Vlan concept question 2

[drewdown]

I have some equipment, mainly a cisco call manager in an office on the 3rd floor. I need it to have connectivity to a an isolated network on the 2nd floor and it needs remain isolated from my inside network. I cannot run a cable there at the moment, however I have a switch in the 3rd floor office that is trunked to my core switch, that switch is trunked to a stack in the office on the 2nd floor.

Will a separate vlan allow me to connect the equipment and section off all traffic to and from that vlan from my internal network?

 

[jeter]

You can insert a vlan for any purpose. You will need setup encapsulation dot1q sub interfaces on the gateway/router to route correclty....


Go Army!
Tek-TIP Member 19,650

 

[vipergg]

Unless you create a layer3 SVI for that vlan they will be isolated from everyone else.

 

[burtsbees]

If these are L3 switches, you can also put in access lists to isolate the 2nd floor.

Burt

 

[unclerico]

tee hee, you guys are good

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[drewdown]

Core switch is a Layer 3, the other 2 are just layer 2. However I don't want to route traffic for it. I set up the vlan on all 3 switches and allowed it across all the trunks. On the same switch I can ping devices connected to that vlan but across the switches I cannot.

 

[drewdown]

^ Which is obvious because I did not configure an IP/gateway for that vlan. I don't want to route traffic for that vlan either, I just want it isolated and allow the equipment in the 3rd floor to route it.

 

[burtsbees]

Cool.

Burt

 

[Viconsul]

Guys,

On the same switch I can ping devices connected to that vlan but across the switches I cannot.

I beg to differ on the above statement, because as long as the vlans transverse the three switches you should be able to ping devices on the same vlan irespective of the physical location of the switch port or whether there is a L3 SVI configured or not.

-Viconsul

 

[vipergg]

That is correct if the vlan is trunked across all the switches he would be able to ping any device on any switch within that vlan , if he cannot then his trunks are not configured or working correctly.

 

[drewdown]

Then I am confused as to why its not working. Because I assumed that I should be able to ping across the switches when I set it up, but then it didn't work and I couldn't for the life of me figure out why. Here are my trunks, all 3 of them, the vlan in question is 999.

2nd floor:

interface GigabitEthernet1/0/1
 description PRIMARY TRUNK TO SW-CORE
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 2,4,6,8-11,22,999
 switchport mode trunk
 switchport nonegotiate

999  TESTVLAN                     active    Fa2/0/1

3rd floor

interface GigabitEthernet1/0/1
 description TRUNK TO CORE
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 903
 switchport trunk allowed vlan 2,4,6,8-11,22,999
 switchport mode trunk
 switchport nonegotiate
 no mdix auto

999  TESTVLAN                     active    Fa2/0/1

Core Switch

interface GigabitEthernet1/0/1
 description PRIMARY TRUNK TO SW-02
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 2,4,6,8-11,22,999
 switchport mode trunk
 switchport nonegotiate

interface GigabitEthernet2/0/4
 description TRUNK TO SW-03
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 903
 switchport trunk allowed vlan 2,4,5,8-11,22
 switchport mode trunk
 switchport nonegotiate

 

[drewdown]

Ahhh! Typing it out always helps. I forgot add vlan999 to the trunk between the 3rd floor switch and the core.

interface GigabitEthernet2/0/4
 description TRUNK TO SW-03
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 903
 switchport trunk allowed vlan 2,4,5,8-11,22,[b]999[/b]
 switchport mode trunk
 switchport nonegotiate