
Split VLANs using Cisco Catalyst 2900 series

julesmartens
Level 1

Hi, 

 

I switched to FTTH for Internet and IPTV. My new ISP uses VLAN6 and VLAN4 to separate these types of traffic.

 

I'd like to continue to use my own non-Cisco router/firewall such that my internal (internet) network will run in one ecosystem (Unifi - Ubiquiti). Unfortunately, my Unifi router does not support multiple VLANs on the WAN side.

 

As containment, I am considering using my Cisco Catalyst 2960 switch to split the VLANs before entering my Unifi router.

 

Physical connections in new setup:

FTTH (VLAN6+4) --> Catalyst 2960

Catalyst --> VLAN6 --> (WAN port) Unifi Router --> internet traffic

Catalyst --> (VLAN4) --> (WAN port) Fritzbox router --> IPTV

Unifi Router(LAN)-->switch1

switch1 --> WIFI APs

switch1 --> PCs / NAS / Server

Fritzbox router --> STB1

 

Is this possible, and how do I configure my Catalyst for this purpose?

 

Thanks!

 

Regards,

Jules

3 Replies

Richard Burts
Hall of Fame

Jules

 

There are some things that we do not know about your situation and that makes it difficult to give good advice. Would we be correct in assuming that the ISP connection operates as a trunk, carrying vlans 4 and 6? If it is a trunk are both vlans using tagged frames or is one vlan tagged and the other vlan untagged?

 

I am also not clear about this part of your post

Catalyst --> VLAN6 --> (WAN port) Unifi Router --> internet traffic

Catalyst --> (VLAN4) --> (WAN port) Fritzbox router --> IPTV

It mentions WAN port twice, does that mean 2 different ports with same descriptor? Or something else? Can you clarify?

 

Assuming that the ISP connection is operating as a trunk then I would suggest this approach for your catalyst:

- configure a port on the 2960 as a trunk carrying vlans 4 and 6. (you might need to manipulate the definition of native vlan depending on whether both vlans are tagged or one is not tagged)

- configure vlans 4 and 6.

- configure one port to be an access port in vlan 4 and connect that port to Fritzbox

- configure another port to be an access port in vlan 6 and connect that port to Unifi router.

- it is not clear whether the 2960 is used for anything else. You mention switch1 connected to Unifi for WIFI, and PCs, and NAS and it is not clear whether this is a different switch or will be running on other ports of 2960. Can you clarify?

HTH

Rick

Hi Rick,

 

Yes, my ISP connection operates as a trunk with Internet and IPTV on it, tagged VLAN6 and VLAN4 respectively.

Also, VOIP lives on this trunk; if I remember correctly, this traffic is untagged. The ISP has given me a fixed IPv4 via PPP and IPCP.

 

My Unifi router, unfortunately, does not support having two VLANs on the WAN side unless I code this via json. I'd like the Unifi GUI and I'd rather not configure my router/firewall partially from json and partially from the Unifi GUI. I noticed on the Unifi forum that more users have requested "VLAN groups" on the WAN side, but so far this feature hasn't been implemented. So currently I can only set my WAN to either VLAN6 (internet) or VLAN4 (IPTV) but not both. ;-(

 

My idea is to use my redundant Cisco switch to split VLANs for me. To answer your question, the Cisco switch will only be used for this purpose.

 

Downstream from the Cisco switch, I will connect:

1) my own (Unifi) FW/Router used for Internet traffic @VLAN6.

This router will on LAN-side connect to a next Unifi-switch1 to distribute traffic further downstream in my LAN (server/NAS etc).

2) the router provided by the ISP (Fritzbox) used for IPTV traffic @VLAN4.

Each of the above connections will connect to the WAN ports of these two routers.

 

I wonder how this works with IP addresses. Normally a router will provide IP addresses (DHCP) to connected clients (LAN side). In this setup, the Cisco switch lives between ISP and WAN side of the routers.

 

On the Cisco switch, I managed to configure the access ports for VLAN4 and VLAN6.

I struggle with the configuration of the trunk. I set a port as trunk but when I verify that port, it does not show that it is a trunk.

 

Any suggestions?

 

Regards,

Jules

 

Jules

 

Thanks for the additional information. It should be possible to configure your Cisco switch with a trunk port connecting to the ISP and an access port for vlan 4 and an access port for vlan 6. If that is configured and connected to both of your routers then the routers should see the ISP as a local connection and should be able to obtain IP addresses on their WAN port using DHCP. If it is not working it might be helpful if you would post the configuration. It would also be good if you would post the output of the commands show interface status and show interface trunk from the switch.

HTH

Rick
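
Added example, not posted by either participant in the thread: a Catalyst 2960 configuration for the layout discussed above, with a static trunk to the ISP limited to VLANs 4 and 6 and one access port per router. The interface numbers, VLAN names and descriptions are assumptions; adjust them to the ports actually used.

```cisco
! Added example (not from the original thread).
! Interface numbers, VLAN names and descriptions are assumptions.
!
! Define the two ISP VLANs named in the thread.
vlan 4
 name IPTV
vlan 6
 name INTERNET
!
! Uplink to the ISP: static 802.1Q trunk, no DTP negotiation,
! and only VLANs 4 and 6 allowed across it.
interface GigabitEthernet0/1
 description ISP-FTTH-trunk
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 4,6
!
! Access port in VLAN 4 for the Fritzbox WAN port (IPTV).
interface FastEthernet0/1
 description Fritzbox-WAN-IPTV
 switchport mode access
 switchport access vlan 4
!
! Access port in VLAN 6 for the Unifi router WAN port (internet).
interface FastEthernet0/2
 description Unifi-WAN-Internet
 switchport mode access
 switchport access vlan 6
!
! Verification, run from privileged EXEC:
!   show interfaces trunk
!   show interfaces status
!   show vlan brief
```

The 2960 supports only 802.1Q, so there is no `switchport trunk encapsulation` command to enter before `switchport mode trunk`. A port appears in `show interfaces trunk` only while its link is up and it is actually trunking, so check with the ISP cable connected.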