Hi, another dumb question. We have ordered a Layer 2 Trunked Ethernet Point-to-Point connection with copper/RJ45 handoff at each end. My understanding is that these can be plugged directly into my 1638s at each site, but I'm not clear on port configuration or encryption.
Site A has these subnets/VLANs:
VLAN 1 - 10.101.0.0/24
VLAN 115 - 10.115.0.0/24
Site B has these:
VLAN 1 - 10.101.1.0/24
VLAN 115 - 10.115.1.0/24
How would this be configured? How is encryption done?
Thanks for your help.
Keith
diggly wrote:
Site A has these subnets/VLANs:
VLAN 1 - 10.101.0.0/24
VLAN 115 - 10.115.0.0/24
Site B has these:
VLAN 1 - 10.101.1.0/24
VLAN 115 - 10.115.1.0/24
How would this be configured? How is encryption done?
config t
! VLAN 1 exists by default; create VLAN 115 on the switch at each end
vlan 115
exit
interface [number of interface on switch at each end]
switchport mode trunk
! carry only VLANs 1 and 115 across the circuit; the VLAN list is one token, no spaces
switchport trunk allowed vlan 1,115
no shutdown
[ctrl-Z]
write mem
Encryption, if desired, would be done elsewhere such as at the endpoints.
Thanks jayh, makes sense. Circuit goes live Monday, will let you know how it goes.
Keith
jayh --- our ISP finally got the circuit up today, and initial attempts at connecting are unsuccessful.
I tried the config above with no success, but I'll try it again when things quiet down. Note that the same VLAN numbers refer to different subnets on each switch. Not sure how a reference to a Site B address (like 10.101.1.50) from a Site A address (like 10.101.0.50) would know to take the assigned port and not fall through to the default route to our firewall, which makes the connection over a site-to-site VPN tunnel.
Thanks again for your help.
Keith
Closer reading shows that you have different subnets on the same VLAN at both sides, but you specified a layer 2 trunked connection. The configuration I suggested was for a layer 2 bridge connecting each VLAN on one side to its mate on the other.
If you want a layer 2 setup to work, hosts in a given VLAN should be in the same subnet on both sides of the link. No routing on the link.
If in fact you want routing between the two sites it gets more complex and giving a complete configuration isn't possible without knowing more about your network topology such as any other networks connected to each VLAN, where the default routes are, any dynamic routing protocols in use, etc.
Thanks again jayh, I thought that might be the case.
To close the loop on this, the ISP did not in fact install a trunked circuit (which I don't really need but didn't know that when I ordered it), but gave me a single tagged VLAN to use. Once I cleared that up, it turned out the circuit was not even up, but eventually we got connectivity going, and I'll just set up routing over the tagged VLAN.
Keith
diggly wrote:
Thanks again jayh, I thought that might be the case.
To close the loop on this, the ISP did not in fact install a trunked circuit (which I don't really need but didn't know that when I ordered it), but gave me a single tagged VLAN to use. Once I cleared that up, it turned out the circuit was not even up, but eventually we got connectivity going, and I'll just set up routing over the tagged VLAN.
That works too! Most providers will offer Q-in-Q where the provider tag is stripped before the handoff to customer and you can add your own VLAN tag over the layer 2 circuit which is untagged at the customer handoff. This works transparently as long as the provider has sufficient MTU overhead within its network to support the customer VLAN tag.
Or, as you've done, just route it.
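Added example, not from anyone in this thread: a small Python model of the Q-in-Q handoff jayh describes. The MAC addresses and the provider S-tag 100 are constructed values; VLAN 115 is the customer VLAN from the thread. It shows the provider tag being popped at the customer handoff and why the provider network must have 4 bytes of MTU headroom per stacked tag.

```python
import struct

TPID_STAG = 0x88A8      # 802.1ad service (provider) tag
TPID_CTAG = 0x8100      # 802.1Q customer tag
ETH_HDR = 14            # dst + src + ethertype
FCS = 4
STD_MAX_FRAME = ETH_HDR + 1500 + FCS   # 1518 bytes: untagged Ethernet with a 1500-byte payload

def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame; tags is an outer-to-inner list of (tpid, vid)."""
    frame = dst + src
    for tpid, vid in tags:
        # TCI = 3-bit PCP, 1-bit DEI, 12-bit VID; PCP and DEI are left at zero here
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (tags outer-to-inner, inner ethertype, payload) by walking the tag stack."""
    tags, off = [], 12
    while True:
        tpid, = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_STAG, TPID_CTAG):
            return tags, tpid, frame[off + 2:]
        tci, = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0x0FFF))
        off += 4

def strip_outer_tag(frame):
    """What the provider edge does at the customer handoff: pop the outermost tag only."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        raise ValueError("frame is untagged; nothing to strip")
    return frame[:12] + frame[16:]

def frame_size_on_wire(payload_len, n_tags):
    """Bytes the provider network must carry for a payload with n_tags stacked tags."""
    return ETH_HDR + 4 * n_tags + payload_len + FCS

if __name__ == "__main__":
    dst = bytes.fromhex("01005e000001")   # constructed
    src = bytes.fromhex("0200c0ffee01")   # constructed
    # Customer sends VLAN 115 tagged; the provider pushes S-tag 100 (constructed) on top
    inner = build_frame(dst, src, [(TPID_CTAG, 115)], 0x0800, b"\x45" + b"\x00" * 1499)
    carried = inner[:12] + struct.pack("!HH", TPID_STAG, 100) + inner[12:]
    print(parse_tags(carried)[0])                     # [(34984, 100), (33024, 115)]
    print(parse_tags(strip_outer_tag(carried))[0])    # [(33024, 115)]
    print(frame_size_on_wire(1500, 2), ">", STD_MAX_FRAME)   # 1526 > 1518
```

A provider whose core MTU is exactly 1518 would drop the 1526-byte double-tagged frame, which is the MTU headroom jayh refers to.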