VLAN configuration

Last Modified: 2012-06-27
Hi,
     We have 4 nos of 2960 on the second floor, 2 nos on side A and 2 nos on side B. We have one 3560 on the third floor with a Fortigate firewall and a 3800 router. The router is for Internet and point-to-point connection. We want to set up some 16 VLANs for 15 depts and one VLAN for the server farm on the third floor (5 servers connected to the 3560). All the depts should access the server.
 There are three common network printers accessible by all. Let me know the exact configuration for all switches. I am trying with a network simulator but couldn't find any (tried with GNS3 and Netsim but not able to simulate).

Find the attached existing diagram.



VLAN.png

dinagaran2000manager

Author

Commented:
As of now no VLAN. So all are in 10 networks. We are going to maintain 10 networks for servers alone (connected to the 3560). The rest of the systems are going to be introduced in 192.168.x.x. Need to plan accordingly.
CERTIFIED EXPERT

Commented:

What is your question?

harbor235 ;}

Commented:
1. Create VLANs in the database.
vlan 2
 name trunk
vlan 3
 name dept1
vlan 4
 name dept2
and so on.

All switches need to have the same VLAN database.

2. Connect switches together and configure trunk ports. Trunk ports should be in their own native vlan. That vlan shouldn't be used for anything else.

on 3560:
interface FastEthernet0/1
 description trunk to 2960A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1-1000
 switchport mode trunk
 speed 100
 duplex full

on 2960:

interface FastEthernet0/48
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1-1000
 switchport mode trunk
 speed 100
 duplex full

3. If you want to route between VLANs, you need to enable routing and create VLAN interfaces on the 3560.
ip routing
int vlan 3
 description dept3
 ip address 192.168.3.254 255.255.255.0

4. Assign interfaces to VLANs.
interface FastEthernet0/2
 switchport access vlan 3


dinagaran2000manager

Author

Commented:
Hi SIM50,

Point 1 is on all 2960? What about point no 4? Is it on all 2960?

Can't we have all VLANs in the 3560 and push them to all?
VLAN-with-Trunking.png
Commented:
Did you create virtual interfaces for VLANs? It is step 3 from my first post. If you have a multi-layer switch, let the switch do the routing instead of the firewall. For each VLAN you created, set its default gateway to be the corresponding virtual interface. On the 3560, set the default route to point to your firewall:
ip route 0.0.0.0 0.0.0.0 10.10.2.10

For example, take VLAN 7.
int vlan 7
 description OP
 ip address 10.10.7.254 255.255.255.0

After you assign ports for PC6 and 12 to VLAN 7, change the default gateway on those PCs to 10.10.7.254.
dinagaran2000manager

Author

Commented:
Hi SIM50,

     VLAN IP and interface IP should be in the same network, right? Systems in VLAN 7 are assigned 10.10.2.10 and 10.10.2.11. When I created interface Vlan7 at the 3560 and assigned it 10.10.7.254, it is not working. Instead, assigned with 10.10.2.200, it is working. Thanks. But the problem is I am having 10 VLANs in the same network of 10.10.2.x and 5 VLANs in the same network of 172.16.16.x. When I created interfaces for individual VLANs, e.g. interface for VLAN 6 with the IP 10.10.2.254 at the 3560, it says 10.10.2.0 overlaps with vlan 7.

Any suggestions?
Marius Gunnerud, Senior Systems Engineer
Top Expert 2013

Commented:
You will need to change the subnet. Right now, from the looks of things, you are using 255.255.255.0 as the subnet?

You will need to state how many users there will be on each network, and what the possibility for growth is in the next 5 years.

Please let us know the exact number of users per VLAN and what the expected user growth is for the next 5 to 10 years.
dinagaran2000manager

Author

Commented:
VLAN 14 [(server)will be on 3560 ] and VLAN 15 should be accessible by all pcs.
 
vlan5-pcs.xlsx
Marius Gunnerud, Senior Systems Engineer
Top Expert 2013

Commented:
Which VLANs belong to the 10.10.2.x network and which belong to the 172.16.16.x network? You may need to rethink your IP addressing scheme.
dinagaran2000manager

Author

Commented:
Sorry MAG03 and SIM50,

Correction pls...

Only the server VLAN (14) will be on 10.10.2.x. Up to VLAN 10 it will be 172.16.16.x.
VLAN 11, 12, 13 will be on 192.168.168.x.

What about the network printer VLAN? It is on VLAN 15.

Thanks
dinagaran2000manager

Author

Commented:
Hi Guys,

   My friend says that Private VLAN is the best solution for the above scenario. I am not used to that.

Any suggestions?

Commented:
I am sorry but I am a bit at a loss as to what you are trying to do. Can you please elaborate?
Also, if you don't mind, please take a look at this link: http://www.petri.co.il/csc_setup_a_vlan_on_a_cisco_switch.htm
Marius Gunnerud, Senior Systems Engineer
Top Expert 2013

Commented:
Well, you don't need private VLANs to configure the same subnet in different VLANs, as VLANs work in layer 2. And you could set up ARP proxy on the router to help route traffic between the similar networks, but then you cannot have the same IP address configured on both the networks. Things can become quite irritating to troubleshoot and document, not to mention having to remember what addresses are in use and which are not. I do not recommend doing this.

The problem now is that for VLAN 1 - 10 the expected users require more IP addresses than the 172.16.16.x network will be able to offer (254 available for lease but 288 required). So that network will need to be changed to 172.16.x.x to be able to support the amount of IPs required. Keep in mind that the current amount of users can be supported on the 172.16.16.x network. So this can be set up with the understanding that it will need to be changed in the future. This is why subnetting will be needed.

Is there a reason why you must use 172.16.16.x or are you in a position to amend this?

Could you also elaborate on what subnets need to access each other?
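A small plan checker for the two addressing problems raised above, the "overlaps with vlan 7" error and the 254-versus-288 address shortfall, written as an added example and not taken from any post in the thread. The function names and the sample plan are constructed for illustration; only the 10.10.2.x and 172.16.16.x ranges and the 288 figure come from the discussion.

```python
import ipaddress
from itertools import combinations

# Constructed plan that reproduces the mistakes discussed in the thread.
PLAN = {6: "10.10.2.254/24", 7: "10.10.2.200/24",
        9: "10.10.9.254/24", 10: "172.16.16.1/24"}   # VLAN -> SVI address
HOSTS = {"10.10.2.10": 7, "10.10.2.11": 9}           # host IP -> VLAN
NEEDED = {10: 288}                                   # VLAN -> addresses required

def check_plan(svis, hosts, needed):
    """Return a list of findings for an SVI addressing plan."""
    ifaces = {v: ipaddress.ip_interface(a) for v, a in svis.items()}
    findings = []
    # A layer 3 switch refuses two routed interfaces in overlapping subnets.
    for (va, ia), (vb, ib) in combinations(sorted(ifaces.items()), 2):
        if ia.network.overlaps(ib.network):
            findings.append(f"overlap: vlan {va} {ia.network} and vlan {vb} {ib.network}")
    # A host can only use the SVI as gateway if both sit in the same subnet.
    for ip, vlan in sorted(hosts.items()):
        if ipaddress.ip_address(ip) not in ifaces[vlan].network:
            findings.append(f"off-link: host {ip} cannot reach vlan {vlan} gateway {ifaces[vlan].ip}")
    # Usable addresses = subnet size minus network and broadcast address.
    for vlan, count in sorted(needed.items()):
        usable = ifaces[vlan].network.num_addresses - 2
        if count > usable:
            findings.append(f"capacity: vlan {vlan} needs {count}, {ifaces[vlan].network} has {usable}")
    return findings

def smallest_prefix(host_count):
    """Longest IPv4 prefix length that still holds host_count usable addresses."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= host_count:
            return prefix
    raise ValueError("host count does not fit in IPv4")

if __name__ == "__main__":
    for line in check_plan(PLAN, HOSTS, NEEDED):
        print(line)
    print("prefix for 288 hosts: /%d" % smallest_prefix(288))
```

Giving every VLAN its own non-overlapping subnet and re-addressing the hosts to match makes `check_plan` return an empty list.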
dinagaran2000manager

Author

Commented:
Hi SIM50,

     To recall, we have 4 nos of 2960 and one 3560 switch connected with each other. The 3560 switch is connected to the firewall, and the firewall to the ROUTER for outside. This setup is working well. All are in the 10.10.2.x network. Now we are trying to set up 15 VLANs with three networks. Server (10.10.2.x) for Users network (172.16.16.x) and 192.168.168.x. We want all users to access the server. Users should not communicate with each other's VLANs. We want to position 4 nos of network printers.

Can you recollect now?
dinagaran2000manager

Author

Commented:
Hi MAG03,

    Network will not be the issue. We need three networks, two for users and one for SERVERS. The existing 10.10.2.x will be retained for the Server VLAN.

To recall, we have 4 nos of 2960 and one 3560 switch connected with each other. The 3560 switch is connected to the firewall, and the firewall to the ROUTER for outside. This setup is working well when all are in the same 10.10.2.x network. Now we are trying to set up 15 VLANs with three networks. Server (10.10.2.x) for Users network (172.16.16.x) and 192.168.168.x. We want all users to access the server. Users should not communicate with each other's VLANs. We want to position 4 nos of network printers.

Is it clear pls?


Marius Gunnerud, Senior Systems Engineer
Top Expert 2013

Commented:
If you want to use the same address range for several vlans you will need to implement NAT in order to sort out the routing issue to common devices.
dinagaran2000manager

Author

Commented:
Hi Team,

     Sorry, I was on vacation. Thanks for the support. Finally 90% of the solution is reached.

IN 3560
VTP domain
15 VLANs created with different NETWORK.
SERVER VLAN not created. (Since server, FW and router are in the same network and we didn't change)
Trunk created.
INTERFACE for all VLANs created

(ACL is pending, planning for future)

IN 2960
VTP Client
port assigned.

NOW it is working. To take a copy of config VLAN.DAT in all switches will be okay?
Thanks.
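The ACL step is still pending in the thread, so here is one way to express the stated policy (every user VLAN reaches the servers and printers, user VLANs do not reach each other), as an added example that is not part of any post. It renders an inbound extended ACL per user SVI and evaluates it first-match. The per-VLAN subnets, the ACL names and the final permit for Internet-bound traffic are assumptions; only 10.10.2.x for servers and the VLAN 14/15 roles come from the discussion.

```python
import ipaddress

# Constructed addressing: one /24 per VLAN. Only the server range is from the thread.
USER_VLANS = {3: "192.168.3.0/24", 4: "192.168.4.0/24", 5: "192.168.5.0/24"}
SHARED = {14: "10.10.2.0/24", 15: "192.168.15.0/24"}   # servers, printers

def build_rules(vlan):
    """Ordered (action, destination network) rules for traffic entering from vlan."""
    rules = [("permit", ipaddress.ip_network(n)) for n in SHARED.values()]
    rules += [("deny", ipaddress.ip_network(n))
              for v, n in sorted(USER_VLANS.items()) if v != vlan]
    # Assumption: everything else (Internet via the firewall) stays allowed.
    rules.append(("permit", ipaddress.ip_network("0.0.0.0/0")))
    return rules

def render(vlan):
    """IOS configuration text: the named ACL plus its binding on the SVI."""
    src = ipaddress.ip_network(USER_VLANS[vlan])
    name = f"VLAN{vlan}-IN"   # hypothetical naming scheme
    lines = [f"ip access-list extended {name}"]
    for action, dst in build_rules(vlan):
        target = "any" if dst.prefixlen == 0 else f"{dst.network_address} {dst.hostmask}"
        lines.append(f" {action} ip {src.network_address} {src.hostmask} {target}")
    lines += [f"interface Vlan{vlan}", f" ip access-group {name} in"]
    return "\n".join(lines)

def decision(vlan, dst_ip):
    """First matching rule wins, as on the switch; no match means implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, net in build_rules(vlan):
        if dst in net:
            return action
    return "deny"

if __name__ == "__main__":
    print(render(3))
```

Because every rule matches on the VLAN's own source subnet, packets with any other source address fall through to the implicit deny; hosts that obtain addresses by DHCP through the SVI would need an extra permit for that traffic.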
dinagaran2000manager

Author

Commented:
Great.