We have several large sites that use Cisco VLAN trunking to keep a complex network environment humming along. This works well for us.
Between sites we have gigabit Metro Ethernet circuits providing WAN services, over which we are using layer 3 and EIGRP. This works well for us.
On several campuses, we have gigabit fibers linking buildings together, with VLAN trunking across those Gig links. Works great.
We have one campus that has buildings on two sides of a highway, and we were not able to secure a fiber right-of-way to do our customary Gig link. So instead we used a Metro Ethernet circuit provided by one of our Metro-E vendors. This is not working so well for us.
Things work fine in the native VLAN, and for the trunked VLANs most things work fine as well. However, we are having problems with some very specific areas involving authentication. Several different systems are failing to authenticate across trunked VLANs. The WAN is using 802.1Q VLAN tagging, which is managed by the WAN vendor. As long as we don't use any VLANs, the affected applications work fine. As soon as we trunk a VLAN across the link and put the systems in that VLAN, they work for everything except secure authentication.
The 802.1Q VLAN over the WAN is invisible to us; the vendor is telling us we should treat the connection as if it were dark fiber. However, we are finding that this is not the case. The vendor uses Cisco gear, and they opened a TAC case when we had problems; however, they came back telling us that Cisco has blessed their configuration as being transparent to anything we should be able to do.
We are convinced that this is almost true; however, secure authentication systems fail on anything other than the native VLAN.
We are a health-care system, and have many unrelated vendors using the network for data that must be kept secure, so isolating the vendors and applications on their own vlan segments is a requirement for our environment.
What do we need to do to make Cisco VLAN trunking work correctly across a third-party 802.1Q VLAN?
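As an added worked example (not part of the original post, and not a diagnosis of the poster's network): one of the first things a practitioner would check on a trunk that rides a provider's own 802.1Q VLAN is frame size. Every 802.1Q tag adds 4 bytes to the Ethernet header, so a customer-tagged frame carrying a full 1500-byte IP packet is 1522 bytes on the wire with FCS, and if the provider stacks its own service tag on top (QinQ, 802.1ad) it becomes 1526 bytes, which a path sized for 1518- or 1522-byte frames will drop. The script below parses a tagged frame, walks the tag stack, and computes the on-wire size for a given tag depth. The sample frame is constructed inline; the assumption that the provider carries customer frames as double-tagged is a hypothesis for illustration, not something the post confirms.

```python
"""Walk an 802.1Q / 802.1ad tag stack and size frames for a tagged WAN.

Added example; the sample frame below is constructed, not captured.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # customer tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # service/provider tag (S-TAG), used for QinQ
ETHERTYPE_IPV4 = 0x0800

ETH_HDR_LEN = 14   # dst(6) + src(6) + ethertype(2), untagged
VLAN_TAG_LEN = 4   # TPID(2) + TCI(2)
FCS_LEN = 4

# Classic limits: 1518 bytes untagged, 1522 with one 802.1Q tag (802.3 "envelope").
MAX_FRAME_UNTAGGED = 1518
MAX_FRAME_SINGLE_TAG = 1522


def parse_frame(frame: bytes):
    """Return (dst, src, tags, ethertype, payload).

    tags is a list of (tpid, vlan_id) in outer-to-inner order. Both 0x8100
    and 0x88A8 are treated as tags so a QinQ frame parses as a two-entry stack.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    off = 12
    tags = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            (tci,) = struct.unpack_from("!H", frame, off)
            off += 2
            tags.append((etype, tci & 0x0FFF))  # low 12 bits of TCI = VLAN ID
        else:
            break
    return dst, src, tags, etype, frame[off:]


def build_frame(dst: bytes, src: bytes, tags, etype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame (no FCS) with the given tag stack, outer first."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    hdr += struct.pack("!H", etype)
    return hdr + payload


def frame_size_on_wire(ip_packet_len: int, n_tags: int) -> int:
    """Bytes on the wire including FCS for an IP packet under n_tags VLAN tags."""
    return ETH_HDR_LEN + VLAN_TAG_LEN * n_tags + ip_packet_len + FCS_LEN


def fits(ip_packet_len: int, n_tags: int, max_frame: int) -> bool:
    """True if the frame would pass a link that accepts frames up to max_frame."""
    return frame_size_on_wire(ip_packet_len, n_tags) <= max_frame


if __name__ == "__main__":
    # Constructed sample: a customer frame in VLAN 200 carrying a 1500-byte IPv4
    # packet, then the same frame with a hypothetical provider S-TAG 100 stacked on.
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    ip_packet = b"\x45" + b"\x00" * 1499  # 1500 bytes, only the version nibble set
    customer = build_frame(dst, src, [(ETHERTYPE_8021Q, 200)], ETHERTYPE_IPV4, ip_packet)
    provider = build_frame(dst, src, [(ETHERTYPE_8021AD, 100), (ETHERTYPE_8021Q, 200)],
                           ETHERTYPE_IPV4, ip_packet)
    for name, frame in (("customer", customer), ("provider QinQ", provider)):
        _, _, tags, etype, payload = parse_frame(frame)
        print(name, "tags:", [vid for _, vid in tags], "ethertype: 0x%04x" % etype,
              "on-wire bytes:", frame_size_on_wire(len(payload), len(tags)),
              "fits 1522:", fits(len(payload), len(tags), MAX_FRAME_SINGLE_TAG))
```

If the provider side only accepts 1518- or 1522-byte frames, the double-tagged case fails while the untagged (native VLAN) case passes, which is one mechanism consistent with a link that looks transparent for small packets and breaks only for certain traffic; it is a check to run, not a conclusion the post supports.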