linking "vlan"s

Dec 17th, 2009

I've got this topology:

  Switch1 <---> V100 CoreSwitch <-- V100/101 trunk --> Host
                        V101
                         ^
                         |
  Switch2 <--------------+
     ^
     |
     v
Watchguard

i.e. trunking a couple of vlans to a vm host, but splitting them out to non-vlan'd switches.  Except Switch2, a 2950 I picked up is configured for everything to be a vlan2 access port.  The Vlan101 port on CoreSwitch (a 6509) is configured as an access port as well, so if I understand things right, with both sides as access ports, it shouldn't matter if the internal vlan ids don't match because there's no vlan tagging going on --- should just be forwarding ethernet frames like any dumb switch?  I tried reconfiguring it to all vlan 101 access ports, and saw some indication that there *was* some vlan communication going on, but then lost the connection to an upstream router (a watchguard firewall) that isn't doing any vlan networking at all.  Like I said, with everything as access ports, I shouldn't think which vlan id is associated with the ports would make any difference (as long as they're all internally consistent, of course).

Jon Marshall Fri, 12/18/2009 - 04:11

useopenid wrote:

I've got this topology:

  Switch1 <---> V100 CoreSwitch <-- V100/101 trunk --> Host
                        V101
                         ^
                         |
  Switch2 <--------------+
     ^
     |
     v
Watchguard

i.e. trunking a couple of vlans to a vm host, but splitting them out to non-vlan'd switches.  Except Switch2, a 2950 I picked up is configured for everything to be a vlan2 access port.  The Vlan101 port on CoreSwitch (a 6509) is configured as an access port as well, so if I understand things right, with both sides as access ports, it shouldn't matter if the internal vlan ids don't match because there's no vlan tagging going on --- should just be forwarding ethernet frames like any dumb switch?  I tried reconfiguring it to all vlan 101 access ports, and saw some indication that there *was* some vlan communication going on, but then lost the connection to an upstream router (a watchguard firewall) that isn't doing any vlan networking at all.  Like I said, with everything as access ports, I shouldn't think which vlan id is associated with the ports would make any difference (as long as they're all internally consistent, of course).

Alan

The diagram's not very helpful, but in answer to your question, from an L2 vlan perspective you are correct. If there is no tagging on the port then yes, it will forward the frames, i.e.

switch 1 (vlan 10) -> (vlan 11) switch 2

In the above, frames will leave sw1 in vlan 10 and arrive on sw2 in vlan 11.

However, this isn't recommended, obviously, and communication depends on more than just L2, i.e. what subnets you are using for your 2 vlans is just as important.

Jon

ansalaza Fri, 12/18/2009 - 07:50

I suppose that the watchguard firewall is in Vlan 2 and that is why you want to keep the 2950 in Vlan 2...

Not sure if you can configure your 6509 link to the 2950 as a trunk and enable a VLAN Translation between frames coming from Vlan 2 to Vlan 101.

"On trunk ports, you can translate one VLAN number to another VLAN number, which transfers all traffic received in one VLAN to the other VLAN."

Link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vlans.html#wp1044990

Note: To avoid spanning tree loops, be careful not to misconfigure the VLAN translation feature.

Hope this helps!

dkempthorne Fri, 12/18/2009 - 10:46

"and saw some indication that there *was* some vlan communication going on"

What makes you think there was VLAN "communication" going on beyond having connectivity issues to your watchguard?

If you've only configured the access vlan (i.e., switchport access vlan 101) and have not configured the port mode as access (switchport mode access), the ports default to DTP (Dynamic Trunking Protocols - for VLANs). Your other option is to configure both ports as trunk and set the native VLAN on the ports.

You should also have separate VTP domains or one switch (The 2950) configured as a transparent vtp domain.
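
The check described in the reply above, as an added example that is not part of the original thread: it parses interface stanzas, flags ports that have `switchport access vlan` but no explicit `switchport mode`, and reports the access VLAN on each end of a link. The sample configs and interface names are constructed assumptions, not the poster's real configuration.

```python
import re

# Constructed sample configs (assumptions, not taken from the thread).
CORE_6509 = """\
interface GigabitEthernet1/1
 description to Switch2
 switchport
 switchport access vlan 101
!
interface GigabitEthernet1/2
 description trunk to VM host
 switchport
 switchport mode trunk
!
"""
SWITCH2_2950 = """\
interface FastEthernet0/1
 description to CoreSwitch
 switchport access vlan 2
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface: {"mode": str or None, "access_vlan": int or None}}."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), {"mode": None, "access_vlan": None})
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s+switchport mode (\S+)", line)
            if m:
                current["mode"] = m.group(1)
            m = re.match(r"\s+switchport access vlan (\d+)", line)
            if m:
                current["access_vlan"] = int(m.group(1))
        else:
            current = None  # "!" or any other global line ends the stanza
    return ports

def audit(ports):
    """Ports with an access VLAN set but no explicit switchport mode."""
    return sorted(n for n, p in ports.items()
                  if p["access_vlan"] is not None and p["mode"] is None)

def link_vlans(a, a_port, b, b_port):
    """Access VLAN on each end of a link, and whether the two IDs match."""
    va, vb = a[a_port]["access_vlan"], b[b_port]["access_vlan"]
    return va, vb, va == vb
```
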
