
Nested VLANs: Is this possible?

MarkJeffers
Level 1

We have several large schools for which we purchased Cisco Layer 3 switches with the intention of setting up and routing VLANs within each location.

We are getting a new ISP. I was just informed that the ISP was connecting all our locations with a large layer 3 switch and that they had actually segregated each location using VLANS.

This means that we would be attempting to set up several VLANs within a VLAN. My first thought is that this would not be possible. Can anyone verify or correct me on this thought?

Thanks,


8 Replies

MhnsITSolutions
Level 1

Hello MarkJeffers,

I am not sure whether I understand the question(s) and/or the problem(s) correctly. You work for an ISP that offers services/uplinks to some schools? Or you work for one of those schools?

Normally it should not be important whether (or not) the ISP uses VLAN on their network(s). The schools and the ISP can use VLAN for their own needs.

Please go ahead and make your questions more clear. Then I can try to give you some help, as far as I know the answer.

Sorry I was not clear. Let me try again.

I work for a school system that has 33 schools. At each location my ISP is handing me a Gig connection on copper. What I have found out is that each school is leading back to a layer 3 switch and that each location's data is separated by VLAN. So school 1 might be VLAN 2, school 2 will be VLAN 3, school 3 will be on VLAN 4, and so on, and so on.

We had bought layer 3 Cisco switches for each location. The idea being that each location will be segmented into several VLANs. Office staff will be on say VLAN 2, teachers on VLAN 3, and students on VLAN 4, and I will be able to route data between these VLANs. Keep in mind that one school’s VLANs have nothing to do with another. The office VLAN in school 1 does not know anything about the office VLAN in school 2 and so forth.

So say for school 2, my frames going back and forth with the ISP are tagged for VLAN 3. I will be taking that connection into my own layer 3 device and attempting to segment the LAN with my own VLANs again tagging the frames for VLAN 2, 3, 4, and so forth.

So it seems to me that data going out from a school will be tagged by my device as being in a particular VLAN, and then tagged by my ISP as being in another particular VLAN. My question is, will this scenario work? Will the ISP VLAN even know that I have several VLANs set up under it? Will I have a problem with frame size as some data will be double tagged?

I hope this makes a little more sense. Thanks for any info or suggestions.

Hello MarkJeffers,

No problem, this information looks much better for some answers. If I understood you correctly then there shouldn't be any problem with "your" VLANs. It isn't important whether your ISP uses VLAN or not. You will need at least one device that supports VLAN at each school (at their location).

You have to set up the switches and (if needed) you can let them transfer VLAN tagging IDs between "your" switches. This is based on the number of network devices (clients, servers, printers etc.) that you have to place on the same VLAN. For example, if you have more computers so that the number of available ports on the switch is not enough, then you can connect one switch with another and let them "share" the VLAN tagging IDs (to place more computers in the same VLAN).

I understood you correctly that you didn't ask for a way that a LAN from one school should be connected directly with a LAN from another school, is that right?

Sorry if my English sounds ugly - English isn't my native language ;)

By the way ... Feel free to rate postings here ;)

Still missing several key pieces of information.

1. What is the purpose for the network you are buying from the provider? What connectivity between sites is required?

2. Are you buying an MPLS service from a service provider? If so, are you purchasing a Layer 2 service that provides VLAN connectivity at L2 between sites (similar to ATM or Frame Relay) or are you purchasing an L3 service similar to the Internet? AT&T calls the L3 service nVPN, other providers use different names.

3. What is the topology? Do all schools talk to each other (full mesh) or do all schools go back to a central data center (hub&spoke)? What is the VLAN design?

4. Why do you care what VLAN the service provider or ISP uses?

5. What do you mean by the service provider is providing a L3 switch? What is your handoff to the provider, a trunk with multiple vlans or a layer 3 link?

6. If the provider is giving you multiple vlans at each site, is one of them connectivity to the Internet?

This sounds most likely like the service provider is connecting you to their MPLS backbone. Depending on the service that they are providing you would either get a trunk with multiple VLANs mapped between sites (per VLAN) or a L3 handoff in which they route between your sites.

With answers to the above questions this forum will be able to provide better answers...

Cheers.

Hi there Mark,

First of all; Yes, it will work.

You don't need to concern yourself with the ISP. The concept of "VLAN tagging" is only *internal* to the switch you are doing the tagging on. The only way the tags are shared with other switches is with a special link which you specifically configure as a "trunk" for exchanging packets *with* VLAN tags still in place. The protocol used for this is the 802.1q (or dot1q as used in Cisco IOS config) or ISL (Cisco proprietary) protocol.

Your ISP will most certainly deliver you an "access port" which is mapped to an internal VLAN in their network. This internal mapping will not have any impact on your local LANs. You will have to use a standard "access port" as well towards the ISP, which you of course will map to a VLAN of your choice in your Layer 3 switch.

Frame size is not a problem. The "internal VLAN tagging" is done as an addition to the existing frame, also in dot1q trunks.

Did it help? If so, please rate it.

I thank all of you for your responses. My primary question has been answered. The question of: Will this work? I wish I had more information, but as it is the weekend and my ISP is not available for questions, I had to go on the info I had.

I can hatch out all the details later I just wanted to know that we didn’t just spend a bunch of money on a plan that may not work as we had previously thought.

Thanks again!

Hi MarkJeffers,

Everything should work for your needs. Rseiler and johansens said the same as me (but more technically specific). You just need to make sure (if the switch should do IP routing too) that it supports these functions. Some devices have these features already included, and others can only do routing services with an additional module. That is based on the hardware that you bought and its specifications.

Have a nice weekend :-)

Q-in-Q

That is the short term for what you are asking about - 802.1q tagged frames inside another (e.g., provider's) 802.1q tagged frame (that is, a VLAN). This is technically possible, but depends on whether or not the provider supports it as part of their service offering. Most of Cisco's enterprise switches support the feature.

While Q-in-Q would support your connectivity scheme if offered, you could likewise segregate your administrative domains based on Layer 3 boundaries, routing, access lists, etc. One shortcoming of running a Layer 2 (VLAN) domain across the WAN is that you will use bandwidth unnecessarily for local broadcasts.

Hope this helps, please rate helpful posts.
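Putting the two answers above (the untagged access-port handoff johansens describes, and the Q-in-Q option in the last reply) into a frame-level walk-through, as an added example that is not part of the thread: a small Python script that builds 802.1Q frames, pushes and pops tags the way trunk, access and provider ports do, and shows why the frame-size concern is only a 4-bytes-per-tag question. The MAC addresses and payload are constructed; the 0x88A8 outer TPID is the IEEE 802.1ad value, and since some implementations use 0x8100 for the outer tag as well (the reply calls it "802.1q inside another 802.1q"), the parser accepts either at any position.

```python
import struct

# TPIDs / EtherTypes. The parser accepts either TPID at any depth because
# some Q-in-Q implementations tag the outer header with 0x8100 as well.
TPID_8021Q = 0x8100    # customer tag (C-tag)
TPID_8021AD = 0x88A8   # service/provider tag (S-tag)
ETHERTYPE_IPV4 = 0x0800
TPIDS = (TPID_8021Q, TPID_8021AD)

MAX_UNTAGGED_FRAME = 1518  # bytes incl. FCS, i.e. a 1500-byte payload

# Constructed sample values, not taken from the thread.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes(46)  # minimum Ethernet payload; contents are irrelevant here


def build_untagged(dst, src, ethertype, payload):
    """Plain Ethernet II frame (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame, vlan_id, tpid=TPID_8021Q, pcp=0):
    """Insert one 4-byte tag after the 12-byte MAC header, as a trunk port
    (or a provider tunnel port) does on egress. The frame grows by 4 bytes."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Strip the outermost tag, as an access port does on egress.
    Returns (vlan_id, frame_without_that_tag)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid not in TPIDS:
        raise ValueError("frame carries no VLAN tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def parse_tags(frame):
    """Walk the tag stack outermost-first.
    Returns (tags, inner_ethertype) with tags as a list of (tpid, vlan_id)."""
    tags, off = [], 12
    while True:
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
        if ethertype not in TPIDS:
            return tags, ethertype
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((ethertype, tci & 0x0FFF))
        off += 4


def max_frame_len(tag_depth):
    """Largest frame a switch on the path must accept for tag_depth stacked tags."""
    return MAX_UNTAGGED_FRAME + 4 * tag_depth


def routed_handoff(payload=PAYLOAD):
    """The scheme the accepted answers describe: the school's Layer 3 switch keeps
    its own VLANs internal and hands the ISP an untagged frame on an access port;
    the ISP then tags it into *its* VLAN. The school's VLAN IDs never reach the ISP."""
    frame = build_untagged(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, payload)
    on_school_trunk = push_tag(frame, 2)            # e.g. office VLAN 2 inside the school
    local_vid, to_isp = pop_tag(on_school_trunk)    # ISP-facing access port removes the tag
    in_isp_core = push_tag(to_isp, 3)               # ISP maps that port to its VLAN 3 (school 2)
    tags, _ = parse_tags(in_isp_core)
    return {"school_vlan": local_vid, "provider_sees": tags,
            "bytes_added_by_isp": len(in_isp_core) - len(to_isp)}


def qinq_handoff(payload=PAYLOAD, outer_tpid=TPID_8021AD):
    """Q-in-Q, as in the last reply: the school sends an 802.1Q-tagged frame and
    the provider pushes a second (outer) tag, leaving the inner one intact."""
    from_school = push_tag(build_untagged(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, payload), 2)
    in_isp_core = push_tag(from_school, 3, tpid=outer_tpid)
    tags, inner_ethertype = parse_tags(in_isp_core)
    _, delivered = pop_tag(in_isp_core)             # far-end provider port strips only the outer tag
    return {"provider_sees": tags, "inner_ethertype": inner_ethertype,
            "delivered_intact": delivered == from_school,
            "frame_len": len(in_isp_core), "needs_max": max_frame_len(len(tags))}


if __name__ == "__main__":
    print(routed_handoff())
    print(qinq_handoff())
```

In the routed handoff the provider's tag stack is one deep and the school's VLAN number is gone before the frame leaves the building, which is why the ISP's VLAN choice cannot collide with yours. In the Q-in-Q case the stack is two deep and the frame is 8 bytes longer than an untagged one, so every switch on the path must accept 1526-byte frames; that is the only frame-size question double tagging raises, and it is the provider's to answer when they say whether they offer the service.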
