Showing results for 
Search instead for 
Did you mean: 

vlan and internet


i have following setup -

edge switches

core switch


ISP line is connected to firewall and from firewall, it goes to core switch.

Edge swiches are connected directly to core switch. finally users are connected to edge swicth.

There are vlans defined in core and edge switches.

when user connects to internet, first it is authenticated from firewall and then allows internet connection.

vlan 201 is defined in edge switch and core switch also. suppose this user wants to connect to internet,

first it will be authenticated and then he will able to browse.

my question is how ISP identifies that to which vlan this traffic belongs to or how user will get identified?

Glenn Matthys

If I understand your setup correctly, all traffic, whatever VLAN tag, received by the firewall destined for the internet will be routed to the internet interface. Once routing has taken place and the internet interface on the firewall does not have any vlans defined, the traffic from there on will be untagged (the vlan tag is lost), so the ISP will not see any tagged traffic.

If you post your "show running-config" from the firewall we'd be able to tell you exactly.

Jon Marshall
VIP Community Legend

The ISP has no need to know which vlan this traffic came from. The vlan is only relevant within your LAN. It should also be noted that if vlan 201 is using private addressing this would be natted to a public IP on the firewall as it goes to the internet.

The ISP only needs to know how to route traffic back to this public IP for the return traffic, it doesn't care about vlans. When the return traffic from the internet reaches your firewall it is then natted back to a vlan 201 address and sent onto the core switch. The core switch will then know which vlan this address is in.

The above assumes your core switch is doing all the inter-vlan routing in your LAN.

As for user identification/authentication, again the ISP doesn't need to know that. To them it is just an IP packet.


The VLAN uses a vlan tag, by vlan tag router identifies the traffic coming from which subnet it stores the relevant "Source IP and Destination IP" and forwards the traffic(packet) towards the destination so when your ip packet reaches to your first hop or gateway then this is the end point of your vlan concept. Vlan is nothing more than a lan.

When traffic comes from a ISP via firewall then router checks the source ip in received packet and it forwards back to the appropriate source.

There is no role of firewall in routing.