
Routed port (DHCP) to Wan issue

ripwinder
Level 1

Hi All,

I am trying to configure a 3650 to provide DHCP on a routed port and, once it has pushed out an IP address, allow users onto the internet. The issue is that I get an IP address when connecting to fa0/2 but cannot get out onto the internet, nor can I ping the default gateway connected to the switch. Here is my config:

Building configuration...

Current configuration : 4786 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$nXfE$74CePIuEwZEvvquv1LpPw.
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
udld aggressive

ip subnet-zero
ip routing
!
ip dhcp pool cisco
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1
   domain-name test.com
   dns-server 10.10.1.10
   netbios-name-server 10.10.1.15
   lease 7
!
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
no switchport
ip address 10.10.1.1 255.255.255.0
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
mls qos trust dscp
macro description cisco-router
auto qos voip trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.2.10 255.255.255.0
!
ip default-gateway 192.168.2.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.10.1.0 255.255.255.0 192.168.2.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password r!pw1r3
login
length 0
line vty 5 15
password *******
login
!
end

Any help that can be offered would be really appreciated. Just to note, I am very new to Cisco.

Many Thanks

Rip Winder.

28 Replies

Hi,

That command is on the 3560; the 851 doesn't support it.

Regards,

Lei Tian

You can just connect your 3560 with the 851, and configure "switchport protected" on all host ports. Do not put it on the uplink port to the 851. All ports should be in VLAN 1 by default; you don't need to add any other commands, unless you made some changes on the 3560.

HTH,

Lei Tian

Thanks, that's a huge help.

If I have the DHCP server running on fa0/2 and this is then patched to another switch outside of my control with multiple users, are they still secure as long as they are in the same VLAN, or is it based on actual physical ports?

Thanks

Rip.

Hi,

That depends on the config of the physical port that the user connects to. By default, a switch will forward traffic within the same VLAN; you have no control on the router. On the router, you can control the traffic passing between different VLANs. By applying an ACL on the SVI, you can permit/deny communication from a host in one VLAN to a host in another VLAN.

HTH,

Lei Tian

Hi,

OK, I configured the 3560 with a default route and IP address from the 851, which is connected to the WAN. I set up NAT on the 851 and have configured DHCP on Vlan2 on the 3560. I connected a laptop to the 3560 and am getting an IP address; however, when I try to ping the outside world or even ping the 851 from the laptop I get nothing. I can ping the static IP address assigned to the 3560 from the 851, and when I telnet into the 3560 I can ping the outside world. I'm thinking it might be to do with the static route in the 3560. Any help you can offer would be much appreciated. I have given the config of the 3560 below:

Switch#show run

Building configuration...

Current configuration : 1879 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$nXfE$74CePIuEwZEvvquv1LpPw.
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
ip subnet-zero
ip routing
!
ip dhcp pool cisco
   network 10.10.2.0 255.255.255.0
   default-router 10.10.2.1
   domain-name mydomain.com
   dns-server 10.10.2.10
   lease 7
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.10.10.3 255.255.255.248
!
interface Vlan2
description Cisco DHCP
ip address 10.10.2.1 255.255.255.0
!
ip default-gateway 10.10.10.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 10.10.2.0 255.255.255.0 10.10.10.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4

Thanks,
Rip.

Hi,

Remove "ip route 10.10.2.0 255.255.255.0 10.10.10.1" from the 3560. Add "ip route 10.10.2.0 255.255.255.0 10.10.10.3" on the 851.

HTH,

Lei Tian

Wow, thanks, it worked. Could you possibly explain what I just did and why it was not working before? I would like to be able to understand. No problem if you're too busy.

Many, many thanks,

Rip.

Hi,

Thanks for the rating and glad to help!

The reason it didn't work before is because the 851 doesn't have a route back to VLAN 2 on the 3560. VLAN 2 is only configured on the 3560, so you need to tell the 851 that, in order to reach the VLAN 2 network, it should send the traffic to the 3560.

Regards,

Lei Tian
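To see why the missing return route on the 851 broke the ping while the 3560 itself could still reach the outside world, here is an added Python model (not from the thread) that does longest-prefix-match forwarding over route tables built from the posted configs, before and after Lei Tian's fix. The laptop address 10.10.2.50 and the 851's WAN next hop, labelled ISP, are assumptions.

```python
import ipaddress

# Constructed route tables from the posted configs (AD 0 = connected, 1 = static).
# The laptop address 10.10.2.50 and the 851's WAN next hop "ISP" are assumptions.
OWNER = {"10.10.2.1": "3560", "10.10.10.3": "3560", "10.10.10.1": "851"}

ROUTES_BEFORE = {
    "laptop": [("10.10.2.0/24", "connected", 0), ("0.0.0.0/0", "10.10.2.1", 1)],
    "3560": [("10.10.2.0/24", "connected", 0), ("10.10.10.0/29", "connected", 0),
             ("10.10.2.0/24", "10.10.10.1", 1),   # the static route Lei Tian says to remove
             ("0.0.0.0/0", "10.10.10.1", 1)],
    "851": [("10.10.10.0/29", "connected", 0), ("0.0.0.0/0", "ISP", 1)],
}

def with_fix(routes):
    """Apply the suggested change: drop the 3560's static, add the 851's return route."""
    fixed = {dev: list(table) for dev, table in routes.items()}
    fixed["3560"].remove(("10.10.2.0/24", "10.10.10.1", 1))
    fixed["851"].insert(0, ("10.10.2.0/24", "10.10.10.3", 1))
    return fixed

def lookup(table, dst):
    """Longest-prefix match; on a tie the lower administrative distance wins."""
    best = None
    for prefix, nexthop, ad in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, nexthop)
    return best[1] if best else None

def trace(routes, src, dst, max_hops=6):
    """Forward hop by hop; ends in DELIVERED, DROP, or the name of an outside next hop."""
    path, dev = [src], src
    for _ in range(max_hops):
        nh = lookup(routes[dev], dst)
        if nh is None:
            return path + ["DROP"]
        if nh == "connected":
            return path + ["DELIVERED"]
        if nh not in OWNER:
            return path + [nh]  # leaves the modelled network, e.g. toward the ISP
        dev = OWNER[nh]
        path.append(dev)
    return path + ["LOOP"]

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", with_fix(ROUTES_BEFORE))):
        print(label, "ping  laptop -> 851:", trace(routes, "laptop", "10.10.10.1"))
        print(label, "reply 851 -> laptop:", trace(routes, "851", "10.10.2.50"))
```

The model also shows that the 3560's static route for 10.10.2.0/24 never wins against its own connected VLAN 2 route, so the real fix is the return route on the 851.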

Ah OK, I see, thanks. When I deploy this into the live environment we will have Vlan1 with an IP address given to us by the tier 1 transit provider, with their default gateway address. All IP addresses we provide via DHCP in Vlan2 will be public IP addresses, so am I right in thinking we won't run into this issue as long as the tier 1 is announcing our address space?

Thanks

Rip.

Yes, your understanding is correct. If the 851 is managed by the provider, they will configure the route.

Regards,

Lei Tian

That's great. Thanks so much for your help. I'm not sure if this is your area, but I am now looking at using 802.1q to use QinQ on Vlan2. If I use QinQ, does the user actually have to configure anything on their PC/CPE, or does the 3560 just automatically place them in their own VLANs?

Thanks

Rip.

Hi,

What is the need for QinQ here? QinQ is typically used in a provider network to tag customer traffic with a dedicated number, so traffic from one customer will not leak to another customer.

Regards,

Lei Tian

I am creating a service provider network on a smallish scale over a region. We are trying to start small and then scale up later once we get to a few hundred users, hence the 3560. All traffic is delivered to us from customers in one VLAN, so we need to ensure that the customers cannot see each other. I tried the "switchport protected" command you suggested and it works, but I understand one of the other service providers is doing QinQ, so I wanted to ensure we are providing the right level of security. I'm not sure of the security differences between the two.

We first started off planning a central switch with PPPoE, AAA etc. as would be expected, but realised it's not required as this is taken care of before the traffic reaches us.

We plan to upgrade to bigger, better Cisco kit once we reach 500 users.

Thanks

Rip.

Hi,

QinQ is no more than regular VLANs; it prevents communication between different VLANs. The only difference is that a QinQ tunneling port doesn't care what traffic is sent to it; it can be L3 or L2. switchport protected will prevent communication within the same VLAN. So, you can see the difference.

If supporting QinQ is the requirement, you can just add "switchport mode dot1q-tunnel" to the customer-facing port. A few best practice rules you need to follow when deploying QinQ:

1. Change the system MTU to 1504 to support the additional 4-byte header.

2. Enable dot1q tag native.

3. Don't use VLAN 1 for the native VLAN ID, and do not pass any data traffic via the native VLAN.

A configuration example of QinQ on the 3560 can be found at

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_46_se/configuration/guide/swtunnel.html#wp1001998

HTH,

Lei Tian
