12-19-2014 02:06 PM - edited 03-07-2019 09:58 PM
I work in a building that has two separate entities, but both work together to accomplish the same goals. The IT admin before me set us up on separate VLANs through many cisco switches. One lady that works here does work for both entities. There are server shares that she needs to be able to access on both VLANs to do her work. The way it is now, she does Company A's work in the morning and then moves to another office to do work for Company B. My question is, can I tag her switch port with both VLANs and then just add a secondary IP to her PC NIC so she is able to access the server shares from both VLANs?
12-19-2014 07:16 PM
Hello
Depending on your LAN, you may not require any additional addressing?
Do your office VLANs extend over multiple areas? If so, then it would suggest you have inter-domain routing running.
If the access switch this woman connects to is interconnected to the core/distribution switch via a trunk, and this trunk is allowing both VLANs to cross it, I guess all that would be required then is access granted to the file shares in question.
Please share a topology of your LAN if applicable.
res
paul
12-23-2014 07:12 AM
basic topology...
core switch catalyst 3750
vlan 100 office A 192.168.5.x
vlan 200 office B 192.168.9.x
Currently there is no routing between VLANs. I cannot ping anything on the 9.x.
12-23-2014 07:35 AM
If there is no routing between the VLANs then her current system of changing PCs (and probably changing offices) is probably the best solution. There are probably several issues about trying to put both VLANs on her switch port. The biggest issue is that putting two VLANs on a switch port generally requires that the port be configured as a trunk and that Ethernet frames for one of the VLANs be tagged. So does the NIC on her PC understand and process tagged frames?
It looks to me like when the network was set up there was an administrative security policy that is based on complete separation of the vlans as there is separation of the organizations. What you are suggesting could be construed as an evasion or breaking of that security policy.
HTH
Rick
12-23-2014 07:57 AM
I understand the security behind the VLANs, but it's not necessary on this one computer. This lady is the secretary for both companies and has full access to both companies' files/records. At the IETC convention there was a Cisco engineer there who told me this was most definitely doable. His email address was lost in the washing machine though :-/
12-23-2014 10:10 AM
If you can't ping anything on the other VLAN, does that mean each VLAN does not route to anywhere else, e.g. other VLANs or the internet?
If they do route to other VLANs you may find that there are SVIs for both VLANs but they have ACLs applied, in which case you could just modify the ACL.
Or maybe not.
It is doable, i.e. servers do this all the time, but as Rick says it depends on whether the PC supports tagging.
If it does, it is really more a question of how to set that up correctly than a networking issue, i.e. all you need to do on the network side is set up the port on the switch as a trunk allowing both VLANs.
There are however a couple of things to be aware of from the network perspective -
a) if the VLAN does route to other subnets then you only want one default gateway, i.e. the current one. There is no need for another gateway as the PC would be directly connected to the other network anyway, and multiple default gateways can lead to unexpected issues.
b) you need to make sure you cannot route between VLANs on your PC, otherwise this could be a security issue. There is no need for the PC to route between these VLANs because it has direct connections to both.
From memory, when you set up the trunking there is an option to turn off IP forwarding between those subnets.
Sorry I can't be more specific but it was a while ago that I last did this.
Jon
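As an added example (not from any poster in this thread), here is the Linux host side of what Jon describes, for a PC on a trunk carrying VLAN 100 (192.168.5.x) and VLAN 200 (192.168.9.x), together with an audit that checks his two points: exactly one default gateway, and no IP forwarding between the two subnets. The interface name eth0, the .50 host addresses, the 192.168.5.1 gateway and the sample command output are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Host-side (Linux) setup for a PC on a
# trunk carrying VLAN 100 (192.168.5.x) and VLAN 200 (192.168.9.x), plus an
# audit of the state. eth0, the .50 addresses and gateway .1 are assumed.
# Switch side, for reference:  switchport mode trunk
#                              switchport trunk allowed vlan 100,200

# Setup (needs root; reference only, not run by the audit below).
setup_dual_vlan() {
  ip link add link eth0 name eth0.100 type vlan id 100
  ip link add link eth0 name eth0.200 type vlan id 200
  ip addr add 192.168.5.50/24 dev eth0.100
  ip addr add 192.168.9.50/24 dev eth0.200
  ip link set eth0.100 up && ip link set eth0.200 up
  # Exactly one default gateway: the existing one on VLAN 100.
  ip route add default via 192.168.5.1 dev eth0.100
  # The PC must never forward between the two companies' subnets.
  sysctl -w net.ipv4.ip_forward=0
  sysctl -w net.ipv4.conf.eth0/100.forwarding=0  # '/' stands for '.' in sysctl names
  sysctl -w net.ipv4.conf.eth0/200.forwarding=0
}

# audit_host ROUTES SYSCTLS: ROUTES is the text of `ip -4 route show`, SYSCTLS the
# text of `sysctl net.ipv4.ip_forward net.ipv4.conf.eth0/100.forwarding ...`.
# Returns 0 only with one default route, both subnets connected, all forwarding 0.
audit_host() {
  routes=$1; sysctls=$2; rc=0
  ndef=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
  [ "$ndef" -eq 1 ] || { echo "FAIL: $ndef default routes, want exactly 1"; rc=1; }
  for net in 192.168.5.0/24 192.168.9.0/24; do
    printf '%s\n' "$routes" | grep -q "^$net dev" || { echo "FAIL: $net not connected"; rc=1; }
  done
  bad=$(printf '%s\n' "$sysctls" | grep forward | grep -v '= 0$' || true)
  [ -z "$bad" ] || { echo "FAIL: forwarding enabled:"; echo "$bad"; rc=1; }
  return $rc
}

# Constructed sample state of a correctly configured host.
GOOD_ROUTES='default via 192.168.5.1 dev eth0.100
192.168.5.0/24 dev eth0.100 proto kernel scope link src 192.168.5.50
192.168.9.0/24 dev eth0.200 proto kernel scope link src 192.168.9.50'
GOOD_SYSCTLS='net.ipv4.ip_forward = 0
net.ipv4.conf.eth0/100.forwarding = 0
net.ipv4.conf.eth0/200.forwarding = 0'
# Constructed drift: a second gateway, and forwarding re-enabled (e.g. after a PC rebuild).
BAD_ROUTES="$GOOD_ROUTES
default via 192.168.9.1 dev eth0.200"
BAD_SYSCTLS='net.ipv4.ip_forward = 1
net.ipv4.conf.eth0/100.forwarding = 0'
```

Run `audit_host "$(ip -4 route show)" "$(sysctl net.ipv4.ip_forward net.ipv4.conf.eth0/100.forwarding net.ipv4.conf.eth0/200.forwarding)"` on the real PC; a non-zero exit is the drift Rick worries about after a PC replacement.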
12-23-2014 10:34 AM
The original question was "My question is, can I tag her switch port with both VLANs and then just add a secondary IP to her PC NIC". I believe that it is more complicated than just adding a secondary IP to her PC NIC. I will agree with the Cisco engineer that if you want it badly enough, and are willing to spend the money that it may take, then you could provide access to both VLANs for that PC.
But if you could do it does not necessarily mean that you SHOULD do it. The original design seems to provide complete isolation of the networks. Putting her PC on both networks changes that. It opens the possibility that traffic from Company A could come into her PC and be forwarded into the network of Company B. And it creates the very real possibility that data from Company A will be transmitted onto the network of Company B. How significant is that? Only someone who really knows the local situation can really determine the impact of these changes.
HTH
Rick
12-23-2014 10:48 AM
Rick
Putting her PC on both networks changes that. It opens the possibility that traffic from Company A could come into her PC and be forwarded into the network of Company B. And it creates the very real possibility that data from Company A will be transmitted onto the network of Company B.
Agreed, which is why I said you must make sure that IP forwarding is disabled between those subnets.
If you don't then there is a very real possibility of what you mention happening.
I do remember an option to disable this so you can, as far as I am aware, make sure this does not happen.
Jon
12-23-2014 01:46 PM
Jon
I believe that there are two conversations going on in this thread. One conversation is about whether it is possible, and if so then how to do it. I agree that it is possible. The other conversation is about whether it is a good idea to do it. What are the benefits and what are the risks, and how do they balance?
As an engineer I am interested in the possibilities of how to achieve it, and this focuses on how things ought to work. But as I do more work in the Security area I find myself more aware of the risks that exist that things may not be done as we intend. If everyone does the right thing then there will be no leakage between companies. But what are the possibilities that the secretary will write an email with Company A information but happen to send it on the Company B NIC? What are the possibilities that a PC will be replaced and someone will not realize the importance of disabling IP forwarding?
We do not know much about the environment of these companies and if we knew more then perhaps we could more confidently advise whether this is a good thing to try or not. But based on the little that we do know I want to be sure that the risks are considered and the impact on the existing design evaluated before a decision is made to build a link between these networks.
HTH
Rick
12-30-2014 04:29 PM
You could install a network driver that supports VLAN tagging and attach it to a trunk port that trunks the two VLANs.
As the others have indicated please understand the security implications of this.
Please rate helpful posts :-)