long17

asked:
Setting up intervlan routing between a cisco 4507R and a cisco 2960

Hello, I've been asked to set up multiple VLANs between a Cisco 4507R and a number of Cisco 2960s, each with 2 VLANs on them. I have a little knowledge of Cisco switches.

Cisco 4507R      10.248.32.0    255.255.255.224 subnet, 10.248.32.31 broadcast address, 10.248.32.20 router address, vlan 1

Cisco 2960 (1)   10.248.33.0    255.255.255.224 subnet, 10.248.33.31 broadcast address, 10.248.32.30 router address, vlan 2
                 10.248.37.96   255.255.255.224 subnet, 10.248.32.27 broadcast address, 10.248.32.26 router address, vlan 3

Cisco 2960 (2)   10.248.35.96   255.255.255.224 subnet, 10.248.35.127 broadcast address, 10.248.35.126 router address, vlan 4
                 10.248.38.224  255.255.255.224 subnet, 10.248.38.255 broadcast address, 10.248.38.254 router address, vlan 5
devangshroff

hi,

Configure a trunk port on all switches.

On the 4500 create two trunk ports:

switchport mode trunk, and add one more command: ip routing

On both 2960s

create a
trunk port on each switch:
switchport trunk encapsulation dot1q
switchport mode trunk


Connect both switches to the core on the trunk ports.
done


And create the VLANs on all switches.
long17 (ASKER)
Hi,
thanks for the quick answer. Could you send me a more detailed CLI, as I have never set up VLANs or
routing? Also, will the IP ranges I supplied work?
hi!
to do that:

let us assume you have gi0/1 on the 4507 to the 1st 2960 (into gi0/1) and gi0/2 to the second one (also into gi0/1).
connect to the switch with the console
login with admin rights
issue on the 4500:
conf t
! enable inter-VLAN routing on the 4507 (it is the Layer 3 switch)
ip routing
! creating vlans
vlan 10
name test10
vlan 11
name test11

! if you need ips for these vlans (the "router" address of each subnet)
int vlan 10
ip address 10.1.1.1 255.255.255.0
no shutdown
int vlan 11
ip address 10.1.2.1 255.255.255.0
no shutdown

! configure the uplink ports as 802.1Q trunks that carry only these vlans
int range gi0/1 - 2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,11
end

on 2960s
conf t
! creating vlans
vlan 10
name test10
vlan 11
name test11

! configure the uplink port as a trunk (the 2960 supports 802.1Q only,
! so there is no "switchport trunk encapsulation" command on it)
int gi0/1
switchport mode trunk
switchport trunk allowed vlan 10,11

end
Les Moore
If your 2960s have IP addresses on VLAN 1 you might want to include 1 in the allowed VLAN list,
else you will not be able to contact the 2960s.
If you enable VTP you won't have to create the VLANs on every switch, only on the 4507.
long17 (ASKER)

So if I make VLAN 1 on the 2960, I can use it for management? Also, if I enter a subnet on the 4507
for a range of IPs on a VLAN, how can I give the 2960 an IP for each VLAN I install?
Yes, you can manage the 2960 with an IP address assigned to VLAN 1 (this is the default), as long as you allow VLAN 1 on the switchports.
You will not have to put any other IPs on the 2960 because it is a Layer 2 switch only.
All routing between VLANs is handled on the 4507.

To enable VTP, do this on all switches:
switch(config)#vtp domain VTPDOM  <== VTPDOM = string, can be anything you want
switch(config)#vtp password PASSWORD <== password can be anything
switch(config)#vtp mode client  <== only do this on the 2960s.

This leaves the 4507 as the VTP domain server. Any VLAN that you create on this switch will automatically be propagated to all the 2960s. You can test by using the "show vlan" command on a 2960 after creating a new VLAN on the 4507.
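The CLI walkthrough above, together with the two follow-ups about VLAN 1 and the 2960 being Layer 2 only, scales out to as many sites as the asker has. The following Python script is an added example (not code from the thread, not a Cisco tool) that uses the standard library's ipaddress module to check an addressing plan first (router address inside its own subnet, prefix on a boundary, no overlapping subnets) and then emits the IOS configuration the answers describe: every VLAN and one routed SVI per VLAN on the 4507, and on each 2960 only a management SVI plus an uplink trunk that carries that site's VLANs and the management VLAN. The hostnames, port numbers, VLAN ids and the addresses in PLAN are constructed assumptions, not the asker's spreadsheet.

```python
"""Added example (not from the thread): validate a VLAN/subnet plan with the
standard-library ipaddress module, then emit the IOS configuration the answers
describe. Hostnames, ports, VLAN ids and addresses below are assumptions."""
import ipaddress

# Constructed plan: VLAN id -> (name, subnet, router/SVI address on the 4507).
# These values are made up for the example, not the asker's spreadsheet.
PLAN = {
    1:  ("MGMT",   "10.254.0.0/24",    "10.254.0.1"),
    10: ("SITE1A", "10.248.32.0/27",   "10.248.32.1"),
    11: ("SITE1B", "10.248.33.0/27",   "10.248.33.1"),
    20: ("SITE2A", "10.248.35.96/27",  "10.248.35.97"),
    21: ("SITE2B", "10.248.38.224/27", "10.248.38.225"),
}
MGMT_VLAN = 1
# Assumed layout: which access switch carries which user VLANs.
SITES = {"ACCESS-2960-1": (10, 11), "ACCESS-2960-2": (20, 21)}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    checked = []
    for vid, (name, cidr, gw) in plan.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits in the prefix
        except ValueError as exc:
            problems.append(f"vlan {vid} ({name}): bad subnet {cidr}: {exc}")
            continue
        gateway = ipaddress.ip_address(gw)
        # The router address must be a usable host inside its own subnet, not the
        # network or broadcast address, and not an address from another subnet.
        if gateway not in net or gateway in (net.network_address, net.broadcast_address):
            problems.append(f"vlan {vid} ({name}): gateway {gw} is not a host in {net}")
        for other_vid, other_net in checked:
            if net.overlaps(other_net):
                problems.append(f"vlan {vid} overlaps vlan {other_vid}: {net} / {other_net}")
        checked.append((vid, net))
    return problems


def core_config(plan, hostname="CORE-4507", trunk_ports=("gi1/1", "gi1/2")):
    """IOS config for the Layer 3 core: every VLAN, one routed SVI per VLAN, trunks."""
    lines = [f"hostname {hostname}", "ip routing", "!"]
    for vid, (name, _cidr, _gw) in sorted(plan.items()):
        if vid == 1:
            continue  # VLAN 1 exists by default and cannot be renamed
        lines += [f"vlan {vid}", f" name {name}", "!"]
    for vid, (_name, cidr, gw) in sorted(plan.items()):
        mask = ipaddress.ip_network(cidr).netmask
        lines += [f"interface vlan {vid}", f" ip address {gw} {mask}", " no shutdown", "!"]
    allowed = ",".join(str(v) for v in sorted(plan))
    for port in trunk_ports:
        lines += [f"interface {port}", " switchport trunk encapsulation dot1q",
                  " switchport mode trunk", f" switchport trunk allowed vlan {allowed}", "!"]
    return "\n".join(lines)


def access_config(plan, hostname, site_vlans, mgmt_ip, uplink="gi0/1"):
    """IOS config for a Layer 2 access switch: its VLANs, a management SVI only
    (no routing here), and an uplink trunk carrying its VLANs plus the
    management VLAN so the switch stays reachable, and nothing else."""
    mgmt_mask = ipaddress.ip_network(plan[MGMT_VLAN][1]).netmask
    mgmt_gw = plan[MGMT_VLAN][2]
    lines = [f"hostname {hostname}", "!"]
    for vid in sorted(site_vlans):
        lines += [f"vlan {vid}", f" name {plan[vid][0]}", "!"]
    lines += [f"interface vlan {MGMT_VLAN}", f" ip address {mgmt_ip} {mgmt_mask}",
              " no shutdown", "!", f"ip default-gateway {mgmt_gw}", "!"]
    allowed = ",".join(str(v) for v in sorted(set(site_vlans) | {MGMT_VLAN}))
    # The 2960 trunks 802.1Q only, so there is no encapsulation command here.
    lines += [f"interface {uplink}", " switchport mode trunk",
              f" switchport trunk allowed vlan {allowed}", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    problems = validate_plan(PLAN)
    if problems:
        raise SystemExit("\n".join(problems))
    print(core_config(PLAN))
    for n, (host, vlans) in enumerate(SITES.items(), start=11):
        print(access_config(PLAN, host, vlans, f"10.254.0.{n}"))
```

Run it and paste the output into each switch from configuration mode. The validation step is where a plan like the asker's table gets caught before it reaches a switch: a router address that does not sit inside its own subnet, or two VLANs whose subnets overlap, would otherwise produce an SVI that comes up but routes nothing. The per-site allowed-VLAN list is the stricter of the two options discussed in the thread: allowing every VLAN on every trunk also works, but pruning keeps each access switch from carrying other sites' VLANs, and the management VLAN is always included so the switch stays manageable.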

On your switches that handle inter-VLAN routing, you should first think about the 'source VLAN'.

If 'vlan 500' is already present on the switch, and traffic will exist on say vlan 500, and you will want to route traffic on that VLAN to networks on other VLANs, then you need to give the routing switch a "presence" on that VLAN, in the subnet used by the other hosts on that VLAN, that they will route inter-VLAN traffic to.

For example:
!
ip classless
ip routing
!
vlan 500
!
interface vlan 500
  ip address 10.5.0.1 255.255.255.0
  no shut
!

This 'interface' section is the notation that gives the switch a "presence" on vlan 500.
In this case, you have assigned IP "10.5.0.1" to the VLAN interface.

Now vlan 500 is a directly connected interface, and if this switch receives
traffic destined for say "10.5.0.2", it will by default be sent to this VLAN interface.

If you have vlan 500 trunked to a second multilayer switch, you might have
on the second switch:

interface vlan 500
  ip address 10.5.0.2 255.255.255.0
  no shut
!

And with that, both switches have virtual "router interfaces" on that VLAN.
Now on the second switch, you could statically route traffic to another switch,
if you so desired.

ip route 10.6.0.0 255.255.255.0 10.5.0.1

Who knows, perhaps on the first switch you have
!
interface vlan 600
   ip address 10.6.0.1 255.255.255.0
   no shut
!
In that case, *poof*, now the second switch will send its traffic for 10.6.0.0/24 to the first switch,
and the first switch has a connected interface for that subnet
(it will route to vlan 600, unless you create rules on switch1 that say otherwise).


If you are just getting this environment built,
a perhaps normal thing to do here in a typical enterprise environment with many workstations and few routers is to use a hidden backbone VLAN for your routing and switch management, have a separate VLAN for actually connecting with your ISP, and also disable routing protocols (or make them passive) on non-trusted VLANs, to secure against rogue workstations.


It also standardizes how you route traffic from vlan X on switch A to vlan Y on switch B. You don't just pick one of switch B's many IP addresses at random to route to.


Give all switches a VLAN interface on that management VLAN (for Layer 2 non-router switches, that's usually their only IP address), and turn on a dynamic routing protocol such as OSPF or IS-IS on only the management interfaces, so you don't have to create all your needed routes by hand.
i.e. if your management subnet is on 10.254.0.0/24,
you might have something on switch 1 like
!
router ospf 1
     router-id 10.254.0.1
     network 10.254.0.0 0.0.0.255 area 0
     redistribute connected

I.e. you don't want to need to manually tell 4507 switch2 how to get traffic
from vlan 403 to vlan 456.

Ideal if (most likely) you want to be fully connected at Layer 3 on most VLANs.

If you want to restrict traffic, you can apply ACLs on the VLAN interface also.

There are further refinements that would be advisable, especially if scaling beyond a few dozen VLANs or a few dozen switches.

Your routing tables will be smallest if only one of your switches handles all Layer 3 routing.

Second best is to design your IP addressing so each switch's responsibilities are a contiguous block.

And better yet, to use VRRP for key VLANs, in a configuration where if one switch fails, another switch takes over L3 responsibilities for a given VLAN.
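To make the two-switch walkthrough above concrete, here is an added Python example (not from the answer, not Cisco code) that builds both switches' routing tables from the addresses in the answer, resolves a destination by longest prefix match the way a Layer 3 switch's forwarding lookup does (including resolving the static route's next hop through the connected vlan 500 interface), and evaluates an IOS-style access list with wildcard masks the way an ACL applied on the VLAN interface would before the route lookup. The names switch1/switch2, the ACL entries and the 10.254.0.0/24 management subnet used in the deny entry are assumptions for the example.

```python
"""Added example (not from the answer): longest-prefix-match forwarding for the
two-switch setup described above, plus an IOS-style ACL with wildcard masks
applied on the VLAN interface before the route lookup. Switch names, the ACL
entries and the management subnet in it are assumptions."""
import ipaddress


def connected(vlan, cidr):
    """A route learned from an SVI: the prefix is reachable out 'interface vlan N'."""
    return {"prefix": ipaddress.ip_network(cidr), "via": None, "out": f"vlan {vlan}"}


def static(cidr, next_hop):
    """An 'ip route <net> <mask> <next-hop>' entry (mask written as a prefix length)."""
    return {"prefix": ipaddress.ip_network(cidr),
            "via": ipaddress.ip_address(next_hop), "out": None}


def lookup(table, dst):
    """Return (outgoing interface, address to ARP for) or None if there is no route.
    Longest prefix wins; a static route's next hop is resolved through the
    connected route that contains it, which is how IOS resolves recursive routes."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r["prefix"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r["prefix"].prefixlen)
    if best["via"] is None:
        return (best["out"], str(dst))  # directly connected: deliver to the host itself
    hop = best["via"]
    for r in table:
        if r["via"] is None and hop in r["prefix"]:
            return (r["out"], str(hop))  # hand the packet to the next-hop router on its VLAN
    return None  # next hop is on no connected subnet: the route is unusable


# Tables built from the answer's snippets (constructed for the example).
# Switch 1 owns both subnets as SVIs; switch 2 reaches 10.6.0.0/24 via switch 1.
SWITCH1 = [connected(500, "10.5.0.0/24"), connected(600, "10.6.0.0/24")]
SWITCH2 = [connected(500, "10.5.0.0/24"), static("10.6.0.0/24", "10.5.0.1")]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask semantics: 0 bits must match, 1 bits are don't-care
    (the inverse of a subnet mask, so 0.0.0.255 covers a /24)."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for action, s, s_wild, d, d_wild in acl:
        if wildcard_match(src, s, s_wild) and wildcard_match(dst, d, d_wild):
            return action == "permit"
    return False


# Assumed inbound ACL for 'interface vlan 500': hosts on 10.5.0.0/24 may reach
# anything except the (assumed) management subnet 10.254.0.0/24.
VLAN500_IN = [
    ("deny",   "10.5.0.0", "0.0.0.255", "10.254.0.0", "0.0.0.255"),
    ("permit", "10.5.0.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),
]


def forward(table, acl, src, dst):
    """What the switch does with a packet arriving on the ACL'd VLAN interface."""
    if not acl_permits(acl, src, dst):
        return "dropped by ACL"
    result = lookup(table, dst)
    return f"out {result[0]} to {result[1]}" if result else "no route"


if __name__ == "__main__":
    for sw_name, table in (("switch1", SWITCH1), ("switch2", SWITCH2)):
        for dst in ("10.6.0.7", "10.5.0.9", "10.254.0.1", "10.7.0.1"):
            print(f"{sw_name}: 10.5.0.9 -> {dst}: {forward(table, VLAN500_IN, '10.5.0.9', dst)}")
```

The two lookups show the "poof" in the answer: on switch2 a packet for 10.6.0.7 matches only the static /24, so it leaves vlan 500 addressed to 10.5.0.1, while on switch1 the same destination matches the connected vlan 600 and is delivered directly. The ACL half shows the two things that trip people up on VLAN-interface ACLs: the masks are wildcards (the inverse of the subnet masks used in `ip route`), and a source that no entry names is dropped by the implicit deny, so a "permit my subnet to anything" list still blocks everything else.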


long17 (ASKER)

Hi, each switch has two VLANs and IP ranges. I have attached the IP numbering needed for this project.

ciscoip.xls
That's quite a project. We've given you the basics; what exactly do you need help with, or not understand?

long17 (ASKER)

For each 2900 I need to create VLAN trunks to support the two subnets that are required at each site.
The Cat 4500 will need to do Layer 3 (routing) between the sites.
Both of which have been demonstrated above. Simply scale it out using your VLAN and IP addressing scheme. All VLANs get created on the 4507; all Layer 3 VLAN interfaces get created on the 4507 with the "router" IP addresses.
Set up VTP so that you don't have to create the VLANs on every switch.
You do not have to limit the VLANs allowed. Without the allowed command, all VLANs are allowed on all trunk links, to simplify configuration. Change it later if you want.
All switches retain a management IP address on VLAN 1 only.
You determine which individual switch ports on which individual switch belong to which individual VLAN.
Highly recommend using the (free!) Cisco CNA to manage the switches: http://www.cisco.com/go/cna
If you are new to VLANs, please avoid VTP.
And if you are doing so, please make sure whenever you add a new switch to the network, you change the VTP mode to client;
else you will be messed up.
long17 (ASKER)

I have set up VLANs in transparent mode only; should I keep away from VTP?
ASKER CERTIFIED SOLUTION
Les Moore
long17 (ASKER)

Now with your help I can ping each subnet on all the switches from the 4507R if my laptop
is on the same subnet. Is it possible to connect to a different subnet and route packets to the
different VLANs from the 4507R?
Can you clarify your last question, please?