• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 698

How to reconfigure Cisco 3560 switch to avoid using VLAN 1

Hello, Experts,

I have a Cisco network that is currently split into two functional VLANs... VLAN 1 is everything data, and VLAN 2 is my phone network.  I have attached the configuration of the switch as it is right now, and it looks like it was set up with all the ports in trunk mode... not how I want it to be.

We are making some changes to our organization and we now have the need to separate the data networks into 3 pieces (while still sharing the Internet, the phones, and some printers)... So, I envision it working something like this... (please tell me if I am off track. And I will need some help configuring it)

CURRENT:
Data Network 1 = VLAN 1 (10.1.75.x/24)
Voice Network = VLAN 2 (10.1.68.x/24)

NEED TO GET TO:
Data Network 1 = VLAN 75 (10.1.75.x/24)
Voice Network = VLAN 2 (10.1.68.x/24)
Data Network 2 = VLAN 76 (10.1.76.x/24)
Data Network 3 = VLAN 77 (10.1.77.x/24)

The phones will still need to be available on each port (the phone system is shared and there is only one drop in each office, so they are using the phones as switches for the workstations).

The 3 data networks will need to be segmented, but will still have the same connection to the Internet (or Router), and will also share access to Printers.

The ports that will be configured for each network are as follows:

Data Network 1 = Everything except the ports listed below...
Data Network 2 = 0/5, 0/13, 0/16, 0/25, 0/32, 0/33, 0/34
Data Network 3 = 0/17, 0/19, 0/21, 0/22
Printers = 0/18, 0/42 (I am not sure how we need to configure these)


Any help in getting me started is greatly appreciated...
I just need a jump start getting the VLANs separated (but available to shared devices and phones) and moving everything off of VLAN 1.

Thank you.


Attachment: EE-Example.doc

Asked by infinitybs

2 Solutions
QuoriCommented:
Just to make sure I understand your requirement:

Devices on DN1 cannot communicate with devices on DN2, nor 2->1?

If the phones need to be available on every port, and you've only got one drop (thus using the phone as a switch), then you need to extend a trunk out to the phone so it can add the VLAN ID into the packet and the phone ends up on its own VLAN.

If you do intend to offer no reachability between data networks then you should put the printers on their own VLAN.
lanboyoCommented:
If you have PCs on the ports beyond the phones, they are set up as trunks for that reason. When you configure a voice and data VLAN on a switch, Cisco is really doing 802.1Q trunking to keep the voice and phones separate. Additionally, you may need to keep the user or phone VLAN as the native VLAN, depending on how the phone is set up.
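As an added example (not a configuration from any poster in this thread), here is what the "phone as a switch" setup that Quori and lanboyo describe looks like on a 3560, using the VLAN numbers and port lists from the question: each desk port stays an access port on its data VLAN, `switchport voice vlan 2` tells the phone to tag only its own traffic, printers get their own VLAN as Quori suggests, and the uplink trunk carries just the VLANs in use with VLAN 1 excluded. VLAN 78 (printers), VLAN 999 (unused native VLAN) and the uplink port name are assumptions.

```cisco
! Added example, not from the thread: 3560 port roles for the plan in the question.
! Desk ports are access ports; "switchport voice vlan" makes the phone tag its own
! frames with VLAN 2 and pass the PC's frames untagged on the data VLAN, so no full
! trunk (and no view of every VLAN) reaches the desk.
vlan 2
 name voice
vlan 75
 name data1
vlan 76
 name data2
vlan 77
 name data3
! VLAN 78 is an assumed number for the shared printer VLAN Quori suggests
vlan 78
 name printers
! VLAN 999 is an assumed, otherwise unused native VLAN so untagged frames never land on VLAN 1
vlan 999
 name native-unused
!
! Data Network 2 ports from the question
interface range FastEthernet0/5 , FastEthernet0/13 , FastEthernet0/16 , FastEthernet0/25 , FastEthernet0/32 - 34
 description Data Network 2 (phone + PC)
 switchport mode access
 switchport access vlan 76
 switchport voice vlan 2
 spanning-tree portfast
!
interface range FastEthernet0/17 , FastEthernet0/19 , FastEthernet0/21 - 22
 description Data Network 3 (phone + PC)
 switchport mode access
 switchport access vlan 77
 switchport voice vlan 2
 spanning-tree portfast
!
! Data Network 1: every remaining desk port gets the same template with "switchport access vlan 75"
!
interface range FastEthernet0/18 , FastEthernet0/42
 description shared printers (no phone)
 switchport mode access
 switchport access vlan 78
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink to the router: only the VLANs in use, VLAN 1 not allowed
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,75-78
 switchport mode trunk
```

Keeping the desk ports in access mode is what stops a workstation from seeing the other tenants' VLANs; the allowed-VLAN list on the uplink is what Quori means by deciding which VLANs the trunk carries.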
infinitybsAuthor Commented:
Quori and lanboyo....
Thank you for your responses.

Okay, so I understand that the ports need to be configured on the switch as trunks because I am sharing the phone system.... and that no matter what VLANs I create, the devices plugged into the phones will be able to see all VLANs... Can I specify certain VLANs to be seen on the trunk port?

Let me take a step back,
Essentially, what has happened is - two new companies have subleased space in the building. We want to provide them secure networks, and security for our own network, but we want to share some resources....

Is there a way to set this up? If the phones are effectively trunks, then is it even plausible to segment this network?  Can I segment the voice network too (but still have all the phones reporting back to one entity)?

Do those questions make sense?

Thanks.
KvChaosCommented:
You can define which VLAN is allowed in the trunk.
Hence, if you want to create office A and office B which can't access one another but have shared resources, then perhaps you want a total of 3 VLANs?
qf3l3kCommented:
You might want to have a look at this document:
http://www.baysidemedia.com/ShoreTel/best_practices_vlan.pdf

A quick 7-page guide on how to deal with voice/data VLANs.

As it comes from a VoIP systems provider, it might show how to resolve your issue and network design. At the end of the document you can find a simple switch configuration with a few VLANs on it.
infinitybsAuthor Commented:
Still having trouble....

I've configured the VLANs I want to use

interface Vlan2
 description voice network
 ip address 10.1.68.2 255.255.255.0
interface Vlan11
 description data network 1
 ip address 10.1.74.250 255.255.255.0
interface Vlan12
 description data network 2
 ip address 10.1.76.250 255.255.255.0
interface Vlan13
 description data network 3
 ip address 10.1.77.250 255.255.255.0
interface Vlan14
 description shared resources
 ip address 10.1.75.250 255.255.255.0

And I have assigned DHCP pools for the 3 data networks
ip dhcp pool dn1
   network 10.1.74.0 255.255.255.0
   default-router 10.1.74.250
   dns-server 10.1.75.254 10.1.1.20
!
ip dhcp pool dn2
   network 10.1.76.0 255.255.255.0
   default-router 10.1.76.250
   dns-server 10.1.75.254 10.1.1.20
!
ip dhcp pool dn3
   network 10.1.77.0 255.255.255.0
   default-router 10.1.77.250
   dns-server 10.1.75.254 10.1.1.20

-------
I am able to get DHCP on my workstation, but cannot get across the network -- I can only get to the individual VLAN IP addresses (the .250's I have listed above), but cannot get to my DNS server, which I am using as a shared resource on VLAN 14.

Here is what my laptop's port looks like...
!
interface FastEthernet0/27
 description DN3 Phone-Data
 switchport access vlan 13
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 13
 switchport trunk allowed vlan 2,13-14
 switchport mode trunk
 switchport voice vlan 2
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
!

And here is the server....
!
interface FastEthernet0/5
 description Connection to Server
 switchport access vlan 14
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 14
 switchport trunk allowed vlan 2,11-14
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 mls qos trust cos
 auto qos voip trust
!


Any ideas about what I could be missing? It feels like a routing issue now, given that I can ping all the VLAN management IPs but nothing on the other "allowed" VLANs....

Thanks.
QuoriCommented:
enable
conf t
ip routing
KvChaosCommented:
I see trunk and access on the same port, which looks very wrong...
A trunk port is set on ports that are connected to other networking devices.
The port that is connected to your laptop should be an access port.
infinitybsAuthor Commented:
KvChaos,

That's probably it.... I'll try it again this morning and ensure that they are all just trunk ports (they will need to be, since they all have PCs and phones sharing each drop).

I will let you know how that works for me.

Thanks.
infinitybsAuthor Commented:
Didn't work.

I removed the references to Access on the port and got the same exact results.

How would you guys set this up?

Current network:
VLAN 1 (everything data)
VLAN 2 (Voice)

New network:
(Adding two new entities that need to share the phone systems and internet, but want to secure their networks from one another)

Thanks.

infinitybsAuthor Commented:
I think I'm getting it now.... one port works.... I will continue to push the changes through the network.

It was a routing problem.... my router needed to be my default-router in my DHCP pools.... so I had to set up sub-interfaces on its connection to the LAN and configure those sub-interfaces to be part of their respective VLANs.

I will update with a new config when I get it working.
Thanks!
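A worked version of that fix as an added example (not the author's posted configuration): the router's LAN interface gets one dot1Q sub-interface per VLAN at the .250 address the author's DHCP pools hand out as default-router, and an inbound ACL on each data sub-interface keeps the three data VLANs apart while leaving the shared VLAN 14 and the Internet reachable. The interface name GigabitEthernet0/0 and the ACL names are assumptions, as is that the switch SVIs have been moved off .250 so the router owns that address; the voice VLAN is left as it is.

```cisco
! Added example: router-on-a-stick for the author's final VLAN plan.
! Interface name and ACL names are assumed; addresses and VLAN numbers are the author's.
interface GigabitEthernet0/0
 description dot1q trunk from the 3560 (switch side allows vlan 11-14)
 no ip address
!
interface GigabitEthernet0/0.11
 description Data network 1
 encapsulation dot1Q 11
 ip address 10.1.74.250 255.255.255.0
 ip access-group DN1-IN in
!
interface GigabitEthernet0/0.12
 description Data network 2
 encapsulation dot1Q 12
 ip address 10.1.76.250 255.255.255.0
 ip access-group DN2-IN in
!
interface GigabitEthernet0/0.13
 description Data network 3
 encapsulation dot1Q 13
 ip address 10.1.77.250 255.255.255.0
 ip access-group DN3-IN in
!
interface GigabitEthernet0/0.14
 description Shared resources (DNS 10.1.75.254, printers)
 encapsulation dot1Q 14
 ip address 10.1.75.250 255.255.255.0
!
! Inbound on each data VLAN: drop traffic to the other two data subnets and
! allow everything else (VLAN 14, the Internet). Without these lists, routing
! between the sub-interfaces would forward freely between all four VLANs.
ip access-list extended DN1-IN
 deny   ip 10.1.74.0 0.0.0.255 10.1.76.0 0.0.0.255
 deny   ip 10.1.74.0 0.0.0.255 10.1.77.0 0.0.0.255
 permit ip any any
ip access-list extended DN2-IN
 deny   ip 10.1.76.0 0.0.0.255 10.1.74.0 0.0.0.255
 deny   ip 10.1.76.0 0.0.0.255 10.1.77.0 0.0.0.255
 permit ip any any
ip access-list extended DN3-IN
 deny   ip 10.1.77.0 0.0.0.255 10.1.74.0 0.0.0.255
 deny   ip 10.1.77.0 0.0.0.255 10.1.76.0 0.0.0.255
 permit ip any any
```

If the 3560 does the routing instead (Quori's `ip routing`), the same three lists attach to the Vlan11, Vlan12 and Vlan13 SVIs with the same `ip access-group ... in` command.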