VLAN and or trunking between 2 3750's through baystack switches

TheFons01
Level 1

Problem: I need 3 vlans on a remote 3750, that is connected via several Nortel Baystack switches (all of them NOT owned by us and thus "alien").

My first 3750 is called Xslcser1. Port 48 is configured as trunk port with dot1Q. (Port 47 is also trunk with dot1Q and connected to our main 6506 trunk port.)

The second switch is called Xhocser1, with port 48 also configured as trunk with dot1Q. If both switches are connected directly to each other, ALL vlans on both switches and to the main 6506 work fine.

The other network admin has created a set of vlan 2 ports on his Baystacks on both sides of his network for me to use (he himself only uses vlan 1). He has created a tagged vlan on all interconnecting ports of his network (same as Cisco trunking??). He can connect to both internal and external switches using his tagged trunks on vlan 1.

When we connect our Cisco trunk ports to both the vlan 2 ports on the Baystacks there is NO connectivity between those trunk ports (Fa1/0/48). The ports both say link up and protocol=up.

But there is no working vlan intercommunication.

I'm thinking of 2 solutions:

1) the other netadmin should create a "tagged vlan" instead of the vlan 2 port?

2) I should create 3 vlan ports on both my 3750's (in the required vlans) and connect them to the external vlan ports (the other netadmin must create a total of 3 vlan ports on his Baystacks)?

Any advice ?

9 Replies

Anand Narayana
Level 6

hi Fon,

In fact you faced the same problem that I was facing 2 years before; your problem was almost similar to mine. Let me explain how to rectify this issue. Before that, let me also ask you a few questions, and along with that let me also give answers.

What vlans are created on your switches?

Let's say that you have created vlan 2, 3 & 4.

Now assume that a PC which is on vlan 4 is connected on the Baystack switch on port 1. Also we will assume that the trunk port is port 24, which is connected to your Cisco switch. Now the PC on the Baystack needs to get access to vlan 2 & 3. In this case what you need to do is, on the Baystack switch, just create a vlan 4 & enable port 1 & port 24 as members of vlan 4. It works 100% with no doubts. With this your problems will get rectified. Since Nortel Baystack switches don't have the VTP domain concept, we need to create each vlan manually on the Baystack.

On the Nortel switch:

Go to the "vlan configuration" menu; in that make port 1 & 24 members of vlan 4. Then go to the "vlan port configuration" menu; in that go to "port 1" and ensure it is on vlan 4, & also go to "port 24" and ensure it is on native vlan 1 & "tagging" is set to "tag all".

It works perfectly with no doubts. If not, please let me know.

Hope this helps.

Rate this post if it cleared your problem.

Thx for the reply,

The situation is a bit more complex:

It looks like this:

Main switch (several trunk ports, one to Myswitch, all Vlans allowed)
|
Trunk
|
Myswitch1 (Cisco 3750, port fa1/0/48=trunk)
|
Trunk
|
Vlan2
|
Baystack (IS OWNED by 3rd party)
|
Tagged Vlan2
|
Baystack (IS OWNED by 3rd party)
|
Tagged Vlan2
|
Baystack (IS OWNED by 3rd party)
|
Vlan2
|
Trunk
|
Myswitch2 (Cisco 3750, port fa1/0/48=trunk)

Vlans configured on Myswitches: 1, 12, 101, 102, 103

So the Baystacks are managed by a 3rd party.

The trunk between the main switch and Myswitch1 works.

If Myswitch2 is directly coupled to Myswitch1 with both fa1/0/48 ports, trunking works fine.

Now we have to connect Myswitch2 over the 3rd party network.

What do they need to set up/change to get me over their network with my trunk?

(Or what do I need to change?)

Does this help?

Hi Fon,

Either you need to create vlan 2 on your switch, because you have tagged vlan 2, or ask them to create the vlans which you have created on your switch & tag all the vlans. It will work.

Thx, I'll get in contact with the 3rd party and request them to create the vlans I need on the remote site.

But how can I prevent them from accessing my network if the Baystacks don't use VTP domains (MAC filtering??)? If they make a port a member of one of my vlans they automatically have access to all resources on my vlan! (OK, I know it's a trade-off for using their network.. but still..)

Thx, I'll let you know how things progress.

grtz Fons

What you can do is just put an ACL on your Cisco switch. Since your network is allowed to be accessed by a 3rd party, the best way is to create a separate vlan for your 3rd party, then put an ACL on your Cisco switch allowing that particular vlan only to a certain host on your network (which is required for him to access); deny the rest.

Update: The tagged vlans will be made by the 3rd party somewhere today, as per your suggestion. I'll test it this afternoon and let you know!

The ACLs were already in place, the 3rd party vlan also, but I can't prevent the 3rd party from creating additional vlan untagged ports on MY vlans on HIS Baystacks, enabling him to look into and access the other VLANs.

Ergo, I was looking for something like metro vlans that could be created on the Baystacks, but I have not found anything on the Nortel websites.

Any idea if it is at all possible to use VPN over HIS vlan, or something else that would prevent the 3rd party from accessing our vlans, and at the same time have VTP working between my remote sites?

Any other suggestions? VTP tunneling? (Without the need to add another Cisco router, using our 3750's only??)

Thx

Fons

Hi Fon,

You can simply allow only the 3rd party vlan in the trunking on your Cisco 3750, so that whatever vlans he puts & tries to access your network with will not be allowed.

e.g. "switchport trunk allowed vlan 3"

which means only vlan 3 will be allowed via this uplink which is connected to the Nortel switch, so that if your 3rd party user is making a port vlan 2 in his Nortel switch, he cannot access your network since it will never allow vlan 2 traffic; only vlan 3 traffic is allowed.

Hope this helps.
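An added check, not from this thread or either poster, that audits a Cisco IOS running-config for the pruning Anand describes: it lists every trunk-mode interface with the VLANs it allows and flags trunks that carry all VLANs. The interface names and VLAN numbers in the sample config are constructed.

```python
"""Audit trunk ports in a Cisco IOS running-config for VLAN pruning.
Added example, not from the thread: a trunk with no `switchport trunk allowed
vlan` line carries every VLAN, the exposure discussed above."""
import re

# Constructed sample config; interface names and VLAN numbers are hypothetical.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/48
 description to third-party Baystack
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,102-103
 switchport mode trunk
!
interface FastEthernet1/0/1
 switchport access vlan 102
 switchport mode access
!
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '3,102-103' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def trunk_ports(config):
    """Map each trunk-mode interface to the set of VLANs it allows. Only the
    plain 'allowed vlan <list>' form is parsed (not add/remove/except)."""
    result = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        m = re.match(r"\s*interface (\S+)", block)
        if not m or "switchport mode trunk" not in block:
            continue
        allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", block)
        result[m.group(1)] = (parse_vlan_list(allowed.group(1)) if allowed
                              else set(range(1, 4095)))  # IOS default: all VLANs
    return result

def unpruned_trunks(config):
    """Trunks allowing all 4094 VLANs, i.e. candidates for an allowed list."""
    return sorted(i for i, v in trunk_ports(config).items() if len(v) == 4094)
```

Run it against the text of `show running-config`; any interface returned by `unpruned_trunks` is a trunk whose far end can present any VLAN tag it likes.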

No, no. Remember that the 3rd party has to make the same vlans that I want to use on my remote switch, in order to have my vlan trunk work? Say that those vlans are 102 and 103.

The 3rd party now makes vlans 102 and 103, makes both the ports on which I connect tagged vlans, so that I can connect my remote vlan 102 ports to my own network. Now, because the 3rd party has those 2 vlans tagged, his network knows those vlans also.

All he has to do in his network is create a port with access to vlan 102 and he can work on my vlan!

He is allowed to access my vlan 103; the ACL there only allows traffic to a specific FTP server on my network and denies the rest.

But I cannot stop him from using my vlan 102!

So, again, is there a way to create a "tunnel" through the 3rd party's network for my vlans? Then I could ask for 1 port where he can access my vlan 103 (closed down with an ACL) and two ports for my tunnel to go to my remote site, where the 3rd party is not allowed to look into the tunnel and only allows the traffic to travel through his network.

I read about metro vlans, I read about dot1q vlan tunnels, but those are to create a tunnel through MY network; I want to make a tunnel through the 3rd party network.

thx Fons

Howdy Folks,

Several weeks later, we had serious problems with the above actions.

Now we have resolved this situation:

Our own network ends on a Cisco 3740. Connected to port fa1/0/48 (Vlan33) we have the Baystack switch from the 3rd party.

This Vlan33 has an interface with an IP address from the 3rd party network. All necessary hosts on that LAN have their default gateway pointing to THAT IP address. Our MER Cisco 6506 does the routing AND access-list filtering. The 6506 is connected via trunk with the 3750 unit. This setup works OK. On that 3650 we have all vlans we need, and vlan33 can access our network in a secure way.

Now for the other side of our "tunnel":

There we placed another 3750, and this unit has its own VTP domain and also its own vlans.

The 3rd party LAN is also connected to fa1/0/48 with (LOCAL) VLAN33, and our own server and PCs on that location have their own vlan (again LOCAL) 102.

Routing and access lists on this Cisco take care of connectivity and security; the default GW is the IP address of the unit on the other side (the vlan interface) and vice versa (the 6506 knows how to route to the remote vlan via Vlan33).

Thx for the help.

Grtz Fons
