VLAN Questions

In a previous job a few years ago I needed to create two isolated VLANs on a 2900 with no connectivity between them. One other port on the switch had to be a member of both VLANs. I used the switchport mode multi command to accomplish this design and did not configure any ports as trunk.

Now I need to do something equivalent on a 2950 but it appears that switchport mode multi is not supported (IOS 12.1). Do I have to configure a 2950 port as a trunk to accept packets from either VLAN? Is there another way to do this?

Is dot1q encapsulation pretty much always used these days instead of ISL just because it's a standard?

VLAN 1 on the 2950 has an IP address, which is how I reach the switch to manage it. Does VLAN 2 need one too? If so, why?

The switch port that will become a trunk is now connected to a 3745 router. Do I need to define two subinterfaces on this router each configured with dot1q encapsulation and an IP address for VLAN1 and VLAN2?

I don't want traffic to route between the two VLANs. I presume that since the two subinterfaces are directly connected to the router, it will automatically route between them. Right?

Is the best way to prevent this an access list?

ip access-list extended no_route
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

int f0/0
 ip access-group no_route in

Reply to
Bob Simon

Hi Bob,

You may wish to investigate the Cisco Catalyst 2950 Config Wizard.
Sincerely,

Brad Reese


Reply to
www.BradReese.Com

It's one easy way.

Yes.

No.

Yes.

Does VLAN 2 exist anywhere else? Do the hosts in VLAN 2 need to get out? If not, then don't trunk it to the 3750.

Reply to
BernieM

No.

Yes.

I thought of another possible solution. Can VLAN 2 be untagged? Or when I set up port 1 of the 2950 as a trunk, is there a way to NOT encapsulate in 802.1q? After all, I don't need the 3745 to recognize the "color" of the VLAN.

Reply to
Bob Simon

Configure it as the 'native vlan' to have it untagged ... "switchport trunk native vlan 2"

Another two ways: don't configure a VLAN 2 interface on the 3745, or don't configure a default gateway on the hosts in VLAN 2 and don't configure proxy ARP on the 3745.

The ACL solution is fine if you need to access VLAN 2 hosts across the network for management / administrative reasons, but if it's a truly isolated VLAN then there are a few options available.

BernieM

Reply to
BernieM
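Putting the thread's two pieces together (the ACL from the original question and BernieM's native-VLAN suggestion), the following is an added example configuration, not posted by anyone in the thread, showing one way the 2950 trunk and the 3745 subinterfaces can fit together. Everything not in the thread is assumed: Fa0/1 as the 2950 trunk port, Fa0/2-12 as the VLAN 2 access ports, the host addresses, and the ACL applied inbound on each router subinterface rather than on the physical Fa0/0.

```text
! --- Catalyst 2950 (added example; port layout and addresses are assumed) ---
vlan 2
 name isolated
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0     ! existing management address (assumed value)
!
interface range FastEthernet0/2 - 12
 switchport mode access
 switchport access vlan 2                  ! hosts that must stay isolated from VLAN 1
!
interface FastEthernet0/1
 switchport mode trunk                     ! 2950 trunks are 802.1Q only; no encapsulation command
 switchport trunk native vlan 2            ! VLAN 2 leaves the trunk untagged (BernieM's suggestion)
 switchport trunk allowed vlan 1,2         ! carry only the two VLANs in question
!
! --- 3745 router-on-a-stick (added example) ---
ip access-list extended no_route
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any                         ! both VLANs may still reach everything else
!
interface FastEthernet0/0
 no ip address                             ! addresses live on the subinterfaces
 no shutdown
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1                     ! VLAN 1 now arrives tagged, because VLAN 2 is native
 ip address 192.168.1.1 255.255.255.0
 ip access-group no_route in               ! blocks VLAN 1 -> VLAN 2 before routing happens
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2 native              ! must match the switch's native VLAN or untagged frames are dropped
 ip address 192.168.2.1 255.255.255.0
 ip access-group no_route in               ! blocks VLAN 2 -> VLAN 1 before routing happens
```

If the VLAN 2 hosts never need to reach anything beyond the switch, BernieM's alternative of leaving out the FastEthernet0/0.2 subinterface entirely removes the routing path and the ACL is not needed.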
