Solved

Very simple ... switch & 2 subnets question

Posted on 2006-05-31
381 Views
Last Modified: 2010-04-17
Hello there,

I wonder if someone can fill in a couple of gaps in my understanding here ... embarrassing question time.

1. COMPANYA is on 10.10.1.0 / 255.255.255.0
2. COMPANYB is on 192.9.200.100 / 255.255.255.0
3. Both companies are not connected to each other - one is 'downstairs', one is 'upstairs' ... they each have their own gateway (ISA) to the outside world, servers, AD etc ...
4. Both companies share the same server room and use HP Procurve 2824/2650 switches  ... the 2824's are next to one another in my racking

I wanted to create a persistent link between the 2 companies - mainly for admin reasons and testing

Questions

1. Can I use the switches to link the 2 subnets ? (ie. connect COMPANYA 2824 switch to COMPANYB switch on a gigabit port)
2. If not, please briefly explain and suggest what I need

I've tried the above and added a ROUTE ADD to my local workstation to test, and it's not happening for me ... so I wanted to check that what I am doing is actually possible.

I guess this question could have been written a lot simpler

"Can I use a 2824 switch to connect to different subnets together and use it to route traffic. If not, what would you use?"

Thanks and sorry for being a bit dumb.

S.S.
Question by:SpencerSteel
12 Comments
 
LVL 1

Expert Comment

by:Viper2299
ID: 16798067
You actually need a router.  You have to setup a router between the two subnets and let it route between the two networks/subnets.  Switches cannot do this because they only look at the layer 2 (MAC) address.  
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 16798317
>>Switches cannot do this

Not necessarily - they can if they're layer 3 switches - which the 2650 appears to be ...

"Basic IP routing: enables automatic routing to the connected VLANs and up to 16 static routes—including one default route—in IP networks "

So, technically, it appears you have what you need to do what you want.  However, are these YOUR companies?  Are you in charge of both networks?  Do you have Executive approval to connect the two networks?!?  You had BETTER get something in writing authorizing you to do this - because you can create security issues - and if they really are two totally different companies, you wouldn't want company A impacting company B - even if everyone is totally trustworthy - what if A gets a virus and infects B and takes B down for a couple of days - A could be liable for B's loss of business ... see where I'm going with this?

So, with your ASSets firmly covered, I would recommend to you that you get a Firewall, not a router/layer 3 switch.  With a GOOD layer 3 switch - you could build in some basic Access Control Lists - which would limit some access, but a good firewall would give you deeper packet inspection, logging, and control.

So, in a nutshell, you could do the networks like this:

A  10.10.1.0/24
B  192.9.200.100 /24

A      Internet                                     B      Internet
          |                                                   |
Modem &/or Router &/or Firewall                 Modem &/or Router &/or Firewall
       10.10.1.1                                          192.9.200.1
          |                                                   |
 Switching Infrastructure --- 10.10.1.5  Firewall  192.9.200.5 --- Switching Infrastructure
    |              |                                          |              |
Rest of PC's   Net MngrA PC 10.10.1.100               Rest of PC's   Net MngrB PC 192.9.200.100

On the firewall you could have some rules like this:

From NetA to NetB port/prot ICMP action ALLOW LOG
From NetB to NetA port/prot ICMP action ALLOW LOG
From Net MngrA to NetB port/prot ANY action ALLOW LOG
From Net MngrB to NetA port/prot ANY action ALLOW LOG
From NetA to NetB port/prot ANY action DENY LOG
From NetB to NetA port/prot ANY action DENY LOG

These basic firewall rules allow you to:
Ping test from one net to the other
Alerts you to malicious activity doing ping scans of nets via logging
Allows the Network Manager machines from both nets full network access across the firewall, but logs it for accounting.
Denies anyone else access across the nets from each other and logs attempts.

Now, the 2650 could have a static route for the other network pointing at the firewall.  However, the other switch doesn't have this ability and the individual hosts would need persistent routes put in their routing tables in order to hit the firewall.

If you don't want to go this route and just want to use what you have, then you would create vlan tagging on the link between the two networks, put the OTHER network on the 2650 with a vlan and the uplink port in the vlan.  Put an IP address on the uplink port - an IP in the other network's vlan.  If the 2650 doesn't pick up on the two directly attached networks then you might need to modify the routing table manually.  On the OTHER network, you'd need the persistent static routes on the hosts pointing towards the IP that you put on the uplink port of the 2650.  However, I don't recommend doing it this way - see above.

Hope this helps.


0
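The six rules above only behave as described because a firewall evaluates them top-down and stops at the first match: the two manager-PC ALLOW lines must sit above the blanket DENY lines or they never fire. The following is an added example (not code from the thread, not any firewall's syntax) that models exactly that first-match evaluation over the listed policy and adds a shadowing check, which is the test a practitioner runs before pushing a rule set. The net and host addresses come from the diagram in the comment; that the two "Net Mngr" entries mean the single hosts 10.10.1.100 and 192.9.200.100 is an assumption.

```python
"""First-match evaluation of the six-rule firewall policy from the comment.

Added example; not pseudocyber's code and not a vendor rule language.
Addresses follow the comment's diagram. The manager PCs are assumed to be
the single hosts 10.10.1.100 and 192.9.200.100 (/32).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NET_A = ipaddress.ip_network("10.10.1.0/24")
NET_B = ipaddress.ip_network("192.9.200.0/24")
MGR_A = ipaddress.ip_network("10.10.1.100/32")     # Net MngrA PC (assumed /32)
MGR_B = ipaddress.ip_network("192.9.200.100/32")   # Net MngrB PC (assumed /32)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str    # "icmp", "tcp", "udp" or "any"
    action: str   # "allow" or "deny"
    log: bool = True   # every rule in the comment says LOG


# The policy exactly as listed in the comment, in the order given.
POLICY: List[Rule] = [
    Rule(NET_A, NET_B, "icmp", "allow"),
    Rule(NET_B, NET_A, "icmp", "allow"),
    Rule(MGR_A, NET_B, "any", "allow"),
    Rule(MGR_B, NET_A, "any", "allow"),
    Rule(NET_A, NET_B, "any", "deny"),
    Rule(NET_B, NET_A, "any", "deny"),
]

# The same rules with the two DENY lines moved to the top: a common mistake.
MISORDERED: List[Rule] = POLICY[4:] + POLICY[:4]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the first matching rule).

    A packet that matches no rule gets ("deny", None): the firewall's
    implicit default deny. The listed rules make the deny explicit only
    for traffic between the two nets.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, rule in enumerate(policy, start=1):
        if s in rule.src and d in rule.dst and rule.proto in ("any", proto):
            return rule.action, index
    return "deny", None


def log_line(policy: List[Rule], src: str, dst: str, proto: str) -> str:
    """One accounting-style log line per decision, as the LOG flag implies."""
    action, index = evaluate(policy, src, dst, proto)
    rule = f"rule {index}" if index else "default"
    return f"{rule} {action.upper()} {proto} {src} -> {dst}"


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """1-based indices of rules that can never match, because an earlier
    rule already covers their whole source, destination and protocol."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            covers_proto = earlier.proto in ("any", later.proto)
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst) and covers_proto):
                shadowed.append(j + 1)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample traffic between the two nets.
    samples = [("10.10.1.50", "192.9.200.7", "icmp"),     # ping test: allowed, logged
               ("10.10.1.50", "192.9.200.7", "tcp"),      # ordinary PC: denied, logged
               ("10.10.1.100", "192.9.200.7", "tcp"),     # manager A: allowed, logged
               ("10.10.1.5", "10.10.1.9", "tcp")]         # not across the firewall
    for src, dst, proto in samples:
        print(log_line(POLICY, src, dst, proto))
    print("shadowed in POLICY:", shadowed_rules(POLICY))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

Running the block prints one log line per sample packet and shows that the comment's ordering has no shadowed rules, whereas moving the DENY lines to the top silently disables the four ALLOW lines beneath them.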
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 400 total points
ID: 16798518
According to what I've been able to find, the 2650 is a "Light Layer 3 switch". So...

1. Can I use the switches to link the 2 subnets ? (ie. connect COMPANYA 2824 switch to COMPANYB switch on a gigabit port)

Assuming that you can link the two offices through the 2650 (and configure it), then the answer is yes.

0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 16800205
I would be careful at simply crossconnecting the two networks. Even though the subnet traffic still has to be routed, you have expanded the broadcast domain across both networks and all systems on both sides will see all broadcasts. I really don't think you want to do that.
You could use VLAN's. Create a new VLAN for CompanyA on Company B's switch and a corresponding Layer3 vlan interface, assign the uplink Gigabit port to the new VLAN and then connect the other network

By putting them on a separate VLAN, you've closed off the broadcasts and by creating a l3 interface, you can now happily route between them. Set a static route on your PC for the 10.10.1.x subnet pointing


0
 

Author Comment

by:SpencerSteel
ID: 16800297
Hello there guys ...

Some great replies here.

I've spent all afternoon looking into this VLAN business and it really looks like what i'm after. I hear all your concerns about the broadcast and you are all spot on.

It's the end of the day here - i'm going to have a stab at this one tomorrow ... i'll come back and let you know.

(there's some damn powerful stuff in there)

0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 16800340
I'm concerned about the business side of it - as I said in my email, sounds like you have the gear to do it.  However, there are technical and security implications of doing it.  It's odd that you would want to connect two separate businesses together this way - so are you in charge of both nets - have you covered yourself.

After that, the technical implementation is relatively simple.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16800365
pseudocyber - didn't mean to step on your ideas, wanted to expand on them, but I accidentally hit the submit button too soon... got to get more coffee . . .
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 16800377
Chuckling - no prob lr.  :)
0
 

Author Comment

by:SpencerSteel
ID: 16800421
Yeah - they are a sister company we bought out last year ... I'm in charge of both *stress* ... the company 'downstairs' effectively runs a very, very similar set up to ours ... it's all the same hardware, software etc. Think of it as two brands ... and no, it's not anything dodgy, porn, spam, gambling, ringtone related ... all proper :)

At the moment, I've admin terminals for both companies here up in the server room, connected to their respective switches, so no problems there ... and I have also created a VPN from A > B via the internet gateways (ISA Server) ...

So ... the reasons for doing this? Well ... I'm looking at sharing each others database applications (SQL Server) Things like that ... it would be useful for CompanyA to look at CompanyB database apps sometime and i'm thinking rather than go all the way out to the internet via VPN, (which I can do) I may as well use a faster backbone that is in place.

I can understand your concerns ... it's all legitimate ! Promise ! Perhaps it is madness ... but it's one of those things I'm now keen to understand.

Hope that clears up things a bit.

S.S.

0
 

Author Comment

by:SpencerSteel
ID: 16800456
God ... sorry about 'typo hell' there ... where is the f7 on this thing ? :)

S.S.
0
 
LVL 27

Accepted Solution

by:pseudocyber
pseudocyber earned 1200 total points
ID: 16800499
Yeah, then you should just be able to configure the two vlans on the 2650, put the uplink port in the "other vlan", put an IP on the vlan from the "other vlan", and enable tagging.  On the "other" switch, configure an uplink port for vlan tagging as well.  Then, on the "other" network, on your default router, put a static route pointing back to the uplink port of the first switch and you should be good to go.
0
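Every answer in the thread ends on the same point: the 2650's VLAN interfaces only help once something on each side (the hosts, or the default router as the accepted solution suggests) has a static route whose next hop is that interface, otherwise packets for the other subnet follow the default route out to the ISA gateway. The following is an added example (not code from the thread or from HP) that models the longest-prefix-match lookup a host or router performs and walks a packet hop by hop through the four configurations discussed: no static routes, a persistent route on the PC, a route on the default router, and the often-forgotten return direction. The gateway addresses 10.10.1.1 and 192.9.200.1 come from the diagram earlier in the thread; giving the 2650's two VLAN interfaces the addresses 10.10.1.5 and 192.9.200.5 and the node names are assumptions, and "isp-a"/"isp-b" are placeholders for whatever sits beyond each ISA.

```python
"""Hop-by-hop forwarding of a packet from Company B to Company A, with and
without the static routes the thread says are needed.

Added example; not code from the thread or from HP. The 2650's VLAN
interface addresses (10.10.1.5, 192.9.200.5), the node names and the
"isp-a"/"isp-b" placeholders are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, Optional[str]]   # (prefix, gateway); gateway None = directly connected


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over a routing table.

    Returns the gateway to send to, or None when the destination is on a
    directly connected network (the host ARPs for it and delivers itself).
    """
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


# Which modelled node owns each gateway address. A gateway that is not here
# (e.g. "isp-b") means the packet has left the two companies' networks.
OWNER: Dict[str, str] = {
    "192.9.200.1": "isa_b", "10.10.1.1": "isa_a",        # the ISA gateways
    "192.9.200.5": "sw2650", "10.10.1.5": "sw2650",      # the 2650's VLAN interfaces
}

# Constructed routing tables for the nodes in the thread.
PC_B: List[Route] = [("192.9.200.0/24", None), ("0.0.0.0/0", "192.9.200.1")]
ISA_B: List[Route] = [("192.9.200.0/24", None), ("0.0.0.0/0", "isp-b")]
PC_A: List[Route] = [("10.10.1.0/24", None), ("0.0.0.0/0", "10.10.1.1")]
ISA_A: List[Route] = [("10.10.1.0/24", None), ("0.0.0.0/0", "isp-a")]
# With "ip routing" on and one interface in each VLAN, both nets are connected.
SW2650: List[Route] = [("192.9.200.0/24", None), ("10.10.1.0/24", None)]

# The static routes under discussion, pointing at the switch's interfaces.
TO_A_VIA_SWITCH: Route = ("10.10.1.0/24", "192.9.200.5")   # ROUTE ADD ... -p on B side
TO_B_VIA_SWITCH: Route = ("192.9.200.0/24", "10.10.1.5")   # the matching route on A side


def build(pc_b_extra=(), isa_b_extra=(), pc_a_extra=(), isa_a_extra=()) -> Dict[str, List[Route]]:
    """Assemble the topology, optionally adding static routes to given nodes."""
    return {
        "pc_b": PC_B + list(pc_b_extra), "isa_b": ISA_B + list(isa_b_extra),
        "pc_a": PC_A + list(pc_a_extra), "isa_a": ISA_A + list(isa_a_extra),
        "sw2650": SW2650,
    }


def forwarding_path(nodes: Dict[str, List[Route]], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next_hop() from node to node until the destination is on-link
    ("delivered") or the gateway is outside the modelled networks."""
    path, node = [start], start
    for _ in range(max_hops):
        gateway = next_hop(nodes[node], dst)
        if gateway is None:
            return path + ["delivered"]
        if gateway not in OWNER:
            return path + [gateway]          # leaves via the ISA's outside leg
        node = OWNER[gateway]
        path.append(node)
    return path + ["loop"]                   # two routers pointing at each other


if __name__ == "__main__":
    print("no static routes  :", forwarding_path(build(), "pc_b", "10.10.1.100"))
    pc_route = build(pc_b_extra=[TO_A_VIA_SWITCH])
    print("route on the PC   :", forwarding_path(pc_route, "pc_b", "10.10.1.100"))
    print("  ...but the reply:", forwarding_path(pc_route, "pc_a", "192.9.200.100"))
    both = build(isa_b_extra=[TO_A_VIA_SWITCH], isa_a_extra=[TO_B_VIA_SWITCH])
    print("routes on routers :", forwarding_path(both, "pc_b", "10.10.1.100"),
          forwarding_path(both, "pc_a", "192.9.200.100"))
```

The third line of output is the one worth noticing: a route added only on the Company B side gets the request across, but host A's reply still follows its default route out through ISA A, so the route has to exist in both directions, either on the hosts or on each side's default router.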
 

Author Comment

by:SpencerSteel
ID: 16831171
Thanks for all your help and advice on this one.

With your leads (and the manuals!), I was able to do what I wanted ...

Thanks,

S.S.
0