I am hoping that one of you has already faced this issue and resolved it.

We have a client with 4 locations and a Head Office. Let's call the branches A, B, C and D and the Head Office HO for clarity's sake.

So, HO and A,B,C & D should be able to share traffic between them but should be invisible to all other subscribers on our network.

That is easy enough: set all the SMs for A, B, C, D & HO to have an Untagged Ingress VID of the same VLAN and that is sorted.

The problem is that this client might want the HO to also have access to the Internet. How would I go about doing this?


VLAN aware switch at the head end. Allow the VLAN for your customer to have access to the Internet.

Jerry Richardson wrote:
VLAN aware switch at the head end. Allow the VLAN for your customer to have access to the Internet.

Jerry, so what you are saying is that at the HO, the customer has to have a VLAN aware switch.

He tags his traffic with another VLAN that we give him. This VLAN is ignored by the SMs of A, B, C & D but our router at our NOC allows it to pass through.

Is this correct?

If that is the case, I am assuming that all the SMs of A, B, C, D and the HO must be set on Bridge rather than NAT.

Is there an FAQ available as to the steps that one would need to take to go through this whole process seamlessly?


You need a VLAN aware switch at your head end.

Each SM for HO, A, B, C and D tags the ingress traffic with VLAN 721 (example).

At your Head End allow VLAN 721 to access the WAN router.

All remote offices will have access to the HO, each other, and the Internet, but will be secure inside your network from all other SMs.

The new manual has some decent information regarding VLANs.

OK, thanks.

Yes. I know that will work fine.

But what if the client wants A, B, C & D NOT to have Internet access but wants HO to have Internet access?

So guys, is there no solution to this?

What exactly is the objective?

It may be that VPN tunnels are more appropriate for the ROs to connect to the HO, and then use a VLAN from the HO to your edge switch/router.

Well, the objective is to be able to compete with the DSL company that offers these solutions.

This is a sizeable client that is looking to switch to us. We need to be able to step into the DSL company’s shoes without complicating their life with VPNs etc.

OK, but what I mean is what exactly is the customer trying to do?

Do they want to have the ROs only access a server and no Internet while the HO has access to the same server and the Internet?

The more specific you can be about the application the more specific I can be in my suggestions.

It keeps pointing to two VLAN routers at the HO and 2 NICs in the server. Even the DSL company would have to do this.

A properly configured VPN tunnel router at each location would make the most sense; then set the VPN tunnels at A, B, C, D to tunnel into the HO VPN router (use a different IP range for each building). Then set the firewall rules to only allow traffic for the ranges of HO, A, B, C, D at the sites A, B, C, D. Then set HO to allow all standard traffic, and also to not allow the ranges of A, B, C, D to access the WAN port on the HO router.

There, problem solved without needing a VPN router, and if the client ever does need to have Internet access at one of the four remote offices, it is just a little config on the router at that location. HINT: some tunnel routers even let you run an L2TP server on them as well, so you won't even have to go on location to change or modify the configs.

This config should link up the remote offices and allow them to access services at HO and at each office, but they will not be able to get onto the Internet.

It is a little more configuring on the VPN router side, but this way everything is encrypted inside a VPN tunnel and is not just floating around on your network. Which means it is a little more secure.

Just make sure to use decent VPN tunnel routers for this job, or it will come back to get you in the end.

OK guys.

Thank you very much for your feedback!

The best way to do it is as AC_Bab… states, placing VPN routers at each location… the simplest way to do it will be…

an SM at each RO and HO on the same Ingress VID. At the Head Office the managed switch port will have to be configured depending on how you want to integrate the ROs to the HO.

If you are running the same network at HO and all the ROs, then the HO SM goes into a port with the same VLAN ID as the port that connects the HO network, and you have one big flat network.

If you want the HO network to sit on a different network, the port that the HO SM plugs into can be configured (if you have an L3-capable switch) as an L3 interface with an IP address, which becomes the gateway for all the ROs.

For Internet, are you using a separate SM or do you want to use the same SM (WAN)? Who gets access to the Internet can be controlled by access lists.

There are many solutions to resolve this issue depending on the user setup/requirements. If you want to replace the current provider, we need more information on the current network addressing scheme of the different locations and we can throw out some more ideas…


We have many WAN customers who then want Internet. In the past we have had to stick an additional SM at one location and make it an Internet SM (the problem here is a single point of failure on the SM and the WAN link at the location with the Internet SM). An option we always had was to configure a VLAN interface on our core switch and give it an IP address, and then that IP address would act as a gateway for all devices. The problem with this setup was that customers use private IP space, and the risk/chance of an IP conflict between customers and us stopped us from taking this route. Recently we have been playing with VRF technology, which allows us to do the above without causing IP conflicts…
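The two posts above (the L3 switch port acting as gateway for the customer VLAN with an access list deciding who reaches the Internet, and the VRF variant that keeps the customer's private addressing separate from the provider's) can be put into one head-end switch configuration. The following is an added illustration in Cisco IOS style and is not configuration from anyone in this thread. VLAN 721 is the example VLAN used earlier; the VRF name, the 10.72.0.0/16 customer range with the HO on 10.72.0.0/24, the interface names and the uplink addressing are all assumed for the example. All SMs are in bridge mode on the same Ingress VID, so HO-to-branch traffic is bridged inside the VLAN and never passes the access list; the list only governs what leaves the VLAN through the switch.

```cisco
! Added example (not from the thread): head-end L3 switch for one customer
! Assumptions: VLAN 721 (from the thread); VRF name, subnets and ports are hypothetical

! One VRF per customer, so their private addressing cannot collide with ours
ip vrf CUST-721
 rd 65000:721
!
! Only the HO subnet may leave the customer VLAN; branches A-D are denied
ip access-list extended CUST-721-IN
 remark Intra-customer traffic (HO <-> A,B,C,D) is bridged in VLAN 721 and never hits this list
 remark HO 10.72.0.0/24 may reach anything (Internet via the WAN router)
 permit ip 10.72.0.0 0.0.0.255 any
 remark Branches 10.72.1.0/24 .. 10.72.4.0/24 and anything else: no Internet
 deny   ip any any log
!
! Gateway for the whole customer VLAN, placed in the customer VRF
interface Vlan721
 description Customer VLAN 721 gateway (HO + A,B,C,D SMs, all in bridge mode)
 ip vrf forwarding CUST-721
 ip address 10.72.254.1 255.255.0.0
 ip access-group CUST-721-IN in
!
! Trunk toward the APs / head end carrying only this customer's VLAN
interface GigabitEthernet0/2
 description to head-end AP cluster
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 721
!
! Routed uplink to the WAN router, also inside the customer VRF
interface GigabitEthernet0/1
 description to WAN router (customer VRF)
 no switchport
 ip vrf forwarding CUST-721
 ip address 192.0.2.2 255.255.255.252
!
! Default route for the customer VRF only; our own routing table is untouched
ip route vrf CUST-721 0.0.0.0 0.0.0.0 192.0.2.1
```

Because the access list is applied inbound on the VLAN interface, a branch host that tries to reach the Internet is dropped and logged at the switch, while an HO host with a 10.72.0.x address is forwarded into the VRF and out the uplink. If the customer later wants one branch online, adding a second `permit` line for that branch's /24 is the whole change. NAT for the customer's private addresses is assumed to happen on the WAN router.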


I have been doing this for more than 7 years, but using routing. About 95% of my clients are Intranet or private networks.

When I first started to use Canopy this was a major setback. But I installed or added a low cost router like the Cisco 1605R.

I’ve been waiting for version 8. I’ve heard static routing will be available.

Routing has its benefits in this particular case. It stops worms from penetrating your network. No broadcast!