Solved: Re: VLAN conflict options ?

mediaworksnz · ‎12-03-2019

Hello, my switch (WS-C3650-48PD )has an existing VLAN 10 which I use for office traffic.

Now I am connecting another router to this switch which also sends tagged VLAN 10 traffic. However this VLAN 10 is a totally diffferent network. So I now have a conflict of two VLAN 10s.

Is there any way to partition or maintain two instances of VLAN 10 on this WS-C3650-48PD switch ?

Meheretab Mengistu · ‎12-03-2019

Hi,

The easiest way to resolve the issue is to move one of the VLANs to a different VLAN number.

For any reason if you can not do that, I am thinking of VACL (VLAN ACL) as one way to solve your issue, assuming the two VLAN 10s have different subnets and do not need to talk to each other at all.

Example:-

access-list 100 permit ip X.X.X.X a.a.a.a Y.Y.Y.Y b.b.b.b

access-list 100 permit ip Y.Y.Y.Y b.b.b.b X.X.X.X a.a.a.a where X.X.X.X a.a.a.a is one of the VLAN10 network and wildcard mask, Y.Y.Y.Y b.b.b.b is the other VLAN10 network and its wildcard mask. You can also use mac address acl instead of ip address acl.

!

access-list 101 permit ip any any

!

vlan access-map BETWEEN-VLAN10s 10

match ip address 100

action drop

vlan access-map BETWEEN-VLAN10s 20

match ip add 101

action forward

exit

vlan filter BETWEEN-VLAN10s vlan-list 10

Another alternative could be to configure all VLAN 10 ports as protected ports using switchport protected command.

HTH,

Meheretab

HTH,
Meheretab

View solution in original post

Meheretab Mengistu · ‎12-03-2019

Hi,

The easiest way to resolve the issue is to move one of the VLANs to a different VLAN number.

For any reason if you can not do that, I am thinking of VACL (VLAN ACL) as one way to solve your issue, assuming the two VLAN 10s have different subnets and do not need to talk to each other at all.

Example:-

access-list 100 permit ip X.X.X.X a.a.a.a Y.Y.Y.Y b.b.b.b

access-list 100 permit ip Y.Y.Y.Y b.b.b.b X.X.X.X a.a.a.a where X.X.X.X a.a.a.a is one of the VLAN10 network and wildcard mask, Y.Y.Y.Y b.b.b.b is the other VLAN10 network and its wildcard mask. You can also use mac address acl instead of ip address acl.

!

access-list 101 permit ip any any

!

vlan access-map BETWEEN-VLAN10s 10

match ip address 100

action drop

vlan access-map BETWEEN-VLAN10s 20

match ip add 101

action forward

exit

vlan filter BETWEEN-VLAN10s vlan-list 10

Another alternative could be to configure all VLAN 10 ports as protected ports using switchport protected command.

HTH,

Meheretab

HTH,
Meheretab

mediaworksnz · ‎12-03-2019

Thank you Meheretab, with your VACL example, will this also block layer 2 traffic or is it only blocking L3 ?

Jon Marshall · ‎12-04-2019

Make your life simple and do what Reza suggested and just renumber one of the vlans.

Jon

Meheretab Mengistu · ‎12-04-2019

When you use mac address access-list you block Layer 2 traffic. You can read more about it https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html

As I said on my previous post, I would renumber one of the VLANs. Reza and Jon suggested the same.

HTH,
Meheretab

HTH,
Meheretab

Reza Sharifi · ‎12-03-2019

Hi,

Why do you have to use the same vlan? Just use a different one.

HTH

Joseph W. Doherty · ‎12-04-2019

I think the 3650 supports VRF(-lite). If so, that might allow the same VLAN assignment, i.e. one VLAN 10 per VRF (but I really don't know for sure - I don't recall the 3650 supporting a virtual router function).

As the others have posted, it might be easier to have both one VLAN 10s renumbered. If that would be difficult to do, i.e. renumbering both of the two L2 domains to support one of the VLAN 10s under a different number, you could just reassign one of the VLAN 10s to a different number on just one of the two L2 domains. At network demarcation points, it's possible to pass one VLAN into a different VLAN number. (The latter might be done using an access port, or native VLANs on trunk ports. Basically, you send the frames across, between the two networks untagged. This allows you to get those frames into different VLAN numbers.)