seriochka1
asked on
How to "share" a port between 2 VLAN's on 3Com SS 3226....
I am trying to segment traffic on our remote office network and need assistance. We have a 100MB Ethernet Internet drop in this office, which shares this connection with another pseudo-related entity to our firm. The two "firms" are separated in the building, but have the exact same 3Com Superstack 3226 switch on each end (linked together via a fiber-optic cable run and SPF transceiver in Port 26 on each switch). The 100MB Internet connection is plugged into a single port on our switch (let's call that switch "A") and all of the ports on Switch "A" and the switch in the other firm (lets call that switch "B") are members of the same VLAN currrently.
Recently, we've noticed a severe degradation in the network consistency seen by our firm's staff, but not by the other firm. We don't host servers or other physical devices using Internet Access in our offices (all of our staff have desktop computers with Citrix/RDP access to our main office location)...but the other firm does.
Whether that's a result of the problems we've seen or not, I'd like to segment these two firms such that all of the ports on Switch "B" are on one VLAN, The ports on switch "A" are on their own VLAN...EXCEPT...the port containing the 100MB ethernet connection....which would need to be accessible by both original VLAN's. I know from reading various newsgroup posts, this can only be done a few ways...one of which is with a layer 3 switch...which these two switches are.
I'm pretty sure I know how to set each port to one VLAN or another...but I need to know how to share a port between the two of them? Also, what about the SPF Transceiver port (port 26) linking the two switches by fiber-optic cable....how is this dealt with in the same scenario?
This is something of an urgent issue for us...so anything this community can do to assist, I'd appreciate it.
-Steve
Recently, we've noticed a severe degradation in the network consistency seen by our firm's staff, but not by the other firm. We don't host servers or other physical devices using Internet Access in our offices (all of our staff have desktop computers with Citrix/RDP access to our main office location)...but the other firm does.
Whether that's a result of the problems we've seen or not, I'd like to segment these two firms such that all of the ports on Switch "B" are on one VLAN, The ports on switch "A" are on their own VLAN...EXCEPT...the port containing the 100MB ethernet connection....which would need to be accessible by both original VLAN's. I know from reading various newsgroup posts, this can only be done a few ways...one of which is with a layer 3 switch...which these two switches are.
I'm pretty sure I know how to set each port to one VLAN or another...but I need to know how to share a port between the two of them? Also, what about the SPF Transceiver port (port 26) linking the two switches by fiber-optic cable....how is this dealt with in the same scenario?
This is something of an urgent issue for us...so anything this community can do to assist, I'd appreciate it.
-Steve
ASKER
The Router/Firewall currently used is a Linksys (Cisco) RV082, but that will soon be changing to a more robust router/firewall server, so I'm more interested in exactly how to route the traffic using the 3226 switches...since those won't change.
All of the workstations on our network...by and large, are static-assigned IP's and DNS info. Again, we don't host any servers on our side of this network...but the other firm does. We do use some DHCP addressing, for those times where someone does come into the office and need to "plug-in" for access, but aside from that...no.
I know part of the performance issue has to do with our main office's internet connection and it's usage. We are upgrading that circuit, but it will take a few months to get the new service installed. Outside of that, there are periods where our main office internet connection is not in use...but our staff get "locked up" or kicked off of any remote services they may be using. We've monitored our main office servers for CPU/Memory usage or errant programs that could be causing the problem...nothing shows up.
So, any specifics as to how to route the traffic between the VLAN's on switches A & B as I described above would be good. Yes, this may not resolve the issue completely, but I want to take every step to ensure there's nothing we've overlooked or missed in the process. Staff have lost all patience with these problems and it's affecting their ability to serve our clients.
Thanks.
All of the workstations on our network...by and large, are static-assigned IP's and DNS info. Again, we don't host any servers on our side of this network...but the other firm does. We do use some DHCP addressing, for those times where someone does come into the office and need to "plug-in" for access, but aside from that...no.
