Very simple ... switch & 2 subnets question

Hello there,

I wonder if someone can fill in a couple of gaps in my understanding here ... embarrassing question time.

1. COMPANYA is on /
2. COMPANYB is on /
3. Both companies are not connected to each other - one is 'downstairs', one is 'upstairs' ... they each have their own gateway (ISA) to the outside world, servers, AD etc ...
4. Both companies share the same server room and use HP Procurve 2824/2650 switches  ... the 2824's are next to one another in my racking

I wanted to create a persistent link between the 2 companies - mainly for admin reasons and testing


1. Can I use the switches to link the 2 subnets ? (ie. connect COMPANYA 2824 switch to COMPANYB switch on a gigabit port)
2. If not, please briefly explain and suggest what I need

I've tried the above and added a ROUTE ADD to my local workstation to test, and it's not happening for me ... so I wanted to check that what I am doing is actually possible.

I guess this question could have been written a lot simpler:

"Can I use a 2824 switch to connect two different subnets together and use it to route traffic? If not, what would you use?"

Thanks and sorry for being a bit dumb.


You actually need a router.  You have to setup a router between the two subnets and let it route between the two networks/subnets.  Switches cannot do this because they only look at the layer 2 (MAC) address.  
>>Switches cannot do this

Not necessarily - they can if they're layer 3 switches - which the 2650 appears to be ...

"Basic IP routing: enables automatic routing to the connected VLANs and up to 16 static routes—including one default route—in IP networks "

So, technically, it appears you have what you need to do what you want. However, are these YOUR companies? Are you in charge of both networks? Do you have Executive approval to connect the two networks?!? You had BETTER get something in writing authorizing you to do this, because you can create security issues. If they really are two totally different companies, you wouldn't want company A impacting company B, even if everyone is totally trustworthy: what if A gets a virus and infects B and takes B down for a couple of days? A could be liable for B's loss of business ... see where I'm going with this?

So, with your ASSets firmly covered, I would recommend to you that you get a Firewall, not a router/layer 3 switch. With a GOOD layer 3 switch you could build in some basic Access Control Lists, which would limit some access, but a good firewall would give you deeper packet inspection, logging, and control.

So, in a nutshell, you could do the networks like this:

B /24

A      Internet                                                                                    B          Internet
            |                                                                                                          |
            |                                                                                                          |
Modem &/or Router &/or Firewall                                          Modem &/or Router &/or Firewall                                                                                                                
            |                                                                                                          |
    Switching Infrastructure----------  Firewall  ------Switching Infrastructure
       |                |                                                                                     |                |    
Rest of PC's     Net MngrA. PC                                              Rest of PC's     Net MngrB. PC

On the firewall you could have some rules like this:

From NetA to NetB port/prot ICMP action ALLOW LOG
From NetB to NetA port/prot ICMP action ALLOW LOG
From Net MngrA to NetB port/prot ANY action ALLOW LOG
From Net MngrB to NetA port/prot ANY action ALLOW LOG
From NetA to NetB port/prot ANY action DENY LOG
From NetB to NetA port/prot ANY action DENY LOG

These basic firewall rules allow you to:
Ping test from one net to the other
Alerts you to malicious activity doing ping scans of nets via logging
Allows the Network Manager machines from both nets full network access across the firewall, but logs it for accounting.
Denies anyone else access across the nets from each other and logs attempts.

Now, the 2650 could have a static route for the other network pointing at the firewall.  However, the other switch doesn't have this ability and the individual hosts would need persistent routes put in their routing tables in order to hit the firewall.

If you don't want to go this route and just want to use what you have, then you would create vlan tagging on the link between the two networks, put the OTHER network on the 2650 with a vlan and the uplink port in the vlan.  Put an IP address on the uplink port - an IP in the other network's vlan.  If the 2650 doesn't pick up on the two directly attached networks then you might need to modify the routing table manually.  On the OTHER network, you'd need the persistent static routes on the hosts pointing towards the IP that you put on the uplink port of the 2650.  However, I don't recommend doing it this way - see above.

Hope this helps.
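As an added illustration of the six-rule policy above (this is my own example code, not anything from the thread, ISA Server or the ProCurve switches), here is a first-match evaluator run over a few constructed flows. It shows the two things that make such a rule set work: a packet is judged by the first rule it hits, so the manager-PC ALLOW rules must sit above the catch-all DENY rules, and anything matching nothing falls through to an implicit deny. The subnets, the manager PCs' addresses and the sample flows are all assumptions; the thread never states the real ones.

```python
"""Added example (not from the thread): first-match evaluation of the six-rule policy.

Assumed addressing, since the thread never gives the real subnets:
  Company A  192.168.1.0/24, Net Mngr A PC 192.168.1.10
  Company B  192.168.2.0/24, Net Mngr B PC 192.168.2.10
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NET_A = ipaddress.ip_network("192.168.1.0/24")
NET_B = ipaddress.ip_network("192.168.2.0/24")
MGR_A = ipaddress.ip_network("192.168.1.10/32")
MGR_B = ipaddress.ip_network("192.168.2.10/32")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "icmp", "tcp", "udp" or "any"
    action: str                   # "allow" or "deny"
    dport: Optional[int] = None   # None = any port (the post's rules are port-agnostic)
    log: bool = True


# The policy exactly as listed in the post, in the order given.
POLICY: List[Rule] = [
    Rule(NET_A, NET_B, "icmp", "allow"),
    Rule(NET_B, NET_A, "icmp", "allow"),
    Rule(MGR_A, NET_B, "any", "allow"),
    Rule(MGR_B, NET_A, "any", "allow"),
    Rule(NET_A, NET_B, "any", "deny"),
    Rule(NET_B, NET_A, "any", "deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int], str]:
    """Walk the rules top-down; the first match decides.

    Returns (action, index_of_matching_rule_or_None, log_line).  A flow that
    matches no rule is dropped (implicit deny), the safe default for a firewall
    sitting between two companies.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(policy):
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            where = proto + (f"/{dport}" if dport is not None else "")
            return r.action, i, f"rule {i} {r.action.upper()} {where} {src} -> {dst}"
    return "deny", None, f"implicit DENY {proto} {src} -> {dst}"


def misordered(policy: List[Rule]) -> List[Rule]:
    """Same six rules with the two catch-all DENY rules moved to the top.
    Used to show that rule order, not just rule content, defines the policy."""
    denies = [r for r in policy if r.action == "deny"]
    allows = [r for r in policy if r.action == "allow"]
    return denies + allows


# Constructed sample flows (src, dst, proto, dport); not captured traffic.
SAMPLES = [
    ("192.168.1.50", "192.168.2.20", "icmp", None),   # ordinary PC pings across: allowed, logged
    ("192.168.1.10", "192.168.2.20", "tcp", 1433),    # Net Mngr A to a SQL Server in B: allowed
    ("192.168.1.50", "192.168.2.20", "tcp", 1433),    # ordinary PC to that SQL Server: denied, logged
    ("192.168.2.10", "192.168.1.5", "tcp", 3389),     # Net Mngr B RDP into A: allowed
    ("10.0.0.9", "192.168.2.20", "tcp", 445),         # unknown source: implicit deny
]


if __name__ == "__main__":
    for flow in SAMPLES:
        print(evaluate(POLICY, *flow)[2])
    # With the DENY rules on top, even the manager PCs are blocked:
    print(evaluate(misordered(POLICY), "192.168.1.10", "192.168.2.20", "tcp", 1433)[2])
```

Because every rule logs, the returned log line is what you would expect to see on the firewall for each decision; the manager-PC ALLOW lines are the accounting trail the post mentions, and the DENY lines from ordinary PCs are the ones worth alerting on.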

Don Johnston (Instructor) commented:
According to what I've been able to find, the 2650 is a "Light Layer 3 switch". So...

1. Can I use the switches to link the 2 subnets ? (ie. connect COMPANYA 2824 switch to COMPANYB switch on a gigabit port)

Assuming that you can link the two office through the 2650 (and configure it), then the answer is yes.


I would be careful about simply cross-connecting the two networks. Even though the subnet traffic still has to be routed, you have expanded the broadcast domain across both networks and all systems on both sides will see all broadcasts. I really don't think you want to do that.
You could use VLANs. Create a new VLAN for CompanyA on Company B's switch and a corresponding Layer 3 VLAN interface, assign the uplink Gigabit port to the new VLAN and then connect the other network.

By putting them on a separate VLAN, you've closed off the broadcasts, and by creating an L3 interface, you can now happily route between them. Set a static route on your PC for the 10.10.1.x subnet pointing

SpencerSteel (Author) commented:
Hello there guys ...

Some great replies here.

I've spent all afternoon looking into this VLAN business and it really looks like what I'm after. I hear all your concerns about the broadcast and you are all spot on.

It's the end of the day here - I'm going to have a stab at this one tomorrow ... I'll come back and let you know.

(there's some damn powerful stuff in there)

I'm concerned about the business side of it - as I said in my email, it sounds like you have the gear to do it. However, there are technical and security implications of doing it. It's odd that you would want to connect two separate businesses together this way - so are you in charge of both nets? Have you covered yourself?

After that, the technical implementation is relatively simple.
pseudocyber - didn't mean to step on your ideas, wanted to expand on them, but I accidentally hit the submit button too soon... got to get more coffee . . .
Chuckling - no prob lr.  :)
SpencerSteel (Author) commented:
Yeah - they are a sister company we bought out last year ... I'm in charge of both *stress* ... the company 'downstairs' effectively runs a very, very similar set up to ours ... it's all the same hardware, software etc. Think of it as two brands ... and no, it's not anything dodgy, porn, spam, gambling, ringtone related ... all proper :)

At the moment, I've admin terminals for both companies up here in the server room, connected to their respective switches, so no problems there ... and I have also created a VPN from A > B via the internet gateways (ISA Server) ...

So ... the reasons for doing this? Well ... I'm looking at sharing each other's database applications (SQL Server), things like that ... it would be useful for CompanyA to look at CompanyB database apps sometimes, and I'm thinking rather than go all the way out to the internet via VPN (which I can do), I may as well use the faster backbone that is in place.

I can understand your concerns ... it's all legitimate ! Promise ! Perhaps it is madness ... but it's one of those things I'm now keen to understand.

Hope that clears up things a bit.


SpencerSteel (Author) commented:
God ... sorry about 'typo hell' there ... where is the f7 on this thing ? :)

Yeah, then you should just be able to configure the two vlans on the 2650, put the uplink port in the "other vlan", put an IP on the vlan from the "other vlan", and enable tagging.  On the "other" switch, configure an uplink port for vlan tagging as well.  Then, on the "other" network, on your default router, put a static route pointing back to the uplink port of the first switch and you should be good to go.
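The static-route reasoning in this reply and the earlier ones (hosts on the "other" network, or their default router, need a persistent route pointing at the address the 2650 has on the shared VLAN) is easiest to see by tracing a packet hop by hop in both directions. What follows is an added example of mine, not configuration from the thread, HP or Microsoft: a longest-prefix-match lookup and a path trace over constructed routing tables for both PCs, both ISA gateways and the 2650. It also prints the `route -p add` line a Windows host would need. All addresses and node names are assumptions; the thread never gives the real subnets.

```python
"""Added example: hop-by-hop path trace over longest-prefix-match routing tables,
showing why BOTH directions need a route that points at the 2650.

Assumed addressing (the thread never states the real subnets):
  Company A 192.168.1.0/24, ISA gateway .1, the 2650's VLAN-A address .254
  Company B 192.168.2.0/24, ISA gateway .1, the 2650's address on the new VLAN .254
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str] = None   # next-hop IP; None means directly connected


def R(prefix: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), via)


NET_A, NET_B = "192.168.1.0/24", "192.168.2.0/24"
ISA_A, ISA_B = "192.168.1.1", "192.168.2.1"
SW_A, SW_B = "192.168.1.254", "192.168.2.254"      # the 2650, one IP per VLAN

# Which node owns which address (the 2650 owns two). "internet" is deliberately
# absent: the ISA boxes forward unknown destinations upstream, where RFC 1918
# traffic is discarded.
OWNER: Dict[str, str] = {ISA_A: "isa-a", ISA_B: "isa-b", SW_A: "2650", SW_B: "2650",
                         "192.168.1.50": "pc-a", "192.168.2.50": "pc-b"}

# Routing tables as they stand BEFORE any static routes are added.
TABLES: Dict[str, List[Route]] = {
    "pc-a":  [R(NET_A), R("0.0.0.0/0", ISA_A)],
    "pc-b":  [R(NET_B), R("0.0.0.0/0", ISA_B)],
    "isa-a": [R(NET_A), R("0.0.0.0/0", "internet")],
    "isa-b": [R(NET_B), R("0.0.0.0/0", "internet")],
    "2650":  [R(NET_A), R(NET_B)],    # both VLANs directly connected once IP routing is on
}


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins, whatever its position."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in table if d in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def trace(tables: Dict[str, List[Route]], owner: Dict[str, str],
          start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Nodes visited by a packet for dst that starts at node `start`.

    The list ends with 'delivered' when a node has dst directly connected,
    'dropped@<x>' when a node has no route or hands the packet to something
    that cannot route it, or 'loop' if max_hops is exceeded.
    """
    path, node = [], start
    for _ in range(max_hops):
        path.append(node)
        r = lookup(tables[node], dst)
        if r is None:
            return path + [f"dropped@{node}"]
        if r.via is None:
            return path + ["delivered"]
        nxt = owner.get(r.via)
        if nxt is None:
            return path + [f"dropped@{r.via}"]
        node = nxt
    return path + ["loop"]


def with_route(tables: Dict[str, List[Route]], node: str, route: Route) -> Dict[str, List[Route]]:
    """Copy of `tables` with `route` added to `node` (the ROUTE ADD from the question)."""
    new = {k: list(v) for k, v in tables.items()}
    new[node].append(route)
    return new


def windows_persistent_route(prefix: str, gateway: str) -> str:
    """The persistent (-p) static route a Windows host needs, as a route.exe command line."""
    net = ipaddress.ip_network(prefix)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


if __name__ == "__main__":
    print(trace(TABLES, OWNER, "pc-a", "192.168.2.50"))   # goes to A's ISA and dies
    t = with_route(TABLES, "pc-a", R(NET_B, SW_A))
    print(trace(t, OWNER, "pc-a", "192.168.2.50"))        # now via the 2650
    print(trace(t, OWNER, "pc-b", "192.168.1.50"))        # replies still die at B's ISA
    t = with_route(t, "isa-b", R(NET_A, SW_B))
    print(trace(t, OWNER, "pc-b", "192.168.1.50"))        # B's default router hands it to the 2650
    print(windows_persistent_route(NET_B, SW_A))
```

The third trace is the one that bites in practice: a ROUTE ADD on the A-side workstation gets packets to B, but B's replies follow B's default route to its ISA and vanish, so the ping "doesn't happen" even though the outbound half is right. Adding the return route on B's default router (or, as the earlier reply says, as a persistent route on each B host) closes the loop.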

SpencerSteel (Author) commented:
Thanks for all your help and advice on this one.

With your leads (and the manuals!), I was able to do what I wanted ...

