huud
Beginner

Can traffic from VLAN network traverse a LAN network and back

Hi,

 

I have worked on Cisco switches and routers and I know 2 physical switches must have identical VLANs both connected to a router-on-a-stick for end devices behind each switch to communicate with each other.

 

My question is: is it possible for traffic from a VLAN network to traverse to a normal LAN network, something as below (< and > mean connected to)?

 

Device A (VLAN 10) > Switch VLAN 10 > Router Sub-interface (VLAN 10) > --- < Another Router (No VLAN) < Switch (No VLAN) < Device B

balaji.bandi
VIP Expert

Device A (VLAN 10) > Switch VLAN 10 > Router Sub-interface (VLAN 10) > --- < Another Router (No VLAN) < Switch (No VLAN) < Device B

You need to bridge the interface for the VLAN to extend with trunking.

 

BB


Seb Rupik
VIP Advisor

On the sub-interface 'Router Sub-interface (VLAN 10)' you would need to make sure the frames are sent untagged, i.e. native:

router(config-subif)# encapsulation dot1q 10 native

This will allow 'Another Router' to receive and not drop them. Likewise the return frames will be sent back to 'Router Sub-interface (VLAN 10)' untagged and so placed into the native VLAN.

 

cheers,

Seb.

 

Joseph W. Doherty
Hall of Fame Expert

"I have worked on Cisco switches and routers and I know 2 physical switches must have identical VLANs both connected to a router-on-a-stick for end devices behind each switch to communicate with each other."

Not necessarily.  If you connect two switches, using different VLANs, but each using untagged frames (for example, access ports), you can intermix those VLANs w/o a router (generally, this isn't done nor recommended).

To me, it's unclear how you interconnect your two routers.  If it's a routed link (normally the case), what you have would work fine, at L3, not L2.

Also, it's unclear whether either of your routers need subinterfaces and/or why you need two routers.

"To me, it's unclear how you interconnect your two routers.  If it's a routed link (normally the case), what you have would work fine, at L3, not L2."

 

In my case the 2 routers would be in the same subnet, and the networks behind them would communicate via Static Routes set on each router.

 

"Also, it's unclear whether either of your routers need subinterfaces and/or why you need two routers."

 

In my case only 1 router is to have subinterfaces (the one with VLANs), the other will be without any subinterface.

 

My situation is that I have a laptop with VMware Workstation running the 192.168.28.0/24 network, and a Dell server which is running the 10.0.64.0/24 network. Both are running 1 firewall VM each, and the network between the firewalls is 192.168.1.0/24. As understood, VMware Workstation does not support VLANs, while the Dell server runs ESXi which supports VLANs, and the firewall VM (OPNsense) also supports VLANs. So in my case the firewall VM on the Dell server would have VLANs while the firewall VM in VMware Workstation would not have VLANs, and the connection between the 2 firewall VMs would be a trunk.

 

Currently there is no VLAN and both firewalls are running LAN networks with Static Routes. The connection between the Dell server and VMware Workstation on the laptop is bridged; no physical switch is being used.

I believe that several of the responses were assuming that the source device and the destination device were to be in the same subnet. If I am understanding correctly that is not the case. Am I correct that the source device is in 192.168.28.0, the destination device is in 10.0.64.0, and that the connection between the routers is 192.168.1.0? If that is the case then connection between them should be no problem. vlan membership is not an issue. The source may be sending an Ethernet frame with vlan tags. The router will receive the Ethernet frame, remove the vlan tag producing a standard Ethernet frame, and forward the standard Ethernet frame to the other router, which will forward the standard Ethernet frame to the destination. Should work just fine, assuming that each router has appropriate routing logic to be able to forward to the remote subnet.

HTH

Rick

Am I correct that the source device is in 192.168.28.0, the destination device is in 10.0.64.0, and that the connection between the routers is 192.168.1.0?

Hi Rick, yes this is the case, the source can be from either network, 192.168.28.0/24 or 10.0.64.0/24.

Thanks..

Thank you for confirming that the source is in one network, the destination is in another network, and a third network connects them. In this case the fact that one device does support vlans while the other device does not support vlans does not matter. If the source device does support vlans then vlans and vlan tagging are used between the source device that supports vlans and the router subinterface. The router vlan subinterface removes the vlan tag and forwards a standard Ethernet frame toward the destination. The destination device (which does not support vlans) receives a standard Ethernet frame (no vlan tag) and things work. Or if the traffic is originated from the device that does not support vlans then that device sends a standard Ethernet frame (no vlan tag). The standard Ethernet frame is forwarded and reaches the router vlan subinterface. That router vlan subinterface will add a vlan tag to the frame and forward it to the destination device which does support vlans.

So it works in both directions. The key thing to understand is that the vlan tagging is only done between the host that does support vlans and the router vlan subinterface. Everywhere else in the network it is just a standard Ethernet frame.

HTH

Rick


Thanks Rick,

 

Very well explained, and understood, exactly clarifies my confusion.

You are welcome. I am glad that the explanations have been helpful. It is a subtle point, but helpful to understand that vlan tags only operate (and only need to be considered) on switch interfaces configured as trunk and on router subinterfaces. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
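
Added example, not part of any post in this thread: a Python sketch of what the accepted answer describes, showing the 802.1Q tag being removed at the router VLAN subinterface and added again on the way back. The MAC addresses, payload string and function names are constructed for illustration; a real router also does the IP route lookup and TTL decrement, which are left out here.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

# Constructed sample addresses (locally administered MACs) and a stand-in payload.
DEVICE_A = bytes.fromhex("02000000000a")
ROUTER_SUBIF = bytes.fromhex("020000000001")
ROUTER_LINK = bytes.fromhex("020000000002")
OTHER_ROUTER = bytes.fromhex("020000000003")
PAYLOAD = b"IP packet 10.0.64.5 -> 192.168.28.7"

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame; insert the 4-byte 802.1Q tag when vlan is set."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vlan_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]

def route_from_subif(frame, subif_vlan, out_src, out_dst):
    """Tagged side -> routed link: accept only the subinterface's VLAN, emit untagged."""
    _, _, vlan, etype, payload = parse_frame(frame)
    if vlan != subif_vlan:
        return None  # untagged or tagged for another VLAN: not this subinterface
    return build_frame(out_dst, out_src, etype, payload)

def route_to_subif(frame, subif_vlan, out_src, out_dst):
    """Routed link -> tagged side: the subinterface adds its tag on egress."""
    _, _, vlan, etype, payload = parse_frame(frame)
    if vlan is not None:
        return None  # the routed link in this sketch carries untagged frames only
    return build_frame(out_dst, out_src, etype, payload, vlan=subif_vlan)

if __name__ == "__main__":
    tagged = build_frame(ROUTER_SUBIF, DEVICE_A, ETH_IPV4, PAYLOAD, vlan=10)
    routed = route_from_subif(tagged, 10, ROUTER_LINK, OTHER_ROUTER)
    print("VLAN on tagged side:", parse_frame(tagged)[2])
    print("VLAN on routed link:", parse_frame(routed)[2])
    reply = build_frame(ROUTER_LINK, OTHER_ROUTER, ETH_IPV4, PAYLOAD)
    print("VLAN back toward Device A:",
          parse_frame(route_to_subif(reply, 10, ROUTER_SUBIF, DEVICE_A))[2])
```

The Layer 2 header is rebuilt at the router, so the tag never appears on the link between the two routers, and a frame tagged for a VLAN the subinterface does not serve is not forwarded.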