
Complex VLAN Routing On 2821 ISR--Need Ideas and Configs

frivers
Level 1

I'm replacing an Adtran layer 3 switch at our operations center with a Cisco 2821. I have the configurations for the Adtran from the ISP and I want to mimic what they're doing on the switch. Basically, we have an MPLS circuit coming in on an Ethernet trunk that's carrying both secure traffic and Internet traffic. The secure traffic is on VLAN 360 (dot1q) and the Internet is VLAN 560 (dot1q). The secure traffic on 360 gets dumped right onto our LAN on VLAN 1 (default vlan) and the Internet traffic gets firewalled on a Sonicwall device which is then connected to LAN.

My 2821 has two gigabit ports G0/0 and G0/1 and I have a FastEthernet HWIC on the way which I'll call FA0/0.

The configuration I have in mind is to use FA0/0 as the trunk connection that will dump VLAN 360 and VLAN 560 tagged packets into the MPLS cloud.  The confusion I'm having now is what to do with G0/0 and G0/1.  I'm thinking about connecting G0/0 to the Sonicwall WAN port on VLAN1 and then connecting G0/1 to the LAN.  What I'm unsure of is how to tag the packets coming out of G0/0 as VLAN 560 and the packets coming out of G0/1 as VLAN 360.

Can someone post a sample config that I can mull over? Let's use these IP addresses:

2821 LAN IP: 170.87.49.2/24  (VLAN 1)

Secure MPLS traffic: 192.168.1.2  (VLAN 360)

Internet traffic: (VLAN 560)

Trunk Port: FA0/0 (VLAN 360 + VLAN 560)

LAN computers: 170.87.49.0/24 (VLAN 1)

5 Replies

frivers
Level 1

So far I've come up with:

Int fa0/0/0

no ip address

int fa0/0/0.1

encap dot1q 1 native

int g0/0

no ip address

int g0/0.1

!-- gives g0/0 access to VLAN 1 (Sonicwall) as well

encap dot1q 1 native

int g0/0.560

encap dot1q 560

ip address 170.87.49.2 255.255.255.0

int g0/1

no ip address

int g0/1.360

encap dot1q 360

ip address 192.168.1.2 255.255.255.0

Let's assume I have static routes in there.  How does this look?

Is it possible to create a trunk to another router?  All I'm finding are instructions for a trunk from a switch to a router.

Hello Frank,

It is possible to create a trunk to another router: both sides are configured using 802.1Q subinterfaces, and the VLAN IDs and IP subnet must match for it to work.

About static routes, you should use the IP address of the next hop as the next-hop; this way the router will understand which subinterface to use to reach a specific destination.

Hope to help

Giuseppe
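The router-to-router trunk described in the reply above, as an added sample configuration that is not from any poster in this thread. Assumptions: the hostnames, the use of GigabitEthernet0/1 as the trunk port on both routers, the far-end address 192.168.1.1, the 203.0.113.0/30 subnet for VLAN 560 (the thread gives no address for it), and the remote network 10.10.0.0/16 are all constructed for illustration.

```cisco
! ---------- Router A (near end of the trunk) ----------
hostname RouterA
!
interface GigabitEthernet0/1
 description 802.1Q trunk to RouterB (physical port carries no IP)
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.360
 description Secure traffic
 encapsulation dot1Q 360
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1.560
 description Internet traffic
 encapsulation dot1Q 560
 ip address 203.0.113.2 255.255.255.252
!
! The next hop 192.168.1.1 sits in the VLAN 360 subnet, so this route
! resolves through GigabitEthernet0/1.360 and leaves tagged as VLAN 360.
ip route 10.10.0.0 255.255.0.0 192.168.1.1
!
! ---------- Router B (far end of the trunk) ----------
hostname RouterB
!
interface GigabitEthernet0/1
 description 802.1Q trunk to RouterA
 no ip address
 no shutdown
!
! Same VLAN ID and same IP subnet as RouterA's .360 subinterface
interface GigabitEthernet0/1.360
 encapsulation dot1Q 360
 ip address 192.168.1.1 255.255.255.0
!
! Same VLAN ID and same IP subnet as RouterA's .560 subinterface
interface GigabitEthernet0/1.560
 encapsulation dot1Q 560
 ip address 203.0.113.1 255.255.255.252
!
! Return route to the LAN behind RouterA, again by next-hop address
ip route 170.87.49.0 255.255.255.0 192.168.1.2
```

Both subinterfaces are routed interfaces on the same router, so it forwards between VLAN 360 and VLAN 560 unless an ACL or separate VRFs keep the secure and Internet sides apart.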

Are there any sample configs anywhere?  I was thinking of not worrying about what kind of other device is at the other end of the cable.  I just have one fiber cable coming from a closet where I have to pass dot1q vlan traffic to.

A little more info for you guys.  Basically I think I just need instructions on how to do a vlan trunk between an Etherswitch HWIC and other interfaces in the same router.
