VLAN Config Question

By tmohler
Here is just a little background on the situation.

One of our branches is renting out office space and the tenants requested internet access. It wasn't a big deal; they said it was a couple PC's. I got a call from the company's IT requesting public IP's because they are bringing a 2003 server with them. The new guys are connected with a subsidiary insurance company that spans our main facility to the aforementioned branch that I've never really had to officially administer (citrix stations, outside tech support, etc. etc.). I've always wanted to segregate them anyway.

I figured I would just get DSL at that location and let them have at as they would physically be off our network then. Anything short of T1 or satellite will not serve that location so I'm wanting to run them across the WAN for internet access to a cable modem that the insurance company uses as their own at the main facility. Still not a big deal but if they are going to be physically connected I still want to logically isolate them from us. And I keep all my available IPs. It's just less eggs in my basket.

I'm thinking I can just use VLAN and it seems simple enough I've just never dealt with it.

Here is how I planned on laying it out: Mentioned clients -> unmanaged non 802.1q switch -> fiber link -> compliant switch: this switch connects to our MPLS gateway so I would here set the port from the new guys as member of let's say VLAN2 and the port the gateway is connected to as a member of the default VLAN and VLAN2 -> WAN -> switch connecting gateway: set gateway port the same and set the port connecting to a public switch on a separate floor as members of both VLANs -> fiber link to other floor -> compliant switch: set incoming port for both VLANs and set a port connecting to their private switch as a member of only VLAN2 -> private switch -> clients and internet connection

On the ports connecting to the non-VLAN-aware devices, if I set them to untagged, does it strip the VID and still allow VLAN within the VLAN-aware switched environment?

One other thing I'm wondering about is if I am possibly going to run into problems at the MPLS sending tagged packets through that? Or is that something I will just need to contact them about? I think I read somewhere about ISPs double and triple tagging or something along the lines of that to avoid that problem.

Anyway, any advice is appreciated and sorry for the novel!
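The tagging behaviour the question asks about, as an added example that is not part of the original post: a Python model of per-port 802.1Q rules (PVID on ingress, tag stripping on untagged egress, membership filtering) applied to the branch-side switch in the plan. The port names and VLAN ids are assumptions.

```python
# Added example (not from the post): a small model of 802.1Q port rules,
# used to check the plan of keeping tenants on VLAN 2 and the branch LAN on
# the default VLAN 1. Port names and VLAN ids are assumptions.
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN given to untagged ingress
    untagged: set = field(default_factory=set)  # VLANs sent out with tag stripped
    tagged: set = field(default_factory=set)    # VLANs sent out with 802.1Q tag

def ingress_vid(port, vid=None):
    """vid=None is an untagged frame and takes the port PVID; a tagged frame
    is accepted only if the port is a member of that VLAN, else dropped."""
    if vid is None:
        return port.pvid
    return vid if vid in (port.untagged | port.tagged) else None

def egress_state(port, vid):
    """'untagged' or 'tagged' on the way out, None if not forwarded."""
    if vid in port.untagged:
        return "untagged"
    return "tagged" if vid in port.tagged else None

def forward(in_port, out_ports, vid=None):
    """Flood one frame from in_port; return {port: tag state} for every port
    that would carry it (the model ignores MAC learning on purpose)."""
    v = ingress_vid(in_port, vid)
    if v is None:
        return {}
    out = {p.name: egress_state(p, v) for p in out_ports if p is not in_port}
    return {name: s for name, s in out.items() if s is not None}

# Branch-side 802.1Q switch from the post: tenant port (access, VLAN 2),
# our own LAN port (access, VLAN 1), uplink to the MPLS gateway (trunk).
TENANT = Port("tenant", pvid=2, untagged={2})
LAN = Port("lan", pvid=1, untagged={1})
UPLINK = Port("uplink", pvid=1, untagged={1}, tagged={2})
PORTS = [TENANT, LAN, UPLINK]

def check_plan():
    """Untagged tenant frames get VID 2 on the uplink, are untagged again on
    the tenant port, never reach the LAN; a VID 1 tag from the tenant is dropped."""
    return {
        "tenant_untagged": forward(TENANT, PORTS),     # {'uplink': 'tagged'}
        "lan_untagged": forward(LAN, PORTS),           # {'uplink': 'untagged'}
        "uplink_vid2": forward(UPLINK, PORTS, 2),      # {'tenant': 'untagged'}
        "tenant_vid1": forward(TENANT, PORTS, 1),      # {}
    }
```

Whether the MPLS leg carries the tag is a separate matter that depends on the service the provider delivers: a Layer 2 service can preserve 802.1Q tags end to end, while an IP VPN service does not, so that part of the path is a question for the provider rather than for switch configuration.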



All Answers


Just because you're renting office space...

by SYNner In reply to VLAN Config Question

You're doing it the wrong way. Just because your branch office is renting out office space doesn't mean you have to provide network connectivity. The tenants should get their own connectivity. The security risk is toooooooo great to do this. They need to be totally isolated physically, logically, operationally. If they are compromised, they will blame you and vice versa.