I know part of the performance issue has to do with our main office's internet connection and it's usage. We are upgrading that circuit, but it will take a few months to get the new service installed. Outside of that, there are periods where our main office internet connection is not in use...but our staff get "locked up" or kicked off of any remote services they may be using. We've monitored our main office servers for CPU/Memory usage or errant programs that could be causing the problem...nothing shows up.
So, any specifics as to how to route the traffic between the VLAN's on switches A & B as I described above would be good. Yes, this may not resolve the issue completely, but I want to take every step to ensure there's nothing we've overlooked or missed in the process. Staff have lost all patience with these problems and it's affecting their ability to serve our clients.
Thanks.
Do you have control of the other firms network to change their IP addressing?
I believe you stated the Internet connection is on your "side" of the network currently.
You also mentioned though that the other firm provides Internet facing applications. Is that through use of a DMZ or do you have static NAT/PAT assignments forwarding the traffic?
I'm trying to determine if you would re-address your network or their network. That would also impact how the router and the switches were configured. For instance, if you re-address your side it would be easier to keep the static assignments and forwarding for the other firms Internet facing devices. It would be more difficult however since your Internet connection currently is located on your side of the network.
I just glanced at the RV082 manual and it appears not to support VLAN's completely. It is however a multi-port device that appears to be able to create and route multiple networks via multiple ports. One approach that may work for you is to utilize the RV082 to do the routing and Internet connectivity for both networks by using a different physical port and utilizing VLAN's on the 3226's to extend the network for the other firm. In this case you would create the VLAN configuration and then add a new network for your firm's network on a different segment. In this setup on the switches you would have all the ports in your 3226 be untagged on your firm's VLAN and have the newly created network port plugged into one of those untagged ports. Then you would have an untagged port in your switch that is on the old network (other firm). The fiber uplink would still be in this original untagged network along with all the ports on the other switch. This approach would force all traffic between the firms through the router/firewall offering more control
The other approach would be to use the 3226 and no VLAN's. In this case you would change the IP scheme of the other firm's network. On your firms 3226 you would just enable the uplink port in a different Layer 3 network that you create for the other firm. Problems with this approach are due to the physical layer connectivity (Internet in your switch - other firm with web facing apps), And may also be hampered by your ability to modify the other firms network. If the Internet connection came into their side it would be easier to keep their IP scheme the same and add a route to your network. In the RV082 you would just create another LAN network.
Another approach might be to virtually extend the network to the other firm first and then route your firm's traffic back through their network. In this approach all your firms traffic would traverse the uplink between the two switches twice.
There are a number of other advantages/disadvantages to each approach. Unfortunately there are a number of solutions that would work. The key is to find which would work best in your situation with the minimal work now and later.
What are your thoughts on the best approach? Right now I'm thinking enabling another port in the RV082 might be the best way to go. If the Internet facing app's on your partner firms network could be in a DMZ you could also add a third port for the DMZ
I believe you stated the Internet connection is on your "side" of the network currently.
You also mentioned though that the other firm provides Internet facing applications. Is that through use of a DMZ or do you have static NAT/PAT assignments forwarding the traffic?
I'm trying to determine if you would re-address your network or their network. That would also impact how the router and the switches were configured. For instance, if you re-address your side it would be easier to keep the static assignments and forwarding for the other firms Internet facing devices. It would be more difficult however since your Internet connection currently is located on your side of the network.
I just glanced at the RV082 manual and it appears not to support VLAN's completely. It is however a multi-port device that appears to be able to create and route multiple networks via multiple ports. One approach that may work for you is to utilize the RV082 to do the routing and Internet connectivity for both networks by using a different physical port and utilizing VLAN's on the 3226's to extend the network for the other firm. In this case you would create the VLAN configuration and then add a new network for your firm's network on a different segment. In this setup on the switches you would have all the ports in your 3226 be untagged on your firm's VLAN and have the newly created network port plugged into one of those untagged ports. Then you would have an untagged port in your switch that is on the old network (other firm). The fiber uplink would still be in this original untagged network along with all the ports on the other switch. This approach would force all traffic between the firms through the router/firewall offering more control
The other approach would be to use the 3226 and no VLAN's. In this case you would change the IP scheme of the other firm's network. On your firms 3226 you would just enable the uplink port in a different Layer 3 network that you create for the other firm. Problems with this approach are due to the physical layer connectivity (Internet in your switch - other firm with web facing apps), And may also be hampered by your ability to modify the other firms network. If the Internet connection came into their side it would be easier to keep their IP scheme the same and add a route to your network. In the RV082 you would just create another LAN network.
