Catalyst 2950 & multi-VLAN ports (newbie question)

Discussion in 'Cisco' started by mark@no.spam, Jun 7, 2004.

  1. Guest

    Hi,

    I have a network configuration as follows:

    (A) DSL service coming in from a Westell 2200 DSL modem with integrated NAT
    firewall / router. Unfortunately it only has a single Ethernet port.

    (B) Secure office PC's

    (C) Publicly accessible computer lab PC's.

    I would like to set up each of the above on separate VLAN's, so that (A) can be
    seen by both (B) and (C), but (C) cannot see (B) and vice versa.

    I am considering the purchase of a 2950 24-port switch.

    However, I'm under the impression that a port can belong to only 1 VLAN, unless
    I turn on trunking. Correct? I'm not sure what the implications of trunking are
    - I'm a newbie.

    Is there a simple way to do what I want to do on a 2950?

    Thanks
    , Jun 7, 2004
    #1

  2. On Mon, 07 Jun 2004 11:46:49 GMT, wrote:

    >I have a network configuration as follows:
    >
    >(A) DSL service coming in from a Westell 2200 DSL modem with integrated NAT
    >firewall / router. Unfortunately it only has a single Ethernet port.
    >
    >(B) Secure office PC's
    >
    >(C) Publicly accessible computer lab PC's.
    >
    >I would like to set up each of the above on separate VLAN's, so that (A) can be
    >seen by both (B) and (C), but (C) cannot see (B) and vice versa.
    >
    >I am considering the purchase of a 2950 24-port switch.
    >
    >However, I'm under the impression that a port can belong to only 1 VLAN, unless
    >I turn on trunking. Correct? I'm not sure what the implications of trunking are
    >- I'm a newbie.
    >
    >Is there a simple way to do what I want to do on a 2950?


    The Protected Port feature is a possibility
    (http://www.cisco.com/en/US/products...guide_chapter09186a0080212a9f.html#wp1158863),
    though this will prevent B hosts from talking to each other and C
    hosts from talking to each other -- but they could all talk to A. If
    this is acceptable, you'd make all the B and C ports protected and
    leave the A port unprotected.

    Other than that I can't think of a good way to do this with a 2950
    unless the DSL modem supports trunking.

    -Terry
    Terry Baranski, Jun 7, 2004
    #2
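
The protected-port setup described in the reply above, as an added example that is not part of the original post. The port numbering (Fa0/1 for the DSL modem, Fa0/2-24 for the B and C hosts) is an assumption.

```cisco
! Added example, Catalyst 2950. Port numbering is an assumption:
!   Fa0/1    = Westell DSL modem (A), left unprotected
!   Fa0/2-24 = office (B) and lab (C) hosts, all protected
!
configure terminal
!
interface FastEthernet0/1
 description Uplink to DSL modem (A) - unprotected
 switchport mode access
!
interface range FastEthernet0/2 - 24
 description B and C hosts - protected
 switchport mode access
 ! A protected port does not forward traffic to any other
 ! protected port on this switch, only to unprotected ports.
 switchport protected
!
end
!
! Verify: a host port should report "Protected: true",
! the modem port "Protected: false".
show interfaces FastEthernet0/2 switchport
show interfaces FastEthernet0/1 switchport
```

Protected ports are enforced only within a single switch, so hosts on a second switch attached to this one are not isolated by this configuration.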

  3. Guest

    Hi,

    Thanks for your reply.

    I am really surprised that the 2950 can't do multi-VLAN ports without trunking.
    I was just reading the description for the Netgear FS526T
    (http://www.netgear.com/products/prod_details.php?prodID=216), and making a port
    a member of more than one VLAN is a piece of cake.

    Unfortunately, the Westell 2200 doesn't support trunking, and the ports within
    VLANs (B) and (C) do need to talk to their peers.

    Given that the 2950 can't do this easily, you'd have to move up the line to the
    router, and tell the router that DSL port (A) can talk to the port connected to
    VLANs (B) and (C), but (B) can't talk to (C) and vice versa... right?

    I'm not that familiar with Cisco equipment. What would be the lowest end Cisco
    router that can do this?

    Thanks again...


    Terry Baranski <0VE.com> wrote:

    >On Mon, 07 Jun 2004 11:46:49 GMT, wrote:
    >
    >>I have a network configuration as follows:
    >>
    >>(A) DSL service coming in from a Westell 2200 DSL modem with integrated NAT
    >>firewall / router. Unfortunately it only has a single Ethernet port.
    >>
    >>(B) Secure office PC's
    >>
    >>(C) Publicly accessible computer lab PC's.
    >>
    >>I would like to set up each of the above on separate VLAN's, so that (A) can be
    >>seen by both (B) and (C), but (C) cannot see (B) and vice versa.
    >>
    >>I am considering the purchase of a 2950 24-port switch.
    >>
    >>However, I'm under the impression that a port can belong to only 1 VLAN, unless
    >>I turn on trunking. Correct? I'm not sure what the implications of trunking are
    >>- I'm a newbie.
    >>
    >>Is there a simple way to do what I want to do on a 2950?

    >
    >The Protected Port feature is a possibility
    >(http://www.cisco.com/en/US/products...guide_chapter09186a0080212a9f.html#wp1158863),
    >though this will prevent B hosts from talking to each other and C
    >hosts from talking to each other -- but they could all talk to A. If
    >this is acceptable, you'd make all the B and C ports protected and
    >leave the A port unprotected.
    >
    >Other than that I can't think of a good way to do this with a 2950
    >unless the DSL modem supports trunking.
    >
    >-Terry
    , Jun 8, 2004
    #3
  4. On Tue, 08 Jun 2004 10:17:58 GMT, wrote:

    >Hi,
    >
    >Thanks for your reply.
    >
    >I am really surprised that the 2950 can't do multi-VLAN ports without trunking.


    Older Cisco switches can do this -- I'm also confused as to why this
    functionality was done away with.

    >Unfortunately, the Westell 2200 doesn't support trunking, and the ports within
    >VLANs (B) and (C) do need to talk to their peers.
    >
    >Given that the 2950 can't do this easily, you'd have to move up the line to the
    >router, and tell the router that DSL port (A) can talk to the port connected to
    >VLANs (B) and (C), but (B) can't talk to (C) and vice versa... right?


    This is an option. The router would have ACLs in place to prevent B
    and C from talking to each other.

    >I'm not that familiar with Cisco equipment. What would be the lowest end Cisco
    >router that can do this?


    2600 series routers with 100Mbit interfaces can do trunking, and the
    10Mbit ones may be able to do it as well with recent IOS versions.
    Certain 1700 series routers may also support trunking, but I've never
    used them so I don't know. An issue to concern yourself with for this
    type of router-on-a-stick scenario is inter-vlan bandwidth
    requirements -- the router can potentially end up being a bottleneck.

    A better solution for your situation may be a layer-3 switch such as
    the 3550. You can create three VLANs (A, B, and C), and use ACLs to
    restrict traffic flowing between them as necessary. The benefits here
    are simplicity (one device instead of two), bandwidth (no router
    bottleneck), and potentially cost (depends).

    -Terry
    Terry Baranski, Jun 9, 2004
    #4