Solved

Need Help Configuring My Network for VLANs across multiple Layer 2 Switches (Visio PDF Provided)

Posted on 2006-06-05
Last Modified: 2012-06-27
I need some assistance developing my plan to deploy Sonicpoints across my network of managed switches as well as a DMZ for my mail server.  I am not a networking guru, but I do know enough to potentially avoid needing explanations of elementary networking concepts.   My main weakness is when it comes to routing, so be very clear when discussing that.

First, about my Sonicwall:  If you're not familiar with a Sonicwall 3060, it has five physical interfaces (X1 - X5) that can be configured for zones such as LAN/WAN/WLAN/DMZ.  

Currently, my switches are all Dell PowerConnect (all VLAN capable) but are all configured as one default VLAN.   So basically, they aren't being used for VLAN.

What I need is to be able to configure VLAN 1 for internal LAN.  VLAN 2 for DMZ.  And VLAN 3 for WLAN. Eventually a VLAN 4 for a VOIP system.  What is MOST IMPORTANT due to the geographic size of my network is that I need the VLANs to traverse my managed switches.  I believe this is called "VLAN trunking" but I am not sure.  

I believe to accomplish this I need Layer 3 routing between the switches.  Currently, as you can see from my Visio PDF diagram, there is NO routing equipment anywhere on the LAN (Sonicwall does not count.)  So it is a given I will need to buy some.  

The questions are:

1.  Is there a better scheme that I haven't considered?
2a.  What type of routers/ layer 3 switches do I need to make this plan happen?
2b.  What models do you recommend?
3.  How many do I need?
4.  Where SPECIFICALLY should they be deployed on the diagram?
5.  What are the negative side effects of deploying the recommended equipment (speed loss, etc?)

I would *LIKE* to minimize the amount of new equipment necessary, maintain the ability to go 1 Gbps on my fiber runs if possible, all the while maximizing the ability of the VLANs to traverse my network.   But please do not rule out 100 Mbps routers if they are very cheap.

Thanks!
Question by:Colebert

Expert Comment

by:pseudocyber
ID: 16841573
1.  I'll assume this roughly follows your topology - which is fine.  Perhaps some kind of alternative paths between the 3248, 3324, and 5324 in the middle for fault tolerance.

2.  I would recommend putting in a Layer 3 switch in the "core" of your network - perhaps a Dell PowerConnect 6024.  This would provide multiple ports for your fiber and network aggregation and layer 3 switching.

3.  1 at least.  2 would be better for fault tolerance.

4.  In the middle, so everything collapses into them.

5.  Negative side effects - none, I guess except for less $$ in your pocket.

Author Comment

by:Colebert
ID: 16844304
So I wouldn't need more than one 6024 to do all the routing even though some of those switches are more than one "hop" (I know it's a routing term, but work with me here) away from that switch?  I assume by "core" you mean the 3324 connected to the Sonicwall?

My network is a little deceiving.  The core might look like its all those 5324s, but its not really.  That's just one building we remodeled and I beefed up.  

I know the topology is a little jacked up.  I was working with an existing fiber deployment which does not allow for redundancy!  :-(

Expert Comment

by:pseudocyber
ID: 16844843
If you use vlan trunking, it doesn't matter where the vlans are, as long as they trunk all the way back to your layer 3 device - in this case a layer 3 switch.  

Yes, I would put it attached to the firewall - so everything aggregates into it.

Author Comment

by:Colebert
ID: 16844925
OK, to wrap this up, how does the trunking work in the abstract?  I'm not asking you to hand-hold me through configuring, just sketch out for me what I have to do on the layer 2 switches if I put the 6024 next to the firewall.

Do I just give the other switches the IP address/MAC address of the 6024 and tell them to forward, or what?

Author Comment

by:Colebert
ID: 16844940
also, to be explict, it doesn't matter if they trunk back over multiple non-layer-3 switches to get to the 6024?
Expert Comment

by:pseudocyber
ID: 16845192
Ok.

VLANs are layer 2 only.  They know nothing of layer 3.

On your layer 3 switch - in English, it would be like this

create vlan 100
assign ip 10.1.1.1/24 interface vlan 100
create vlan 200
assign ip 10.2.2.2/24 interface vlan 200

port 10 enable vlan trunking
port 10 tag all traffic
port 10 member vlan 100, vlan 200
port 1 member vlan 100


On the middle switch
create vlan 100
port 10 enable vlan trunking
port 10 member vlan 100, vlan 200

create vlan 200
port 20 enable vlan trunking
port 20 member vlan 200

On the end switch
create vlan 200
port 20 enable vlan trunking
ports 1-24 member vlan 200

This would allow a device on port 1 on the end switch in vlan 200 to ping a device on port 1 on your layer 3 switch in vlan 100 - routed at your layer 3 switch.

Your switches would have to have uplink & downlink ports for the vlans which are downstream from them - back to the core.  Those backbone ports would have to have vlan trunking.

Author Comment

by:Colebert
ID: 16845900
Still confused.  How many physical connections do I need to have between two non-layer-3 switches in order for this to work with only one layer 3 switch?  

So if I have

LAYER-3-SWITCH -- LAYER-2-SWITCH -- LAYER-2-SWITCH -- [a VLAN100 port]
          |
          |
LAYER-2-SWITCH
          |
          |
LAYER-2-SWITCH
          |
          |
  [a VLAN100 port]


Can that device on the vlan port climb all the way up the network to the layer-3 switch, then go out to the other port while maintaining my single fiber uplinks?


Probably not very clear.

Author Comment

by:Colebert
ID: 16845934
What I'm hoping can happen is I drop a 6024 in place of that 3324 at the firewall and with some programming it be a turnkey solution without needing to do any re-wiring or purchasing of additional hardware.  Given my stated topology with all those layer 2 switches, is that a realistic hope?
Accepted Solution

by: pseudocyber (earned 1500 total points)
ID: 16846109
Here's the traffic flow on a three switch network.

10.1.1.10
vlan 100
pc
   |
Switch1
port 1 (is in vlan 100)
port 10 (is also in vlan 100, trunk with tagging)
   |
Switch2
Port 10 (is in vlan 100 trunk with tagging)
port 2 (is in vlan 200) ------------------------10.2.2.20 vlan 200 pc
port 20 (is in vlan 100 and vlan 200 trunk with tagging)
   |
Switch3 LAYER 3 SWITCH
Port 10 (is in vlan 100 and 200 trunk with tagging)
vlan 100 ip 10.1.1.1
vlan 200 ip 10.2.2.1

In this scenario, pc 1 wants to ping pc 2.
PC1 is in vlan 100 - IP of 10.1.1.10, dfgw of 10.1.1.1
PC1 determines PC2  is on a different layer 3 network
PC1 ARPs for MAC for its DFGW, gets it - it's the MAC for switch 3.
PC1 sends out a frame with a destination address of switch 3's MAC, which it thinks is the DFGW
Switch 1 consults MAC forwarding table for VLAN100 and determines MAC is out port 10
Frame goes out port 10 and into port 10 on Switch 2
Switch 2 consults MAC forwarding table for VLAN100 and determines MAC is out port 20
Frame goes out port 20 and into port 10 on Switch 3
The routing process gets it and routes it to VLAN200
VLAN200 consults ARP table and sees MAC for IP of 10.2.2.20 and determines it's out port 10
Switch 2 consults MAC forwarding table for VLAN200 and determines MAC is out port 2
Frame goes out port 2 and is received by PC2 10.2.2.20

Reverse the process for the reply to the ping.

So, as long as your backbone ports support the necessary vlans along the path, everything is OK.
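
The trunk sketch in the earlier comment (ID 16845192) and the hop-by-hop walkthrough above, as an added example that is not part of the original thread and is not Dell PowerConnect configuration: a small Python model of three VLAN-aware switches joined by 802.1Q trunks, where only Switch3 owns routed interfaces (SVIs) for VLAN 100 and VLAN 200. The port numbers and the 10.1.1.0/24 and 10.2.2.0/24 plan are the ones used in the answer; the MAC addresses, the trunk PVID of 1, and every class and function name (`Net`, `build`, `send`, and so on) are assumptions. `build()` constructs the topology, `Net.send()` pushes one IP packet through it after ARP (host to gateway, then gateway to destination host), and `net.trace` records every hop with its tag state; `build(switch2_uplink=(100,))` reproduces the case where an intermediate backbone link does not carry one of the VLANs.

```python
"""802.1Q trunking plus inter-VLAN routing on the three-switch topology of the accepted
answer (Switch1 -- Switch2 -- Switch3; only Switch3 routes). Added example, not code from
the thread or from Dell: ports and IPs follow the answer, MACs and names are assumptions."""
from collections import namedtuple
from ipaddress import ip_network
from types import SimpleNamespace
BCAST = "ff:ff:ff:ff:ff:ff"
Port = namedtuple("Port", "mode vlans pvid peer")  # mode access|trunk; pvid: VLAN for untagged ingress
Frame = namedtuple("Frame", "kind src_mac dst_mac tag src_ip dst_ip")  # kind arp-req|arp-rep|ip; tag None = untagged
Host = namedtuple("Host", "name mac ip gw sw port")  # sw, port: where the host is patched in
subnet = lambda ip: ip_network(f"{ip}/24", strict=False)  # both subnets in the thread are /24
switch = lambda name: SimpleNamespace(name=name, ports={}, mac_table={}, arp={}, svi={})  # svi: vlan -> (ip, mac)

class Net:
    def __init__(self):
        self.sw, self.hosts, self.arp, self.got, self.trace = {}, {}, {}, {}, []

    def trunk(self, a, pa, b, pb, va, vb=None):  # trunk a:pa <-> b:pb; each end carries only its own list
        self.sw[a].ports[pa] = Port("trunk", frozenset(va), 1, ("switch", b, pb))
        self.sw[b].ports[pb] = Port("trunk", frozenset(vb or va), 1, ("switch", a, pa))

    def attach(self, h, vlan):
        self.hosts[h.name], self.arp[h.name], self.got[h.name] = h, {}, []
        self.sw[h.sw].ports[h.port] = Port("access", frozenset({vlan}), vlan, ("host", h.name))

    def ingress(self, sw, pno, f):
        port = sw.ports[pno]
        vlan = f.tag if f.tag is not None else port.pvid  # an untagged frame lands in the port's PVID
        if vlan not in port.vlans:
            self.trace.append(f"{sw.name} port {pno}: VLAN {vlan} not configured here, dropped")
            return
        sw.mac_table[(vlan, f.src_mac)] = pno  # source-address learning, per VLAN
        if vlan in sw.svi and f.dst_mac in (sw.svi[vlan][1], BCAST):
            self.at_svi(sw, vlan, f)  # addressed to this switch's routed interface
            if f.dst_mac != BCAST:
                return
        self.forward(sw, vlan, f, pno)

    def forward(self, sw, vlan, f, pno=None):
        out = sw.mac_table.get((vlan, f.dst_mac))
        # known unicast: one port; broadcast or unknown unicast: flood every other port in the VLAN
        for p in ([out] if out is not None else [p for p in sw.ports if p != pno and vlan in sw.ports[p].vlans]):
            self.egress(sw, p, vlan, f)

    def egress(self, sw, pno, vlan, f):
        port = sw.ports[pno]
        tag = vlan if port.mode == "trunk" else None  # trunk ports tag every VLAN; access ports strip
        self.trace.append(f"{sw.name} port {pno} -> VLAN {vlan} {'tagged' if tag else 'untagged'} {f.kind}")
        if port.peer[0] == "switch":
            self.ingress(self.sw[port.peer[1]], port.peer[2], f._replace(tag=tag))
        else:
            self.host_rx(self.hosts[port.peer[1]], f._replace(tag=tag))

    def at_svi(self, sw, vlan, f):
        ip, mac = sw.svi[vlan]
        if f.kind == "arp-req" and f.dst_ip == ip:  # hosts ARP for their default gateway
            self.forward(sw, vlan, Frame("arp-rep", mac, f.src_mac, None, ip, f.src_ip))
        elif f.kind == "arp-rep":
            sw.arp[f.src_ip] = f.src_mac
        elif f.kind == "ip":
            self.route(sw, f)

    def route(self, sw, f):
        for vlan, (ip, mac) in sw.svi.items():
            if subnet(f.dst_ip) == subnet(ip):  # connected route: resolve the host, re-emit into that VLAN
                self.forward(sw, vlan, Frame("arp-req", mac, BCAST, None, ip, f.dst_ip))
                if f.dst_ip in sw.arp:  # MACs rewritten, IP header unchanged
                    self.forward(sw, vlan, Frame("ip", mac, sw.arp[f.dst_ip], None, f.src_ip, f.dst_ip))

    def host_rx(self, h, f):
        if f.kind == "arp-req" and f.dst_ip == h.ip:
            self.ingress(self.sw[h.sw], h.port, Frame("arp-rep", h.mac, f.src_mac, None, h.ip, f.src_ip))
        elif f.kind == "arp-rep" and f.dst_mac == h.mac:
            self.arp[h.name][f.src_ip] = f.src_mac
        elif f.kind == "ip" and f.dst_mac == h.mac and f.dst_ip == h.ip:
            self.got[h.name].append(f.src_ip)

    def send(self, src, dst):  # one IP packet src -> dst; True if delivered; self.trace holds every hop
        a, b, cache = self.hosts[src], self.hosts[dst], self.arp[src]
        self.trace.clear()
        nh = b.ip if subnet(a.ip) == subnet(b.ip) else a.gw  # off-subnet: next hop is the default gateway
        self.ingress(self.sw[a.sw], a.port, Frame("arp-req", a.mac, BCAST, None, a.ip, nh))
        if nh not in cache:
            return False
        n = len(self.got[dst])
        self.ingress(self.sw[a.sw], a.port, Frame("ip", a.mac, cache[nh], None, a.ip, b.ip))
        return len(self.got[dst]) > n

def build(switch2_uplink=(100, 200)):
    """Accepted-answer topology; switch2_uplink = VLANs Switch2 port 20 carries toward Switch3."""
    net = Net()
    net.sw = {n: switch(n) for n in ("Switch1", "Switch2", "Switch3")}
    net.sw["Switch3"].svi = {100: ("10.1.1.1", "00:00:00:00:03:01"), 200: ("10.2.2.1", "00:00:00:00:03:02")}
    net.trunk("Switch1", 10, "Switch2", 10, {100})
    net.trunk("Switch2", 20, "Switch3", 10, set(switch2_uplink), {100, 200})
    net.attach(Host("pc1", "00:00:00:00:01:10", "10.1.1.10", "10.1.1.1", "Switch1", 1), 100)
    net.attach(Host("pc2", "00:00:00:00:02:20", "10.2.2.20", "10.2.2.1", "Switch2", 2), 200)
    return net
```

Running `net = build(); net.send("pc1", "pc2"); print("\n".join(net.trace))` prints the same sequence as the walkthrough: the frame leaves Switch1 and Switch2 tagged VLAN 100, Switch3 answers as 10.1.1.1, rewrites the MACs and sends it back down the Switch2 trunk tagged VLAN 200, and Switch2 strips the tag out port 2. With `build(switch2_uplink=(100,))` the gateway's ARP for 10.2.2.20 is dropped at Switch2 port 20 and `send` returns False, which is the "every intermediary switch must carry VLAN X on its backbone links" condition in concrete form. One caveat the model makes visible: the trunks tag everything (the answer's "tag all traffic") and have PVID 1, so an untagged frame arriving on a trunk is placed in VLAN 1 by `ingress`; since the question plans VLAN 1 as the internal LAN and the switches currently sit on that one default VLAN, keep production VLANs off the untagged/native VLAN of the trunk links.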

Author Comment

by:Colebert
ID: 16849782
DFWG = ?

When you say "as long as your backbone ports support the necessary vlans along the path" does that translate to "as long as every switch in between source and destination support VLANs?"

How does configuring an arrangement like this affect network latency seeing how the packet has to go all the way to switch 3 then back down to switch 2?  

Looking at my diagram, would you say throwing in one 6024 should accomplish what I want given that the 32xx, 33xx, 34xx, and 53xx switches are all VLAN capable?
Expert Comment

by:pseudocyber
ID: 16851482
DFWG is a typo for my shorthand for DeFault GateWay.

>>When you say "as long as your backbone ports support the necessary vlans along the path" does that translate to "as long as every switch in between source and destination support VLANs?"

Well, obviously all your switches would have to support vlans, right?  What I mean is that if the switch on the edge is vlan x, then all the intermediary switches in between will have to have vlan X configured as well and on their backbone links.


>>How does configuring an arrangement like this affect network latency seeing how the packet has to go all the way to switch 3 then back down to switch 2?

It would add to the latency, but it would be minimal.  This is a standard 3 layer design.

>>Looking at my diagram, would you say throwing in one 6024 should accomplish what I want given that the 32xx, 33xx, 34xx, and 53xx switches are all VLAN capable?

Yes.  However, do up a design and submit it to Dell.  I'm sure they would love to give you pre-sale tech support - get your local sales guy and his Field Engineer to give you a visit.  Don't have one?  Problem with buying Dell equipment.  We're a Cisco and Nortel shop.

Author Comment

by:Colebert
ID: 16853548
Yeah, but I can pull down a 6024 off the 'bay for $600 or less if I'm patient.  We don't have the coin to go Cisco.  :-(

Thanks!
Expert Comment

by:pseudocyber
ID: 16853602
Thanks for the points, Colebert - but after all the help, why the B Grade?

Author Comment

by:Colebert
ID: 16853741
I didn't know B grade made a big difference?  

No malice intended, just reflecting that it was slightly hard to follow the way it was formatted and presented.  It is certainly not a reflection of your networking ability and definitely had nothing to do with that last part about Dell vs. Cisco/Nortel (of which I agree!)  
Expert Comment

by:pseudocyber
ID: 16853800
Ok.  Cool - no problems.

FYI, the better the letter grade, the larger the portion of the points awarded.  So, like, an A is 100%, B 75%, C 50%, etc.

Author Comment

by:Colebert
ID: 16853886
Bah, I thought the grade was perfunctory.  I'll just remember I owe 125pts next time I have a networking question. ;-)