Switch VLAN – Do You Need Three Other Cables for 4 Subnets on the 2nd Floor?

switch, vlan

I've recently become network administrator in a small office. In this office, there are 3 people who are leasing a shared space; each person is an independent entity requiring segregated networking from the other entities. They asked to have a private subnet for each of them.

In total, we have 4 subnets:

  • primary company, so it uses internal email traffic, file sharing along with confidential clients' information
  • independent company 1
  • independent company 2
  • independent company 3

An external company configured a Watchguard Firebox to provide these subnets (it firewalls all of the subnets so that they can't see each other, it only allows WAN access for the Internet), so this problem is solved. My task is to provide the 3 additional subnets to the 2nd floor, one per wall plug.

1st floor rack is composed of: Firebox, 2 fiber-optic-linked Netgear GS748T (managed switches) and some patch panels.
2nd floor rack is composed of: 2 linked hubs and 2 patch panels. In one of the hubs, 2 cables are incoming from the 1st floor (I don't know why there are 2).
At the moment, there's only a single VLAN set.

My question is: can I provide access to the other three subnets in the leased room using the current cables? The obvious solution would be putting a cable between a Firebox port and the patch panel, repeated three times, bypassing switches which are for the "real" office subnet.

I omitted first floor patch panels as they're not relevant to my question. Red wire is for primary company's subnet.
I don't know if it's all clear. Let me know 🙂

Best Answer

Without knowing what, exactly, has been done by "outside vendor" I'm going to guess that each "company" has a separate VLAN (virtual LAN). That is the most common way to isolate entities that should not have the ability to snoop on each other's network traffic that share infrastructure.

If you have the password to access the switches you should be able to see if that is the case by examining the switch setup and mapping the port destination to any defined VLANs on the switch ports.

If so, you should be able to make access to any VLAN from any port. Keep your most ethical self in control when doing this. Hmm - actually, if you have "dumb hubs" on the second floor, you may need to upgrade those to a "smart switch" for proper VLAN handling. Or, if there is adequate cabling in the patch between first and second, and switch ports on the first, you just patch on the second floor, using switch ports on the first floor. To know what your options are, you really need to know (or describe) what you actually have, cable-wise.

If you have a VLAN-capable switch on the second floor, one wire can carry 4 VLANs between floors and then the switch can deliver them to the proper wall jacks.

OK. If you only have two cables (which for some reason are both connected from down to up on the "main company - building owner" network), and if you get a smart/managed/VLAN-capable switch for upstairs (probably only need one, really, at least for the scale of the problem so far), then you will need to set up VLANs on a downstairs switch for the building owner and each client. You'd plug each client into an "untagged" port on the downstairs switch assigned to their VLAN; on (at least one of) the lines running between down and up you have a port on a downstairs switch that is assigned to all 4 VLANs, tagged (which is how one wire carries 4 networks), and that connects to a port on the upstairs switch which also has all 4 of those VLANs, tagged. Then on the upstairs switch you break out the 3 "customer" VLANs to untagged ports which you patch to their assigned wall ports, and the company VLAN to the other ports (or to only the actual ports in use, as a better "best practice" which does require remembering that you need to reconfigure the switch when/if you move cables around).

With smart/managed switches, the two lines from downstairs to upstairs can be configured as a LACP so that data can move twice as fast over the pair of cables.
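
The tagged/untagged layout described in the answer above can be written down as a port plan and checked for isolation mistakes before it is entered into the switches. This is an added example, not part of the original answer; the VLAN IDs, port numbers and the `port`/`audit` helpers are assumptions chosen for illustration.

```python
# Constructed plan: VLAN IDs and port numbers are assumptions, not from the page.
VLANS = {10: "primary", 20: "tenant1", 30: "tenant2", 40: "tenant3"}

def port(untagged=None, tagged=(), pvid=None):
    return {"untagged": untagged, "tagged": frozenset(tagged), "pvid": pvid}

PLAN = {
    "down": {                                # 1st-floor managed switch
        1: port(untagged=10, pvid=10),       # firewall interface, primary company
        2: port(untagged=20, pvid=20),       # firewall interface, tenant 1
        3: port(untagged=30, pvid=30),       # firewall interface, tenant 2
        4: port(untagged=40, pvid=40),       # firewall interface, tenant 3
        48: port(tagged=VLANS),              # inter-floor cable, all 4 tagged
    },
    "up": {                                  # 2nd-floor VLAN-capable switch
        1: port(tagged=VLANS),               # inter-floor cable, all 4 tagged
        2: port(untagged=20, pvid=20),       # wall jack, tenant 1
        3: port(untagged=30, pvid=30),       # wall jack, tenant 2
        4: port(untagged=40, pvid=40),       # wall jack, tenant 3
        5: port(untagged=10, pvid=10),       # wall jack, primary company
    },
}
TRUNKS = [(("down", 48), ("up", 1))]

def audit(plan, trunks, vlans=VLANS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    trunk_ends = {end for link in trunks for end in link}
    for sw, ports in plan.items():
        for num, p in ports.items():
            if (sw, num) in trunk_ends:
                continue
            where = f"{sw}/{num}"
            if p["tagged"]:  # an edge port must belong to one VLAN only
                findings.append(f"{where}: access port also tagged in {sorted(p['tagged'])}")
            if p["untagged"] not in vlans:
                findings.append(f"{where}: no valid untagged VLAN")
            elif p["pvid"] != p["untagged"]:  # ingress frames would land elsewhere
                findings.append(f"{where}: PVID {p['pvid']} != untagged VLAN {p['untagged']}")
    for (sa, pa), (sb, pb) in trunks:
        both = plan[sa][pa]["tagged"] & plan[sb][pb]["tagged"]
        for vid in sorted(set(vlans) - both):
            findings.append(f"trunk {sa}/{pa}<->{sb}/{pb}: VLAN {vid} not tagged on both ends")
    return findings

if __name__ == "__main__":
    print(audit(PLAN, TRUNKS) or "plan is consistent")
```

The PVID check matters on switches where the port VLAN ID is set separately from untagged membership: a wall jack left on the default PVID sends a tenant's incoming frames into the wrong VLAN even though the membership table looks correct.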
