CityofKerrville asked:

Starting point for fiber Conversion

This is a question regarding the starting point for the following bigger picture

https://www.experts-exchange.com/questions/23688899/Need-VLAN-trunk-port-configuration-Metro-Ethernet-Cisco-Router-Catalyst-3560.html

...where to start. We are about to begin our migration from a T1 infrastructure to Time Warner's Metro Ethernet. 4 of our 15 sites including our main site are already on the fiber. I would like to get the core configurations done with these sites first before I start moving others. Being a local government entity, with police and fire and EMS, I am sure you can understand that downtime is a major issue. I have attached a diagram of the initial plan but will lay out a few minor requirements and some of what I have done so far for review and critique.

We will start with 4 Sites

Site A - This is our City Hall where most of our servers are located and where our internet comes in. We will have a Cisco 2821 Router with 2 GigabitEthernet, 4 FastEthernet, and 1 DSU. I am pretty sure I need to configure a trunk port on this router to connect to the Metro-E. Here is what I have done so far for the configuration of the router.
!
interface FastEthernet0/0                    <-------- MGMT on Diagram
 description VLAN10 MGMT-IT
 ip address 192.168.96.1 255.255.255.0
!
interface FastEthernet0/1
 description ASA FIREWALL
 ip address 192.168.110.1 255.255.255.224
!
interface FastEthernet0/2                    <-------- SITE A users on Diagram
 description VLAN20 CITYHALL
 ip address 192.168.99.1 255.255.255.252
!
interface FastEthernet0/3                    <-------- To existing network where sites to be migrated are
 description TEMPORARY LINK TO EXISTING ROUTERS
 ip address 192.168.109.1 255.255.255.252
!
interface GigabitEthernet0/0                 <-------- SITE A on Diagram
 description VLAN30 SERVERS
 ip address 192.168.101.1 255.255.255.0
!
interface GigabitEthernet0/1
 description dot1q trunk port to METRO ETHERNET
 no ip address
!
interface GigabitEthernet0/1.1
 description VLAN 10 NATIVE
 encapsulation dot1q 10 native
!
interface GigabitEthernet0/1.2
 description VLAN80 UNUSED
 encapsulation dot1q 80
 ip address 192.168.98.1 255.255.255.254
!
interface GigabitEthernet0/1.3               <-------- SITES B and C on Diagram
 description VLAN COURT, FIREADMIN, LIBRARY, KSP, STREETS, GOLF
 encapsulation dot1q 20
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 description VLAN40 WATER
 encapsulation dot1q 40
 ip address 192.168.104.1 255.255.255.0
!
interface GigabitEthernet0/1.5
 description VLAN50 WASTEWATER
 encapsulation dot1q 50
 ip address 192.168.105.1 255.255.255.0
!
interface GigabitEthernet0/1.6
 description VLAN90 UNUSED
 encapsulation dot1q 90
 ip address 192.168.107.1 255.255.255.254
!
interface GigabitEthernet0/1.7
 description VLAN100 UNUSED
 encapsulation dot1q 100
 ip address 192.168.109.1 255.255.255.254
!
interface GigabitEthernet0/1.8               <-------- SITE D on Diagram
 description VLAN70 KPD
 encapsulation dot1q 70
 ip address 192.168.109.1 255.255.255.254
!
interface dsu0/1
 description VLAN60 AIRPORT
 ip address 192.168.1.25 255.255.255.248
!

We want to implement VLANs for our sites that require extra security (i.e. Wastewater Plant and Police). Aside from the sites we really want to isolate, most everyone else will be on the same VLAN.

VLAN10 (I think this is the native but not sure about that)
This is our management VLAN. Everything on this VLAN is physically located at SITE A. Our IT staff will be on this VLAN and also our back-end Virtual Server management is here. Devices on this VLAN should be able to access anything on the entire network. Devices on the VLAN will have static IP addresses on the 192.168.96.0 network.

VLAN20
Is the primary VLAN for most of the city's regular users. For today's purposes, the users at SITE A, all of SITE B, and all of SITE C will be on this VLAN. There will be more sites added to this VLAN, but our hope is to have everything ready so we can easily transition them over when their time comes. Devices on the VLAN should pull DHCP from our Domain Controllers using the 192.168.100.0/24 address pool.

VLAN30
All of our servers (physical machines and virtual front-ends) are on this VLAN. Servers should be accessible from all devices on the network. All addresses are static on the 192.168.101.0 network. Management will be done through the back-end management network (VLAN10).

VLAN70
This is our Police Department, SITE D on the diagram. This site has a Cisco 2811 router. The reason for the router is Police-specific access to resources outside our network. Not sure how to configure the access port here. All users and department-specific servers are on this VLAN. Certain users on SITE C will need access to the servers on this VLAN.

The switches at all of the sites are Cisco 3560 (port count varies). Here is a sample config for the access port on each switch.

!
interface FastEthernet0/24
 description VLAN20 traffic from fe0/2 on CHR1
 switchport mode access
 switchport access vlan 20
!
interface VLAN10
 description MGMT ACCESS
 ip address 192.168.96.50 255.255.255.0
!

Obviously the VLAN tags and descriptions will change accordingly.

Like I said before, this is a live migration and all the devices on the T1 sites still need to be active while the migration is underway. That being said, I think you have enough information to answer a few starting questions.

1 - What is the Native VLAN?  Is it the VLAN provided by the ISP for the Metro-E?  Should my management Network be on the native?

2 - When we migrate the Servers and put them on their new VLAN, will the devices on the old network not yet migrated to fiber still be able to access them?  Should I move them last?

3 - I know there is 1 access port on the remote switches to connect to the Metro-E.  Do the rest of the ports on these switches need VLAN tags too?

4 - From what you have looked at so far, are we on the right track?  Are we missing something?  Is there a better way?  What are some of the best practices for what we are trying to accomplish?  Please let me know any ideas or concerns you have with my design.
Attachment: Starting-Point.jpg

mikebernhardt replied:

In answer to your questions:
1. The native vlan is a part of dot1q. It is the untagged vlan which also carries some control traffic and CDP. By default it is vlan 1 and you should leave it that way. Do NOT put data across this vlan.
2. This shouldn't be a problem as long as you set up routing correctly. It's good reason to use a dynamic routing protocol such as EIGRP or OSPF if you aren't already.
3. VLAN tags are dropped on access ports. Tags by definition mean it's an 802.1q trunk port and the host would have to be configured to support it. The Metro Ethernet is probably a trunk port, which means you could access any vlan at any location by permitting it on the remote location trunk uplink. This gives you the control without them having to change things for you.
4. Since you have layer 3 devices at every location, you should use a routing protocol between each location and the 2821. Or are you? This would still mean using 802.1q but you would make all of the WAN vlans 30 bit networks (2 hosts). Run EIGRP everywhere and any changes you make or networks you add/delete will propagate with little or no effort.
Since all of your remote links are access ports the Vlan 10 MGMT interface will not work across the Metro-E. To manage your remote switches you need to put an IP address from their local range or a range that is unique to your entire network that is then advertised using a routing protocol.

The setup for your main router is correct except for two things that the above poster recommended that are correct.
1) Remove the Native VLAN as it is not needed and does no good.
2) Make all of the WAN vlans 30 bit networks (2 hosts), EXCEPT VLAN 20 because you have more hosts than 2. I would also change your scheme on your in-between links off of the 192.168.x.x addresses to make them more noticeable as a WAN link vs a LAN segment.
So your router links would look more like this:
interface GigabitEthernet0/1.3               <-------- SITES B and C on Diagram
 description VLAN COURT, FIREADMIN, LIBRARY, KSP, STREETS, GOLF
 encapsulation dot1q 20
 ip address 172.16.20.1 255.255.255.248
With EIGRP installed like this:
router eigrp 1
no auto
network 192.168.100.1 0.0.0.0
network 192.168.101.1 0.0.0.0
network 192.168.111.1 0.0.0.0
network 172.16.20.1 0.0.0.0
network 172.16.30.1 0.0.0.0
network 172.16.70.1 0.0.0.0
 
This is what your sites should look like (you may need to upgrade the IOS image on your switches to the Advanced IP Services image to accomplish this):

interface FastEthernet0/24
 no switchport
 ip address 172.16.20.2 255.255.255.248
! 
interface VLAN1
 description MGMT ACCESS
 ip address 192.168.100.50 255.255.255.0
!
Router eigrp 1
no auto
network 172.16.20.2 0.0.0.0
network 192.168.100.50 0.0.0.0


CityofKerrville (asker):

This looks good. I am glad I am on the right track. I am waiting for my 2821 router to come in so I can begin the migration. I will check back in when I get started. Any other ideas or thoughts before then are always welcome.

You need to be careful when using a Cisco 28xx router with a port that is not a WAN speed port (like a Metro Fiber LAN). They are NOT switches, they are routers and, depending on packet size and the types of packet processing you are doing, can have MUCH lower throughput than you are expecting.

A 2821 can be as low as 6Mbps to maybe 81Mbps if the packets are all small.  Most networks do not run this way, but the GigE port is very misleading...  It might exceed 100Mbps, but keep an eye on the flowcontrol, interface counters and CPU loads as it will NOT do 100's of Mbps in most worlds...

Also the Linksys switch can have some issues with more than one VLAN and can be unstable at times. Eventually you might be better off getting another 3560G for the server farm. (I have had quite a few issues and had LinkSys/TAC tell me to use another brand of low cost switch when we had only 3 VLANs to support because of stability issues.)

Anyway letting the 3560s run the Metro Ethernet links might ultimately be easier and avoids the performance problems the routers can have with their Ethernet ports.   Let routers route WANs and everything else like LAN/MAN switches can handle much easier.

You did not say how fast your Metro LAN connections were...

Also using the

Here is a reference.

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

CityofKerrville,
Let me know how it goes once you get your router in.

I appreciate all the information you have provided. I will surely let you know when I move on to the next step.

Ok here goes nothing. So we got our 2821 router in last week and I have spent all morning on the configuration. Here is my first attempt. Tell me what you think. Some obvious items omitted for security reasons. There are some default items I think can be taken out. I think I need a little help with the routes. Remember that this is the center of the spoke and wheel topology.

CHR1#sh conf
Using 3056 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHR1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip cef
!
!
!
username "OMITTED" privilege 15 secret 5 "OMITTED"
!
!
!
interface GigabitEthernet0/0
 description VLAN30 SERVERS
 ip address 192.168.101.5 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description dot1q trunk port to METRO ETHERNET
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description VLAN80 UNUSED
 encapsulation dot1Q 80
 ip address 192.168.98.1 255.255.255.254
 no snmp trap link-status
!
interface GigabitEthernet0/1.2
 description VLAN20 COURT, FIREADMIN, LIBRARY, KSP, STREETS, GOLF
 encapsulation dot1Q 20
 ip address 192.168.100.1 255.255.255.0
 no snmp trap link-status
!
interface GigabitEthernet0/1.3
 description VLAN40 WATER
 encapsulation dot1Q 40
 ip address 192.168.104.1 255.255.255.0
 no snmp trap link-status
!
interface GigabitEthernet0/1.4
 description VLAN50 WASTEWATER
 encapsulation dot1Q 50
 ip address 192.168.105.1 255.255.255.0
 no snmp trap link-status
!
interface GigabitEthernet0/1.5
 description VLAN90 UNUSED
 encapsulation dot1Q 90
 ip address 192.168.107.1 255.255.255.254
 no snmp trap link-status
!
interface GigabitEthernet0/1.6
 description VLAN100 KPD
 encapsulation dot1Q 100
 ip address 192.168.109.1 255.255.255.248
 no snmp trap link-status
!
interface FastEthernet0/0/0
 description VLAN10 MGMT-IT
 switchport access vlan 10
!
interface FastEthernet0/0/1
 description ASA 5510 FIREWALL
!
interface FastEthernet0/0/2
 description VLAN20 CITY HALL
 switchport access vlan 20
!
interface FastEthernet0/0/3
 description LINK TO EXISTING ROUTERS
!
interface Serial0/1/0
 description VLAN60 AIRPORT
 ip address 192.168.1.25 255.255.255.248
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description FASTETHERNET0/0/0
 ip address 192.168.96.1 255.255.255.0
 shutdown
!
interface Vlan20
 description FASTETHERNET0/0/2
 ip address 192.168.99.1 255.255.255.0
 no mop enabled
!
router eigrp 1
 network 192.168.96.0
 network 192.168.97.0
 network 192.168.98.0
 network 192.168.99.0
 network 192.168.100.0
 network 192.168.101.0
 network 192.168.102.0
 network 192.168.103.0
 network 192.168.104.0
 network 192.168.105.0
 network 192.168.106.0
 network 192.168.107.0
 network 192.168.108.0
 network 192.168.109.0
 network 192.168.110.0
 network 192.168.111.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
!
no ip http server
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end
 
CHR1#


The above config is for the 2821 router at site A and this config is for the 2811 router at site D. Does everything look in line? I still need help setting up the proper routes and will post my 3560 configs when I have one complete.

PDR1#sh conf
Using 871 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PDR1
!
boot-start-marker
boot-end-marker
!
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip cef
!
!
!
!
!
!
interface FastEthernet0/0
 description VLAN100 traffic from ge0/0.6 on CHR1
 ip address 192.168.109.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description KPD SWITCH
 ip address 192.168.111.1 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
router eigrp 1
 network 192.168.109.0
 network 192.168.111.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.109.1
!
no ip http server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password "OMITTED"
 login
!
scheduler allocate 20000 1000
!
end
 
PDR1#


Here is the config for Site C's 3560 switch. Not sure if this is right. Can someone have a look?

COURT#sh conf
Using 1526 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname COURT
!
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
~~INTERFACES OMITTED~~
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 description VLAN20 traffic from ge0/1.2 on CHR1
 no switchport
 ip address 192.168.100.2 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT ACCESS
 ip address 192.168.96.51 255.255.255.0
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password "OMITTED"
 login
line vty 5 15
 password "OMITTED"
 login
!
end
 
COURT#


And here is site B:

FIREADMIN#sh conf
Using 1530 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname FIREADMIN
!
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
~~INTERFACES OMITTED~~
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 description VLAN20 traffic from ge0/1.2 on CHR1
 no switchport
 ip address 192.168.100.3 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT ACCESS
 ip address 192.168.96.52 255.255.255.0
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password "OMITTED"
 login
line vty 5 15
 password "OMITTED"
 login
!
end
 
FIREADMIN#


I had to upgrade the IOS in order to get one of my new HWICs to play nice. Here is the new main router config:

CHR1#sh conf
Using 3309 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHR1
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-20.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
username "OMITTED" privilege 15 secret 5 "OMITTED"
archive
 log config
  hidekeys
! 
!
!
interface GigabitEthernet0/0
 description VLAN30 SERVERS
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description dot1q trunk port to METRO ETHERNET
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description VLAN80 UNUSED
 encapsulation dot1Q 80
 ip address 192.168.98.1 255.255.255.254
!
interface GigabitEthernet0/1.2
 description VLAN20 COURT, FIREADMIN, LIBRARY, KSP, STREETS, GOLF
 encapsulation dot1Q 20
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 description VLAN40 WATER
 encapsulation dot1Q 40
 ip address 192.168.104.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 description VLAN50 WASTEWATER
 encapsulation dot1Q 50
 ip address 192.168.105.1 255.255.255.0
!
interface GigabitEthernet0/1.5
 description VLAN90 UNUSED
 encapsulation dot1Q 90
 ip address 192.168.107.1 255.255.255.254
!
interface GigabitEthernet0/1.6
 description VLAN100 KPD
 encapsulation dot1Q 100
 ip address 192.168.109.1 255.255.255.248
!
interface FastEthernet0/0/0
 description VLAN10 MGMT-IT
 switchport access vlan 10
!
interface FastEthernet0/0/1
 description ASA 5510 FIREWALL
!
interface FastEthernet0/0/2
 description VLAN20 CITY HALL
 switchport access vlan 20
!
interface FastEthernet0/0/3
 description UNUSED
 shutdown
!
interface Serial0/1/0
 description VLAN60 AIRPORT
 ip address 192.168.1.25 255.255.255.248
!
interface FastEthernet0/2/0
 description LINK TO OLD NETWORK
 ip address 192.168.101.5 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description FASTETHERNET0/0/0
 ip address 192.168.96.1 255.255.255.0
 shutdown
!
interface Vlan20
 description FASTETHERNET0/0/2
 ip address 192.168.99.1 255.255.255.0
 no mop enabled
!
router eigrp 1
 network 192.168.96.0
 network 192.168.97.0
 network 192.168.98.0
 network 192.168.99.0
 network 192.168.100.0
 network 192.168.101.0
 network 192.168.102.0
 network 192.168.103.0
 network 192.168.104.0
 network 192.168.105.0
 network 192.168.106.0
 network 192.168.107.0
 network 192.168.108.0
 network 192.168.109.0
 network 192.168.110.0
 network 192.168.111.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
 
CHR1#


Moving forward tomorrow afternoon and sure could use some feedback. Anyone?
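The configs posted in this thread can be checked mechanically before the cutover. The script below is an added example, not something from the thread or from Cisco: it runs over a constructed excerpt modelled on the CHR1 configs above and reports the duplicate 192.168.109.1 addresses and /31 masks from the first plan, the enable password kept in cleartext, the telnet-only vty lines, and the `access-class 23` that points at an ACL the posted config never defines.

```python
import ipaddress
import re

# Constructed excerpt modelled on the CHR1 configs posted in this thread (not a real device dump).
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 "OMITTED"
enable password "OMITTED"
interface FastEthernet0/3
 ip address 192.168.109.1 255.255.255.252
!
interface GigabitEthernet0/1.3
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.7
 ip address 192.168.109.1 255.255.255.254
!
interface GigabitEthernet0/1.8
 ip address 192.168.109.1 255.255.255.254
!
line vty 0 4
 access-class 23 in
 transport input telnet
"""


def parse_interfaces(config):
    """Map each addressed interface stanza to an IPv4Interface (address plus mask)."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None  # any unindented line ("!", "line vty", ...) ends the stanza
        elif current and line.lstrip().startswith("ip address "):
            parts = line.split()
            result[current] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return result


def find_address_issues(interfaces):
    """Flag /31 masks, duplicate addresses and overlapping subnets between interfaces."""
    issues, items = [], sorted(interfaces.items())
    for i, (name, iface) in enumerate(items):
        if iface.network.prefixlen == 31:
            issues.append(f"{name}: /31 mask; the thread recommends /30 for two-host WAN links")
        for other, oface in items[i + 1:]:
            if iface.ip == oface.ip:
                issues.append(f"{name} and {other}: duplicate address {iface.ip}")
            elif iface.network.overlaps(oface.network):
                issues.append(f"{name} and {other}: overlapping {iface.network} and {oface.network}")
    return issues


def find_weak_management(config):
    """Flag cleartext credentials and unencrypted or unrestricted vty access."""
    issues = []
    if "no service password-encryption" in config and re.search(r"^enable password ", config, re.M):
        issues.append("enable password kept in cleartext (no service password-encryption)")
    if re.search(r"^ transport input telnet$", config, re.M):
        issues.append("vty lines accept telnet only, so management logins cross the Metro-E unencrypted")
    for acl in sorted(set(re.findall(r"^ access-class (\d+) in", config, re.M))):
        if not re.search(rf"^access-list {acl} ", config, re.M):
            issues.append(f"access-class {acl} references an ACL that is never defined")
    return issues
```

Run it against a `show running-config` capture instead of the sample to get the same three lists for a live device.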
ASKER CERTIFIED SOLUTION by Les Moore
