RudiR asked on

Merging 2 remote sites via Vlan?

Hello.

I will try and describe the problem as detailed as I can.

As of today we have a main office and a remote office; the remote office is connected to the main office through a WAN connection (Layer 3).

So basically they are connected straight to the switch at our main office and are seen as a local part of the network here in every way.

Now there is a second remote office that is soon to be connected to the main office.

The WAN supplier has now decided that they will change the technology a bit: they are merging remote office 1 and 2 at their location and adding a VLAN tag to each office.

Remote office 1 will be tagged "vlan10"
Remote office 2 will be tagged "vlan11"

So I will get both remote sites through the same cable, but tagged on different VLANs, to the main office.

I am curious how to best solve this so that I have a transparent network with full permissions to either network.

The simplest solution would be to have all nets acting as one net with the same IP range; these are small offices, so there are maybe 5 users or so.

We have an HP ProCurve 3500yl switch that is connected to the remote office today and an ASA 5510 firewall for external connections.

I would think that you could trunk a port in the switch, but I am unsure what configuration needs to be put into the firewall.

Regards

This problem is something that I should be finished with this week ^^
Problem.jpg
Hardware Firewalls, Switches / Hubs, Routers

Last comment: RudiR, 8/22/2022 (Mon)
Heiko Bialozyt

Simply ... it's not possible.

As long as you don't have common objects, you can use the same IP addresses on two or more VLANs.
But I assume you want to access common systems in the main office. Finally these systems cannot know who was calling them, and so it's not possible to find a way back from the central side to the first or second remote site.

You have to set up different IP ranges for each site. But you don't need VLANs to solve this task.
ASKER
RudiR

The thing is that these 2 remote sites shall get DHCP addresses from the server at the main office.

OK, assume that I create two new DHCP scopes to reflect the new VLANs on the main office DHCP server.

192.168.10.xxx
192.168.11.xxx

And I create a trunk port on the switch where the VLANs come in.

Then I would need to specify that VLAN 10 is the 192.168.10.xxx network.

My guess is that the VLAN config is done on the switch side, and I guess the access part is done on the firewall.

Hope to hear from you again.
Heiko Bialozyt

OK ... it's an easy thing.

You have to configure DHCP relay agents on your remote-site firewalls. There you have to specify the central DHCP server as the final destination.
Then create new address ranges on this DHCP server and set up the related options (at least default gateway and DNS). Activate them.

The relay agents will forward all DHCP requests to the central DHCP server with additional information about the relay agent, so the DHCP server can use the appropriate range and send the IP address back to the agent.

DHCP is always a broadcast and will be cancelled by every router or gateway. A relay agent is the only way to transport them to a central place.
ASKER
RudiR

Thanks for the reply, but that would not work, since there are no firewalls at the remote offices.
Everything that they do is directed to the main office.

Think of it as if you pulled a 50 km long Cat5 Ethernet cable to connect to the remote offices; the only difference is that it's one cable to both remote locations and the traffic is separated by these two VLANs.

The WAN provider has grouped the two remote locations into a single line and added VLAN 10 and 11 to the respective locations.

So there is no firewall to set up DHCP relay on; the DHCP requests will reach the main office, but each location will have a unique VLAN tag.

Hope I explained it a bit better this time ^^
Heiko Bialozyt

Oops, that's very different.

So you have to configure a trunk port from your WAN provider to your switch.
Then create a native access-mode port as a member of VLAN 10 and a second as a member of VLAN 11.
So you will get untagged traffic out of these two ports.
Finally connect these two ports to two ports in your default VLAN.

Maybe you have to disable security warnings on these ports, because some switches recognise the shortcut between VLANs.

There is no internal way to make such a connection.
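The loop-back design described above, written out as HP ProCurve CLI. This is an added illustration, not configuration from the thread; the port numbers, VLAN names and the assumption that the provider delivers VLANs 10 and 11 tagged on one uplink are mine.

```text
; Added example (not from the thread): ProCurve 3500yl, bridged variant.
; Assumed port roles: 1 = uplink from WAN provider (tagged 10 and 11),
; 2 = untagged VLAN 10, 3 = untagged VLAN 11, 4 and 5 = untagged VLAN 1.
; Patch cables: port 2 -> port 4, port 3 -> port 5.

configure
vlan 10
   name "RemoteOffice1"
   tagged 1
   untagged 2
   exit
vlan 11
   name "RemoteOffice2"
   tagged 1
   untagged 3
   exit
vlan 1
   ; the provider uplink should carry only the two tagged VLANs
   no untagged 1
   exit

; RSTP sends BPDUs per switch, not per VLAN, so it sees its own BPDUs
; come back through the patch cables and blocks one end of each loop.
; Filtering BPDUs on the four looped ports is the "security warning"
; mentioned above; loop protection, if enabled, must skip them as well.
spanning-tree 2-5 bpdu-filter
no loop-protect 2-5

write memory
```

After this, all three sites share one broadcast domain and one DHCP scope, which is the goal here, but it also means the switch has no policy point between the offices; `show vlans` and `show spanning-tree` confirm the port membership and that ports 2-5 are forwarding.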
ASKER
RudiR

It sounds like I should add another switch in between the WAN and the switch at my main office.

I do the trunk port and the 2 native ports on the extra switch and then connect one cable each from the native VLAN ports to the main switch?

Does that sound right to you?

There is no configuration needed on the main switch, if I have understood this correctly?

Regards
ASKER
RudiR

OK, I did a fast drawing of the setup as I think it should look.

The only thing I am unsure about is which default gateway I should use on the different VLANs.
Should I have the same as the main network, or do I have to configure a separate one for each VLAN?

Regards
Vlan.jpg
Heiko Bialozyt

Hi RudiR,

This new drawing changes everything. You're NOT using the same IP range.
You have 3 subnets: 192.168.1.0 on the main network, 192.168.10.0 in office 1 and 192.168.11.0 in office 2.

You need the Layer 3 functionality of the ProCurve. It is installed but has to be configured.
You have to set up VLANs 10 and 11 and give them an IP address, for example set up VLAN 10 with IP address 192.168.10.1, VLAN 11 with IP address 192.168.11.1 and VLAN 1 with IP 192.168.1.1.
Then you have the default gateways for each subnet. Set up the default gateway of the switch to the current default gateway of the main network. Finally add two static routes on your default gateway pointing to 192.168.1.1 and activate routing on the ProCurve.

Now you need DHCP relay agents or three interfaces on the DHCP server, else the server cannot decide what the right scope is. The HP 3500 is not able to act as a DHCP relay agent. If you have only one interface on the DHCP server, you have to find a device inside the remote-office subnets which can do that.
Check for 802.1Q capabilities on the network cards of your server (HP supports 802.1Q). If your server is able to do so, you can activate them, set up three logical interfaces on one physical interface and connect the physical interface to a trunk port with all three VLANs on your switch. Then you don't need relay agents, because the DHCP server is directly visible to all subnets.
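The routed variant described above, as an added example that is not part of the thread. Port numbers, the ASA inside address 192.168.1.254 and the DHCP server address 192.168.1.10 are assumptions; the `ip helper-address` lines assume the switch firmware offers DHCP relay on VLAN interfaces, which should be verified on the unit itself before relying on it.

```text
; Added example (not from the thread): ProCurve 3500yl, routed variant.
; Assumed: port 1 = provider uplink (tagged 10 and 11), port 2 = main LAN
; towards the ASA inside interface (assumed 192.168.1.254),
; DHCP server on the main LAN (assumed 192.168.1.10).

configure
vlan 1
   ip address 192.168.1.1 255.255.255.0
   exit
vlan 10
   name "RemoteOffice1"
   tagged 1
   ip address 192.168.10.1 255.255.255.0
   ; forward DHCP broadcasts from this subnet to the central server,
   ; assuming the firmware supports relay; otherwise see the reply above
   ip helper-address 192.168.1.10
   exit
vlan 11
   name "RemoteOffice2"
   tagged 1
   ip address 192.168.11.1 255.255.255.0
   ip helper-address 192.168.1.10
   exit
; turn on inter-VLAN routing and send everything else to the ASA
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.254
write memory

! ASA 5510 side (assumed interface name "inside"): return routes so the
! firewall can reach the two remote subnets through the switch
route inside 192.168.10.0 255.255.255.0 192.168.1.1
route inside 192.168.11.0 255.255.255.0 192.168.1.1
```

The hosts in each office then use the switch VLAN address (192.168.10.1 or 192.168.11.1) as their default gateway, so the two new DHCP scopes must hand out those router options; the ASA's NAT rules must also be extended to cover 192.168.10.0/24 and 192.168.11.0/24, with syntax that depends on the ASA software version.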
ASKER
RudiR

Hello.

The drawing was just an illustration of what I thought would be the best solution, but reading what you wrote it looks like I created more work for myself than intended :D

If you were to suggest a setup for this to work, which way would you go?
If I need to get more hardware I will, but I want the easiest possible solution.

Today I only have the ASA 5510 and the ProCurve switch at the main office.

Damn, this proves to be a challenge for me; advanced networking is not what I know best.
Heiko Bialozyt

OK, let me try an easy solution.
Do you have all interfaces of the ASA 5510 in use? If not, the ASA can handle all tasks.
Heiko Bialozyt

How many devices (IP addresses) do you have active in each location?
ASKER
RudiR

On the ASA I have 2 ports occupied, external (Internet) and one to the internal net.
I think there are 2 or 3 ports available in the firewall.

About the IP addresses: I have one scope today that supplies IP addresses to the main location and one of the remote offices; the second remote office has not been connected to the WAN.

It's when they connect the second office to the WAN that they also change to VLANs.

As of today there is one class C range (192.168.1.xxx); I think the DHCP scope is like 100 addresses or so, more than enough for the users.
ASKER CERTIFIED SOLUTION
Heiko Bialozyt

Log in or sign up to see answer
ASKER
RudiR

Nice.

So basically I do the following and it should work.

* Create a trunk port on the switch for the incoming WAN (VLAN 10 and 11)
* Create 2 native switch ports, one for each VLAN.
* Connect the 2 VLAN switch ports to the regular LAN.
* Disable security on the switch ports (all 4?)

Does this solution still require 2 additional DHCP scopes on the server?
Heiko Bialozyt

There is nothing else to do.
ASKER
RudiR

OK, so the 2 remote sites will get IP addresses from the main site as if it were one big network?

That is perfect and a slick solution to my problem.
Heiko Bialozyt

Exact ... you will get one big network.
ASKER
RudiR

Thanks for the help, I will try and make this configuration on the switch ASAP.

I will close this thread and accept your solution.
ASKER
RudiR

Thanks a lot for the detailed help.