How to use Vlan with one DLCI in frame-relay

kurniahar · ‎12-26-2005

Dear Cisco's Guru

I will implement a vlan from my headoffice to the branchoffice via frame-relay (see attachment). my ask is :

1. it's posible to route each vlan to my branch's vlan which each vlan can't connect to other vlan?

2. if this can't doing what protocol must i implemented for the best result.

Thank you, for your best answer

Regard's

Haris

Patrick Laidlaw · ‎12-26-2005

Well there are several things to ask here. One is this actually frame-relay provided to you by your LEC or are you just using frame-relay on a point-to-point T1.

Option 1 If your using frame-relay on a point to point T1 you can create multiple frame-relay subinterfaces and then you can bridge vlan to vlan across you T1 this in effect would give you the connectivity your asking for. Problem with that solution is it is very inefficient kind of ruins your ability to do qos and really control your traffic across your WAN.

Option 1 config sample.

RTR A

interface fa0/0

interface fa0/0.1

description ***vlan 1***

encapsulation dot1q native 1

bridge group 1

interface fa0/0.2

description ***vlan 2***

ecapsulation dot1q 2

bridge group 2

interface s0/0

encapsulation frame-relay

frame-relay lmi-type ansi

interface s0/0.1 point-to-point

frame-relay interface-dlci 21

bridge group 1

interface s0/0.2 point-to-point

frame-relay interface-dlci 22

bridge group 1

bvi 1

ip address x.x.x.x

bvi 2

ip address x.x.x.x

RTR B

interface fa0/0

interface fa0/0.1

description ***vlan 1***

encapsulation dot1q native 1

bridge group 1

interface fa0/0.2

description ***vlan 2***

ecapsulation dot1q 2

bridge group 2

interface s0/0

encapsulation frame-relay

frame-relay lmi-type ansi

interface s0/0.1 point-to-point

frame-relay interface-dlci 21

bridge group 1

interface s0/0.2 point-to-point

frame-relay interface-dlci 22

bridge group 1

bvi 1

ip address x.x.x.x

bvi 2

ip address x.x.x.x

Option 2 is much simpler you would just route normally and setup access-lists to deny traffic from source networks to destination networks on each side. of course you would have to have different ip space in each of the different vlans.

Option 2

sample config

RTR A

interface fa0/0

interface fa0/0.1

description ***vlan 1***

encapsulation dot1q native 1

ip address 1.1.1.1 255.255.255.0

access-group 111 in

access-group 111 out

interface fa0/0.2

description ***vlan 2***

ecapsulation dot1q 2

ip address 2.2.2.1 255.255.255.0

access-group 122 in

access-group 122 out

interface s0/0

encapsulation frame-relay

frame-relay lmi-type ansi

frame-relay interface-dlci 21

access-list 122 remark ***VLAN 2 to VLAN 2***

access-list 122 permit ip 2.2.22.0 0.0.0.255 2.2.2.0 0.0.0.255

access-list 122 permit ip 2.2.2.0 0.0.0.255 2.2.22.0 0.0.0.255

access-list 111 remark ***VLAN 1 to VLAN 1***

access-list 111 permit ip 1.1.11.0 0.0.0.255 1.1.1.0 0.0.0.255

access-list 111 permit ip 1.1.1.0 0.0.0.255 1.1.11.0 0.0.0.255

RTR B

interface fa0/0

interface fa0/0.1

description ***vlan 1***

encapsulation dot1q native 1

ip address 1.1.11.1 255.255.255.0

access-group 111 in

access-group 111 out

interface fa0/0.2

description ***vlan 2***

ecapsulation dot1q 2

ip address 2.2.22.1 255.255.255.0

access-group 122 in

access-group 122 out

interface s0/0

encapsulation frame-relay

frame-relay lmi-type ansi

frame-relay interface-dlci 20

access-list 122 remark ***VLAN 2 to VLAN 2***

access-list 122 permit ip 2.2.22.0 0.0.0.255 2.2.2.0 0.0.0.255

access-list 122 permit ip 2.2.2.0 0.0.0.255 2.2.22.0 0.0.0.255

access-list 111 remark ***VLAN 1 to VLAN 1***

access-list 111 permit ip 1.1.11.0 0.0.0.255 1.1.1.0 0.0.0.255

access-list 111 permit ip 1.1.1.0 0.0.0.255 1.1.11.0 0.0.0.255