How to set up VLAN trunking to connect to an ISP

szhang3@gmail.com
02-27-2007
Hi, All,
I have a very basic and small scenario on VLAN and trunking technology
that will be applied on our network. After searching on the Internet
for a while I couldn't get a clear specification anywhere to answer my
questions. If you could help me out I would really appreciate it.

We have a network containing three distinct geographical locations that
are connected to each other by T1 lines (like a triangle). From one of
the locations (the headquarters location) we use a subscribed ADSL line to
connect to the Internet. The three sites each use a Cisco 2610 router to do
internal routing. The IP range is 192.168.x.x/24. The headquarters uses
a Cisco 506E PIX to do NAT, VPN and access list control.

At present, we are upgrading bandwidth by replacing T1 with fiber
optics. After the upgrade, the three sites will be linked to the ISP
via fiber lines directly. The ISP will create VLANs for us instead of
using subnets to segment the network. The configuration the ISP
provided us is:

Public VLAN -101 (native VLAN)
Private VLAN- 102

The ISP already created the two VLANs and VLAN trunking on their
switch and asked us to follow up on our switch in the HQ site. Since
the VLAN knowledge is absolutely new for me, I'd like to ask several
pretty detailed questions over here and cordially hope you could help
me out:

1. Since VLAN 101 is the public VLAN, does it mean VLAN 102 is the only VLAN
that our network devices should be put in? If it's the ONLY VLAN,
since it contains more than 600 hosts, I will use a class B IP range,
i.e., 172.16.x.x/22 instead of 192.168.x.x/24. All devices within the
same subnet don't need to be routed to communicate with each other. Is my
understanding correct?
2. Since there is only one VLAN inside, inter-VLAN routing and router-on-a-stick
are of no use. Can we abandon routers and only use switches and the PIX for
traffic control?
3. We are considering buying a new switch to be the core switch doing
VLAN and trunking. The ISP engineer said it really doesn't matter whether the
switch on our side is layer 2 or layer 3. But if it's a layer 2 switch,
how can we assign the IP address to the VLAN 102 port? Is a router
which supports VLAN trunking still needed in this case?
4. On the core switch, how many ports should be in the 802.1Q trunk?
Can I only set it up on the native VLAN 101 port? How should I assign
all the other ports on the switch then? Make them all ports for
VLAN 102? Physically this switch's ports will connect network devices in
the specific location and the fiber link box. (Sorry for my naïve
question; I'm having difficulty understanding logical
interfaces and physical interfaces in my attempt at setting up VLANs.
I found it difficult to find clear docs and examples on the Internet
as well.)
5. Should the PIX play any role in the VLAN configuration? Or should I just
leave its settings intact?

Thank you all for your assistance! Any post or link will be greatly
appreciated.

szhang3@gmail.com
02-28-2007
Can anybody provide hint on any one of the issues?
Many thanks!

briggs@encompasserve.org
02-28-2007
In article <(E-Mail Removed). com>, "(E-Mail Removed)" <(E-Mail Removed)> writes:
> Hi, All,
> I have a very basic and small scenario on VLAN and trunking technology
> that will be applied on our network. After searching on the Internet
> for a while I couldn't get a clear specification anywhere to answer my
> questions. If you could help me out I would really appreciate it.
>
> We have a network containing three distinct geographical locations that
> are connected to each other by T1 lines (like a triangle). From one of
> the locations (the headquarters location) we use a subscribed ADSL line to
> connect to the Internet. The three sites each use a Cisco 2610 router to do
> internal routing. The IP range is 192.168.x.x/24. The headquarters uses
> a Cisco 506E PIX to do NAT, VPN and access list control.


What does the PIX do for you? Does it merely control access and
provide VPN connectivity across your Internet connection? Is it,
therefore, totally irrelevant to this discussion about your
LAN connectivity?

> At present, we are upgrading bandwidth by replacing T1 with fiber
> optics. After the upgrade, the three sites will be linked to the ISP
> via fiber lines directly. The ISP will create VLANs for us instead of
> using subnets to segment the network. The configuration the ISP
> provided us is:


What bandwidth are you getting?
What distances are we talking about?

> Public VLAN -101 (native VLAN)
> Private VLAN- 102


What do you envision using the "Public" VLAN for?
What do you envision using the "Private" VLAN for?
How do you think that this segments your network?

> The ISP already created the two VLANs and VLAN trunking on their
> switch and asked us to follow up on our switch in the HQ site. Since
> the VLAN knowledge is absolutely new for me, I'd like to ask several
> pretty detailed questions over here and cordially hope you could help
> me out:


This sounds like pretty ad hoc setup on the carrier's part. Not the
kind of thing I'd feel very comfortable with. One wonders whether they
can defeat a VLAN hopping attack.

> 1. Since VLAN101 is public VLAN, does it mean VLAN 102 is the only VLAN
> that our network devices should be put in?


It's a VLAN. One VLAN is pretty much like the next. The word "public"
doesn't mean anything to me. The word "native" does mean something.

You get a [very minor] performance improvement using the native
VLAN. Frames transmitted in the native VLAN are sent without the overhead
of a dot1q tag.

> since it contains more than 600 hosts, I will use a class B IP range,
> i.e., 172.16.x.x/22 instead of 192.168.x.x/24. All devices within the
> same subnet don't need to be routed to communicate with each other. Is my
> understanding correct?


Yes. If you put all the devices on all three sites on one VLAN and
assign them IP addresses in a single IP subnet then you don't need any
routers to get traffic from one site to the next.

But why do you have two VLANs then?

> 2. Since there is only one VLAN inside, inter-VLAN routing and router-on-a-stick
> are of no use. Can we abandon routers and only use switches and the PIX for
> traffic control?


Switches aren't going to be very good for traffic control. The PIX
can't do traffic control at all on your LAN. The PIX controls your
Internet traffic (I assume).

> 3. We are considering buying a new switch to be the core switch doing
> VLAN and trunking.


Why? What will VLANs and trunking do for you when you have only one VLAN?

What does it mean to have a "core switch" when your other switches don't
even connect to it?

You can't do trunking without two switches. One at each end of the trunk.
You can't make much use of VLANs when all you have is one IP
subnet.

You might plausibly get away with a scenario in which a core layer 3
switch routes between three separate VLANs and uses a trunk port
to carry two of them to your remote sites over the carrier's network.

You'd still be carrying broadcast frames across the carrier's network,
but at least the broadcast domains for the three sites wouldn't overlap.

! Core layer 3 switch
interface gig1/1
description to carrier
switchport trunk encap dot1q
switchport trunk native vlan 101
switchport trunk allowed vlan 101,102
switchport mode trunk

interface gig2/1
description template port to local LAN
switchport access vlan 100
switchport mode access
spanning-tree portfast

interface vlan 100
description layer 3 interface to site local LAN
ip address 192.168.1.1 255.255.255.0

interface vlan 101
description layer 3 interface to site A LAN
ip address 192.168.2.1 255.255.255.0

interface vlan 102
description layer 3 interface to site B LAN
ip address 192.168.3.1 255.255.255.0

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.100 ! The PIX


! Layer 2 switch at site A
interface Gigabit0/1
description to carrier
switchport trunk encap dot1q
switchport trunk native vlan 101
switchport trunk allowed vlan 101
switchport mode trunk

interface FastEthernet0/1
description template user port
switchport access vlan 101
switchport mode access
spanning-tree portfast

interface VLAN 1
shutdown

interface VLAN 101
description switch management interface
ip address 192.168.2.2 255.255.255.0

no ip routing
ip default-gateway 192.168.2.1

! Layer 2 switch at site B
interface Gigabit0/1
description to carrier
switchport trunk encap dot1q
switchport trunk native vlan 101
switchport trunk allowed vlan 102
switchport mode trunk

interface FastEthernet0/1
description template user port
switchport access vlan 102
switchport mode access
spanning-tree portfast

interface VLAN 1
shutdown

interface VLAN 102
description switch management interface
ip address 192.168.3.2 255.255.255.0

no ip routing
ip default-gateway 192.168.3.1

> The ISP engineer said it really doesn't matter whether the
> switch on our side is layer 2 or layer 3. But if it's a layer 2 switch,
> how can we assign the IP address to the VLAN 102 port? Is a router
> which supports VLAN trunking still needed in this case?


On a Cisco router, the syntax for a dot1q trunk is:

interface fastethernet 0/0
description main interface/native vlan
ip address 192.168.2.1 255.255.255.0

interface fastethernet 0/0.102
! Making sub-interface number match VLAN is not necessary, but is pretty
description vlan 102 sub-interface
encapsulation dot1q 102
ip address 192.168.3.1 255.255.255.0

> 4. On the core switch, how many ports should be in the 802.1Q trunk?


The port where you plug in the fiber from the carrier. One port.

> Can I only set it up on the native VLAN101 port?


What VLAN101 port? What were you planning to use VLAN101 for?

> How should I assign
> all the other ports on the switch then? Make them all ports for
> VLAN 102?


Yes.

> Physically this switch's ports will connect network devices in
> the specific location and the fiber link box. (Sorry for my naïve
> question; I'm having difficulty understanding logical
> interfaces and physical interfaces in my attempt at setting up VLANs.
> I found it difficult to find clear docs and examples on the Internet
> as well.)


> 5. Should the PIX play any role in the VLAN configuration? Or should I just
> leave its settings intact?


You're changing all your LAN IPs. If the PIX has a LAN IP, that IP
address needs to change. And all its rules need to change. Oh me, oh my.

Why do that to yourself? Why aren't you using routers and leaving your
IP addressing alone? Either a router-on-a-stick or a real router can
do the job. One at each site to route from the carrier's VLAN102
to the site's VLAN 11, 12 and 13 (for example). That's how I'd do it.

But if you want to go low-end and use a single layer 3 device at
the hub site and not allow point-to-point traffic to short-cut past
the hub, use the configuration I supplied above and go that way
instead.

Doug McIntyre
02-28-2007
"(E-Mail Removed)" <(E-Mail Removed)> writes:
>Can anybody provide hint on any one of the issues?
>Many thanks!


If your ISP can't help you with the handoff..




szhang3@gmail.com
02-28-2007
Hi, Bri... I want to thank you for your patience and your detailed
replies on my questions on two lines these days. You are so
knowledgeable on the VLAN technology. I'd like to get back to your
questions on your post and hopefully I could get your further guidance
on the configuration.

> What does the PIX do for you? Does it merely control access and
> provide VPN connectivity across your Internet connection? Is it,
> therefore, totally irrelevant to this discussion about your
> LAN connectivity?


Yes, the PIX is irrelevant to the internal connectivity and only for
the Internet traffic. We currently use three Cisco 2610XM routers to
handle internal routing.

> > Public VLAN -101 (native VLAN)
> > Private VLAN- 102

>
> What do you envision using the "Public" VLAN for?
> What do you envision using the "Private" VLAN for?
> How do you think that this segments your network?


This is what the carrier's engineer literally said to me, but it is what I've
been confused about. My understanding is that the ISP plans to build a
dot1q trunk link between their switch and our switch. They've assigned
VLAN 101 (as native VLAN) and VLAN 102 for us on their switch and
require us to keep the matching VLAN IDs on our switch. I don't know
what their meaning of "public VLAN" is. Perhaps it represents a native
VLAN from an ISP view, which means that frames belonging to the native
VLAN are not encapsulated with tags, thus all untagged frames can always be
sent and received across their and our network. (?)

> > The ISP already created the two VLANs and VLAN trunking on their
> > switch and asked us to follow up on our switch in the HQ site. Since
> > the VLAN knowledge is absolutely new for me, I'd like to ask several
> > pretty detailed questions over here and cordially hope you could help
> > me out:

>
> This sounds like pretty ad hoc setup on the carrier's part. Not the
> kind of thing I'd feel very comfortable with. One wonders whether they
> can defeat a VLAN hopping attack.


Based on Cisco publications I'm concerned about VLAN security too. The
disadvantages of one broadcast domain under a VLAN seem to outweigh the
advantage of the fiber upgrade of the network...

> But why do you have two VLANs then?


The ISP assigned VLAN101(native VLAN) and VLAN102 for us in advance.


> > 3. We are considering buying a new switch to be the core switch doing
> > VLAN and trunking.

>
> Why? What will VLANs and trunking do for you when you have only one VLAN?
>
> What does it mean to have a "core switch" when your other switches don't
> even connect to it?
>
> You can't do trunking without two switches. One at each end of the trunk.
> You can't make much use of VLANs when all you have is one IP
> subnet.


The trunk line will be set up between the carrier's switch and a switch
in our HQ in this scenario. If I design for more than one VLAN
rather than only VLAN 102 (i.e., each location has one VLAN), I think each
location needs a switch to set up dot1q trunking to the carrier's
switch individually.

> You might plausibly get away with a scenario in which a core layer 3
> switch routes between three separate VLANs and uses a trunk port
> to carry two of them to your remote sites over the carrier's network.
>
> You'd still be carrying broadcast frames across the carrier's network,
> but at least the broadcast domains for the three sites wouldn't overlap.
>
> ! Core layer 3 switch
> interface gig1/1
> description to carrier
> switchport trunk encap dot1q
> switchport trunk native vlan 101
> switchport trunk allowed vlan 101,102
> switchport mode trunk
>
> interface gig2/1
> description template port to local LAN
> switchport access vlan 100
> switchport mode access
> spanning-tree portfast
>
> interface vlan 100
> description layer 3 interface to site local LAN
> ip address 192.168.1.1 255.255.255.0
>
> interface vlan 101
> description layer 3 interface to site A LAN
> ip address 192.168.2.1 255.255.255.0
>
> interface vlan 102
> description layer 3 interface to site B LAN
> ip address 192.168.3.1 255.255.255.0
>
> ip routing
> ip route 0.0.0.0 0.0.0.0 192.168.1.100 ! The PIX
>
> ! Layer 2 switch at site A
> interface Gigabit0/1
> description to carrier
> switchport trunk encap dot1q
> switchport trunk native vlan 101
> switchport trunk allowed vlan 101
> switchport mode trunk
>
> interface FastEthernet0/1
> description template user port
> switchport access vlan 101
> switchport mode access
> spanning-tree portfast
>
> interface VLAN 1
> shutdown
>
> interface VLAN 101
> description switch management interface
> ip address 192.168.2.2 255.255.255.0
>
> no ip routing
> ip default-gateway 192.168.2.1
>
> ! Layer 2 switch at site B
> interface Gigabit0/1
> description to carrier
> switchport trunk encap dot1q
> switchport trunk native vlan 101
> switchport trunk allowed vlan 102
> switchport mode trunk
>
> interface FastEthernet0/1
> description template user port
> switchport access vlan 102
> switchport mode access
> spanning-tree portfast
>
> interface VLAN 1
> shutdown
>
> interface VLAN 102
> description switch management interface
> ip address 192.168.3.2 255.255.255.0
>
> no ip routing
> ip default-gateway 192.168.3.1


In your configuration above, the layer 3 switch has been configured with
three VLANs for three distinct locations. You assigned VLAN 100 for the
HQ site, VLAN 101 for site A and VLAN 102 for site B. At the same
time, VLAN 101 is still used as the native VLAN. This makes me a bit
confused - could the native VLAN (for untagged frames) be the same as a
VLAN for tagged frames? Is it a typo or did you do it on purpose?
I can understand your design of using a router in each of the
locations. "One at each site to route from the carrier's VLAN102 to the
site's VLAN 11, 12 and 13 (for example)." In this example, VLAN 11,
12, 13 make sense to me.

Thank you very much for your feedback!



briggs@encompasserve.org
03-01-2007
In article <(E-Mail Removed). com>, "(E-Mail Removed)" <(E-Mail Removed)> writes:
> Hi, Bri... I want to thank you for your patience and your detailed

[...]
>>
>> ! Core layer 3 switch
>> interface gig1/1
>> description to carrier
>> switchport trunk encap dot1q
>> switchport trunk native vlan 101
>> switchport trunk allowed vlan 101,102
>> switchport mode trunk
>>
>> interface gig2/1
>> description template port to local LAN
>> switchport access vlan 100
>> switchport mode access
>> spanning-tree portfast
>>
>> interface vlan 100
>> description layer 3 interface to site local LAN
>> ip address 192.168.1.1 255.255.255.0
>>
>> interface vlan 101
>> description layer 3 interface to site A LAN
>> ip address 192.168.2.1 255.255.255.0
>>
>> interface vlan 102
>> description layer 3 interface to site B LAN
>> ip address 192.168.3.1 255.255.255.0
>>
>> ip routing
>> ip route 0.0.0.0 0.0.0.0 192.168.1.100 ! The PIX

[snip most of configuration]
>
> In your configuration above, the layer 3 switch has been configured with
> three VLANs for three distinct locations. You assigned VLAN 100 for the
> HQ site, VLAN 101 for site A and VLAN 102 for site B.


Yes.

> At the same
> time, VLAN101 is still used as the native VLAN.


Yes. The native VLAN isn't all that special. Tagged or not, for almost
all practical purposes it's just another VLAN on the wire.

[It lacks one feature that a tagged VLAN has -- the ability to
support [nested] VLAN tags on the frames that it carries]

> This makes me a bit
> confused - could the native VLAN (for untagged frames) be the same as a
> VLAN for tagged frames?


On Cisco switches, if you specify that VLAN 101 is the native VLAN
on a trunk port then the switch will not use VLAN 101 tags on frames
transmitted on that port. It will transmit VLAN 101 frames untagged.

The receiving end puts the untagged frames into its trunk port's native
VLAN which will, barring configuration inconsistencies, be VLAN 101.

Again, there's nothing very special about the native VLAN from a practical
standpoint.

> Is it a typo or you did it on purpose?


It's on purpose. I'm assuming a fully meshed virtual LAN presented on
both VLAN 101 and VLAN 102. As below, this assumption may be faulty.

On the alternate assumption that the carrier is providing you with
virtual hand-offs for two point-to-point links, the configuration also
works at the core site, but may need tweaking at the satellite locations.

> I can understand your design of using a router in each of the
> locations. "One at each site to route from the carrier's VLAN102 to the
> site's VLAN 11, 12 and 13 (for example)." In this example, VLAN 11,
> 12, 13 make sense to me.


One question that I haven't asked and that I haven't seen you volunteer
an answer for...

Is the carrier handing you a fully meshed virtual LAN (as I had been
assuming)?

Or are they handing you two (or three) point to point links with
VLAN 101 pointing to site A and VLAN 102 pointing to site B?

The fact that you say the carrier pre-configured things with two VLANs
leads me to suspect the latter. They could be multiplexing two point to
point links over one physical hand-off to the core site.
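As an added illustration (not part of the thread), here is the tagging behaviour briggs describes modelled in Python: the sending trunk leaves native-VLAN frames untagged, and the receiving trunk drops every untagged frame into its own native VLAN, so a native-VLAN mismatch between the carrier's port and the HQ switch silently moves VLAN 101 traffic into whatever the HQ side calls native. The MAC addresses, payloads and the misconfigured HQ port are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
# Constructed sample MAC addresses (not from the thread).
MAC_A = bytes.fromhex("021122334455")
MAC_B = bytes.fromhex("02aabbccddee")


@dataclass(frozen=True)
class TrunkPort:
    """One end of a dot1q trunk: its native VLAN and its allowed VLAN list."""
    native_vlan: int
    allowed_vlans: frozenset

    def transmit(self, vlan: int, dst: bytes, src: bytes,
                 ethertype: int, payload: bytes) -> Optional[bytes]:
        """Build the frame as it leaves the trunk, or None if `vlan` is not allowed."""
        if vlan not in self.allowed_vlans:
            return None
        if vlan == self.native_vlan:
            # Native VLAN frames go out untagged: no 4-byte tag (the small
            # saving briggs mentions), but also no VLAN id on the wire.
            return dst + src + struct.pack("!H", ethertype) + payload
        tci = vlan & 0x0FFF  # PCP=0, DEI=0, 12-bit VID
        return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

    def receive(self, frame: bytes) -> Optional[tuple]:
        """Classify an inbound frame into (vlan, ethertype, payload); None if filtered."""
        outer = struct.unpack("!H", frame[12:14])[0]
        if outer == TPID_8021Q:
            vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
            ethertype = struct.unpack("!H", frame[16:18])[0]
            payload = frame[18:]
        else:
            # Untagged frame on a trunk: the receiver assigns it to ITS OWN
            # native VLAN, whatever VLAN the sender believed it was in.
            vlan, ethertype, payload = self.native_vlan, outer, frame[14:]
        if vlan not in self.allowed_vlans:
            return None
        return vlan, ethertype, payload


def carry(tx: TrunkPort, rx: TrunkPort, vlan: int, payload: bytes) -> Optional[int]:
    """Send `payload` in `vlan` across the trunk; return the VLAN rx classified it into."""
    frame = tx.transmit(vlan, MAC_B, MAC_A, ETHERTYPE_IPV4, payload)
    if frame is None:
        return None
    result = rx.receive(frame)
    return None if result is None else result[0]


def trunk_mismatches(a: TrunkPort, b: TrunkPort) -> list:
    """Config check to run against both trunk ends before trusting the link."""
    issues = []
    if a.native_vlan != b.native_vlan:
        issues.append(f"native VLAN mismatch: {a.native_vlan} vs {b.native_vlan}")
    if a.allowed_vlans != b.allowed_vlans:
        issues.append("allowed VLAN lists differ: "
                      f"{sorted(a.allowed_vlans)} vs {sorted(b.allowed_vlans)}")
    return issues
```

With the carrier port at native 101 / allowed 101,102 and an HQ port left at the default native VLAN 1, `carry` returns 1 for traffic the carrier sent as VLAN 101, and `trunk_mismatches` reports the discrepancy before any host notices.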

szhang3@gmail.com
03-02-2007
> One question that I haven't asked and that I haven't seen you volunteer
> an answer for...
>
> Is the carrier handing you a fully meshed virtual LAN (as I had been
> assuming)?
>
> Or are they handing you two (or three) point to point links with
> VLAN 101 pointing to site A and VLAN 102 pointing to site B?
>
> The fact that you say the carrier pre-configured things with two VLANs
> leads me to suspect the latter. They could be multiplexing two point to
> point links over one physical hand-off to the core site.


I double checked with our ISP... The three locations will be linked to
the ISP via fiber optics separately, which means there will be three
point-to-point links instead of a fully meshed link. Meanwhile, only
two VLANs were assigned to our network by the ISP, one "public" VLAN
101 and one "private" VLAN 102. It's not like what you assumed, VLAN 101
pointing to site A and VLAN 102 pointing to site B, since we have
three distinct locations.

Thank you very much for your continous assistance.
Shu