Solved

How to reconfigure Cisco 3560 switch to avoid using VLAN 1

Posted on 2009-05-11
686 Views
Last Modified: 2012-05-06
Hello, Experts,

I have a Cisco network that is currently split into two functional VLANs... VLAN 1 is everything data, and VLAN 2 is my phone network. I have attached the configuration of the switch as it is right now, and it looks like it was set up with all the ports in trunk mode... not how I want it to be.

We are making some changes to our organization and we now have the need to separate the data networks into 3 pieces (while still sharing the Internet, the phones, and some printers)... So, I envision it working something like this... (please tell me if I am off track. And I will need some help configuring it)

CURRENT:
Data Network 1 = VLAN 1 (10.1.75.x/24)
Voice Network = VLAN 2 (10.1.68.x/24)

NEED TO GET TO:
Data Network 1 = VLAN 75 (10.1.75.x/24)
Voice Network = VLAN 2 (10.1.68.x/24)
Data Network 2 = VLAN 76 (10.1.76.x/24)
Data Network 3 = VLAN 77 (10.1.77.x/24)

The phones will still need to be available on each port (the phone system is shared and there is only one drop in each office so they are using the phones as switches for the workstations)

The 3 data networks will need to be segmented, but will still have the same connection to the Internet (or Router), and will also share access to Printers.

The ports that will be configured for each network are as follows:

Data Network 1 = Everything except the ports listed below...
Data Network 2 = 0/5, 0/13, 0/16, 0/25, 0/32, 0/33, 0/34
Data Network 3 = 0/17, 0/19, 0/21, 0/22
Printers = 0/18, 0/42 (I am not sure how we need to configure these)


Any help in getting me started is greatly appreciated...
I just need a jump start getting the VLANs separated (but available to shared devices and phones) and moving everything off of VLAN 1.

Thank you.


EE-Example.doc
Question by:infinitybs
11 Comments
 

Expert Comment

by:Quori
Just to make sure I understand your requirement:

Devices on DN1 cannot communicate with devices on DN2, nor 2->1?

If the phones need to be available on every port, and you've only got one drop, thus using the phone as a switch then you need to extend a trunk out to the phone so it can add the VLAN ID into the packet so the phone ends up on its own VLAN.

If you do intend to offer no reachability between data networks then you should put the printers on their own VLAN.

Expert Comment

by:lanboyo
If you have PCs on the ports beyond the phones, they are set up as trunks for that reason. When you configure a voice and data VLAN on a switch, Cisco is really doing 802.1q trunking to keep the voice and phones separate. Additionally, you may need to keep the user or phone VLAN as the native VLAN depending on how the phone is set up.

Author Comment

by:infinitybs
Quori and lanboyo....
Thank you for your responses.

Okay, so I understand that the ports need to be configured on the switch as trunks because I am sharing the phone system.... and that no matter what VLANs I create - the devices plugged into the phones will be able to see all VLANs... Can I specify certain VLANs to be seen on the trunk port?

Let me take a step back,
Essentially, what has happened is - two new companies have subleased space in the building. We want to provide them secure networks, and security for our own network, but we want to share some resources....

Is there a way to set this up? If the phones are effectively trunks, then is it even plausible to segment this network? Can I segment the voice network too? (but still have all the phones reporting back to one entity?)

Do those questions make sense?

Thanks.

Expert Comment

by:KvChaos
You can define which VLAN is allowed in the trunk.
Hence, if you want to create office A and office B who can't access one another, but have a shared resources, then perhaps you want a total of 3 VLANs?

Assisted Solution

by:qf3l3k
qf3l3k earned 200 total points
You might want to have a look into that document:
http://www.baysidemedia.com/ShoreTel/best_practices_vlan.pdf

Quick 7-page guide on how to deal with voice/data VLANs.

As it comes from a VoIP systems provider, it might show how to resolve your issue and network design.
At the end of the document you can find a simple switch configuration with a few VLANs on it.

Author Comment

by:infinitybs
Still having trouble....

I've configured the VLANs I want to use

Vlan 2 (voice network)
ip address 10.1.68.2
Vlan 11 (data network 1)
ip address 10.1.74.250
Vlan 12 (data network 2)
ip address 10.1.76.250
Vlan 13 (data network 3)
ip address 10.1.77.250
Vlan 14 (shared resources)
ip address 10.1.75.250

And I have assigned DHCP pools for the 3 data networks
ip dhcp pool dn1
   network 10.1.74.0 255.255.255.0
   default-router 10.1.74.250
   dns-server 10.1.75.254 10.1.1.20
!
ip dhcp pool dn2
   network 10.1.76.0 255.255.255.0
   default-router 10.1.76.250
   dns-server 10.1.75.254 10.1.1.20
!
ip dhcp pool dn3
   network 10.1.77.0 255.255.255.0
   default-router 10.1.77.250
   dns-server 10.1.75.254 10.1.1.20

-------
I am able to get DHCP on my workstation, but cannot get across the network -- I can only get to the individual VLAN IP addresses (the .250's I have listed above), but cannot get to my DNS Server I am using as a shared resource on VLAN 14.

Here is what my laptop's port looks like...
!
interface FastEthernet0/27
description DN3 Phone-Data
switchport access vlan 13
switchport trunk encapsulation dot1q
switchport trunk native vlan 13
switchport trunk allowed vlan 2,13-14
switchport mode trunk
switchport voice vlan 2
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
!

And here is the server....
!
interface FastEthernet0/5
description Connection to Server
switchport access vlan 14
switchport trunk encapsulation dot1q
switchport trunk native vlan 14
switchport trunk allowed vlan 2,11-14
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
priority-queue out
mls qos trust cos
auto qos voip trust
!


Any ideas about what I could be missing? It feels like a routing issue now. The fact that I can ping all the VLAN management IPs, but nothing on the other "allowed" VLANs....

Thanks.

Expert Comment

by:Quori
enable
conf t
ip routing

Accepted Solution

by:KvChaos
KvChaos earned 300 total points
I see trunk and access on a same port, which looks very wrong...
Trunk port is set on port(s) that are connected to other networking devices.
The port that is connected to your laptop should be an access port.

Author Comment

by:infinitybs
KvChaos,

That's probably it.... I'll try it again this morning and ensure that they are all just trunk ports (will need to be since they all have PCs and phones sharing each drop).

I will let you know how that works for me.

Thanks.

Author Comment

by:infinitybs
Didn't work.

I removed the references to Access on the port and got the same exact results.

How would you guys set this up?

Current network:
VLAN 1 (everything data)
VLAN 2 (Voice)

New network:
(Adding two new entities that need to share the phone systems and internet, but want to secure their networks from one another)

Thanks.


Author Comment

by:infinitybs
I think I'm getting it now.... one port works.... I will continue to push the changes through the network.

It was a routing problem.... my router needed to be my default-router in my DHCP pools.... so I had to set up sub-interfaces on its connection to the LAN and configure those sub-interfaces to be part of their respective VLANs.

I will update with a new config when I get it working.
Thanks!
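As an added example (written for this page, not posted by anyone in the thread), here is the design the later comments converge on: each office drop as an access port with a voice VLAN (KvChaos's point: access or trunk, never both), one dot1q trunk up to the router, router sub-interfaces as each VLAN's default gateway (the author's final fix), and an inbound ACL per tenant VLAN so the tenants cannot reach each other while still reaching the shared VLAN 14 and the Internet. Only VLAN 13 (DN3) is written out; VLANs 11, 12 and 2 follow the same pattern. The router LAN interface (FastEthernet0/0), the switch uplink port (GigabitEthernet0/1), the ACL name and the switch's .251 SVI address are assumptions.

```cisco
! --- Catalyst 3560 (Layer 2 only here; the router does the inter-VLAN routing) ---
vlan 2
 name Voice
vlan 13
 name DN3
vlan 14
 name Shared
!
! Office drop: access port plus voice VLAN (never access and trunk on the same port).
interface FastEthernet0/27
 description DN3 Phone-Data
 switchport mode access
 switchport access vlan 13
 switchport voice vlan 2
 spanning-tree portfast
!
! The switch keeps an SVI in the subnet only so its DHCP pool can answer on VLAN 13
! (.250 is now the router's gateway address, so .251 is used here - an assumption).
interface Vlan13
 ip address 10.1.77.251 255.255.255.0
!
! Uplink to the router: a real dot1q trunk carrying every VLAN (port name assumed).
interface GigabitEthernet0/1
 description Trunk to router
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,11,12,13,14
 switchport mode trunk
!
ip dhcp pool dn3
 network 10.1.77.0 255.255.255.0
 default-router 10.1.77.250
 dns-server 10.1.75.254 10.1.1.20
!
! --- Router (router-on-a-stick; LAN interface name assumed) ---
! One sub-interface per VLAN is that VLAN's default gateway.
interface FastEthernet0/0.13
 encapsulation dot1Q 13
 ip address 10.1.77.250 255.255.255.0
 ip access-group DN3-IN in
!
interface FastEthernet0/0.14
 encapsulation dot1Q 14
 ip address 10.1.75.250 255.255.255.0
!
! DN3 may reach shared VLAN 14 and anything beyond the router (Internet), not other tenants.
ip access-list extended DN3-IN
 permit ip 10.1.77.0 0.0.0.255 10.1.75.0 0.0.0.255
 deny   ip 10.1.77.0 0.0.0.255 10.1.74.0 0.0.0.255
 deny   ip 10.1.77.0 0.0.0.255 10.1.76.0 0.0.0.255
 permit ip any any
```

To check it, `show interfaces fa0/27 switchport` on the 3560 should report operational mode "static access" with voice VLAN 2, and `show interfaces trunk` should list only the uplink with VLANs 2,11-14 allowed. A DN3 host should then get a 10.1.77.x lease, ping the shared DNS server 10.1.75.254, and fail to reach any 10.1.74.x or 10.1.76.x address.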