Multiple VLAN Access for PC

bhesterberg78

I work in a building that has two separate entities, but both work together to accomplish the same goals. The IT admin before me set us up on separate VLANs through many Cisco switches. One lady that works here does work for both entities. There are server shares that she needs to be able to access on both VLANs to do her work. The way it is now, she does Company A's work in the morning and then moves to another office to do work for Company B. My question is, can I tag her switch port with both VLANs and then just add a secondary IP to her PC NIC so she is able to access the server shares from both VLANs?

9 Replies

Hello

Depending on your LAN, you may not require any additional addressing.

Do your office VLANs extend over multiple areas? If so, that would suggest you have inter-domain routing running.

If the access switch this woman connects to is interconnected to the core/distribution switch via a trunk, and this trunk allows both VLANs to cross it, I guess all that would be required is access granted to the file shares in question.

Please share a topology of your LAN if applicable to do so.

Kind Regards
Paul

Basic topology:

Core switch: Catalyst 3750

VLAN 100, office A: 192.168.5.x

VLAN 200, office B: 192.168.9.x

Currently there is no routing between VLANs. I cannot ping anything on the 9.x.

If there is no routing between the VLANs, then her current system of changing PCs (and probably changing offices) is probably the best solution. There are probably several issues with trying to put both VLANs on her switch port. The biggest issue is that putting two VLANs on a switch port generally requires that the port be configured as a trunk and that Ethernet frames for one of the VLANs be tagged. So does the NIC on her PC understand and process tagged frames?

It looks to me like when the network was set up there was an administrative security policy that is based on complete separation of the VLANs, as there is separation of the organizations. What you are suggesting could be construed as an evasion or breaking of that security policy.

HTH

Rick

I understand the security behind the VLANs, but it's not necessary on this one computer. This lady is the secretary for both companies and has full access to both companies' files/records. At the IETC convention there was a Cisco engineer there who told me this was most definitely doable. His email address was lost in the washing machine though :-/

If you can't ping anything on the other VLAN, does that mean each VLAN does not route anywhere else, e.g. other VLANs or the internet?

If they do route to other VLANs, you may find that there are SVIs for both VLANs but they have ACLs applied, in which case you could just modify the ACL.

Or maybe not.

It is doable, i.e. servers do this all the time, but as Rick says it depends on whether the PC supports tagging.

If it does, it is really more a question of how to set that up correctly than a networking issue, i.e. all you need to do on the network side is set up the port on the switch as a trunk allowing both VLANs.

There are however a couple of things to be aware of from the network perspective:

a) if the VLAN does route to other subnets then you only want one default gateway, i.e. the current one. There is no need for another gateway as the PC would be directly connected to the other network anyway, and multiple default gateways can lead to unexpected issues.

b) you need to make sure you cannot route between VLANs on your PC, otherwise this could be a security issue. There is no need for the PC to route between these VLANs because it has direct connections to both.

From memory, when you set up the trunking there is an option to turn off IP forwarding between those subnets.

Sorry I can't be more specific, but it was a while ago that I last did this.

Jon
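The procedure Jon describes above (trunk the port with both VLANs, keep the single existing default gateway, and make sure the PC cannot forward between the two subnets), written out as an added example that is not part of this thread. It assumes things the thread does not state: the PC runs Linux with 802.1Q support and its NIC is eth0, the access-switch port is GigabitEthernet1/0/10, office A (VLAN 100, 192.168.5.0/24) keeps its existing untagged address and default gateway by being made the native VLAN of the trunk, and office B (VLAN 200) is added as a tagged sub-interface; the .50 host addresses are made up. The switch-side text is Cisco IOS to paste on the access switch; the PC-side functions only print their commands unless DRY_RUN=0. Rick's caveat still applies: even with forwarding off, the PC itself is now a path between the two networks.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (none stated in the thread):
# Linux PC with 8021q support, NIC eth0, access port Gi1/0/10, office A =
# VLAN 100 / 192.168.5.0/24 (existing, untagged, keeps the default gateway),
# office B = VLAN 200 / 192.168.9.0/24 (added, tagged). .50 addresses are made up.
set -u

UPLINK=eth0
OFFICE_A_VLAN=100
OFFICE_B_VLAN=200
OFFICE_B_ADDR=192.168.9.50/24
DRY_RUN=${DRY_RUN:-1}   # 1 = print the PC-side commands instead of running them

# Switch side (Cisco IOS). Office A is the native VLAN, so the PC's existing
# untagged traffic is unchanged and only office B frames need 802.1Q tags.
# "encapsulation dot1q" is needed on platforms that also support ISL (the 3750
# does); nonegotiate/portfast/bpduguard keep this an edge port, not a real uplink.
switch_port_config() {
    cat <<EOF
interface GigabitEthernet1/0/10
 description secretary PC - offices A and B
 switchport trunk encapsulation dot1q
 switchport trunk native vlan $OFFICE_A_VLAN
 switchport trunk allowed vlan $OFFICE_A_VLAN,$OFFICE_B_VLAN
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
EOF
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# PC side: tagged sub-interface for office B. Deliberately no "default via"
# here (Jon's point a): the PC is directly attached to 192.168.9.0/24, and a
# second default gateway would only make path selection unpredictable.
add_office_b_subif() {
    run ip link add link "$UPLINK" name "$UPLINK.$OFFICE_B_VLAN" type vlan id "$OFFICE_B_VLAN"
    run ip addr add "$OFFICE_B_ADDR" dev "$UPLINK.$OFFICE_B_VLAN"
    run ip link set "$UPLINK.$OFFICE_B_VLAN" up
}

# Jon's point b: the PC must never forward packets between the two VLANs.
disable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=0
    run sysctl -w net.ipv6.conf.all.forwarding=0
}

# Check: returns 0 only when IPv4 forwarding is off. Takes the sysctl value as
# $1 so it can be exercised without a live kernel; reads /proc otherwise.
forwarding_is_off() {
    val=${1:-$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)}
    [ "$val" = 0 ]
}

# Check: number of IPv4 default routes in the output of `ip -4 route show`
# (passed as $1). Exactly one is correct for this design.
count_default_routes() {
    printf '%s\n' "$1" | grep -c '^default '
}

# Print the plan when run directly with DRY_RUN left at 1.
if [ "$DRY_RUN" = 1 ]; then
    echo "# --- paste on the access switch ---"
    switch_port_config
    echo "# --- run on the PC as root ---"
    add_office_b_subif
    disable_forwarding
fi
```

Run it once as-is to review the commands, then with DRY_RUN=0 as root to apply the PC side; the switch block is pasted into configure mode by hand. Neither the sub-interface nor the sysctl survives a reboot on its own, and how to persist them depends on the distribution, which is exactly the "PC gets replaced and nobody re-applies it" risk Rick raises.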

The original question was "My question is, can I tag her switch port with both VLANs and then just add a secondary IP to her PC NIC". I believe that it is more complicated than just adding a secondary IP to her PC NIC. I will agree with the Cisco engineer that if you want it badly enough, and are willing to spend the money that it may take, then you could provide access to both VLANs for that PC.

But that you could do it does not necessarily mean that you SHOULD do it. The original design seems to provide complete isolation of the networks. Putting her PC on both networks changes that. It opens the possibility that traffic from Company A could come into her PC and be forwarded into the network of Company B. And it creates the very real possibility that data from Company A will be transmitted onto the network of Company B. How significant is that? Only someone who really knows the local situation can really determine the impact of these changes.

HTH

Rick

Rick

Putting her PC on both networks changes that. It opens the possibility that traffic from Company A could come into her PC and be forwarded into the network of Company B. And it creates the very real possibility that data from Company A will be transmitted onto the network of Company B.

Agreed, which is why I said you must make sure that IP forwarding is disabled between those subnets.

If you don't then there is a very real possibility of what you mention happening.

I do remember an option to disable this so you can, as far as I am aware, make sure this does not happen.

Jon

Jon

I believe that there are two conversations going on in this thread. One conversation is about whether it is possible, and if so, how to do it. I agree that it is possible. The other conversation is about whether it is a good idea to do it: what are the benefits, what are the risks, and how do they balance.

As an engineer I am interested in the possibilities of how to achieve it, and this focuses on how things ought to work. But as I do more work in the security area I find myself more aware of the risks that exist that things may not be done as we intend. If everyone does the right thing then there will be no leakage between companies. But what are the possibilities that the secretary will write an email with Company A information but happen to send it on the Company B NIC? What are the possibilities that a PC will be replaced and someone will not realize the importance of disabling IP forwarding?

We do not know much about the environment of these companies, and if we knew more then perhaps we could more confidently advise whether this is a good thing to try or not. But based on the little that we do know I want to be sure that the risks are considered and the impact on the existing design evaluated before a decision is made to build a link between these networks.

HTH

Rick

schaef350

You could install a network driver that supports VLAN tagging and attach it to a trunk port that trunks the two VLANs.

As the others have indicated, please understand the security implications of this.

 
