• Status: Solved

VLANs setup using Cisco 3750G

Hello Experts:

I have been assigned a task to re-organize network with very minimum resources and in a very short time, below is the current setup:

There are 5 different locations with distance of 200-300 meter among them, each location has multiple small 8-ports or 16-ports unmanaged network switches, but these 5 locations are connected to a central location through fibre optic backbone.

As of now there is no organization of IPs, 4 different series of IP addresses are used in clients and servers, 128.128.x.x, 192.168.1.x, 192.168.2.x, 192.168.10.x, all PCs are assigned fixed IP addresses and most of them have multiple IP addresses assigned to reach servers available on different IP address ranges, very bad network, I know, but that is how it came to me.

Now my task is to bring everyone on one IP address which should be assigned by a DHCP address, I'm planning to divide this network in different VLANs managed by a 3750G switch, but the challenge is we cannot stop/change existing servers' IP addresses until all clients are on the new IP address scheme, which is not a very easy task.

My plan:

5 VLANs, 1 for each location + Server VLAN for devices/servers directly connected to core switch (3750G)

Connect all servers (10 in number) to 3750G switch.
Connect all 5 cables coming from 5 different locations to 3750G switch
Let servers running in their old IP addresses until all clients are on new IP address scheme, let 3750G do the routing for us.

Suppose, cable coming from location A is connected to port number 12 of switch and we configure it as VLAN1, we have to change all clients to obtain IP addresses automatically, we'll configure a proper scope in our DHCP server to assign IP addresses for VLAN1 but request will come from 3750G switch, please note that DHCP server would be running in old IP address range i.e. 128.128.x.x

First of all, I would like to know what I'm thinking, is it practically possible? if yes, then how client and server which are on different IP address range will communicate to each other? How about internet traffic which has to pass through an internet gateway (also connected to core switch 3750G switch) but on a different IP address range?

Please note that I have only 1 manageable switch in this whole network and that is at core.

Sorry for such a long post.

Cheers,
Tayyab
0
Asked by: tayyabq8
 
Soulja Commented:
I think your biggest constraint is the unmanaged switches. What kind are they?
0
 
Soulja Commented:
Now that I think about it, try assigning the port that the unmanaged switch connects to to the VLAN you want that switch to be on. Create your VLAN interfaces also.

For example:
On 3750.
interface vlan x
 ip address x.x.x.x x.x.x.x
 ! x.x.x.x below = IP of DHCP server
 ip helper-address x.x.x.x

for each vlan

Then:
interface fa0/x
 switchport access vlan x

for the port that connects to the unmanaged switch. Do this also for the ports you want the server to connect to.


0
 
tayyabq8 Author Commented:
Hi Soulja,

Thanks for your reply, my unmanaged switches are D-Link, 3Com etc.

So you think what I'm planning is practically possible? You have written commands for individual ports, what about inter-VLAN routing? Can I have some servers running on the old IP address range permanently, because I see some complications in changing their IP addresses? Thanks again.
0
 
Fidelius Commented:
Hello,

Yes it is possible. As you said in your post "let 3750G do the routing for us" so you don't have to worry about inter-vlan routing.
By configuring interface vlan x you will configure L3 interface for each VLAN. By issuing ip routing you will enable routing on the switch, as all L3 interfaces will be on 3750G, they will be directly connected to 3750G. You can verify that by issuing show ip route. That is enough for inter-vlan routing.
You will just need to enter one default static route for internet traffic:
ip route 0.0.0.0 0.0.0.0 <ip of internet router>

ip helper x.x.x.x (ip of dhcp server) configuration (posted by Soulja) will take care of reaching right server for DHCP.

If your servers with their current addresses will not overlap with addresses from new VLANs, you don't need to change them at all. Just create VLAN and interface VLAN for every subnet in which servers reside and routing will take care of everything else.

Of course you have to put interface vlan IP address as default gateway on every server in particular VLAN.
For example:
interface vlan 5
ip address 10.10.10.1 255.255.255.0

IP 10.10.10.1 will be default GW for all servers in VLAN 5.

Regards!

0
 
Soulja Commented:
Thanks for clarifying Fidelius.
0
 
tayyabq8 Author Commented:
Hello Gurus,

Just a small question, it is a 24 port switch, 12 ports currently used I want to leave without VLAN configurations, and I want to configure VLANs on the rest of the 12 ports and test it before roll-out, is it possible? Or once a VLAN is configured on 1 port, the rest cannot stay flat?
0
 
Fidelius Commented:
Hello,

Yes it is possible, but it will not work as expected. I don't recommend it. If you do a good preparation, and if you subnet it correctly there should be no problem.

To do it right do the following:
- for each of 5 location pick a subnet (be careful not to overlap it with existing one)
- for each subnet choose one VLAN
- for each VLAN create L3 interface with syntax provided by Soulja (interface vlan x)
- configure 5 free ports, each in one VLAN
interface fa0/x
 ! fa0/x: x = number of port
 switchport mode access
 ! vlan x: x = number of VLAN
 switchport access vlan x

Till now there is no interruption in service.
Next you will need to move cables of each location to corresponding VLAN configured port.
If your servers are all on same subnet, you will just need to create L3 interface for VLAN1 (default VLAN).

After that everything should work.
To be 100% sure, post current 3750 configuration so we can check it, and confirm that it will not collide with new config.

Regards!
0
 
tayyabq8 Author Commented:
Hello Fidelius,

Thanks for your reply. 3750 has no configurations, it's a brand new switch. I have chosen the following subnets for each location:

172.16.51.0/24 & 172.16.52.0/24 until 172.16.55.0/24

These subnets don't interfere with the existing ones.
You mentioned --> for each subnet choose one VLAN (how to choose a VLAN for a subnet, please elaborate)?

I have another related question, since I can't move all locations on one single day to VLANs, I'll do it step-by-step, one location/day.

Now suppose location1 cable I connected to the port which I configured, as you mentioned, remaining ports (unconfigured ones) are still in default vlan1, will users be able to reach servers? Please notice that only location 1 is configured for VLAN for new subnet & gateway, all the other locations are unconfigured, I hope I am able to make my point clear.


0
 
tayyabq8 Author Commented:
"If your servers are all on same subnet, you will just need to create L3 interface for VLAN1 (default VLAN)."
My servers are not on the same subnet, they are on different subnets, what do you suggest in this case? Thanks.
0
 
Fidelius Commented:
To choose VLAN for each subnet do the following:
! subnet 172.16.51.0/24 -> VLAN 10
interface vlan 10
 description --Location1 Uplink--
 ip address 172.16.51.1 255.255.255.0
 ! x.x.x.x below = IP of DHCP server
 ip helper-address x.x.x.x
 no shutdown
!
! subnet 172.16.52.0/24 -> VLAN 20
interface vlan 20
 description --Location2 Uplink--
 ip address 172.16.52.1 255.255.255.0
 ! x.x.x.x below = IP of DHCP server
 ip helper-address x.x.x.x
 no shutdown
!
... and so on.

So, when you move location 1 to let's say port Gi 1/0/1 configured for VLAN 10 as follows:
interface Gi1/0/1
 switchport mode access
 switchport access vlan 10
!

it will be unable to reach any other host or location until you configure:
ip routing

and multiple IP addresses under VLAN 1 (be aware that this VLAN 1 configuration is just transitional, and after all locations migrate, and you separate servers into appropriate VLANs you should remove all but primary IP addresses from VLAN 1, in this example I have chosen 128.128.x.x as primary, you can choose differently regarding your needs)

interface vlan 1
 ip address 128.128.x.x 255.255.255.0
 ip address 192.168.1.x 255.255.255.0 secondary
 ip address 192.168.2.x 255.255.255.0 secondary
 ip address 192.168.10.x 255.255.255.0 secondary

You can test this configuration prior to moving Location 1 cable to port Gi 1/0/1 by connecting your PC to that port. If you can reach all you need, then everything is fine.
0
 
tayyabq8 Author Commented:
Dear Fidelius,

Thanks for all your support, I tested your solution, worked like a charm.

Best Regards,
0
 
tayyabq8 Author Commented:
Dear Fidelius,

Although the above things were tested, there is one practical issue I'm facing now.

Suppose location 1 uses 128.128.x.x network IP address, and location 1 is connected on port 1 of switch, when I make port 1 member of vlan 51, all users won't be able to communicate to rest of network because 99% of them have static IP address, any work around?

I want to avoid downtime as much as possible.

Regards.
0
 
Fidelius Commented:
Hello tayyabq8,

If subnet 128.128.x.x is only on location 1, and nowhere else, there is a solution. :)

Configure VLAN 51 with secondary IP (if you configured same subnet under VLAN 1 you must remove it from there)

interface vlan 1
 no ip address 128.128.x.x 255.255.255.0
!
interface vlan 51
 ip address 128.128.x.x 255.255.255.0 secondary
!

In case you have some servers in subnet 128.128.x.x on central location, you must put them in VLAN 51 after you do this configuration, to be accessible.

After you migrate all clients from static to DHCP, you can remove secondary address with:
interface vlan 51
 no ip address 128.128.x.x 255.255.255.0 secondary
!
0
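Added example, not part of the thread or of any poster's configuration: a pre-change check for the rule stated in the answer above, that a subnet moved to VLAN 51 as a secondary address must first be removed from VLAN 1. It parses SVI stanzas and reports subnets configured on two different interfaces; the sample config, its host addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the VLAN 51 change applied before 128.128.1.0/24
# was removed from VLAN 1. Host addresses are made up for the example.
SAMPLE = """\
interface vlan 1
 ip address 128.128.1.1 255.255.255.0
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0 secondary
!
interface vlan 51
 ip address 172.16.51.1 255.255.255.0
 ip address 128.128.1.1 255.255.255.0 secondary
!
"""

ADDR = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?\s*$")


def svi_networks(config):
    """Return [(interface, network, is_secondary)] for every configured address."""
    found, current = [], None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and (m := ADDR.match(line)):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            found.append((current, net, bool(m.group(3))))
        elif line.strip() == "!":
            current = None
    return found


def overlaps(config):
    """Pairs of different interfaces whose configured subnets overlap."""
    nets = svi_networks(config)
    hits = []
    for i, (if_a, net_a, _) in enumerate(nets):
        for if_b, net_b, _ in nets[i + 1:]:
            if if_a != if_b and net_a.overlaps(net_b):
                hits.append((if_a, if_b, str(net_a), str(net_b)))
    return hits


if __name__ == "__main__":
    for hit in overlaps(SAMPLE):
        print("overlap:", *hit)
```
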
 
tayyabq8 Author Commented:
Dear Fidelius,

Thanks a lot for your support, I got it what you mean, unfortunately I have 128.128.x.x in other locations as well.

But no worries, I'll overcome this with more manpower, thanks again for your support, I have been active in many online forums, never saw someone like you who understands issues so well and gives a plug-in solution, usually people get fed-up with too many scenarios but you were patient.

Cheers.
0
 
Fidelius Commented:
Thanks!
No problem. Glad to be of help!

Your questions were very clear so it wasn't hard to provide you with solutions.
Till next time, stay well!

Regards!
0
 
Fidelius Commented:
Hello,

One thing crossed my mind: if the PCs on location 1 are on a domain, there should be a way to push Group Policy to change IP settings from static to DHCP.
Unfortunately I'm not so good in Active Directory administration, but I can look how to do it, if it will help.

Regards!
0
 
tayyabq8 Author Commented:
Dear Fidelius,

It'll be really great help if you can find a simple solution for that, yes my users are on Domain.

Cheers.
0
 
Fidelius Commented:
Enter in Google search following:
static ip to dhcp group policy

You will find lot of solutions. Hope it will help!
0
 
tayyabq8 Author Commented:
Fidelius,

Thanks for the suggestion, I have done almost 60% of the shifting manually. There is one related issue.

Earlier there used to be 3 ADSL connections in 3 different locations, 128.128.0.3, 192.168.1.50, 192.168.2.50.

As a temporary solution, I have added a route in the switch and all internet traffic is going through one ADSL gateway. I want to utilize the rest of the ADSL gateways as well, is it possible to divert internet traffic say, for VLAN use this gateway, for VLAN 2 & 3 use this gateway and for VLAN 5 use this?

Cheers.
0
 
Fidelius Commented:
I think you can do it with policy-based routing (PBR), but be aware, traffic from all location will come to 3750 and then be distributed to ADSL gateways. So traffic on your location uplinks will be almost doubled.

Also be aware that you need at least IP SERVICES feature set to be able to do PBR.

I think it should look something like this (you should do that for each VLAN):

ip access-list extended VLAN5_PBR
 deny ip <vlan 5 subnet> 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip <vlan 5 subnet> 0.0.0.255 128.128.0.0 0.0.255.255
 remark for deny you have to add all your local subnets if they are not in above lines
 permit ip <vlan 5 subnet> 0.0.0.255 any
!
route-map VLAN5_RM permit 10
 match ip address VLAN5_PBR
 set ip next-hop <IP of ADSL router>
!
interface vlan 5
 ip policy route-map VLAN5_RM
!
0
 
tayyabq8 Author Commented:
"So traffic on your location uplinks will be almost doubled."

Can you please elaborate on that? I think there was a kind of misunderstanding, all ADSL routers are connected directly to the 3750, is your statement still applicable? Thanks.
0
 
Fidelius Commented:
Sorry, my mistake!
I misunderstood the topology. I thought that the ADSL routers are on locations, not on the central site. You can ignore that statement.
0
 
tayyabq8 Author Commented:
Fidelius,

No need to apologize, I could guess it was a misunderstanding. I'm a bit lost in these PBR commands, I give you real IP addresses so that you can write exact commands:

VLANs
192.168.50.x/24 (vlan50), 192.168.51.x/24 (vlan51), and so on till vlan55.

routers
ADSL routers IP addresses: router 1: 192.168.50.40, router 2: 192.168.50.41, router 3: 192.168.50.42

I want to route:

vlan 51, 52 through router1
vlan 53, 54, 55 through router 2
vlan 1 through router 3

Cheers,
0
 
Fidelius Commented:
Here are PBR for VLANs 51 and 52, so you can follow config for other VLANs.

ip access-list extended VLAN51_PBR
 remark for deny you have to add all your local subnets if they are not listed below
 deny ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny ip 192.168.51.0 0.0.0.255 192.168.52.0 0.0.0.255
 deny ip 192.168.51.0 0.0.0.255 192.168.53.0 0.0.0.255
 deny ip 192.168.51.0 0.0.0.255 192.168.54.0 0.0.0.255
 deny ip 192.168.51.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny ip 192.168.51.0 0.0.0.255 128.128.0.0 0.0.255.255
 remark permit rule is for all other traffic
 permit ip 192.168.51.0 0.0.0.255 any
!
route-map VLAN51_RM permit 10
 match ip address VLAN51_PBR
 set ip next-hop 192.168.50.40
!
interface vlan 51
 ip policy route-map VLAN51_RM
!

ip access-list extended VLAN52_PBR
 remark for deny you have to add all your local subnets if they are not listed below
 deny ip 192.168.52.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny ip 192.168.52.0 0.0.0.255 192.168.51.0 0.0.0.255
 deny ip 192.168.52.0 0.0.0.255 192.168.53.0 0.0.0.255
 deny ip 192.168.52.0 0.0.0.255 192.168.54.0 0.0.0.255
 deny ip 192.168.52.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny ip 192.168.52.0 0.0.0.255 128.128.0.0 0.0.255.255
 remark permit rule is for all other traffic
 permit ip 192.168.52.0 0.0.0.255 any
!
route-map VLAN52_RM permit 10
 match ip address VLAN52_PBR
 set ip next-hop 192.168.50.40
!
interface vlan 52
 ip policy route-map VLAN52_RM
!

If you use secondary addresses on VLAN 1, ACL will be more complex depending how many secondary addresses you have.
Hope this helps!
0
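Added example, not part of the thread or of any poster's configuration: a Python generator that carries the VLAN 51/52 pattern above through VLANs 53 to 55 using the subnets and router addresses posted in the thread, with a first-match walk of the ACL showing that a deny entry leaves traffic to the normal routing table while the final permit sends it to the ADSL next hop. The function names are this example's own, and VLAN 1 is left out as an assumption because its subnets are not listed in the thread.

```python
import ipaddress

# Values taken from the thread; VLAN 1 is omitted because its subnets
# are not listed there. Add every other local subnet to LOCAL_NETS.
LOCAL_NETS = [f"192.168.{n}.0/24" for n in range(50, 56)] + ["128.128.0.0/16"]
NEXT_HOP = {51: "192.168.50.40", 52: "192.168.50.40",
            53: "192.168.50.41", 54: "192.168.50.41", 55: "192.168.50.41"}


def wildcard(net):
    """IOS ACL notation: network address followed by the inverted mask."""
    return f"{net.network_address} {net.hostmask}"


def acl_entries(vlan):
    """Ordered (action, src, dst) entries; dst None stands for 'any'."""
    src = ipaddress.ip_network(f"192.168.{vlan}.0/24")
    local = [ipaddress.ip_network(n) for n in LOCAL_NETS]
    return [("deny", src, dst) for dst in local if dst != src] + [("permit", src, None)]


def render(vlan):
    """IOS text for one VLAN: ACL, route-map and the SVI policy statement."""
    lines = [f"ip access-list extended VLAN{vlan}_PBR"]
    for action, src, dst in acl_entries(vlan):
        target = wildcard(dst) if dst is not None else "any"
        lines.append(f" {action} ip {wildcard(src)} {target}")
    lines += ["!", f"route-map VLAN{vlan}_RM permit 10",
              f" match ip address VLAN{vlan}_PBR",
              f" set ip next-hop {NEXT_HOP[vlan]}", "!",
              f"interface vlan {vlan}", f" ip policy route-map VLAN{vlan}_RM", "!"]
    return "\n".join(lines)


def forwarding(vlan, src_ip, dst_ip):
    """First-match walk: permit -> policy next hop; deny/no match -> routing table."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl_entries(vlan):
        if s in src and (dst is None or d in dst):
            return NEXT_HOP[vlan] if action == "permit" else "routing table"
    return "routing table"


if __name__ == "__main__":
    for v in sorted(NEXT_HOP):
        print(render(v))
```

A local subnet missing from `LOCAL_NETS` shows up in `forwarding()` as inter-VLAN traffic being handed to the ADSL router, which is the failure the deny entries exist to prevent.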