Advice on optimizing simple network structure

scottcummins, Level 1

Good Day, Cisco World

I inherited a small network with multiple VLANs. I have always set the access ports as just an "access" access port, with inter-VLAN traffic passed to a gateway. I have a few questions that I have wanted to clarify:

1. Is it better to just not do anything with the native VLAN, use it, or configure each port as "No Native VLAN"?

2. What is the best way to configure an access port that is connected to an actual server or workstation?

3. When tying my VLAN access switches to a "gateway" switch, is trunking optimal, and how would you configure that trunk port if so?

4. What is the best way to configure Spanning Tree?

5. If I pass all my internal network traffic to a gateway, then all traffic not destined for anything on that internal network to a firewall, what is the optimal configuration for the port that forwards traffic out to the firewall?

The way I have done it has always worked, but I am looking to streamline and at the same time provide the best access possible. Any help or suggestions would be greatly appreciated.


6 Replies

Peter Paluch, Cisco Employee

Hello Scott,

First off, it would be helpful if you posted a topology of your network. Some of your questions depend on what is your topology.

1. Is it better to just not do anything with the native VLAN, use it, or configure each port as "No Native VLAN"?

The general recommended practice is to avoid using the native VLAN altogether. By default, the native VLAN is 1, so the recommendation is to avoid using VLAN1 for anything. For all purposes, create different VLANs (data, voice, management, etc.) and use those. More stringent designs even create a separate native VLAN and avoid using both VLAN 1 and the native VLAN.

I am not sure what you mean by "no native VLAN" - there's no such command.

2. What is the best way to configure an access port that is connected to an actual server, or workstation?

switchport mode access
switchport access vlan N
spanning-tree portfast ! or use spanning-tree portfast default in global configuration level

3. When tying my VLAN access switches to a "gateway" switch, is trunking optimal, and how would you configure that trunk port if so?

I am not sure what you mean by a "gateway" switch. In any case, though, in a network that uses VLANs, you want at least the management VLAN to span all devices, and in addition, you want particular VLANs to be led towards your access switches from the distribution switches. Therefore, except in specific situations, switches should be interconnected using trunks. A typical trunk configuration involves these commands:

switchport trunk encapsulation dot1q ! This command is used only on 3550 and higher switches
switchport mode trunk
switchport nonegotiate

If you want to use a different native VLAN N, all trunk ports should be configured with an additional command

switchport trunk native vlan N

In addition, if you want to strictly limit which VLANs should be carried over a particular trunk, use the following command:

switchport trunk allowed vlan VLAN-LIST

where VLAN-LIST is a list of allowed VLANs in the form 1-5,12,100-105 (this would allow VLANs 1 to 5, 12, and 100 to 105 - you may use ranges and individual values).

4: what is the best way to configure Spanning Tree?

Depending on what your switches support, it is recommended to run either RSTP or MSTP. In a small network with a few VLANs, RSTP is probably the easiest choice. The root bridge should be placed at the distribution layer. Depending on your network and its topology, you may use different root bridges for different VLANs, thereby possibly spreading the network load across different links - but this is where the diagram of your topology would really help.

If using RSTP or MSTP, configuring the access ports as PortFast is a must! Otherwise, these ports may become blocked during a topology change event in the network and become unblocked again only after 30 seconds. Often, this fact is overlooked - to the detriment of the users.

Access ports are sometimes protected by Spanning Tree BPDU Guard, i.e. spanning-tree guard root on an access port interface level, or spanning-tree portfast bpduguard default in the global configuration level. This is an additional protection against looping two access ports or against attaching an additional switch into access ports.

5. If I pass all my internal network traffic to a gateway, then all traffic not destined for anything on that internal network to a firewall, what is the optimal configuration for the port that forwards traffic out to the firewall?

At this point, nothing out of the ordinary - either a trunk port if the firewall is directly connected to multiple VLANs, or an access port if the firewall is already behind the inter-VLAN router.

Feel welcome to ask further!

Best regards,

Peter
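A configuration audit for the recommendations in this answer, added here as an example and not code from the thread: it parses a constructed IOS-style running-config, expands the VLAN-LIST syntax described above, and reports access ports left in VLAN 1 or without PortFast, and trunks that still negotiate, use VLAN 1 as native, or carry VLAN 1. The sample config, interface names and finding strings are all constructed for this example.

```python
# Constructed sample running-config (not from the post), built from the commands Peter lists.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,100-105,999
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 1-5,12
"""

def expand_vlan_list(spec):  # VLAN-LIST syntax from the thread, e.g. 1-5,12,100-105
    parts = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_interfaces(config):  # interface name -> its indented sub-commands
    interfaces, cmds = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cmds = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cmds is not None:
            cmds.append(line.strip())
    return interfaces

def audit(config):
    # Flag ports that deviate from the thread's advice: VLAN 1 unused, PortFast on access
    # ports (assumes no global 'portfast default'), trunks nonegotiate with non-default native.
    findings = []
    for name, cmds in parse_interfaces(config).items():
        arg = lambda prefix: next((c[len(prefix):] for c in cmds if c.startswith(prefix)), None)
        checks = []
        if "switchport mode access" in cmds:
            checks = [(arg("switchport access vlan ") in (None, "1"), "access port in VLAN 1"),
                      ("spanning-tree portfast" not in cmds, "access port without PortFast")]
        elif "switchport mode trunk" in cmds:
            checks = [("switchport nonegotiate" not in cmds, "trunk still negotiates (DTP enabled)"),
                      (arg("switchport trunk native vlan ") in (None, "1"), "trunk uses VLAN 1 as native"),
                      (1 in expand_vlan_list(arg("switchport trunk allowed vlan ") or "1-4094"),
                       "trunk carries VLAN 1")]  # no allowed list means every VLAN is carried
        findings += [(name, msg) for bad, msg in checks if bad]
    return findings
```

Running audit(SAMPLE_CONFIG) reports nothing for FastEthernet0/1 and GigabitEthernet0/1 and lists the deviations on the other two ports.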

Peter

That is AWESOME, thanks so much Peter. I have always had doubts about whether I was missing something or configured something differently that may cause latency and backlog.

Well, the current architecture is a bunch of Dell PowerConnects configured as layer two with 4 different VLANs, just passing traffic through to the next switch.

They all end up at two Dell 6224s, and the entire architecture uses the LAN port on the SonicWall as its gateway. I have some older Cisco devices I am going to place in the architecture as a gateway switch for switching between the VLANs and for forwarding all non-internal traffic, and take the gateway off the firewall.

All I could find right now were a pair of 3524 XLs, which I am hoping to VRRP and configure to do the job. I know they are old, but I need to remedy this ASAP. I was concerned about how to configure the port that would connect directly to the firewall on this because it is an older model.

I have another network which is slightly bigger; I have 1 (one) Catalyst 4948 I am going to use on this additional network. This network is almost identical, with its gateway another SonicWall firewall.

So as you can see, I basically have to reconfigure the whole environment and was looking to do it right the first time. :)

scottcummins, Level 1

Peter

When I use the word "gateway" I am referring to the switch that all my access switches uplink to, so that any inter-VLAN switching is done one level up; then traffic bound for a VLAN on my internal network is passed back down to the switch that VLAN lives on, and any traffic bound for the internet or a co-location is routed out the default route from that "gateway" to the firewall and routed there?

Also, when you say having my management VLAN "spanned" across all network switches, what does that config look like?

Hi Scott,

You are welcome!

When I use the word "gateway" I am referring to the switch that all my access switches uplink to

Okay. We usually call this a distribution layer switch.

When you say having my management VLAN "spanned" across all network Switches, what does that config look like?

A management VLAN is a VLAN on which the switches have their IP address configured for management purposes. The management VLAN does not use any special configuration. From the viewpoint of Cisco switches, a management VLAN must first be created and then an interface VLAN, a so-called Switched Virtual Interface or SVI, must be created for it, assigned an IP address and activated. Plus, the default gateway must be configured on the switches so that they can be managed from a different IP network.

The configuration would be like this (I am adapting the look of the configuration to the fact you have very old Cisco switches - this is the old syntax):

enable
vlan database
vlan 999 name Management
exit
configure terminal
interface Vlan999
ip address 192.168.255.11 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.255.1
end

Here, I assume that the management VLAN is 999 and the router in this VLAN has an IP address of 192.168.255.1. On the trunks, the VLAN 999 must be allowed.

Regarding your old switches, I am not sure if RSTP is available. You will have to test it. VRRP is certainly not available on them. HSRP perhaps is, but Cisco added VRRP support only in the very new IOSes that are not released for your switch types anymore.

Best regards,

Peter

Peter

Again, thanks so much. Yes, I was hoping to use it; I figured they were too old. I can utilize HSRP though. And thanks, I had totally forgotten about management VLANs and all that. That is something I certainly want to implement. Thanks again for all the help.


Hello Scott,

Thank you! Please feel welcome to join us here on Cisco Support Community anytime. Good luck with your network!

Best regards,

Peter