6

I have a Cisco Catalyst Ethernet switch.

I would like to set up this configuration:

  • Ports 18 and 19 are on VLAN 10.
  • Ports 20 and 21 are on VLAN 20.
  • I would like port 22 to have access to both VLANs 10 and 20.

Here is the configuration I made through SSH:

conf terminal

VLAN creation:

vlan 10  
name VLAN0010  
exit  

vlan 20  
name VLAN0020  
exit

First, I cleared the configuration for the 5 affected ports:

interface range FastEthernet0/18 - 22  
no switchport nonegotiate  
no shutdown  
no switchport mode  
no switchport access vlan  
no switchport mode access  
no switchport trunk allowed vlan  
no switchport trunk native vlan  
no switchport mode trunk

Then, I configured the two ports assigned to VLAN 10 in access mode:

interface range FastEthernet0/18 - 19  
switchport mode access  
switchport access vlan 10  
switchport nonegotiate  
no shut

Then I configured the two ports assigned to VLAN 20 in access mode:

interface range FastEthernet0/20 - 21  
switchport mode access  
switchport access vlan 20  
switchport nonegotiate  
no shut

Then, I configured port 22 in trunk mode, so it can access both VLANs:

interface range FastEthernet0/22  
switchport mode trunk  
switchport trunk native vlan 10  
switchport trunk allowed vlan 10,20  
switchport nonegotiate  
no shut

Problem: Only the machines connected to ports 18 and 19 (VLAN 10) can communicate with the machine connected to port 22. Machines connected to ports 20 and 21 (VLAN 20) cannot ping the machine connected to port 22. It seems that only the native VLAN of the trunk port is allowed. If I change it to VLAN 20, the opposite happens. What is missing for port 22 to communicate with both VLANs?

Thank you.

2
  • 3
    Seems like the missing element here is the configuration of the machine on port 22. Is it configured for 802.1q VLAN tagging on its interface, with both VLANs 10 and 20 configured, VLAN 10 untagged/default, and appropriate protocols and addresses configured for each VLAN? Commented Mar 12, 2025 at 7:09
  • Can you add more info - what IP network is used for each vlan, and can you give the switch one IP in each vlan as a half-way point for testing ? That will help with troubleshooting. Commented Mar 12, 2025 at 22:17

3 Answers

4

This is what happens in your setup:

  • Traffic on ports 18 or 19 is regular Ethernet, and is forwarded to other ports in VLAN 10.
  • Traffic on ports 20 or 21 is regular Ethernet, and is forwarded to other ports in VLAN 20.
  • On port 22:
    • Traffic from VLAN 10 is sent as regular Ethernet frames (because you set it as "native")
    • Traffic from VLAN 20 is sent as 802.1Q-tagged frames with tag 20 (because it's a trunk and you did not set it as native)
    • Traffic received as regular Ethernet is forwarded to VLAN 10
    • Traffic received as 802.1Q-tagged frames with tag 20 is forwarded to VLAN 20

802.1Q-tagged frames are like Ethernet frames but with a short header that says "I'm 802.1Q tagged" and a tag number (the VLAN ID). Without specific configuration, a regular Ethernet device will ignore those frames.

From Wikipedia:

So if the device connected to port 22 is a regular end-device (e.g. a PC) and only sends/receives regular Ethernet frames, it will indeed only be able to communicate with devices on VLAN 10:

  • traffic from VLAN 20 will arrive as 802.1Q-tagged frames, which will be ignored
  • Traffic you intend for VLAN 20 is sent as non-tagged frames, which the switch then forwards to VLAN 10, not VLAN 20.

If that device supports it, you can configure a sub-interface on its Ethernet port, using VLAN ID 20. That sub-interface would then be on VLAN 20.

How you do this (and whether you can do it in the first place) depends on the type of device, the OS (and version), sometimes the Ethernet interface. If you tell us the details we may be able to tell you how to configure it.

Alternatively, you could set up routing between the two VLANs (either on the switch, as it's L3-capable, or on another router or device connected to both VLANs), but that means that (unless you set up ACLs), all devices on each of the VLANs will be able to communicate with all devices on the other, which is probably not what you are trying to do.

1
  • In my personal opinion, this answer would be clearer if instead of "regular Ethernet" (which isn't a well-defined term) it said "untagged frames". Likewise, "regular end-device" would be better described as "device that doesn't support VLAN tagging". There are PC NICs that support tagging, so it's slightly misleading to say a "regular end-device (e.g. a PC) ... only sends/receives regular Ethernet frames". Commented Apr 10, 2025 at 6:42
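To make the four bullet points about port 22 concrete, here is an added Python model (not code from the question or from any answer) of FastEthernet0/22 as configured (trunk, native VLAN 10, allowed 10,20) and of the host behind it, with and without VLAN subinterfaces. The sample frame bytes and the interface names eth0 / eth0.20 are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame


def tag(frame, vlan):
    """Insert an 802.1Q tag (TPID 0x8100, PCP/DEI 0) after the 12-byte MAC header."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) + frame[12:]


def vlan_of(frame):
    """Return the VLAN ID carried in the tag, or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def untag(frame):
    """Strip the 4-byte 802.1Q tag if present."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


class TrunkPort:
    """Models the question's Fa0/22: switchport mode trunk, native vlan 10, allowed vlan 10,20."""

    def __init__(self, native, allowed):
        self.native, self.allowed = native, set(allowed)

    def egress(self, vlan, frame):
        """Switch -> host: native-VLAN traffic leaves untagged, other allowed VLANs leave tagged."""
        if vlan not in self.allowed:
            return None
        return frame if vlan == self.native else tag(frame, vlan)

    def ingress(self, frame):
        """Host -> switch: untagged frames are classified into the native VLAN, tagged ones by their tag."""
        vlan = vlan_of(frame)
        vlan = self.native if vlan is None else vlan
        return vlan if vlan in self.allowed else None


def host_receive(frame, subinterfaces=()):
    """Logical interface on the port-22 host that accepts the frame, or None if the host ignores it.
    A host with no VLAN subinterfaces only understands untagged frames (hypothetical names eth0, eth0.<id>)."""
    vlan = vlan_of(frame)
    if vlan is None:
        return "eth0"
    return f"eth0.{vlan}" if vlan in subinterfaces else None


# Constructed sample frame (not captured traffic): broadcast dst, made-up src MAC, IPv4 EtherType, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x00" + b"ping"
FA0_22 = TrunkPort(native=10, allowed=(10, 20))
```

With the host as a plain PC, `host_receive(FA0_22.egress(20, SAMPLE))` is None (tagged frame ignored) while VLAN 10 traffic reaches eth0; adding a subinterface for VLAN 20 makes the same frame land on eth0.20, and the host's untagged replies are always classified into VLAN 10 by `ingress`.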
5

That's not how VLANs work.

Think of a port-based VLAN, using access ports, as a dedicated, separate switch. Traffic between VLANs requires a router (or L3 switch) connected to those VLANs.

Tagged VLANs allow a physical port to link multiple VLANs at the same time. Tagging requires the link-partners to share the exact same configuration. Switches use trunk ports, routers or hosts use subinterfaces. Each subinterface connects to a specific VLAN.

So, whatever you connect on port FastEthernet0/22 needs to handle VLAN tagging. Short of that, it can't talk on any VLAN.

Catalyst switches support layer-3 switching (= routing between subnets). For that you need to:

  • activate routing
  • configure a switch virtual interface (SVI) with an IP address on each VLAN
  • configure the corresponding hosts to use the SVI within their VLAN as (default) gateway
  • if there are more VLANs/subnets that the L3 switch isn't connected to, you need to configure routing using either static routes or a protocol like OSPF
  • if you don't want certain end nodes or subnets to talk to each other, you can use ACLs to control traffic
7
  • Do you mean a port should have at least one VLAN? Trunk ports are dedicated to inter-switch connections? Commented Mar 11, 2025 at 20:27
  • 1
    Trunk ports are for connecting the switch to another device which knows about vlans, either another switch or a router. They don't work for connecting a typical end device, because when the device sends a packet towards the switch, the switch would have no way to know which VLAN the packet was for, 10 or 20. Commented Mar 12, 2025 at 5:13
  • 1
    Aside from Zac67's approach, you could also configure the machine on port 22 (if there's only one machine) to be vlan-aware. This would involve connecting that machine directly to the switch port, and configuring it to treat that network interface like two virtual interfaces, one for each VLAN. How to do this depends on the OS. Commented Mar 12, 2025 at 5:17
  • @Bob5421 Each port has at least one VLAN associated, always. Trunk ports are dedicated to connections between VLAN-aware nodes that tag frames. Untagged frames on a trunk port without native VLAN are dropped. Commented Mar 12, 2025 at 7:44
  • "So, whatever you connect on port FastEthernet0/22 needs to handle VLAN tagging. Short of that, it can't talk on any VLAN." - Couldn't a device that doesn't support tagging participate in the native VLAN (only) on that port? Commented Apr 10, 2025 at 6:44
0

Most end devices do not support tagged frames and will simply ignore tagged traffic.

What you need is a router between the 2 subnets. On a layer 3 switch it would look something like this:

interface vlan 10
   ip address 192.168.10.1 255.255.255.0
interface vlan 20
   ip address 192.168.20.1 255.255.255.0

Make sure ip routing is on as well, and check that the default gateways are set correctly on the end devices.

1
  • "Most end devices do not supported tagged frames" - Since this stack is for business network questions, we can expect a greater proportion of end devices to be "business class", which despite being an imprecise term, often means a NIC that can do VLAN tagging is more likely in a desktop, and laptops are more likely connecting through "business class" wifi, which usually supports tagging on the wired interface. It's mainly printers where in a business setting we would be very surprised if it supported tagging. Commented Apr 10, 2025 at 6:47
