• Status: Solved

VLAN configuration

Hi,
     We have 4 nos. of 2960s on the second floor, 2 nos. on side A and 2 nos. on side B. We have one 3560 on the third floor with a Fortigate firewall and a 3800 router. The router is for Internet and point-to-point connection. We want to set up some 16 VLANs: 15 for depts and one VLAN for the server farm at the third floor (5 servers connected to the 3560). All the depts should access the server.
 There are three common network printers accessible by all. Let me know the exact configuration for all switches. I am trying with a network simulator but couldn't find any (tried with GNS3 and Netsim but not able to simulate).

Find the attached existing diagram.



VLAN.png
2 Solutions
 
dinagaran2000 (Author) commented:
As of now there is no VLAN, so all are in the 10 network. We are going to maintain the 10 network for servers alone (connected to the 3560). The rest of the systems are going to be introduced in 192.168.x.x. Need to plan accordingly.
 
harbor235 commented:

What is your question?

harbor235 ;}
 
SIM50 commented:
1. Create VLANs in the database.

vlan 2
 name trunk
vlan 3
 name dept1
vlan 4
 name dept2
etc.

All switches need to have the same vlans database.

2. Connect switches together and configure trunk ports. Trunk ports should be in their own native vlan. That vlan shouldn't be used for anything else.

on 3560:
interface FastEthernet0/1
 description trunk to 2960A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1-1000
 switchport mode trunk
 speed 100
 duplex full

on 2960:

interface FastEthernet0/48
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1-1000
 switchport mode trunk
 speed 100
 duplex full

3. If you want to route between VLANs, you need to enable routing and create VLAN interfaces on the 3560.

ip routing
interface Vlan3
 description dept3
 ip address 192.168.3.254 255.255.255.0

4. Assign interfaces to VLANs.

interface FastEthernet0/2
 switchport access vlan 3

 
dinagaran2000 (Author) commented:
Hi SIM50,

Is point 1 on all 2960s? What about point no. 4? Is it on all 2960s?

Can't we have all VLANs in the 3560 and push them to all?
VLAN-with-Trunking.png
 
SIM50 commented:
You can configure VTP (VLAN Trunking Protocol) to propagate VLAN information to the other switches. Here is the link: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swvtp.html
Basically, put the 3560 in server mode and the 2960s in client mode. The VTP domain needs to be the same on all the switches. Prior to configuring VTP, you need to configure trunk ports, as VTP travels only through trunk links.

Let's say you want to add your 5 servers to VLAN 15. Identify the ports on a switch where they are connected and add them to VLAN 15. For example, they are connected to ports 1 through 5.

conf t
interface range fa0/1 - 5
 switchport access vlan 15

 
 
SIM50 commented:
Did you create virtual interfaces for VLANs? It is step 3 from my first post. If you have a multi-layer switch, let the switch do the routing instead of the firewall. For each VLAN you created, set its default gateway to be the corresponding virtual interface. On the 3560, set the default route to point to your firewall:

ip route 0.0.0.0 0.0.0.0 10.10.2.10

For example, take VLAN 7.

interface Vlan7
 description OP
 ip address 10.10.7.254 255.255.255.0

After you assign ports for PC6 and PC12 to VLAN 7, change the default gateway on those PCs to 10.10.7.254.
 
dinagaran2000 (Author) commented:
Hi SIM50,

     Should the VLAN IP and the interface IP be in the same network? Right? Systems in VLAN 7 are assigned 10.10.2.10 and 10.10.2.11. When I created interface Vlan7 at the 3560 and assigned it 10.10.7.254 it is not working. Instead, assigned with 10.10.2.200, it is working. Thanks. But the problem is I am having 10 VLANs in the same network of 10.10.2.x and 5 VLANs in the same network of 172.16.16.x. When I created interfaces for individual VLANs, e.g. the interface for VLAN 6 with the IP 10.10.2.254 at the 3560, it says 10.10.2.0 overlaps with VLAN 7.

Any suggestions?
 
Marius Gunnerud (Senior Systems Engineer) commented:
You will need to change the subnet. Right now, from the looks of things, you are using 255.255.255.0 as the subnet?

You will need to state how many users there will be on each network, and what the possibility for growth is in the next 5 years.

Please let us know the exact number of users per VLAN and what the expected user growth is for the next 5 to 10 years.
 
dinagaran2000 (Author) commented:
VLAN 14 (server, will be on the 3560) and VLAN 15 should be accessible by all PCs.
 
vlan5-pcs.xlsx
 
Marius Gunnerud (Senior Systems Engineer) commented:
Which VLANs belong to the 10.10.2.x network and which belong to the 172.16.16.x network? You may need to rethink your IP addressing scheme.
 
dinagaran2000 (Author) commented:
Sorry MAG03 and SIM50,

          Correction please...

           Only the server VLAN (14) will be on 10.10.2.x; up to VLAN 10 it will be 172.16.16.x.
VLANs 11, 12, 13 will be on 192.168.168.x.

What about the network printer VLAN? It is on VLAN 15.

Thanks
 
dinagaran2000 (Author) commented:
Hi Guys,
 
   My friend says that Private VLAN is the best solution for the above scenario. I am not used to that.

Any suggestions?

 
SIM50 commented:
I am sorry but I am a bit at loss of what you are trying to do. Can you please elaborate?
Also, if you don't mind, please take a look at this link: http://www.petri.co.il/csc_setup_a_vlan_on_a_cisco_switch.htm
 
Marius Gunnerud (Senior Systems Engineer) commented:
Well, you don't need private VLANs to configure the same subnet in different VLANs, as VLANs work at layer 2. And you could set up proxy ARP on the router to help route traffic between the similar networks, but then you cannot have the same IP address configured on both networks. Things can become quite irritating to troubleshoot and document, not to mention having to remember what addresses are in use and which are not. I do not recommend doing this.

The problem now is that for VLANs 1 - 10 the expected users require more IP addresses than the 172.16.16.x network will be able to offer (254 available for lease but 288 required). So that network will need to be changed to 172.16.x.x to be able to support the amount of IPs required. Keep in mind that the current number of users can be supported on the 172.16.16.x network. So this can be set up with the understanding that it will need to be changed in the future. This is why subnetting will be needed.

Is there a reason why you must use 172.16.16.x, or are you in a position to amend this?

Could you also elaborate on what subnets need to access each other?
 
dinagaran2000 (Author) commented:
Hi SIM50,

     To recall, we have 4 nos. of 2960s and one 3560 switch connected with each other. The 3560 switch is connected to the firewall, and the firewall to the ROUTER for outside. This setup is working well. All are in the 10.10.2.x network. Now we are trying to set up 15 VLANs with three networks: Server (10.10.2.x), and for the users, network 172.16.16.x and 192.168.168.x. We want all users to access the Server. Users should not communicate with each other's VLANs. We want to position 4 nos. of network printers.

Can you recollect now?
 
dinagaran2000 (Author) commented:
Hi MAG03,

    Network will not be the issue. We need three networks: two for users and one for SERVERS. Existing 10.10.2.x will be retained for the Server VLAN.

To recall, we have 4 nos. of 2960s and one 3560 switch connected with each other. The 3560 switch is connected to the firewall, and the firewall to the ROUTER for outside. This setup is working well when all are in the same 10.10.2.x network. Now we are trying to set up 15 VLANs with three networks: Server (10.10.2.x), and for the users, network 172.16.16.x and 192.168.168.x. We want all users to access the Server. Users should not communicate with each other's VLANs. We want to position 4 nos. of network printers.

Is it clear please?

 
Marius Gunnerud (Senior Systems Engineer) commented:
Well, to set up the network for future users you would need to use 172.16.0.0 255.255.255.0, where the 3rd octet will increase by 1, for example 172.16.1.0, 172.16.2.0, etc. This way the subnet will remain constant. If you don't mind the subnet changing then you could do the following.

VLANs 2, 3, 8, 10 use 172.16.16.0 255.255.255.240

VLANs 1, 4, 5, 6, 7, 9 use 172.16.17.0 255.255.255.224

VLANs 11, 12, 13 use 192.168.168.0 255.255.255.192

VLAN 14 uses 10.10.2.0 255.255.255.224

VLAN 15 uses 10.10.2.32 255.255.255.224

You could then use EIGRP or RIP for routing and then configure ACLs on the VLANs to restrict access.
 
Marius Gunnerud (Senior Systems Engineer) commented:
If you want to use the same address range for several VLANs you will need to implement NAT in order to sort out the routing issue to common devices.
 
dinagaran2000 (Author) commented:
Hi Team,

     Sorry, I was on vacation. Thanks for the support. Finally 90% of the solution reached.

In 3560:
VTP domain
15 VLANs created with different networks.
SERVER VLAN not created (since server, FW and router are in the same network and we didn't change).
Trunk created.
INTERFACE for all VLANs created.

(ACL is pending, planning for future)

In 2960:
VTP client
Port assigned.

NOW it is working. To take a copy of config, VLAN.DAT in all switches will be okay?
Thanks.
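As an added example (not from SIM50, MAG03 or the asker), here is how the pieces of this thread fit together on the 3560: SIM50's VTP server, SVIs and default route, MAG03's addressing plan from the earlier post, and the ACL the final post leaves pending, written to enforce the policy the asker stated (every user VLAN reaches server VLAN 14 and printer VLAN 15, user VLANs do not reach each other). The VTP domain name, the gateway addresses, the ACL name and the choice of VLANs 3 and 11 as the shown user VLANs are assumptions.

```text
! Added example, not from any post in this thread. Assumed: VTP domain name
! FLOORS, gateway = last usable address of each subnet, ACL name USERS-IN.
! Only user VLANs 3 and 11 are shown; repeat the SVI block for each user VLAN.
ip routing
!
! VTP server; the 2960s run "vtp mode client" with the same domain and password.
! The password keeps an unmanaged switch with a higher revision from overwriting vlan.dat.
vtp domain FLOORS
vtp mode server
vtp password VTP-SECRET-PLACEHOLDER
!
! User SVI: second /28 carved from 172.16.16.0 in the plan (VLAN 3 is listed second)
interface Vlan3
 description dept1
 ip address 172.16.16.30 255.255.255.240
 ip access-group USERS-IN in
!
! User SVI: first /26 carved from 192.168.168.0 in the plan
interface Vlan11
 description dept11
 ip address 192.168.168.62 255.255.255.192
 ip access-group USERS-IN in
!
! Server and printer SVIs: no ACL here, filtering happens where user traffic enters
interface Vlan14
 description servers
 ip address 10.10.2.30 255.255.255.224
!
interface Vlan15
 description printers
 ip address 10.10.2.62 255.255.255.224
!
! One ACL, applied inbound on every user SVI:
!  10.10.2.0/26 covers VLAN 14 and VLAN 15 (servers and printers): allowed
!  172.16.16.0/23 covers every /28 and /27 user subnet in 172.16.16.x and 172.16.17.x: denied
!  192.168.168.0/24 covers the three /26 user subnets: denied
!  anything else (Internet via the firewall) is allowed
ip access-list extended USERS-IN
 permit ip any 10.10.2.0 0.0.0.63
 deny   ip any 172.16.16.0 0.0.1.255
 deny   ip any 192.168.168.0 0.0.0.255
 permit ip any any
!
! Default route to the firewall address given in SIM50's post
ip route 0.0.0.0 0.0.0.0 10.10.2.10
```

If the servers stay in the untagged 10.10.2.0/24 as in the final post, widen the first permit to 10.10.2.0 0.0.0.255; the rest of the list is unchanged.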
 
dinagaran2000 (Author) commented:
Great.