chekfu asked:

Looking for practical steps in configuring the network using Cisco Catalyst

Your help is very much appreciated.

I have this design in my mind:
Cisco 877
       ||
       ||
Cisco ASA 5510 [inside interface: 192.168.100.1]
       ||
       ||
Core (1 x L3 Switch)
       ||
       ||==========| L2 Switch for servers | =========== [DC includes DHCP & DNS, 192.168.100.100]
       ||
Distribution (2 x L2 Switch)
       ||
       ||
Access (3 x L2 Switch)
  ||                         ||                            ||
  ||                         ||                            ||
Admin                  Sales                    MIS
(vlan10)               (vlan20)               (vlan30)
192.168.10.1/24    192.168.20.1/24    192.168.30.1/24

1. How do I configure between Core L3 switch and Cisco ASA5510?
2. How do I configure between Core L3 switch and Distribution L2 switch?
3. How do I configure between Distribution L2 and Access L2 switches?
ASKER CERTIFIED SOLUTION (hau_it)
[solution text not available: members-only on Experts Exchange]

SOLUTION
[solution text not available: members-only on Experts Exchange]

chekfu (ASKER):

Thank you very much.

192.168.100.0/24 is currently the main LAN. It seems that I am being advised to create a VLAN other than VLAN1 for my main LAN. Probably I will create VLAN100.

What do you mean by a point-to-point link between the ASA and the L3 core switch? How should I create it?

I am assuming you have a single ASA and a single core L3 switch.

On the inside interface of the ASA, assign an IP address,
say 172.16.1.1 with mask 255.255.255.252.

On the core L3 switch, assign an IP address to one of the ports, say 172.16.1.2 255.255.255.252.

Basically it's a configuration similar to any serial connection.

HTH
nayan panchal
You will assign a separate network ID for each VLAN.
Let's say 192.168.1.0/24 for VLAN 1, 192.168.2.0/24 for VLAN 2, 192.168.3.0/24 for VLAN 3 and 192.168.4.0/24 for VLAN 4.

When I say point-to-point link I mean a network that will have only 2 IP addresses, let's say 192.168.254.0/30.

In the L3 switch you will give the interface the command no switchport and then ip address 192.168.254.1/30.

Dimitris
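Written out in CLI form, as an added example that is not part of any post in this thread: the point-to-point link nayan panchal and Dimitris describe, using Dimitris's 192.168.254.0/30 with the core at .1 and the ASA at .2, plus the VLAN100 SVI so the servers keep 192.168.100.1 as their gateway (now owned by the core). The interface names (Ethernet0/1 on the ASA 5510, GigabitEthernet1/0/1 on the 3750) and the VLAN 10/20/30 subnets from the original design are assumptions; the ASA software version is not stated in the thread, so only interface and routing lines are shown.

```ios
! ===== Cisco ASA 5510 (assumption: inside is Ethernet0/1) =====
interface Ethernet0/1
 description point-to-point link to core 3750
 nameif inside
 security-level 100
 ip address 192.168.254.2 255.255.255.252
!
! The ASA is no longer directly connected to the LAN subnets, so it
! needs an explicit route to each of them via the core.  Without
! these, return traffic for 192.168.x.0/24 follows the default route
! out the outside interface and is dropped.
route inside 192.168.10.0  255.255.255.0 192.168.254.1
route inside 192.168.20.0  255.255.255.0 192.168.254.1
route inside 192.168.30.0  255.255.255.0 192.168.254.1
route inside 192.168.100.0 255.255.255.0 192.168.254.1

! ===== Cisco Catalyst 3750 core (assumption: port names) =====
ip routing
!
vlan 100
 name Servers
!
! Routed port: "no switchport" takes the port out of VLAN switching,
! so no VLAN is needed for the /30 link.
interface GigabitEthernet1/0/1
 description point-to-point link to ASA inside
 no switchport
 ip address 192.168.254.1 255.255.255.252
!
! Server VLAN gateway stays at 192.168.100.1, now on the core.
! The VLAN 10/20/30 SVIs are configured the same way with their own /24.
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
! Everything not local goes to the ASA.
ip route 0.0.0.0 0.0.0.0 192.168.254.2
```

Check it with "show ip route" on both boxes and "ping 192.168.254.2" from the core before moving any servers. One caveat the thread does not mention: the ASA's NAT rules must also cover the new VLAN subnets, not just 192.168.100.0/24, or Internet traffic from those VLANs will be dropped; the exact syntax depends on the ASA version (nat/global before 8.3, object NAT from 8.3 on).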
chekfu (ASKER):

Yes, 1 ASA and 1 newly bought core switch.

As seen, the ASA is running 192.168.100.1 and the DC is 192.168.100.100. Am I doing the right thing? On port #1 of the core switch I assign IP address 192.168.99.1/30. The inside interface IP of the ASA will change to 192.168.99.2/30 from 192.168.100.1/24.

Port #2 of the core switch will be in a newly created VLAN100, whose interface IP is 192.168.100.1. So I won't have to change the default gateway for each server.

By doing this with IP routing enabled, will servers on VLAN100 be able to ping and communicate with the ASA?
I strongly disagree with some suggestions of nrpanchal.

First of all, I have never seen inter-VLAN routing in L2 switches anywhere. If this can happen I would very much like an explanation of it!
Cisco's hierarchical network design says that inter-VLAN routing should happen on distribution layer switches, but here the distribution layer switches are L2 and not L3. So how can inter-VLAN routing happen on L2 switches?

Dynamic desirable is a DTP trunking mode. Cisco suggests that for security purposes all trunks should be configured as trunk with DTP disabled (nonegotiate).

Finally, VTP can accept a password for security purposes!

Dimitris
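The two hardening points Dimitris raises, DTP off on trunks and a VTP password, written out as an added example (not from any post in the thread) with the weak form beside the hardened form. It is shown on a 2950 uplink and access port; on the 3750, add "switchport trunk encapsulation dot1q" before "switchport mode trunk" (the 2950 only speaks 802.1Q and does not accept that command). The port numbers, the VTP domain name, the native VLAN number and the password are placeholders.

```ios
! ---- Weak: dynamic desirable ----
! The port sends DTP and forms a trunk with anything that negotiates,
! including a host on a user port that sends crafted DTP frames; that
! host then receives every VLAN carried on the trunk.
interface FastEthernet0/12
 switchport mode dynamic desirable

! ---- Hardened trunk (uplink to the core) ----
! mode trunk = unconditional trunk; nonegotiate = stop sending DTP.
! An unused native VLAN means untagged frames from the far end cannot
! land in a user VLAN, and the allowed list prunes the trunk to what
! actually needs to cross it.
interface FastEthernet0/12
 description uplink to L3SW01
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,100

! ---- Hardened access port (user-facing) ----
! "mode access" already disables DTP on the port; portfast plus
! bpduguard err-disables the port if a user plugs in a switch that
! starts talking spanning tree.
interface FastEthernet0/2
 description Admin user port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! ---- VTP: password so a rogue switch cannot push a VLAN database ----
! Transparent mode (which the thread settles on) also ignores received
! advertisements; the password still matters on any switch left in
! client or server mode.  On older 2950 images these three commands
! live under "vlan database" instead of global config.
vtp domain CORPNET
vtp password S3cretVtpPass
vtp mode transparent
```

Verify with "show interfaces FastEthernet0/12 switchport" (Administrative Mode: trunk, Negotiation of Trunking: Off) and "show vtp status" on each switch.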
Hi hau,

I didn't notice that the distribution layer switches are L2. If the switch is L2, no inter-VLAN routing can be done by the distribution switch.

For VTP, my assumption is that the author is not going to add/delete VLANs very frequently. Putting them in transparent mode is the best thing to do.

Dear Author,
Please provide the model number of your distribution switches. If they support Layer 3 functionality, use them.

HTH
nayan panchal

chekfu (ASKER):

What topology do you recommend based on the devices I have:
1 x Cat-3750
2 x Cat-3500
4 x Cat-2950

Going forward, I have 4 or 5 VLANs to create. Is VTP transparent still recommended?

Which LAN environment (ADSL877-ASA-L3-L2-L2 or ADSL877-ASA-L2-L3-L2) is recommended?
The Cat 3750 will be your core switch with L3 functionality enabled.
The Cat 3500 also supports L3 functionality; they will perform the role of distribution switches. Make these switches responsible for inter-VLAN routing.
The Cat 2950s will be your access switches. Create one VLAN in each switch. The Cat 2950 doesn't support L3 functionality.

I will still go with VTP transparent mode.
For trunking, digging further, I would say go for trunking ON mode. Thanks for the suggestion, hau_it.

HTH
nayan
chekfu (ASKER):

My Cat-3500 is actually a Cat-3548XL. I was told that it is a Layer 2 switch.
Okay, it looks like the switch has gone EoS and I am not able to find any info on Cisco.com.
However, by googling it I can see it does not support L3 functionality.

So now your design is much simpler. Your core switch would be the most critical device of your network. It's a single point of failure.

I see no importance in distribution switches. If you are not going to connect anything to the core switch apart from switches, you can skip using distribution switches. Of course, this solution would not be scalable.

You can configure EtherChannel between the access switches and the core switch to have link-level redundancy and greater uplink speed. EtherChannel between the server switch and the core switch is strongly recommended.

You need to create SVIs now on the core switch. The core switch will be responsible for inter-VLAN routing.

HTH
nayan panchal


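An added example, not from nayan panchal's post, of the two things he recommends: an EtherChannel between the server switch and the core, and SVIs on the core doing the inter-VLAN routing. Because the DC at 192.168.100.100 is the DHCP server, hosts in VLAN 10/20/30 only get leases if the core relays their DHCP broadcasts, so each user SVI carries an "ip helper-address"; that relay line is a practitioner addition, not something stated in the thread. Port numbers are assumptions. LACP ("channel-group 1 mode active") needs a 2950 image that supports it; if yours does not, use "mode on" on both ends, accepting that a miscabled member link is then not detected by a protocol.

```ios
! ===== Core L3SW01 (Catalyst 3750) =====
ip routing
!
! Two physical uplinks bundled into one logical trunk: spanning tree
! sees a single link, so both carry traffic and one can fail without
! an STP reconvergence.  VLAN 1 is kept because the switches'
! management addresses (192.168.50.x) live there in this thread.
interface Port-channel1
 description EtherChannel to server switch L2SW04
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,100
!
interface range GigabitEthernet1/0/1 - 2
 description member links to L2SW04
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
! SVIs: the core is the default gateway for every VLAN.
interface Vlan100
 description Servers (DC with DHCP and DNS at 192.168.100.100)
 ip address 192.168.100.1 255.255.255.0
!
! User VLANs relay DHCP broadcasts to the DC (assumed DHCP server).
interface Vlan10
 description Admin
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.100.100
!
interface Vlan20
 description Sales
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.100.100
!
interface Vlan30
 description MIS
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.100.100

! ===== Server switch L2SW04 (Catalyst 2950) =====
interface Port-channel1
 description EtherChannel to core L3SW01
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,100
!
interface range FastEthernet0/11 - 12
 description member links to L3SW01
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
```

"show etherchannel summary" should list Po1 as (SU) with both members flagged (P) on each side; "show ip interface brief" on the core lists the four SVIs up/up once at least one port in each VLAN is active.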
chekfu (ASKER):

Today I've just added IPs for those switches in the initial setup.

Core (1)         - L3 - Cat 3750   - 192.168.50.11
Distribution (2) - L2 - Cat 3548XL - 192.168.50.12 & 192.168.50.13
Access (4)       - L2 - Cat 2950   - 192.168.50.14, 192.168.50.15, 192.168.50.16 & 192.168.50.17

The server switch is running 192.168.50.14.

Back to my previous question, which has yet to get a reply.

As seen, the ASA is running 192.168.100.1 and the DC is 192.168.100.100. Am I doing the right thing?

In ASA:
- The inside interface IP of the ASA will change to 192.168.99.2/30 from 192.168.100.1/24.

In CORE:
- IP routing enabled.
- On port #1 of the core switch, I assign IP address 192.168.99.1/30.
- Port #2 of the core switch is in a newly created VLAN100 whose interface IP is 192.168.100.1. So I won't have to change the default gateway for each server.

Will it work? Will servers on VLAN100 be able to ping the ASA and browse the Internet?
chekfu (ASKER):

Due to busy daily operations, I didn't have a chance to test after performing the initial setup by only assigning IP addresses.

In CORE
- On port #1 of the core switch, I assign IP address 192.168.99.1/30. I wonder whether I need to create a custom VLAN ID or use VLAN1? Or am I wrong, and no VLAN is required?
chekfu (ASKER):

Hi Experts

I couldn't connect to the Internet. From the L2 switch console, ping requests to the Cisco ASA inside IP time out. Pings to the other SVIs for each VLAN are OK. However, from the L3 switch console pings to the ASA succeed. Pings to any external IP address succeed.

Is my configuration wrong? Can you help? Below is the running config of the L2 Cat-2950, with VTP client mode enabled.

Current configuration : 1311 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname L2SW04
!
enable secret 5 $1$y1HJ$QRihupYbC2sw1Dgd/foP7/
!
clock timezone WST 8
errdisable recovery cause link-flap
errdisable recovery interval 60
ip subnet-zero
!
udld aggressive

!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
macro global description cisco-global
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
 description to L3SW01
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.50.14 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.50.11
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server contact Test
!
line con 0
line vty 0 4
 password CISCO
 login
line vty 5 15
 password CISCO
 login
!
!
end

L2SW04#
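Two things a practitioner would look at here, written out as an added example rather than as part of the thread. First, the symptom (the core pings the ASA, but a host behind the core, here the 2950's management address 192.168.50.14 in VLAN 1, does not) is what you see when the ASA has no route back to that subnet: the echo reply leaves via the ASA's default route instead of the inside /30, while the core's own pings work because they are sourced from the directly connected 192.168.99.1. The ASA configuration was not posted, so this is the most likely cause rather than a confirmed one, and the fix is on the ASA, not the 2950. Second, the posted switch config carries an RW SNMP community "private", plaintext vty passwords with no source restriction, and the HTTP server enabled; the hardening lines close those. Interface addresses are the asker's; the management ACL, the replacement community string and the local account are assumptions.

```ios
! ===== ASA 5510: return routes for every subnet behind the core =====
! (assumes the inside interface is 192.168.99.2/30 and the core's
!  routed port is 192.168.99.1, as the asker configured)
route inside 192.168.50.0  255.255.255.0 192.168.99.1
route inside 192.168.100.0 255.255.255.0 192.168.99.1
route inside 192.168.10.0  255.255.255.0 192.168.99.1
route inside 192.168.20.0  255.255.255.0 192.168.99.1
route inside 192.168.30.0  255.255.255.0 192.168.99.1
! Verify on the ASA: "show route" must list 192.168.50.0/24 via
! 192.168.99.1, then "ping inside 192.168.50.14" should answer.

! ===== Core L3SW01: the 2950's gateway and the default route =====
! L2SW04 uses 192.168.50.11 as ip default-gateway, so the core must
! own that address on its VLAN 1 SVI and know the way out.
interface Vlan1
 ip address 192.168.50.11 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.99.2

! ===== L2SW04 (2950): hardening of the posted running config =====
! "private" RW lets anyone who can reach 192.168.50.14 rewrite the
! switch configuration over SNMP; "public" RO exposes the topology.
no snmp-server community public RO
no snmp-server community private RW
access-list 10 permit 192.168.50.0 0.0.0.255
snmp-server community Zq7-readonly RO 10
!
! Store line passwords obfuscated rather than in the clear.
service password-encryption
!
! No web management on a console/telnet-managed switch.
no ip http server
!
! Limit remote login to the management subnet and use a local account
! instead of the shared "CISCO" line password.  If the running image
! supports SSH, generate an RSA key and add "transport input ssh".
! (use "password" in place of "secret" if this image rejects it)
username netadmin secret Str0ng-L0cal-Pass
line vty 0 15
 access-class 10 in
 login local
 exec-timeout 10 0
```

After the ASA routes are in place, repeat the failing test from the 2950 ("ping 192.168.99.2"); if it still times out, "show route" on the ASA and "show ip route" on the core are the two outputs that localise the problem. Internet browsing from VLAN100 additionally needs the ASA's NAT rules to include 192.168.100.0/24 and the other VLAN subnets.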