We recently had a scenario in a network migration where a network in one location had to be physically split into two locations, but must logically remain the same. Of course, the less reconfiguration and re-addressing the better.
In order to tackle the above scenario the ISP had provisioned us with a L2 link, effectively acting as a long ethernet cable from one physical location to another. The requirements were:
– The internal VLAN already used by the network was VLAN 54
– The L2 link provided by the ISP was a trunk that carried VLAN 100
From the above it becomes clear that we need a way to “bridge” or “map” vlan 100 to vlan 54. There is a cisco IOS feature that supports this, but only in the MetroEthernet range of switches, which was an overkill in our situation.
Based on some often overlooked VLAN theory however, it is possible to convert VLANs at a particular demarcation point without too much hassle. This piece of theory is that VLANs are local to each and every switch. So, if you avoid using trunks (which extend the same VLAN to separate switches) you are able to allow traffic to flow from one switch tagged with vlan 100, and flow from another switch tagged with vlan 54.
The scenario I’ll used to illustrate the above will be based on the following:
Both VLAN 100 and VLAN 54 are internal VLANs. However, vlan 54 is defined on the firewall, while vlan 100 is only being used to accommodate the L2 private link. So to avoid reconfiguring the firewall, or re-subnetting the network, switch R5 must somehow “convert” vlan 100 to vlan 54
To achieve this:
– Define vlan 100 on both R6 and R5
– Define vlan 54 on R8
– Instead of defining the link between R5 and R8 as a trunk link, define it as an access link
(this of course means one link per vlan since we’re not using a trunk, but hopefully you wont have too many of these vlans)
So on R5, on the interface connecting R5 to R8, you’d configure something along the lines of:
switchport mode access
switchport access vlan 100
Similarly on the interface of R8 interlinking R8 and R5 you’d configure:
switchport mode access
switchport access vlan 54
With such a configuration, vlan 100 and vlan 54 are able to communicate, and PCs within the VLANs (192.168.0.1 and 192.168.0.2 in my diagram) are allowed to be in the same subnet (hence no need for changing IP addresses), while the original internal VLAN 54 does not need to be changed to the ISP’s vlan, saving reconfiguration of switches and firewalls
Testing the above will show that the two PCs can communicate with each other as well as the firewall and out to the internet.
The explanation is quite simple – even though we normally consider VLAN IDs to segregate traffic between subnets, the packets leaving the switches are not tagged when traversing an access port. So in the above situation, when we connected R5 and R8 with an access point, each switch considered traffic traversing that port to be part of the locally configured VLAN. R5 considered traffic traversing it’s port to be on vlan 100 and R8 considered traffic traffic it’s port to be in VLAN 54, and each switch then tags the packets with that VLAN ID when passing it through trunks.
In essence the two ports interlinked on R5 and R8 perform a vlan converstion.