How to "share" a port between 2 VLAN's on 3Com SS 3226....

I am trying to segment traffic on our remote office network and need assistance. We have a 100MB Ethernet Internet drop in this office, which shares this connection with another pseudo-related entity to our firm. The two "firms" are separated in the building, but have the exact same 3Com Superstack 3226 switch on each end (linked together via a fiber-optic cable run and SPF transceiver in Port 26 on each switch). The 100MB Internet connection is plugged into a single port on our switch (let's call that switch "A") and all of the ports on Switch "A" and the switch in the other firm (lets call that switch "B") are members of the same VLAN currrently.

Recently, we've noticed a severe degradation in the network consistency seen by our firm's staff, but not by the other firm. We don't host servers or other physical devices using Internet Access in our offices (all of our staff have desktop computers with Citrix/RDP access to our main office location)...but the other firm does.

Whether that's a result of the problems we've seen or not, I'd like to segment these two firms such that all of the ports on Switch "B" are on one VLAN, The ports on switch "A" are on their own VLAN...EXCEPT...the port containing the 100MB ethernet connection....which would need to be accessible by both original VLAN's. I know from reading various newsgroup posts, this can only be done a few of which is with a layer 3 switch...which these two switches are.

I'm pretty sure I know how to set each port to one VLAN or another...but I need to know how to share a port between the two of them? Also, what about the SPF Transceiver port (port 26) linking the two switches by fiber-optic is this dealt with in the same scenario?

This is something of an urgent issue for anything this community can do to assist, I'd appreciate it.

Who is Participating?
jfradyConnect With a Mentor Commented:
The switches are Layer 3 switches and can perform routing.  The issue is that your firewall has to play a part in this scenario any way you go.  You can't segment the networks with VLAN's without having two separate Layer 3 networks.  In order to do this you will have to change the subnet that one of the networks is on.  And the firewall has to be able to route to both of those networks.

I understand what you are trying to do and I'm attempting to tell you how to do it.  The best way to do it depends on the questions I have posed and also the equipment that you have.  I'm telling you that you can't really do it with VLAN's in the way you are seeming to want to do it.  

The way a firewall that is doing network address translation works is that it translates one set of addresses to another (public to private).  When you segment the 2 networks and have two different IP ranges the firewall will have to perform NAT on both of those ranges.  That is doable for the firewall you have by setting up two LAN networks and routing.   Not by using VLAN's.  Another way your firewall can do it is by dedicating a separate port for either your firms network or your partner firms network.  Then use VLAN's in the switching infrastructure to get the appropriate network traffic to the right ports on each network.

The switches are not the limiting factor here.  

The two options you have are:

1 - Use a different port on your firewall for one groups network.  This can happen with the equipment you have by using VLAN's as I described before.  The distance between the networks does not matter.  To be separate the two networks have to be on separate network ranges.  If it helps you imagine it that your switch will be split into two.  One switch will connect a copper port to the firewall and  20+ others will connect to users in your network.  Let's call that VLAN 1.  One copper port and the fiber uplink will be in VLAN 2.  The copper port will connect to the second port on the firewall and the fiber port will feed the other switch.  The two networks traffic will be separate and only routed together as it passes to the Internet connection.

2 - Use one of the switches as a router and "daisy-chain" the networks.  Firewall <-> Your network and subnet <-> their network and subnet.  Their traffic would traverse your network for Internet access and any separation or disallowing of sharing services would have to be done with ACL's on the switches.

Either way - and this might be where you're mis-understanding - one of the networks will absolutely have to be re-addressed.  No two ways about it.  If the networks are to be separate they have to be different IP ranges and separate Layer 3 networks.  

Looking back I think this is where the disconnect in understanding is occurring.  Please don't take this the wrong way, but do you have an understanding of the difference between how Layer 2/Layer 3 networks work and routing?  I understand that you have knowledge and experience.  As I do.  Essentially VLAN is synonymous with Layer 3 network or Subnet.  You can have Layer 2 VLAN's but without having a router a Layer 2 VLAN can not communicate with any other network.  

In my opinion option 1 above makes the most sense for what you have.  It will separate the traffic between the two firms networks and give both firms Internet access.  
There are two ways to do what you are describing.  Depending on the router (or firewall) the switches connect into and it's capabilities you could either set up a VLAN trunk for both networks to your router/firewall or you could just use the 3226 to route to the other 3226 network.  

Of course you will have to change IP addresses, default gateway etc. on all devices on the new network.  Are you using DHCP?

This is a good idea to keep the traffic segmented but nothing yet indicates that this would resolve your performance issues.  In fact if it were a networking issue causing the performance problems it would likely be seen by both firms as they now occupy the same layer 2 network.  

