12-26-2005 07:31 PM - edited 03-03-2019 11:18 AM
Dear Cisco gurus,
I will implement a VLAN from my head office to the branch office via Frame Relay (see attachment). My questions are:
1. Is it possible to route each VLAN to my branch's VLAN such that each VLAN can't connect to the other VLANs?
2. If this can't be done, what protocol must I implement for the best result?
Thank you for your best answer.
Regards,
Haris
12-26-2005 09:32 PM
Well, there are several things to ask here. One: is this actually Frame Relay provided to you by your LEC, or are you just using Frame Relay on a point-to-point T1?
Option 1: If you're using Frame Relay on a point-to-point T1, you can create multiple Frame Relay subinterfaces and then bridge VLAN to VLAN across your T1; this in effect would give you the connectivity you're asking for. The problem with that solution is that it is very inefficient and kind of ruins your ability to do QoS and really control your traffic across your WAN.
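Option 1 sample config:
RTR A
! IRB has to be enabled globally before the BVI interfaces can route the bridged VLANs
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
interface fa0/0
interface fa0/0.1
 description ***vlan 1***
 encapsulation dot1q 1 native
 bridge-group 1
interface fa0/0.2
 description ***vlan 2***
 encapsulation dot1q 2
 bridge-group 2
interface s0/0
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface s0/0.1 point-to-point
 frame-relay interface-dlci 21
 bridge-group 1
interface s0/0.2 point-to-point
 frame-relay interface-dlci 22
 ! this PVC carries VLAN 2, so it joins bridge group 2
 bridge-group 2
interface bvi 1
 ip address x.x.x.x
interface bvi 2
 ip address x.x.x.x
RTR B
! IRB has to be enabled globally before the BVI interfaces can route the bridged VLANs
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
interface fa0/0
interface fa0/0.1
 description ***vlan 1***
 encapsulation dot1q 1 native
 bridge-group 1
interface fa0/0.2
 description ***vlan 2***
 encapsulation dot1q 2
 bridge-group 2
interface s0/0
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface s0/0.1 point-to-point
 frame-relay interface-dlci 21
 bridge-group 1
interface s0/0.2 point-to-point
 frame-relay interface-dlci 22
 ! this PVC carries VLAN 2, so it joins bridge group 2
 bridge-group 2
interface bvi 1
 ip address x.x.x.x
interface bvi 2
 ip address x.x.x.x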
Option 2 is much simpler: you would just route normally and set up access lists to deny traffic from source networks to destination networks on each side. Of course, you would have to have different IP space in each of the different VLANs.
Option 2 sample config:
RTR A
interface fa0/0
interface fa0/0.1
 description ***vlan 1***
 encapsulation dot1q 1 native
 ip address 1.1.1.1 255.255.255.0
 ip access-group 111 in
 ip access-group 111 out
interface fa0/0.2
 description ***vlan 2***
 encapsulation dot1q 2
 ip address 2.2.2.1 255.255.255.0
 ip access-group 122 in
 ip access-group 122 out
interface s0/0
 encapsulation frame-relay
 frame-relay lmi-type ansi
 frame-relay interface-dlci 21
! anything not permitted below is dropped by the implicit deny at the end of each list
access-list 122 remark ***VLAN 2 to VLAN 2***
access-list 122 permit ip 2.2.22.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 122 permit ip 2.2.2.0 0.0.0.255 2.2.22.0 0.0.0.255
access-list 111 remark ***VLAN 1 to VLAN 1***
access-list 111 permit ip 1.1.11.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 111 permit ip 1.1.1.0 0.0.0.255 1.1.11.0 0.0.0.255
RTR B
interface fa0/0
interface fa0/0.1
 description ***vlan 1***
 encapsulation dot1q 1 native
 ip address 1.1.11.1 255.255.255.0
 ip access-group 111 in
 ip access-group 111 out
interface fa0/0.2
 description ***vlan 2***
 encapsulation dot1q 2
 ip address 2.2.22.1 255.255.255.0
 ip access-group 122 in
 ip access-group 122 out
interface s0/0
 encapsulation frame-relay
 frame-relay lmi-type ansi
 frame-relay interface-dlci 20
! anything not permitted below is dropped by the implicit deny at the end of each list
access-list 122 remark ***VLAN 2 to VLAN 2***
access-list 122 permit ip 2.2.22.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 122 permit ip 2.2.2.0 0.0.0.255 2.2.22.0 0.0.0.255
access-list 111 remark ***VLAN 1 to VLAN 1***
access-list 111 permit ip 1.1.11.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 111 permit ip 1.1.1.0 0.0.0.255 1.1.11.0 0.0.0.255
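The isolation that Option 2 relies on can be checked offline before the lists go onto a router. The following is an added example, not part of the original reply: a small Python evaluator for the extended ACL lines posted above, applying wildcard-mask matching and the implicit deny to every VLAN pair. The host addresses and the helper names (`parse_acls`, `evaluate`, `isolation_report`) are constructed for illustration.

```python
import ipaddress

# Option 2 ACL lines as posted in the reply above (identical on both routers).
ACL_TEXT = """
access-list 122 remark ***VLAN 2 to VLAN 2***
access-list 122 permit ip 2.2.22.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 122 permit ip 2.2.2.0 0.0.0.255 2.2.22.0 0.0.0.255
access-list 111 remark ***VLAN 1 to VLAN 1***
access-list 111 permit ip 1.1.11.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 111 permit ip 1.1.1.0 0.0.0.255 1.1.11.0 0.0.0.255
"""

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acls(text):
    """Parse 'access-list N permit|deny ip src wild dst wild' into {N: [entries]}."""
    acls = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[2] in ("permit", "deny") and f[3] == "ip":
            acls.setdefault(f[1], []).append((f[2], *map(_int, f[4:8])))
    return acls

def wild_match(addr, base, wild):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(entries, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = _int(src), _int(dst)
    for action, sb, sw, db, dw in entries:
        if wild_match(s, sb, sw) and wild_match(d, db, dw):
            return action
    return "deny"

def isolation_report(acls):
    # Constructed sample hosts, one per subnet in the reply's addressing plan.
    hosts = {"HQ-VLAN1": "1.1.1.10", "BR-VLAN1": "1.1.11.10",
             "HQ-VLAN2": "2.2.2.10", "BR-VLAN2": "2.2.22.10"}
    acl_for = {"VLAN1": "111", "VLAN2": "122"}  # ACL bound to each subinterface
    # A packet is checked inbound by the ACL on its source VLAN's subinterface.
    return {(a, b): evaluate(acls[acl_for[a.split("-")[1]]], src, dst)
            for a, src in hosts.items() for b, dst in hosts.items() if a != b}

if __name__ == "__main__":
    for (a, b), verdict in isolation_report(parse_acls(ACL_TEXT)).items():
        print(f"{a} -> {b}: {verdict}")
```

Only the four same-VLAN pairs between head office and branch come back as `permit`; every cross-VLAN pair, including the two VLANs on the same router, falls through to the implicit deny.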