Solved

Cisco Catalyst 3550 VLANs

Posted on 2004-08-19
Last Modified: 2007-02-13
I have a Cisco 3550 switch - connected to 1 WAN link on 1 port, another WAN link on another port, and my servers and workstations on the other ports - I want to create 3 VLANs in total - 1 for each WAN link, and 1 for the LAN.  Then I want the switch to have 2 default gateways - each WAN link set in priority in case one goes down the other will be used.  Can someone tell me how to do this or point me in the right direction?  I am much more familiar with routers than switches but I have some experience.  I am not familiar with the concept of trunking...and not sure if it will even play in here.  Sorry if this is vague.
Question by:mrsmileyns
18 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 250 total points
ID: 11842576
If your WAN links are directly connected to the switch, you can assign an IP address directly to the interface they are connected to using the "no switchport" interface configuration command.  You can then use the "ip address <address> <mask>" command to assign it the appropriate IP address.  I would do this instead of creating VLANs for each WAN link.  Once you use the "no switchport" command, the interfaces are treated as routed interfaces.  You can keep all the PCs in the one and only VLAN on the switch.  Trunking is not necessary unless you are connecting VLANs using multiple switches.

To set two default gateways on the switch, use the following commands:

! preferred route using default administrative distance.
ip route 0.0.0.0 0.0.0.0 <next hop router address>
! set the administrative distance higher on the backup link.
ip route 0.0.0.0 0.0.0.0 <next hop router address> 10
0
 

Author Comment

by:mrsmileyns
ID: 11842815
Well - I am not sure if I meet the criteria of directly connected on the WAN links - 1 link is connected to a 2600 on the e0 - which is then connected via point to point t1 to the main office - where the main internet connectivity comes through

the other secondary WAN link is connected to the internal side of a Watchguard firebox firewall - which is then VPN'd to the main office - this is the backup connectivity

Does your solution still apply under these conditions?
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11843568
Yes, still works.

The suggested static routes will send all traffic over the primary link, as long as it's up, and fail all traffic over to the secondary link whenever the primary is down.  If you want to actually balance the load, or host servers, you'll need to get a bit more complicated....

0
 

Author Comment

by:mrsmileyns
ID: 11843628
nope - no load balance - just a failover

but let's say this...I will try to explain the thought I have in my head - let's say...my primary link is to the Cisco 2600 which is then connected to the home office - now let's say, the point to point T1 back to the home office goes down - but the internal side...which will be the primary default gateway of the switch is really not down...it is only down on the WAN side - will the switch get the picture, and start sending packets to the secondary gateway?  Does my question make sense?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11843731
Well now that complicates things.

The switch will never know that the WAN link is down beyond the 2600 and will continue to send to the 2600 router even though the link is down.

Is the 3550 the EMI version?  Can you run a routing protocol with the 2600 and Watchguard instead of using static routes?  The switch would reroute appropriately over the backup link.  If you had another Cisco router versus the Watchguard, you could run HSRP and have default gateway redundancy.
0
 

Author Comment

by:mrsmileyns
ID: 11843781
I see...on the back the switch says SMI as part of the model # or S/N - I assume that means it is not the EMI version?

The network currently does have EIGRP set up, but I am not sure if that will work with the Watchguard - I will have to find out.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11843807
It won't with the Watchguard.  EIGRP is Cisco proprietary.

Unfortunately, the SMI version does not support EIGRP.
0
 

Author Comment

by:mrsmileyns
ID: 11843852
ah - just as I typed it I remembered EIGRP is cisco prop - hmm - just so you know, this wasn't my idea - it was half in place when I got here  :)  I think my boss may need to rethink this backup solution - I am not sure it is going to work this way with the current hardware - unless of course...during an outage...if I were on site, I suppose if the WAN link went down on the 2600, then I could unplug the LAN side of the 2600 - that would force the switch to see its gateway down, and send the packets to the backup gateway...the watchguard....I know that is an ugly undesirable answer, but for my own edification, do you think it would work?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11843915
Yes, that would work, if you shutdown the ethernet interface on the 2600 or pulled the cable, the switch interface would go down and the route would be removed from the switch's routing table.  The switch would then use the Watchguard route.
0

 

Author Comment

by:mrsmileyns
ID: 11843969
OK - last question and then I will leave you alone :)  if the preferred route to the e0 of the 2600 is set as a static route - and then that destination suddenly becomes unavailable to the switch - shutdown or cable pulled...the switch will stop using that route or it will be removed...even though it is set as a static route? and then it will use the route with the next highest priority to the Watchguard?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11844500
Yes, although it is a static route, it will still be removed from the routing table if the interface is down and the Watchguard route will be used.
0
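The failover behaviour discussed in this thread, as an added example (not code from any poster): a simplified Python model of how the switch chooses between the two static default routes. It treats a static route as installed only while its next hop sits on an up, directly connected network; the switch-side subnets and the use of 192.168.11.2 for the Watchguard are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network
    line_up: bool = True

@dataclass
class StaticDefault:
    next_hop: ipaddress.IPv4Address
    distance: int = 1  # default administrative distance of a static route

def resolvable(route, interfaces):
    """Installable only while the next hop is on an up connected network."""
    return any(i.line_up and route.next_hop in i.network for i in interfaces)

def active_default(routes, interfaces):
    """Next hop of the installed default route (lowest distance wins), or None."""
    candidates = [r for r in routes if resolvable(r, interfaces)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: r.distance).next_hop

def scenario(port_to_2600_up, t1_up, vpn_up=True):
    """Return (chosen next hop, whether traffic actually reaches the main office)."""
    interfaces = [  # constructed addressing, not taken from a real config
        Interface("to-2600", ipaddress.ip_network("192.168.10.0/24"), port_to_2600_up),
        Interface("to-watchguard", ipaddress.ip_network("192.168.11.0/24"), True),
    ]
    routes = [
        StaticDefault(ipaddress.ip_address("192.168.10.1")),      # primary via 2600
        StaticDefault(ipaddress.ip_address("192.168.11.2"), 10),  # backup via Watchguard
    ]
    hop = active_default(routes, interfaces)
    # The switch cannot see these upstream states; they only decide delivery.
    upstream_ok = {"192.168.10.1": t1_up, "192.168.11.2": vpn_up}
    return str(hop), upstream_ok.get(str(hop), False)

if __name__ == "__main__":
    print(scenario(True, True))    # normal operation
    print(scenario(True, False))   # T1 down, local port up: traffic is dropped
    print(scenario(False, False))  # cable pulled: backup route takes over
```

The middle case is the one raised in the thread: the T1 is down, but the switch port to the 2600 is still up, so the primary route stays installed and traffic never fails over.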
 

Author Comment

by:mrsmileyns
ID: 11844555
OK - I think all that answers my questions for now - I think I have a way to make it work ugly, and a way to make it work right, but it will cost some money - that part is not my call - thanks for the help here.
0
 

Author Comment

by:mrsmileyns
ID: 11845015
one last thing - tell me if you think this can work - on my 2600 - I have 2 WICs that are plugged into the 2 multilinked T1s going back to the home office - that is the primary gateway

I have 1 ethernet interface - 192.168.10.1 e0 - that is the primary gateway for my PCs on the LAN - and the 2600 uses the multilink IP as its gateway

now...I have an e1 that was unused - I just thought - what if I give that the IP of 192.168.11.1 and plug it into the internal side of the Watchguard and give that an IP of 192.168.11.2 and set a secondary route in my 2600 to 192.168.11.2 - in the event of primary gateway failure which is the WAN multilink IP, do you think it would default to the Watchguard connectivity?  I am going to try, but what do you think?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11845034
Sounds like a plan to me!  Yes, that would work great...
0
 

Author Comment

by:mrsmileyns
ID: 11845052
will take me a day or 2 to get the downtime to try...I will let you know...thanks for the help - I am excited to get this solved  :)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 11845092
Remember though, the interface to the Watchguard will remain up if the watchguard is still on and working but the line beyond it is down.  Since it is the backup line, it isn't that huge of a deal.

Also, the backup routes will also need to be configured on the routers at the other end of the connections.
0
 

Author Comment

by:mrsmileyns
ID: 11845243
gotcha - thanks
0
 

Author Comment

by:mrsmileyns
ID: 11880058
I think I need another Cisco router between my existing 2600 and the Watchguard - that would let me use HSRP or EIGRP or both when the WAN on the primary 2600 went down.  Then packets can start routing to the secondary Cisco 2600 which can use the internal side of the Watchguard as its gateway of last resort.  I'd like to ditch the Watchguard and set up a Cisco VPN back to the home office - but I can't do that.
0