Another approach might be to virtually extend the network to the other firm first and then route your firm's traffic back through their network. In this approach all your firms traffic would traverse the uplink between the two switches twice.
There are a number of other advantages/disadvantages to each approach. Unfortunately there are a number of solutions that would work. The key is to find which would work best in your situation with the minimal work now and later.
What are your thoughts on the best approach? Right now I'm thinking enabling another port in the RV082 might be the best way to go. If the Internet facing app's on your partner firms network could be in a DMZ you could also add a third port for the DMZ
ASKER
As I said, the RV082 will be going away soon...so any solution involving that device would be short-lived. They're also 9-10 floors, opposite building side, from our office....so running any sort of cat5/6 cable to them on the RV082 wouldn't work. In addition, there's a chance that we'd be moving offices in the next 18 months (for this remote office)...so any change we make has to be made with minimal impacts to both sets of staff involved.
Right now, everyone is in the same VLAN...both their systems and ours, but in segmenting the VLANs out, my understanding was the port that holds that ethernet cable carrying our Internet connection would have to be a part of both VLANs in order to work properly.
The other firm has their own e-mail and file systems on their network, but I don't know the extent to which "the public" accesses those systems or if their website also sits in-house.
Right now, everyone is in the same VLAN...both their systems and ours, but in segmenting the VLANs out, my understanding was the port that holds that ethernet cable carrying our Internet connection would have to be a part of both VLANs in order to work properly.
The other firm has their own e-mail and file systems on their network, but I don't know the extent to which "the public" accesses those systems or if their website also sits in-house.
The segment connecting your network to theirs would only need to be a VLAN trunk if you needed their VLAN to traverse across your network. The method to have multiple VLAN's "share" as you say one link is to create a VLAN trunk. This allows both networks to cross the link in a tagged fashion. Tagged means that your traffic might have a tag indicating it is VLAN 1 and their traffic might be tagged for VLAN 2.
Let's get back to basics... your Internet connection is shared with this sister firm correct? Each network will needs it's own IP range, network, and default gateway. Both of those networks would need to be "defined" in your router/firewall in order to retain Internet access. Sure, I could tell you how to "share" the uplink between the two network but then you and/or their network would not function and be able to access the Internet.
Thats why I'm trying to show you the possibilities such that you can pick which direction you feel is most appropriate given your knowledge of the networks and political climate. Also, in the suggestion to utilize your existing firewall/router you would not need to pull any cable. The switch would still perform the media conversion from copper to fiber as it currently does. Also - any replacement firewall/router would have the minimum functionality of your current unit you mentioned.
Now, if you want to segment their network and cut off their Internet access I could easily tell you how to do the segmentation. Is that what you're looking to do or would you prefer to have both networks still function?
If you mean the connection to the firewall/router would have to be a VLAN trunk - that's what I mentioned that your existing unit cannot do. The only VLAN capability it supports is by use of a physically separate connection. I'll re-look at the manual again to verify but I believe that is what I read.
If the firewall/router would support having a VLAN trunk to your internal networks that would be a different story. Even if it does support it you would still need to re-address one of the networks. You would also still have the NAT issue and need to know what resources on their network are Internet accessible.
Let's get back to basics... your Internet connection is shared with this sister firm correct? Each network will needs it's own IP range, network, and default gateway. Both of those networks would need to be "defined" in your router/firewall in order to retain Internet access. Sure, I could tell you how to "share" the uplink between the two network but then you and/or their network would not function and be able to access the Internet.
