Managed gigabit switch as router..?

Hi,

We have two physically separated subnets, LAN1 and LAN2, each with its own domain controllers, DHCP, DNS, etc.

Also we have a couple of servers which we would like to share between these two networks, such as WSUS, AV updates, intranet web server, etc.

Due to the windows update services we would prefer to have gigabit access to these shared servers.

Would it be possible to set up a managed gigabit switch with three 'segments' one for LAN1, one for LAN2 and the third for the shared servers. LAN1 should *never* be able to communicate with LAN2 and vice versa, they should only have access to the shared servers through selected ports.

Thanks a lot for comments on this scenario.

Geir


It is possible to do this if your switch supports something like Cisco's private VLANs, or more generally, the feature of shared VLAN learning (SVL).

With SVL, your setup would be as follows:

- Configure the ports in LAN1 to have a PVID of VLAN A, but also make them members of VLAN C.

- Configure the ports in LAN2 to have a PVID of VLAN B, but also make them members of VLAN C.

- Configure the ports with the shared servers to have a PVID of VLAN C, but also make them members of VLAN A and VLAN B.

- Configure VLAN A, VLAN B and VLAN C to use SVL.

Also, if you're using IP as the protocol, configure VLAN A and VLAN B to be in separate subnets. However the subnet ranges must be chosen such that devices on VLAN C can have a smaller mask that makes them think that both VLAN A devices and VLAN B devices are within their subnet; e.g. VLAN A -> 10.1.1/24, VLAN B -> 10.1.2/24, VLAN C -> 10.1/16.

Anoop

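The SVL/private VLAN layout described above, written out as an added example (not from the original post) in Cisco IOS private-VLAN syntax, which is the vendor feature that implements it on Catalyst switches. VLAN C becomes the primary VLAN, LAN1 and LAN2 become community secondaries, and the shared servers sit on promiscuous ports. The VLAN numbers and port ranges are assumptions. On IOS the switch must be in VTP transparent mode (or run VTP version 3) before private VLANs can be defined, and all three VLANs share one IP subnet, which is the point of the correction later in the thread.

```cisco
! Added example: private VLANs for LAN1 / LAN2 / shared servers (assumed VLAN IDs and ports)
! Private VLANs cannot be created while VTP is in server/client mode on IOS (VTPv3 excepted)
vtp mode transparent
!
! Primary VLAN = the shared-server VLAN ("VLAN C" in the thread)
vlan 100
 name SHARED-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Community VLANs = LAN1 ("A") and LAN2 ("B"): members of a community reach each other
! and the promiscuous ports, never the other community
vlan 101
 name LAN1-COMMUNITY
 private-vlan community
vlan 102
 name LAN2-COMMUNITY
 private-vlan community
!
! LAN1 ports (assumed range): host ports bound to primary 100 / community 101
interface range GigabitEthernet1/0/1 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! LAN2 ports (assumed range): host ports bound to primary 100 / community 102
interface range GigabitEthernet1/0/11 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 spanning-tree portfast
!
! Shared servers (WSUS, AV, intranet): promiscuous ports mapped to both communities
interface range GigabitEthernet1/0/21 - 24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
 spanning-tree portfast
```

Check the result with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/1 switchport`. Two caveats a practitioner would want: private VLANs enforce the LAN1/LAN2 separation only at layer 2, so a shared server that has IP forwarding or routing enabled (RRAS on Windows, `ip_forward` on Linux) becomes a bridge between the two LANs and must be configured not to forward; and because the communities share one subnet, hosts in LAN1 and LAN2 will ARP for each other and simply get no reply, which is expected.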

While a firewall would be preferable, it's probably not cost-effective for the speeds you are wanting. I usually deploy that sort of scenario on a Cisco FWSM in a 6500 series chassis, but the FWSM is around $30K, and the rest of the chassis is another $50K - not the sort of thing you would put in to save the cost of two $3000 servers.

A Cisco 3750G-{PT}S-E would probably suffice. It supports the full IOS access-list syntax, but doesn't support CBAC (IOS firewall).

Daniel J McDonald
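The "only through selected ports" requirement from the original question, applied with the IOS access-list syntax mentioned above, as an added example (not from the original post). It assumes the private-VLAN layout with one shared subnet, with LAN1 hosts in 10.10.1.0/24, LAN2 hosts in 10.10.2.0/24 and the shared servers in 10.10.0.0/24 (all with a /22 mask); the server addresses, the AV update port (80) and the intranet ports (80/443) are assumptions, while 8530 is the WSUS default. Port ACLs on a Catalyst 3750 are inbound only, so the ACL is applied on the client-facing ports.

```cisco
! Added example: port ACL for LAN1 host ports (assumed addresses; LAN2 mirrors it with 10.10.2.0)
ip access-list extended LAN1-PORTS-IN
 remark Traffic inside LAN1 (its own DCs, DHCP, DNS) is unrestricted
 permit ip 10.10.1.0 0.0.0.255 10.10.1.0 0.0.0.255
 remark DHCP DISCOVER/REQUEST are sourced from 0.0.0.0 before the client has a lease
 permit udp any eq bootpc any eq bootps
 remark Selected services on the shared servers only
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.0.11 eq 8530
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.0.12 eq 80
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.0.13 eq 80
 permit tcp 10.10.1.0 0.0.0.255 host 10.10.0.13 eq 443
 remark Everything else, including anything aimed at LAN2 addresses, hits the implicit deny
!
! Same LAN1 port range as the private-VLAN example (assumed)
interface range GigabitEthernet1/0/1 - 10
 ip access-group LAN1-PORTS-IN in
```

The ACL is stateless: it filters what the clients send, and the private VLAN, not the ACL, is what stops LAN2 frames from reaching LAN1. Replies from the servers arrive on the promiscuous ports and are not filtered here, so a server compromised from one LAN can still initiate connections into it; if that matters, put a second port ACL on the server ports. IP ACLs also do not see ARP, so the shared subnet remains one ARP domain.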

This last statement is actually incorrect. They can (and in fact should) all be assigned addresses from the same subnet. Then, as long as the VLAN configuration allows it, the stations will all be able to communicate. Since VLAN A and VLAN B are segregated, they won't be able to talk to each other even though they have addresses in the same subnet. On the other hand, they would both be able to communicate with VLAN C, and VLAN C would in turn be able to communicate with both.

Anoop


Actually our current LAN1 is at 172.72.100.0 and LAN2 is at 172.72.100.0

Do we need to change our IP ranges to make this work with a small enough mask?

Which 24-port gigabit switch models (midrange budget) do you suggest that have the needed features?

thanks again

Geir


Did you really mean to post the same range for both? In any case, I think it's fine as it is.

Sorry, I don't have any suggestions here. If you had some in mind check to see if they support either Shared VLAN Learning (SVL) or Private VLANs (Cisco's name for a technology that utilizes this). That should be all you need.

Anoop


Oops, sorry about that. LAN1 is at 172.72.100.0/23 and LAN2 is at 172.75.100.0/23.

What would you then suggest to use as LAN3 and subnet masks..?

regards

Geir Holmavatn

You would actually need to change all of the subnets so that they look like one big subnet. Basically everything could be put on 172.0.0.0/8. That would be sufficient to make the SVL configuration work.

However, I was thinking about this and realized that I failed to mention that the SVL/private VLAN configuration is only required if your "common" server (that we talked about being in VLAN C) is not VLAN aware. If that is VLAN aware the problem is much more easily solvable. Simply have the server participate in both VLANs with an IP interface in each of the subnets. Then almost any switch works (regardless of whether it's SVL or IVL).

Anoop

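The VLAN-aware server variant mentioned above, switch side, as an added example in Cisco IOS (not from the original post). Here LAN1 and LAN2 stay ordinary VLANs with their own subnets (172.72.100.0/23 and 172.75.100.0/23 from the thread; note that both lie outside the private 172.16.0.0/12 range), and each shared server gets one 802.1Q trunk carrying both VLANs, with an interface in each subnet configured on the server's NIC driver. VLAN IDs, the port ranges and the unused native VLAN are assumptions.

```cisco
! Added example: IVL VLANs plus a tagged trunk to a VLAN-aware shared server (assumed IDs/ports)
vlan 10
 name LAN1
vlan 20
 name LAN2
! Unused VLAN for untagged frames on the server trunk, so neither LAN travels untagged
vlan 999
 name TRUNK-NATIVE-UNUSED
!
! LAN1 client ports (assumed range): plain access ports
interface range GigabitEthernet1/0/1 - 10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! LAN2 client ports (assumed range)
interface range GigabitEthernet1/0/11 - 20
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Shared server port: 802.1Q trunk limited to the two LAN VLANs, no DTP negotiation
interface GigabitEthernet1/0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 spanning-tree portfast trunk
```

On the server, the NIC driver (or the OS) creates one tagged interface per VLAN, e.g. 172.72.100.10/23 on VLAN 10 and 172.75.100.10/23 on VLAN 20, and each LAN's own DNS must point clients at the address in their own subnet. The server is now the only thing joining the two LANs, so it must not forward IP between its interfaces, and the per-port ACL approach from earlier in the thread still applies if access is to be limited to selected services.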

What's "midrange" for you? The easiest and cleanest solution would be to acquire L3 switches and let them do the routing. You should be able to get some for around $1,500 to $2,000 from the usual suspects (Netgear, Allied Telesis, SMC).

Denis Jedig

That was my thought: just give the servers IP addresses in both LANs and set the switch port to be in both VLANs.

developers

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.