VLAN Questions

Discussion in 'Cisco' started by Bob Simon, Jan 9, 2007.

  1. Bob Simon

    Bob Simon Guest

    In a previous job a few years ago I needed to create two isolated
    VLANs on a 2900 with no connectivity between them. One other port on
    the switch had to be a member of both VLANs. I used the switchport
    mode multi command to accomplish this design and did not configure any
    ports as trunk.

    Now I need to do something equivalent on a 2950 but it appears that
    switchport mode multi is not supported (IOS 12.1). Do I have to
    configure a 2950 port as a trunk to accept packets from either VLAN?
    Is there another way to do this?

    Is dot1q encapsulation pretty much always used these days instead of
    ISL just because it's a standard?

    VLAN 1 on the 2950 has an IP address, which is how I reach the switch
    to manage it. Does VLAN 2 need one too? If so, why?

    The switch port that will become a trunk is now connected to a 3745
    router. Do I need to define two subinterfaces on this router each
    configured with dot1q encapsulation and an IP address for VLAN1 and
    VLAN2?

    I don't want traffic to route between the two VLANs. I presume that
    since the two subinterfaces are directly connected to the router, it
    will automatically route between them. Right?

    Is the best way to prevent this an access list?

    ip access-list extended no_route
    deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip any any

    int f0/0
    ip access-group no_route in
     
    Bob Simon, Jan 9, 2007
    #1

  2. www.BradReese.Com, Jan 10, 2007
    #2

  3. BernieM

    BernieM Guest

    "Bob Simon" <> wrote in message
    news:eek:...
    > In a previous job a few years ago I needed to create two isolated
    > VLANs on a 2900 with no connectivity between them. One other port on
    > the switch had to be a member of both VLANs. I used the switchport
    > mode multi command to accomplish this design and did not configure any
    > ports as trunk.
    >
    > Now I need to do something equivalent on a 2950 but it appears that
    > switchport mode multi is not supported (IOS 12.1). Do I have to
    > configure a 2950 port as a trunk to accept packets from either VLAN?
    > Is there another way to do this?


    It's one easy way.

    >
    > Is dot1q encapsulation pretty much always used these days instead of
    > ISL just because it's a standard?


    Yes.

    >
    > VLAN 1 on the 2950 has an IP address, which is how I reach the switch
    > to manage it. Does VLAN 2 need one too? If so, why?


    No.

    >
    > The switch port that will become a trunk is now connected to a 3745
    > router. Do I need to define two subinterfaces on this router each
    > configured with dot1q encapsulation and an IP address for VLAN1 and
    > VLAN2?


    Yes.

    >
    > I don't want traffic to route between the two VLANs. I presume that
    > since the two subinterfaces are directly connected to the router, it
    > will automatically route between them. Right?


    does vlan 2 exist anywhere else? do the hosts in vlan 2 need to get out?
    if not then don't trunk it to the 3750.

    >
    > Is the best way to prevent this an access list?
    >
    > ip access-list extended no_route
    > deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    > deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    > permit ip any any
    >
    > int f0/0
    > ip access-group no_route in
    >
     
    BernieM, Jan 10, 2007
    #3
  4. Bob Simon

    Bob Simon Guest

    On Wed, 10 Jan 2007 08:38:15 GMT, "BernieM" <>
    wrote:

    >
    >"Bob Simon" <> wrote in message
    >news:eek:...
    >> In a previous job a few years ago I needed to create two isolated
    >> VLANs on a 2900 with no connectivity between them. One other port on
    >> the switch had to be a member of both VLANs. I used the switchport
    >> mode multi command to accomplish this design and did not configure any
    >> ports as trunk.
    >>
    >> Now I need to do something equivalent on a 2950 but it appears that
    >> switchport mode multi is not supported (IOS 12.1). Do I have to
    >> configure a 2950 port as a trunk to accept packets from either VLAN?
    >> Is there another way to do this?

    >
    >It's one easy way.
    >
    >>
    >> Is dot1q encapsulation pretty much always used these days instead of
    >> ISL just because it's a standard?

    >
    >Yes.
    >
    >>
    >> VLAN 1 on the 2950 has an IP address, which is how I reach the switch
    >> to manage it. Does VLAN 2 need one too? If so, why?

    >
    >No.
    >
    >>
    >> The switch port that will become a trunk is now connected to a 3745
    >> router. Do I need to define two subinterfaces on this router each
    >> configured with dot1q encapsulation and an IP address for VLAN1 and
    >> VLAN2?

    >
    >Yes.
    >
    >>
    >> I don't want traffic to route between the two VLANs. I presume that
    >> since the two subinterfaces are directly connected to the router, it
    >> will automatically route between them. Right?

    >
    >does vlan 2 exist anywhere else?

    No.
    > do the hosts in vlan 2 need to get out? if not then don't trunk it to the 3750.

    Yes.

    I thought of another possible solution. Can VLAN 2 be untagged? Or
    when I set up port 1 of the 2950 as a trunk, is there a way to NOT
    encapsulate in 802.1q? After all, I don't need the 3745 to recognize
    the "color" of the VLAN.
     
    Bob Simon, Jan 10, 2007
    #4
  5. BernieM

    BernieM Guest

    "Bob Simon" <> wrote in message
    news:...
    > On Wed, 10 Jan 2007 08:38:15 GMT, "BernieM" <>
    > wrote:
    >
    >>
    >>"Bob Simon" <> wrote in message
    >>news:eek:...
    >>> In a previous job a few years ago I needed to create two isolated
    >>> VLANs on a 2900 with no connectivity between them. One other port on
    >>> the switch had to be a member of both VLANs. I used the switchport
    >>> mode multi command to accomplish this design and did not configure any
    >>> ports as trunk.
    >>>
    >>> Now I need to do something equivalent on a 2950 but it appears that
    >>> switchport mode multi is not supported (IOS 12.1). Do I have to
    >>> configure a 2950 port as a trunk to accept packets from either VLAN?
    >>> Is there another way to do this?

    >>
    >>It's one easy way.
    >>
    >>>
    >>> Is dot1q encapsulation pretty much always used these days instead of
    >>> ISL just because it's a standard?

    >>
    >>Yes.
    >>
    >>>
    >>> VLAN 1 on the 2950 has an IP address, which is how I reach the switch
    >>> to manage it. Does VLAN 2 need one too? If so, why?

    >>
    >>No.
    >>
    >>>
    >>> The switch port that will become a trunk is now connected to a 3745
    >>> router. Do I need to define two subinterfaces on this router each
    >>> configured with dot1q encapsulation and an IP address for VLAN1 and
    >>> VLAN2?

    >>
    >>Yes.
    >>
    >>>
    >>> I don't want traffic to route between the two VLANs. I presume that
    >>> since the two subinterfaces are directly connected to the router, it
    >>> will automatically route between them. Right?

    >>
    >>does vlan 2 exist anywhere else?

    > No.
    >> do the hosts in vlan 2 need to get out? if not then don't trunk it to
    >> the 3750.

    > Yes.
    >
    > I thought of another possible solution. Can VLAN 2 be untagged? Or
    > when I set up port 1 of the 2950 as a trunk, is there a way to NOT
    > encapsulate in 802.1q? After all, I don't need the 3745 to recognize
    > the "color" of the VLAN.


    Configure it as the 'native vlan' to have it untagged ... "switchport trunk
    native vlan 2"

    Another two ways ... don't configure a vlan 2 interface on the 3745, or
    don't configure a default gateway on hosts in vlan 2 and don't configure proxy
    arp on the 3745.

    The ACL solution is fine if you need to access vlan 2 hosts across the
    network for management / administrative reasons but if it's a truly isolated
    vlan then there are a few options available.

    BernieM
     
    BernieM, Jan 10, 2007
    #5
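
The `no_route` ACL from the first post, evaluated the way an IOS extended ACL is processed (top-down, first match, implicit deny at the end). This is an added example, not part of the original thread; the parser handles only the `permit|deny ip <src> <dst>` form used in the post, and the host addresses in the demo are constructed.

```python
import ipaddress

# The ACL entries exactly as posted in the thread.
NO_ROUTE = """\
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
"""

def _take_addr(tokens):
    """Consume one address spec: 'any' or 'address wildcard'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into an ordered rule list."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        rules.append((action, src, dst))
    return rules

def _matches(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; only the 0 bits are compared.
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in rules:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample packets: one inter-VLAN, one leaving both VLANs.
    for src, dst in [("192.168.1.10", "192.168.2.20"), ("192.168.1.10", "10.0.0.5")]:
        print(src, "->", dst, evaluate(parse_acl(NO_ROUTE), src, dst))
```

Entry order matters: with `permit ip any any` placed first, the two deny entries are never reached, and without it everything that is not inter-VLAN traffic is dropped by the implicit deny.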