We have a somewhat exotic setup. Some devices connected to a Cisco switch must be administered by a third party, and we don't want to give this third party full access to our network. These devices do not have a routed subnet of their own; they are part of the subnet the switch is in. This cannot be changed, unfortunately.
We've come up with the following solution (which doesn't work):
- We've put the ports these devices are on onto a separate VLAN.
- We've connected a RouterBoard appliance with two interfaces to the switch; one interface is connected to the main VLAN, the other one is connected to the new VLAN for the devices.
- We try to set up a bridge (combined with a firewall so only incoming connections are possible) on the RouterBoard, so the devices are accessible.
We cannot get this solution to work: the RouterBoard relays packets from one interface to the other, where the Cisco rejects them because of the wrong VLAN tag.
We tried setting up VLAN tagging on the RouterBoard (using this as reference: http://blog.butchevans.com/2010/02/to-tag-or-not-to-tag-that-is-the-question/), but no traffic seems to hit the RouterBoard.
Can we change the Cisco settings to accept or ignore the wrong VLAN tags, or how should we configure the RouterBoard?
Thanks in advance!
You mentioned a router and a firewall. Is it possible to just set up port forwarding on the firewall? So the new admin might go to http://firewall:8080/ and that would get mapped to your.internal.device:80? It would probably be an easier solution than trying to bridge the VLANs together. It would be helpful to know more about the device capabilities available to solve the problem, as it sounds like you can do this without adding more devices to your network.
I know this is late (putting it mildly), but this might be handy as a pointer for someone in the future.
On almost any reasonably modern Cisco switch there is some version of private VLAN (PVLAN). The idea of PVLAN is to keep hosts within a given VLAN from being able to talk to one another unless explicitly allowed to. There are three types of ports in PVLAN:
1.) Promiscuous - A port configured as promiscuous can send and receive to any port in the VLAN. Your router's port would likely be promiscuous.
2.) Isolated - Can only send traffic to promiscuous ports.
3.) Community - Can send traffic to other ports in the same community and to promiscuous ports.
In your scenario you'd have all of the hosts mentioned in the same VLAN. The externally managed boxes would be set up as isolated while the remainder would be set up in a common community. Your router/gateway would be a promiscuous port.
The actual implementation of this is going to vary based on which switch platform you have in use, but the principles remain the same...
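As an added illustration of the PVLAN layout described in this answer (this is not the answer author's configuration, and the VLAN IDs, port numbers and descriptions are assumptions), here is what it looks like on a Catalyst switch running IOS. VLAN 200 is the primary VLAN that carries the existing subnet; VLAN 201 is the isolated secondary VLAN for the third-party-managed devices; VLAN 202 is the community secondary VLAN for your own hosts; the router/gateway sits on a promiscuous port.

```cisco
! Private VLANs require VTP transparent mode on VTP version 1/2
vtp mode transparent
!
! Secondary VLANs first, then the primary that associates them
vlan 201
 name THIRDPARTY-ISOLATED
 private-vlan isolated
!
vlan 202
 name INTERNAL-COMMUNITY
 private-vlan community
!
vlan 200
 name MAIN-PRIMARY
 private-vlan primary
 private-vlan association 201,202
!
! Ports of the externally managed devices: isolated hosts.
! They can only exchange frames with the promiscuous port(s).
interface GigabitEthernet0/1
 description third-party managed device (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Ports of your own hosts: one community, so they still see each other.
interface GigabitEthernet0/2
 description internal host (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Router / gateway port: promiscuous, mapped to both secondary VLANs.
interface GigabitEthernet0/24
 description router / gateway (assumed port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Verification
! show vlan private-vlan
! show interfaces GigabitEthernet0/1 switchport
```

Two things worth checking after applying this: `show vlan private-vlan` must list 201 as isolated and 202 as community under primary 200, and the host ports must show "private-vlan host" in `show interfaces ... switchport`. By the definitions given in the answer, a community port cannot reach an isolated port directly, so whichever internal host needs to open connections to the third-party devices must itself sit on a promiscuous port, or the gateway must relay that traffic (IOS can do this with `ip local-proxy-arp` on the primary VLAN's SVI, combined with an ACL that only permits the direction you want); that relay path is also where the "incoming connections only" policy from the question would be enforced.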
"Bridge between VLANs" is kind of an oxymoron, isn't it? Bridged/merged VLANs are just another single VLAN. What was the point of splitting the VLAN into a pair and then asking about bridging (thus merging) it again? :-) Solving a problem of an upper layer (networking) at L2 is kind of unreasonable. )
Set up binat for them, so they would be accessing some additional IPs which would get translated by your router to the internal ones. You'd be able to control those, wouldn't you?