Solved

VLAN Design - Metro Ethernet - 4 Sites to start with more to add on

Posted on 2008-10-03
Last Modified: 2012-05-05
Ok, so today is ZERO day.  We are moving forward with our fiber conversion and I would really like to keep my job.  This is a continuation from this abandoned post.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23703126.html

Here are the details.  We are starting with 4 sites.

Site A is the center point and where all servers and internet are located.  We have a Cisco 2821 router (configs posted below).  This site will have traffic on VLANs 1 (native), 10, 20 and 30.

Site B is a security critical site.  We have a Cisco 2811 router (configs posted below).  This site will be on its very own VLAN 100, and should be able to access VLAN 30.

Site C is part of VLAN20, and should be able to access VLAN 30, and certain resources on VLAN 100.

Site D is part of VLAN 20 and only needs access to VLAN 30.

----------------
Vlans
----------------

VLAN 1 native
VLAN 10 Management <------should be able to access everything
VLAN 20 Basic Users
VLAN 30 Servers
VLAN 40 High Security

Like I said above, this is only a starting point.  We have several other sites that will either be part of VLAN 20 or on their very own VLAN.  I figure once I get these 4 up and talking the rest will fall into place as needed.

Please see my diagram and the configs that I will post in comments below.

Drawing1.jpg
Question by:CityofKerrville

Author Comment

by:CityofKerrville
ID: 22633882
This is Site A's config.  Cisco 2821.

CHR1#sh conf
Using 3309 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHR1
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-20.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
username "OMITTED" privilege 15 secret 5 "OMITTED"
archive
 log config
  hidekeys
!
!
!
interface GigabitEthernet0/0
 description VLAN30 SERVERS
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description dot1q trunk port to METRO ETHERNET
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description VLAN80 UNUSED
 encapsulation dot1Q 80
 ip address 192.168.98.1 255.255.255.254
!
interface GigabitEthernet0/1.2
 description VLAN20 COURT, FIREADMIN, LIBRARY, KSP, STREETS, GOLF
 encapsulation dot1Q 20
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 description VLAN40 WATER
 encapsulation dot1Q 40
 ip address 192.168.104.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 description VLAN50 WASTEWATER
 encapsulation dot1Q 50
 ip address 192.168.105.1 255.255.255.0
!
interface GigabitEthernet0/1.5
 description VLAN90 UNUSED
 encapsulation dot1Q 90
 ip address 192.168.107.1 255.255.255.254
!
interface GigabitEthernet0/1.6
 description VLAN100 KPD
 encapsulation dot1Q 100
 ip address 192.168.109.1 255.255.255.248
!
interface FastEthernet0/0/0
 description VLAN10 MGMT-IT
 switchport access vlan 10
!
interface FastEthernet0/0/1
 description ASA 5510 FIREWALL
!
interface FastEthernet0/0/2
 description VLAN20 CITY HALL
 switchport access vlan 20
!
interface FastEthernet0/0/3
 description UNUSED
 shutdown
!
interface Serial0/1/0
 description VLAN60 AIRPORT
 ip address 192.168.1.25 255.255.255.248
!
interface FastEthernet0/2/0
 description LINK TO OLD NETWORK
 ip address 192.168.101.5 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description FASTETHERNET0/0/0
 ip address 192.168.96.1 255.255.255.0
 shutdown
!
interface Vlan20
 description FASTETHERNET0/0/2
 ip address 192.168.99.1 255.255.255.0
 no mop enabled
!
router eigrp 1
 network 192.168.96.0
 network 192.168.97.0
 network 192.168.98.0
 network 192.168.99.0
 network 192.168.100.0
 network 192.168.101.0
 network 192.168.102.0
 network 192.168.103.0
 network 192.168.104.0
 network 192.168.105.0
 network 192.168.106.0
 network 192.168.107.0
 network 192.168.108.0
 network 192.168.109.0
 network 192.168.110.0
 network 192.168.111.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

CHR1#


Author Comment

by:CityofKerrville
ID: 22633886
This is Site B's config.  Cisco 2811.

PDR1#sh conf
Using 871 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PDR1
!
boot-start-marker
boot-end-marker
!
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip cef
!
!
!
!
!
!
interface FastEthernet0/0
 description VLAN100 traffic from ge0/0.6 on CHR1
 ip address 192.168.109.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description KPD SWITCH
 ip address 192.168.111.1 255.255.255.0
 duplex half
 speed auto
 no mop enabled
!
router eigrp 1
 network 192.168.109.0
 network 192.168.111.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.109.1
!
no ip http server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password "OMITTED"
 login
!
scheduler allocate 20000 1000
!
end

PDR1#


Author Comment

by:CityofKerrville
ID: 22633899
This is Site C's config.  Catalyst 3560.

COURT#sh conf
Using 1526 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname COURT
!
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
~~INTERFACES OMITTED~~
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 description VLAN20 traffic from ge0/1.2 on CHR1
 no switchport
 ip address 192.168.100.2 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT ACCESS
 ip address 192.168.96.51 255.255.255.0
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password "OMITTED"
 login
line vty 5 15
 password "OMITTED"
 login
!
end

COURT#


Author Comment

by:CityofKerrville
ID: 22633905
And this is Site D's config.  Catalyst 3560

FIREADMIN#sh conf
Using 1530 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname FIREADMIN
!
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
~~INTERFACES OMITTED~~
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 description VLAN20 traffic from ge0/1.2 on CHR1
 no switchport
 ip address 192.168.100.3 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT ACCESS
 ip address 192.168.96.52 255.255.255.0
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password "OMITTED"
 login
line vty 5 15
 password "OMITTED"
 login
!
end

FIREADMIN#


Accepted Solution

by: Don Johnston (earned 250 total points)
ID: 22635230
Is it an absolute requirement that the other sites be on the same broadcast domain as some of the VLANs on Site A?

If not, don't trunk through the metro cloud. Simply put, treat the metro cloud as a separate network. Every device connected to the cloud is layer 3 capable.

I.E.
Site A:
int g0/1
 ip address 192.168.1.1 255.255.255.248

Site B:
int f0/0
 ip address 192.168.1.2 255.255.255.248

Site C:
int G0/2
 no switchport
 ip address 192.168.1.3 255.255.255.248

Site D:
int G0/2
 no switchport
 ip address 192.168.1.4 255.255.255.248


Expert Comment

by:lrmoore
ID: 22635712
Agree with Don. Each site will have its own vlans designated with their own subnets on those vlans.
All interfaces touching the MetroE should be in the same subnet.
Just don't forget to enable routing. The 3560 can do basic EIGRP to advertise its locally connected subnets.



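The routed design in the two replies above, as an added example that is not part of the thread: a short Python model (standard library `ipaddress` only) of Don's one-subnet metro cloud and lrmoore's rule that every MetroE-facing interface sits in that subnet. It hands each site an address out of Don's 192.168.1.0/29, refuses once the /29 runs out of addresses (the question says more sites are coming, and the author's later 10.10.10.0/28 plan already uses ten of them), lists the per-LAN routes the hub must end up with (what EIGRP would learn, or the statics the author later types), and checks that both ends of one link agree on their mask, which the original CHR1 (/29) and PDR1 (/24) VLAN100 addressing did not. Site B's LAN 192.168.111.0/24 is from the PDR1 config; the Site C and D subnets, the `SITES` table and all function names are constructed for this example.

```python
"""Model of the routed (no-trunk) Metro Ethernet design Don and lrmoore describe.

Added example, not code from the thread. Don's 192.168.1.0/29 and the CHR1/PDR1
VLAN100 addresses are from the posts above; Site B's LAN is from the PDR1 config;
the Site C/D LAN subnets and the function names are constructed for this example.
"""
import ipaddress

# Don's proposal: the metro cloud is one small subnet and each site router owns one address in it.
METRO = ipaddress.ip_network("192.168.1.0/29")

# LAN subnets behind each site; the hub reaches them through that site's metro address.
SITES = {
    "A": [],                        # hub: its own LANs are directly connected
    "B": ["192.168.111.0/24"],      # KPD switch subnet (PDR1 FastEthernet0/1)
    "C": ["192.168.120.0/24"],      # constructed
    "D": ["192.168.121.0/24"],      # constructed
}


def assign_metro_addresses(metro, site_names):
    """One metro-facing address per site, in order; refuse if the subnet cannot hold them all."""
    hosts = list(metro.hosts())
    if len(site_names) > len(hosts):
        raise ValueError(f"{metro} has {len(hosts)} usable addresses, {len(site_names)} sites need one each")
    return {name: ipaddress.ip_interface(f"{host}/{metro.prefixlen}")
            for name, host in zip(site_names, hosts)}


def link_consistent(a, b):
    """Both ends of one link must agree on the subnet, not merely reach each other.
    PDR1's 192.168.109.2/24 facing CHR1's 192.168.109.1/29 pings fine, yet PDR1 would
    treat every 192.168.109.x as on-link; lrmoore's fix was to make both ends /29."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def all_on_metro(metro, ifaces):
    """lrmoore's rule: every interface touching the MetroE sits in the metro subnet."""
    return all(i.network == metro for i in ifaces.values())


def hub_static_routes(hub, ifaces, sites):
    """What the hub must learn (EIGRP) or be told (statics): each remote LAN via its metro address."""
    routes = []
    for name, subnets in sites.items():
        if name == hub:
            continue
        for subnet in subnets:
            net = ipaddress.ip_network(subnet)
            routes.append(f"ip route {net.network_address} {net.netmask} {ifaces[name].ip}")
    return routes


def spoke_default_route(hub, ifaces):
    """A spoke needs only a default toward the hub's metro address (an IP, not an interface name)."""
    return f"ip route 0.0.0.0 0.0.0.0 {ifaces[hub].ip}"


if __name__ == "__main__":
    ifaces = assign_metro_addresses(METRO, list(SITES))
    for name, iface in ifaces.items():
        print(f"Site {name} metro interface: {iface}")
    print("all on metro subnet:", all_on_metro(METRO, ifaces))
    print("\n".join(hub_static_routes("A", ifaces, SITES)))
    print(spoke_default_route("A", ifaces))
```

Run as a script it reproduces Don's .1 through .4 assignment and the hub's three routes; asking it for ten sites on the /29 raises, which is the capacity question to settle before picking the metro subnet.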

Author Comment

by:CityofKerrville
ID: 22635895
"donjohnston: Is it an absolute requirement that the other sites be on the same broadcast domain as some of the VLANs on Site A? If not, don't trunk through the metro cloud. Simply put, treat the metro cloud as a separate network. Every device connected to the cloud is layer 3 capable."

Outside of Site B (Police Department) and our Water Treatment facilities (not included in this question), we would like every site to be on the same subnet (i.e. 192.168.100.X) and VLAN20, pulling DHCP.  Site C (Municipal Court) needs limited access to some resources at Site B (Police Department), our MGMT (VLAN10) and our SERVER (VLAN30).  This is the way I have been planning it out for months and I really don't have the time to tear down and start over.  I just need to know if the configs I have in place will work properly.

Author Comment

by:CityofKerrville
ID: 22635920
"lrmoore:

Agree with Don. Each site will have its own vlans designated with their own subnets on those vlans.
All interfaces touching the MetroE should be in the same subnet.
Just don't forget to enable routing. The 3560 can do basic EIGRP to advertise its locally connected subnets."

So what you are saying is regardless of their VLAN, the ports plugged into the ME at all sites should all be on something like 192.168.1.x?

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 22636016
The metroE is typically a VLAN of its own, and every port assigned to you is assigned to this vlan, so yes they would all be in the same subnet unless you have other instructions or information from the MetroE provider that you have not shared with us.

If you want to do it the way you have planned, since you are vlan tagging and trunking at one site you have to do it at all sites. So site B would have to look something like this:

interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/1.100
 description VLAN100 traffic from ge0/0.6 on CHR1
 encapsulation dot1Q 100
 ip address 192.168.109.2 255.255.255.248

Personally, I would do all L3 interfaces and not do any trunking across the MetroE. It is much more efficient use of the bandwidth and you can build in redundancy easier later if you need it.


Author Comment

by:CityofKerrville
ID: 22636060
"lrmoore:

Personally, I would do all L3 interfaces and not do any trunking across the MetroE. It is much more efficient use of the bandwidth and you can build in redundancy easier later if you need it."

Let's say I choose to go this route; how can I do it without having to put each site on its own subnet?

Expert Comment

by:lrmoore
ID: 22636186
You can't do all Layer 3 without each site being in its own subnet.
You can still have a centralized DHCP server if you want, but each site has its own subnet, or multiple subnets if it has multiple vlans.

Author Comment

by:CityofKerrville
ID: 22636272
I can appreciate your position.  For our purpose, I think I am going to press on down the road I am on.  We are a small city government with a whole whopping 3 people in IT.  That being said, back to what you said above...

"If you want to do it the way you have planned, since you are vlan tagging and trunking at one site you have to do it at all sites."

I have made the changes you suggested.  Now on the main router at Site A, you will notice I have not put any routes in the config yet.  Can you offer some guidance on routing VLAN traffic?

Expert Comment

by:lrmoore
ID: 22636441
Since you have EIGRP enabled, you shouldn't need any other routing. Except..
  >ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
This can't work. You need to use the upstream IP address of the ASA and not the interface.
Interface Fast 0/0/1 needs to have an IP address in the same IP subnet as the ASA inside.

And you need a vlan 10 interface at Site A:
!
interface GigabitEthernet0/1.10
 description MANAGEMENT VLAN
 encapsulation dot1Q 10
 ip address 192.168.96.1 255.255.255.254

On switches C and D, use a trunked port, and define the vlans on each switch.
Identical configs on both switches.
Easier to configure an unused port than reconfigure what you have.

interface GigabitEthernet0/1
 switch mode trunk
 switch trunk encap dot1q

ip default-gateway 192.168.96.1

vlan 10
vlan 20
vlan 30
vlan 40

All user-attached switchports should be in vlan 20:

interface FastEthernet0/1
 switch mode access
 switch access vlan 20
 spanning-tree portfast


Author Comment

by:CityofKerrville
ID: 22636833
"lrmoore:

>ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
This can't work. You need to use the upstream IP address of the ASA and not the interface.
Interface Fast 0/0/1 needs to have an IP address in the same IP subnet as the ASA inside."

This has since been changed.

"And you need a vlan 10 interface at Site A"

VLAN10 is local to Site A and used as a Management VLAN (IT and Virtual Server Management).  It is referenced later on in the config....see below

!
interface FastEthernet0/0/0
 description VLAN10 MGMT-IT
 switchport access vlan 10
!
!
interface Vlan10
 description FASTETHERNET0/0/0
 ip address 192.168.96.1 255.255.255.0
!

"On switches C and D, use a trunked port, and define the vlans on each switch.
Identical configs on both switches.
interface GigabitEthernet0/1
 switch mode trunk
 switch trunk encap dot1q"

Do I need an IP address on this interface still?

"ip default-gateway 192.168.96.1"

This address is not the default gateway.  It is the address on the Management VLAN interface.

"vlan 10
vlan 20
vlan 30
vlan 40"

Not sure what you are suggesting here....

"All user-attached switchports should be in vlan 20:
interface FastEthernet0/1
 switch mode access
 switch access vlan 20
 spanning-tree portfast"

Done.

See new configs below.
NEW SITE A CONFIG
 

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CHR1
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-20.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
username netmaster privilege 15 secret 5 "OMITTED"
archive
 log config
  hidekeys
!
!
interface GigabitEthernet0/0
 description VLAN30 SERVERS
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description dot1q trunk port to METRO ETHERNET
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description VLAN80 UNUSED
 encapsulation dot1Q 80
 ip address 192.168.98.1 255.255.255.254
!
interface GigabitEthernet0/1.2
 description VLAN20 COURT, FIREADMIN, LIBRARY, KSP, STREETS, GOLF
 encapsulation dot1Q 20
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 description VLAN40 WATER
 encapsulation dot1Q 40
 ip address 192.168.104.1 255.255.255.0
 shutdown
!
interface GigabitEthernet0/1.4
 description VLAN50 WASTEWATER
 encapsulation dot1Q 50
 ip address 192.168.105.1 255.255.255.0
 shutdown
!
interface GigabitEthernet0/1.5
 description VLAN90 UNUSED
 encapsulation dot1Q 90
 ip address 192.168.107.1 255.255.255.254
!
interface GigabitEthernet0/1.6
 description VLAN100 KPD
 encapsulation dot1Q 100
 ip address 192.168.109.1 255.255.255.248
!
interface FastEthernet0/0/0
 description VLAN10 MGMT-IT
 switchport access vlan 10
!
interface FastEthernet0/0/1
 description ASA 5510 FIREWALL
!
interface FastEthernet0/0/2
 description VLAN20 CITY HALL
interface Serial0/1/0
 description VLAN60 AIRPORT
 ip address 192.168.1.25 255.255.255.248
!
interface FastEthernet0/2/0
 description LINK TO OLD NETWORK
 ip address 192.168.101.5 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description FASTETHERNET0/0/0
 ip address 192.168.96.1 255.255.255.0
 shutdown
!
interface Vlan20
 description FASTETHERNET0/0/2
 ip address 192.168.99.1 255.255.255.0
 no mop enabled
!
router eigrp 1
 network 192.168.96.0
 network 192.168.97.0
 network 192.168.98.0
 network 192.168.99.0
 network 192.168.100.0
 network 192.168.101.0
 network 192.168.102.0
 network 192.168.103.0
 network 192.168.104.0
 network 192.168.105.0
 network 192.168.106.0
 network 192.168.107.0
 network 192.168.108.0
 network 192.168.109.0
 network 192.168.110.0
 network 192.168.111.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.101.1
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 password "OMITTED"
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
 

NEW SITE C CONFIG
 

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname COURT
!
enable secret 5 "OMITTED"
enable password "OMITTED"
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/24
 description VLAN20 traffic from ge0/1.2 on CHR1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MGMT ACCESS
 ip address 192.168.96.51 255.255.255.0
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password "OMITTED"
 login
line vty 5 15
 password "OMITTED"
 login
!
end


Expert Comment

by:lrmoore
ID: 22637007
First, let's discuss the management vlan.
If the trunk port on Router A does not have a VLAN 10, then none of the remote switches with VLAN 10 will be accessible.
The default-gateway setting on the switch is for management purposes only and does need to point to the RTRA's vlan 10 interface. It is not the default route for end users. They will all point to the router A's corresponding vlan subinterface.

The 4-port switch on RTRA has no relevance to vlan tagging on the trunked port gig 0/0/0, so don't think that you can assign a switchport to a vlan and have it communicate with the dot1q tagged subinterfaces of the trunk port.

So right now, RTRA is a total mess. I'll work out my suggested configuration and post it shortly. Question - do you have another switch in Site A that you can connect the Gig 0/0 to and trunk to that switch?

On switches, do NOT put an ip address on the interface:
interface FastEthernet0/24
 description VLAN20 traffic from ge0/1.2 on CHR1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 
You also must actually define the vlans on the switches. You do this by simply creating them in the config. I think that you only need 10 and 20 on these two switches.
switch(config)#vlan 10
switch(config-vlan)#exit
switch(config)#vlan 20
switch(config-vlan)#end
switch# show vlan
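The rules lrmoore states in this reply and the one before it (a default route pointing at an interface that has no address, an IP address on a switchport, and EIGRP network statements that match nothing on the box) can be checked mechanically before a config is pasted in. What follows is an added example, not code from the thread or from Cisco: a small Python linter over IOS-style text, run on a constructed composite of stanzas taken from the posted CHR1 and COURT configs. The parser, the check messages and `SAMPLE_CONFIG` are this example's own, and the parser understands only the stanza forms that appear on this page.

```python
"""Lint an IOS config for the mistakes lrmoore calls out in this thread (added example, not
code from the thread or from Cisco; SAMPLE_CONFIG is a constructed composite of stanzas from
the posted CHR1 and COURT configs, and the parser and check messages are this example's own)."""
import ipaddress
import re

def classful(addr):
    """IOS 'network x.x.x.x' without a wildcard is classful: class A /8, B /16, C /24."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_config(text):
    """Return (interfaces, static_routes, eigrp_networks); interfaces maps name -> stanza lines."""
    interfaces, routes, eigrp, section = {}, [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):            # '!' closes the open stanza
            section = None
        elif line.startswith(" "):                      # indented lines belong to the open stanza
            body = line.strip()
            if section in interfaces:
                interfaces[section].append(body)
            elif section == "eigrp" and (m := re.match(r"network (\S+)$", body)):
                eigrp.append(classful(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            section = m.group(1)
            interfaces[section] = []
        elif line.startswith("router eigrp"):
            section = "eigrp"
        else:
            section = None
            if m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
                dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                routes.append((dest, m.group(3)))       # next hop kept as typed: IP or interface name
    return interfaces, routes, eigrp

def iface_ip(lines):
    """'ip address A M' as an IPv4Interface, else None ('no ip address' never matches)."""
    for line in lines:
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None

def is_switchport(lines):
    # a routed port's 'no switchport' starts with 'no', so it is not counted as a switchport
    return any(line.startswith("switchport") for line in lines)

def lint(text):
    """Human-readable findings; an empty list means none of the three checks fired."""
    interfaces, routes, eigrp = parse_config(text)
    addrs = {name: iface_ip(lines) for name, lines in interfaces.items()}
    connected = [a for a in addrs.values() if a is not None]
    findings = []
    for dest, hop in routes:
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:                              # hop is an interface name
            if addrs.get(hop) is None:                  # unknown, or has no address: cannot forward
                findings.append(f"route {dest} points at {hop}, which has no IP address")
            continue
        if not any(hop_ip in a.network for a in connected):
            findings.append(f"route {dest} next hop {hop_ip} is not on any connected subnet")
    for name, lines in interfaces.items():              # an L2 switchport cannot also carry an IP
        if is_switchport(lines) and addrs[name] is not None:
            findings.append(f"{name} is a switchport but carries ip address {addrs[name]}")
    for net in eigrp:                                   # 'network' lines matching no interface are dead
        if not any(a.ip in net for a in connected):
            findings.append(f"eigrp network {net} matches no interface address")
    return findings

# Constructed composite: CHR1 router stanzas plus the COURT switch's new Fa0/24 trunk stanza.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.6
 encapsulation dot1Q 100
 ip address 192.168.109.1 255.255.255.248
!
interface FastEthernet0/0/1
 description ASA 5510 FIREWALL
!
interface FastEthernet0/2/0
 ip address 192.168.101.5 255.255.255.0
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk encapsulation dot1q
 ip address 192.168.100.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.96.1 255.255.255.0
!
router eigrp 1
 network 192.168.96.0
 network 192.168.97.0
 network 192.168.109.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
ip route 192.168.111.0 255.255.255.0 192.168.109.2
"""
```

On the composite `lint(SAMPLE_CONFIG)` reports three findings: the default route via Fa0/0/1 (no address on that port), the IP address on the Fa0/24 switchport, and the `network 192.168.97.0` statement with nothing behind it. Pointing the default route at 192.168.101.1 instead, a next hop inside the Fa0/2/0 subnet as the author's revised config does, removes the first finding and leaves the other two.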

Expert Comment

by:lrmoore
ID: 22637102
The more I look at this, the more I'm inclined to say that the 2800 at Site A is unnecessary if you have another 3560 switch at that location.
It would make the whole scenario so much easier to configure and manage.

If you want to go that way, I'll work up a suggested configuration.

Author Comment

by:CityofKerrville
ID: 22637244
That's not really an option.  Besides, it is necessary for the one site that will remain on a T1...hence the CSU/DSU serial interface.
Author Comment

by:CityofKerrville
ID: 22637387
It's go time in 10 minutes.  I am running with what I have and will troubleshoot along the way.  I'll get back to you.
Author Comment

by:CityofKerrville
ID: 22651443
"donjohnston:

Is it an absolute requirement that the other sites be on the same broadcast domain as some of the VLAN's on Site A?"


Let's say, for the sake of "I just want it to be done", that I would entertain going this way; can I still use VLAN tags?  I guess I should address the DHCP questions elsewhere also, unless someone here wants to tackle that.  I am just ready to get past this as painlessly as possible.  Here is what I have so far for the router.  I think I have a decent handle on it with the exception of the local devices connected to the 4-port switch HWIC (I have marked them with <------ on the config below) and how to route traffic to devices on these ports.  Do I need to set up VLAN interfaces?

!
interface GigabitEthernet0/0
 description VLAN30 SERVERS
 ip address 192.168.101.6 255.255.255.0
 shutdown    <------shutdown until servers are migrated
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description METRO ETHERNET
 ip address 10.10.10.1 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/0/0    <------4-port HWIC
 description VLAN10 MGMT-IT
 switchport access vlan 10
!
interface FastEthernet0/0/1    <------4-port HWIC
 description ASA 5510 FIREWALL
!
interface FastEthernet0/0/2    <------4-port HWIC
 description VLAN20 CITY HALL
 switchport access vlan 20
!
interface FastEthernet0/0/3    <------4-port HWIC
 description UNUSED
!
interface Serial0/1/0
 description VLAN60 AIRPORT
 ip address 192.168.1.25 255.255.255.248
!
interface FastEthernet0/2/0
 description LINK TO OLD NETWORK
 ip address 192.168.101.5 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 1
 network 192.168.96.0
 network 192.168.97.0
 network 192.168.98.0
 network 192.168.99.0
 network 192.168.100.0
 network 192.168.101.0
 network 192.168.102.0
 network 192.168.103.0
 network 192.168.104.0
 network 192.168.105.0
 network 192.168.106.0
 network 192.168.107.0
 network 192.168.108.0
 network 192.168.109.0
 network 192.168.110.0
 network 192.168.111.0
 network 192.168.112.0
 network 192.168.113.0
 network 192.168.114.0
 network 10.10.10.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/2/0
ip route 192.168.99.0 255.255.255.0 10.10.10.3
ip route 192.168.102.0 255.255.255.0 192.168.101.9
ip route 192.168.103.0 255.255.255.0 192.168.101.9
ip route 192.168.114.0 255.255.255.0 192.168.101.9
ip route 192.168.104.0 255.255.255.0 10.10.10.5
ip route 192.168.105.0 255.255.255.0 10.10.10.6
ip route 192.168.106.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.108.0 255.255.255.0 Serial0/1/0
ip route 192.168.110.0 255.255.255.0 10.10.10.8
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.4
no ip http server
no ip http secure-server
!


Author Comment

by:CityofKerrville
ID: 22651665

Author Comment

by:CityofKerrville
ID: 22651718
Here is a diagram of the new idea.  I have grayed out sites that are not important as of yet.  Still working with sites A, B, C, & D.



Drawing1.jpg

Author Closing Comment

by:CityofKerrville
ID: 31502755
Thanks guys.  This is the direction we are going to move in.  I have more questions but will start new threads.