• Status: Solved

Trunking VLANs over a Layer 3 network

Trunking VLANs over Layer 3 OSPF links.

What is the best way to trunk a Layer 2 VLAN over a routed layer 3 network? I have a problem whereby the network is split up into 3 separate sites; each site has a number of VLANs which are routed using OSPF and Cisco layer 3 switches.

There are 2 VLANS which need to span ALL sites and can not be split into different IP segments.

Is it possible to just Trunk the VLANS over the current Layer 3 links? We are using a mixture of Cisco 6500, 3550 and 3750 switches to do the switching and routing.

There is only 1 physical connection between the sites.
Asked by: ian_chard
 
Don Johnston (Instructor) commented:
Most likely, no.

What type of link is connecting the sites? T1? MPLS? Frame-Relay?
 
ian_chard (Author) commented:
It is a BT LES100 circuit, so on the switch the connection is actually a fast ethernet port on each end.

Surely if you make the port an access port AND a trunk port, and only allow the necessary VLANS over the trunk it will work?

We can use VLANS as the Layer 3 routing interfaces (SVI's) and make the same port an access port in this vlan?

Hmmmm, it's a tricky one.
 
Don Johnston (Instructor) commented:
You can't have a physical port configured as an access port AND a trunk port at the same time.

If the carrier supports it, just trunk the link between the sites. For the VLANs you don't want on the trunk, remove those VLANs from the trunk.

 
ian_chard (Author) commented:
I am pretty sure you can configure a physical port to be a trunk and an access port at the same time. The OS certainly supports it on both Cisco and HP networking equipment.

(Things like connecting PCs through VoIP phones require you to 'tag' and 'untag' the same port in different VLANs)

Hmmm, this is a perplexing one. In theory, I don't see why it won't work, but unfortunately I haven't got the time or equipment to fully test it!
 
Don Johnston (Instructor) commented:
I think you're confusing this with "native VLAN".

When you connect a phone that has a PC port on it, you are doing 802.1q trunking between the switch and the phone. The PC traffic is sent over the native VLAN and is untagged while the voice traffic is tagged with the voice VLAN ID. The link however is still classified as an 802.1q trunk.
 
ian_chard (Author) commented:
That's correct, but the PC traffic does not HAVE to be in the native VLAN, does it? Otherwise you would only be able to have 1 voice VLAN per PC/Data VLAN?

In comparison to this, I want the routed VLAN traffic to be untagged and the Layer 2 VLAN traffic to be tagged.

It is very confusing, but I cannot see why a physical Ethernet port cannot send some traffic 'untagged' (i.e. to its own VLAN) and other traffic 'tagged' depending on where it has originated.
 
Don Johnston (Instructor) commented:
>That's correct, but the PC traffic does not HAVE to be in the native VLAN, does it?

Yes, it does. The PC doesn't send 802.1q trunk frames. The phone simply sends those frames to the switch, and the switch, on seeing an untagged frame, assumes it to be in the native VLAN.

>In comparison to this, I want the routed VLAN traffic to be untagged and the Layer 2 VLAN traffic to be tagged.

That's fine. Just make the routed traffic in the native VLAN and it will be untagged. But you won't be accomplishing anything by doing it that way as opposed to tagging all the traffic.

 
ian_chard (Author) commented:
Hello again,

I have configured similar things in the past and, if my memory serves me correctly, the VoIP was always the 'tagged' VLAN and the PC the untagged.
So, if VLAN 200 was the VoIP VLAN and VLAN 100 the Data VLAN, the config (on a ProCurve device) would be something like:

VLAN 100
 name PC
 untagged 1

VLAN 200
 name VoIP
 tagged 1

I am guessing on Cisco, it would be something like (my Cisco is pretty rusty on this!)

Int fa0/1
switchport mode trunk
switchport encap dot1q
switchport trunk allowed vlans 200 (???)
switchport access vlan 100

So, I don't want the PC to be sending 802.1q tagged frames, only the phones, which can do it. Does this make sense?
 
Don Johnston (Instructor) commented:
>I am guessing on Cisco, it would be something like (my Cisco is pretty rusty on this!)

Close. :-)

int fa0/1
switchport mode trunk
switchport trunk encap dot1q
switchport trunk native vlan 100

 
ian_chard (Author) commented:
Nice one, what effect does making an interface an access port AND a trunk port have? I know that the IOS will accept the config; will it only act as either an access port OR a trunk port?

AND the bottom line is, there is no way to have a Layer 3 (routed) connection between 2 switches and have 1 or 2 VLANs trunked over it as well? (I hope my boss takes this news well!!!)

Cheers
 
Don Johnston (Instructor) commented:
>Nice one, what effect does making an interface an access port AND a trunk port have?

Like I said, you can't make an interface a trunk port AND an access port at the same time.

>AND the bottom line is, there is no way to have a Layer 3 (routed) connection between 2 switches and have 1 or 2 VLANs trunked over it as well?

You can't have a single physical interface behave as a layer 2 and a layer 3 interface at the same time. However, you can have a routing protocol carried over one VLAN and user traffic over a different VLAN at the same time.
 
ian_chard (Author) commented:
Bearing this in mind, can you see any possible solution to the problem I am having then?

You can use VLANs as the layer 3 interfaces, can't you? Instead of making the interface itself a layer 3 interface, so in theory, the actual physical interface would not be a Layer 2 and Layer 3, as all of the Layer 3 stuff would be done at the VLAN level?

 
Don Johnston (Instructor) commented:
Here's how you can do it.

Switch 1 has VLANs 10, 11, 13, 15, 17, 19 and 20
it has SVI's with ip addresses of 192.168.vlan.1
Running OSPF on all SVI's

Switch 2 has VLANs 10, 12, 14, 16, 18 and 20
it has SVI's with ip addresses of 192.168.vlan.2
Running OSPF on all SVI's

The link between the two switches is a trunk link with only VLANs 10 and 20 allowed.

Any traffic from the 11,12,13,14,15,16,17,18 or 19 VLAN's will have to be routed. However, VLAN 10 and 20 traffic will be able to cross between sites without any layer 3 processing.
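
Added example, not part of the original thread: the Switch 1 side of the design described in the answer above, written out as Catalyst IOS configuration. The uplink interface name, the /24 masks, the OSPF process number and the area are assumptions.

```cisco
! Switch 1, per the answer above. Switch 2 mirrors this with its own
! VLAN list (10,12,14,16,18,20) and 192.168.<vlan>.2 addresses.
ip routing
!
vlan 10,11,13,15,17,19,20
!
! One SVI per VLAN; VLANs 10 and 20 exist at both sites.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
 no shutdown
!
interface Vlan13
 ip address 192.168.13.1 255.255.255.0
 no shutdown
!
interface Vlan15
 ip address 192.168.15.1 255.255.255.0
 no shutdown
!
interface Vlan17
 ip address 192.168.17.1 255.255.255.0
 no shutdown
!
interface Vlan19
 ip address 192.168.19.1 255.255.255.0
 no shutdown
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Inter-site link (interface name is an assumption).
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! No "add" keyword: this replaces the default all-VLAN list, so only
 ! VLANs 10 and 20 are bridged between sites.
 switchport trunk allowed vlan 10,20
!
! OSPF process 1 and area 0 are assumptions; adjacencies form over
! the shared VLANs 10 and 20, the other subnets are advertised.
router ospf 1
 network 192.168.0.0 0.0.255.255 area 0
```

`show interfaces trunk` on each switch lists the VLANs allowed and active on the link.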
 
ian_chard (Author) commented:
Excellent, you are a star. I am going to start planning this now...

ian_chard (Author) commented:
Hi Don,

Taking into account the following :

VLANS 10,11,100,101,102,103 need to be trunked and the rest need to be routed, do the following commands fit?

Any help much appreciated!!!

Ip routing

Vlan 33
Description CV3750-NP3550
Ip address 172.16.10.14 255.255.255.252

Vlan 6
Description CVNetMan
Ip address 172.25.1.1 255.255.255.0

Vlan 7
Description CV Devices
IP address 172.25.2.1 255.255.255.0

Vlan 52
Description CVPrint
Ip address 172.25.4.1 255.255.252.0

Vlan 202
Description CVStaff
IP address 172.25.48.1 255.255.240.0

Vlan 302
Description CVStudents
IP address  172.25.64.1 255.255.240.0

Vlan 402
Description CVComp
Ip address 172.25.80.1 255.255.255.0

Vlan 412
Description CVInfoServ
Ip Address 172.25.81.1 255.255.255.0

Int fa1/0/48
Switchport mode trunk
Switchport trunk encap dot1q
Switchport trunk allowed vlans add 10 11 33 100 101 102 103

Router ospf 1
Network 172.25.1.0 0.0.0.255 area 0
Network 172.25.2.0 0.0.0.255 area 0
Network 172.25.4.0 0.0.3.255 area 0
Network 172.25.48.0 0.0.15.255 area 0
Network 172.25.64.0 0.0.15.255 area 0
Network 172.25.80.0 0.0.0.255 area 0
Network 172.25.81.0 0.0.0.255 area 0
 
Don Johnston (Instructor) commented:
I assume the commands towards the top are for something other than a Cisco switch?

On the Cisco side, you'll need a VLAN interface for each VLAN that the switch is routing.

int VLAN 11
 ip address x.x.x.x 255.255.255.0
 no shutdown

Also, trunks carry all VLANs by default so there's no need to add them. That would only be necessary if you had previously removed them.