Understanding VLANs on Cisco gear

hi all,

okay, Cisco's 'Trunking' is not what the rest of the world understands when it hears 'Trunking'; there are many examples where Cisco uses a well-known term in a totally different manner.

however, i now have another situation here i don't understand, this time it is about VLANs.

per definition a VLAN '(...) is a method of creating independent logical networks within a physical network. Several VLANs can co-exist within such a network. This helps in reducing the broadcast domain and administratively separating logical segments of LAN (like company departments) which should not exchange data using LAN (they still can by routing).'

and

'VLAN 1 is the default VLAN; it can never be deleted. All untagged traffic falls into this VLAN by default.'

okay, this is what i knew, what i know and what i believed in.

now a Cisco 4507R shows me the server VLAN from a VLAN that is supposed to contain clients (the server VLAN is the default VLAN, renamed from '1' to something different for security reasons, as recommended by a Cisco whitepaper).

i can connect to servers from a totally different VLAN while it should not work this way (the port where the server is connected belongs _only_ to the server VLAN).

can someone explain this to me? i _want_ to build walls. i built them the way i always did, and it always worked on non-Cisco devices. now, it doesn't.

help appreciated -- thanks!

timo

Reply to
Timo Schoeler

If the server port belongs only to the server VLAN, but the client port belongs to both the client and server VLANs, then the client port has full access to the server VLAN as a bona fide member of that VLAN.

So the server can still talk to that client port while belonging only to the server VLAN since the client port also belongs to the server VLAN.

On my switch, the config to belong to multiple VLANs looks like this:

switchport multi vlan 1,2
switchport mode multi

Reply to
JF Mezei

yes, that's for sure. but: the client port is only a member of the client VLAN, while the server port is only a member of the server VLAN. as we are not in production with this switch at the moment but rather setting it up, the scenario is exactly like this (in the real world it'd be unusable).

however, given that, it doesn't work as intended. the machines shouldn't be able to see each other. but they do.

sure, no question. that's how i understood VLANs when i started networking more than a decade ago.

thx.

Reply to
Timo Schoeler

How do Cisco refer to trunking differently to 'the rest of the world'?

The 4500 series is a multi-layer switch; of course there is inter-VLAN communication ... under certain conditions.

Please post the link/s you are reading from. I'd like to see if you've misread something or are taking something out of context.

BernieM

Reply to
BernieM

Please post your config so we can actually see what you're telling the switch to do.

BernieM

Reply to
BernieM

Cisco calls links carrying multiple VLANs (their tags) trunks, while a trunk for the rest of the world means port trunking or port aggregation (a 'fat pipe' or whatever). in Cisco speak, this is a channel.

however, as _every_ cisco whitepaper sez, they were the first to steal these ideas from students^Winvented it first. :)

Reply to
Timo Schoeler

it's my colleague doing it. i don't think i'll post the config here -- it's not an OpenBSD dmesg. :)

Reply to
Timo Schoeler

Check the definition of the word "trunk" at Wikipedia.

It has both definitions - for "port trunk" (link aggregation), and "VLANs". By the way, in Telecom the word "trunk" has its own meaning.

Good luck,

Mike


Reply to
headsetadapter.com

that's what i quoted; mind this piece:

'(Confusingly, the term 'trunk' also gets used for what Cisco call "channels" : Link Aggregation or Port Trunking).'

yes, but the first one being far more common.

i know :)

timo

Reply to
Timo Schoeler

People are trying to help you. Without seeing your config nobody can tell what's wrong with your switch. Do you have L3 interfaces defined for VLANs? Do your servers and workstations have the same IP network addresses? Do you have "proxy arp" enabled on interfaces? Do you have SmartNet with Cisco? Why don't you call them directly to troubleshoot the problem?

Mike


PS. If it's your "colleague job" to work with a switch, why are you troubleshooting the problem?

Reply to
headsetadapter.com

i know, and i appreciate this. i gave the information that should be sufficient to understand the problem, and i asked a clear question.

company policies might prevent someone from publishing such data.

yep.

for testing purposes, yes, in production, no. we're going to build about ten VLANs for security's sake and all of them contain a /21 network.

if it's not enabled by default (i guess it shouldn't), no.

that's an easy to answer question: after their sales engineers told us they will of course support us we signed the contract. it was worth between 250,000 and 750,000 (go figure). as soon as this was done, they told us we won't get support as we are 'too small'. support itself has to be at least 100,000 bucks per annum.

this is why i avoided cisco in the last seven years. this is why they lost a f****ng big part of the market. that 'philosophy' leads to at least one weekly remote-exploitable flaw in IOS.

still, i have to deal with it. :D

why not? maybe in 'modern times' it's all about fighting each other, at least this is what the free, civilized, western 'democracies' practice. but i do it differently ;)

Reply to
Timo Schoeler

OK, when you say that a machine in VLAN X can talk to a machine in VLAN Y, how do you know this ?

Is it at the TCPIP level that communications exist? or are you 100% sure it happens at the ethernet level?

Can you try other protocols (non TCPIP) to see if communications also exists ?

Are you able to use some ethernet monitoring software on one node and put that port into promiscuous mode (port monitor)?

Does the client machine have server ethernet addresses in its ARP table ? or does it only see some router's ethernet address because there is a router that bridges the 2 VLANS ?

Similarly, does the router's ARP table contain the client's ethernet address ?

Reply to
JF Mezei
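JF Mezei's questions above (what the client's ARP table holds for the server, and whether it only sees a router's MAC), together with Mike's earlier ones about shared IP networks and proxy ARP, can be turned into a small decision procedure. The script below is an added example for this thread, not code from any of the posts. It parses constructed Linux `ip neigh show` output (every address and MAC in it is invented) and classifies how the client reaches a target. It assumes the client is a Linux host, that the default gateway's address is known, and that a server answering ARP for itself would show a MAC different from the switch SVI's.

```python
"""Classify how a client reaches a target address from its neighbour table.

Added example for this thread, not code from the posts.  NEIGH_OUTPUT is
constructed `ip neigh show` output from a Linux client; every address and
MAC in it is invented.
"""
import ipaddress
import re
from typing import Dict, Optional

# Constructed: the gateway (10.10.0.1) and the server (10.100.0.50) resolve to
# the SAME MAC, while a peer in the client VLAN (10.10.3.22) has its own MAC,
# and 10.10.5.5 never answered ARP at all.
NEIGH_OUTPUT = """\
10.10.0.1 dev eth0 lladdr 00:1a:a1:0c:9f:01 REACHABLE
10.10.3.22 dev eth0 lladdr 3c:97:0e:11:22:33 STALE
10.100.0.50 dev eth0 lladdr 00:1A:A1:0C:9F:01 REACHABLE
10.10.5.5 dev eth0 FAILED
"""

# Lines carrying extra flags (e.g. 'router', 'proxy') do not match and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>\S+))? (?P<state>\S+)$"
)


def parse_neigh(output: str) -> Dict[str, Optional[str]]:
    """Map IP -> lowercase MAC; None for entries that never resolved (FAILED/INCOMPLETE)."""
    table: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            table[m.group("ip")] = mac.lower() if mac else None
    return table


def classify_path(target: str, client_cidr: str, gateway_ip: str, neigh_output: str) -> str:
    """Decide whether the client's view of `target` is a routed path or a shared broadcast domain.

    client_cidr is the client's own address with its netmask (e.g. '10.10.3.40/21');
    a too-wide mask (the 'same IP network' case) makes far-away hosts look on-link.
    """
    net = ipaddress.ip_network(client_cidr, strict=False)
    tgt = ipaddress.ip_address(target)
    if tgt == ipaddress.ip_address(gateway_ip):
        return "is-gateway"
    if tgt not in net:
        # Off-link: the client hands the frame to the gateway MAC, i.e. to the switch SVI.
        return "routed-via-gateway"
    table = parse_neigh(neigh_output)
    mac = table.get(target)
    if mac is None:
        # On-link by the client's mask, but nobody answered ARP: the VLAN wall holds.
        return "on-link-unresolved"
    if mac == table.get(gateway_ip):
        # The gateway answered ARP on the server's behalf: proxy ARP on the SVI.
        return "proxy-arp"
    # A distinct MAC answered: client and target share one broadcast domain.
    return "same-broadcast-domain"
```

Only "same-broadcast-domain" means there is no wall at layer 2 at all (the ports end up in one VLAN, or the VLANs are bridged). "routed-via-gateway" and "proxy-arp" both mean the frames are handed to the 4507's own SVI, which is the multilayer-switch behaviour BernieM describes. On Windows the equivalent input is `arp -a`, whose format differs from the regex used here.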

Not quite. Your original post contained one question ... "can someone explain this to me?". Explain what to you?

You expressed concern that hosts in one VLAN can communicate with hosts in another. On a multilayer switch I would be concerned if they couldn't. This is a switch, not a firewall ... it doesn't default to 'closed'.

Out of the box once you have vlan interfaces defined with ip addresses and have enabled ip routing that's what it's going to do.

of course exclude sensitive information.

vlan separation does not make a secure network. How do you want frames to be filtered between vlans?

Reply to
BernieM

We never had anything like that kind of problem, not even for items that we were paying about $100 a year for support.

*Maybe* there is some lower bound if you want to be classed as an ISP but we received equal treatment for our expensive support contracts and our cheap support contracts.

Reply to
Walter Roberson

which means you are not following the "best practice" guide. The only thing that should live in the default VLAN is switch management - user traffic should use other VLANs.

the default VLAN may also end up untagged by default, so at another switch it may mutate to a different VLAN number unless "untagged" is mapped consistently in different configs.

the "best practice" docs - choose the one that matches your switch s/w (IOS or CatOS on the 4500, probably IOS unless you decided to make your own life even more difficult)

Reply to
stephen

it's an interesting question, but without specifics - we can't tell where you have a problem.... you should describe your settings or post them, along with how the switch is connected. As you know - if it's just the switch involved, with NO router anywhere - then it should not happen - But - if there is a router connection, then the VLANs could be talking across the router.

We are all here asking & answering questions, but we can't just make things up without knowing how your tinker toys are connected !

Reply to
P.Schuman

thus Walter Roberson spake:

we are no ISP. and we're not the only ones being treated like this by Cisco. as i said, that's why i avoid them, that's (one of the reasons) why they lose market share. OpenBGPd rocks :)

Reply to
Timo Schoeler

funnily enough, i spent hours of reading 'best practice' stuff recommended by Cisco's sales engineers in the metro.

(...)

perfectly true. no question. but was not mentioned in their bible. (as they take part in some holy infallibility one should have no gods besides their guides, hm? :)

it's already worst case. cisco switches and 'firewall'. to ignore all this, usually salary is being paid :D

forwarded to the guy responsible.

Reply to
Timo Schoeler

I tend to agree - but that seems to be true with any hardware vendor. Everything is just fine until after the sale. But, I can't believe you don't get any support in Berlin from Cisco? If you have their hardware, and a "support contract", then what's the deal - literally -


Reply to
P.Schuman

Here we are! do a "sh ip int brief". what do you see?

what do you get if you run "tracert " (replace the placeholder by the actual IP address) at your client PC?

a 2-hop list?

You already said it: you've configured your 4507 as a VLAN router. To build your mentioned walls you have to know the difference between this (taken from a 4507R config):

----snip-----
vlan 10
 name Clients

vlan 100
 name Server
----snip------

and this:

---snip---
interface Vlan10
 description Clients
 ip address x.x.x.x 255.255.255.0

interface Vlan100
 description Server
 ip address y.y.y.y 255.255.255.0
---snip---

means the difference between a layer-2 and a layer-3 construct

does it help?

Reply to
stephan
