02-23-2008 11:58 AM - edited 03-05-2019 09:19 PM
I haven't mucked with VLAN partitioning in a while so I am drawing a blank. I hope you guys can help out.
I have a carrier who is bringing in an Ethernet connection to me and separating different customers by VLAN. Each customer has their own distinct VLAN ID.
This connection is terminating into a 2970. I have set up the ingress port for trunking. However, the egress port for these connections connects to a Juniper ISG2000 which does not support VLAN trunking. As such I need to set up the egress port as an access port that is able to accept multiple VLANs.
Is this possible? Or do I need to swap out the switch with an L3 switch?
02-23-2008 12:09 PM
Brian
On the 2970 if it is an access port it will process only a single VLAN (or 2 if you configure a voice VLAN - but that does not help you). It sounds to me like you need a layer 3 switch.
HTH
Rick
02-23-2008 12:20 PM
So how do you configure Layer 2 partitions using VLANs? If you have a bunch of customers that you want to connect to one server but not to others, how would you do it?
Is this simply not possible?
02-23-2008 12:38 PM
Brian
I am not sure that I completely understand your situation. But I do not see any way to enforce the restrictions that you describe just with VLANs. With layer 3 and intervlan routing - and with access lists it is quite possible. But I do not see how to do it with only layer 2 VLANs.
HTH
Rick
02-23-2008 12:41 PM
As I said I haven't done this sort of thing in years. Way back in the day, before L3 switching was so prevalent, VLAN tagging was a way to separate traffic. You could have multiple groups connect to one server but then each group could have their own.
Sadly I don't remember how I did it, since it was a LONG time ago. And maybe this simply isn't an option any more.
02-23-2008 01:34 PM
Brian
Maybe I did not correctly understand what you were asking and where you were going with it. What you describe in this post sounds like extending the trunk (containing multiple VLANs) to a server which has a NIC that does VLAN trunking. So the server connects to the trunk and can logically identify and process each individual VLAN. That remains possible.
But I thought that your question (at least the original one) was about passing a connection to a Juniper that did not process VLANs. If your requirement is to accept multiple VLANs on one side and is to pass only a single VLAN out the other side, I would think that the solution would be a layer 3 switch which would terminate the multiple input VLANs and intervlan route/forward to the Juniper single VLAN. If I have not understood something please clarify.
HTH
Rick
02-23-2008 01:37 PM
No, you're correct, Rick. I don't recall the servers in the past understanding the trunking information. But I could easily be wrong.
02-23-2008 05:44 PM
I don't know, you should be able to do this. After looking at the ISG2000 specs it appears to be a firewall IDS box which says it supports up to 4000 VLANs. I would think if it's like other firewalls you would just trunk from the 2960 down to the ISG2000, where you would create the VLANs via subinterfaces on the connecting link on the 2000. It's something to check into; in the docs that I looked at the 2000 does support VLANs, so it may just be a matter of setting up a trunk to the 2000 from the 2960. I don't know, maybe it's not possible, as I don't really know about the Juniper box, but the specs kind of lean that way and frankly I can't imagine any modern box that can't do this. There seem to be 2 conversations here, one about connecting to a Juniper box and then another concerning links to servers, so I'm not sure what the question is at this point.
02-23-2008 05:55 PM
Hi Glen,
Yes, it is possible to create the subinterfaces on the Juniper, but I really don't want to do that.
Ideally I was hoping to use one Class C address to connect each customer. That doesn't look like it is doable though.