Thats why I'm trying to show you the possibilities such that you can pick which direction you feel is most appropriate given your knowledge of the networks and political climate. Also, in the suggestion to utilize your existing firewall/router you would not need to pull any cable. The switch would still perform the media conversion from copper to fiber as it currently does. Also - any replacement firewall/router would have the minimum functionality of your current unit you mentioned.
Now, if you want to segment their network and cut off their Internet access I could easily tell you how to do the segmentation. Is that what you're looking to do or would you prefer to have both networks still function?
If you mean the connection to the firewall/router would have to be a VLAN trunk - that's what I mentioned that your existing unit cannot do. The only VLAN capability it supports is by use of a physically separate connection. I'll re-look at the manual again to verify but I believe that is what I read.
If the firewall/router would support having a VLAN trunk to your internal networks that would be a different story. Even if it does support it you would still need to re-address one of the networks. You would also still have the NAT issue and need to know what resources on their network are Internet accessible.
From the most current manual for your firewall:
VLAN - For each LAN port, a VLAN (a Virtual LAN, or
network within your network) can be established. Up to
eight VLANs can be established.
This means your firewall does not support VLAN tagging or a VLAN trunk. One physical connection to the firewall cannot carry two distinct networks unless you routed as described in the 4th paragraph of the post from 2:55.
Either way a network needs to be completely re-addressed to do any sort of segmentation. Unless the sister firm has their own Internet connection. Which in that case you probably wouldn't need to be connected to them anyway.
Thats another factor we havent addressed yet. Do you share information from their network to yours? Currently it appears to be an open connection between the two. When you split the networks will access be needed from one net to the other for file sharing etc.?
VLAN - For each LAN port, a VLAN (a Virtual LAN, or
network within your network) can be established. Up to
eight VLANs can be established.
This means your firewall does not support VLAN tagging or a VLAN trunk. One physical connection to the firewall cannot carry two distinct networks unless you routed as described in the 4th paragraph of the post from 2:55.
Either way a network needs to be completely re-addressed to do any sort of segmentation. Unless the sister firm has their own Internet connection. Which in that case you probably wouldn't need to be connected to them anyway.
Thats another factor we havent addressed yet. Do you share information from their network to yours? Currently it appears to be an open connection between the two. When you split the networks will access be needed from one net to the other for file sharing etc.?
ASKER
I think this is getting way too complicated and while I understand what you're saying and appreciate the help, let me try again to break this down so it's clear what we're looking for:
I want our firm and theirs to share basic services provided by the firewall (Internet Access & firewall protection, DHCP Services, etc...), but I don't want any traffic coming from their servers or activity to be seen by staff (and their workstations) on my network. We don't share files, printers or anything else with this other entity, it's a completely separate group only loosely affiliated with us. We, while needing to be separated from them, can share the same subnet/ip address range because we (my firm...Switch "A") don't house nor will house servers or other web-based applications from this office. We do some DHCP for those instances where folks from our main office come in (or our members) and plug their computer into an RJ-45 connection to "get on the internet", but all of our workstations, printers, etc.. are static IP addresses...as are the majority of this other firm's computers...have a static IP address.
I don't see the firewall being the point of making this change into separate VLAN's happen....since the RV082 is going away, it has only baisc VLAN capability we're not currently using, and there's a physical distance/space limitation between our firm and theirs. Even our new firewall will only have 2 NIC's and that's how we'd like to keep it...again given the distance limitations above.
My understanding was that a layer 3 switch would allow me to segment/tag the various ports on both of our switches such that their switch is say...VLAN2, ours is VLAN3, and the one port on our switch being fed the internet connection from the router would be accessible to both VLANs, hence no one being cut off from the Internet, but neither office being able to see the "traffic" or activity of the other. My understanding was also that these 3Com SS 3226 switches were layer 3 capable and able to do what I'm describing above. If that's not the case...please let me know. Otherwise, instructions/specifics with these switches on trunking/tagging ports to accomplish the above would be appreciated.
