Re: Can we assign multiple VLANs to the same physical switch port

mukesh chaubey (Level 1)

Please guide me. In my organisation there are approx. 350 users and 15 Catalyst 3750 series switches, but only VLAN 1 is created on the root switch and connected to the other switches. Some issues are frequently faced in the network. I want to implement at least two VLANs and STP, but the issue is that I don't want to make changes on users' desktops, as there is no DHCP in our organisation; all have assigned static IP addresses. 4 network IPs are in use in our organisation's network, but all are interconnected and able to ping each other; maybe it is configured on the firewall. There is a large number of live users. Is there any possible way to overcome this issue? I need your guidance.


Hello, Mukesh.

There is no way to implement several VLANs on one interface, but you could use private VLANs to segment traffic.

You also could tune STP (RSTP) for better convergence time and apply best practices.

You could apply storm-control... but to suggest anything we need to know what issues you face.

What exactly switch models do you have?

Could you share switch interconnection diagram?

Why do you need all the users within single L3 subnet?



mukesh chaubey (Level 1)

Thanks for your reply. I would like to share the complete network structure, and if any better possible solution is there then please guide. There is a techrouter router given by the ISP for the link, then an L3 Cisco switch (3750) where VLAN 1 has been assigned IP 10.XX.XX.XX/22. From the L3 switch (only the L3 switch is accessible), three cables go out to three different racks. All racks have multiple Cisco 2960 series switches; the first is treated as master (physically), from where cable is distributed to all switches. There are a total of 27 Cisco switches (27x24 port).

I found some issue of a loop, as the L3 switch processor was touching 24% to 16%. Then I checked for the root bridge and found some other switch was root. I made the L3 switch the root for VLAN 1; somehow the issue is resolved, but I want some better resolution. I want to implement multiple root bridges for two VLANs; I also know how to do it, but the issue is I don't want to make any changes on user desktops like the default gateway, as the number of users is very high, approx. 350. I think, due to only one VLAN, network resources are not properly utilized. Can I implement anything? Cable from the switch is randomly distributed to the 1st, 2nd and 3rd floor; there is no segmentation. I think private VLANs may be implemented, as users' static IP details are available. There is no DHCP implemented in our organisation.

I have joined this company recently. Thanks in advance for your suggestion. If anything is missing, let me know.

Hello, Mukesh.

From your description I've crafted a couple of recommendations:

  1. Make sure that you are using RSTP.
  2. Make the 3750 (default gateway) the root bridge.
  3. Make sure you have more than a single connection from the 3750 to any rack (RSTP will block undesired ports).
  4. It would be much better if you use the 3750s (2 switches) as core/aggregation only (do not connect any users there) and every 2960 has uplinks only to the 3750s (and no links to other 2960s in the rack).
  5. Make sure that all 2960s are using similar ports for uplinks (to the 3750s).
  6. Make sure all the end-user ports are configured for portfast, bpduguard and storm-control.
  7. Make sure the 3750 is using spanning-tree guard root on all the links to the 2960s.
  8. Implement a DHCP server (at least 2 for redundancy).
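A configuration sketch of items 1, 2, 5, 6 and 7 in Cisco IOS, added here as an illustration and not taken from the thread or from any poster's switches. The interface names (3750 downlinks on Gi1/0/1-8, 2960 user ports Fa0/1-24, 2960 uplinks Gi0/1-2), the 3% storm-control threshold and the 300 s errdisable recovery timer are constructed assumptions; VLAN 1 is the only VLAN, as the original poster describes.

```cisco
! --- 3750 core (default gateway), constructed example ---
spanning-tree mode rapid-pvst                 ! item 1: Rapid PVST+ (RSTP per VLAN)
spanning-tree vlan 1 root primary             ! item 2: core wins the root election (priority 24576)
spanning-tree portfast bpduguard default      ! any portfast port that receives a BPDU is err-disabled
errdisable recovery cause bpduguard           ! clear the err-disable automatically once the BPDUs stop
errdisable recovery interval 300              ! assumed: 5 minutes
!
interface range GigabitEthernet1/0/1 - 8      ! assumed: downlinks to the 2960 racks
 description DOWNLINK-TO-2960
 switchport mode access
 switchport access vlan 1
 spanning-tree guard root                     ! item 7: a 2960 sending a superior BPDU is put into root-inconsistent state
!
! --- 2960 access switch, constructed example ---
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range FastEthernet0/1 - 24          ! item 6: end-user ports
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast                       ! edge port: forwards at once, no listening/learning delay
 storm-control broadcast level 3.00           ! assumed: drop broadcast above 3% of port bandwidth
 storm-control multicast level 3.00
 storm-control action trap                    ! traffic above the level is dropped; also send an SNMP trap
!
interface range GigabitEthernet0/1 - 2        ! item 5: the same uplink ports on every 2960
 description UPLINK-TO-3750
 switchport mode access
 switchport access vlan 1
 ! no portfast and no bpduguard here: uplinks must take part in STP
!
! Verification after the change (show commands, not configuration):
! show spanning-tree vlan 1          -> the 3750 reports "This bridge is the root"
! show spanning-tree summary         -> portfast / bpduguard / rootguard status per switch
! show interfaces status err-disabled
```

The global `spanning-tree portfast bpduguard default` only acts on ports that are also portfast, which is why the uplink range carries neither command. Every switch in the domain should be moved to rapid-pvst; a switch left in legacy PVST+ still interoperates, but the ports facing it fall back to the slow 802.1D timers.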

Sir,

Thanks for your wonderful reply. I know I'm replying so late, after a long month, since we have faced several issues till today. Now we are going to implement the above solution. Will it be better to implement VRRP or HSRP (all are Cisco switches) on the 3750s (2 switches), making the existing LAN IP address the virtual address? And also, since we are using a FortiGate 600C above it, how will we terminate on the firewall? Once again, thank you for your wonderful suggestion. (Approx. 350 users are there within the single VLAN 1, and IPs are unmanaged, so I can't create multiple LANs and restructure the whole large network.) So I find your above solution best for me. Thanks.

Hello.

VRRP is a cross-vendor standard, and you should use it if you plan a migration to any other vendor.

Cisco recommends HSRP, as Cisco is much quicker to update the HSRP protocol than to wait for the VRRP standard to be updated.

If your 3750 has the stacking feature, you would do better to build a stack.

Sorry, I didn't get your question about the firewall. What are you going to achieve?

Regarding DHCP: anyway, it's highly recommended (regardless of the required effort) to deploy DHCP and reconfigure all the clients to lease IP addresses from the server!

PS: after you change the IP address and assign it to HSRP, it will take time for your clients to learn the new ARP entry, so traffic will be flowing via the old switch (which owned the IP address previously).

Thank you once again for your reply. I have two L3 switches (Cisco WS-C3750G-24TS-1U); till now only one L3 switch is in use. Now I'm going to use the 2nd L3 switch at the core level as you have suggested. Does it (Cisco WS-C3750G-24TS-1U) support stacking as you suggested earlier? If not, then should I directly interconnect both L3 switches with a LAN cable (or not)? You had made it clear that HSRP is better, as all my switches are from the same Cisco vendor. And also, may I use 2 groups here for load sharing? (I know about HSRP.)

Regarding the firewall, my question was that currently we have one firewall, a FortiGate 600C, used as the gateway on the L3 switch, which connects to the outside. For any issue, see the diagram: the firewall is on top. Anyway, my issue is how to connect the 2nd L3 switch (is any configuration required on the firewall?). Currently only one L3 switch is connected to it, with gateway 10.1.x.x, which is the firewall interface IP address. If I connect the 2nd L3 switch, then how, and what do I do on the firewall? Do I need one more IP address on the FortiGate?

Hello.

The diagram should be like the picture (see attachment).

Regarding the firewall: it depends on the routing capabilities it has: does it support OSPF, does it support more than 1 internal LAN, etc.

Hi Sir,

Thanks for correcting the picture. One small query still remains. You have suggested implementing HSRP (as all are switches from the same Cisco vendor) and RSTP. If I implement both at the same time, from our access layer switch one port will block because of the STP feature (blocking the loop). Side by side, in HSRP one L3 switch will be in standby mode. In some conditions, will it not block my active L3 switch by using the STP feature, while my standby switch's port remains unblocked as it won the STP election process? Please see the picture for what I mean by the above. (Sorry for my English.)

Important: WS-C3750G-24TS is out of sale on the Cisco website. Can any other model like WS-C3750G-24XX be stacked with WS-C3750G-24TS?

Hello.

Sorry for the confusion: if you run just 1 or 2 VLANs over your network, you would need an L2 link between the core switches (not L3).

Regarding your concern: yes, correct, the STP root and HSRP active roles MUST match on a single core device.
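Added illustration of that rule for the two 3750s, not taken from the thread or from the poster's configuration: the same core is made STP root primary and HSRP active, the other is root secondary and HSRP standby, and the two are joined by an L2 link in VLAN 1. The addressing (10.0.0.0/22 with 10.0.0.1 as the existing gateway address that becomes the virtual IP, 10.0.0.2 and 10.0.0.3 as the real SVI addresses), the inter-core port Gi1/0/24, the priorities and the timers are all constructed assumptions.

```cisco
! --- CORE-1: STP root AND HSRP active (constructed example) ---
ip routing                                      ! the 3750 routes between VLAN 1 and the firewall side
spanning-tree mode rapid-pvst
spanning-tree vlan 1 root primary               ! bridge priority 24576: this box is the root
!
interface GigabitEthernet1/0/24                 ! assumed: L2 link to CORE-2, same VLAN as the users
 description L2-LINK-TO-CORE-2
 switchport mode access
 switchport access vlan 1
!
interface Vlan1
 ip address 10.0.0.2 255.255.252.0              ! constructed real address of CORE-1
 standby version 2
 standby 1 ip 10.0.0.1                          ! the address clients already use as gateway becomes the VIP
 standby 1 priority 110                         ! higher than CORE-2, so CORE-1 is active
 standby 1 preempt delay minimum 60             ! after a reboot, wait 60 s so STP settles before taking active
 standby 1 timers 1 3                           ! hello 1 s, hold 3 s: failover in a few seconds
!
! --- CORE-2: STP secondary root AND HSRP standby ---
ip routing
spanning-tree mode rapid-pvst
spanning-tree vlan 1 root secondary             ! bridge priority 28672: takes over only if CORE-1 is gone
!
interface GigabitEthernet1/0/24
 description L2-LINK-TO-CORE-1
 switchport mode access
 switchport access vlan 1
!
interface Vlan1
 ip address 10.0.0.3 255.255.252.0              ! constructed real address of CORE-2
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 1 3
!
! Confirm both roles sit on the same device:
! CORE-1# show spanning-tree vlan 1    -> "This bridge is the root"
! CORE-1# show standby brief           -> State Active, Virtual IP 10.0.0.1
! CORE-2# show standby brief           -> State Standby
```

With the roles aligned, a 2960 whose RSTP-blocked port faces CORE-2 still has its forwarding uplink pointed at the gateway that actually answers for 10.0.0.1, so no user traffic has to hairpin across the inter-core link. The `preempt delay minimum 60` on CORE-1 exists for the reboot case: the box should win the STP root election before it reclaims the HSRP active role. HSRP answers for the VIP with a virtual MAC (0000.0c9f.f001 for HSRP version 2, group 1), which is why, as the reply above notes, hosts that still cache the old physical MAC for 10.0.0.1 keep sending to the old switch until their ARP entry ages out.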

Yes, there is only one VLAN. Then what should I do? Please reply. I can't introduce more VLANs (there is a limitation). In the current scenario, what should our network topology be? Please reply.

If stackable, then what? If not stackable, then what? Please send a picture and tell me whether I should use portfast, bpduguard and storm-control on your said topology or not. Please reply.

If I'm using the (WS-C3750G-24TS) stacking feature, with no STP/HSRP, then should I use the portfast, bpduguard and storm-control features, so that in case a user connects any switch by mistake, it will not create any loop in our organisation? Please reply. Thanks for your reply in advance.

Hello.

If a user connects any switch, then:

 - if the switch is STP-aware, the port will be blocked due to BPDU guard;

 - if the switch is not STP-aware, then this won't be detected... but if the user creates a loop via the switch, then the ports will be blocked by storm-control and/or BPDU guard.

To block rogue non-STP-aware switches, you may use port-security to limit the number of MAC addresses allowed on the port.

Thank you for the expert advice. If I want to allow users to attach an unmanaged switch just below their desk, as in some cases it is required for extension (it becomes costly to get a separate cable for a single workstation from the access switch, a Cisco 2960), then what should I do so that I don't affect our STP root? Thanks.

If any further detail is required, please reply. Thanks.

Hello.

If you want to use unmanaged switches, then on Cisco devices I would use:

 - BPDU guard (to prevent looping);

 - storm-control at 3-5% (to manage flooding if a loop occurred);

 - port-security (to limit the number of users who could use the switches; also to manage floods).
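An added example of those three controls on a single 2960 access port that is allowed to feed a small unmanaged desk switch; it is an illustration and not configuration from the thread. The port FastEthernet0/5, the limit of 5 MAC addresses (one small desk switch's worth of hosts), the 10-minute inactivity aging and the 5%/3% storm-control band are constructed assumptions.

```cisco
! 2960 access port that feeds an unmanaged desk switch (constructed example)
interface FastEthernet0/5
 description DESK-SWITCH-ALLOWED
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast                          ! the unmanaged switch sends no BPDUs, so this stays an edge port
 spanning-tree bpduguard enable                  ! an STP-aware switch plugged in below is err-disabled at once
 storm-control broadcast level 5.00 3.00         ! assumed: drop above 5% of bandwidth, resume below 3%
 storm-control multicast level 5.00 3.00
 storm-control action trap                       ! excess traffic is dropped; SNMP trap for the NMS
 switchport port-security
 switchport port-security maximum 5              ! assumed: hosts behind one small desk switch
 switchport port-security violation restrict     ! drop frames from a 6th MAC and count/trap, do not shut the port
 switchport port-security aging time 10          ! assumed: forget a MAC after 10 min of silence
 switchport port-security aging type inactivity  ! so a replaced PC does not consume a slot forever
!
! Let a BPDU-guard trip clear itself once the offending switch is unplugged
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification:
! show port-security interface FastEthernet0/5   -> Port Status, Maximum MAC Addresses, Last Source Address
! show port-security address                     -> MAC addresses learned on secured ports
! show storm-control FastEthernet0/5             -> current level against the configured thresholds
```

The `violation restrict` mode is chosen over the default `shutdown` because a single extra laptop on the desk switch should not err-disable every workstation behind it; the extra MAC is simply dropped and counted. A loop through a non-STP-aware desk switch reflects the 2960's own BPDUs back to it, which BPDU guard catches; a flood that arrives without BPDUs is capped by storm-control, and the MAC limit keeps a looping desk switch from filling the access switch's MAC table with the whole VLAN 1 population. Since the users are on static addresses without DHCP, the MAC count is the only per-port handle the access switch has on how many hosts sit behind the cable.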
