I am implementing a VLAN per subnet plan, that at the moment is a flat network with secondary addresses on the 4503 switch:
I have a customer that has his router uplinked to my switch with an ethernet interfrace. He has two of the subnets with NATed address on them.
He has the second subnet added with a secondary address on his ethernet interface.
All subnets are in VLAN 1 on my side at the moment and everything is working with no problem.
When I start moving the subnets into their own VLAN, how can I make sure he maintains connection with his single interface.
Do I need to have him trunk his interface and me do the same on the switch port?
Or is there a way to do it without him doing anything?
Could you explain a bit more about the way the NAT works for your customer.
As far as connectivity you have three options for the customer
1) You can make the link to his router a trunk link ( his link ethernet interface will need to be fastethernet or better). You can then create subinterfaces for all vlans on the router interface - it's called routing on a stick. Whether the router can do it depends on both the hardware and the IOS he is running (assuming it is a Cisco router).
2) Second solution is to to put them into one of the vlans and address the ethernet interface out of one of the vlans. You then add routes on the customer router for the other subnets.
3) Third solution is to create a P2P link between your 4503 and his router. Again you would need to add routes or run a routing protocol between your 4503 and the customer router. Which version of software are you running on your 4503 ?
All of the above will work but a bit more info on the NAT setup would help.
Personally i would go with option 3. They are a customer and so i would not add them straight onto one of your vlans. Better they route to them and if needed you can then apply access-lists on this link.
Thanks for the rreply jon
What the customer is doing:
On one of our subnets, he has two print servers at his site, our users on our network scheme, point to our local addresses to print to his print servers on his network.
The print servers just look like thay are local to us, when in fact they are in his network.
On the other subnet, it will be the reverse of that, he is going to access one of our servers from his network, but his addressing is flipped to our network on his router.
Everything looks local to us, which is how I don't understand how option 3 would work.
Could you explain?
Also, he is connected physically through several switches via fiber to get to the 4503, so would I do a layer 2 vlan to the 4503?
Switch has 12.2
Okay i understand now what you are doing and yes you would need to have the router interface on the same subnet as the print server addresses (your local print server addresses that is) so option 3 will not work.
As long as the "local addresses" are out of the same subnet option 2 is probably the way to go then. Allocate the router interface out of the vlan range of the local printer addresses and then make sure you have routes for the other subnets on the router going via the 4503 vlan interface.
Yes you will need to extand the vlan across the switches to the switch that the router interface connects into.
With this setup you can still filter traffic if needed on the vlan interface on the 4503.
Thanks again jon,
He is using two of our subnets, he just has added a secondary interface to his interface.
Primary address is my subnet 10.10.10.0
secondary address is my subnet 10.10.11.0
An I wanted to VLAN those subnets to different VLANs
Which is where the problem lies.
Also, I have seen theis suggested before in diffent posts,
Can you explain how I would filter the traffic on the interface of the 4503?
I keep thinking in terms of access lists and dont see how to apply it when the interface would be in the same subnet as what you are trying to filter (thinking in terms of limiting access to what the customer can get to).
Apologies for not explaining clearly, i had to do something else.
You are right in what you say that a layer 3 access-list would't work. But assuming that all your devices that are in those vlans are attached to your 4500 switch you can use VACL's/vlan maps to filter traffic within the same vlan.
Note that if any of the devices you want to restrict access to are on those switches that link the customer to your 4500 you would need to apply the same there as well. Attached is a link to 4500 configuration of VACLs/vlan maps:-
Many thanks for ratings
Thanks Jon, I appreciate the help.
Since what I said:
that he is using my subnet 1 as his primary address and my subnet 2 as a secondary address, then it looks like he is going to have to make changes to get this to work.
Another option is that I can leave those two subnets in the same VLAN and just trunk that up to the server he is trying to get to.
The only problem is that his traffic is going to get trunked with all the other (my company) traffic on that subnet, which will limit what I can do security wise, is this correct?
A lot depends on how happy you are with the customer having access to your network in the way they do at present.
To isolate their traffic more effectively would require quite a bit of new configuration both for you and the customer.
If you are creating vlans to segregate your traffic then it would make sense to create subinterfaces on the customer router and connect it via a trunk to your 4500 switch. This still is dependant on the customer being able to run dot1q encapsulation.
If you trunk to your 4500 switch via the intermediate switches you can still filter the traffic on your 4500 switch. However as said before if any of your servers are on the intermediate switches then you need to filter traffic there. A trunk will just carry that vlan traffic to the correct switch, you can still filter it once it has come out of the trunk.
If you leave both subnets in the same vlan you wouldn't need a trunk but you then cannot segregate these subnets into separate vlans on the switch as the traffic will not be tagged so the 4500 would not know how to send it to the correct vlan.
I hope this makes sense
Yes, you are explaining it very well.
The reason for all of this is to VLAN out the voice and data along with printers.
Also, I do want to be able to control what they have access to.
So, I use the VLAN maps on the 4503.
Thanks for all of the help