Sorry if this comes off as curt or whatever, but our staff is besides themselves with this issue and while my knowledge/experience is vast...I can't remember with this set of switches exactly how to do what I'm trying to do.
-Steve
I want our firm and theirs to share basic services provided by the firewall (Internet Access & firewall protection, DHCP Services, etc...), but I don't want any traffic coming from their servers or activity to be seen by staff (and their workstations) on my network. We don't share files, printers or anything else with this other entity, it's a completely separate group only loosely affiliated with us. We, while needing to be separated from them, can share the same subnet/ip address range because we (my firm...Switch "A") don't house nor will house servers or other web-based applications from this office. We do some DHCP for those instances where folks from our main office come in (or our members) and plug their computer into an RJ-45 connection to "get on the internet", but all of our workstations, printers, etc.. are static IP addresses...as are the majority of this other firm's computers...have a static IP address.
I don't see the firewall being the point of making this change into separate VLAN's happen....since the RV082 is going away, it has only baisc VLAN capability we're not currently using, and there's a physical distance/space limitation between our firm and theirs. Even our new firewall will only have 2 NIC's and that's how we'd like to keep it...again given the distance limitations above.
My understanding was that a layer 3 switch would allow me to segment/tag the various ports on both of our switches such that their switch is say...VLAN2, ours is VLAN3, and the one port on our switch being fed the internet connection from the router would be accessible to both VLANs, hence no one being cut off from the Internet, but neither office being able to see the "traffic" or activity of the other. My understanding was also that these 3Com SS 3226 switches were layer 3 capable and able to do what I'm describing above. If that's not the case...please let me know. Otherwise, instructions/specifics with these switches on trunking/tagging ports to accomplish the above would be appreciated.
Sorry if this comes off as curt or whatever, but our staff is besides themselves with this issue and while my knowledge/experience is vast...I can't remember with this set of switches exactly how to do what I'm trying to do.
-Steve
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You are connected to SWITCH_A, stepchild company is attached to SWITCH_B. Which switch is the WAN LINK (internet) connected to?
Also, if your network is slowing to a crawl and theirs is not. You might just have a STP (spanning-tree/switching loop) issue. This can happen if there are any hubs or switches connected to your SWITCH_A, like in someones office or cubicle, where they were trying to attach more than 1 device to the network (2 PCs, 1 PC & 1 laptop, 1 PC and a networked printer, etc.) If there is one cable looping back in the network anywhere, it can cause issues like the one you describe.
Also, if your network is slowing to a crawl and theirs is not. You might just have a STP (spanning-tree/switching loop) issue. This can happen if there are any hubs or switches connected to your SWITCH_A, like in someones office or cubicle, where they were trying to attach more than 1 device to the network (2 PCs, 1 PC & 1 laptop, 1 PC and a networked printer, etc.) If there is one cable looping back in the network anywhere, it can cause issues like the one you describe.
I believe points should be awarded as much time was spent and a number of appropriate recommendations were provided.
After reviewing the question I agree. Post http:#a29743339 should be accepted, since it contains the only feasible solutions.
Sorry for the wrong closure recommendation.
Qlemo
Cleanup Volunteer
Sorry for the wrong closure recommendation.
Qlemo
Cleanup Volunteer
Starting the automated closure procedure to implement the recommendations from the participating Expert(s).
- thermoduric -
EE Community Support Moderator
https://www.experts-exchange.com/questions/26641690/01-Dec-10-17-Automated-Request-for-Review-Objection-to-Delete-Q-25697518.html
- thermoduric -
EE Community Support Moderator
https://www.experts-exchange.com/questions/26641690/01-Dec-10-17-Automated-Request-for-Review-Objection-to-Delete-Q-25697518.html
Of course you will have to change IP addresses, default gateway etc. on all devices on the new network. Are you using DHCP?
This is a good idea to keep the traffic segmented but nothing yet indicates that this would resolve your performance issues. In fact if it were a networking issue causing the performance problems it would likely be seen by both firms as they now occupy the same layer 2 network.
Can you provide more details as to the performance issues, network setup, and router firewall?