VLAN implementation

tim.gross
Level 1

I need fresh input on a networking issue I cannot seem to get straight in my head.

I am trying to implement multiple VLANs on our network and I understand VLANs, and inter-VLAN routing, but cannot wrap my head around what happens to that segmentation when it is routed to the site where the datacenter is.

I have configured the following VLANs at the main site where the datacenter is and at the branch site.

VLAN10 for VOIP, VLAN100 for staff, VLAN200 for the wireless network, each with their own subnet.  I know that VLAN10 at the branch is not the same as VLAN 10 at the main site, but how do I maintain the segmentation/security that I need for VOIP, or wireless?

The branch has a Dell 3548 L2 switch connected to a Cisco 2821 router, connecting back to Cisco 3845 router and Cisco 4506 at the datacenter over a Metro Ethernet circuit.  If I segment my network with VLANs and route the traffic from the remote branch back to main site, is there any way to get the data from say VLAN10 at the branch to end up in VLAN10 at the main site?  I don’t want to lose the segmentation/security.  Would routing the data to an SVI on the router back at the main site in the corresponding VLAN work?


5 Replies

Jon Marshall
Hall of Fame

Not sure what you mean by maintaining the segmentation security.

You can use acls on the SVIs to control traffic flows or you could look at VRFs which would separate your IP subnets but it's difficult to say because it's not clear what you are trying to do.

Jon

Richard Burts
Hall of Fame

I think that you have told us that you have a vlan 10 at the branch and a vlan 10 at the data center. You have not told us what you are using for IP addressing for these vlans. It should be an IP subnet at the branch and a different IP subnet at the datacenter. And you have not told us how you have configured the connection between sites over the Metro Ethernet. Is it a separate routed subnet (I hope) or are you extending the vlans over the Metro Ethernet? How the data flows back and forth is a function of how you set up routing to make sure that traffic is forwarded to the correct destination.

If you want to make sure that traffic originating at the branch vlan 10 gets forwarded only to vlan 10 at the datacenter you have a couple of choices. You might configure VRFs. They would allow you the most stringent control to make sure that vlan 10 only went to vlan 10. But they do add complexity to the configuration. Another option would be to configure access lists. For example you could configure an access list that permits the IP subnet of vlan 10 at the branch to vlan 10 at the datacenter and denies traffic to any vlan 100 or any vlan 200. A third option would be to configure Policy Based Routing in which you configure Policy to forward traffic from a particular source subnet to a particular destination subnet.

HTH

Rick

Thanks Rick,

Yes, I have separate subnets for each VLAN at each site, and a separate subnet for routing between branches.

MainSubnet - 172.16.131.0/23

MainRouter - 172.16.10.1

BranchRouter - 172.16.10.22

BranchSubnet - 172.16.140.0/24

What I am questioning in particular is the following: a PC in VLAN100 at the branch, 172.16.140.5, needs to send a packet to a staff computer in Main VLAN100, 172.16.131.20. I don't want a computer in VLAN200 at Main to see or be able to intercept that data. If the VLAN tag is dropped, I assume the packet will enter the Main site on the default VLAN and get routed to PC 172.16.131.20 via routes?

BUT, since the PCs at Main are also in VLANs, they will not be able to see the traffic coming in from the router on the default VLAN, correct?

This has nothing to do with vlan tags because they are not relevant when you are routing traffic.

So if a PC in vlan 100 at the branch sends traffic it goes to the 2821 router subinterface.

Any vlan tag is then removed and the traffic is routed to the 3845 router at the main office.

It then forwards the packet to the 4500 and on to the destination IP.

Note it's not clear at the main office whether you are using subinterfaces on the router or the 4500 is routing for the vlans but it doesn't matter.

The traffic will be within vlan 100 at the main site so any devices in other vlans will not see it.

What isn't stopped though is traffic between vlans, so a client in vlan 200 at the branch site could send traffic to a vlan 100 client at the main site.

If you wanted to stop that then again acls or VRFs are the way to go.

Jon
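The two points made in this thread, that routing between sites forwards on the destination IP alone (so the VLAN tag never matters) and that an access list on the branch router is what actually stops a branch VLAN 200 host from reaching main VLAN 100, can be checked with a small model. The following is an added example, not code or configuration from any of the posters: it uses the two VLAN 100 subnets given in the thread (172.16.140.0/24 at the branch, the 172.16.131.0/23 block at main) and, because the thread never lists addressing for VLAN 10 and VLAN 200, uses clearly labelled placeholder subnets for those. The `render_ios` output shows what the same policy looks like as an IOS extended access list, with the ACL name `BRANCH-WAN-OUT` also being a placeholder.

```python
"""Model of routed inter-site forwarding and the branch-router ACL described in the thread.

Constructed example. Subnets marked FROM THREAD come from the poster's addressing;
subnets marked PLACEHOLDER are assumptions, since the thread omits them.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

BRANCH_VLAN100 = IPv4Network("172.16.140.0/24")                 # FROM THREAD
# FROM THREAD: posted as 172.16.131.0/23; a /23 containing 172.16.131.x starts at 172.16.130.0,
# so strict=False lets ipaddress normalise it (172.16.131.20 is inside this block).
MAIN_VLAN100 = IPv4Network("172.16.131.0/23", strict=False)

BRANCH_VLAN10 = IPv4Network("172.16.141.0/24")                  # PLACEHOLDER
BRANCH_VLAN200 = IPv4Network("172.16.142.0/24")                 # PLACEHOLDER
MAIN_VLAN10 = IPv4Network("172.16.132.0/24")                    # PLACEHOLDER
MAIN_VLAN200 = IPv4Network("172.16.133.0/24")                   # PLACEHOLDER

# Datacenter routing table: destination subnet -> VLAN the main-site router forwards into.
MAIN_ROUTES: Dict[IPv4Network, int] = {MAIN_VLAN10: 10, MAIN_VLAN100: 100, MAIN_VLAN200: 200}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source subnet, destination subnet."""
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst

    def to_ios(self) -> str:
        """Render as an IOS extended-ACL line; the wildcard mask is the inverted subnet mask."""
        return (f"{self.action} ip {self.src.network_address} {self.src.hostmask} "
                f"{self.dst.network_address} {self.dst.hostmask}")


def evaluate(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> str:
    """IOS semantics: first matching entry wins; no match falls to the implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


def egress_vlan(dst: IPv4Address) -> Optional[int]:
    """Longest-prefix match on the destination only: the source VLAN plays no part."""
    best = None
    for net, vlan in MAIN_ROUTES.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vlan)
    return best[1] if best else None


def forward(src: str, dst: str, acl: Optional[List[Ace]] = None) -> str:
    """Branch host -> main host: optional ACL on the branch WAN egress, then routed delivery."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if acl is not None and evaluate(acl, s, d) == "deny":
        return "dropped by ACL at branch router"
    vlan = egress_vlan(d)
    return f"routed into main VLAN {vlan}" if vlan is not None else "no route"


# Rick's policy: each branch VLAN may reach only its counterpart VLAN at the datacenter.
# Anything else (e.g. branch VLAN 200 -> main VLAN 100) hits the implicit deny.
BRANCH_WAN_OUT: List[Ace] = [
    Ace("permit", BRANCH_VLAN10, MAIN_VLAN10),
    Ace("permit", BRANCH_VLAN100, MAIN_VLAN100),
    Ace("permit", BRANCH_VLAN200, MAIN_VLAN200),
]


def render_ios(name: str, acl: List[Ace]) -> str:
    """Named extended ACL as it would appear in an IOS configuration (name is a placeholder)."""
    return "\n".join([f"ip access-list extended {name}"] + [" " + a.to_ios() for a in acl])


if __name__ == "__main__":
    # Without an ACL the branch VLAN 200 host is routed straight into main VLAN 100.
    print(forward("172.16.142.7", "172.16.131.20"))
    # With the ACL applied on the branch WAN egress it is dropped; VLAN 100 -> VLAN 100 still works.
    print(forward("172.16.142.7", "172.16.131.20", BRANCH_WAN_OUT))
    print(forward("172.16.140.5", "172.16.131.20", BRANCH_WAN_OUT))
    print(render_ios("BRANCH-WAN-OUT", BRANCH_WAN_OUT))
```

The model makes the forwarding decision purely from the destination address, which is why a host in a different branch VLAN lands in main VLAN 100 unless the ACL intervenes; the VRF alternative Rick mentions would instead give each VLAN its own routing table so the cross-VLAN route never exists.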

 

I am glad that you do have separate subnets for each vlan at each site and are routing traffic over the Metro Ethernet. Based on this I agree with Jon that vlan tags do not really come into play. There might be vlan tags as traffic is forwarded from switch to router but at the router the vlan tag is removed and there are no vlan tags as you route between sites.

And since you are routing between sites the router at the branch will see traffic from source 172.16.140.5 to destination 172.16.131.20. It forwards the packet over the Metro Ethernet. The datacenter router sees a packet with destination 172.16.131.20 and forwards it using vlan 100. There is no opportunity for any device in vlan 200 to observe or to intercept that packet.

HTH

Rick