Posted by Geir on August 6, 2007, 7:43 am
Hi,

We have two physically separated subnets, LAN1 and LAN2, each with its own domain controllers, DHCP, DNS, etc. We also have a couple of servers which we would like to share between these two networks, such as WSUS, AV updates, an intranet web server, etc. Because of the Windows Update services we would prefer to have gigabit access to these shared servers.

Would it be possible to set up a managed gigabit switch with three 'segments', one for LAN1, one for LAN2 and the third for the shared servers? LAN1 should *never* be able to communicate with LAN2 and vice versa; they should only have access to the shared servers through selected ports.

Thanks a lot for comments on this scenario.

Geir
|
Posted by anoop on August 6, 2007, 11:41 am
It is possible to do this if your switch supports something like Cisco's private VLANs, or more generally, the feature of shared VLAN learning (SVL). With SVL, your setup would be as follows:

- Configure the ports in LAN1 to have a PVID of VLAN A, but also make them members of VLAN C.
- Configure the ports in LAN2 to have a PVID of VLAN B, but also make them members of VLAN C.
- Configure the ports with the shared servers to have a PVID of VLAN C, but also make them members of VLAN A and VLAN B.
- Configure VLAN A, VLAN B and VLAN C to use SVL.

Also, if you're using IP as the protocol, configure VLAN A and VLAN B to be in separate subnets. However, the subnet ranges must be chosen such that devices on VLAN C can have a smaller mask that makes them think that both VLAN A devices and VLAN B devices are within their subnet; e.g. VLAN A -> 10.1.1/24, VLAN B -> 10.1.2/24, VLAN C -> 10.1/16.

Anoop
|
Posted by anoop on August 7, 2007, 2:05 am
> > Would it be possible to set up a managed gigabit switch with three
> > 'segments', one for LAN1, one for LAN2 and the third for the shared
> > servers? LAN1 should *never* be able to communicate with LAN2 and vice
> > versa; they should only have access to the shared servers through
> > selected ports.
>
> It is possible to do this if your switch supports something
> like Cisco's private VLANs, or more generally, the feature
> of shared VLAN learning (SVL).
>
> With SVL, your setup would be as follows:
> - Configure the ports in LAN1 to have a PVID of VLAN A,
>   but also make them members of VLAN C.
> - Configure the ports in LAN2 to have a PVID of VLAN B,
>   but also make them members of VLAN C.
> - Configure the ports with the shared servers to have a
>   PVID of VLAN C, but also make them members of
>   VLAN A and VLAN B.
> - Configure VLAN A, VLAN B and VLAN C to use SVL.
>
> Also, if you're using IP as the protocol, configure VLAN A
> and VLAN B to be in separate subnets. However, the
> subnet ranges must be chosen such that devices
> on VLAN C can have a smaller mask that makes
> them think that both VLAN A devices and VLAN B devices
> are within their subnet; e.g. VLAN A -> 10.1.1/24,
> VLAN B -> 10.1.2/24, VLAN C -> 10.1/16.

This last statement is actually incorrect. They can (and in fact should) all be assigned addresses from the same subnet. Then, as long as the VLAN configuration allows it, the stations will all be able to communicate. Since VLAN A and VLAN B are segregated, they won't be able to talk to each other even though they have addresses in the same subnet. On the other hand, they would both be able to communicate with VLAN C, and VLAN C would in turn be able to communicate with both.

Anoop
|
Posted by Geir on August 7, 2007, 7:23 am
anoop wrote:

>> Also, if you're using IP as the protocol, configure VLAN A
>> and VLAN B to be in separate subnets. However, the
>> subnet ranges must be chosen such that devices
>> on VLAN C can have a smaller mask that makes
>> them think that both VLAN A devices and VLAN B devices
>> are within their subnet; e.g. VLAN A -> 10.1.1/24,
>> VLAN B -> 10.1.2/24, VLAN C -> 10.1/16.
>
> This last statement is actually incorrect. They can (and
> in fact should) all be assigned addresses from the same
> subnet. Then, as long as the VLAN configuration allows
> it, the stations will all be able to communicate. Since
> VLAN A and VLAN B are segregated, they won't be able
> to talk to each other even though they have addresses
> in the same subnet. On the other hand, they would both
> be able to communicate with VLAN C, and VLAN C would
> in turn be able to communicate with both.

Actually our current LAN1 is at 172.72.100.0 and LAN2 is at 172.72.100.0. Do we need to change our IP ranges to make this work with a small enough mask?

Which 24-port gigabit switch models (midrange budget) do you suggest having the needed features?

Thanks again,

Geir
|
Posted by anoop on August 7, 2007, 9:56 am
> Actually our current LAN1 is at 172.72.100.0 and LAN2 is at 172.72.100.0.
>
> Do we need to change our IP ranges to make this work with a small enough
> mask?

Did you really mean to post the same range for both? In any case, I think it's fine as it is.

> Which 24-port gigabit switch models (midrange budget) do you suggest having
> the needed features?

Sorry, I don't have any suggestions here. If you had some in mind, check to see if they support either Shared VLAN Learning (SVL) or Private VLANs (Cisco's name for a technology that utilizes this). That should be all you need.

Anoop
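What anoop's private VLAN suggestion looks like on a Cisco Catalyst access switch, as an added example that is not part of this thread and not anything the posters wrote: two community VLANs (one per LAN) hanging off one primary VLAN whose promiscuous ports carry the shared servers, everything in a single IP subnet as the correction above says, plus a port ACL so that the LANs reach the shared servers only on selected ports. The VLAN numbers, interface ranges, WSUS ports and server addresses (WSUS on 172.72.100.10, AV update server on 172.72.100.11, intranet web on 172.72.100.12) are assumptions for illustration, not values from Geir's posts.

```cisco
! Added example, not from the thread. Cisco IOS private VLAN layout for
! Geir's three 'segments'. Assumed numbering: VLAN 100 = primary (shared
! servers), VLAN 101 = LAN1 community, VLAN 102 = LAN2 community.
! Private VLANs require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
vlan 100
 name SHARED-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name LAN1
 private-vlan community
!
vlan 102
 name LAN2
 private-vlan community
!
! LAN1: hosts in community 101 talk to each other and to the promiscuous
! ports (the shared servers), never to community 102. Interface ranges
! are placeholders.
interface range GigabitEthernet0/1 - 10
 description LAN1 hosts, LAN1 DC/DHCP/DNS
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ip access-group TO-SHARED-ONLY in
!
! LAN2: same, in community 102.
interface range GigabitEthernet0/11 - 20
 description LAN2 hosts, LAN2 DC/DHCP/DNS
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 ip access-group TO-SHARED-ONLY in
!
! Shared servers: promiscuous ports, reachable from both communities.
interface range GigabitEthernet0/21 - 24
 description WSUS / AV updates / intranet web
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Port ACL applied inbound on every LAN host port. It only narrows what may
! reach the three shared addresses; the final "permit ip any any" leaves each
! LAN's own DC, DHCP and DNS traffic alone (that traffic never crosses
! communities anyway). Addresses and ports are assumptions: WSUS on
! 8530/8531 (use 80/443 if WSUS was installed on the default web site).
ip access-list extended TO-SHARED-ONLY
 permit tcp any host 172.72.100.10 eq 8530
 permit tcp any host 172.72.100.10 eq 8531
 deny   ip  any host 172.72.100.10
 permit tcp any host 172.72.100.11 eq 80
 deny   ip  any host 172.72.100.11
 permit tcp any host 172.72.100.12 eq 80
 permit tcp any host 172.72.100.12 eq 443
 deny   ip  any host 172.72.100.12
 permit ip  any any
```

A few points a practitioner will want to check before trusting this. Private VLANs isolate only at layer 2: any device on a promiscuous port that forwards IP (a router, or a server with IP forwarding switched on) will relay a frame from LAN1 that carries the server's MAC address but a LAN2 destination IP, which is the standard way around PVLAN isolation; keep routing disabled on the shared servers, and if a router ever sits on a promiscuous port, give it an ACL that drops packets whose source and destination are both in this subnet. Because the shared servers see both communities as one subnet, every host address must be unique across LAN1, LAN2 and the servers, so if both LANs really are on 172.72.100.0 as posted, their DHCP scopes must not overlap; broadcasts from both LANs also reach the promiscuous ports, so do not run DHCP on the shared servers. Finally, whether a port ACL is accepted on private-VLAN host ports depends on the platform; where it is not, enforce the same port list in the shared servers' host firewalls instead, and in any case test the result from a host in each LAN: the other LAN must not answer at all, and the shared servers must answer only on the listed ports.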

Managed gigabit switch as router..?