10-26-2012 12:22 AM - edited 03-07-2019 09:41 AM
q1. Recently I came to know about VLAN bridging. I was told that suppose I have two ports, say 1 and 2, belonging to VLAN x. Now I have two other ports, say 3 and 4, belonging to another VLAN y. Now I have a PC connected to port 1 and another to port 4. Ideally they should not be able to ping, right? But if I connect port 2 and 3 with a cable then everything works fine. Why is that?
q2. Can we configure VLAN bridging as well?
q3. Is it covered in CCNP?
Kindly help.
Thanks in advance.
10-26-2012 12:38 AM
Hi,
Bridging, whether it be transparent bridging or IRB, is not covered in the CCNP curriculum, and these are used on routers.
You can connect a switch in VLAN 2 to a switch in VLAN 3 with an access port and have clients in VLAN 2 and 3 communicate without any routing device, but I would not name this VLAN bridging but rather VLAN leaking, and I would highly recommend against such practice.
Regards.
Alain
Don't forget to rate helpful posts.
10-26-2012 02:14 AM
Hi Alain,
In some special cases such a design might help.
In a case where you need to monitor all communication between two parts of a single subnet, e.g.
BR,
Milan
10-26-2012 02:52 AM
Hi Milan,
Could you explain further and explain the advantages versus port mirroring for monitoring?
Regards.
Alain
Don't forget to rate helpful posts.
10-26-2012 03:58 AM
Hi Alain,
Sorry, I should have used the term "inspect" or "protect" instead of "monitor".
Imagine the following scenario:
You've got a DMZ subnet with two internal routers (for high availability) peering to several provider routers.
And you want to put an expensive IPS (or traffic shaper) between them.
So you need to put the device in-line, not only on a mirrored port.
The device provides a capability to fall into a simple pass-through (wire-like) mode in case of failure.
You don't want to route on that device, because the device would then create a single point of failure (and the routing might also be too complex).
One solution for all these requests is to put your routers in one VLAN and the provider routers in a second VLAN.
Then interconnect the VLANs by connecting the IPS device to an access port in each of those VLANs.
The IPS is then running like an invisible bridge, just forwarding all the traffic through (as long as it does not detect anything to drop).
(If you want 100% reliability, you involve two pairs of VLANs and an IPS device with two pairs of ports connected to different switches, but that's another story of a complex design.)
Is this a good example?
BR,
Milan
10-26-2012 04:07 AM
Hi,
OK, I understand what you mean now, but could we say it is the topology that the original poster talked about? I'm not quite sure. But thanks for the clarification anyway.
Regards.
Alain
Don't forget to rate helpful posts.
10-26-2012 09:20 AM
The connection between the two VLANs should actually be shut down when a BPDU flows from one port to another, unless of course someone disabled BPDUs on the interfaces. I also am not sure what switch you are using, so that plays in as well, as different vendors' switches have different defaults.
I would agree with cadet alain that it's not best practice, but it can be done for different reasons with caution....
10-27-2012 12:37 AM
Hi,
Actually, the BPDUs will not shut down the connection between the VLANs.
They will simply create one common STP tree with a single root bridge.
Generally, I agree this is a rare design for special purposes only.
BR,
Milan
10-27-2012 09:29 AM
Thanks for correcting me on that, Milan. I believe I am thinking of access ports that have PortFast enabled. Is that correct?
10-27-2012 11:15 AM
Hi,
Possibly PortFast ports with BPDU guard enabled?
See another recent discussion here: https://supportforums.cisco.com/thread/2179326?tstart=0
BR,
Milan
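As an added example (not posted by anyone in this thread), here is a Cisco IOS configuration for the four ports from q1 that shows why the behaviour differs between plain access ports and PortFast ports with BPDU guard, as Milan's last reply suggests. Interface names Fa0/1-Fa0/4 and VLAN numbers 10 (for "VLAN x") and 20 (for "VLAN y") are assumptions.

```cisco
! Added example, not from the thread. Assumed: one switch, VLAN 10 = "VLAN x",
! VLAN 20 = "VLAN y", ports Fa0/1 and Fa0/2 in VLAN 10, Fa0/3 and Fa0/4 in VLAN 20.
vlan 10
 name VLAN-X
vlan 20
 name VLAN-Y
!
! With only this much configuration, a patch cable between Fa0/2 and Fa0/3 stays
! up: the switch floods frames between VLAN 10 and VLAN 20 ("VLAN leaking"), and
! the BPDUs crossing the cable merge both VLANs into one STP tree with a single
! root bridge, as Milan described. The PCs on Fa0/1 and Fa0/4 can then ping.
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
interface range FastEthernet0/3 - 4
 switchport mode access
 switchport access vlan 20
!
! Hardened setting for host-facing ports: PortFast plus BPDU guard. When the same
! cable is patched between Fa0/2 and Fa0/3, each port receives the BPDU the other
! sends, BPDU guard fires, and both ports go err-disabled, so the VLANs are not joined.
interface range FastEthernet0/1 - 4
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring the ports back automatically 300 s after the loop is removed.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

To confirm the detection, `show interfaces status err-disabled` lists the two ports with reason `bpduguard`, and `show spanning-tree vlan 10` together with `show spanning-tree vlan 20` should still report a separate root bridge per VLAN.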