How to Convert VLAN ID

anitaleung2019
Level 1

Dear expert,

I am facing an issue which you may have come across before. Grateful if you would teach me how to do it.

Background info:

For some reason, there are some Ethernet switches configured as VLAN 1 (IP is 172.16.10.0/24) in the production environment. The remote site LAN segment is using VLAN 250 (IP is 172.16.10.0/24).

Now the remote site LAN segment will be connected to the production env., and both VLAN IDs (VLAN 1 and VLAN 250) cannot be changed due to historical reasons.

Is it possible to convert the VLAN ID when it goes to / comes from another VLAN ID?

For example, user A (VLAN 1) communicates with user B (VLAN 250); can it convert VLAN 1 to VLAN 250 before entering VLAN 250? If yes, how to do it.

 

Attached please find the simple diagram for your reference. Thanks

 

Thanks


11 Replies

Seb Rupik
VIP Alumni

Hi there,

It is not an ideal solution, but simply configuring both ports as mode access will ensure the frame transits the link untagged. It will then be tagged with the other VLAN ID on ingress.

!! SW01
!
int gi1/0/24
  switchport mode access
  switchport access vlan 1
  spanning-tree bpdufilter enable
!
!! SW02
!
int gi1/0/48
  switchport mode access
  switchport access vlan 250
  spanning-tree bpdufilter enable
!

You need to enable BPDU filter at both ends to stop the BPDUs from being transmitted and then being received by the other switch, which would place the switchport in err-disabled.

 

cheers,

Seb.

Dear Seb,

Thanks for your solution.

Can we set up HA for this access port, e.g. EtherChannel?

If the first access port is down, another access port can still function. Not sure if there is any issue if all members are access ports in an EtherChannel?

 

Best regards

 

 

Hello Anita,

you should be fine by having all access ports bundled in a port channel.

I would use LACP on all member links to have a way to verify each link: use channel-group X mode active.

 

Note:

The use of spanning-tree BPDU filter is not strictly required with access ports; the only risk is to have the Vlan 1 root bridge also become the root bridge for Vlan 250. If using the modern approach, the STP priority is a multiple of 4096 + the Vlan-id number, so likely the vlan 1 root bridge is better than the vlan 250 root bridge.

(even if it is the same device)

I would use spanning-tree bpdu filter simply to avoid joining the two STP instances.

On access ports Cisco switches use IEEE standard BPDUs with PVST or Rapid PVST, and they do not check the 802.1Q vlan-id against the internal vlan-id number as they do on trunk ports, where they use the Cisco proprietary encapsulation of PVST BPDUs. In this last case a mismatch between the two fields, the 802.1q tag and the internal vlan-id, would lead to blocking the port, at least for the affected Vlan(s).

 

 

 

Hope to help

Giuseppe
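
A worked illustration of Giuseppe's note on extended system-id priorities, as an added example rather than code from the thread: it builds the bridge ID that a PVST/Rapid PVST switch compares once the two instances are joined over the access-port link, using constructed MAC addresses and priorities, and shows both the likely case (VLAN 1 root wins) and the case where it does not.

```python
# Added example (not from the thread). With extended system-id, the 16-bit
# priority field carried in a BPDU is configured_priority (multiple of 4096)
# plus the VLAN id; the lowest (priority field, MAC) pair becomes root.
# Once VLAN 1 and VLAN 250 are joined through untagged access ports, each
# side's root BPDU is received as a candidate in the other side's instance,
# so these two values are compared directly.

def bridge_id(configured_priority: int, vlan_id: int, mac: str) -> tuple:
    """Return the comparable bridge ID (priority field, MAC as int)."""
    if configured_priority % 4096 or not 0 <= configured_priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    priority_field = configured_priority + vlan_id      # extended system-id
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (priority_field, mac_int)

def elect_root(candidates: dict) -> str:
    """candidates: name -> (configured_priority, vlan_id, mac); lowest ID wins."""
    return min(candidates, key=lambda name: bridge_id(*candidates[name]))

# Constructed sample: both roots at the default priority 32768. In the merged
# domain the VLAN 1 root carries 32769 and the VLAN 250 root 33018.
SAME_PRIORITY = {
    "vlan1_root":   (32768, 1,   "0000.0c11.1111"),
    "vlan250_root": (32768, 250, "0000.0c22.2222"),
}
# Constructed counter-case: the VLAN 250 root was given priority 0, so its
# field is 250, which beats 4096 + 1 from the VLAN 1 side.
LOWER_ON_250 = {
    "vlan1_root":   (4096, 1,   "0000.0c11.1111"),
    "vlan250_root": (0,    250, "0000.0c22.2222"),
}

if __name__ == "__main__":
    print("same priority ->", elect_root(SAME_PRIORITY))
    print("priority 0 on VLAN 250 root ->", elect_root(LOWER_ON_250))
```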

 

Dear Giuseppe,

 

Below please find the config file which may be implemented very soon. Grateful if you would point out which commands are incorrect (or missing, or need more parameters).

 

! SW 01
!
int gi1/0/24
descr to SW 02, port 48
switchport mode access
switchport access vlan 1
spann bpdufilter enable
spanning-tree portfast     <------ new added
channel-group 172 mode active  <-- new added
!
int gi1/0/25
descr to SW 02 port 49
switchport mode access
switchport access vlan 1
spann bpdufilter enable
spanning-tree portfast
channel-group 172 mode active
!
interface port-channel 172     <--- new added
description to SW 02 port-channel 172
switchport
switchport mode access
!

! SW02
!
int gi1/0/48
descr to SW 01, port 24
switchport mode access
switchport access vlan 250
spann bpdufilter enable
spanning-tree portfast
channel-group 172 mode active
!
int gi1/0/49
descr to SW 01 port 25
switchport mode access
switchport access vlan 250
spann bpdufilter enable
spanning-tree portfast
channel-group 172 mode active
!
interface port-channel 172
description to SW 01 port-channel 172
switchport
switchport mode access
!

 

Thanks

Hello Anita,

first of all, SW02 port-channel 172 requires the command

switchport access vlan 250

as on the member ports.

 

Note: the configuration of port-channels is created automatically when enabling the LACP bundle. You don't need to configure them manually.

After the bundle is up any change should be done at the port-channel interface level.

On all member links I would remove the command

spanning-tree portfast

 

The other command spanning-tree bpdufilter enable is enough to keep the two Vlans isolated at STP level.

 

Hope to help

Giuseppe
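
As an added example (not part of the thread), a small Python lint over the SW02 bundle config posted above that checks the two points Giuseppe raises: the port-channel must carry the members' access VLAN, and spanning-tree portfast does not belong on bundle members. The abbreviation table and the trimmed copy of the posted config are assumptions made here.

```python
import re
# Added example, not from the thread: lint the posted SW02 bundle config for
# a port-channel missing its members' access VLAN and for portfast on members.
# IOS abbreviations used in the post (int/descr/spann) are expanded (assumed).
ABBREV = {"int": "interface", "descr": "description", "spann": "spanning-tree"}

def parse_interfaces(config: str) -> dict:
    """Return {normalised interface name: set of its sub-commands}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        words[0] = ABBREV.get(words[0], words[0])
        if words[0] == "interface":     # "port-channel 172" -> "port-channel172"
            current = "".join(words[1:]).lower()
            ifaces[current] = set()
        elif current is not None:
            ifaces[current].add(" ".join(words))
    return ifaces

def lint_bundle(config: str) -> list:
    """Findings for channel-group members and their port-channel, sorted."""
    ifaces, findings = parse_interfaces(config), []
    for name, cmds in ifaces.items():
        groups = [re.match(r"channel-group (\d+)", c) for c in cmds]
        groups = [m.group(1) for m in groups if m]
        if not groups:
            continue
        pc = "port-channel" + groups[0]
        vlan = {c for c in cmds if c.startswith("switchport access vlan")}
        if pc in ifaces and not vlan <= ifaces[pc]:
            findings.append(f"{pc}: missing {', '.join(sorted(vlan))} (set on member {name})")
        if "spanning-tree portfast" in cmds:
            findings.append(f"{name}: remove spanning-tree portfast on a bundle member")
    return sorted(findings)

# One member port plus the port-channel, trimmed from the SW02 config above.
SW02 = """int gi1/0/48
switchport mode access
switchport access vlan 250
spann bpdufilter enable
spanning-tree portfast
channel-group 172 mode active
!
interface port-channel 172
switchport
switchport mode access
!
"""
```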

 

Dear Giuseppe,

 

Thanks for your prompt response; the command "switchport access vlan 250" will be added in SW 02. It is good to use the "access port" to link up two networks.

 

With reference to the other option:
====
On Cisco switches, you can also do it using trunk ports but setting the native VLAN differently on each port.
====

 

Below please find the config using "trunk port". Grateful if you would enlighten me whether the commands are correct or not. Your help is much appreciated.

 

=== switch A ===
interface vlan1
description native VLAN in switch A (192.168.250.0)
no ip address
!
interface GigabitEthernet0/1
description *** Connection to switch B GE 0/20 ***
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 100,150,200

 

 

===== Switch B =====
inter vlan 1
shut
!
interface vlan 250
description native vlan of switch B (192.168.250.0)
no ip address
!

interface GigabitEthernet0/20
description *** connecto to switch A GE0/1 ***
switchport mode trunk
switchport trunk native vlan 250
switchport trunk allowed vlan 100,150,200
!

Best regards

 

Hello Anita,

I would not use the trunk configuration with native Vlan mismatch, as it may lead to problems with STP consistency checks.

 

Go with the access ports solution to join safely Vlan 1 and Vlan 250.

If you need to propagate other Vlans between the two networks, use a separate link that allows the Vlans of interest over a trunk link (it can be a different port-channel if needed).

 

Hope to help

Giuseppe

 

"I would not use the trunk configuration with native Vlan mismatch, as it may lead to problems with STP consistency checks."

Giuseppe can you provide a specific issue? Assuming there are none, STP might even function correctly within the combined/merged VLANs.

Hello Joseph,

I have had a big issue in a hospital network, where it was enough to connect two ports in different Vlans to create a really big impact.

The root cause of the problem was the configuration of:

spanning-tree loop guard default

 

This command was present also on distribution switches that had root guard configured on links towards access layer switches.

When we join two Vlans' STPs with access ports with PVST or Rapid PVST, using the modern way to configure STP priority (extended system-id for MAC address reduction), the STP root bridge of Vlan X is better than the STP root bridge of Vlan Y if Vlan Y id > Vlan X id.

The access layer switch would try to send the new Root Bridge ID for vlan Y on the upstream link; on the other side the distribution switch would put the port in root inconsistent state because the root guard protection was triggered.

At this point the distribution switch stopped sending BPDUs for Vlan Y, and on the other side the access layer switch would trigger loop guard waiting for a BPDU from distribution.

It was a deadlock.

 

So it is not true that joining two STP domains is always without impact.

 

We solved it with a change campaign, removing

spanning-tree loop guard default

on all switches and enabling loop guard per interface on uplinks of access layer switches.

 

Hope to help

Giuseppe

 

Joseph W. Doherty
Hall of Fame
As Seb describes, you can interconnect different VLANs using access mode ports. On Cisco switches, you can also do it using trunk ports but setting the native VLAN differently on each port.

Also, BTW, on Cisco switches if CDP is active on the ports it will "complain" about a VLAN mismatch.

Dear Expert,

Thanks Joseph, Giuseppe and Seb for helping to describe the approach and potential issues.

Best regards
Anita
