
vlan tagging & encapsulation and routers

murray-davis
Level 1

I have the following LAN:

Multiple Cisco layer 2 switches with a single Layer 3 - 3750 switch. Multiple vlans in this switched network.

This 3750 connects to a Cisco 2821 router that then connects to a Juniper firewall and another router that points to a separate MetroNet. The DG for the switched network is out the Juniper firewall.

We were having issues with bandwidth so I put a Packetshaper 7500 between the 2821 and the Juniper in bridged mode.

I then wanted to segment traffic on the PS7500 by vlans and then set different policies.

I am having some issues doing this because my understanding of vlans is a bit shaky.

On the 3750, on each port, the following line appears:

switchport trunk encapsulation dot1q

This, I assume, means that I am using 802.1q tagging for vlans and not ISL?

If I log onto the Cisco 2821 and issue the command: sh vlans, the response is: No Virtual LANs configured.

So, how does the router encapsulate the vlan information? That is, will it pass through vlan information to the Packetshaper 7500?

In terms of routing, the Cisco 2821 uses the dynamic routing protocol, OSPF.

The Juniper firewall is configured to NAT the internal IP info from the inside LAN.

Thank you,

3 Replies

Collin Clark
VIP Alumni

Your router may be configured with subinterfaces, each being the default gateway for your VLANs. If you post your config, we can help determine what is what. Here's an example of a trunked router interface.

interface FastEthernet0/0
description Connection to 2950
no ip address
ip directed-broadcast 150
speed 100
full-duplex

!

interface FastEthernet0/0.100
description Client Vlan
encapsulation dot1Q 100
ip address 10.11.1.254 255.255.255.0
ip helper-address 10.10.12.7
ip helper-address 10.10.11.13
no ip redirects
no ip unreachables
ip directed-broadcast 150
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1360
!
interface FastEthernet0/0.500
description Management
encapsulation dot1Q 500
ip address 10.10.44.254 255.255.255.0
ip access-group MNA out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1360
!
interface FastEthernet0/0.501
description Native Vlan
encapsulation dot1Q 501 native
ip flow ingress
!


Cisco will donate $1 to the Red Cross Haiti fund for every rated post!

https://supportforums.cisco.com/docs/DOC-8727

Giuseppe Larosa
Hall of Fame

Hello Murray,

If your C2821 doesn't have a configuration like the following:

int f0/0
no ip address
int f0/0.1
enc dot1q 1
ip address 1.1.1.1 255.255.255.0
int f0/0.5
enc dot1q 5
ip address 1.1.5.1 255.255.255.0

and so on, you are using the C2821 only on the native vlan (vlan1 if not explicitly changed on C3750 port) and no other vlans are involved.

The C3750 is probably doing the inter-vlan routing, so dot1Q vlan information is not available in the C2821 and, what is more important, it is not available on the link where the packet shaper is placed.

If so, you will need to configure the packet shaper using the source IP address as the criteria (like using ACLs) instead of the vlan-id.

Each vlan-id is related to an IP subnet, so you should be able to implement policies per source IP subnet (or even single hosts).

This depends on the features of the packet shaper and whether it is able to inspect IP packets when working in bridging mode.

I would expect this.

Hope to help

Giuseppe

be aware of Haiti helping initiative !!

Thank you Collin and Giuslar.

I am attaching the relevant snip of the Cisco 2821. So, following Giuslar's discussion, I would tend to agree that the 3750 is handling the vlan tagging and that info does not get passed on to the PS7500. So, my only option is to work at layer 3 and identify traffic based on the source subnets.

interface Tunnel0
description Tunnel to 2821-02
ip vrf forwarding sam
ip address 192.168.200.78 255.255.255.240
ip mtu 1450
ip tcp adjust-mss 1410
ip ospf message-digest-key 1 md5 7 15221F252338243138
ip ospf network point-to-multipoint
ip ospf 1 area 0.0.0.0
qos pre-classify
tunnel source GigabitEthernet0/1
tunnel destination 192.168.102.1
!
interface GigabitEthernet0/0
description To Internet Firewall
ip vrf forwarding PTI
ip address 192.168.100.21 255.255.255.252
ip ospf 1 area 0.0.0.1
duplex full
speed 100
service-policy output CBWFQ
!
interface GigabitEthernet0/1
description To WAN
ip address 192.168.100.17 255.255.255.252
duplex full
speed 10
service-policy output CBWFQ
!
interface GigabitEthernet0/0/0
description To LAN distribution switch
ip vrf forwarding sam
ip address 192.168.100.6 255.255.255.252
ip ospf message-digest-key 1 md5 7 023610722C1400345C
ip ospf 1 area 0.0.0.0
negotiation auto
!
router ospf 1 vrf sam
log-adjacency-changes detail
area 0.0.0.0 authentication message-digest
default-information originate
!
ip route 0.0.0.0 0.0.0.0 192.168.100.18
ip route vrf sam 0.0.0.0 0.0.0.0 192.168.100.22
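
The conclusion reached in the replies above, as an added example that is not part of any post in this thread: a frame on a switch trunk carries an 802.1Q tag, the same packet after the layer 3 hop does not, so a device on the routed link has to infer the VLAN from the source subnet. The subnet-to-VLAN map reuses the two subnets from the example subinterface config earlier in the thread; `build_frame`, `classify` and all addresses are constructed for illustration.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Assumed map: subnets borrowed from the example subinterfaces posted in the
# thread (VLAN 100 and 500), not from the original poster's own LAN.
SUBNET_TO_VLAN = {
    ipaddress.ip_network("10.11.1.0/24"): 100,   # "Client Vlan"
    ipaddress.ip_network("10.10.44.0/24"): 500,  # "Management"
}

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a minimal Ethernet + IPv4 header (constructed sample data)."""
    eth = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")  # dst, src MAC
    if vlan_id is not None:
        # 4-byte tag: TPID, then TCI with PCP/DEI = 0 and a 12-bit VLAN ID
        eth += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def classify(frame):
    """Return (vlan_id, basis): read the tag if present, else map the source subnet."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        return tci & 0x0FFF, "802.1Q tag"
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 14 + 20:
        return None, "unclassified"
    src = ipaddress.ip_address(frame[14 + 12:14 + 16])  # IPv4 source address field
    for net, vlan in SUBNET_TO_VLAN.items():
        if src in net:
            return vlan, "source subnet"
    return None, "unclassified"

def demo():
    frames = [
        build_frame("10.11.1.25", "192.0.2.10", vlan_id=100),  # on a switch trunk
        build_frame("10.11.1.25", "192.0.2.10"),               # same packet after routing
        build_frame("10.10.44.7", "192.0.2.10"),               # management subnet, untagged
        build_frame("172.16.9.9", "192.0.2.10"),               # subnet not in the map
    ]
    return [classify(f) for f in frames]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the shaper sits on the inside of the NAT firewall, the source addresses it sees are still the original LAN addresses.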
