03-15-2002 07:14 AM - edited 03-01-2019 08:53 PM
Hi, a customer of mine asked to segment his LAN using VLANs.
I want to create 4 VLANs distributed across the building floors. So, for example, at floor 1 VLANs 1 and 2 are present, at floor 2 VLANs 2 and 3 are present, and at the ground floor VLAN 4 is present (where I have the servers).
Each PC must talk ONLY with other PCs within the same VLAN and with the servers on VLAN 4. No communication between VLANs 1-2, 1-3, 2-3.
Another requirement is that I cannot change the PCs' IP addresses. So I cannot create a different IP subnet for each VLAN; all the VLANs must share the 10.1.0.0/16 network.
I'm using some Cat 3500XL at the wiring closet and Cat 4006 at the core level. The uplinks are Gb f.o.
Any idea on how to realize this job?
Thanks to all.
Andrea.
03-15-2002 08:53 AM
If your customer doesn't want to re-address the PCs, then there is no way of doing this.
The reason is that a VLAN is by definition a Virtual LAN that is one IP segment.
You also need a L3 device to route between the VLANs.
If you don't segment your IP block, then you can't route between the VLANs and therefore you need bridging, which is the equivalent of not configuring VLANs.
03-16-2002 03:00 AM
gdufour,
If PCs of VLAN 1, 2 and 3 did not need to connect to servers in VLAN 4, I think we could segment the network by using trunking, is that true?
Then suppose we put each server in all VLANs 1, 2 and 3; I think it will be OK too. But I'm afraid a server cannot belong to many VLANs if we use trunking.
Is this true for all Cisco switches?
03-17-2002 06:14 AM
PCs in VLAN 1, 2, 3 need to connect to servers in VLAN 4.
No, a single port can belong to a single VLAN.
03-18-2002 07:53 AM
You can bridge between VLANs. But as I said before, if you do this, you get back to a flat topology which is just more difficult to manage.
The reason to go to a VLAN design is to separate the broadcast domains. Therefore, you need re-addressing.
Your customer might be afraid of downtime due to this task. But if you can find a nice way to re-address all devices it might be better than trying to find a solution with no re-addressing.
03-18-2002 08:50 AM
Hello,
thanks for your messages.
No, the customer isn't afraid of downtime to change the IP addressing. The problem is that he has a COBOL application that works with MAC address references.
What about private VLANs?
Do you think they can help me?
Many thanks
03-18-2002 11:05 PM
Hi,
First I just want to tell you that on a Catalyst 2900XL/3500XL you can assign a port to several VLANs. This allows you to have the same IP subnet for all your VLANs, and there would be a Layer 2 separation between the different VLANs, preventing communication between hosts even though they belong to the same subnet.
The overlapping-VLAN port (not a trunk port) can be connected to the server (or common resource) and communication can take place since the IP network is the same.
On the other hand, the private VLAN could also be an option. The users that you need to communicate with each other can be connected to community ports; they will be able to communicate with ports within the same community and with the promiscuous port (where your server should be connected).
You can create several community VLANs within the same primary VLAN and a single isolated VLAN where your server(s) will be positioned.
Hope I could be of any help.
Regards.
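To make the two Layer 2 designs in this post concrete, here is an added model (not from the thread, and not switch configuration) of who can exchange frames with whom under overlapping VLAN membership and under private VLAN port roles, together with a check of the original requirement: a PC reaches only same-group peers and the servers. Port names, VLAN and community numbers are assumptions chosen for the example.

```python
"""Layer 2 reachability model for the two designs discussed in the thread:
overlapping (multi-VLAN) access ports and private VLANs (PVLANs).
Constructed example; port names, VLAN and community numbers are assumptions."""
from itertools import combinations

# Which PCs belong together (assumption: one VLAN per floor group).
GROUPS = {"pc-floor1-a": 1, "pc-floor1-b": 1, "pc-floor2-a": 2, "pc-floor3-a": 3}
SERVERS = {"server-1"}

# --- Design A: overlapping VLAN membership ---------------------------------
# Each access port carries a set of VLANs. Two hosts can exchange frames only if
# their ports share at least one VLAN; the IP subnet plays no role here, which is
# what lets every VLAN keep the same 10.1.0.0/16 addressing.
OVERLAP_PORTS = {
    "pc-floor1-a": {1}, "pc-floor1-b": {1},
    "pc-floor2-a": {2},
    "pc-floor3-a": {3},
    "server-1": {1, 2, 3, 4},   # multi-VLAN port: member of every VLAN
}

def overlap_reachable(a, b, ports=OVERLAP_PORTS):
    return bool(ports[a] & ports[b])

# --- Design B: private VLAN --------------------------------------------------
# Port roles inside one primary VLAN: ("community", id), ("isolated",) or
# ("promiscuous",). Community ports talk to their own community and to the
# promiscuous port; isolated ports talk only to the promiscuous port.
PVLAN_PORTS = {
    "pc-floor1-a": ("community", 101),
    "pc-floor1-b": ("community", 101),
    "pc-floor2-a": ("community", 102),
    "pc-floor3-a": ("community", 103),
    "printer-x": ("isolated",),
    "server-1": ("promiscuous",),
}

def pvlan_reachable(a, b, ports=PVLAN_PORTS):
    ra, rb = ports[a], ports[b]
    if ra[0] == "promiscuous" or rb[0] == "promiscuous":
        return True
    if ra[0] == "community" and ra == rb:
        return True
    return False   # isolated ports and different communities never talk at L2

def check_policy(hosts, groups, servers, reachable):
    """Return the (a, b) pairs that violate the policy: same-group peers and
    servers must be reachable, every other pair must be blocked."""
    violations = []
    for a, b in combinations(hosts, 2):
        allowed = (a in servers or b in servers) or groups.get(a) == groups.get(b)
        if reachable(a, b) != allowed:
            violations.append((a, b))
    return violations

def overlap_violations():
    return check_policy(list(OVERLAP_PORTS), GROUPS, SERVERS, overlap_reachable)

def pvlan_violations():
    return check_policy(list(PVLAN_PORTS), GROUPS, SERVERS, pvlan_reachable)

def misconfigured_pvlan_violations():
    """A floor 2 PC placed in floor 1's community: the check flags the leak."""
    ports = dict(PVLAN_PORTS, **{"pc-floor2-a": ("community", 101)})
    return check_policy(list(ports), GROUPS, SERVERS,
                        lambda a, b: pvlan_reachable(a, b, ports))

def server_single_vlan_violations():
    """Server left on a plain VLAN 4 access port: no PC can reach it."""
    ports = dict(OVERLAP_PORTS, **{"server-1": {4}})
    return check_policy(list(ports), GROUPS, SERVERS,
                        lambda a, b: overlap_reachable(a, b, ports))

if __name__ == "__main__":
    print("overlap design violations:", overlap_violations())
    print("pvlan design violations:", pvlan_violations())
    print("misplaced community port:", misconfigured_pvlan_violations())
    print("server on single VLAN:", len(server_single_vlan_violations()), "unreachable pairs")
```

The check is worth running against the intended port map before touching the switches: the two misconfiguration functions show the kind of mistake it catches (a PC in the wrong community, or the shared server left on a single-VLAN port).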
03-19-2002 01:57 AM
Wassim, thanks for your post.
OK, Cat 2900XL/3500XL support multi/overlapping VLANs, but my servers (or common resources) are connected to the Cat 4006 at the data center, which doesn't support multi/overlapping VLANs.
About PVLANs: if I'm not wrong, I believe that Cat 2900XL/3500XL don't support community ports. My end users are connected on the 3500XL switches.
So the problem persists.
Many Thanks
Andrea.
03-19-2002 03:00 PM
I think Wassim had a good point with the PVLAN.
BTW, how many devices are we talking about?
How many PCs and how many servers?
03-19-2002 07:44 PM
I'm new at this, but have you thought about dynamic VLANs with VTP pruning?
03-19-2002 09:10 PM
Hi,
If you go along with the PVLAN suggestion, remember that VTP and PVLANs can't be configured together on the same switch. You also can't trunk PVLANs. At least this is the last I knew but maybe things have changed in newer code releases.
03-20-2002 12:50 AM
Hugginsa,
Yes, I have thought about it. OK for dynamic VLANs (but I can also assign VLANs based on port; it's not a problem because user mobility isn't very frequent).
VTP pruning is another thing. It prevents sending VLAN traffic over a trunk if that VLAN doesn't exist on the spoke (for example) switch.
Bye and thanks for your thinking!
03-20-2002 12:42 AM
I'm talking about 400 PCs and 20 servers.
03-20-2002 10:51 AM
And I suppose the PCs have a fixed IP address. No DHCP?
I still think you should re-address and use DHCP (except for the servers).
You could do this by keeping the server addresses.
Then you take a new range of addresses in the 10.x.0.0/16 and you start migrating 1 floor at a time. And I would go with DHCP so next time your customer wants to change something, it's easier to manage.
Once a floor is migrated, it will be using a new VLAN and a new range of addresses.
A Layer 3 switch will route between the VLANs.
The floors that are still not migrated will still be in the same VLAN as the servers.
At the end, all floors are migrated and only the servers are left in the initial VLAN.
You should not have much downtime by doing this.
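The floor-by-floor re-addressing described above, as an added planning example (not part of the thread): it carves a fresh subnet per floor from the 10.0.0.0/8 pool that never overlaps the subnet the servers keep, and replays the cutover so you can see which floors still share the server VLAN after each step. The floor names, PC counts and the 10.1.0.0/16 server subnet are assumptions.

```python
"""Planner for a floor-by-floor re-addressing. Constructed example; floor
names, PC counts, VLAN numbers and the 10.1.0.0/16 server subnet are assumptions."""
import ipaddress

SERVER_NET = ipaddress.ip_network("10.1.0.0/16")   # servers keep their addresses here
# (floor name, number of PCs); the ground floor holds only servers.
FLOORS = [("ground", 0), ("floor1", 150), ("floor2", 150), ("floor3", 100)]

def prefix_for(hosts):
    """Smallest prefix length with room for hosts plus gateway, network and broadcast."""
    need = hosts + 3
    bits = 0
    while (1 << bits) < need:
        bits += 1
    return 32 - bits

def plan(floors=FLOORS, server_net=SERVER_NET,
         pool=ipaddress.ip_network("10.0.0.0/8")):
    """Assign each PC floor the first subnet of the right size from pool that
    overlaps neither the retained server subnet nor an earlier assignment."""
    assignments = {}
    used = [server_net]
    for name, pcs in floors:
        if pcs == 0:
            continue                       # nothing to migrate on this floor
        for cand in pool.subnets(new_prefix=prefix_for(pcs)):
            if not any(cand.overlaps(u) for u in used):
                assignments[name] = cand
                used.append(cand)
                break
    return assignments

def migration_steps(assignments, floors=FLOORS, first_vlan=10):
    """Replay the cutover: a floor stays in the server VLAN until its turn,
    then moves to its own VLAN and subnet. Returns one record per step."""
    remaining = [name for name, _ in floors]
    steps = []
    for i, (name, subnet) in enumerate(assignments.items()):
        remaining.remove(name)
        steps.append({"migrate": name, "vlan": first_vlan + 10 * i,
                      "subnet": str(subnet), "in_server_vlan": list(remaining)})
    return steps

if __name__ == "__main__":
    p = plan()
    for step in migration_steps(p):
        print(step)
```

Running it shows the last step leaving only the ground floor (the servers) in the original VLAN, which is the end state gdufour describes; the overlap check is the part to keep when the real address plan is more irregular than this sample.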
03-21-2002 12:45 AM
My problem is not downtime related to the changeover of IP addresses. Please see posts (1.1.2.1) and (1.1.2.1.2).
Bye