How to set up VLAN trunking to connect to an ISP

Hi, All, I have a very basic and small scenario on VLAN and trunking technology that will be applied on our network. After searching on the Internet for a while I couldn't get clear specification anywhere to answer my questions. If you could help me out I will be really really appreciate it.

We have a network contains three distinct geographical locations that are connected each other by T1 lines (like a triangle). From one of the locations (Headquarter location) we use subscribed ADSL to connect to the Internet. The three sites each uses a Cisco 2610 router to do internal routing. The IP range is 192.168.x.x/24. The headquarter uses a Cisco 506E Pix to do NAT, VPN and access list control.

At present, we are upgrading bandwidth by replacing T1 with fiber optics. After the upgrade, the three sites will be linked to the ISP via fiber lines directly. The ISP will create VLANs for us instead of using subnets to segment the network. The configuration the ISP provided us is:

Public VLAN -101 (native VLAN) Private VLAN- 102

The ISP already created the two VLANs and VLAN trunking on their switch and asked us to follow up on our switch in the HQ site. Since the VLAN knowledge is absolutely new for me, I'd like to ask several pretty detailed questions over here and cordially hope you could help me out:

1=2ESince VLAN101 is public VLAN, does it mean VLAN 102 is the only VLAN that our network devices should be put in? If it's the ONLY VLAN, since it contains more than 600 hosts, I will use a class B IP range, i=2Ee.,172.16.x.x/22 instead of 192.168.x.x/24. All devices within the same subnet don't need be routed to communicate each other. Is my understanding correct? 2=2ESince only one VLAN inside, inter-VLAN routing and router-on-a-stick have no use. Can we abandon routers and only use switches and PIX for traffic control? 3=2EWe are considering buying a new switch to be the core switch doing VLAN and trunking. The ISP engineer said it's really no matter the switch on our side a layer2 or a layer3. But if it's a layer 2 switch, how can we assign the IP address to the VLAN 102 port? Is a router which supports VLAN trunking still needed in this case? 4=2EOn the core switch, how many ports should be in the 802.1Q trunk? - Can I only set it up on the native VLAN101 port? How should I assign all the other ports on the switch then? Make them all ports for LAN102? Physically this switch's ports will connect network devices in the specific location and the fiber link box. (Sorry for my na=EFve question because I'm having difficulty to understand logical interfaces and physical interfaces in my performance of setting VLAN. I got difficult to find clear docs and examples on the Internet either.) 5=2EShould the PIX play any role in the VLAN configuration? Or I just leave its setting intact?

Thank you all for your assistance! Any post or link will be greatly appreciated.

Reply to
Loading thread data ...

Can anybody provide hint on any one of the issues? Many thanks!

Reply to

What does the PIX do for you? Does it merely control access and provide VPN connectivity across your Internet connection? Is it, therefore, totally irrelevant to this discussion about your LAN connectivity?

What bandwidth are you getting? What distances are we talking about?

What do you envision using the "Public" VLAN for? What do you envision using the "Private" VLAN for? How do you think that this segments your network?

This sounds like pretty ad hoc setup on the carrier's part. Not the kind of thing I'd feel very comfortable with. One wonders whether they can defeat a VLAN hopping attack.

It's a VLAN. One VLAN is pretty much like the next. The word "public" doesn't mean anything to me. The word "native" does mean something.

You get a [very minor] performance improvement using the native VLAN. Frames transmitted in the native VLAN are sent without the overhead of a dot1q tag.

Yes. If you put all the devices on all three sites on one VLAN and assign them IP addresses in a single IP subnet then you don't need any routers to get traffic from one site to the next.

But why do you have two VLANs then?

Switches aren't going to be very good for traffic control. The PIX can't do traffic control at all on your LAN. The PIX controls your Internet traffic (I assume).

Why? What will VLANs and trunking do for you when you have only one VLAN?

What does it mean to have a "core switch" when your other switches don't even connect to it?

You can't do trunking without two switches. One at each end of the trunk. You can't make much use of VLANs when all you have is one IP subnet.

You might plausibly get away with a scenario in which a core layer 3 switch routes between three separate VLANs and uses a trunk port to carry two of them to your remote sites over the carrier's network.

You'd still be carrying broadcast frames across the carrier's network, but at least the broadcast domains for the three sites wouldn't overlap.

! Core layer 3 switch interface gig1/1 description to carrier switchport trunk encap dot1q switchport trunk native vlan 101 switchport trunk allowed vlans 101,102 switchport mode trunk

interface gig2/1 description template port to local LAN switchport access vlan 100 switchport mode access spanning-tree portfast

interface vlan 100 description layer 3 interface to site local LAN ip address

interface vlan 101 description layer 3 interface to site A LAN ip address

interface vlan 102 description layer 3 interface to site B LAN ip address

ip routing ip route ! The PIX

! Layer 2 switch at site A interface Gigabit0/1 description to carrier switchport trunk encap dot1q switchport trunk native vlan 101 switchport trunk allowed vlan 101 switchport mode trunk

interface FastEthernet0/1 description template user port switchport access vlan 101 switchport mode access spanning-tree portfast

interface VLAN 1 shutdown

interface VLAN 101 description switch management interface ip address

no ip routing ip default-gateway

! Layer 2 switch at site B interface Gigabit0/1 description to carrier switchport trunk encap dot1q switchport trunk native vlan 101 switchport trunk allowed vlan 102 switchport mode trunk

interface FastEthernet0/1 description template user port switchport access vlan 102 switchport mode access spanning-tree portfast

interface VLAN 1 shutdown

interface VLAN 102 description switch management interface ip address

no ip routing ip default-gateway

On a Cisco router, the syntax for a dot1q trunk is:

interface fastethernet 0/0 description main interface/native vlan ip address

interface fastethernet 0/0.102 ! Making sub-interface number match VLAN is not neccessary, but is pretty description vlan 102 sub-interface encapsulation dot1q 102 ip address

The port where you plug in the fiber from the carrier. One port.

