Help configuring Cisco 3560 switch

OK, our network guy quit, and being the PIX firewall expert I got stuck trying to configure some new equipment for next week. Here is what I need to do, but I don't know enough about Cisco switch configs to do this without help. This switch is blank so I can do anything I want to it; nothing is hooked into it yet. I tried doing this myself and had some success, but not enough, and I can't get a network guy to come out early next week.

I want to have 4 VLANs out of the 48 ports on it.
Port 1 for uplink to other switches; they are on the 10.1.1.x network. Our fiber connectors won't be in for a month; they are on back order.

1 for servers (24 ports), IP range 10.1.2.x 255.255.255.0, gateway 10.1.2.1. Will supply DHCP to the client PCs' VLAN.

1 for our DMZ (5 ports) for our web servers, IP range 192.168.1.x 255.255.255.0, gateway 192.168.1.1. Should not be able to get to anything else on the switch; the only access should be from the firewall.

1 for our VPN network (1 port), IP range 10.1.3.x 255.255.255.0, gateway 10.1.3.1. When people VPN in they should be able to get to the server and client networks through the VLANs and to the DMZ through the firewall.

1 for our PCs (the rest of the ports) that will also hold the connection to the internet that the servers need to get to, and the PCs will need to get DHCP from the server network. IP range 10.1.1.x 255.255.255.0, default gateway 10.1.1.1.

Anyone have a config that I can use for this? Thank you for any help you can give; I am lost at this, the commands are just too different from the PIX to get this to work by myself.


charles18602 asked:

Pentrix2 commented:
Is this how your network looks:

internet
    |
    |
  Router
    |
    |
  PIX--------DMZ
    |
 C3560
|   |   |
Servers/PCs

It looks like you'll have 2 DHCP servers, 1 for 10.0.2.0 network, and other for 10.1.1.0 network.  Also, the servers/PCs are on 10.1.2.0 network and another bunch of servers/PCs are on the 10.1.1.0 network.  Do you want both of these to do any routing between each other or not?

Let me label all the VLANs before I start the configuration:

:::::::VLAN 1::::::::
Port 1 for uplink to other switches; they are on the 10.1.1.x network. Our fiber connectors won't be in for a month; they are on back order.

:::::::VLAN 2::::::::
1 for servers (24 ports), IP range 10.1.2.x 255.255.255.0, gateway 10.1.2.1. Will supply DHCP to the client PCs' VLAN.

:::::::VLAN 3::::::::
1 for our DMZ (5 ports) for our web servers, IP range 192.168.1.x 255.255.255.0, gateway 192.168.1.1. Should not be able to get to anything else on the switch; the only access should be from the firewall.

:::::::VLAN 4::::::::
1 for our VPN network (1 port), IP range 10.1.3.x 255.255.255.0, gateway 10.1.3.1. When people VPN in they should be able to get to the server and client networks through the VLANs and to the DMZ through the firewall.

:::::::VLAN 1::::::::
1 for our PCs (the rest of the ports) that will also hold the connection to the internet that the servers need to get to, and the PCs will need to get DHCP from the server network. IP range 10.1.1.x 255.255.255.0, default gateway 10.1.1.1.

Where is your client VPN being terminated?  The router, PIX or another appliance/software?
Pentrix2 commented:
switch# configure terminal
! VLAN definitions use "vlan N" (VLAN configuration mode), not "interface vlan N",
! which creates a routed SVI instead of naming the VLAN. "exit" goes back to
! global config; "end" would drop all the way out to privileged EXEC.
! VLAN 1 is the built-in default VLAN and IOS refuses to rename it, so it gets no name.
switch(config)# vlan 2
switch(config-vlan)# name network
switch(config-vlan)# exit
switch(config)# vlan 3
switch(config-vlan)# name dmz
switch(config-vlan)# exit
switch(config)# vlan 4
switch(config-vlan)# name vpn
switch(config-vlan)# exit
! Port assignments. A standalone 3560 names its ports fa0/N (fa1/0/N is the
! stacked 3750 form). Ports not listed below stay in VLAN 1, the client/uplink VLAN.
switch(config)# interface range fa0/1 - 2
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 1
switch(config-if-range)# exit
switch(config)# interface range fa0/3 - 27
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 2
switch(config-if-range)# exit
switch(config)# interface range fa0/28 - 32
switch(config-if-range)# switchport mode access
switch(config-if-range)# switchport access vlan 3
switch(config-if-range)# exit
! The single VPN port belongs in VLAN 4 per the labels above, not VLAN 2.
switch(config)# interface fa0/33
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 4
switch(config-if)# end
switch# write memory

Now it's to my understanding you want VLAN 4 (VPN network) to access VLANs 1 and 2, because I see VLANs 1 and 2 both having servers and PCs.

charles18602 (Author) commented:
Here is what I am trying to do. Currently our internet comes into the PIX and after that goes into some really old mixture of equipment, everything from an old Cisco switch to some Netgear, Linksys and 3Com hubs.

All of that is going to get replaced in the next week by 2 3560 switches, 1 is a 48 port and 1 is a 24 port. Currently only the 48 port is in, but that's OK because it is more than enough for me to start with. I want the servers to be on their own subnet; I don't want the clients causing problems with performance during backups and stuff. So I was going to put the internet connection in with the clients and they can use it there. I still need to have access to the internet for the servers. We have a Cisco VPN concentrator that I am bringing in; its connection goes into the switch, but I have been having to put static routes on all of the servers to route it back to the VPN concentrator since our last network guy couldn't figure out how to put another route on our router to it. I think if I change the inside IP address of the PIX to be like 10.1.1.2 and put 10.1.1.1 on the 3560 it can do all of my routing for me with the VLANs??? But I am not sure on that. Is this making any sense? And then to get rid of a piece of junk switch that this guy has on the DMZ, I wanted to replace it with a few ports off of this switch that no one could break into from the outside, kind of a separate VLAN on it entirely. This really isn't my kind of thing; where I work the other guy went to training on the routers/switches and I went for the PIX/concentrator. On VLANs 1, 2 and 4 I want them to be able to see each other and share information like DHCP, DNS, WINS, file shares etc. Servers will only be on VLAN 2, clients will only be on VLAN 1. I am not sure if what I want will work, but I am trying to fix a lot of problems all in one swoop.
Pentrix2 commented:
So you want the servers to have their own subnet in their own VLAN and PCs in their own subnet/VLAN, but you want these two VLANs to do inter-VLAN routing.

I'm kind of confused here. You want a separate internet connection for the servers and PCs? For a router/VPN concentrator you can only have 1 default route unless you are multihomed. You would want the inside IP of the PIX to be 10.1.1.1, then subinterface the inside to see the different VLANs, then 10.1.1.2 on the 3560 switch with a default route to 10.1.1.1.

You could make a DMZ VLAN off of this switch, which will work fine. May I ask what kind of Cisco PIX you have? If it's a PIX 515E then you have a DMZ port which provides true DMZ services, which will free up some ports off of your switch. Also, for uplink I recommend having two ports dedicated for each switch for Fast EtherChannel until you get your SFPs (fiber uplinks) in, because this will give you 200 Mbps compared to only having 100 Mbps.

It is to my understanding you want VLANs 1, 2 and 4 to be able to route all traffic between them. In my last post I provided the Phase I configuration. I can provide the other phase configurations but would like to get a clear picture of what your requirements are before going any deeper.
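As an added example (not from Pentrix2 or anyone else in this thread), here is what a Phase II on the 3560 could look like, building on the VLAN and port layout of the Phase I post and the gateway addresses from the question. Values assumed here that the thread never states: the PIX inside address 10.1.1.2 (the address charles18602 floated for it), a DHCP server at 10.1.2.10 in the server VLAN, standalone fa0/N port names, and placeholders for the VPN client pool.

```cisco
! Added example config for the 3560 (not from the thread).
! Assumed, not stated in the thread: PIX inside = 10.1.1.2, DHCP server = 10.1.2.10.
!
! Make the switch the router for VLANs 1, 2 and 4 (IP routing is off by default on a 3560).
ip routing
!
! The gateway addresses from the question live on switch virtual interfaces (SVIs).
interface Vlan1
 description clients + uplink (10.1.1.0/24)
 ip address 10.1.1.1 255.255.255.0
 ! Clients get DHCP from a server in VLAN 2: relay their broadcasts to it (assumed IP).
 ip helper-address 10.1.2.10
!
interface Vlan2
 description servers (10.1.2.0/24)
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan4
 description vpn concentrator (10.1.3.0/24)
 ip address 10.1.3.1 255.255.255.0
!
! Deliberately NO "interface Vlan3". Without an SVI the switch only bridges the DMZ
! VLAN; it cannot route between 192.168.1.0/24 and the inside VLANs, so the only path
! in or out of the DMZ is the PIX DMZ interface plugged into one of these ports.
interface range FastEthernet0/28 - 32
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
! Two-port Fast EtherChannel uplink in VLAN 1, as suggested above, until the SFPs arrive.
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 1
 channel-group 1 mode on
!
! Anything outside 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24 goes to the PIX (assumed address).
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
! VPN client pool (not stated in the thread): routing it here to the concentrator's
! inside address replaces the per-server static routes. Placeholder values:
! ip route <VPN-POOL-NETWORK> <VPN-POOL-MASK> <CONCENTRATOR-INSIDE-IP>
!
! Checks after applying: "show ip route" should list the three connected /24s plus the
! default; "show vlan brief" should show VLAN 3 only on fa0/28-32 and on no uplink port;
! "show etherchannel summary" should show Po1 as in use.
```

Two things outside the switch have to match this. The PIX only knows 10.1.1.0/24 as directly connected, so it needs return routes for the other inside subnets, e.g. `route inside 10.1.2.0 255.255.255.0 10.1.1.1` and `route inside 10.1.3.0 255.255.255.0 10.1.1.1` (plus one for the VPN pool), and its inside NAT rule has to cover 10.1.2.0/24 or the servers will never reach the internet. And the DMZ isolation only holds as long as VLAN 3 never gets an SVI and never rides an uplink to another switch; the `show vlan brief` check above is the quick way to confirm both.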

charles18602 (Author) commented:
The internet connection had to go somewhere, and since I didn't want to have to change the router (it's some weird off-brand thing) and the clients are already using 10.1.1.x for their IP address range, I figured I would just leave it alone. (I thought this would be easier but maybe not.) I need to have a separate VLAN for the servers as that is a requirement for a software package they bought to isolate some of the traffic. So I want these two to be able to talk to each other. For the DMZ I have a PIX 515E but it only has one port on it and I have 4 web servers. I need to hook those servers into something more reliable than the Linksys hub that they are using right now. I figured if I just used some available ports on my switch and isolated them to themselves the PIX could use them for the DMZ. I just need more ports for the PIX to use. For the VPN the problem I have is that currently it is on the same network as the clients and the router they have is not capable of expanding to more ports. I thought it would be easier to put a separate VLAN on the switch and have it route back to the clients, but maybe not. I'm open to suggestions on it. I agree on the 200 Mbps uplink and I can do that with no problem. Just trying to figure out the best way to make this as clean as possible.