LAN split and shared resource



#1
thenotch

thenotch

    Member

  • Retired Staff
  • 668 posts
OK, I'll do my best to explain this and what I am trying to accomplish and what is actually happening.

We have two companies who share a financial database application. At one point both were connected to the same LAN and there were no issues. Well, the bosses decided to give me one day to reconfigure the network and separate both companies onto two separate LANs (each with their own ISP). That went all well and fine but now I have to also allow a handful of users access to this shared application database.

LAN 1 is 192.168.1.1, workgroup CO1 and LAN 2 is 192.168.1.2, workgroup CO2. The application database is workgroup APP.

The application database has two NICs, one connected to LAN 1 with a static IP of .26, gateway 192.168.1.1 and one connected to LAN 2 with a static IP of .36, gateway 192.168.1.2.

From either LAN I can ping BOTH NICs. LAN 1 (the original LAN) connects without any issues, but LAN 2 has issues connecting at times. I normally have to reboot the computer, open up a command line and ping the .36 NIC, then browse to the application database box and then open the application to connect to the database. If I try doing this without these steps it cannot find the path to the application database (even though I can always ping both NICs).

So in a nutshell I need a way for users to connect to this database without having to go through all these steps.

Any thoughts? (Sorry if I didn't explain it well... it's still convoluted in my brain.... )
  • 0



#2
dsenette

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
.....i'm confused as to how those are different lans with those ips...192.168.1.1 is in the same subnet as 192.168.1.2....which is question #1....are they separate only physically? i can easily assume that even if they are physically separate there's at least one connection that they share...and is there only one machine on either lan?

second...i would ASSUME that your issues with connecting to the application on the central machine are due to the fact that the machine belongs to at least one of the two workgroups right? can't be part of two so it's got to be part of one of them

third....by the description of what you've done...they haven't gotten very far separated....what was the purpose to begin with?
  • 0

#3
thenotch

thenotch

    Member

  • Topic Starter
  • Retired Staff
  • 668 posts
I probably didn't explain it well...

The split is because they each have their own ISP and no longer share the costs of one ISP.

CO1 AND CO2 have their own ISP and router/gateway. Then from there they feed into the appropriate switches for their LAN.
At this point they are both independent and have no contact with each other.

Then, add in the application database. It has 2 NICs, one configured (statically) with CO1 gateway/IP scheme and connected to its switches, the other configured (statically) with CO2 gateway/IP scheme and connected to its switches.

That is the only common point of connection. None of the switches on one LAN connect to the switches on the other LAN.

The application database box is not on either workgroup, it is a different workgroup name. Both of the other workgroups see this box. The application database box is called APPBOX (for example) and is on the APP workgroup. The other two LANs are CO1 and CO2. I can go to either one of those networks, type in \\appbox and see the appropriate directories.

Edited by thenotch, 29 April 2008 - 03:30 PM.

  • 0

#4
thenotch

thenotch

    Member

  • Topic Starter
  • Retired Staff
  • 668 posts
Rough layout of what I am talking about...

Posted Image
  • 0

#5
dsenette

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
how do you have ports 18 and 16 belonging to more than one VLan? and as a better question why?
  • 0

#6
thenotch

thenotch

    Member

  • Topic Starter
  • Retired Staff
  • 668 posts
Well... the thought process was two NICs in that app database... the last VLAN is for those users who have access to both companies' databases on that app server.
  • 0

#7
dsenette

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
.....so it's not a straight connection to the DB? the access is controlled by which door they come in? (i.e. which NIC they're on?)
  • 0

#8
thenotch

thenotch

    Member

  • Topic Starter
  • Retired Staff
  • 668 posts

.....so it's not a straight connection to the DB? the access is controlled by which door they come in? (i.e. which NIC they're on?)


Correct... two separate LANs with their own ISP that both can talk to the APP DB depending on which NIC they have access to.
  • 0

#9
dsenette

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
i see the routers are .1.1 and .0.1 .....are all the computers on the corresponding LANs in the same ranges as their gateways?...you stated originally that both NICS on the APP server are 1.something....was this a typo or is it correct?
  • 0

#10
thenotch

thenotch

    Member

  • Topic Starter
  • Retired Staff
  • 668 posts
Right now, they are both 1.x ... 1.1 provides DHCP for CO1 and is its gateway to its ISP, 1.2 provides DHCP for CO2 and is its gateway to its ISP.

The idea in the future is to make them 0.1 and 1.1
  • 0



#11
dsenette

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
this is a guess....BUT...

what i THINK might be happening is that since they're all on the same subnet...and there are SOME connections between the VLANs (though.....they're not direct VLAN to VLAN connections)....the non working computer MIGHT be hitting the wrong NIC? also with your statement that you have to ping the interface before you can actually get it to work....it may also be a DNS issue where the machines are looking for the old IP? is there an internal DNS system or no?

i'm also going to ask a couple of the other guys to look in here (The ones with larger scale networking experience that know a bit about VLANs)
  • 0

#12
starjax

starjax

    Global Moderator

  • Global Moderator
  • 6,678 posts
GRRRRRRRR

You're going to make me pull all my hair out. For the record I'm working on my CCNA. Some of what you need I haven't covered yet (it's in CCNP). But I have lots of books and a final next week. So it's good review.

So, the way I'll answer will be the "cisco" way. Doesn't mean it's the best or that it will work with the equipment you have (non cisco). But the theory is sound. Please note that I haven't read the rest of the discourse after the diagram. At this point it's about simplification.

You have 3 vlans. By default, only hosts that are members of the same vlan can communicate. To change this and make inter-vlan communication possible, you will need a router or layer 3 switch. I'll use the router approach. This means that with multiple vlans we have trunking enabled. VLan identification is what switches use to keep track of all those frames as they traverse the switch fabric. To do this you need to trunk with ISL (cisco proprietary) or 802.1q (open standard, good for non cisco or mixed environments).

To support 802.1q routing on a fast ethernet interface, the router's interface is divided into logical interfaces, one for each vlan. These are called subinterfaces.

so not only are you going to need to configure the trunking, but you're going to need to make sure your ip route information is set up correctly.

It's important to understand that each vlan is a separate subnet. Doesn't technically have "TO BE", but it's best to think of it as that way.

Assign ports to each vlan

so let's lay out the logical network:

vlan1: 192.168.10.16/28
vlan2: 192.168.10.32/28
vlan3: 192.168.10.48/28

example:
(config)#int fa 0/4
(config-if)#switchport mode access
(config-if)#switchport access vlan 1

then
(config)#int fa 0/1
(config-if)#switchport trunk encapsulation dot1q
(config-if)#switchport mode trunk


Then you have to address the router:

Router_A(config)#interface fastethernet 0/0
Router_A(config-if)#no shutdown
Router_A(config-if)#interface fastethernet 0/0.1
Router_A(config-subif)#encapsulation dot1q 1
Router_A(config-subif)#ip address 192.168.1.1 255.255.255.0
Router_A(config-subif)#interface fastethernet 0/0.2
Router_A(config-subif)#encapsulation dot1q 10
Router_A(config-subif)#ip address 192.168.5.1 255.255.255.0
Router_A(config-subif)#interface fastethernet 0/0.3
Router_A(config-subif)#encapsulation dot1q 20
Router_A(config-subif)#ip address 192.168.7.1 255.255.255.0
Router_A(config-subif)#end



This is a very rough layout and example of what to do. It should give you an idea of where you need to look. One thing I didn't mention is that you may want to implement VTP to help manage your vlans.
(hope ScHwErVe sees this and fills it full of holes... for education purposes).
  • 0

#13
thenotch

thenotch

    Member

  • Topic Starter
  • Retired Staff
  • 668 posts
How about taking the VLANs out of the equation? Possibly this could work in another fashion sans the VLAN?

I don't have Cisco gear here (the bosses leave me with little to no budget and then expect miracles) so anything Cisco-proprietary won't do me much good.
  • 0

#14
dsenette

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
you could completely remove the VLANs from the equation...and change the scopes for your IP's....put one on 1.1 and one on 0.1 as you said you planned...then you wouldn't particularly need the vlans....or if you can weasel out another switch you could actually have segregated traffic that way...the two networks would never touch each other...
  • 0

#15
starjax

starjax

    Global Moderator

  • Global Moderator
  • 6,678 posts
while the info I listed was "the cisco way", it is only cisco specific in the command syntax. everything listed should be at some level possible on all equipment, as long as it supports higher level functions.

IMHO, it would be easier to eliminate vlans and just set up your ip routing/subnets. Then it would be just a matter of allowing specific ip's to what you want/don't want them to access.
  • 0
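
An added example, not part of any post in this thread: a small Python audit of the dual-homed application server's addressing. It shows why, with both NICs in 192.168.1.x, the server cannot tell which LAN a client is on, and what changes once the LANs are renumbered to 0.x and 1.x. The /24 mask, the renumbered host addresses, the client addresses and which company gets which range are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed inputs. The .26/.36 hosts and the current gateways come from
# the thread; the /24 mask and the renumbered addresses are assumptions.
CURRENT = [
    {"name": "nic1", "cidr": "192.168.1.26/24", "gateway": "192.168.1.1"},
    {"name": "nic2", "cidr": "192.168.1.36/24", "gateway": "192.168.1.2"},
]
PLANNED = [
    {"name": "nic1", "cidr": "192.168.0.26/24", "gateway": "192.168.0.1"},
    {"name": "nic2", "cidr": "192.168.1.36/24", "gateway": "192.168.1.1"},
]

def connected_nics(nics, peer_ip):
    """NICs whose directly connected subnet contains peer_ip.
    More than one match means the host cannot tell which wire the peer is on,
    so a reply may leave through the NIC attached to the other company's LAN."""
    peer = ipaddress.ip_address(peer_ip)
    return [n["name"] for n in nics
            if peer in ipaddress.ip_interface(n["cidr"]).network]

def audit(nics):
    """Return (finding, detail) tuples for a multihomed host's address plan."""
    findings = []
    nets = {n["name"]: ipaddress.ip_interface(n["cidr"]).network for n in nics}
    # Two NICs in the same or overlapping subnet give ambiguous connected routes.
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            findings.append(("overlapping-subnets", f"{a},{b}"))
    with_gw = [n for n in nics if n.get("gateway")]
    # A gateway must be reachable on the NIC it is configured on.
    for n in with_gw:
        if ipaddress.ip_address(n["gateway"]) not in nets[n["name"]]:
            findings.append(("gateway-off-link", n["name"]))
    # Two default gateways on disjoint networks compete for off-link traffic.
    if len(with_gw) > 1:
        names = ",".join(n["name"] for n in with_gw)
        findings.append(("multiple-default-gateways", names))
    return findings

if __name__ == "__main__":
    # 192.168.1.50 is a constructed client address.
    for label, plan in (("current", CURRENT), ("planned", PLANNED)):
        print(label, audit(plan), connected_nics(plan, "192.168.1.50"))
```

Renumbering clears the overlap, but the audit still reports two default gateways on the server; only one NIC should carry a default gateway if the server needs off-link access at all.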