What VLAN101 port? What were you planning to use VLAN101 for?


You're changing all your LAN IPs. If the PIX has a LAN IP, that IP address needs to change. And all its rules need to change. Oh me, oh my.

Why do that to yourself? Why aren't you using routers and leaving your IP addressing alone? Either a router-on-a-stick or a real router can do the job. One at each site to route from the carrier's VLAN102 to the site's VLAN 11, 12 and 13 (for example). That's how I'd do it.

But if you want to go low-end and use a single layer 3 device at the hub site and not allow point-to-point traffic to short-cut past the hub, use the configuration I supplied above and go that way instead.

Reply to

If your ISP can't help you with the handoff..

Reply to
Doug McIntyre

Hi, Bri... I want to thank you for your patience and your detailed replies on my questions on two lines these days. You are so knowledgeable on the VLAN technology. I'd like to get back to your questions on your post and hopefully I could get your further guidance on the configuration.

Yes, the PIX is irrelevant to the internal connectivity and only for the Internet traffic. We currently use three cisco 2610XM routers to solve internal routing.

This is what the carrier's engineer literally said to me but what I've been keeping confusing. My understanding is the ISP plans to built a dot1q trunk link between their switch and our switch. They've assigned VLAN 101 (as native VLAN) and VLAN 102 for us on their switch and require us to keep the matching VLAN IDs on our switch. I don't know what their meaning of "public VLAN" is. Perhaps it represents a native VLAN from an ISP view, which means that frames belonging to the native VLAN are not encapsulated with tags thus all untagged frames can be sent and received across their and our network always. (?)

Based on Cisco publications I'm concerning the VLAN security too. The disadvantages of one braodcast domain under a VLAN seems outweigh the advantage of the fiber upgrading of the network...

The ISP assigned VLAN101(native VLAN) and VLAN102 for us in advance.

The trunk line will be set between the carrier's switch and a switch in our HQ in this scenario. If i design to have more than one VLANs rather than VLAN102 (i.e. each location has one VLAN), I think each location needs a switch to set up dot1q trunking to the carrier's switch individually.

In your configuration above, the layer 3 switch has been configured three VLANs for three distinct locations. You assigned VLAN100 for the HQ site, VLAN 101 for site A and VLAN 102 for site B. At the same time, VLAN101 is still used as the native VLAN. This makes me a bit confused - could the native VLAN (for untagged frames) be same as a VLAN for tagged frames? Is it a typo or you did it on purpose? I can understand your design of using a router in each of the location. "One at each site to route from the carrier's VLAN102 to the site's VLAN 11, 12 and 13 (for example). " In this example, VLAN 11,

12, 13 makes sense to me.

Thank you very much for your feedback!

Reply to

[snip most of configuration]


Yes. The native VLAN isn't all that special. Tagged or not, for almost all practical purposes it's just another VLAN on the wire.

[It lacks one feature that a tagged VLAN has -- the ability to support [nested] VLAN tags on the frames that it carries]

On Cisco switches, if you specify that VLAN 101 is the native VLAN on a trunk port then the switch will not use VLAN 101 tags on frames transmitted on that port. It will transmit VLAN 101 frames untagged.

The receiving end puts the untagged frames into its trunk port's native VLAN which will, barring configuration inconsistencies, be VLAN 101.

Again, there's nothing very special about the native VLAN from a practical standpoint.

It's on purpose. I'm assuming a fully meshed virtual LAN presented on both VLAN 101 and VLAN 102. As below, this assumption may be faulty.

On the alternate assumption that the carrier is providing you with virtual hand-offs for two point-to-point links, the configuration also works at the core site, but may need tweaking at the satellite locations.

One question that I haven't asked and that I haven't seen you volunteer an answer for...

Is the carrier handing you a fully meshed virtual LAN (as I had been assuming)?

Or are they handing you two (or three) point to point links with VLAN 101 pointing to site A and VLAN 102 pointing to site B?

The fact that you say the carrier pre-configured things with two VLANs leads me to suspect the latter. They could be multiplexing two point to point links over one physical hand-off to the core site.

Reply to

=BB=D2=FD=D3=C3=CE=C4=D7=D6 -

I double checked with our ISP... The three locations will be linked to the ISP via fiver optics seperately, which means there will be three point-to-point links instead of a fully meshed link. Meanwhile, only two VLANs were assigned to our network by the ISP, one "public" VLAN

101 and one "private" VLAN102. It's not like what you assumed VLAN101 pointing to siteA and VLAN102 pointing to site B... since we have three distince locations..

Thank you very much for your continous assistance. Shu

Reply to
szhang3 Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.