6

I have a Cisco Catalyst Ethernet switch.

I would like to setup this configuration:

  • Ports 18 and 19 are on VLAN 10.
  • Ports 20 and 21 are on VLAN 20.
  • I would like port 22 to have access to both VLANs 10 and 20.

Here is the configuration I made through SSH:

conf terminal

Vlans creation:

vlan 10  
name VLAN0010  
exit

vlan 20
name VLAN0020
exit

First, I cleared the configuration for the 5 affected ports:

interface range FastEthernet0/18 - 22  
no switchport nonegotiate  
no shutdown  
no switchport mode  
no switchport access vlan  
no switchport mode access  
no switchport trunk allowed vlan  
no switchport trunk native vlan  
no switchport mode trunk

Then, I configured the two ports assigned to VLAN 10 in access mode:

interface range FastEthernet0/18 - 19  
switchport mode access  
switchport access vlan 10  
switchport nonegotiate  
no shut

Then I configured the two ports assigned to VLAN 20 in access mode:

interface range FastEthernet0/20 - 21  
switchport mode access  
switchport access vlan 20  
switchport nonegotiate  
no shut

Then, I configured port 22 in trunk mode, so it can access both VLANs:

interface range FastEthernet0/22  
switchport mode trunk  
switchport trunk native vlan 10  
switchport trunk allowed vlan 10,20  
switchport nonegotiate  
no shut

Problem: Only the machines connected to ports 18 and 19 (VLAN 10) can communicate with the machine connected to port 22. Machines connected to ports 20 and 21 (VLAN 20) cannot ping the machine connected to port 22. It seems that only the native VLAN of the trunk port is allowed. If I change it to VLAN 20, the opposite happens. What is missing for port 22 to communicate with both VLANs?

Thank you.

Bob5421
    Seems like the missing element here is the configuration of the machine on port 22. Is it configured for 802.1q VLAN tagging on its interface, with both VLANs 10 and 20 configured, VLAN 10 untagged/default, and appropriate protocols and addresses configured for each VLAN? – Todd Wilcox Mar 12 '25 at 07:09
  • Can you add more info - what IP network is used for each vlan, and can you give the switch one IP in each vlan as a half-way point for testing ? That will help with troubleshooting. – Criggie Mar 12 '25 at 22:17

3 Answers

5

That's not how VLANs work.

Think of a port-based VLAN, using access ports, as a dedicated, separate switch. Traffic between VLANs requires a router (or L3 switch) connected to those VLANs.

Tagged VLANs allow a physical port to link multiple VLANs at the same time. Tagging requires the link-partners to share the exact same configuration. Switches use trunk ports, routers or hosts use subinterfaces. Each subinterface connects to a specific VLAN.

So, whatever you connect on port FastEthernet0/22 needs to handle VLAN tagging. Short of that, it can't talk on any VLAN.

Catalyst switches support layer-3 switching = routing between subnets. For that you need to

  • activate routing
  • configure a switch virtual interface (SVI) with an IP address on each VLAN
  • configure the corresponding hosts to use the SVI within their VLAN as (default) gateway
  • if there are more VLANs/subnets that the L3 switch isn't connected to, you need to configure routing using either static routes or a protocol like OSPF
  • if you don't want certain end nodes or subnets to talk to each other, you can use ACLs to control traffic
Zac67
4

This is what happens in your setup:

  • Traffic on ports 18 or 19 is regular Ethernet, and is forwarded to other ports in VLAN 10.
  • Traffic on ports 20 or 21 is regular Ethernet, and is forwarded to other ports in VLAN 20.
  • On port 22:
    • Traffic from VLAN 10 is sent as regular Ethernet frames (because you set it as "native")
    • Traffic from VLAN 20 is sent as 802.1Q-tagged frames with tag 20 (because it's a trunk and you did not set it as native)
    • Traffic received as regular Ethernet is forwarded to VLAN 10
    • Traffic received as 802.1Q-tagged frames with tag 20 is forwarded to VLAN 20

802.1Q-tagged frames are like Ethernet frames but with a short header that says "I'm 802.1Q tagged" and a tag number (the VLAN ID). Without specific configuration, a regular Ethernet device will ignore those frames.

From Wikipedia:

So if the device connected to port 22 is a regular end-device (e.g. a PC) and only sends/receives regular Ethernet frames, it will indeed only be able to communicate with devices on VLAN 10:

  • traffic from VLAN 20 will arrive as 802.1Q-tagged frames, which will be ignored
  • Traffic you intend for VLAN 20 is sent as non-tagged frames, which the switch then forwards to VLAN 10, not VLAN 20.

If that device supports it, you can configure a sub-interface on its Ethernet port, using VLAN ID 20. That sub-interface would then be on VLAN 20.

How you do this (and whether you can do it in the first place) depends on the type of device, the OS (and version), sometimes the Ethernet interface. If you tell us the details we may be able to tell you how to configure it.

Alternatively, you could set up routing between the two VLANs (either on the switch, as it's L3-capable, or on another router or device connected to both VLANs), but that means that (unless you set up ACLs), all devices on each of the VLANs will be able to communicate with all devices on the other, which is probably not what you are trying to do.

jcaron
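To make the frame-level explanation above concrete, here is a small model of the switch as configured in the question (access ports 18-19 in VLAN 10, 20-21 in VLAN 20, port 22 as a trunk with native VLAN 10 and allowed VLANs 10,20). It builds real Ethernet II / 802.1Q byte layouts and walks a frame from an access port to port 22 and back, once for a plain PC and once for a host with an 802.1Q sub-interface for VLAN 20. This is an added example, not code from the question or any answer; the MAC addresses and payloads are constructed sample data, and the model omits MAC learning and flooding (it forwards between the two ports you name).

```python
"""Model of the trunk/access behaviour described in the answer above.
Added example, not from the original post; MACs and payloads are constructed."""
import struct

ETH_8021Q = 0x8100   # TPID that marks an 802.1Q-tagged frame
ETH_IPV4 = 0x0800

# Constructed sample MACs: the host on port 22 and a PC on an access port.
HOST = bytes.fromhex("02000000aa22")
PC = bytes.fromhex("020000000001")

# Port table copied from the question's configuration.
PORTS = {
    18: {"mode": "access", "vlan": 10},
    19: {"mode": "access", "vlan": 10},
    20: {"mode": "access", "vlan": 20},
    21: {"mode": "access", "vlan": 20},
    22: {"mode": "trunk", "native": 10, "allowed": {10, 20}},
}


def build_frame(dst, src, payload, vlan=None, ethertype=ETH_IPV4):
    """Ethernet II frame; with vlan set, a 4-byte 802.1Q header (TPID 0x8100 +
    TCI) is inserted between the source MAC and the EtherType. PCP/DEI are 0."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETH_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def ingress_vlan(port, frame):
    """VLAN the switch assigns to a frame received on `port`; None = dropped."""
    cfg = PORTS[port]
    tag = parse_frame(frame)[2]
    if cfg["mode"] == "access":
        # An access port puts untagged frames into its access VLAN.
        return cfg["vlan"] if tag is None else None
    vlan = cfg["native"] if tag is None else tag   # untagged -> native VLAN
    return vlan if vlan in cfg["allowed"] else None


def egress_frame(port, vlan, frame):
    """Frame as it leaves `port` for `vlan`: untagged on an access port or for
    the trunk's native VLAN, tagged with the VID otherwise; None if the port
    does not carry that VLAN."""
    cfg = PORTS[port]
    dst, src, _, etype, payload = parse_frame(frame)
    if cfg["mode"] == "access":
        return build_frame(dst, src, payload, None, etype) if vlan == cfg["vlan"] else None
    if vlan not in cfg["allowed"]:
        return None
    tag = None if vlan == cfg["native"] else vlan
    return build_frame(dst, src, payload, tag, etype)


def forward(in_port, frame, out_port):
    """Switch one frame from in_port to out_port (no MAC learning/flooding)."""
    vlan = ingress_vlan(in_port, frame)
    return None if vlan is None else egress_frame(out_port, vlan, frame)


def host_accepts(frame, subinterfaces):
    """Host on port 22. `subinterfaces` is the set of VIDs it has 802.1Q
    sub-interfaces for; an empty set models a plain PC. Untagged frames go to
    the parent interface, tagged frames only to a matching sub-interface."""
    if frame is None:
        return False
    tag = parse_frame(frame)[2]
    return tag is None or tag in subinterfaces


def reachability(subinterfaces):
    """For each access port: can a PC there and the host on port 22 exchange
    frames in both directions?"""
    result = {}
    for port in (18, 19, 20, 21):
        to_host = forward(port, build_frame(HOST, PC, b"ping"), 22)
        vlan = PORTS[port]["vlan"]
        # The host tags its reply only if it has a sub-interface for that VLAN;
        # a plain frame leaving the host lands in the trunk's native VLAN 10.
        tag = vlan if vlan in subinterfaces else None
        back = forward(22, build_frame(PC, HOST, b"reply", tag), port)
        result[port] = host_accepts(to_host, subinterfaces) and back is not None
    return result


if __name__ == "__main__":
    print("plain PC on port 22:       ", reachability(set()))
    print("PC with VLAN 20 sub-if:    ", reachability({20}))
```

Running it reproduces the symptom in the question: with no sub-interface only ports 18 and 19 are reachable, because VLAN 20 frames arrive at port 22 carrying `81 00 00 14` after the source MAC and the PC's own replies go out untagged and are classified into VLAN 10. Adding a VLAN 20 sub-interface makes all four ports reachable. The untagged native VLAN is the only reason a plain PC on a trunk sees anything at all, which is also why trunks facing ports you do not fully control are commonly given an unused native VLAN or configured to tag the native VLAN too.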
0

Most end devices do not support tagged frames and will simply ignore tagged traffic.

What you need is a router between the 2 subnets. On a layer 3 switch it would look something like this

interface vlan 10
   ip address 192.168.10.1 255.255.255.0
interface vlan 20
   ip address 192.168.20.1 255.255.255.0

Make sure ip routing is on as well. And check that the default gateways are set correctly on the end devices

0p3r470r