RudiR

Merging 2 remote sites via Vlan?

Hello.

I will try to describe the problem in as much detail as I can.

As of today we have a main office and a remote office; the remote office is connected to the main office through a WAN connection (Layer 3).

So basically they are connected straight to the switch at our main office and are seen as a local part of the network here in every way.

Now there is a second remote office that is soon to be connected to the main office.

The WAN supplier has now decided that they will change the technology a bit, and they are merging remote office 1 and 2 at their location and adding a VLAN tag to each office.

Remote office 1 will be tagged "vlan10"
Remote office 2 will be tagged "vlan11"

So I will get both the remote sites through the same cable, but tagged on different VLANs, to the main office.

I am curious about how best to get a transparent network with full permissions to either network.

The simplest solution would be to have all nets acting as one net with the same IP range; they are small offices, so there are maybe 5 users or so.

We have an HP ProCurve 3500yl switch that is connected to the remote office today and an ASA 5510 firewall for external connections.

I would think that you could trunk a port in the switch, but I am unsure what configuration needs to be put into the firewall.

Regards

This problem is something that I should be finished with this week ^^
Problem.jpg
Heiko Bialozyt

Simply ... it's not possible.

As long as you don't have common objects, you can use the same IP addresses on two or more VLANs.
But I assume you want to access common systems at the main office. Finally, these systems cannot know who was calling them, and so it's not possible to find a way back from the central side to the first or second remote site.

You have to set up different IP ranges for each site. But you don't need VLANs to solve this task.
RudiR

ASKER

The thing is that these 2 remote sites shall get DHCP addresses from the server at the main office.

OK, assume that I create two new DHCP scopes to reflect the new VLANs at the main office DHCP server.

192.168.10.xxx
192.168.11.xxx

And I create a trunk port on the switch where the VLANs come in.

Then I would need to specify that VLAN 10 is the 192.168.10.xxx network.

My guess is that the VLAN config is done on the switch side and I guess the access part is done on the firewall.

Hope to hear from you again.
OK ... it's an easy thing.

You have to configure DHCP relay agents on your remote-site firewalls. There you have to specify the central DHCP server as the final destination.
Then create new address ranges on this DHCP server and set up the related options (at least default gateway and DNS). Activate them.

The relay agents will forward all DHCP requests to the central DHCP server with additional information about the relay agent, so the DHCP server can use the appropriate range and send an IP address back to the agent.

DHCP is always a broadcast and will be cancelled by every router or gateway. A relay agent is the only way to transport them to a central place.
RudiR

ASKER

Thanks for the reply, but that would not work since there are no firewalls at the remote offices.
Everything that they do is directed to the main office.

Think of it as if you pulled out a 50km long cat5 ethernet cable to connect to the remote offices; the only difference is that it's one cable to both remote locations and the traffic is separated by these two VLANs.

The WAN provider has grouped the two remote locations into a single line and added VLAN 10 and 11 to the respective location.

So there is no firewall to set up DHCP relay; the DHCP requests will reach the main office, but each location will have a unique VLAN tag.

Hope I explained it a bit better this time ^^
Oops, that's very different.

So you have to configure a trunk port from your WAN provider to your switch.
Then create a native access-mode port as a member of VLAN 10 and a second as a member of VLAN 11.
So you will get untagged traffic out of these two ports.
Finally, connect these two ports to two ports in your default VLAN.

Maybe you have to disable security warnings on these ports, because some switches recognise the shortcut between VLANs.

There is no internal way to make such a connection.
RudiR

ASKER

It sounds like I should add another switch in between the WAN and the switch at my main office.

I do the trunk port and the 2 native ports on the extra switch and then connect one cable each from the native VLAN ports to the main switch?

Does that sound right to you?

There is no configuration needed on the main switch, if I have understood this correctly?

Regards
RudiR

ASKER

OK, I did a quick drawing of the setup as I think it should look.

The only thing I am unsure about is which default gateway I should use on the different VLANs.
Should I have the same as the main network, or do I have to configure a separate one for each VLAN?

Regards
Vlan.jpg
Hi RudiR,

This new drawing changes everything. You're NOT using the same IP range.
You have 3 subnets: 192.168.1.0 on the main network, 192.168.10.0 on office 1 and 192.168.11.0 on office 2.

You need the layer 3 functionality of the ProCurve. It is installed but has to be configured.
You have to set up VLANs 10 and 11 and give each an IP address. For example, set up VLAN 10 with IP address 192.168.10.1, VLAN 11 with IP address 192.168.11.1 and VLAN 1 with IP 192.168.1.1.
Then you have the default gateways for each subnet. Set the default gateway for the switch to the current default gateway of the main network. Finally, add two static routes on your default gateway pointing to 192.168.1.1 and activate routing on the ProCurve.

Now you need DHCP relay agents or three interfaces on the DHCP server, else the server cannot decide what the right scope is. The HP 3500 is not able to build DHCP relay agents. If you have only one interface on the DHCP server, you have to find a device inside the remote-office subnets which can do that.
Check for 802.1q capabilities on the network cards of your server. (HP supports 802.1q.) If your server is able to do so, you can activate them, set up three logical interfaces on one physical interface and then connect the physical interface to a trunk port with all three VLANs on your switch. Then you don't need relay agents, because the DHCP server is directly visible to all subnets.
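
How a DHCP server chooses between the 192.168.1.x, 192.168.10.x and 192.168.11.x scopes in the two designs described in the replies above (a relay agent, or one server interface per VLAN), as an added example that is not part of the original posts. The server interface addresses and the MAC address are assumptions.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, at offset 236 of the BOOTP message

# Subnets named in the thread.
SCOPES = {
    "main": ipaddress.ip_network("192.168.1.0/24"),
    "office-1": ipaddress.ip_network("192.168.10.0/24"),
    "office-2": ipaddress.ip_network("192.168.11.0/24"),
}

def build_discover(mac, giaddr="0.0.0.0", hops=0, xid=0x1234ABCD):
    """Constructed sample: a minimal DHCPDISCOVER as a client (or a relay) would send it."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags=broadcast
    head = struct.pack("!BBBBIHH", 1, 1, 6, hops, xid, 0, 0x8000)
    zero = ipaddress.ip_address("0.0.0.0").packed
    addrs = zero * 3 + ipaddress.ip_address(giaddr).packed  # ciaddr, yiaddr, siaddr, giaddr
    chaddr = mac + bytes(10)      # 16-byte hardware address field
    legacy = bytes(64 + 128)      # sname + file, unused here
    options = MAGIC + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, then end
    return head + addrs + chaddr + legacy + options

def parse_giaddr(packet):
    """Return the relay agent address (giaddr) of a BOOTREQUEST."""
    if len(packet) < 240 or packet[236:240] != MAGIC or packet[0] != 1:
        raise ValueError("not a DHCP request")
    return ipaddress.ip_address(packet[24:28])

def select_scope(packet, rx_interface_ip):
    """Scope choice: by giaddr if the request was relayed, else by receiving interface."""
    giaddr = parse_giaddr(packet)
    key = giaddr if int(giaddr) != 0 else ipaddress.ip_address(rx_interface_ip)
    for name, net in SCOPES.items():
        if key in net:
            return name
    return None  # no scope for that subnet: the server makes no offer

CLIENT = bytes.fromhex("02005e000001")  # constructed MAC address
# Server addresses 192.168.1.5 and 192.168.11.5 are assumptions for this example.
RELAYED = select_scope(build_discover(CLIENT, giaddr="192.168.10.1", hops=1), "192.168.1.5")
TAGGED_NIC = select_scope(build_discover(CLIENT), "192.168.11.5")
BRIDGED = select_scope(build_discover(CLIENT), "192.168.1.5")
```

The third case is a request with no relay arriving on the server's only interface: it is served from the main scope, whichever site the client sits in.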
RudiR

ASKER

Hello.

The drawing was just an illustration of what I thought would be the best solution, but reading what you wrote, it looks like I created more work for myself than intended :D

If you were to suggest a setup for this to work, which way would you go?
If I need to get more hardware I will, but I want the easiest possible solution.

Today I only have the ASA5510 and the ProCurve switch at the main office.

Damn, this proves to be a challenge for me; advanced networking is not what I know best.
OK, let me try an easy solution.
Do you have all interfaces of the ASA5510 in use? If not, the ASA can handle all tasks.
How many devices (IP addresses) do you have active in each location?
RudiR

ASKER

On the ASA I have 2 ports occupied, external (internet) and one to the internal net.
I think that there are 2 or 3 ports available in the firewall.

About the IP addresses: I have one scope today that supplies IP addresses to the main location and one of the remote offices; the second remote office has not been connected to the WAN.

It's when they connect the second office to the WAN that they also change to VLANs.

As of today there is one class C range net (192.168.1.xxx); I think the DHCP scope is like 100 addresses or so, more than enough for the users.
ASKER CERTIFIED SOLUTION
Heiko Bialozyt
RudiR

ASKER

Nice.

So basically I do the following and it should work.

* Create a trunk port on the switch for the incoming WAN (VLAN 10 and 11)
* Create 2 native switchports, one for each VLAN.
* Connect the 2 VLAN switchports to the regular LAN.
* Disable security on the switchports (all 4?)

Does this solution still require 2 additional DHCP scopes on the server?
There is nothing else to do.
RudiR

ASKER

OK, so the 2 remote sites will get IP addresses from the main site as if it were one big network?

That is perfect and a slick solution to my problem.
Exactly ... you will get one big network.
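
What the patch-cable setup confirmed above does to layer-2 separation, as an added example that is not part of the original posts: each untagged port is modelled by its VLAN and each patch cable joins the VLANs of the two ports it connects. The port names are assumptions; VLAN IDs 10 and 11 and the default VLAN 1 are from the thread.

```python
def broadcast_domains(pvid, patch_cables):
    """pvid: {port: untagged VLAN id}; patch_cables: [(port_a, port_b)].
    Returns the sets of VLAN ids that end up sharing one broadcast domain."""
    parent = {vlan: vlan for vlan in set(pvid.values())}

    def find(vlan):
        # Union-find lookup with path halving.
        while parent[vlan] != vlan:
            parent[vlan] = parent[parent[vlan]]
            vlan = parent[vlan]
        return vlan

    for port_a, port_b in patch_cables:
        # An untagged frame leaving port_a is classified into port_b's VLAN
        # when it enters the far end of the cable, and vice versa.
        root_a, root_b = find(pvid[port_a]), find(pvid[port_b])
        if root_a != root_b:
            parent[root_b] = root_a

    groups = {}
    for vlan in parent:
        groups.setdefault(find(vlan), set()).add(vlan)
    return sorted(groups.values(), key=min)

def same_domain(domains, vlan_a, vlan_b):
    """True if a broadcast sent in vlan_a is also delivered in vlan_b."""
    return any(vlan_a in d and vlan_b in d for d in domains)

# Constructed port layout. The WAN trunk port carries VLAN 10 and 11 tagged only,
# so it has no untagged VLAN and does not appear here.
PVID = {
    "A1": 10,  # native port for remote office 1
    "A2": 11,  # native port for remote office 2
    "B1": 1,   # default-VLAN port on the regular LAN
    "B2": 1,   # default-VLAN port on the regular LAN
}
SEPARATE = broadcast_domains(PVID, [])
ONE_CABLE = broadcast_domains(PVID, [("A1", "B1")])
MERGED = broadcast_domains(PVID, [("A1", "B1"), ("A2", "B2")])
```

With both cables in place, every broadcast from either remote office (DHCP and ARP included) reaches the main LAN and the other office, so there is no point left at which traffic between the sites can be filtered.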
RudiR

ASKER

Thanks for the help, I will try to make this configuration on the switch ASAP.

I will close this thread and accept your solution.
RudiR

ASKER

Thanks a lot for the detailed help.