How can I pass another complete network over my network

dajohnso (Level 1)

I have a network that connects two buildings with switch A and switch B. These two switches are connected with a pair of trunks using 1G dishes. I have about 10 VLANs configured in my environment and everything works fine for my equipment and networks. I have a need to connect a 3rd party's network (switch C and D) over my network but I don't want to intermix the two networks. I have verified they have Cisco switches as well and none of the VLANs overlap (except we both have native VLAN 1; I know, I'm already considering changing to a different native VLAN). How can I bridge their switches using my link? I tried turning off LLDP and connecting their trunk to my switch on an unused VLAN and that didn't work. I changed my ports to trunks and only allowed VLANs 1,400,600,1002-1005 and I was able to ping from C to D (over A & B) with different IP blocks than I use in my network, but when I added a VLAN to switch C it did not show up on switch D via VTP, though they do when they are directly connected? So in short, how can I connect C & D over my A & B so that C&D do not show up as CDP neighbors in my environment and C&D do not show my switches as CDP neighbors, and so that all traffic and admin of C can reach D? I don't need to (or want to) be able to access anything on C or D and I certainly do not want C&D to see anything in my network. I can make any changes to my environment needed but I can only make suggestions for changes on the vendor network. Would it help if I moved everything in VLAN 1 to VLAN 2 and made it my native/management VLAN? I want the connection between C&D to be as transparent as possible, almost like they are directly connected. (I would rather NOT put them on one set of dishes and me on the other; I like having the redundant pair of dishes even though I do not need 2Gbps throughput, they are in a port channel group for load balancing and redundancy.)



16 Replies

Joseph W. Doherty (Hall of Fame)

If I understand your network correctly, I suspect the problem is you're expecting VTP to work between switches C and D while not using the same VTP domain as switches A and B.

I suspect, excluding VLAN 1, it would be easy to logically connect the VLANs on switches C and D if you don't use VTP on them.  You would also need to define those switches VLANs to VTP for switches A and B, or don't use VTP at all.

As to the conflict between VLAN 1, between your switches and the vendor's, possibly Q-in-Q, or on the vendor switches, interconnect another VLAN to VLAN 1, and trunk that VLAN like the other vendor VLANs, would work.  (These suggestions might be tried in CML.)

BTW, there might be other options, for example VXLAN (?), but would need to know more about your equipment.  Don't know what your 4948s may support (they are old, and EoL, I believe) or what your vendor is using.

My prior reply should work for old or newer Cisco equipment.

Jens Albrecht (Level 1)

You need to take a look at Layer 2 Protocol Tunneling techniques. As the name implies, the traffic between switches C and D is tunneled through your network without affecting it. This also allows switches C and D to see each other via CDP or to exchange VLAN information via VTP through the tunnel as if they were directly connected.

You did not mention the hardware of your switches or the software they are running but this should serve as a good starting point:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-12/configuration_guide/lyr2/b_1612_lyr2_9300_cg/configuring_layer2_protocol_tunneling.html

HTH!

"You did not mention the hardware of your switches"

OP diagram had his switches as 4948s.

Yepp, now I see it. I was searching for this info but could not find it. Thanks for this hint.

So same technique, just a different starting point:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/01xo/configuration/guide/tunnel.html

Yup, also sometimes known as Q-in-Q, as I mentioned in my original reply.

I've only needed to do it once, and in this case, I would be the vendor switch.

Without additional review of material, don't know whether configuration changes would be needed on all switches, but Jens might know.

What I had done worked fine but I also recall I only had to pass one of my VLANs across a MetroE provider.

Thanks. So far I have tried to follow this and have been unsuccessful. I did manage to block CDP now so the vendor switches do not see my switches and I don't see theirs. I set up 4 C4948s on my desk. Switch C int gi1/44 is plugged into switch A int gi1/1, same on switch D and B. Switch A and B are trunked via ports 43, 44.

switch C and D have

interface GigabitEthernet1/44
description trunk to slave
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1005
switchport mode trunk
end

and switch A&B have

vlan dot1q tag native

interface GigabitEthernet1/1
switchport access vlan 22
switchport mode dot1q-tunnel
no cdp enable

now in A&B "sho cdp nei" doesn't show switch C&D (good)

but, switch C and D "sho cdp nei" doesn't show any switches either?

C and D can no longer ping each other, vtp is not populating on switch D?

show vlan dot1q tag native
has no output


You do allow the new carrier VLAN, 22, across your trunks between switches A and B?

Did you also read Jens' reference's section about MTU considerations on the 4500 series?  Although the 4948 isn't explicitly mentioned, I recall it's a "pizza box" 4500 sup.  Unsure which though, vaguely recall might be equivalent to a sup-V.  (It's QoS model, is pre sup-6.)

Also, your wireless links wouldn't have any issue with the slightly larger double tagged frames?

Using the guide provided in the responses here, all trunks now pass all VLANs. C&D are in a dot1q tunnel on A&B. Limited success, pretty much everything is working except VLAN 1 and VTP. Not sure if anything else isn't working as I am only testing on my bench right now and I haven't tried the config with the vendor network yet. I want to get as much working as possible before the cutover to minimize downtime. I have a note out to the vendor to see what their native/management VLAN is (really hoping it's not VLAN 1).

The wireless links appear to be pretty transparent. I haven't had any issues with switch A and B communicating over this link. The issues described above are all between the C&D switches.

Sorry, thought I had added it.

I am using Cisco WS-C4948 running cat4500-entservicesk9-mz.150-2.SG11.  The vendor switches are some form of Meraki switch.


Thanks for the info. I have reread the configuration guide and have had limited success!  Switches C&D can now see each other with "sho cdp nei", C&D cannot see A&B, and A&B do not see C&D as neighbors! Switches C&D can ping each other on VLANs (except 1?). VTP is still not populating? On switch C&D "trunks" I am passing all VLANs now to the tunnel. Switch A&B now show the tunnel with "show dot1q-tunnel". Very promising, as I did not have to make any changes to vendor switches for this config!

here is what I have currently

Switch C&D (vendor)

interface GigabitEthernet1/44
description trunk to slave
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1005
switchport mode trunk

Switch A&B (Mine/ISP)

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 22
name dot1q
!

interface GigabitEthernet1/1
switchport access vlan 22
switchport trunk native vlan 22
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel lldp
no cdp enable
!
I have also tried without the vlan 22, same result.

interface GigabitEthernet1/1
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel lldp
no cdp enable
end

More success! Added "l2protocol-tunnel vtp" to int gi1/1 and now VTP is updating! Still can't ping in VLAN 1 though.

interface GigabitEthernet1/1
switchport access vlan 22
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel lldp
l2protocol-tunnel vtp
no cdp enable
end

Seems to work the same with and without the vlan 22 commands, and/or the vlan 22 native command.
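The provider-side (switch A/B) configuration the thread converges on, consolidated here as an added illustration rather than text from any post; the interface and VLAN numbers follow the OP's bench setup, while the port-channel number, the threshold values and the exact MTU command for the 4948 are assumptions to confirm against the 4500 guide Jens linked.

```cisco
! Added illustration (not from any post): provider-side config for switch A.
! Switch B mirrors it with its own tunnel port toward vendor switch D.
!
! Double-tagged frames are 4 bytes longer; the 4500 guide linked in the
! thread covers the MTU requirement, so confirm this value for the 4948.
system mtu 1504
!
! Tag native-VLAN frames on trunks so the carrier tag is never stripped
! if VLAN 22 and a trunk's native VLAN ever coincide.
vlan dot1q tag native
!
! Carrier VLAN for the vendor's traffic: no SVI, no hosts, allowed only on
! the tunnel port and the inter-building trunk.
vlan 22
 name vendor-qinq-carrier
!
interface GigabitEthernet1/1
 description QinQ tunnel port facing vendor switch C
 switchport access vlan 22
 switchport mode dot1q-tunnel
 ! Tunnel the vendor's control protocols so C and D see each other,
 ! and only each other, via CDP/LLDP/STP/VTP.
 l2protocol-tunnel cdp
 l2protocol-tunnel lldp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 ! Cap tunneled control frames (pps) so a looping or misconfigured vendor
 ! switch cannot exhaust the provider CPU; the values are assumptions.
 l2protocol-tunnel shutdown-threshold 1000
 l2protocol-tunnel drop-threshold 500
 ! Keep the provider switches invisible to the vendor.
 no cdp enable
 no lldp transmit
 no lldp receive
!
! Inter-building trunk over the dishes (channel number assumed). The
! carrier VLAN must be allowed here or the tunnel has no path.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan add 22
 switchport mode trunk
!
! Verification on A and B:
!   show dot1q-tunnel
!   show l2protocol-tunnel interface GigabitEthernet1/1
!   show vlan id 22
!   show interfaces Port-channel1 trunk
```

The vendor side stays a plain 802.1Q trunk, as the OP found, so nothing in the vendor's configuration has to change.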