VLAN conceptual doubt

Hi:

I'm trying to set up three VLANs with no routing between them using two Cisco SG-300, and sharing internet access using a Cisco 1921. My design is to define three VLANs (10, 20 and 101) with ports assigned in access mode for each one in the two switches.

I'm not using layer 3 in the switches.

I have defined the same two VLANs (10, 20 and 101) as subinterfaces of the router's 0/0 interface (0/0.1 for VLAN 10, 0/0.2 for VLAN 20 and 0/0.3 for VLAN 101), and I have assigned to each of these subinterfaces the IP address of the default gateway used in the hosts of each VLAN.

Finally I connect physical router interface 0/0 to a port in trunk mode for VLANs 10, 20 and 101 in one of the switches, and I have also defined as trunk ports for the same VLANs and the default VLAN the uplink ports between the two switches.

This design is not working, but I'm not sure if the problem is a configuration one or a design one. All the information I'm reading talks about using switches in layer-3 mode to achieve this goal, so maybe I'm wrong from the beginning, but from my modest networking knowledge I think that layer-3 mode in switches is not necessary. Can somebody help me please? Thanks.

9 Replies

amabdelh
Level 1

What exactly is not working? The internet access or the isolation between the VLANs?
I expect you mean the hosts in these VLANs are still able to reach each other, and that is because the router does the routing. You have a number of options: either use an access-list and block the traffic between these VLANs, or use private VLANs.

Sent from Cisco Technical Support iPhone App

Hosts associated to each VLAN can communicate between them, and there is no communication at all between hosts in different VLANs. This is what I want to happen.

The problem is that the trunk port that should give internet access to the two VLANs using two subinterfaces defined on the router (router-on-a-stick) is not working. Hosts in each VLAN cannot communicate with the router subinterface assigned to their same VLAN.

Let's see a sample of the problem:

- Host1 (10.10.10.1 / 24) connected directly to port1 in switch1, defined as access port for VLAN 10.

- Host1 has the default gateway defined as 10.10.10.254

- Subinterface 0/0.1 defined on the router as encapsulated with dot1q 10 (I suppose this means that it belongs to VLAN 10 too), and with IP address 10.10.10.254 /24.

- Interface 0/0 of the router (the physical router interface over which the logical subinterface 0/0.1 has been defined) connected directly to port 24 in the switch, which is defined as a trunk port for several VLANs, including VLAN 10.

- There is no communication between Host1 and subinterface 0/0.1

Hi,

and there is no communication at all between hosts in differents VLANs. This is what I want to happen.

This shouldn't be the case without ACLs if the inter-VLAN routing was working.

Can you provide the running config from the router and the VLAN assignment on the SG-300?

Regards

Alain

Don't forget to rate helpful posts.

I think that I'm not understanding you well. In my design I don't want inter-VLAN routing. I want the two VLANs completely isolated from each other, and this is working well without the need of ACLs, just because there is no inter-VLAN routing.

The problem is in the trunk port: in theory hosts in each VLAN would be able to access the router sub-interface defined in their same VLAN without routing, because these sub-interfaces are connected to the trunk port, and the trunk port can be accessed by the two VLANs.

Routing is done in the router to share the WAN interface between the two sub-interfaces. In my design there is no layer-3 switch mode or inter-VLAN routing needed at all. This is what I need to confirm.

Miguel

It seems the issue is with the trunk between your switch and the router. Can you send the configuration on both devices, in addition to "show vlan" from the switch?

If you are using standard VLANs with no ACL, then the router will do the routing between the two VLANs because the two VLANs are directly connected to the router, so if it receives a packet from VLAN A destined to VLAN B, it will forward the packet. To stop this, you need either to add an ACL on the routed interface on the router or configure something called private VLAN on your switch.

Hi Amjad:

As I told Alain before, I'm not using inter-VLAN routing, so I think if the router receives a packet in VLAN A for VLAN B it is not going to forward it, regardless of the ACL configuration. Isn't it true?

The problem with the trunk is that packets received in VLAN A of the switch for VLAN A in the router are not reaching their destination.

I'm attaching the configuration files and the sh vlan output.

As I mentioned, I'm not using inter-VLAN routing, but I agree that this is a poor security design to isolate the two VLANs, so I'm interested in what you're saying about private VLANs. Can this be configured in a SG-300?

Thanks.

Hello Miguel

It looks like the private VLANs feature is supported with your switch:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html

Can you send me the output of this command from the two switches?

show interface trunk

And one more question: I thought you had only one switch and now I see two switches. Which one of them is directly connected to the router?

Hi Amjad:

I have two switches (two identical SG-300) and two routers too (two identical 1921) in this design. It is a little complex design that includes VLANs, HSRP, subinterfaces, router-on-a-stick...

The concrete problem in the trunk port is affecting switch Sw1 and router Rt1, regardless of whether switch Sw2 and router Rt2 are connected or not (surely I will have the same problem between Sw2 and Rt2, but I have not installed Rt2 yet). That's why I didn't talk about the second router and switch before, so as not to make it more difficult to find the problem.

Rt1 physical interface is connected to port 24 of Sw1; port 28 of the two switches is used as uplink port.

Here's the output of the two switches when both are connected:

Sw1#sh vlan

Vlan       Name                   Ports                Type     Authorization
---- ----------------- --------------------------- ------------ -------------
1           1          gi3,gi6-10,gi12-28,Po1-8     Default      Required
10      ?????       gi1-2,gi11,gi24,gi28        static      Required
101      ?????           gi4-5,gi24,gi28          static      Required

Sw2#sh vlan

Vlan       Name                   Ports                Type     Authorization
---- ----------------- --------------------------- ------------ -------------
1           1          gi3,gi6-10,gi12-28,Po1-8     Default      Required
10      ?????        gi1-2,gi11,gi24,gi28        static      Required
101      ?????            gi4-5,gi24,gi28          static      Required

Thanks.

And regarding the inter-VLAN routing: because you have the two VLANs terminated at the router interface, and the router sees the two VLANs (subnets) as directly connected, it will route the packets between them.
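The following is an added configuration example, not a config posted by Miguel, Amjad or Alain and not taken from Cisco documentation. It shows the router-on-a-stick design discussed in this thread the way a defender would build it: the 1921 terminates each VLAN on a dot1Q subinterface (VLAN 10 with gateway 10.10.10.254/24 as in the thread), the SG-300 carries those VLANs tagged on the trunk port gi24 towards the router, and, because the router will forward between directly connected subnets exactly as Amjad describes, inbound ACLs on each subinterface deny traffic to the other two VLAN subnets while still permitting everything else (the internet path). The subnets for VLAN 20 and VLAN 101 (10.10.20.0/24 and 10.10.101.0/24), the ACL names, and the use of gi1 as an access port are assumptions made for the example; only VLAN 10's addressing and ports gi24/gi28 come from the thread.

```text
! ===== Cisco 1921 (Rt1), router-on-a-stick =====
! Physical interface carries only tagged frames; no IP of its own.
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
! One subinterface per VLAN. "encapsulation dot1Q <id>" is what binds the
! subinterface to the VLAN tag the switch puts on the trunk; the ID must
! match the VLAN number allowed on the switch trunk.
interface GigabitEthernet0/0.1
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 ip access-group VLAN10-IN in
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 20
 ip address 10.10.20.254 255.255.255.0        ! assumed subnet
 ip access-group VLAN20-IN in
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 101
 ip address 10.10.101.254 255.255.255.0       ! assumed subnet
 ip access-group VLAN101-IN in
!
! Isolation: each subinterface's inbound ACL drops packets addressed to
! the other two VLAN subnets before the router can route them, and lets
! everything else (internet-bound traffic) through. Without these, the
! router routes between the three connected subnets by default.
ip access-list extended VLAN10-IN
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.101.0 0.0.0.255
 permit ip any any
!
ip access-list extended VLAN20-IN
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 10.10.20.0 0.0.0.255 10.10.101.0 0.0.0.255
 permit ip any any
!
ip access-list extended VLAN101-IN
 deny   ip 10.10.101.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 10.10.101.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
!
! ===== Cisco SG-300 (Sw1) =====
vlan database
 vlan 10,20,101
exit
!
! Host1 port: untagged member of VLAN 10 only (assumed to be gi1).
interface gigabitethernet1
 switchport mode access
 switchport access vlan 10
!
! Port towards Rt1 Gi0/0: tagged member of the three VLANs.
interface gigabitethernet24
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,101
!
! Uplink to Sw2: same VLAN list so both switches see the same broadcast domains.
interface gigabitethernet28
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,101
```

Two checks confirm the design is doing what is intended. On the router, `show vlans` lists each subinterface with its dot1Q ID, and `show ip interface brief` should show the three subinterfaces up/up; on the switch, `show interfaces trunk` (the command Amjad asked for) must list 10, 20 and 101 on gi24, since a VLAN missing from the trunk's allowed list is the simplest reason a host cannot reach its own gateway subinterface. With the ACLs in place, a ping from Host1 to 10.10.20.254 should fail while a ping to an internet address succeeds; that difference is the evidence that isolation comes from explicit filtering rather than from an assumption that the router will not route between its own connected subnets.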
