Vlans on small sites with no core switch

mano.hernandez
Level 1

I have several small sites that are part of an MPLS network. Most of the sites have Cisco 1921 routers that are handing out DHCP for about 6 machines. Looking to add VOIP at these sites and thought about doing VLANS, but don't want to spend money on a layer 3 switch since we are going to do POE.

What would be the proper way to do this for those smaller sites?

 

Here is the config.

hostname Site_A
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
ip dhcp excluded-address 10.13.16.0 10.13.16.100
!
ip dhcp pool Site_A
 network 10.13.16.0 255.255.255.0
 domain-name
 dns-server 10.13.5.35 10.13.5.32
 default-router 10.13.16.1
 lease 60
!
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FGL154720V6
!
redundancy
!
class-map match-any COS3-NON_Critical_APPS
 match access-group name COS3-Traffic
class-map match-any COS2-Critical
 match access-group name COS2-Traffic
class-map match-any COS1
 match ip dscp ef
 match protocol rtp
!
policy-map COS
 class COS1
  priority percent 20
  set ip dscp ef
 class COS2-Critical
  bandwidth remaining percent 80
  set ip dscp af31
 class COS3-NON_Critical_APPS
  bandwidth remaining percent 10
  set ip dscp af21
policy-map CE_EGRESS_SHAPING
 class class-default
  shape average 9856000 39424 0
  service-policy COS
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex full
 speed 100
 service-policy output CE_EGRESS_SHAPING
!
interface GigabitEthernet0/0.50
 description .AT&T CIRCUIT ID
 encapsulation dot1Q 50
 ip address 172.16.1.230 255.255.255.252
 ip flow ingress
 ip flow egress
!
interface GigabitEthernet0/1
 ip address 10.13.16.1 255.255.255.0
 duplex auto
 speed auto
!
router bgp 65007
 no bgp log-neighbor-changes
 network 10.13.16.0 mask 255.255.255.0
 neighbor 172.16.1.229 remote-as 13979
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 10.13.5.169 2055
!
ip access-list extended COS2-Traffic
 permit tcp any host 10.13.5.132
 permit tcp any host 10.13.5.37
 permit tcp any host 10.13.5.51
 permit tcp any host 10.13.5.116
 permit tcp any host 10.13.5.90
ip access-list extended COS3-Traffic
 permit tcp any host 10.13.200.10
 permit tcp any host 10.13.5.67
!
snmp-server community NxCP21ac RO
snmp-server location Anywhere, AL
snmp-server contact
snmp-server enable traps tty
snmp-server enable traps entity-sensor threshold
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 2ckaMp79
 login
 transport input all
!
scheduler allocate 20000 1000
ntp server 10.13.5.35
!
end

Site_As#


Richard Burts
Hall of Fame

Your 1921 has two interfaces, both of which are used. If you want to implement VOIP it seems to me that you have two options.

1) use vlans with one for the existing data traffic and one for VOIP. This would require provisioning a switch at the site and using a trunk port on the switch to connect to the 1921.

2) combine phones and hosts in the existing subnet.

 

HTH

Rick

Joseph W. Doherty
Hall of Fame

" . . . thought about doing VLANS, but don't want to spend money on a layer 3 switch since we are going to do POE."

How do you understand VLANs, L3 and PoE intermix?

Regardless, for so few hosts, I would suggest you just go with Rick's 2nd suggestion, i.e. have data hosts and VoIP on same network. (What a VoIP dedicated VLAN provides you is generally an easy way to control traffic to/from a VoIP network, if you so choose. It also shields VoIP devices from processing data host broadcasts.)

I guess, I should say I've never done router on a stick. 

So I've created VLANS on a layer 3 switch and done the interVLAN routing, but never configured sub-interfaces.

 

The other issue is that all our sites have wireless with a company SSID and then a guest SSID, but they are all on the same network, which I have been looking to fix as well. (Previous setup by the Network Guy)

So, I want to create:

VLAN 80 - Voice
VLAN 60 - Guest Access
VLAN 16 - Data

 

Even our bigger sites that have 20-40 employees, everyone is on the same VLAN and if there is a layer 3 switch, it isn't being used. 

Your posting seems to assume that doing vlans requires a layer 3 switch. That is not the case. Doing vlans does require a switch but it could be a layer 2 switch or a layer 3 switch. If you have a layer 3 switch you have the advantage that inter vlan routing can be done on the switch and it reduces the load on the router. But layer 3 switch is not required. With a layer 2 switch you configure the multiple vlans, assign access ports to vlans, and configure one switch port as a trunk and use that to connect to the router. On the router you configure a subinterface for each of the vlans and use the router both for routing between the vlans and for connectivity to outside.

 

From your preceding response it seems that you have two reasons to want to change to an environment that uses vlans. That would require a switch for each site but could be layer 2 or layer 3.

 

HTH

Rick
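
The router-on-a-stick layout described in this reply, sketched as an added example (not part of the original post or the poster's configuration). It uses the VLAN numbers and data subnet given in the thread; the guest and voice subnets, the GUEST-IN ACL name, and the switch port numbers are assumptions.

```ios
! Router (1921): Gi0/1 becomes an 802.1Q trunk toward the L2 switch
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.16
 description Data (subnet from the posted config)
 encapsulation dot1Q 16
 ip address 10.13.16.1 255.255.255.0
!
interface GigabitEthernet0/1.60
 description Guest (assumed placeholder subnet)
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface GigabitEthernet0/1.80
 description Voice (assumed placeholder subnet)
 encapsulation dot1Q 80
 ip address 10.13.80.1 255.255.255.0
!
! Guest clients get DHCP and DNS, then nothing else in private address space
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.60.0 0.0.0.255 host 10.13.5.35 eq domain
 permit udp 192.168.60.0 0.0.0.255 host 10.13.5.32 eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.60.0 0.0.0.255 any
!
! L2 PoE switch (assumed Catalyst-style IOS; port numbers are placeholders)
vlan 16
 name DATA
vlan 60
 name GUEST
vlan 80
 name VOICE
!
interface GigabitEthernet0/24
 description Trunk to 1921 Gi0/1
 switchport mode trunk
 switchport trunk allowed vlan 16,60,80
!
interface range GigabitEthernet0/1 - 12
 description Phone with a PC behind it
 switchport mode access
 switchport access vlan 16
 switchport voice vlan 80
 spanning-tree portfast
```

Each new subnet also needs a DHCP pool and a `network` statement under `router bgp 65007`, in the same form as the existing entries for 10.13.16.0.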

Thanks for that.

Glad that our responses and suggestions have been helpful. Thank you for marking this question as answered. This will help other participants in the forum to identify discussions which have helpful information.

 

HTH

Rick

What a L3 switch provides is much more capacity for on-site routing, which if almost all your flows need to go out a branch WAN router, does little for you.

As Rick describes, using a router for local routing with a L2 switch is pretty straightforward.

Even for 40 employees, with 80+ hosts, for network capacity you still should be fine with a single VLAN. Generally, on switches, the traditional class C, or /24, isn't too big.

Again, though, if you envision the need to control traffic between groups of users and/or host devices, then different VLANs/networks help to manage that.

Keep in mind, everything in a network has trade-offs. When you create more VLANs/networks, you now have more sloshing around in your L3 topology, which can create their own set of problems.

From what you've described, so far, you would probably want to have your "Guest Access" in a separate VLAN/network, but you likely could, if desired, keep your data and VoIP hosts in the same VLAN/network.