How to do Port Specific VLAN + Routing

  • Question
  • Updated 2 years ago
  • Answered
I need to configure routing between two VLANs with the same Port Specific VLAN, something like this:

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(SwitchC)192.168.1.2-----tag 100------192.168.1.1(SwitchB)

How can I do this?

Here are the options that I have tried so far:

1- Two VLANs with port specific VLAN. Limitation: Can't enable ipforwarding with this option.
2- Using policies, here are the policies of one of SwitchC's ports, another two would be needed:

Policy applied in the ingress direction:

entry port1-ingress {
    if {
        vlan-id 100;
    } then {
        permit;
        replace-vlan-id 802;
    }
}

Policy applied in the egress direction:

entry port1-egress {
    if {
        vlan-id 802;
    } then {
        permit;
        replace-vlan-id 100;
    }
}

This somehow didn't work. I don't know why.

There's an option that I thought about but haven't tried it yet:

Using four VLANs:
    - Two VLANs with whatever tag but configured with port specific VLAN 100 in the ports connected to the other switches. Those VLANs will have no IP address and learning disabled.
    - Two VLANs with IP addresses, each one connected via cable untagged to one of the previous VLANs.

I think this third option should work but wouldn't be an elegant solution.

Any ideas?

Thanks
Thiago

Posted 2 years ago
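As an added illustration (not configuration from the original post, and not taken from Extreme documentation), here is how the four-VLAN physical loopback option described in the question could be expressed on SwitchC in ExtremeXOS CLI. Port numbers 1 to 6, the VLAN names, the internal tags 801/802/811/812 and the two loopback cables (port 3 to port 4, port 5 to port 6) are assumptions chosen for the example; the exact syntax for port-specific tags and for disabling learning should be checked against the Concepts Guide for the EXOS version in use.

```text
# Assumed topology on SwitchC (example only):
#   port 1  <- tagged 100 from SwitchA  (10.1.1.0/24 side)
#   port 2  <- tagged 100 from SwitchB  (192.168.1.0/24 side)
#   port 3 <-> port 4 : loopback cable, untagged, A side
#   port 5 <-> port 6 : loopback cable, untagged, B side

# Transit VLANs: carry tag 100 as a port-specific tag on the uplink,
# no IP address, learning disabled so the two-port VLAN behaves like a wire.
create vlan "transitA" tag 801
configure vlan transitA add ports 1 tagged 100
configure vlan transitA add ports 3 untagged
disable learning port 1,3

create vlan "transitB" tag 802
configure vlan transitB add ports 2 tagged 100
configure vlan transitB add ports 5 untagged
disable learning port 2,5

# Routed VLANs: one per side, each reached only through its loopback cable.
# These are the only VLANs with IP addresses and IP forwarding enabled.
create vlan "routeA" tag 811
configure vlan routeA add ports 4 untagged
configure vlan routeA ipaddress 10.1.1.2/24
enable ipforwarding vlan routeA

create vlan "routeB" tag 812
configure vlan routeB add ports 6 untagged
configure vlan routeB ipaddress 192.168.1.2/24
enable ipforwarding vlan routeB
```

The point of the layout is that transitA, routeA, routeB and transitB are four distinct VLANs, so there is no layer 2 path between port 1 and port 2: a frame tagged 100 from SwitchA can only leave on port 3, and the only way to reach the 192.168.1.0/24 side is through the IP forwarding between routeA and routeB. After configuring, `show fdb` on the routed VLANs and `show iparp` give a quick check that the SwitchA and SwitchB MAC addresses are learned on the loopback ports only, and never on each other's uplink.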

Brandon Clay, Escalation Support Engineer

Hi Thiago,

This ACL did not do what you want, as the VLAN ID will only be replaced on egress (after egress ACLs have been processed). Because of this, the egress ACL will not be hit.

Since PS tags require no IP forwarding on the VLAN, it looks like the physical loopback using four VLANs may be the best option.

-Brandon
Thiago

Thanks,

I guess I will really use the physical loopback option.

If I understood correctly, the replace-vlan-id only works in egress, right? Is there any documentation about this besides the Concepts Guide?
Erik Auerswald, Ambassador

Hi Thiago,

I am not quite sure what you are trying to achieve, but you might be able to use a secondary IP address in the VLAN with tag 100 on switch C.

See "How to add secondary IP address on a VLAN".

Erik
Thiago

I can't use secondary IP because the two networks must be isolated at layer 2.
Matthew Hum, Principal Engineer, APAC

Can you try using another switch?
VLAN 100 into Switch C, routed and then untagged out to Switch D that then tags VLAN 100 again.
Henrique, Employee

Hi Thiago,

Is there any specific reason why you cannot change the vlan ID for vlan 192.168.1.x (between SwitchC and SwitchB) or even for vlan 10.1.1.x (between SwitchA and SwitchC)?

The easiest way would be to just change the tag from 100 to another VLAN ID (200, for instance).

That would be:

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(SwitchC)192.168.1.2-----tag 200------192.168.1.1(SwitchB)

or

(SwitchA)10.1.1.1-------tag 200------10.1.1.2(SwitchC)192.168.1.2-----tag 100------192.168.1.1(SwitchB)
Thiago

The middle switches are actually DWDM management cards with very limited capability; changing the VLAN tag would be very traumatic (I would have to reboot 200+ cards over the system). I am trying to avoid this.

Today I have routers doing this, and I would like to exchange them for Extreme switches which already work as components for other networks. Sure, I could use two switches, but then I would be exchanging one old router for two new Extreme switches, not a very smart design.
Erik Auerswald, Ambassador

So currently you are using something like the following?

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(ROUTER)192.168.1.2-----tag 100------192.168.1.1(SwitchB)

The router uses routed interfaces (no bridge group) and tags the Ethernet frames with VLAN ID 100 (this would be "encapsulation dot1Q 100" for Cisco IOS)?

The problem is that a switch forwards frames at layer two, as opposed to the router, but there shall not be a layer 2 connection.

You could look into private VLANs, specifically isolated VLANs. Together with a secondary IP address you might achieve both layer 3 forwarding and layer 2 isolation with the same VLAN tag on two ports.
Thiago

That's actually a great idea, thanks!
Matthew Hum, Principal Engineer, APAC

Well, one thing you can do is create VLAN 100, put a primary and a secondary IP on it, and put both ports in VLAN 100.

It will route correctly: unicasts will be forwarded out each learned port appropriately, but broadcasts will be heard on both. It may cause a little bandwidth congestion, but it should work in your scenario.
(Edited)
Thiago

I can't let the devices in the same layer 2 domain because they exchange duplicate information using a proprietary layer 2 protocol among each other.