San Jose, CA
How to maintain VLAN Tags across Routers
Hey all, just to give you all a background on this. It's a challenge from my friend knowing that I'm definitely not "It" when it comes to things like this so I'm going to cheat and ask here.
The question that was posed was: Can this network be set up where the VLAN 10 PC on Switch 1 has connectivity to the VLAN 10 PC on Switch 2 while maintaining separation from VLAN 20 traffic? Likewise with VLAN 20 devices off the same switches. Also, VLAN 10 & 20 PCs both have connectivity to the internet. No access-lists allowed!
My first guess is no, it is impossible because the VLAN and MAC headers get stripped going from router to router. It should all be layer 3 routing so there is no need for the VLAN or MAC headers. Therefore VLAN 10 and VLAN 20 devices will have IP connectivity to each other. But I'm having second thoughts.
So how should I answer my friend? Is it or is it not possible?
Note: The switches are 2950s and the routers are 2801s.
"The real 'smart' people are successful because they make sure everyone else remains stupid and ignorant."
Domwilko - CCVP, CCNP, CCNA, CCDA
The quick answer is yes, it is possible, using GRE or VPN tunnels set up between Routers 1 & 3 and using policy routing.
Yes there are many ways to accomplish this.
In the real world, that's the scenario for an MPLS VPN. You would replace that middle router with MPLS L3 VPN service from a provider like Verizon or AT&T, and run two different VRFs, one for each group of users at each site. That would be a true layer 3 solution to the problem and limit the complexity of the edge router config.
If an MPLS solution isn't possible, you can set up an L2TPv3 tunnel of your own and actually pipe the VLANs across the WAN side of the router.
Multiple GRE tunnels. Virtual routing and forwarding instances. Policy routing will also work. There are many ways to accomplish the goal with varying degrees of functionality and complexity.
Edit: Since your location is listed as "San Jose, CA" you could probably stand on the street corner with that picture printed out. Some jobless CCIE laid off by Cisco will probably stumble up and offer to configure it for you ;P
Even without an MPLS cloud from a carrier, this could be accomplished with VRF lite within the existing routers. All it would do is provide logical segmentation within the common physical devices just like the other tunnel methodologies expressed earlier which are all valid alternatives.
Of course, with any of these solutions you would be complicating your routing configuration. Not that it's a huge deal, but it could throw some beginners off a little bit.
To put more spice into this, firefox, let me ask you this. Are you trying to have the VLAN 10 PC on one end be within the same broadcast domain as the VLAN 10 PC on the other end? Same question for the VLAN 20 PCs.
If the VLAN 10 PC on one end does not have to be within the same broadcast domain as the VLAN 10 PC on the other end, then you could implement MPLS VPN like nosx suggested. Basically you need to set up the following:
* Segment Switch 1 into multiple VLANs (in your case, VLAN 10 and VLAN 20)
* Switch 1 trunk with Router 1
* Router 1 terminates Layer-3 VLAN interfaces of left side
* Segment Switch 2 into multiple VLANs (in your case, VLAN 10 and VLAN 20)
* Switch 2 trunk with Router 3
* Router 3 terminates Layer-3 VLAN interfaces of right side
* Set Router 1 and Router 3 as CE and Router 2 as PE
* Assign one VRF for VLAN 10 and another VRF for VLAN 20
* Router 2 will leak default route to the Internet to both VRF labels to allow Internet access for both networks.
Now if you do want to have the VLAN 10 PC on one end be within the same broadcast domain as the VLAN 10 PC on the other end, and to have the VLAN 20 PC on one end be within the same broadcast domain as the VLAN 20 PC on the other end, the approach will be a little bit different.
To maintain such broadcast domain consistency, you could implement L2TPv3 like nosx suggested, or you could still implement VRF (in this case VRF lite) with a little creativity.
Either solution will provide some kind of "Ethernet network extension" across the WAN. With these approaches, the WAN will be transparent to both networks, since from the PC's perspective, a PC on the left side will see a PC on the right side as being within the same LAN (same broadcast domain) without routing or hops.
Personally I like the second solution (VRF lite with a little creativity) instead of L2TPv3, since L2TPv3 might not be supported on the 2801. With this second solution, you could even use older models like the 2600 series routers.
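The VRF-lite-plus-GRE variant that several replies above describe (one VRF per VLAN on Routers 1 and 3, one GRE tunnel per VRF across Router 2, Internet via a default route leaked to the global table), written out as an added example config for Router 1; it is not taken from the thread or from any poster. The VRF names, VLAN subnets, WAN addresses (192.0.2.x documentation range) and interface names are all assumptions.

```cisco
! Router 1 (left CE) - added example, not from the original posts.
! Assumed: Fa0/0 is the dot1q trunk to Switch 1, Fa0/1 is the WAN link toward
! Router 2 (192.0.2.1), and Router 3's WAN address is 192.0.2.2.
ip vrf VLAN10
 rd 65000:10
ip vrf VLAN20
 rd 65000:20
!
! One subinterface per VLAN, each placed in its own VRF so the two VLANs
! never share a routing table (no access-lists needed for separation).
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding VLAN10
 ip address 10.10.1.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding VLAN20
 ip address 10.20.1.1 255.255.255.0
!
! WAN link stays in the global table; Router 2 only ever sees plain IP/GRE.
interface FastEthernet0/1
 ip address 192.0.2.10 255.255.255.0
!
! One GRE tunnel per VRF to Router 3. The tunnel endpoints are global
! addresses, but the tunnel interface itself lives inside the VRF.
interface Tunnel10
 ip vrf forwarding VLAN10
 ip address 172.16.10.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.0.2.2
interface Tunnel20
 ip vrf forwarding VLAN20
 ip address 172.16.20.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.0.2.2
!
! Remote site: VLAN 10 reaches VLAN 10 only through Tunnel10, and VLAN 20
! reaches VLAN 20 only through Tunnel20 (assumed remote subnets 10.x.2.0/24).
ip route vrf VLAN10 10.10.2.0 255.255.255.0 Tunnel10
ip route vrf VLAN20 10.20.2.0 255.255.255.0 Tunnel20
!
! Internet: each VRF's default route points into the global table, and the
! global table is told how to get back into each VRF's LAN subnet.
ip route vrf VLAN10 0.0.0.0 0.0.0.0 FastEthernet0/1 192.0.2.1 global
ip route vrf VLAN20 0.0.0.0 0.0.0.0 FastEthernet0/1 192.0.2.1 global
ip route 10.10.1.0 255.255.255.0 FastEthernet0/0.10
ip route 10.20.1.0 255.255.255.0 FastEthernet0/0.20
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

Router 3 mirrors this with the subnets and tunnel destination swapped; NAT toward the Internet, tunnel MTU adjustment, and the feature-set check for VRF support on the 2801 are left out here.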