how to connect 2 lans with certain restrictions


I need to connect two LANs. One LAN is our client's (172.16.100.x) and one is
ours (192.168.100.x). We have a dedicated link through fibre optic as a
transport which links directly to us through the media converter, where it
plugs into my layer 2 switch. (Not a good design, I know.) We (192.168.100.x)
need to connect to their Oracle database and applications created in Oracle,
as well as use development tools from our LAN. What I want to do is to
isolate our LAN resources so that we (192.168.100.x) can access their
LAN (172.16.100.x: Oracle servers and certain clients) but completely
restrict their access to our LAN.
 
flaminjune said:
I need to connect two LANs. One LAN is our client's (172.16.100.x) and one is
ours (192.168.100.x). We have a dedicated link through fibre optic as a
transport which links directly to us through the media converter, where it
plugs into my layer 2 switch. (Not a good design, I know.) We (192.168.100.x)
need to connect to their Oracle database and applications created in Oracle,
as well as use development tools from our LAN. What I want to do is to
isolate our LAN resources so that we (192.168.100.x) can access their
LAN (172.16.100.x: Oracle servers and certain clients) but completely
restrict their access to our LAN.

First of all, if you want to remain isolated, you can't just plug the
LANs into each other. This will provide a connection (that still needs
to be routed), but all that separates the two LANs is the fact that
they're on different IP networks. If your layer-two switch is managed,
you can create VLANs. If it's not managed, buy a managed one that does
802.1Q VLANs. You'll only need two ports for the client's network (VLAN
A) - one for the media converter and one for a router between the two of
you. Then you can route between the two LANs and control access using
access-lists. This is the professional way of handling the situation and
will require a router with the capabilities you need (think Cisco).

If you wanted to do it all with one piece of equipment, you could use a
layer-3 switch (a switch that also routes), but they are expensive. On
the other hand, if you need wire-speed routing, a layer-3 switch will
probably cost about the same as a managed layer-2 plus a 100Mb router,
and will outperform two separate units.

Since both networks will likely need Internet access as well, you'll
have to plan out how they get to the Internet. Your client will need an
Internet router that can have a static route to your network via the
router in between the two LANs (and so will you, unless you're planning
on using the new router for both routes). Most SOHO routers can handle
this these days, so you likely already have what you need in that regard.

Example:

   Client LAN
   172.16.x.x                  THEIR INTERNET ROUTER
        \                      | 172.16.1.1
         \                     |
          \                    |
    Client's LAN Switch        YOUR INTERNET ROUTER
           |                  / 192.168.100.1
           | Fiber Link      /
           |                /
        VLAN A    Your Switch    VLAN B   (Managed Layer-2)
           |       /       \
           |      /         \
           |     /           Your LAN (VLAN B) 192.168.100.x
           |     |
   172.16.1.2    | 192.168.100.2
        LAN-to-LAN Router

Their Internet router would need a static route to 192.168.100.0/24 via
172.16.1.2

Your Internet router would need a static route to 172.16.0.0/16 via
192.168.100.2

If all you need to access is a single server on their network (let's say
172.16.1.100), your static route would look like:

ip route 172.16.0.0 255.255.0.0 192.168.100.2 (on your default gateway
router).

And theirs would look like:
ip route 192.168.100.0 255.255.255.0 172.16.1.2

Then, an access list to prevent all but that server from accessing your
network (IOS needs the "host" keyword for a single address in an
extended access-list; anything not matched is dropped by the implicit deny):

! 172.16.1.100 may talk to any address on your LAN, and your LAN may talk to it
access-list 101 permit ip host 172.16.1.100 any
access-list 101 permit ip any host 172.16.1.100

Then apply the access-list to the router interface in both directions
and you've got a route from any computer on your LAN to the DB server
and from the DB server back to any computer on your LAN (all other
traffic is implicitly denied). You can get as granular as you like with
this. And if you ever needed to add more connectivity (to more devices
on their LAN) all you need to do is modify the access list.


....kurt
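The following is an added example, not code from the original thread or from either poster: a small model of the LAN-to-LAN router's two jobs (the static routes and the access-list) so Kurt's configuration can be checked against sample traffic before it is typed into a real router. It parses the IOS extended access-list forms used above (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, an optional `eq PORT` and the `established` keyword, which matches only TCP segments with ACK or RST set) and does longest-prefix-match lookups over the static routes. It also shows the point a reviewer would raise about access-list 101: because it permits `ip host 172.16.1.100 any`, the database server itself can open connections into your LAN, not only answer them; a tighter list limited to the listener port and to return traffic is modelled beside it. Assumptions not from the thread: the Oracle listener on TCP 1521, 192.168.100.50 as one of "our" workstations, and a default route to "ISP" on each Internet router.

```python
"""Model of the LAN-to-LAN router: static routes plus a Cisco-style extended
ACL. Added example, not from the original thread. Assumptions: TCP 1521 as
the Oracle listener port, 192.168.100.50 as a local workstation, "ISP" as the
default next hop of each Internet router."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "ip", "tcp" or "udp"
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK/RST set, i.e. not the opening SYN of a flow


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _take_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    mask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)   # wildcard = inverted mask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq N' port qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(lines):
    """Parse numbered extended access-list lines of the form used in the thread."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto, rest = t[2], t[3], t[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        established = bool(rest) and rest[0] == "established"
        entries.append(AclEntry(action, proto, src, sport, dst, dport, established))
    return entries


def acl_permits(lines, pkt):
    """First matching entry decides; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in parse_acl(lines):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not pkt.ack:
            continue
        return e.action == "permit"
    return False


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next hop) static routes."""
    d, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


# Static routes from the thread, plus an assumed default route to the ISP.
YOUR_INTERNET_ROUTER = [("0.0.0.0/0", "ISP"), ("172.16.0.0/16", "192.168.100.2")]
THEIR_INTERNET_ROUTER = [("0.0.0.0/0", "ISP"), ("192.168.100.0/24", "172.16.1.2")]

# Kurt's access-list, with the 'host' keyword IOS needs for a single address.
ACL_101 = ["access-list 101 permit ip host 172.16.1.100 any",
           "access-list 101 permit ip any host 172.16.1.100"]
# Tighter variant: only the listener port, and only reply traffic back from it.
ACL_102 = ["access-list 102 permit tcp any host 172.16.1.100 eq 1521",
           "access-list 102 permit tcp host 172.16.1.100 eq 1521 any established"]

WS, DB, OTHER = "192.168.100.50", "172.16.1.100", "172.16.1.50"   # constructed hosts
QUERY = Packet(WS, DB, "tcp", sport=40000, dport=1521)
REPLY = Packet(DB, WS, "tcp", sport=1521, dport=40000, ack=True)
DB_INITIATED = Packet(DB, WS, "tcp", sport=50000, dport=22)   # DB host opening a session to us
OTHER_HOST = Packet(OTHER, WS, "tcp", sport=50000, dport=22)

if __name__ == "__main__":
    print("your router forwards DB traffic via", next_hop(YOUR_INTERNET_ROUTER, DB))
    print("their router forwards our traffic via", next_hop(THEIR_INTERNET_ROUTER, WS))
    for name, pkt in [("query", QUERY), ("reply", REPLY),
                      ("db-initiated", DB_INITIATED), ("other host", OTHER_HOST)]:
        print(f"{name:13s} acl101={acl_permits(ACL_101, pkt)!s:5s} "
              f"acl102={acl_permits(ACL_102, pkt)}")
```

Running it shows both lists letting the workstation's query and the server's reply through and both dropping the other client host, but only access-list 102 drops a connection the database server opens towards your LAN. The `established` check is stateless (it only inspects TCP flags), so it is a narrowing of Kurt's list rather than a stateful firewall; the model is meant to make the difference visible, not to replace testing on the router itself.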
 