Re: Confused: Connecting 2 buildings with 3560 Switches - Page 2

mconway · ‎12-22-2011

Here goes ... the problem:

I will have 2 physically seperated buildings on the same lot connected via fiber optics at each end are 3560 switches that will do routing. Each building will be on it's own subnet.

Building A is 10.0.0.0/24 VLAN 1 (Which currently has (4) 3560 switches daisy chained together). I would like to move all the devices connected to these switches to a diffrent VLAN. This will be where the majority of the servers will remain.

Building B will be 10.1.0.0/24 VLAN 10.

My plan is to install a Domain Controller on 10.1.0.0/24.

How do I configure the switches to route correctly between themselves and have 10.1.0.0/24 route internet traffic through a PIX on 10.0.0.0/24 ip 10.0.0.1/24. I'm leary of making changes to the existing 10.0.0.0/24 because of it being live.

darren.g · ‎01-08-2012

Michael Conway wrote:

In the past when I have configured an LACP link between a server and a switch I could see the connection speed on the virtual adapter that is created when teaming on the server. How do I check the speed with 2 switches connected via a LACP Trunk?

In darren's example he creates the port-channel with the encapsulation dot1q then also configures each interface with dot1q encapsulation that will be in the port-channel. Is there a reason for this? Seems double redundant? Is this for failover?

The reson for that is simple - in a Cisco encironment, the individual interfaces won't join a port-channel group unless they are all meeting certain criteria - amongst those criteria are a requirement for the ports to be in the same mode as the port-channel interface. Hence, the same mode on the port-channel group and the individual ports.

Think of the individuaal ports as a sub-port of the port channel, if it helps. The configuration which holds on the port-channel interface flows down to the individual ports, something like this (I suck at ASCII art, so I hope this comes out OK)

|------------interface 1

| (inhereted configuration)

|

PO interface--|

|

|------------interface 2

(inhereted configuration)

The difference is that the configuration doesn't automatically "inheret" to the individual ports - you have to manually configure them to match,

Also, all ports in a port-channel have to be the same speed/duplex or they won't join the group either.

As far as checking the speed of the amaglamated interface - you can look at the port-channel interface itself- show interface po1, for example. This will show you the total throughput rate of the port channel across all its members.

Cheers.

mconway · ‎01-10-2012

Makes sense about interfaces needing defining thanks.

Next question about the PIX 506E that we use.

The existing internal network is 10.0.0.0/24 that we use.

What would be the correct NAT statement to use to allow NAT translation of 10.1.0.0/24?

Currently:

access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0 // Believe this is for VPN connection

nat (inside) 0 access-list 101

nat (inside) 1 10.0.0.0 255.255.255.255 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Also are there any open source VPN client software avaible to work this PIX?

darren.g · ‎01-10-2012