kingcastle
asked on
Vlans and Inter Vlan Routing
Hi
Ok so here's my setup: I have a small network of around 70 PCs and 6 servers, some network printers and a SonicWall firewall that acts as my gateway for internet access and site-to-site VPNs for users.
Now I have a dept that I would like to segregate from the LAN. I still want this segment to access my servers and use the SonicWall for internet and VPN traffic.
I have thought of using a VLAN to do this, so in my simple view all I need to do is:
1) create a VLAN on my Cisco switch
2) assign all the devices I want to segregate to ports in that VLAN
3) buy a Cisco router and configure inter-VLAN routing so the VLAN can talk to my own LAN
Now this is where I have the problem:
1) obviously my two networks are now on different subnets; how does the new VLAN access the internet?
2) how will the VLAN subnet get access to VPN tunnels like they do now on the main LAN?
3) how will the new VLAN get IP addresses from my Windows DHCP server as they do currently under the single LAN?
4) I have everything on a gig network; if I add a 100MB connection router into the mix for VLAN routing, will this slow the network communication down any?
5)
How the second LAN will get its internet is by using the subinterface created on the SonicWall (assuming it's able). For example:
Subinterface A: IP 192.x.2.1, mask 255.255.255.0
Subinterface B: IP 192.x.3.1, mask 255.255.255.0
Host on subinterface A: IP 192.x.2.x, mask 255.255.255.0, default gateway 192.x.2.1
Host on subinterface B: IP 192.x.3.x, mask 255.255.255.0, default gateway 192.x.3.1
With this setup the two LANs are segmented and you can control the traffic between the two with the zones/firewall of the SonicWall.
Hope that helps
ASKER
Ah I see, excellent answer. So, to clarify:
I fancied using a Cisco 2600 router for this VLAN routing; I just wanted to keep all the switches/VLANs on Cisco kit. Will this cause me any problems?
So I won't have to change anything on my main LAN IP-wise? I mean I can leave those users happily working away; it's just the VLAN users whose IPs will change?
If this is the case, and currently my SonicWall Pro2040 is the internet gateway for all devices, when the VLAN IP range changes and I point VLAN users to the new IP and default gateway that was created on the subinterface on the Cisco router, how do these PCs get to the internet/VPN?
If I use the Cisco, do I need to configure RIP routing on the router, or is simply creating the subinterfaces enough?
Cheers
I think I am a little confused on your network design.
My thought was:
INTERNET <--------------> PUBLIC IP [Sonicwall] LAN IP <-----------> Hosts
Please clarify so I don't give a more confusing network layout.
Thanks!
ASKER CERTIFIED SOLUTION
ASKER
Ok, brilliant answer, and to clarify, the network is as follows:
internet ------ public IP SonicWall --- LAN hosts
Now what I want is:
internet ---- public IP SonicWall ------ existing LAN, no changes
new VLAN
interconnected via the purchased Cisco 2600 router. My understanding is that the newly created VLAN PCs will have to use the subinterface of the 2600 as their default gateway. Where does that leave me in terms of getting that VLAN internet access/VPN access? I mean, do I still need the subinterface on the SonicWall and then somehow route traffic for the web/VPN from the 2600 to the SonicWall?
Also, if you would stay away from the 192 range, what would you suggest?
Cheers
I like to use the 172.x.x.x range or the 10.x.x.x range. You can use 192.168.x.x if you like, but I would stay away from 192.168.1.x - 192.168.20.x.
Here are the private addresses available to use:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
In my suggested scenario you will not need a Cisco router; the SonicWall will do all your routing for you. What you will need is a switch environment that supports VLANs. Adding a Cisco router would only make your environment more (and unnecessarily) complex.
What brand/model switches do you have?
KMC
ASKER
We have all Cisco switches and already got the router to do this job, so the boss wants it in the loop.
Any ideas?
Cheers
What is it that your boss is looking to get out of the Cisco router? You have the hardware you need to get the job done. All of your Cisco switches can support the VLANs that you want; be sure to bone up on VTP and get that set up to make easy work of VLANs.
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
If your boss wants the router in the mix, I would power it up and let him look at the lights on it... honestly, your environment doesn't need it.
If I were going to add any complexity, I would get a core Cisco switch and do your routing there, but that is only something I would do if I were going to be a 1000-plus node environment.
Sorry you're getting pushback from the higher-ups...
Good luck.
KMC
If your boss really wants a Cisco router in place, I would recommend replacing your Pro2040 with an ASA 5510 or ASA 5520...
ASKER
Do you use the 172.x.x range with the default subnet, i.e. 255.255.0.0?
ASKER
I think the boss just wants the Cisco doing the VLAN routing and the SonicWall doing the internet/VPNs.
You can use your Cisco router as the internal router, but it is WAY overkill.
I'm afraid that I don't know the correct commands to create the interfaces and VLANs on the Cisco router.
Do you have a 3750 or a core switch?
If you have a Layer 3 switch, that could do your routing if your boss doesn't want the SonicWall doing the routing.
Just curious, does your boss have any LAN/WAN experience?
KMC
The second network will route through the SonicWall to the internet just as it does now, except from a different network.
You will have to allow access from your VPN zone to the desired subnets/VLANs (you will add the new subnet/VLAN to the address object group).
The only thing I don't do with this scenario is route DHCP requests, but I believe all you will have to do is either create a DHCP scope for the second LAN on the SonicWall device, or create another scope on your server and allow DHCP requests/traffic between the server on LAN A and all hosts on LAN B.
You won't need to add a 100Mb router, so don't sweat that. Even if you did, I have over 800 hosts and still only hover around 25Mb direct to my firewall; I don't have any client/server connection that uses more than 100Mb even though it's available. Now server/server is another story.
Hope that helps.
KMC
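The switch-side piece of the design KMC describes (SonicWall holds the VLAN subinterfaces and does the routing, the Cisco switches just carry the VLANs, DHCP is relayed to the Windows server), written out as an added example; this is not configuration posted by anyone in the thread. The VLAN ID 20, the subnets 10.10.0.0/24 and 10.20.0.0/24, the port ranges and the DHCP server address 10.10.0.25 are assumed values, and the existing LAN is left untagged in VLAN 1 so its hosts keep their current addresses.

```cisco
! Added example, not from the thread. VLAN ID, subnets, port numbers and
! the DHCP server address are assumed values chosen for illustration.
!
! The existing LAN stays untagged in VLAN 1; only the new VLAN is created.
vlan 20
 name SEGREGATED-DEPT
!
! Ports of the department being segregated become access ports in VLAN 20.
interface range FastEthernet0/1 - 12
 description Segregated department
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink to the SonicWall LAN port: an 802.1Q trunk carrying VLAN 1 untagged
! (native) and VLAN 20 tagged. The SonicWall needs a matching VLAN 20
! subinterface (e.g. 10.20.0.1/24) that becomes the default gateway of the
! VLAN 20 hosts; traffic between the two subnets is then subject to the
! SonicWall zone rules, which is where the segregation is enforced.
interface GigabitEthernet0/1
 description Trunk to SonicWall X0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
!
! "switchport trunk encapsulation dot1q" is required on 3560/3750-class
! switches and is rejected on 2960-class switches (802.1Q only); drop it there.
!
! Variant: if a Layer 3 switch such as a 3750 does the routing instead of
! the SonicWall, a VLAN interface plus a helper address relays VLAN 20 DHCP
! broadcasts to the Windows DHCP server in the existing LAN, which then
! needs a second scope for 10.20.0.0/24:
! interface Vlan20
!  ip address 10.20.0.1 255.255.255.0
!  ip helper-address 10.10.0.25
! ip routing
```

On the SonicWall the matching pieces are the VLAN 20 subinterface on the LAN port, a DHCP relay (IP Helper) entry pointing at the Windows DHCP server, and the zone/address-object rules between the two subnets and the VPN zone, all of which are set in the SonicWall GUI rather than in this switch configuration.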