Hi Kevin.

Thank you for your time.

Bridging was one of the solutions I thought, but I'm not a fan of bridge. I prefer routing.

This leads us to the solution of the switch you mensioned which I think is best, and undoubted the one I would use. The problem is that I don't know for sure my client's equipment. All the feedback I had so far, told me of a router (or two) and 3 switches, so I started to think of solutions with these devices.

In case of the 2600 router and the 16port ethernet module, I can use interface vlan 10 command ??? Is this allowed? If yes then it's really easy. :)

So, in conclusion, assuming we have 1 router and 3 switches, bridge is my only solution???

Thanks

"In case of the 2600 router and the 16port ethernet module, I can use interface vlan 10 command ??? "

Yes, absolutely. In fact, you must; that is what connects the switched VLAN to the routing engine.

"assuming we have 1 router and 3 switches, bridge is my only solution???"

Again true, but a disclaimer here: I have never tried the configuration I gave you for real.

The disadvantage of the bridging solution is that VTP will not work to the router interfaces, so you have to configure VLANs on all interfaces and switches by hand.

The advantage of using a central switch is that VTP propagates the VLAN database throughout the switched network; you only have to configure the new VLAN on one switch. Oh yes ... and VTP does work OK with the NM-16ESW.

P.S. If you find the information useful, please do not forget to "Rate this post". Thanks in advance.

Kevin Dorrell

Luxembourg

Thank you for your help.

I'll see what equipment my client has, and if it is 1 router and 3 switches, I'll try your configuration. I think it sould work. Do you want a feedback if it worked or not?

Thanks again Kevin.

Feedback - yes please. That's the main reason I do this forum, to gain experience from real life situations.

Thanks in advance.

Kevin Dorrell

Luxembourg

I have followed this one.

I take it the router is the only L3 device,and you want to run trunks to the router interfaces for redundancy.

Do you have trunks running between the switches? I assume you do, then I would just run each link in access mode with a different vlan on each link to the router

just a thought!

Richard.

Hi Richard

I'm not sure I understand what you mean.

I have three switches. 2 of them are connected with 2 gigabitethernet (channel-group) to each-other for redundancy.

In order to be fully redundant, they should both be connected to the router. Correct?

The 3rd switch should also be connected somehow.

The switches do not support L3 routing, so all of them should be connected to the router.

Also each of them should have the VLANs configured and no VTP used. Who would be VTP master?

I need 3 VLANs. If I connect the switches to the router through access ports, I would need 9 ethernet ports and 9 different VLANs. Right?

Is this what you said?

Thank you for your help

If you do connect all your switches redundantly using the bridge configuration on the router, make sure the router is the STP root. You can do that by lowering the priority.

Router(config)# bridge (bridge-group-number) priority (number)

Router(config)# bridge 10 priority 1

Or else you could have only one link being used for access to your layer 3 device.

I've just read about a cheaper solution for you, but still with the core/distribution switch we talked about. If you have a 1751, 2600 or 3600 series router, there is a WIC-4ESW, which is a 4-port switch card on a WIC module. Apparently the ports will do 802.1Q trunking.

The only drawback is that it will do VTP, but transparent mode only. That is, you would define the VLANs on one of your access switches, and they would propagate to the other switches, but not to the WIC-4ESW - you would have to define the new VLAN there by hand. Don't know if they plan to support other VTP modes on that WIC in the future.

Kevin Dorrell

Luxembourg

Hi,

Let's view this scenario. In my case I need to implement a similar solution, but with NAT in every BVI.

I have this commands "ip nat inside source list 100 interface BVI7 overload" and "access-list 100 permit ip any any". If I add "ip nat inside source list 100 interface BVI9 overload" the first one disappears...

Can you help, please?

Thanks in advance!

Hi,

   Because source is the same "ip nat inside source list 100" for both NAT statements, it will always override it; there is no workaround for this, other than creating another list like ACL 200, and use another NAT statements; however, you need to ensure the router matches each NAT statement that you want, for the traffic you want:

access-list 100 permit 192.168.10.0 0.0.0.255

access-list 200 permit 192.168.10.0 0.0.0.255

!

ip nat inside source list 100 interface BVI7 overload

ip nat inside source list 200 interface BVI9 overload

Regards,

Cristian Matei.

I agree with @Cristian Matei that the overlapping use of the same access list on both interfaces creates a problem. Unfortunately I do not believe that his suggested solution goes far enough to solve the issue

access-list 100 permit 192.168.10.0 0.0.0.255

access-list 200 permit 192.168.10.0 0.0.0.255

There are 2 access lists but they both use exactly the same logic and I believe that the result will not really solve the issue. When configuring address translation where traffic may be outgoing on 2 interfaces the better solution is to configure address translation using route maps. In this approach the route map can match on the access list and also match on the outbound interface. So one route map is for BVI7 and another route map is for BVI9. They could each have an individual access list but it would work just as well if both route maps used the same access list.

Another note is that configuring address translation this way it would be preferable to use a standard access list rather than an extended access list.