
One workstation requires access to two VLANS

gdwingnuts
Level 1

We have a situation that requires one laptop to have access to two of our three VLANs. We have a Cisco Catalyst L3 4948. The three VLANs are VLAN10, VLAN20, and VLAN30. The workstation is currently a member of VLAN10 and also needs access to VLAN30. The laptop has only one NIC but is multi-homed with VLAN10 and VLAN30 IP addresses. We tried configuring the laptop port as a trunk but have yet to successfully ping across to the VLAN30 collision domain. Your help is appreciated.

~c

10 Replies

jeffjadryev
Level 1

Hello,

I'm pretty sure trunking is the only way to do this if you are restricted by one NIC on the laptop. If the laptop has USB ports, I would look at either purchasing a USB to ethernet adapter to give the laptop a second physical network connection or troubleshoot trunking to the laptop.

What OS is the laptop running? Also, what encapsulation was the laptop interface using when you set it as a trunk port?

- Jeff

Because of sensitive network issues I can't use the USB to ethernet method. I configured the port on the 4948 with 801.q encapsulation. The laptop has Vista OS... unfortunately. Can you provide a link or sample of the command set for configuring the port as a trunk? We may have missed something.

Thanks,

~c

switchport trunk encapsulation dot1q

switchport trunk native vlan xxx (OPTIONAL)
switchport trunk allowed vlan 10,20,30
switchport mode trunk

We were wondering if we can directly connect a laptop to a VLAN on our 4948 using the trunk commands listed below. We currently have three VLANs on the switch and would like this maintenance laptop to have the ability to access all three VLANs. The thing I'm unclear about is the settings on the Windows laptop. Is there a special protocol I need to configure? I understand the encapsulation is 801.q. Do I need to multihome the laptop with suitable IP addresses? I hope I am not too confusing.

Thanks,

~c

Hi,

It doesn't only rely on the switch itself. It all depends on whether your laptop OS and NIC drivers support 802.1q.

I have an HP laptop under Windows XP with some Broadcom NIC onboard, and they (Broadcom) have a special set of optional software and drivers that allow a single NIC to be configured for trunking and participate in several VLANs at the same time, with dedicated IP addressing for each VLAN.

Hi,

Linux OS does support your requirement; please have a look at the link below.

http://www.techonia.com/create-vlan-on-linux-with-cisco-catalyst-switch

Mohseen Patel

bmuggall
Level 1

Hi,

I don't think I understood your topology correctly. But as per my understanding, one possible solution would be to configure SVIs on all three VLANs; then you can access all the other VLANs from the laptop through layer 3. Again, I am not sure what your topology and requirement are.

Thanks,

Balajee

The SVIs may be a solution for us. We have no security issues since this is a closed network with privileged users only. So let's see if I understand this. I configure a secondary IP address on one interface in each VLAN. I then configure the Windows laptop with multiple IP addresses (i.e. multi-homed) for those virtual interfaces, correct? That will allow the laptop to communicate across our VLANs using Layer 3? Let me know if I have it right.

Our topology is pretty simple. We have three VLANs on a 4948 Cisco Catalyst with a few servers and a couple of laptops.

No, you do not do it that way.

  • Make the SVI in the switch.
  • Enable routing in the switch.
  • Set up the IP plan and make sure that the end stations know what to route towards; if there is no default gateway today, why not set that to the SVI of the VLAN they belong to?
  • Optionally, set up access-lists to control what different IP addresses can reach.
  • Now your switch is also a router and no dual-homing of any computers is needed.

Commands to do this on a 3750 (what I have in front of me for the moment):

interface Vlan10
 ip address 192.168.10.254 255.255.255.0
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
interface Vlan30
 ip address 192.168.30.254 255.255.255.0

Now you have done the SVIs.

To enable static routing use the command

ip route static inter-vrf

On the laptop of VLAN 20, set the default gw to 192.168.20.254.
On the units in VLAN 30 the laptop needs to speak to, set the default gw to 192.168.30.254.
Good luck
HTH

hobbe
Level 7

Well,

this is just my view on the topic and there could be others better.

First of all, I do not believe in VLAN as a security measure as you are using it here.

If you whack that switch/switches hard enough with the right stick, it will start misbehaving, and who knows what you will be able to do from there.

Since you are using it, we would have to go from there. I would start with adding routing between VLAN 10 and VLAN 30.

I would then secure access between the VLANs with inbound and outbound access-lists.

Set up the laptop with a static IP address.

If there are concerns that only one person must be able to use it, then I would look into the possibility of not using an SVI and instead using a physical interface, so that one can disconnect the cable when the user is not there, effectively severing any connection possibilities.

If this is not possible, then you need a laptop that supports 802.1q VLAN trunking, and you will need to trunk the port that goes to that user with both VLANs you want to have access to. That will give you several problems, and it will be harder to change that setup to accommodate more computers if the need should arise.

If you want to secure the communications between the laptop and the other VLAN, you could set up a firewall and VPN connections.

That gives you a lot more security than routing with a switch, but it will also cost you some; the smallest version of the ASA 5505 would be nice here.

Good luck

HTH
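The approach hobbe describes above (route between VLAN 10 and VLAN 30 on the switch, restrict it with access-lists, keep the laptop on an ordinary access port), as an added example that is not from any poster in the thread. It reuses the SVI addresses from the earlier reply; the laptop address 192.168.10.50, the ACL names and the port GigabitEthernet1/1 are assumptions. `ip routing` is the global command that turns on layer-3 forwarding between SVIs.

```cisco
! Added example; 192.168.10.50, ACL names and Gi1/1 are hypothetical.
! Turn on layer-3 forwarding between the SVIs.
ip routing
!
! Applied inbound on the VLAN 10 SVI: only the maintenance laptop
! may leave VLAN 10 for VLAN 30; other VLAN 10 hosts stay isolated.
ip access-list extended VLAN10-IN
 remark maintenance laptop to VLAN30
 permit ip host 192.168.10.50 192.168.30.0 0.0.0.255
 remark all other VLAN10 traffic to VLAN20/VLAN30 is dropped and logged
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 log
 permit ip any any
!
! Applied inbound on the VLAN 30 SVI: these ACLs are stateless, so
! return traffic to the laptop must be permitted explicitly.
ip access-list extended VLAN30-IN
 remark replies to the maintenance laptop
 permit ip 192.168.30.0 0.0.0.255 host 192.168.10.50
 remark VLAN30 hosts may not reach the rest of VLAN10 or VLAN20
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0
 ip access-group VLAN30-IN in
!
! Laptop port stays a plain access port in VLAN 10: no trunk,
! no 802.1q driver support needed on the laptop.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

The laptop then needs a single static address (192.168.10.50 here) with 192.168.10.254 as its default gateway, and the VLAN 30 hosts it talks to use 192.168.30.254 as theirs.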