Multiple VLANs all connecting to the Internet

SteveOSUMMD
Level 1

Let me start by saying that I am a novice when it comes to switches and VLAN configuration.

I have two Cisco Catalyst 3548-XL switches running my network. Connected to one of the ports on one of the switches is my firewall. I need to segment my network into two (more in the future) VLANs that will be completely separate from each other except that they will both have access to the Internet through the firewall.

First, I set up a VLAN ID 2 on each switch independently. I do not believe I can use VTP as I will be using a multi-vlan port. Is this right? Next, I set the firewall port to be a multi-vlan port on vlan's 1 and 2. Currently, my entire network is on VLAN 1. I reconfigured a port on the same switch as the firewall to VLAN 2 and tested. All worked great. I could ping the firewall, but nothing else. Next, I configured a port on the second switch to VLAN 2. I could not access anything, not even the firewall.

So here are my questions:

1. Is there something special I have to do to get the same VLAN on each switch to be able to talk back and forth (i.e. why did it not work when I plugged the same machine into the second switch's port configured as VLAN 2)?

2. Is there any way to do this using VTP?

3. Being a novice, is there a better way to do this?

Thanks in advance

Steve

4 Replies

jkemery
Level 1

Several things you need to look into.

1. VLAN Trunking, search CCO and learn it.

2. Inter-VLAN routing: you need a router to move packets from one VLAN to another, i.e. VLAN 1 to VLAN 2 where your gateway/firewall resides on VLAN 2, so VLAN 1 clients need a route to get to VLAN 2 to access the gateway.

3. Once you figure out trunking and inter-VLAN routing you can then use a router (router on a stick) to make your routing decisions for you. Don't be intimidated here, it's really not that hard. Read up on it and get back to the forum if you need to.

:)

jk, ccnp
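As an added illustration of the trunking and router-on-a-stick setup jkemery describes (this is example configuration written for this page, not anything the poster or Cisco supplied): the two switches are joined by an 802.1Q trunk so VLAN 2 exists on both, and a small router with one 802.1Q subinterface per VLAN forwards both VLANs to the firewall while access lists keep the VLANs from reaching each other. The interface numbers, the 192.168.x.x addressing, the firewall's inside address 192.168.1.254 and the assumption that a spare IOS router is available are all mine; the thread gives none of them. The switch syntax is the 2900XL/3500XL form as I recall it (vlan database mode, `switchport trunk encapsulation dot1q`).

```cisco
! ===== Switch A (the switch the firewall is plugged into) =====
! Create VLAN 2 locally; VTP is left in transparent mode (no VTP domain needed).
vlan database
 vtp transparent
 vlan 2 name Segment2
 exit
!
! Fa0/24: 802.1Q trunk to Switch B. Both VLANs ride this one link, tagged;
! VLAN 1 is the native VLAN and goes untagged.
interface FastEthernet0/24
 description TRUNK to Switch B
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
! Fa0/23: 802.1Q trunk to the router-on-a-stick (hypothetical spare router).
interface FastEthernet0/23
 description TRUNK to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
! Fa0/1: the firewall stays an ordinary access port in VLAN 1 (untagged),
! so the appliance needs no 802.1Q support of its own.
interface FastEthernet0/1
 description Firewall inside
 switchport mode access
 switchport access vlan 1
!
! Fa0/2: a VLAN 2 workstation on this switch.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2

! ===== Switch B =====
vlan database
 vtp transparent
 vlan 2 name Segment2
 exit
!
interface FastEthernet0/24
 description TRUNK to Switch A
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
! Fa0/5: a VLAN 2 port on the second switch; it now reaches VLAN 2 on
! Switch A (and the router) over the trunk instead of being isolated.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 2

! ===== Router (router on a stick; assumed IOS router) =====
! One physical interface, one 802.1Q subinterface per VLAN.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 102 in
!
! Everything not local goes to the firewall's inside address (assumed value).
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! "Completely separate except for the Internet": drop VLAN-to-VLAN traffic at
! the router. Internet-bound packets carry Internet destinations, so they
! fall through to the permit line and are forwarded to the firewall.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
```

Hosts in VLAN 2 use 192.168.2.1 as their default gateway; hosts in VLAN 1 can keep using the firewall directly since they share its VLAN. The one piece the switches and router cannot supply is on the appliance itself: the firewall needs a route for 192.168.2.0/24 via 192.168.1.1, or replies to VLAN 2 never come back. On the 3500XLs, `show interface FastEthernet0/24 switchport` and `show vlan` confirm the trunk state and which ports sit in VLAN 2; on the router, `show ip interface brief` should list both subinterfaces up.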

OK, I have read up on trunking and that is definitely what I need between the two switches to get the vlans talking across switches.

However, are you saying the only way to route traffic to my firewall is with a router (or router on a stick <- what is this?)? I know we do not want to buy a router for just this purpose. Is there no way to make this work with the multi-vlan port (i.e. assign the firewall port to all of the vlans)? I tried it and I could not configure trunking if the switch had a multi-vlan port - what a vicious circle that appears to force you to buy more hardware. Is there nothing built in to the switch to accomplish this?

Hi. Now that you know how to get the VLANs talking across switches, and as you say your VLANs are completely separate from each other (you don't need inter-VLAN routing) and all you need is to connect these VLANs to the Internet, I can suggest the following: before trying multi-VLAN ports, why don't you use another interface on the firewall to connect it to your other VLAN? Just add another NIC to your firewall and plug it separately into the other VLAN. It is more secure and reliable.

Hope this helps,

Mauricio

I cannot do that as our firewall is an appliance and not a computer and I cannot add any NICs. Even if I could, eventually, we will have up to ten vlans and I do not want my firewall to have twelve interfaces (10 vlans, 1 DMZ and 1 external).

What are my options since I have to use trunking which forces me not to use multi-vlan ports? Please tell me that a router is not required. If it is required, I will probably not use trunking and limit all of my vlans (except the default) to the switch with the firewall and configure the firewall's port as multi-vlan. I can only hope that I do not end up connecting more than 47 computers over all of the extra vlans.
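For the fallback Steve describes in his last paragraph (every extra VLAN confined to the firewall's switch, the firewall port configured as multi-VLAN, no trunk anywhere on that switch), here is an added example of that single-switch configuration. It is written for this page, not taken from the thread or from Cisco documentation; the port numbers and VLAN names are assumed, and the `switchport mode multi` / `switchport multi vlan` syntax is the 2900XL/3500XL form as I recall it. The restriction Steve hit is why it only fits one switch: on these models a multi-VLAN port and a trunk port cannot coexist on the same switch.

```cisco
! ===== Firewall switch only: no trunk ports may exist on this switch =====
vlan database
 vtp transparent
 vlan 2 name Segment2
 vlan 3 name Segment3
 exit
!
! Fa0/1: the firewall. A multi-VLAN port belongs to every listed VLAN at once
! and forwards their frames untagged, so the appliance needs no 802.1Q support.
interface FastEthernet0/1
 description Firewall inside (multi-VLAN)
 switchport mode multi
 switchport multi vlan 1,2,3
!
! Ordinary access ports, one VLAN each. Hosts in VLAN 2 and VLAN 3 can reach
! Fa0/1 but not each other, because nothing routes between the VLANs.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 3
!
! Ports toward the second switch must stay plain access ports (VLAN 1 here),
! which is exactly why the extra VLANs cannot extend to that switch.
interface FastEthernet0/24
 description Uplink to second switch (VLAN 1 only, no trunk)
 switchport mode access
 switchport access vlan 1
!
! Verification (output not shown):
!   show interface FastEthernet0/1 switchport   -> lists the multi-VLAN membership
!   show vlan                                   -> Fa0/1 appears under VLANs 1, 2 and 3
```

The trade-off to keep in mind: every member VLAN arrives on the single firewall interface untagged, so the firewall cannot tell them apart and cannot apply a per-VLAN rule. The only thing keeping VLAN 2 and VLAN 3 hosts apart is the switch's VLAN membership table, and every host that needs the Internet has to sit in the firewall's inside subnet. That is the behaviour Steve observed in his first test (a VLAN 2 host could ping the firewall and nothing else), and it is the reason the trunk-plus-router design scales to the ten VLANs he expects where this one does not.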