This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to do Port Specific VLAN + Routing

How to do Port Specific VLAN + Routing

Thiago
New Contributor

‎04-26-2016 02:23 PM

I need to configure routing between two VLANs with the same Port Specific VLAN, something like this:

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(SwitchC)192.168.1.2-----tag 100------192.168.1.1(SwitchB)

How can I do this?

Here is the options that I tried so far:

1- Two VLANs with port specific VLAN. Limitation: Can't enable ipforwarding with this option.
2- Using policies, here is the policies of one of SwitchC's ports, another two would be needed:

Policy applied in the ingress direction:

entry port1-ingress { if {
vlan-id 100;
} then {
permit;
replace-vlan-id 802;
}
}

Policy applied in the egress direction:

entry port1-egress { if {
vlan-id 802;
} then {
permit;
replace-vlan-id 100;
}
}

This somehow didn't work. I don't know why.

There's an option that I thought about but haven't tried it yet:

Using four VLANs:
- Two VLANs with whatever tag but configured with port specific VLAN 100 in the ports connected to the other switches. Those VLANs will have no ip address and learning disabled.
- Two VLANs with ip addresses, each one connected via cable untagged to one of the anterior VLANs.

I think this third option should work but wouldn't be an elegant solution.

Any ideas?

Thanks

0 Kudos
11 REPLIES 11

Erik_Auerswald
Contributor II
In response to Thiago

‎04-27-2016 05:43 PM

So currently you are using something like the following?

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(ROUTER)192.168.1.2-----tag 100------192.168.1.1(SwitchB)

The router uses routed interfaces (no bridge group) and tags the Ethernet frames with VLAN ID 100 (this would be "encapsulation dot1Q 100" for Cisco IOS)?

The problem is that a switch forwards frames at layer two, as opposed to the router, but there shall not be a layer 2 connection.

You could look into private VLANs, specifically isolated VLANs. Together with a secondary IP address you might achieve both layer 3 forwarding and layer 2 isolation with the same VLAN tag on two ports.
0 Kudos

Henrique
Extreme Employee

‎04-27-2016 03:14 PM

Hi Thiago,

Is there any specific reason why you cannot change the vlan ID for vlan 192.168.1.x (between SwitchC and SwitchB) or even for vlan 10.1.1.x (between SwitchA and SwitchC)?

The easiest way would be just change the tag from 100 to another vlan ID (200, for instance).

That would be:

(SwitchA)10.1.1.1-------tag 100------10.1.1.2(SwitchC)192.168.1.2-----tag 200------192.168.1.1(SwitchB)

or

(SwitchA)10.1.1.1-------tag 200------10.1.1.2(SwitchC)192.168.1.2-----tag 100------192.168.1.1(SwitchB)
0 Kudos

Matthew_Hum1
Extreme Employee

‎04-27-2016 04:42 AM

Can you try using another switch? VLAN 100 into Switch C, routed and then untagged out to Switch D that then tags VLAN 100 again.
0 Kudos

Erik_Auerswald
Contributor II

‎04-26-2016 02:56 PM

Hi Thiago,

I am not quite sure what you are trying to achieve, but you might be able to use a secondary IP address in the VLAN with tag 100 on switch C.

See How to add secondary IP address on a VLAN.

Erik
0 Kudos

Thiago
New Contributor
In response to Erik_Auerswald

‎04-26-2016 02:56 PM

I can't use secondary IP because the two networks must be isolated at layer 2.
0 Kudos
GTM-P2G8KFN