Nested VLANs: Is this possible?

Welby24

IS-IT--Management
May 20, 2006
8
US
We have several large schools for which we purchased Layer 3 switches with the intention of setting up and routing VLANs within each location.

We are getting a new ISP. I was just informed that the ISP was connecting all our locations with a large layer 3 switch and that they had actually segregated each location using VLANS.

This means that we would be attempting to set up several VLANs within a VLAN. My first thought is that this would not be possible. Can anyone verify or correct me on this thought?

Thanks,
 
I have a site with 42 VLANs, so you can certainly put VLANs behind VLANs, so long as you use a Layer 3 switch or router to route between them.

Let's say your ISP makes the schools VLAN 10, VLAN 20, etc.

You can put VLANs 11-19 off VLAN 10, and 21-29 off VLAN 20. (You can use any numbering scheme you like, but I would choose one that makes it easy.)

Then set up a routing protocol (OSPF is my favorite, but RIP may be easier to get started with) so the devices do all the 'paperwork' for you.

I tried to remain child-like, all I achieved was childish.
 
Thanks for your response, jimbopalmer. I confused several people with the way I stated my situation, so I will attempt to restate it and see if anyone else responds. See if this makes any more sense.

I work for a school system that has 33 schools. At each location my ISP is handing me a Gig connection on copper. What I have found out is that each school is leading back to a layer 3 switch and that each location's data is separated by VLAN. So school 1 might be VLAN 2, school 2 will be VLAN 3, school 3 will be on VLAN 4, and so on.

We had bought layer 3 Cisco switches for each location. The idea being that each location will be segmented into several VLANs. Office staff will be on say VLAN 2, teachers on VLAN 3, and students on VLAN 4, and I will be able to route data between these VLANs. Keep in mind that one school’s VLANs have nothing to do with another. The office VLAN in school 1 does not know anything about the office VLAN in school 2 and so forth.

So say for school 2, my frames going back and forth with the ISP are tagged for VLAN 3. I will be taking that connection into my own layer 3 device and attempting to segment the LAN with my own VLANs again tagging the frames for VLAN 2, 3, 4, and so forth.

So it seems to me that data going out from a school will be tagged by my device as being in a particular VLAN, and then tagged by my ISP as being in another particular VLAN. My question is: will this scenario work? Will the ISP VLAN even know that I have several VLANs set up under it? Will I have a problem with frame size, as some data will be double tagged?

I hope this makes a little more sense. Thanks for any info or suggestions.
 
1) Try to convince the ISP NOT to use VLAN1, as that will just confuse new devices. Everything is delivered as VLAN1.

2) I would make each VLAN a subnet, so when you hear VLAN, also think subnet.

3) You can define about 4000 VLANs, so if the ISP orders them 1 to 33, you can use the 100s at school 1 and the 200s at school 2 if that is an easy mnemonic. 10.s.v.d may be a good IP address scheme, where s is the school number (ISP VLAN), v is the VLAN in that school, and d is the device in the VLAN.

A printer in school 5 on VLAN 507 might have the address 10.5.7.220.

That way you need never try to reuse a VLAN number.

4) As packets move from VLAN to VLAN, they lose the ID of one VLAN and pick up the ID of the next one.

Let's assume our printer is on an untagged port on VLAN 507. Packets it works with have NO tags of any VLAN. If the switch it is hooked to is tagged going to the Layer 3 switch at school 5, then those packets are tagged with 507. Once it gets to the layer 3 switch and goes to the ISP's switch, it is tagged as VLAN 5.

The ISP sees all traffic to school 5 as VLAN 5, even though your layer 3 switch at school 5 may have many VLANs behind VLAN 5.

5) No data will be double tagged. It may carry several different tags as it traverses the network, but only one at a time.


I tried to remain child-like, all I achieved was childish.
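The numbering scheme from the reply above (ISP VLAN s per school, local VLAN s×100+v, subnet 10.s.v.0/24), worked through as an added example that is not part of the original thread. The function names and the role-to-index map (office 2, teachers 3, students 4) are assumptions made for illustration; the plan is checked against the 802.1Q VLAN ID limit and for reuse of any VLAN ID.

```python
import ipaddress

MAX_VLAN = 4094  # highest usable 802.1Q VLAN ID

def local_vlan(school, v):
    """School 5, local index 7 -> VLAN 507 (the numbering used in the reply)."""
    if not 1 <= v <= 99:
        raise ValueError(f"index {v} leaves school {school}'s block of 100 VLAN IDs")
    vid = school * 100 + v
    if school < 1 or vid > MAX_VLAN:
        raise ValueError(f"school {school}, index {v} gives invalid VLAN {vid}")
    return vid

def subnet(school, v):
    """10.s.v.0/24 for the VLAN, so VLAN and subnet map one to one."""
    local_vlan(school, v)  # validate before building the network
    return ipaddress.ip_network(f"10.{school}.{v}.0/24")

def locate(addr):
    """Recover (school, VLAN ID) from a device address such as 10.5.7.220."""
    o = ipaddress.IPv4Address(addr).packed
    if o[0] != 10:
        raise ValueError(f"{addr} is outside the 10.s.v.d plan")
    return o[1], local_vlan(o[1], o[2])

def build_plan(schools, roles):
    """Return (rows, notes) for school numbers and a {role: index} map."""
    rows, notes = [], []
    for s in schools:
        if s == 1:
            notes.append("ISP VLAN 1 is in use; the reply advises asking the ISP to avoid it")
        for role, v in sorted(roles.items(), key=lambda kv: kv[1]):
            rows.append((s, role, local_vlan(s, v), subnet(s, v)))
    ids = [r[2] for r in rows]
    # No local VLAN ID may repeat or collide with an ISP (per-school) VLAN ID
    if len(ids) != len(set(ids)) or set(ids) & set(schools):
        raise ValueError("a VLAN ID is reused within the plan")
    return rows, notes

if __name__ == "__main__":
    # Constructed input: 33 schools, three local VLANs each (assumed roles)
    rows, notes = build_plan(range(1, 34), {"office": 2, "teachers": 3, "students": 4})
    for s, role, vid, net in rows[:6]:
        print(f"school {s:2d}  {role:9s} VLAN {vid:4d}  {net}")
    print(notes, locate("10.5.7.220"))
```

With 100 VLAN IDs per school, this numbering runs out at school 40, where only indexes 1 to 94 stay within the 4094 limit.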
 