ā05-04-2023 04:08 AM
Hi CSC,
Is it possible to have just a layer 2 transit VLAN without allocating addressing etc.. Scenario would be for example having an ISP WAN Link plugged into a port (say VLAN x) and then my FW Outside Port plugged into a port (VLAN X) to allow transit. A common thing done on WAN switching for example. I'm not talking about security implications of landing a WAN directly onto a Core, I just want to know how I'd go about a simple task like this on a FABRIC switch?
ā05-04-2023 04:43 AM - edited ā05-04-2023 04:57 AM
Hello @GRANT3779,
Yes, it is possible to have just a Layer 2 transit VLAN without allocating addressing. In fact, this is a common practice in many network architectures, particularly in service provider networks. The purpose of this transit VLAN is to provide connectivity between different devices and networks without the need for complex routing or IP address assignment.
To set up a transit VLAN on a fabric switch, you can create a VLAN interface for the transit VLAN and assign it to the appropriate port(s). You can also configure any necessary VLAN tagging or trunking settings to ensure that traffic is correctly routed between devices.
In the specific scenario you described where you have an ISP WAN link connected to a port on a fabric switch, and a firewall outside port connected to another port on the same switch, a VLAN interface is not necessary for the Layer 2 transit traffic between the two devices.
You simply need to create the VLAN on the switch, assign the appropriate switch ports to the VLAN, and configure any necessary Layer 2 features, such as VLAN tagging or access control lists. The switch will then forward the Layer 2 traffic between the connected devices on that VLAN.
ā05-04-2023 04:51 AM
Thanks for that information! Is this still being done via DNAC or "old school" via CLI on switch? When you say create VLAN Interface, does this transit vlan still require a L3 interface to be created in the fabric even though I'm using it for L2 transit only?
ā05-04-2023 04:56 AM
You're welcome @GRANT3779,
The process of creating a VLAN and configuring VLAN membership can be done either via DNAC or through the CLI on the switch, depending on your preference and network management approach.
When you say create VLAN Interface, does this transit vlan still require a L3 interface to be created in the fabric even though I'm using it for L2 transit only?
A VLAN interface is a Layer 3 interface associated with a VLAN, and is not required for Layer 2 transit traffic. In this scenario, you do not need to create a VLAN interface, as there is no need to assign an IP address or perform any Layer 3 routing functions on the transit VLAN. Instead, you simply create the VLAN on the switch and configure the necessary switch ports to be members of that VLAN. The switch will then forward the Layer 2 traffic between the connected devices on that VLAN.
ā05-04-2023 01:14 PM
Hi
i dont think it's possible w/o L2VN introduction as SDA Fabric is purely L3 driven in Underlay & u have no means w/o SDA-less precautions to L2-switch traffic between Fabric site components.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide