Non Routable VLAN 2

kcbell

IS-IT--Management
Dec 27, 2001
275
I am in a campus environment with multiple buildings. I would like to setup a private VLAN and want to know where should I start.

Typical vlan would have configuration like below at the router

interface Vlan2
description Legal
ip address 10.128.128.1 255.255.252.0
no ip redirects
no ip directed-broadcast

But how does one configure a non-routable VLAN? It is similar to a multi-tenant building that uses multiple switches and one router. One company will not know the other company exists because one company doesn't see the other company's network.

Please help!

 
To be honest that is "not" how you create a vlan; what you are doing in your description is creating a layer 3 interface for a specific vlan. If you do not create a layer 3 interface for a particular vlan it will be non-routable, hence it will be isolated to only its own broadcast domain. Just create a layer 2 vlan and it will be isolated. How to do this depends on what switches you are dealing with, so it's hard to specify without knowing what gear you are dealing with.
 
vipergg:

We use a non-routable VLAN for visitors coming on site who would like to have total Internet access. This VLAN has a DHCP server and a router to the Internet. The colleague who set this up is no longer with the company. I checked the router and it has no statement that specifies the IP range of this VLAN. So I wonder how one configures a VLAN that is totally separated from our office LAN.

We have some enterprise versions of the 1900 and 3550. Should I use a 3550 to set up a new layer 2 VLAN like VLAN50 and specify the range, and then also set up the 3550 as the VTP server?

KC
 
A VLAN, by definition, is a broadcast domain boundary which is layer-2 and thus "non-routable". When we're talking about "inter-vlan" routing, we use a router or a layer-3 device to connect different VLANs and enable routing between them. On a layer-3 switch like the Cat3550 or Cat3750, we need to use a switched virtual interface (i.e. interface VLAN X) with a layer-3 address like an IP address in order to make that VLAN participate in the routing process.

In other words, VLANs that do not have IP addresses on their SVIs will be "non-routable".

Say you have VLAN 10, 11, 12 and 13:

!
ip routing
!
vlan 10-13
!
interface vlan 10
ip address a.b.c.d 255.255.255.0
!
interface vlan 12
no ip address
!
interface vlan 13
ip address w.x.y.z 255.255.255.0
!

In this case, routing is only enabled between VLAN 10 and VLAN 13.
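As an added example (not part of the original thread), here is a small Python script that applies the rule above to a running-config: a VLAN is reported as "routable" only when its SVI carries an IP address and "ip routing" is enabled globally, otherwise it is "isolated". The sample config is constructed from the example above, with the placeholder addresses a.b.c.d / w.x.y.z swapped for RFC 1918 addresses.

```python
import re

# Constructed sample running-config mirroring the post's example above
# (placeholder addresses replaced with RFC 1918 addresses).
SAMPLE_CONFIG = """\
!
ip routing
!
vlan 10-13
!
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
!
interface vlan 12
 no ip address
!
interface vlan 13
 ip address 192.168.13.1 255.255.255.0
!
"""

def declared_vlans(config):
    """Layer-2 VLAN IDs from 'vlan N', 'vlan N-M' or 'vlan N,M' lines."""
    ids = set()
    for m in re.finditer(r"^vlan\s+([\d,\-]+)\s*$", config, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def svi_addresses(config):
    """Map VLAN ID -> 'ip mask' for each SVI; None when the SVI has no address."""
    svis, current = {}, None
    for line in config.splitlines():
        if line.startswith("!") or line.lower().startswith("interface"):
            current = None  # '!' or a new interface stanza ends the previous block
        m = re.match(r"^interface\s+vlan\s*(\d+)\s*$", line, re.I)
        if m:
            current = int(m.group(1))
            svis[current] = None
        elif current is not None:
            # 'no ip address' does not match: the line must start with 'ip address'
            m = re.match(r"^\s*ip address\s+(\S+)\s+(\S+)", line)
            if m:
                svis[current] = f"{m.group(1)} {m.group(2)}"
    return svis

def classify(config):
    """'routable' needs an addressed SVI plus global 'ip routing'; otherwise 'isolated'."""
    routing_on = re.search(r"^ip routing\s*$", config, re.M) is not None
    svis = svi_addresses(config)
    return {v: "routable" if routing_on and svis.get(v) else "isolated"
            for v in sorted(declared_vlans(config) | set(svis))}

if __name__ == "__main__":
    for vlan_id, state in classify(SAMPLE_CONFIG).items():
        print(f"VLAN {vlan_id}: {state}")
```

VLAN 11 (declared, no SVI) and VLAN 12 (SVI without an address) both come out as isolated, which is the point of the question that follows.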
 
lambert:

Excellent explanation!

Question: I don't see vlan 11 configured in your example. Can vlan 11 be defined on another switch within the network? If it can, should one also configure this device as a VTP server in order to update the other switches?

Thanks

KC
 
Vlan 11 is defined at the layer 2 end but he did create an SVI (layer 3) interface for it, so it is isolated.
 
vipergg:

Then, what is the difference between vlan 11 and vlan 12?

KC
 
Actually there is no difference, because vlan 12 doesn't have an address applied either. What you are looking at is the layer 3 interfaces, but vlan 12 does not have an address applied, so really there is no difference between the 2. I think you may be getting a little confused between layer 2 and 3. To create a simple layer 2 vlan on a switch like the 3550, just enter "conf t", then type "vlan 50", enter. This creates the layer 2 vlan; that's all there is to it. If you want to route between the vlans then you create a layer 3 SVI with the "interface vlan 50" command and add your address.
 
vipergg:

If I do what you said on a 3550, am I able to assign another port on another switch across campus to vlan 50? I thought one of the switches has to be a server in order for VTP to update all switches about the existence of VLAN 50. Thanks for your help!

KC
 
1) It depends on what type of connectivity is used across the campus.

VLAN-ID is used to differentiate different broadcast domains. So it's only significant in a layer-2 environment.

If the connectivity is a layer-3 one (i.e. routing), we'll use layer-3 addressing for the differentiation. The layer-2 VLAN-ID in this case becomes insignificant.

2) It also depends on your VLAN ID to subnet relationship.

Say if you have the following VLAN-ID to subnet mapping in your inventory:

VLAN 10 = 192.168.10.0/24
VLAN 11 = 192.168.11.0/24
VLAN 12 = 192.168.12.0/24

And you want to span your VLAN 10 - 12 across a layer-2 connectivity like this:

VLAN 10-12 (site A) ===L2 connection===VLAN 10-12 (site B)

Then you need some sort of VLAN tagging (or VLAN trunking in Cisco terms). Normally we use 802.1q cos it's an open standard. However if you're using Cisco switches only, you may want to try ISL trunking which is Cisco proprietary.

In the case of spanning VLANs across L3 connection like this:

VLAN 10-12 (site A) ===L3 connection===VLAN 10-12 (site B)

and the VLAN-ID to subnet mapping remains the same for both sites, then there may be routing issues depending on the routing protocols you use. So this is normally not applicable unless you have a different VLAN-ID to subnet mapping. And as I said before, actually in this case the VLAN-ID is insignificant because we're using layer-3 addressing.

So in other words, using the same subnet in different locations across layer-3 connectivity may not be applicable.
 
lambert & vipergg:

Thanks for the detailed answer. My connectivity is layer-3 (routing). So I will use the vlan 12 example with no ip address.

Thanks again.

KC
 