Windows 2000 Environment Across VLANs - PROBLEMS??

CanEHdian
Level 1

Planning to use a L3 switch (3550) as the core with each port going to individual VLANs on separate 2950s.

- "ip helper-address" command to forward DHCP to the one server - at each interface?

- What about Windows 2K environment/services?(network neighborhood, browsing, mapped drives to servers in another VLAN, etc..) Any issues?

- Enable routing on L3 switch... but are routing statements necessary for VLANs to connect?

Any (other) issues/problems with a segmented network (VLANs)??

Thanks.

9 Replies

jswaim
Level 1

Hello:

You will need to have ip routing enabled on the switch and IP addresses(subnets) assigned to each vlan for them to "talk" to each other.

The helper address will create a unicast packet from the workstation DHCP broadcast requests to the DHCP server to allocate the station ip address, default gateway, and name servers, among others...

You will need to define static routes, or enable a routing protocol for the vlans to reach networks not defined locally within the 3550.

You will want to create a reserved scope for IP addresses assigned to static devices, such as, printers.

As for W2K services: the workstation settings will be derived from the WINS/DHCP server response and should be able to browse the network, map drives, etc. if the server/workstation setup is correct.

You will find plenty of information regarding Cisco best practices on the web, as well as on the CCO.

I see from the thread that you will have Internet connectivity, as well as vpn.

You will want to review the Cisco SAFE documentation for guidance in "safe"guarding your network. At the very least, a firewall is required between the core and the Internet and VPN segments. Apply restrictions, such as time of day and access to resources, for VPN connectivity.

It is recommended that you initiate a "best of class" anti-virus for desktops and servers, and review the appropriate vendor docs for hardening them from attack.

Cisco also offers Intrusion Detection software and/or hardware to monitor for suspicious activity within the network. If you are using the enhanced IOS on the 3500 and 2900s, then you can monitor remotely via RSPAN sessions to a centrally located probe. If you lack the staff or skill set, this can be outsourced to a number of security services companies to update signatures and monitor activity.

smif101
Level 4

I think the big question here is how many users will be on this network? Under 100? If so, you wouldn't need to separate all of these networks; keep it all on one network. But to answer your question, if you did separate each into a separate network, as long as you have the ip helper-address on each of the networks the WINS services will be fine, and yes, you will need to enable layer 3 routing to allow traffic to cross VLANs. Will this be a private network with no connectivity anywhere else?

Yes, more than 100 users and planning to grow. We're seeing some traffic and security issues (virus, etc..) that we'd like to contain within departments.

It is our corporate network, which has access to the Internet (web browsing and VPN access to remote users).

Seth Bjorn
Level 1

On each VLAN interface, use the "ip helper-address (ip of DHCP server)".

Make sure in the global configuration that "ip routing" is in there.

After setting up each VLAN interface for your corresponding VLANs, you should see them as connected routes if you issue a "show ip route".

Windows 2000/2003 environments work fine as long as you have DNS set up properly. Make sure your DHCP server assigns the correct DNS IP addresses and that your DNS servers are set up and working.

Also make sure your DHCP server has the appropriate subnet scopes set up corresponding to the subnets on your VLANs.

Thanks for the input everyone.

Another question: I will obviously be trunking from the 3550 to each 2950. I guess I will need STP mode PVST - but just how funky does STP get with this type of nwk configuration? (I will not use VTP)

What more should I be doing STP-wise - without going overboard (there's a million ways to optimize STP...)

Thanks again,

Al

jswaim
Level 1

You stated in your original post that you will have each 2950 assigned to its own vlan. In this scenario, it is not necessary to trunk, unless you plan to operate a separate vlan for management. In that case you will need to trunk the management vlan to each 2950, and assign a management vlan and ip address. PVST will work fine OOTB (out-of-the-box), but you will need to set the core 3550 as ROOT for each created vlan by lowering the root priority (better platform).

If you were to deploy two 3550s in the core, you could provide high availability (HSRP), path diversity, core redundancy and load-balance STP with alternating root placement between the two core 3550s (HSRP active should follow the root). In this scenario, do not trunk the 2950 vlans between the core, so that you can take advantage of both uplinks forwarding to each 2950.

Enable UDLD for all FIBER uplinks to protect them from physical issues. Trunk type dot1q, mode desirable. Refer to Cisco's best practices for additional guidance.

Great info. So I'll have a 3550 set as root, routing enabled, a separate management vlan (VLAN-1), individual L3 ports with trunks (802.1Q) going to each 2950 (each with a VLAN-1 IP), PVST as it comes OOTB, "ip helper-" on each L3 interface for DHCP and Windows 2K services, indiv DHCP scopes for each VLAN, static routes to remote networks (def GWY to I/net firewall)... I'm sure I'm missing something, but will soon find out with my test lab config.

One last question: how does the single DHCP server know which scope to apply when it receives a request? (never done this before...)

Here is the reader's digest version:

Routers, by default, will not forward broadcast packets. Since DHCP client messages use the destination IP address of 255.255.255.255 (all Nets Broadcast), DHCP clients will not be able to send requests to a DHCP server on a different subnet unless the DHCP/BootP Relay Agent is configured on the router. The DHCP/BootP Relay Agent will forward DHCP requests on behalf of a DHCP client to the DHCP server. The DHCP/BootP Relay Agent will append its own IP address to the source IP address of the DHCP frames going to the DHCP server. This allows the DHCP server to respond via unicast to the DHCP/BootP Relay Agent. The DHCP/BootP Relay Agent will also populate the Gateway IP address field with the IP address of the interface on which the DHCP message is received from the client. The DHCP server uses the Gateway ip address field to determine the subnet from which the DHCPDISCOVER, DHCPREQUEST, or DHCPINFORM message originates.

Link: http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a00800f0804.shtml#understanding

-jeff
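An added example, written for this page and not taken from the thread or from Cisco: a small Python model of the relay behaviour Jeff describes above, and of the per-VLAN scopes Seth mentioned earlier. One SVI per user VLAN carries an assumed "ip helper-address 10.0.1.10"; the relay stamps the SVI's address into the BOOTP giaddr field, forwards the request as a unicast sourced from that SVI, and the single server picks the scope whose subnet contains giaddr. VLAN 30 is deliberately given an SVI but no scope, to show what happens when the scope for a subnet is missing (the server stays silent and the client never gets an address). All addresses, VLAN numbers, MACs and the scope table are constructed for the example; lease bookkeeping is left out.

```python
"""Model of 'ip helper-address' relaying and giaddr-based scope selection.
Constructed example; addresses, VLANs and MACs are assumptions."""
import ipaddress
import struct

# BOOTP fixed header (RFC 951/2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_ROUTER, OPT_DNS, OPT_END = 53, 3, 6, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
MAX_HOPS = 16        # RFC 1542: a relay drops requests that already show 16 hops
ANY = "0.0.0.0"

# Assumed 3550 SVIs, each configured with "ip helper-address 10.0.1.10".
SVIS = {
    10: {"ip": "10.0.10.1", "helper": "10.0.1.10"},
    20: {"ip": "10.0.20.1", "helper": "10.0.1.10"},
    30: {"ip": "10.0.30.1", "helper": "10.0.1.10"},   # no scope on the server
}
# Assumed scopes on the one DHCP server (10.0.1.10); "next_free" stands in for leasing.
SCOPES = [
    {"subnet": ipaddress.ip_network("10.0.10.0/24"), "router": "10.0.10.1",
     "dns": "10.0.1.10", "next_free": "10.0.10.100"},
    {"subnet": ipaddress.ip_network("10.0.20.0/24"), "router": "10.0.20.1",
     "dns": "10.0.1.10", "next_free": "10.0.20.100"},
]


def ip_bytes(addr):
    return ipaddress.IPv4Address(addr).packed


def ip_str(raw):
    return str(ipaddress.IPv4Address(raw))


def build_bootp(op, xid, chaddr, giaddr=ANY, yiaddr=ANY, hops=0, options=b""):
    """Pack a minimal DHCP message with the broadcast flag set."""
    header = struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, 0x8000,
                         ip_bytes(ANY), ip_bytes(yiaddr), ip_bytes(ANY),
                         ip_bytes(giaddr), chaddr.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_bootp(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    opts, i = {}, BOOTP_LEN + len(MAGIC_COOKIE)
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:              # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": ip_str(f[8]),
            "giaddr": ip_str(f[10]), "chaddr": f[11][:f[2]], "options": opts}


def relay_to_server(vlan, ip_dst, payload):
    """Relay-agent side of 'ip helper-address' on the SVI of `vlan`.
    Returns (new_ip_src, new_ip_dst, payload), or None when the packet is dropped."""
    if ip_dst != "255.255.255.255":
        return None                  # the helper only acts on the client broadcast
    svi = SVIS[vlan]
    f = list(struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN]))
    if f[3] >= MAX_HOPS:
        return None
    f[3] += 1                        # hops
    if f[10] == ip_bytes(ANY):       # only the first relay fills in giaddr
        f[10] = ip_bytes(svi["ip"])
    # forwarded as a unicast to the helper, sourced from the receiving SVI
    return svi["ip"], svi["helper"], struct.pack(BOOTP_FMT, *f) + payload[BOOTP_LEN:]


def select_scope(giaddr, server_iface_ip="10.0.1.10"):
    """Scope is keyed on giaddr; a non-relayed request uses the receiving NIC's subnet."""
    key = ipaddress.IPv4Address(giaddr if giaddr != ANY else server_iface_ip)
    return next((s for s in SCOPES if key in s["subnet"]), None)


def server_handle(payload):
    """Answer a DHCPDISCOVER with a DHCPOFFER addressed to giaddr, or None if ignored."""
    req = parse_bootp(payload)
    if req["op"] != BOOTREQUEST or req["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return None
    scope = select_scope(req["giaddr"])
    if scope is None:
        return None                  # no scope for that subnet: the server stays silent
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_ROUTER, 4]) + ip_bytes(scope["router"])
               + bytes([OPT_DNS, 4]) + ip_bytes(scope["dns"]))
    offer = build_bootp(BOOTREPLY, req["xid"], req["chaddr"], giaddr=req["giaddr"],
                        yiaddr=scope["next_free"], options=options)
    return req["giaddr"], offer      # unicast back to the SVI, which delivers it on the VLAN


def dhcp_exchange(vlan, client_mac, xid=0x3903F326):
    """Client broadcast -> relay on the SVI -> server -> offer back via giaddr."""
    discover = build_bootp(BOOTREQUEST, xid, client_mac,
                           options=bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER]))
    relayed = relay_to_server(vlan, "255.255.255.255", discover)
    if relayed is None:
        return None
    ip_src, ip_dst, fwd = relayed
    answer = server_handle(fwd)
    if answer is None:
        return None
    reply_dst, offer = answer
    o = parse_bootp(offer)
    return {"relay_src": ip_src, "relay_dst": ip_dst, "giaddr": o["giaddr"],
            "reply_dst": reply_dst, "offered": o["yiaddr"],
            "router": ip_str(o["options"][OPT_ROUTER]), "dns": ip_str(o["options"][OPT_DNS])}


if __name__ == "__main__":
    print(dhcp_exchange(20, bytes.fromhex("001122334455")))
    print(dhcp_exchange(30, bytes.fromhex("001122334466")))   # None: no scope for VLAN 30
```

The point to take from the model: the server never sees the client's VLAN, only giaddr, so the router option it hands back is whatever the scope for that subnet says, and a VLAN whose SVI carries a helper address but has no matching scope gets no reply at all. On a real 3550 the same check is "show ip dhcp ..." on the server side and a debug of the relay on the switch; the model just makes the giaddr dependency visible.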