Can you provide more details as to the performance issues, network setup, and router firewall?  
seriochka1Author Commented:
The Router/Firewall currently used is a Linksys (Cisco) RV082, but that will soon be changing to a more robust router/firewall server, so I'm more interested in exactly how to route the traffic using the 3226 switches...since those won't change.

All of the workstations on our and large, are static-assigned IP's and DNS info. Again, we don't host any servers on our side of this network...but the other firm does. We do use some DHCP addressing, for those times where someone does come into the office and need to "plug-in" for access, but aside from

I know part of the performance issue has to do with our main office's internet connection and it's usage. We are upgrading that circuit, but it will take a few months to get the new service installed. Outside of that, there are periods where our main office internet connection is not in use...but our staff get "locked up" or kicked off of any remote services they may be using. We've monitored our main office servers for CPU/Memory usage or errant programs that could be causing the problem...nothing shows up.

So, any specifics as to how to route the traffic between the VLAN's on switches A & B as I described above would be good. Yes, this may not resolve the issue completely, but I want to take every step to ensure there's nothing we've overlooked or missed in the process. Staff have lost all patience with these problems and it's affecting their ability to serve our clients.

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Do you have control of the other firms network to change their IP addressing?
I believe you stated the Internet connection is on your "side" of the network currently.
You also mentioned though that the other firm provides Internet facing applications.  Is that through use of a DMZ or do you have static NAT/PAT assignments forwarding the traffic?

I'm trying to determine if you would re-address your network or their network.  That would also impact how the router and the switches were configured.  For instance, if you re-address your side it would be easier to keep the static assignments and forwarding for the other firms Internet facing devices.  It would be more difficult however since your Internet connection currently is located on your side of the network.

I just glanced at the RV082 manual and it appears not to support VLAN's completely.  It is however a multi-port device that appears to be able to create and route multiple networks via multiple ports.  One approach that may work for you is to utilize the RV082 to do the routing and Internet connectivity for both networks by using a different physical port and utilizing VLAN's on the 3226's to extend the network for the other firm.  In this case you would create the VLAN configuration and then add a new network for your firm's network on a different segment.  In this setup on the switches you would have all the ports in your 3226 be untagged on your firm's VLAN and have the newly created network port plugged into one of those untagged ports.  Then you would have an untagged port in your switch that is on the old network (other firm).  The fiber uplink would still be in this original untagged network along with all the ports on the other switch.  This approach would force all traffic between the firms through the router/firewall offering more control

The other approach would be to use the 3226 and no VLAN's.  In this case you would change the IP scheme of the other firm's network.  On your firms 3226 you would just enable the uplink port in a different Layer 3 network that you create for the other firm.  Problems with this approach are due to the physical layer connectivity (Internet in your switch - other firm with web facing apps),  And may also be hampered by your ability to modify the other firms network.  If the Internet connection came into their side it would be easier to keep their IP scheme the same and add a route to your network.  In the RV082 you would just create another LAN network.

Another approach might be to virtually extend the network to the other firm first and then route your firm's traffic back through their network.  In this approach all your firms traffic would traverse the uplink between the two switches twice.

There are a number of other advantages/disadvantages to each approach.  Unfortunately there are a number of solutions that would work.  The key is to find which would work best in your situation with the minimal work now and later.

What are your thoughts on the best approach?  Right now I'm thinking enabling another port in the RV082 might be the best way to go.  If the Internet facing app's on your partner firms network could be in a DMZ you could also add a third port for the DMZ
seriochka1Author Commented:
As I said, the RV082 will be going away any solution involving that device would be short-lived. They're also 9-10 floors, opposite building side, from our running any sort of cat5/6 cable to them on the RV082 wouldn't work. In addition, there's a chance that we'd be moving offices in the next 18 months (for this remote office) any change we make has to be made with minimal impacts to both sets of staff involved.

Right now, everyone is in the same VLAN...both their systems and ours, but in segmenting the VLANs out, my understanding was the port that holds that ethernet cable carrying our Internet connection would have to be a part of both VLANs in order to work properly.

The other firm has their own e-mail and file systems on their network, but I don't know the extent to which "the public" accesses those systems or if their website also sits in-house.

The segment connecting your network to theirs would only need to be a VLAN trunk if you needed their VLAN to traverse across your network.  The method to have multiple VLAN's "share" as you say one link is to create a VLAN trunk.  This allows both networks to cross the link in a tagged fashion.  Tagged means that your traffic might have a tag indicating it is VLAN 1  and their traffic might be tagged for VLAN 2.  

