11-28-2006 10:53 PM - edited 03-03-2019 02:50 PM
Hello everybody,
I have a job to do, and I'm not close on it.
In a company there is a Cisco 2950 "backbone" SW and it's connected to a Checkpoint FW.
Now I need to add 2 Cisco 2950 switches on another floor. I need to connect them to each other with fiber, and connect one of them to the backbone SW with fiber.
They want to create two VLANs on the 2 switches I will add.
My question is how I need to do that.
Creating a tunnel port between the 2 new switches, and another tunnel port to the backbone SW, and the VLANs will go until the FW and then be routed?
Do I need to create those VLANs on the backbone SW too? Should I create them only on the backbone SW as VTP server, and configure the new SW as VTP client?
11-28-2006 11:05 PM
connect the switches and configure each port where you plugged in a fiber with the following lines:
switchport mode trunk
Default encapsulation is isl, if you want dot1q also use the next line:
switchport trunk encapsulation dot1q
By default, all vlans will be trunked. Next, configure the existing switch as a vtp server and the others as clients. Within moments you should see all vlans on the other switches too ("sh vlan" command)
11-28-2006 11:10 PM
Hi Friend,
2950 only supports dot1q so "sw tr encapsulation dot1q" is not supported and not required also.
Also, I believe if you just have 2 VLANs which are already available on your core switch, then you need to create VTP domain even just manually create VLANs on 2 new switches, and if those VLANs are not available on the core switch then add them there also.
HTH
Ankur
11-28-2006 11:47 PM
Thanks a lot for both replies.
What about the trunk from the CORE SW to the CHECKPOINT FW, what do I need to configure there, except sw mode trunk?
thanks
11-29-2006 12:17 AM
Hi
You need to define it in a VLAN. It should be an access link. BTW, which switch is doing inter-VLAN routing in your case? I don't see anything about routing of VLANs in your posts.
Thanks
Mahmood
11-29-2006 12:55 AM
Yeah, I was thinking that the FW will route them, but I understood in my other post that I can't create VLANs on a 2950 SW.
So:
Now I need another solution.
I have a core 2950 SW that is connected to a Checkpoint FW, and 2 Cisco 2950 switches.
I want two different networks,
so I connect the 1st SW to the core, and the 2nd to the core too (without connecting the 2 new ones together; the 1st will be 192.168.1.x and the 2nd will be 192.168.2.x), and I will connect 1 port on the core SW to a DMZ NIC in the CP FW, 192.168.2.x,
and the existing port connected to the LAN NIC in 192.168.1.x.
It's now so securely, but less broadcast I think I have.
Anyway, does it work?
And if you have something to add/modify,
please tell me.
11-30-2006 12:03 PM
Hi
A Checkpoint firewall supports dot1q VLANs if the OS it is running on does (CP SecurePlatform does). If you make the port that the FW is connected to on your core 2950 a trunk port (use switchport mode trunk) and create VLAN subinterfaces with the corresponding VLAN numbers (VLAN 1 doesn't have a VLAN number assigned on SPLAT, so it is just the IP address bound to the physical interface), the firewall can route between the VLANs for you.
HTH
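The switch side of the setup discussed in this thread, as an added example that is not part of any poster's reply: VLANs created manually on each 2950, trunks on the fiber links, and a trunk toward the firewall so it can route between the VLANs. The VLAN IDs (10, 20), VLAN names, descriptions and interface numbers are assumptions; the firewall's own VLAN subinterfaces are not shown.

```cisco
! Added example. VLAN IDs, names and interface numbers are assumptions.
! --- Core 2950 ---
vlan 10
 name FLOOR-NET-A
vlan 20
 name FLOOR-NET-B
!
! Fiber link to the first new 2950
interface GigabitEthernet0/1
 description Fiber to new switch 1
 switchport mode trunk
 ! Carry only the VLANs this link needs instead of the default "all VLANs"
 switchport trunk allowed vlan 1,10,20
!
! Port facing the Checkpoint firewall
interface FastEthernet0/24
 description Checkpoint FW
 switchport mode trunk
 ! VLAN 1 stays untagged (default native VLAN); 10 and 20 arrive tagged
 ! and must match the VLAN subinterface numbers on the firewall
 switchport trunk allowed vlan 1,10,20
!
! --- New 2950 number 1 (VLANs created manually, no VTP) ---
vlan 10
 name FLOOR-NET-A
vlan 20
 name FLOOR-NET-B
!
interface GigabitEthernet0/1
 description Fiber to core
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
interface GigabitEthernet0/2
 description Fiber to new switch 2
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
! User-facing ports are access ports in exactly one VLAN
interface FastEthernet0/1
 description User port in VLAN 10
 switchport mode access
 switchport access vlan 10
```

After applying, `show vlan` and `show interfaces trunk` on each switch confirm which VLANs exist and which are actually carried on each trunk.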