How to set up VLAN trunking to connect to an ISP

Discussion in 'Cisco' started by szhang3@gmail.com, Feb 27, 2007.

  1. Guest

    Hi, All,
    I have a very basic and small scenario on VLAN and trunking technology
    that will be applied on our network. After searching on the Internet
    for a while I couldn't get a clear specification anywhere to answer my
    questions. If you could help me out I will really, really appreciate
    it.

    We have a network containing three distinct geographical locations that
    are connected to each other by T1 lines (like a triangle). From one of
    the locations (the headquarters location) we use subscribed ADSL to connect
    to the Internet. The three sites each use a Cisco 2610 router to do
    internal routing. The IP range is 192.168.x.x/24. The headquarters uses
    a Cisco 506E PIX to do NAT, VPN and access list control.

    At present, we are upgrading bandwidth by replacing T1 with fiber
    optics. After the upgrade, the three sites will be linked to the ISP
    via fiber lines directly. The ISP will create VLANs for us instead of
    using subnets to segment the network. The configuration the ISP
    provided us is:

    Public VLAN -101 (native VLAN)
    Private VLAN- 102

    The ISP already created the two VLANs and VLAN trunking on their
    switch and asked us to follow up on our switch in the HQ site. Since
    the VLAN knowledge is absolutely new for me, I'd like to ask several
    pretty detailed questions over here and cordially hope you could help
    me out:

    1. Since VLAN101 is the public VLAN, does it mean VLAN 102 is the only VLAN
    that our network devices should be put in? If it's the ONLY VLAN,
    since it contains more than 600 hosts, I will use a class B IP range,
    i.e., 172.16.x.x/22 instead of 192.168.x.x/24. All devices within the
    same subnet don't need to be routed to communicate with each other. Is my
    understanding correct?
    2. Since there is only one VLAN inside, inter-VLAN routing and router-on-a-stick
    have no use. Can we abandon routers and only use switches and the PIX for
    traffic control?
    3. We are considering buying a new switch to be the core switch doing
    VLAN and trunking. The ISP engineer said it really doesn't matter whether the
    switch on our side is layer 2 or layer 3. But if it's a layer 2 switch,
    how can we assign the IP address to the VLAN 102 port? Is a router
    which supports VLAN trunking still needed in this case?
    4. On the core switch, how many ports should be in the 802.1Q trunk?
    Can I only set it up on the native VLAN101 port? How should I assign
    all the other ports on the switch then? Make them all ports for
    VLAN102? Physically this switch's ports will connect network devices in
    the specific location and the fiber link box. (Sorry for my naïve
    question, because I'm having difficulty understanding logical
    interfaces and physical interfaces in my attempt at setting up VLANs.
    I have had difficulty finding clear docs and examples on the Internet
    too.)
    5. Should the PIX play any role in the VLAN configuration? Or should I just
    leave its settings intact?

    Thank you all for your assistance! Any post or link will be greatly
    appreciated.
     
    , Feb 27, 2007
    #1

  2. Guest

    Can anybody provide hint on any one of the issues?
    Many thanks!
     
    , Feb 28, 2007
    #2

  3. Guest

    In article <>, "" <> writes:
    > Hi, All,
    > I have a very basic and small scenario on VLAN and trunking technology
    > that will be applied on our network. After searching on the Internet
    > for a while I couldn't get clear specification anywhere to answer my
    > questions. If you could help me out I will be really really appreciate
    > it.
    >
    > We have a network contains three distinct geographical locations that
    > are connected each other by T1 lines (like a triangle). From one of
    > the locations (Headquarter location) we use subscribed ADSL to connect
    > to the Internet. The three sites each uses a Cisco 2610 router to do
    > internal routing. The IP range is 192.168.x.x/24. The headquarter uses
    > a Cisco 506E Pix to do NAT, VPN and access list control.


    What does the PIX do for you? Does it merely control access and
    provide VPN connectivity across your Internet connection? Is it,
    therefore, totally irrelevant to this discussion about your
    LAN connectivity?

    > At present, we are upgrading bandwidth by replacing T1 with fiber
    > optics. After the upgrade, the three sites will be linked to the ISP
    > via fiber lines directly. The ISP will create VLANs for us instead of
    > using subnets to segment the network. The configuration the ISP
    > provided us is:


    What bandwidth are you getting?
    What distances are we talking about?

    > Public VLAN -101 (native VLAN)
    > Private VLAN- 102


    What do you envision using the "Public" VLAN for?
    What do you envision using the "Private" VLAN for?
    How do you think that this segments your network?

    > The ISP already created the two VLANs and VLAN trunking on their
    > switch and asked us to follow up on our switch in the HQ site. Since
    > the VLAN knowledge is absolutely new for me, I'd like to ask several
    > pretty detailed questions over here and cordially hope you could help
    > me out:


    This sounds like a pretty ad hoc setup on the carrier's part. Not the
    kind of thing I'd feel very comfortable with. One wonders whether they
    can defeat a VLAN hopping attack.

    > 1. Since VLAN101 is public VLAN, does it mean VLAN 102 is the only VLAN
    > that our network devices should be put in?


    It's a VLAN. One VLAN is pretty much like the next. The word "public"
    doesn't mean anything to me. The word "native" does mean something.

    You get a [very minor] performance improvement using the native
    VLAN. Frames transmitted in the native VLAN are sent without the overhead
    of a dot1q tag.

    > since it contains more than 600 hosts, I will use a class B IP range,
    > i.e., 172.16.x.x/22 instead of 192.168.x.x/24. All devices within the
    > same subnet don't need be routed to communicate each other. Is my
    > understanding correct?


    Yes. If you put all the devices on all three sites on one VLAN and
    assign them IP addresses in a single IP subnet then you don't need any
    routers to get traffic from one site to the next.

    But why do you have two VLANs then?

    > 2. Since only one VLAN inside, inter-VLAN routing and router-on-a-stick
    > have no use. Can we abandon routers and only use switches and PIX for
    > traffic control?


    Switches aren't going to be very good for traffic control. The PIX
    can't do traffic control at all on your LAN. The PIX controls your
    Internet traffic (I assume).

    > 3. We are considering buying a new switch to be the core switch doing
    > VLAN and trunking.


    Why? What will VLANs and trunking do for you when you have only one VLAN?

    What does it mean to have a "core switch" when your other switches don't
    even connect to it?

    You can't do trunking without two switches. One at each end of the trunk.
    You can't make much use of VLANs when all you have is one IP
    subnet.

    You might plausibly get away with a scenario in which a core layer 3
    switch routes between three separate VLANs and uses a trunk port
    to carry two of them to your remote sites over the carrier's network.

    You'd still be carrying broadcast frames across the carrier's network,
    but at least the broadcast domains for the three sites wouldn't overlap.

    ! Core layer 3 switch
    ! Create the VLANs before the SVIs can come up
    vlan 100,101,102
    !
    interface gig1/1
     description to carrier
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 101
     switchport trunk allowed vlan 101,102
     switchport mode trunk

    interface gig2/1
     description template port to local LAN
     switchport access vlan 100
     switchport mode access
     spanning-tree portfast

    interface vlan 100
     description layer 3 interface to site local LAN
     ip address 192.168.1.1 255.255.255.0

    interface vlan 101
     description layer 3 interface to site A LAN
     ip address 192.168.2.1 255.255.255.0

    interface vlan 102
     description layer 3 interface to site B LAN
     ip address 192.168.3.1 255.255.255.0

    ip routing
    ! Default route points at the PIX
    ip route 0.0.0.0 0.0.0.0 192.168.1.100


    ! Layer 2 switch at site A
    vlan 101
    !
    interface Gigabit0/1
     description to carrier
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 101
     switchport trunk allowed vlan 101
     switchport mode trunk

    interface FastEthernet0/1
     description template user port
     switchport access vlan 101
     switchport mode access
     spanning-tree portfast

    interface VLAN 1
     shutdown

    interface VLAN 101
     description switch management interface
     ip address 192.168.2.2 255.255.255.0

    no ip routing
    ip default-gateway 192.168.2.1

    ! Layer 2 switch at site B
    vlan 102
    !
    interface Gigabit0/1
     description to carrier
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 101
     switchport trunk allowed vlan 102
     switchport mode trunk

    interface FastEthernet0/1
     description template user port
     switchport access vlan 102
     switchport mode access
     spanning-tree portfast

    interface VLAN 1
     shutdown

    interface VLAN 102
     description switch management interface
     ip address 192.168.3.2 255.255.255.0

    no ip routing
    ip default-gateway 192.168.3.1

    > The ISP engineer said it's really no matter the
    > switch on our side a layer2 or a layer3. But if it's a layer 2 switch,
    > how can we assign the IP address to the VLAN 102 port? Is a router
    > which supports VLAN trunking still needed in this case?


    On a Cisco router, the syntax for a dot1q trunk is:

    interface fastethernet 0/0
     description main interface/native vlan
     ip address 192.168.2.1 255.255.255.0

    interface fastethernet 0/0.102
     ! Making sub-interface number match VLAN is not necessary, but is pretty
     description vlan 102 sub-interface
     encapsulation dot1q 102
     ip address 192.168.3.1 255.255.255.0

    > 4. On the core switch, how many ports should be in the 802.1Q trunk?


    The port where you plug in the fiber from the carrier. One port.

    > Can I only set it up on the native VLAN101 port?


    What VLAN101 port? What were you planning to use VLAN101 for?

    > How should I assign
    > all the other ports on the switch then? Make them all ports for
    > LAN102?


    Yes.

    > Physically this switch's ports will connect network devices in
    > the specific location and the fiber link box. (Sorry for my naïve
    > question because I'm having difficulty to understand logical
    > interfaces and physical interfaces in my performance of setting VLAN.
    > I got difficult to find clear docs and examples on the Internet
    > either.)


    > 5. Should the PIX play any role in the VLAN configuration? Or I just
    > leave its setting intact?


    You're changing all your LAN IPs. If the PIX has a LAN IP, that IP
    address needs to change. And all its rules need to change. Oh me, oh my.

    Why do that to yourself? Why aren't you using routers and leaving your
    IP addressing alone? Either a router-on-a-stick or a real router can
    do the job. One at each site to route from the carrier's VLAN102
    to the site's VLAN 11, 12 and 13 (for example). That's how I'd do it.

    But if you want to go low-end and use a single layer 3 device at
    the hub site and not allow point-to-point traffic to short-cut past
    the hub, use the configuration I supplied above and go that way
    instead.
     
    , Feb 28, 2007
    #3
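An added example in Python (not from the thread or from any poster) that checks the two ends of a trunk like the one in the configuration above against each other. It parses only the subset of Cisco IOS switch syntax the posted configs use; the CORE and SITE_A texts below are constructed from the posted core and site A designs, and SITE_A_BAD is a constructed variant whose trunk has a different native VLAN. The checks are the ones this design raises: matching native VLAN at both ends, every VLAN a site uses being carried by both ends, the default gateway being on-link for the management SVI, and, given the VLAN hopping concern above, whether end-host access ports sit in the native VLAN.

```python
"""Added example: consistency checks across the two ends of a dot1q trunk.

Parses the small subset of Cisco IOS switch syntax used in the thread
(trunk/access ports, VLAN interfaces, default gateway). The configs below
are constructed from the posted core and site A designs for this example.
"""
import ipaddress
import re

CORE = """\
interface gig1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101,102
 switchport mode trunk
interface gig2/1
 switchport access vlan 100
 switchport mode access
interface vlan 100
 ip address 192.168.1.1 255.255.255.0
interface vlan 101
 ip address 192.168.2.1 255.255.255.0
interface vlan 102
 ip address 192.168.3.1 255.255.255.0
"""

SITE_A = """\
interface Gigabit0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101
 switchport mode trunk
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
interface VLAN 101
 ip address 192.168.2.2 255.255.255.0
ip default-gateway 192.168.2.1
"""

# Constructed variant: site A's trunk has a different native VLAN than the core.
SITE_A_BAD = SITE_A.replace("native vlan 101", "native vlan 1")

ALL_VLANS = set(range(1, 4095))  # IOS default when no allowed-vlan list is set


def expand(spec):
    """Expand an IOS VLAN list such as '101,110-112' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse(text):
    """Return {'ports': {name: {...}}, 'svis': {vlan: {...}}, 'gateway': addr}."""
    ports, svis, gateway, cur = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+vlan\s*(\d+)$", line, re.I):
            cur = svis.setdefault(int(m[1]), {})
        elif m := re.match(r"interface\s+(\S+)$", line, re.I):
            cur = ports.setdefault(m[1], {})
        elif m := re.match(r"ip default-gateway\s+(\S+)$", line):
            gateway = ipaddress.ip_address(m[1])
        elif cur is None:
            continue
        elif m := re.match(r"ip address\s+(\S+)\s+(\S+)$", line):
            cur["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"switchport trunk native vlan\s+(\d+)$", line):
            cur["native"] = int(m[1])
        elif m := re.match(r"switchport trunk allowed vlan\s+([\d,-]+)$", line):
            cur["allowed"] = expand(m[1])
        elif m := re.match(r"switchport access vlan\s+(\d+)$", line):
            cur["access"] = int(m[1])
        elif line == "switchport mode trunk":
            cur["trunk"] = True
    return {"ports": ports, "svis": svis, "gateway": gateway}


def trunk_of(cfg):
    """The single trunk port in a parsed config (the carrier-facing port)."""
    return next(p for p in cfg["ports"].values() if p.get("trunk"))


def check_trunk(local, remote):
    """Findings for one trunk whose ends are the parsed configs local and remote."""
    findings = []
    lt, rt = trunk_of(local), trunk_of(remote)
    ln, rn = lt.get("native", 1), rt.get("native", 1)  # IOS default native VLAN is 1
    if ln != rn:
        findings.append(f"native VLAN mismatch: {ln} vs {rn} "
                        "(untagged frames land in different VLANs at each end)")
    common = lt.get("allowed", ALL_VLANS) & rt.get("allowed", ALL_VLANS)
    if not common:
        findings.append("no VLAN is allowed on both ends of the trunk")
    # Every VLAN the remote site uses for hosts or management must cross the trunk.
    used = {p["access"] for p in remote["ports"].values() if "access" in p} | set(remote["svis"])
    for v in sorted(used - common):
        findings.append(f"VLAN {v} is used at the remote end but not allowed on both trunk ends")
    # End hosts in the native VLAN: worth flagging given the VLAN hopping concern;
    # the usual mitigation is a dedicated, otherwise unused native VLAN.
    for side, cfg, native in (("local", local, ln), ("remote", remote, rn)):
        if any(p.get("access") == native for p in cfg["ports"].values()):
            findings.append(f"{side}: native VLAN {native} also carries access ports")
    # The default gateway must be on-link for some management SVI.
    gw = remote["gateway"]
    if gw and not any(gw in s["ip"].network for s in remote["svis"].values() if "ip" in s):
        findings.append(f"remote default-gateway {gw} is not in any management SVI subnet")
    return findings


if __name__ == "__main__":
    for name, site in (("site A", SITE_A), ("site A (bad native)", SITE_A_BAD)):
        print(name, check_trunk(parse(CORE), parse(site)) or ["ok"])
```

Run against the posted design, the only finding is that site A's user ports share the native VLAN; against the constructed variant, the native VLAN mismatch is reported first, which is the condition under which untagged frames from one end are silently placed in a different VLAN at the other.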
  4. "" <> writes:
    >Can anybody provide hint on any one of the issues?
    >Many thanks!


    If your ISP can't help you with the handoff..
     
    Doug McIntyre, Feb 28, 2007
    #4
  5. Guest

    Hi, Bri... I want to thank you for your patience and your detailed
    replies on my questions on two lines these days. You are so
    knowledgeable on the VLAN technology. I'd like to get back to your
    questions on your post and hopefully I could get your further guidance
    on the configuration.

    > What does the PIX do for you? Does it merely control access and
    > provide VPN connectivity across your Internet connection? Is it,
    > therefore, totally irrelevant to this discussion about your
    > LAN connectivity?


    Yes, the PIX is irrelevant to the internal connectivity and only for
    the Internet traffic. We currently use three cisco 2610XM routers to
    solve internal routing.

    > > Public VLAN -101 (native VLAN)
    > > Private VLAN- 102

    >
    > What do you envision using the "Public" VLAN for?
    > What do you envision using the "Private" VLAN for?
    > How do you think that this segments your network?


    This is what the carrier's engineer literally said to me, but it is what I've
    been confused about. My understanding is the ISP plans to build a
    dot1q trunk link between their switch and our switch. They've assigned
    VLAN 101 (as native VLAN) and VLAN 102 for us on their switch and
    require us to keep the matching VLAN IDs on our switch. I don't know
    what their meaning of "public VLAN" is. Perhaps it represents a native
    VLAN from an ISP view, which means that frames belonging to the native
    VLAN are not encapsulated with tags, thus all untagged frames can be
    sent and received across their and our network always. (?)

    > > The ISP already created the two VLANs and VLAN trunking on their
    > > switch and asked us to follow up on our switch in the HQ site. Since
    > > the VLAN knowledge is absolutely new for me, I'd like to ask several
    > > pretty detailed questions over here and cordially hope you could help
    > > me out:

    >
    > This sounds like pretty ad hoc setup on the carrier's part. Not the
    > kind of thing I'd feel very comfortable with. One wonders whether they
    > can defeat a VLAN hopping attack.


    Based on Cisco publications I'm concerned about the VLAN security too. The
    disadvantages of one broadcast domain under a VLAN seem to outweigh the
    advantage of the fiber upgrade of the network...

    > But why do you have two VLANs then?


    The ISP assigned VLAN101(native VLAN) and VLAN102 for us in advance.


    > > 3. We are considering buying a new switch to be the core switch doing
    > > VLAN and trunking.

    >
    > Why? What will VLANs and trunking do for you when you have only one VLAN?
    >
    > What does it mean to have a "core switch" when your other switches don't
    > even connect to it?
    >
    > You can't do trunking without two switches. One at each end of the trunk.
    > You can't make much use of VLANs when all you have is one IP
    > subnet.


    The trunk line will be set up between the carrier's switch and a switch
    in our HQ in this scenario. If I design to have more than one VLAN
    rather than just VLAN102 (i.e. each location has one VLAN), I think each
    location needs a switch to set up dot1q trunking to the carrier's
    switch individually.

    > You might plausibly get away with a scenario in which a core layer 3
    > switch routes between three separate VLANs and uses a trunk port
    > to carry two of them to your remote sites over the carrier's network.
    >
    > You'd still be carrying broadcast frames across the carrier's network,
    > but at least the broadcast domains for the three sites wouldn't overlap.
    >
    > ! Core layer 3 switch
    > interface gig1/1
    > description to carrier
    > switchport trunk encap dot1q
    > switchport trunk native vlan 101
    > switchport trunk allowed vlans 101,102
    > switchport mode trunk
    >
    > interface gig2/1
    > description template port to local LAN
    > switchport access vlan 100
    > switchport mode access
    > spanning-tree portfast
    >
    > interface vlan 100
    > description layer 3 interface to site local LAN
    > ip address 192.168.1.1 255.255.255.0
    >
    > interface vlan 101
    > description layer 3 interface to site A LAN
    > ip address 192.168.2.1 255.255.255.0
    >
    > interface vlan 102
    > description layer 3 interface to site B LAN
    > ip address 192.168.3.1 255.255.255.0
    >
    > ip routing
    > ip route 0.0.0.0 0.0.0.0 192.168.1.100 ! The PIX
    >
    > ! Layer 2 switch at site A
    > interface Gigabit0/1
    > description to carrier
    > switchport trunk encap dot1q
    > switchport trunk native vlan 101
    > switchport trunk allowed vlan 101
    > switchport mode trunk
    >
    > interface FastEthernet0/1
    > description template user port
    > switchport access vlan 101
    > switchport mode access
    > spanning-tree portfast
    >
    > interface VLAN 1
    > shutdown
    >
    > interface VLAN 101
    > description switch management interface
    > ip address 192.168.2.2 255.255.255.0
    >
    > no ip routing
    > ip default-gateway 192.168.2.1
    >
    > ! Layer 2 switch at site B
    > interface Gigabit0/1
    > description to carrier
    > switchport trunk encap dot1q
    > switchport trunk native vlan 101
    > switchport trunk allowed vlan 102
    > switchport mode trunk
    >
    > interface FastEthernet0/1
    > description template user port
    > switchport access vlan 102
    > switchport mode access
    > spanning-tree portfast
    >
    > interface VLAN 1
    > shutdown
    >
    > interface VLAN 102
    > description switch management interface
    > ip address 192.168.3.2 255.255.255.0
    >
    > no ip routing
    > ip default-gateway 192.168.3.1


    In your configuration above, the layer 3 switch has been configured with
    three VLANs for three distinct locations. You assigned VLAN100 for the
    HQ site, VLAN 101 for site A and VLAN 102 for site B. At the same
    time, VLAN101 is still used as the native VLAN. This makes me a bit
    confused: could the native VLAN (for untagged frames) be the same as a
    VLAN for tagged frames? Is it a typo or did you do it on purpose?
    I can understand your design of using a router in each of the
    locations. "One at each site to route from the carrier's VLAN102 to the
    site's VLAN 11, 12 and 13 (for example)." In this example, VLAN 11,
    12, 13 makes sense to me.

    Thank you very much for your feedback!
     
    , Feb 28, 2007
    #5
  6. Guest

    In article <>, "" <> writes:
    > Hi, Bri... I want to thank you for your patience and your detailed

    [...]
    >>
    >> ! Core layer 3 switch
    >> interface gig1/1
    >> description to carrier
    >> switchport trunk encap dot1q
    >> switchport trunk native vlan 101
    >> switchport trunk allowed vlans 101,102
    >> switchport mode trunk
    >>
    >> interface gig2/1
    >> description template port to local LAN
    >> switchport access vlan 100
    >> switchport mode access
    >> spanning-tree portfast
    >>
    >> interface vlan 100
    >> description layer 3 interface to site local LAN
    >> ip address 192.168.1.1 255.255.255.0
    >>
    >> interface vlan 101
    >> description layer 3 interface to site A LAN
    >> ip address 192.168.2.1 255.255.255.0
    >>
    >> interface vlan 102
    >> description layer 3 interface to site B LAN
    >> ip address 192.168.3.1 255.255.255.0
    >>
    >> ip routing
    >> ip route 0.0.0.0 0.0.0.0 192.168.1.100 ! The PIX

    [snip most of configuration]
    >
    > In your configuration above, the layer 3 switch has been configured
    > three VLANs for three distinct locations. You assigned VLAN100 for the
    > HQ site, VLAN 101 for site A and VLAN 102 for site B.


    Yes.

    > At the same
    > time, VLAN101 is still used as the native VLAN.


    Yes. The native VLAN isn't all that special. Tagged or not, for almost
    all practical purposes it's just another VLAN on the wire.

    [It lacks one feature that a tagged VLAN has -- the ability to
    support [nested] VLAN tags on the frames that it carries]

    > This makes me a bit
    > confused - could the native VLAN (for untagged frames) be same as a
    > VLAN for tagged frames?


    On Cisco switches, if you specify that VLAN 101 is the native VLAN
    on a trunk port then the switch will not use VLAN 101 tags on frames
    transmitted on that port. It will transmit VLAN 101 frames untagged.

    The receiving end puts the untagged frames into its trunk port's native
    VLAN which will, barring configuration inconsistencies, be VLAN 101.

    Again, there's nothing very special about the native VLAN from a practical
    standpoint.

    > Is it a typo or you did it on purpose?


    It's on purpose. I'm assuming a fully meshed virtual LAN presented on
    both VLAN 101 and VLAN 102. As below, this assumption may be faulty.

    On the alternate assumption that the carrier is providing you with
    virtual hand-offs for two point-to-point links, the configuration also
    works at the core site, but may need tweaking at the satellite locations.

    > I can understand your design of using a router in each of the
    > location. "One at each site to route from the carrier's VLAN102 to the
    > site's VLAN 11, 12 and 13 (for example). " In this example, VLAN 11,
    > 12, 13 makes sense to me.


    One question that I haven't asked and that I haven't seen you volunteer
    an answer for...

    Is the carrier handing you a fully meshed virtual LAN (as I had been
    assuming)?

    Or are they handing you two (or three) point to point links with
    VLAN 101 pointing to site A and VLAN 102 pointing to site B?

    The fact that you say the carrier pre-configured things with two VLANs
    leads me to suspect the latter. They could be multiplexing two point to
    point links over one physical hand-off to the core site.
     
    , Mar 1, 2007
    #6
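An added illustration in Python (not from any post in the thread) of the untagged-native-VLAN behaviour described above: it builds the bytes a trunk port puts on the wire for a frame in a given VLAN, with the native VLAN sent untagged and every other VLAN carrying an 802.1Q tag, and classifies them at the receiving trunk port. The MAC addresses and payload are constructed sample values. It goes one step beyond the post by showing what the "configuration inconsistencies" caveat means in practice: when the two ends disagree on the native VLAN, the untagged frame is placed in the receiver's native VLAN, or dropped if that VLAN is not allowed on the trunk.

```python
"""Added example: 802.1Q tagging at trunk egress and classification at ingress.

Models the behaviour described in the thread: a Cisco trunk port sends frames
of its native VLAN untagged and every other VLAN with a dot1q tag, and the
receiving trunk port places untagged frames into its own native VLAN.
"""
import struct

DOT1Q = 0x8100                       # 802.1Q Tag Protocol Identifier
IPV4 = 0x0800                        # EtherType of the sample payload
DST = bytes.fromhex("ffffffffffff")  # constructed: broadcast destination
SRC = bytes.fromhex("001122334455")  # constructed: sample source MAC


def build_frame(vlan=None, dst=DST, src=SRC, ethertype=IPV4, payload=b"hello", pcp=0):
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)   # TCI = PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", DOT1Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def is_tagged(frame):
    """True if the frame carries an 802.1Q tag right after the MAC addresses."""
    return struct.unpack_from("!H", frame, 12)[0] == DOT1Q


def trunk_egress(vlan, native):
    """What the sending trunk port puts on the wire for a frame in `vlan`."""
    return build_frame(vlan=None if vlan == native else vlan)


def trunk_ingress(frame, native, allowed):
    """VLAN the receiving trunk port assigns the frame to, or None if it drops it."""
    if is_tagged(frame):
        vlan = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    else:
        vlan = native                         # untagged frames belong to the native VLAN
    return vlan if vlan in allowed else None


def carry(vlan, tx_native, rx_native, allowed):
    """End to end: which VLAN a frame sent in `vlan` ends up in at the far side."""
    return trunk_ingress(trunk_egress(vlan, tx_native), rx_native, allowed)


if __name__ == "__main__":
    # Both ends native 101: VLAN 101 crosses untagged, VLAN 102 crosses tagged.
    print("101, native 101 both ends  ->", carry(101, 101, 101, {101, 102}))     # 101
    print("102, native 101 both ends  ->", carry(102, 101, 101, {101, 102}))     # 102
    # Far end native 1: the untagged VLAN 101 frame is classified as VLAN 1 ...
    print("101, far end native 1      ->", carry(101, 101, 1, {1, 101, 102}))    # 1
    # ... or dropped when VLAN 1 is not allowed on the far end's trunk.
    print("101, far end native 1, no 1 ->", carry(101, 101, 1, {101, 102}))      # None
```

The tagged frame is exactly four bytes longer than the untagged one, which is the "overhead of a dot1q tag" mentioned earlier in the thread; the last two cases are why a native VLAN mismatch between the two ends is worth catching before traffic is moved onto the link.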
  7. Guest

    > One question that I haven't asked and that I haven't seen you volunteer
    > an answer for...
    >
    > Is the carrier handing you a fully meshed virtual LAN (as I had been
    > assuming)?
    >
    > Or are they handing you two (or three) point to point links with
    > VLAN 101 pointing to site A and VLAN 102 pointing to site B?
    >
    > The fact that you say the carrier pre-configured things with two VLANs
    > leads me to suspect the latter. They could be multiplexing two point to
    > point links over one physical hand-off to the core site.


    I double checked with our ISP... The three locations will be linked to
    the ISP via fiber optics separately, which means there will be three
    point-to-point links instead of a fully meshed link. Meanwhile, only
    two VLANs were assigned to our network by the ISP, one "public" VLAN
    101 and one "private" VLAN102. It's not like what you assumed, VLAN101
    pointing to site A and VLAN102 pointing to site B... since we have
    three distinct locations..

    Thank you very much for your continuous assistance.
    Shu
     
    , Mar 2, 2007
    #7
