Connect windows system to two subnets

Hi,
In the diagram below I need system (A) to communicate with system (B). System (A) must be able to remain connected to the 10.0.0.0 subnet, though.
Subnet 10.0.0.0 is the main Windows network and houses the connection to the Internet. Subnet 10.1.1.0 consists of POS software. System A needs to run a POS application that talks to the POS server (system (B)) while still being able to communicate with the Windows server and Internet via the 10.0.0.0 subnet.

The two switches in the 10.0.0.0 subnet are in separate buildings and are connected via fiber. There are no other physical connections available between building 1 and building 2.

The two switches are Linksys SRW2016 and SRW2048 devices.

I cannot add additional NICs to the systems in subnet 10.1.1.0. I can add additional NICs to systems in the 10.0.0.0 subnet, however.
[Attachment: Drawing2.jpg]
IT101 Asked:
GrayMatter Commented:
There are a few options. First, what is device 10.1.1.254?

One option would be to add a second card in WS 10.0.0.23 and assign it an address on the 10.1.1.0/24 network then uplink the two switches.

Another option would be to put in a router to physically connect the two networks and then add a static route on 10.0.0.23 telling it to go to the router to get to 10.1.1.0/24. You will also need a static route on 10.1.1.130 for it to get back.

Cheers!
GM
0
IT101 (Author) Commented:
Thanks for the fast reply GrayMatter!
I did not take down what the 10.1.1.254 router model was. I know it was a Cisco appliance and I'm quite sure it did not have an internal modem (not that that would matter). I'm quite sure it then connects to a modem and VPN that would connect
 
Option 1: Pull me up anywhere that I miss a step:
Do you mean add another NIC to 10.0.0.23 and assign it an address in the 10.1.1.0 subnet?
Link the two switches together that are in the second (right hand) building.
Does this mean I have two NICs from the 10.0.0.23 system with different subnets, both connected to the switch in the left hand building?
If I did this, how do I make the switches aware to forward the packets destined for  to the other subnet? I thought you needed a layer 3 device to do that?
Option 2: Is it possible to make, say, 10.0.0.44 the router by adding another NIC to it and connecting its second NIC to the 10.1.1.0 switch? I have been asked to accomplish this without additional hardware costs.
0
IT101 (Author) Commented:
Missed a sentence above in the first paragraph:
*VPN that would connect the POS network to their main sites network.
0
ffleisma (Senior Network Engineer) Commented:
Hi IT101,

I'm assuming the 10.1.1.0 subnet needs to be at building 2 (the building on the right side). You can try connecting the 10.0.0.0 switch in building 2 to the router at 172.16.12.1 instead of cascading it to the switch in building 1, then do router-on-a-stick on that router. After which, cascade the 10.0.0.0 switch and 10.1.1.0 switch in building 2 while doing trunking between them.

hope it helps :-)
0
linraf Commented:
You can also go into the network card adapter settings where you set your IP address, click Advanced, and you can add a secondary IP address on the second subnet.

This will allow communication, but you do need to examine why you have 2 separate subnets to begin with. If it is for security, a router is the better option so that you can open it only to the traffic that you want to allow.
0
ffleisma (Senior Network Engineer) Commented:
Can routers 172.16.12.1 and 10.1.1.254 do VPN? If so, you can do a site-to-site VPN between the two routers.

hope it helps :-)
0
IT101 (Author) Commented:
Thanks guys...
Subnet 10.1.1.0 is owned by the POS provider and I am not allowed to reprogram their devices (e.g. site-to-site VPN), and they would charge to reconfigure them if the final plan of attack included any changes on their devices/systems.
This is also the reason why they were originally on separate subnets (prior to the new requests the systems never needed to talk to one another, and all subnet 10.1.1.0 systems were provided by the POS provider).
@ffleisma: I'm not sure I want to go down the road of the first suggestion as it sounds like too large a change to the network topology and I wouldn't feel comfortable completing this in a small time frame. Also, would this mean that I would have to buy another router anyway to keep the network behind the firewall?
@linraf: Can you elaborate on the 2 IPs to one card theory (how this works)?
 
0
IT101 (Author) Commented:
I have just had an email from the POS provider on the situation and they advised as follows:

The SRW 2048 & SRW 2016 devices should be able to have the config updated on them to allow the 10.1.1.0 network to be routed through it; you will need to plug the 10.1.1.0 network onto the 10.0.0.0 network.
Has anyone ever done this before?
0
ffleisma (Senior Network Engineer) Commented:
I believe the SRW2048 is a switch and is not capable of layer routing as per documentation from Cisco.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9967/ps9991/data_sheet_c78-502271.html
0
IT101 (Author) Commented:
Yeah, so to do what they are saying it would need to be a layer 3 capable switch?
0
IT101 (Author) Commented:
I just read this, taken from a Cisco paper on the SRW devices:

Individual users or applications can be prioritized above others using various Class of Service options - by port, layer 2 priority (802.1p), and Layer 3 priority (TOS or DSCP). Intelligent Broadcast, and Multicast storm control minimizes and contain the effect of these types of traffic on regular traffic. IGMP Snooping limits bandwidth-intensive video traffic to only the requestors without flooding to all users.
http://www.cisco.com/en/US/docs/switches/lan/csbms/srw2048/administration/guide/SRW-US_v10_UG_A-Web.pdf
What does that mean? It definitely is solely a layer 2 device?
0
IT101 (Author) Commented:
If the SRWs definitely cannot do the job (which from everything I have read (and as ffleisma has pointed out) they are only layer 2), I think I would like 1 "dodgy/no hardware cost" solution (e.g. make an existing system route the traffic) and one stable solution (e.g. buy a router to join the subnets).
 
Can you advise me on what the best and cheapest router would be for the job?
I have just looked at the Cisco 851-K9 router, which looks to be the cheapest in the Cisco router range, but is there anything even cheaper than this that would do the job that I have missed? Maybe a layer 3 switch? I have never worked with a layer 3 switch before.
 
As for the other solution, can anyone give me a few pointers on the steps to set up an XP Pro machine (say SPN-LVL2-SYS01) to act as a router between the two subnets?
Thanks
Ben
0
linraf Commented:
POS systems are generally separated due to security concerns and PCI Compliance.
In order to connect the 2 networks you would almost definitely want a router between them so that you only open the required ports.

That being said, a network cable between two switches each with separate subnets makes them physically part of the same network.

If you give a machine 2 IP addresses, one from each subnet (one gateway), it will be able to communicate via IP address to the second subnet.

To do this:
1. Control Panel
2. Network Connections
3. Right-click on the network connection
4. Properties
5. Highlight Internet Protocol (TCP/IP) (version 4, not 6 if both are listed)
6. Properties
7. Make sure that the original set of IP addresses is set
8. Click Advanced
9. Add an IP address from the second subnet and the subnet mask
10. OK, OK, Close.

0
ffleisma (Senior Network Engineer) Commented:
What firewall are you using? Can your firewall do routing? I'm thinking maybe you could create two VLANs (10.0.0.0/24 subnet and 10.1.1.0/24 subnet) then trunk it all the way to your firewall; no cost incurred, just a change in configuration and adding a connection between the two switches for 10.0.0.0 and 10.1.1.0 at building 2.

hope this helps :-)
0
IT101 (Author) Commented:
@linraf: I will give this a go in a test environment. Would the system in the left building then need two gateways or something, though? The main Windows server and this 2-NIC'ed system?
@ffleisma: Yeah, it's an ASA 5505 but it's not licensed to use any more VLANs, so I cannot use it to route as you have said, unfortunately.
0
linraf Commented:
The system in the left building is the one that needs access to 2 networks; you put the 2 IP addresses in that 1 NIC. Only one gateway, the one for the left side building that gets to the Internet. There must be a cable connecting the switches for the 2 networks also for this to work.

Again, I advise you to look into PCI compliance before connecting the 2 networks in any way.

Generally, for PCI compliance you need to have your payment network separated from machines that have access to surf the Internet. By connecting this machine (or even connecting the switches) in pretty much any way, I think you are violating that.
0
IT101 (Author) Commented:
Thanks linraf, this works just as you have said.
I have tried it now in my lab and have advised the POS techs of this possibility. If it does breach any regulations I will simply add a router in the right hand side building.
 
All I have left to ask now is "how does the 2 IP solution actually work?"...
Would I be close to say this:
When the switches are joined together they work just as they should as layer 2 devices and update their MAC tables with the new MAC addresses on each side for correct forwarding, and therefore packets destined for the POS network are forwarded through the switches to the correct PC with the destination MAC address.
When they arrive at the POS client destination, are they decapsulated and the origin IP checked to see if they originated from the correct subnet?
What I am trying to say is: at what point in the OSI model does this now pass where before (without the two IPs) it failed? Is it because the packets are now initially tagged with a correct IP origin that is within the destination's subnet that it now works?
Thanks for all the help!
0
linraf Commented:
Once you connect the layer 2 switches without a router, it becomes 1 physical layer 2 network. The only thing separating the layer 3 networks is the different IP addresses. As network cards can accept multiple IP addresses, the card with 2 IP addresses is now part of both layer 3 networks.
0
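The host-side decision linraf describes (and the source-address question the author raises next), modelled as an added example that is not from the thread or from any participant: with two on-link prefixes on one NIC, a destination matching a directly connected prefix is sent on-link using the address from that prefix as source; everything else goes to the single default gateway. The 10.1.1.23 secondary address and the 10.0.0.254 gateway are assumptions, as the thread never states them. The second function flags the PCI concern from the thread: a host that has addresses on both the POS subnet and the Internet-connected subnet bridges them at layer 3.

```python
import ipaddress

# Constructed example: the dual-addressed workstation from the thread.
# 10.0.0.23/24 is its original address; 10.1.1.23/24 (assumed) is the
# secondary address added under Advanced; 10.0.0.254 (assumed) is the gateway.
INTERFACE_ADDRESSES = ["10.0.0.23/24", "10.1.1.23/24"]
DEFAULT_GATEWAY = "10.0.0.254"


def select_route(dst, addresses=INTERFACE_ADDRESSES, gateway=DEFAULT_GATEWAY):
    """Return (next_hop, source_ip) as strings for a destination.

    Simplified model of the host routing decision: longest-prefix match over
    the directly connected prefixes; on-link destinations are delivered
    straight to the destination MAC using the address that lives in the
    matching prefix, so the source IP is automatically inside the POS subnet.
    Off-link destinations go to the one default gateway with the address that
    shares the gateway's subnet.
    """
    dst = ipaddress.ip_address(dst)
    gw = ipaddress.ip_address(gateway)
    ifaces = [ipaddress.ip_interface(a) for a in addresses]
    on_link = [i for i in ifaces if dst in i.network]
    if on_link:
        best = max(on_link, key=lambda i: i.network.prefixlen)
        return str(dst), str(best.ip)
    for i in ifaces:
        if gw in i.network:
            return str(gw), str(i.ip)
    raise ValueError("default gateway is not on any directly connected subnet")


def straddles_subnets(addresses, payment_net, internet_net):
    """True when one host holds an address on both the payment (POS) subnet
    and the Internet-connected subnet, i.e. it bridges the two at layer 3,
    which is the PCI separation concern raised in the thread."""
    nets = {ipaddress.ip_interface(a).network for a in addresses}
    return (ipaddress.ip_network(payment_net) in nets
            and ipaddress.ip_network(internet_net) in nets)


if __name__ == "__main__":
    for target in ("10.1.1.130", "10.0.0.44", "8.8.8.8"):
        print(target, "->", select_route(target))
    print("straddles POS and Internet subnets:",
          straddles_subnets(INTERFACE_ADDRESSES, "10.1.1.0/24", "10.0.0.0/24"))
```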
IT101 (Author) Commented:
Thanks for the additional explanation linraf. In terms of the structure of the packets... in the layer 3 encapsulation where the origin IP and destination IP are, does it just know to add its IP that is within the destination subnet as the origin?
Thanks again for all your help
0