Let's get back to basics... your Internet connection is shared with this sister firm correct?  Each network will needs it's own IP range, network, and default gateway.  Both of those networks would need to be "defined" in your router/firewall in order to retain Internet access.  Sure, I could tell you how to "share" the uplink between the two network but then you and/or their network would not function and be able to access the Internet.

Thats why I'm trying to show you the possibilities such that you can pick which direction you feel is most appropriate given your knowledge of the networks and political climate.  Also, in the suggestion to utilize your existing firewall/router you would not need to pull any cable.  The switch would still perform the media conversion from copper to fiber as it currently does.  Also - any replacement firewall/router would have the minimum functionality of your current unit you mentioned.

Now, if you want to segment their network and cut off their Internet access I could easily tell you how to do the segmentation.   Is that what you're looking to do or would you prefer to have both networks still function?

If you mean the connection to the firewall/router would have to be a VLAN trunk - that's what I mentioned that your existing unit cannot do.  The only VLAN capability it supports is by use of a physically separate connection.  I'll re-look at the manual again to verify but I believe that is what I read.

If the firewall/router would support having a VLAN trunk to your internal networks that would be a different story.  Even if it does support it you would still need to re-address one of the networks.  You would also still have the NAT issue and need to know what resources on their network are Internet accessible.
From the most current manual for your firewall:

VLAN - For each LAN port, a VLAN (a Virtual LAN, or
network within your network) can be established. Up to
eight VLANs can be established.

This means your firewall does not support VLAN tagging or a VLAN trunk.  One physical connection to the firewall cannot carry two distinct networks unless you routed as described in the 4th paragraph of the post from 2:55.

Either way a network needs to be completely re-addressed to do any sort of segmentation.  Unless the sister firm has their own Internet connection.  Which in that case you probably wouldn't need to be connected to them anyway.

Thats another factor we havent addressed yet.  Do you share information from their network to yours?  Currently it appears to be an open connection between the two.  When you split the networks will access be needed from one net to the other for file sharing etc.?

seriochka1Author Commented:
I think this is getting way too complicated and while I understand what you're saying and appreciate the help, let me try again to break this down so it's clear what we're looking for:

I want our firm and theirs to share basic services provided by the firewall (Internet Access & firewall protection, DHCP Services, etc...), but I don't want any traffic coming from their servers or activity to be seen by staff (and their workstations) on my network. We don't share files, printers or anything else with this other entity, it's a completely separate group only loosely affiliated with us. We, while needing to be separated from them, can share the same subnet/ip address range because we (my firm...Switch "A") don't house nor will house servers or other web-based applications from this office. We do some DHCP for those instances where folks from our main office come in (or our members) and plug their computer into an RJ-45 connection to "get on the internet", but all of our workstations, printers, etc.. are static IP are the majority of this other firm's computers...have a static IP address.

I don't see the firewall being the point of making this change into separate VLAN's happen....since the RV082 is going away, it has only baisc VLAN capability we're not currently using, and there's a physical distance/space limitation between our firm and theirs. Even our new firewall will only have 2 NIC's and that's how we'd like to keep it...again given the distance limitations above.

My understanding was that a layer 3 switch would allow me to segment/tag the various ports on both of our switches such that their switch is say...VLAN2, ours is VLAN3, and the one port on our switch being fed the internet connection from the router would be accessible to both VLANs, hence no one being cut off from the Internet, but neither office being able to see the "traffic" or activity of the other. My understanding was also that these 3Com SS 3226 switches were layer 3 capable and able to do what I'm describing above. If that's not the case...please let me know. Otherwise, instructions/specifics with these switches on trunking/tagging ports to accomplish the above would be appreciated.

Sorry if this comes off as curt or whatever, but our staff is besides themselves with this issue and while my knowledge/experience is vast...I can't remember with this set of switches exactly how to do what I'm trying to do.

You are connected to SWITCH_A, stepchild company is attached to SWITCH_B.  Which switch is the WAN LINK (internet) connected to?

Also, if your network is slowing to a crawl and theirs is not.  You might just have a STP (spanning-tree/switching loop)  issue.  This can happen if there are any hubs or switches connected to your SWITCH_A, like in someones office or cubicle, where they were trying to attach more than 1 device to the network (2 PCs, 1 PC & 1 laptop, 1 PC and a networked printer, etc.) If there is one cable looping back in the network anywhere, it can cause issues like the one you describe.
I believe points should be awarded as much time was spent and a number of appropriate recommendations were provided.  
After reviewing the question I agree. Post http:#a29743339 should be accepted, since it contains the only feasible solutions.
Sorry for the wrong closure recommendation.

Cleanup Volunteer
Starting the automated closure procedure to implement the recommendations from the participating Expert(s).

- thermoduric -
EE Community Support Moderator

All Courses

From novice to tech pro — start learning today.