How to do Port Specific VLAN + Routing


I need to configure routing between two VLANs with the same Port Specific VLAN, something like this:

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(SwitchC)192.168.1.2-----tag 100------192.168.1.1(SwitchB)

How can I do this?

Here are the options I have tried so far:

1- Two VLANs with port specific VLAN. Limitation: Can't enable ipforwarding with this option.
2- Using policies. Here are the policies of one of SwitchC's ports; another two would be needed:

Policy applied in the ingress direction:

entry port1-ingress {
    if {
        vlan-id 100;
    } then {
        permit;
        replace-vlan-id 802;
    }
}

Policy applied in the egress direction:

entry port1-egress {
    if {
        vlan-id 802;
    } then {
        permit;
        replace-vlan-id 100;
    }
}

This somehow didn't work. I don't know why.

There's an option that I thought about but haven't tried it yet:

Using four VLANs:
- Two VLANs with whatever tag but configured with port specific VLAN 100 in the ports connected to the other switches. Those VLANs will have no ip address and learning disabled.
- Two VLANs with IP addresses, each one connected via an untagged cable to one of the previous VLANs.

I think this third option should work but wouldn't be an elegant solution.

Any ideas?

Thanks
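As an added illustration (not part of the original post, and not taken from Extreme's documentation), this is the four-VLAN physical-loopback option written out in EXOS CLI syntax for SwitchC. The port numbers, VLAN names and internal tags 1100/1101/1200/1201 are assumptions constructed for the example; the only tag that appears on the wire towards the DWDM cards is the port-specific tag 100.

```exos
# Added example: physical-loopback design for the four-VLAN option.
# Assumed port layout (constructed for this example):
#   port 1  -> SwitchA side (DWDM card expecting tag 100)
#   port 2 <-> port 3  loopback cable for the 10.1.1.x side
#   port 4  -> SwitchB side (DWDM card expecting tag 100)
#   port 5 <-> port 6  loopback cable for the 192.168.1.x side
# Internal VLAN IDs are arbitrary; the port-specific tag 100 is what leaves ports 1 and 4.

# Side A: layer-2-only "outer" VLAN, port-specific tag 100 towards SwitchA,
# untagged towards the loopback cable. No IP address, no forwarding, no learning.
create vlan a_outer tag 1100
configure vlan a_outer add ports 1 tagged 100
configure vlan a_outer add ports 2 untagged
disable ipforwarding vlan a_outer
disable learning vlan a_outer

# Side A: routed "inner" VLAN, reachable only through the loopback cable
create vlan a_inner tag 1101
configure vlan a_inner add ports 3 untagged
configure vlan a_inner ipaddress 10.1.1.2/24
enable ipforwarding vlan a_inner

# Side B: same pattern; a second port-specific tag 100 lives on a different VLAN
create vlan b_outer tag 1200
configure vlan b_outer add ports 4 tagged 100
configure vlan b_outer add ports 5 untagged
disable ipforwarding vlan b_outer
disable learning vlan b_outer

create vlan b_inner tag 1201
configure vlan b_inner add ports 6 untagged
configure vlan b_inner ipaddress 192.168.1.2/24
enable ipforwarding vlan b_inner
```

Routing between 10.1.1.0/24 and 192.168.1.0/24 happens between a_inner and b_inner on the switch, while the two DWDM-facing ports never share a VLAN, so the proprietary layer-2 protocol from one side cannot reach the other. To check the isolation after applying this, confirm with `show vlan a_outer` and `show vlan b_outer` that each contains only its own DWDM port plus its loopback port, and with `show fdb` that SwitchA's MAC address is learned only in a_inner and SwitchB's only in b_inner.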

11 replies

Userlevel 7
Hi Thiago,

This ACL did not do what you want, as the VLAN ID will only be replaced on egress (after egress ACLs have been processed). Because of this, the egress ACL will not be hit.

Since PS tags require no IP forwarding on the VLAN, it looks like the physical loopback using four VLANs may be the best option.

-Brandon
Brandon Clay wrote:

Hi Thiago,

This ACL did not do what you want, as the VLAN ID will only be replaced on egress (after egress ACLs have been processed). Because of this, the egress ACL will not be hit.

Since PS tags require no IP forwarding on the VLAN, it looks like the physical loopback using four VLANs may be the best option.

-Brandon

Thanks,

I guess I will really use the physical loopback option.

If I understood correctly, the replace-vlan-id only works in egress, right? Is there any documentation about this besides the Concepts Guide?
Userlevel 7
Hi Thiago,

I am not quite sure what you are trying to achieve, but you might be able to use a secondary IP address in the VLAN with tag 100 on switch C.

See How to add secondary IP address on a VLAN.

Erik
Erik Auerswald wrote:

Hi Thiago,

I am not quite sure what you are trying to achieve, but you might be able to use a secondary IP address in the VLAN with tag 100 on switch C.

See How to add secondary IP address on a VLAN.

Erik

I can't use secondary IP because the two networks must be isolated at layer 2.
Userlevel 3
Can you try using another switch? VLAN 100 into Switch C, routed and then untagged out to Switch D that then tags VLAN 100 again.
Userlevel 6
Hi Thiago,

Is there any specific reason why you cannot change the vlan ID for vlan 192.168.1.x (between SwitchC and SwitchB) or even for vlan 10.1.1.x (between SwitchA and SwitchC)?

The easiest way would be just change the tag from 100 to another vlan ID (200, for instance).

That would be:

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(SwitchC)192.168.1.2-----tag 200------192.168.1.1(SwitchB)

or

(SwitchA)10.1.1.1-------tag 200------10.1.1.2(SwitchC)192.168.1.2-----tag 100------192.168.1.1(SwitchB)
The middle switches are actually DWDM management cards with very limited capability; changing the VLAN tag would be very traumatic (I would have to reboot 200+ cards over the system). I am trying to avoid this.

Today I have routers doing this, I would like to exchange them to extreme switches which already work as components for other networks. Sure, I could use two switches, but then I would be exchanging 1 old router to two new extreme switches, not very smart design.
Userlevel 7
Thiago wrote:

The middle switches are actually DWDM management cards with very limited capability; changing the VLAN tag would be very traumatic (I would have to reboot 200+ cards over the system). I am trying to avoid this.

Today I have routers doing this, I would like to exchange them to extreme switches which already work as components for other networks. Sure, I could use two switches, but then I would be exchanging 1 old router to two new extreme switches, not very smart design.

So currently you are using something like the following?

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(ROUTER)192.168.1.2-----tag 100------192.168.1.1(SwitchB)

The router uses routed interfaces (no bridge group) and tags the Ethernet frames with VLAN ID 100 (this would be "encapsulation dot1Q 100" for Cisco IOS)?

The problem is that a switch forwards frames at layer two, as opposed to the router, but there shall not be a layer 2 connection.

You could look into private VLANs, specifically isolated VLANs. Together with a secondary IP address you might achieve both layer 3 forwarding and layer 2 isolation with the same VLAN tag on two ports.
Thiago wrote:

The middle switches are actually DWDM management cards with very limited capability; changing the VLAN tag would be very traumatic (I would have to reboot 200+ cards over the system). I am trying to avoid this.

Today I have routers doing this, I would like to exchange them to extreme switches which already work as components for other networks. Sure, I could use two switches, but then I would be exchanging 1 old router to two new extreme switches, not very smart design.

That's actually a great idea, thanks!
Userlevel 3
Well one thing you can do is create vlan 100 and put a primary and secondary IP on it, and both ports in vlan 100.
It will route correctly; unicasts will be forwarded out each learned port appropriately, but broadcasts will be heard on both. This may cause a little bandwidth congestion, but it should work in your scenario.
Matthew Hum wrote:

Well one thing you can do is create vlan 100 and put a primary and secondary IP on it, and both ports in vlan 100.
It will route correctly; unicasts will be forwarded out each learned port appropriately, but broadcasts will be heard on both. This may cause a little bandwidth congestion, but it should work in your scenario.

I can't let the devices in the same layer 2 domain because they exchange duplicate information using a proprietary layer 2 protocol among each other.
