
VLAN configuration

Posted on 2011-04-23
Last Modified: 2012-06-27
Hi,
     We are having 4 nos of 2960 on second floor, 2 nos on side A and 2 nos on side B. We have one 3560 on third floor with Firewall Fortigate and Router 3800. Router is for Internet and point-to-point connection. We want to set up some 16 VLANs for 15 depts and one VLAN for Server forms at third floor (5 servers connected to 3560). All the depts should access server.
 There are three common network printers accessible by all. Let me know the exact configuration for all switches. I am trying with network simulators but couldn't find any (tried with GNS3 and Netsim but not able to simulate).

Find the attached Existing Diagram.



VLAN.png
Question by:dinagaran2000
22 Comments
 

Author Comment

by:dinagaran2000
ID: 35453217
As of now no VLAN. So all are in 10 networks. We are going to maintain 10 networks for servers alone ( Connected to 3560). Rest of the systems going to introduce in 192.168.x.x. Need to plan accordingly.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 35458740

What is your question?

harbor235 ;}
0
 
LVL 14

Expert Comment

by:SIM50
ID: 35460814
1. Create VLANs in the database.
vlan 2
name trunk
vlan 3
name dept1
vlan 4
name dept2
and so on.

All switches need to have the same vlans database.

2. Connect switches together and configure trunk ports. Trunk ports should be in their own native vlan. That vlan shouldn't be used for anything else.

on 3560:
interface FastEthernet0/1
 description trunk to 2960A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1-1000
 switchport mode trunk
 speed 100
 duplex full

on 2960:

interface FastEthernet0/48
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1-1000
 switchport mode trunk
 speed 100
 duplex full

3. If you want to route between VLANs, you need to enable routing and create VLAN interfaces on 3560.
ip routing
int vlan 3
description dept3
ip address 192.168.3.254 255.255.255.0

4. Assign interfaces to VLANs.
interface FastEthernet0/2
 switchport access vlan 3


0
 
LVL 14

Expert Comment

by:SIM50
ID: 35460829
0
 

Author Comment

by:dinagaran2000
ID: 35464874
Hi SIM50,

Point 1 is on all 2960? What about point no. 4? Is it on all 2960?

Can't we have all VLANs in 3560 and push it to all?
VLAN-with-Trunking.png
0
 
LVL 14

Accepted Solution

by:
SIM50 earned 1200 total points
ID: 35466639
You can configure VTP (VLAN Trunking Protocol) to propagate VLAN information to the other switches. Here is the link: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swvtp.html
Basically, put 3560 in a server mode and 2960's in client modes. VTP domain needs to be the same on all the switches. Prior to configuring VTP, you need to configure trunk ports as VTP travels only through trunk links.

Let's say you want to add your 5 servers to VLAN 15. Identify the ports on a switch where they are connected and add them to VLAN 15. For example, they are connected to ports 1 through 5.

conf t
int range fa0/1 - 5
switchport access vlan 15



0
 

Author Comment

by:dinagaran2000
ID: 35475374
0
 
LVL 14

Expert Comment

by:SIM50
ID: 35475750
Did you create virtual interfaces for VLANs? It is step 3 from my first post. If you have a multi-layer switch, let the switch do the routing instead of the firewall. For each VLAN you created, set its default gateway to be the corresponding virtual interface. On 3560, set the default route to point to your firewall:
ip route 0.0.0.0 0.0.0.0 10.10.2.10

For example, take VLAN 7.
int vlan 7
description OP
ip address 10.10.7.254 255.255.255.0

After you assign ports for PC6 and 12 to VLAN 7, change default gateway on those PCs to 10.10.7.254.
0
 

Author Comment

by:dinagaran2000
ID: 35481876
Hi SIM50,

     VLAN IP and interface IP should be in the same network, right? Systems in VLAN 7 assigned with 10.10.2.10 and 10.10.2.11. When I created interface Vlan7 at 3560 and assigned with 10.10.7.254 it is not working. Instead assigned with 10.10.2.200 it is working. Thanks. But the problem is I am having 10 VLANs in the same network of 10.10.2.x and 5 VLANs in the same network of 172.16.16.x. When I created interfaces for individual VLANs, e.g. interface for VLAN 6 in the IP 10.10.2.254 at 3560, it says 10.10.2.0 overlaps with vlan 7.

Any suggestions?
0
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 35482115
You will need to change the subnet. Right now from the looks of things is that you are using 255.255.255.0 as the subnet?

You will need to state how many users there will be on each network, and what is the possibility for growth in the next 5 years.

Please let us know the exact number of users per vlan and what is the expected user growth for the next 5 to 10 years.
0
 

Author Comment

by:dinagaran2000
ID: 35483934
VLAN 14 [(server) will be on 3560] and VLAN 15 should be accessible by all PCs.
 
vlan5-pcs.xlsx
0
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 35484259
Which VLANs belong to the 10.10.2.x network and which belong to the 172.16.16.x network? You may need to rethink your IP addressing scheme.
0
 

Author Comment

by:dinagaran2000
ID: 35484851
Sorry MAG03 and SIM50,

          Correction pls...

           Only the server VLAN (14) will be on 10.10.2.x. Up to VLAN 10 it will be 172.16.16.x.
VLAN 11, 12, 13 will be on 192.168.168.x.

What about Network Printer VLAN? It is on VLAN 15.

Thanks
0
 

Author Comment

by:dinagaran2000
ID: 35485252
Hi Guys,
 
   My friend says that Private VLAN is the best solution for the above scenario. I am not used to that.

Any suggestions?

0
 
LVL 14

Expert Comment

by:SIM50
ID: 35486801
I am sorry but I am a bit at a loss as to what you are trying to do. Can you please elaborate?
Also, if you don't mind, please take a look at this link: http://www.petri.co.il/csc_setup_a_vlan_on_a_cisco_switch.htm
0
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 35488984
Well, you don't need private VLANs to configure the same subnet in different VLANs as VLANs work in layer 2. And you could set up ARP proxy on the router to help route traffic between the similar networks but then you cannot have the same IP address configured on both the networks. Things can become quite irritating to troubleshoot and document, not to mention having to remember what addresses are in use and which are not. I do not recommend doing this.

The problem now is that for VLAN 1 - 10 the expected users require more IP addresses than the 172.16.16.x network will be able to offer (254 available for lease but 288 required). So that network will need to be changed to 172.16.x.x to be able to support the amount of IPs required. Keep in mind that the current amount of users can be supported on the 172.16.16.x network. So this can be set up with the understanding that it will need to be changed in the future. This is why subnetting will be needed.

Is there a reason why you must use 172.16.16.x or are you in a position to amend this?

Could you also elaborate on what subnets need to access each other?
0
 

Author Comment

by:dinagaran2000
ID: 35489225
Hi SIM50,

     To recall, we have 4 nos of 2960 and one 3560 switch connected with each other. 3560 switch is connected to firewall, and firewall to ROUTER for outside. This setup is working well. All are in 10.10.2.x network. Now we are trying to set up 15 VLANs with three networks. Server (10.10.2.x), for Users network (172.16.16.x) and 192.168.168.x. We want all users to access Server. Users should not communicate with each other VLANs. We want to position 4 nos of Network Printers.

Can you recollect now?
0
 

Author Comment

by:dinagaran2000
ID: 35489242
Hi MAG03,

    Network will not be the issue. We need three networks, two for users and one for SERVERS. Existing 10.10.2.x will be retained or Server VLAN.

To recall, we have 4 nos of 2960 and one 3560 switch connected with each other. 3560 switch is connected to firewall, and firewall to ROUTER for outside. This setup is working well when all are in same 10.10.2.x network. Now we are trying to set up 15 VLANs with three networks. Server (10.10.2.x), for Users network (172.16.16.x) and 192.168.168.x. We want all users to access Server. Users should not communicate with each other VLANs. We want to position 4 nos of Network Printers.

Is it clear pls?


0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 800 total points
ID: 35489534
Well, to set up the network for future users you would need to use 172.16.0.0 255.255.255.0 where the 3rd octet will increase by 1, for example 172.16.1.0, 172.16.2.0, etc. This way the subnet will remain constant. If you don't mind the subnet changing then you could do the following.

VLANs 2,3,8,10 use 172.16.16.0 255.255.255.240

VLANs 1,4,5,6,7,9 use 172.16.17.0 255.255.255.224

VLANs 11,12,13 use 192.168.168.0 255.255.255.192

VLAN 14 use 10.10.2.0 255.255.255.224

VLAN 15 use 10.10.2.32 255.255.255.224

You could then use EIGRP or RIP for routing and then configure ACLs on the VLANs to restrict access.
0
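
The overlap error reported earlier in the thread and the ACL step suggested in the answer above, worked through as an added Python example that is not from any poster: it checks an addressing plan for overlapping SVI subnets and generates the inbound ACL for one department VLAN. The per-VLAN subnets, the ACL name `DEPT<n>-IN` and the function names are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (VLAN id -> SVI subnet); masks follow the answer above.
PLAN = {
    2: "172.16.16.0/28",
    3: "172.16.16.16/28",
    11: "192.168.168.0/26",
    14: "10.10.2.0/27",    # servers
    15: "10.10.2.32/27",   # network printers
}
SHARED = (14, 15)  # VLANs every department must reach


def find_overlaps(plan):
    """Return VLAN pairs whose subnets overlap; IOS rejects the second SVI."""
    nets = {v: ipaddress.ip_network(n) for v, n in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def acl_for(vlan, plan, shared=SHARED):
    """Return IOS lines for an inbound ACL on one department SVI."""
    clashes = find_overlaps(plan)
    if clashes:
        raise ValueError(f"overlapping subnets between VLANs: {clashes}")
    nets = {v: ipaddress.ip_network(n) for v, n in plan.items()}

    def spec(net):  # IOS extended ACLs take address + wildcard (host) mask
        return f"{net.network_address} {net.hostmask}"

    src = spec(nets[vlan])
    name = f"DEPT{vlan}-IN"  # hypothetical ACL name
    lines = [f"ip access-list extended {name}"]
    lines += [f" permit ip {src} {spec(nets[v])}" for v in shared]
    lines += [f" deny ip {src} {spec(nets[v])}"
              for v in sorted(nets) if v != vlan and v not in shared]
    lines.append(f" permit ip {src} any")  # everything else, e.g. Internet
    lines += [f"interface Vlan{vlan}", f" ip access-group {name} in"]
    return lines


if __name__ == "__main__":
    print("\n".join(acl_for(3, PLAN)))
```

The generated ACL only permits sources inside the VLAN's own subnet, so DHCP requests sent from 0.0.0.0 would need their own permit entry if a relay is configured on the SVI.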
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 35499491
If you want to use the same address range for several vlans you will need to implement NAT in order to sort out the routing issue to common devices.
0
 

Author Comment

by:dinagaran2000
ID: 35726551
Hi Team,

     Sorry, I was on vacation. Thanks for the support. Finally 90% of solution reached.

IN 3560
VTP domain
15 VLANs created with different NETWORK.
SERVER VLAN not created. (Since server, FW and router are in the same network and we didn't change)
Trunk created.
INTERFACE for all VLANs created

(ACL is pending, planning for future)

IN 2960
VTP Client
Port assigned.

NOW it is working. To take a copy of config VLAN.DAT in all switches will be okay?
Thanks.
0
 

Author Closing Comment

by:dinagaran2000
ID: 35726578
Great.
0
