07-24-2018 12:28 AM - edited 03-08-2019 03:43 PM
Hi Everyone
I have a question I hope someone can help me with.
I have WS-C2960X-24TD-L stack switches for our customer.
I have configured a new VLAN (VLAN 53) the same way as VLAN 50 and VLAN 51, as requested by the customer, and now they have informed me that one of the servers moved from VLAN 50 to VLAN 53, that they will make new virtual servers in the future (VLAN 53), and that it needs to be allowed access from both of them.
As far as I know, the separate VLANs must communicate through a layer-3 device (router), which is located at the ISP.
If a host on one VLAN wants to communicate with a host on another VLAN, it must perform the routing between them.
So in order to do that, shall I contact the ISP, or do NAT or routing in the firewall?
I have no experience with firewalls, so your help please.
07-24-2018 01:17 AM
Hi there,
Ask your ISP to configure an SVI for the VLAN at the local router. Looking at your topology, this router should advertise the new subnet to other routers via an IGP (OSPF, EIGRP?) to provide access.
Unless you require remote access to the new server VLAN then there will be no need to adjust the firewall configuration.
cheers,
Seb.
07-24-2018 02:16 AM
Hi Seb Rupik
Thanks for your reply.
If I ask the ISP to do the routing, I don't need to configure anything in the firewall? Because VLAN 50 and 51 are configured inside the FW.
07-24-2018 01:23 AM - edited 07-24-2018 01:24 AM
So... You have Vlan 50 / 51 and 53
What are the default gateways on all the devices in these vlans ??
Let's say - they are 192.168.50.1 / 192.168.51.1 and 192.168.53.1
Are these all on different sites ?? Seems that two of the vlans are on the same site.
If they are on the same site and the router is the default gateway for both - they will communicate without an issue.
Ideally you should have different Home Subnets on all the different sites - otherwise it will get confusing.
So let's say it's configured like this...
Site 1 = Vlan 50 - 192.168.50.0/24
Site 2 = Vlan 60 - 192.168.60.0/24
Site 3 - Vlan 70 - 192.168.70.0/24
Site 4 - Vlan 81 - 192.168.80.0/24
Vlan 81 - 192.168.81.1/24
If you have hosts/machines in different sites communicating - you will need to allow inbound communication between the sites - this would typically be done using Site-to-Site VPNs.
To get this working - you need DNS entries locally on each site for the remote machines.
The router then has two routes - one for default (internet) and one for the other site.
This second route points to the Site to Site VPN.
If it's a HQ / Branch situation - which it often is - then you would have - 3 Site to Site VPNs
HQ to Site 1 / HQ to Site 2 and HQ to Site 3 -
I'm presuming your double vlan is the HQ.
Anyway - hope that helps
James
07-24-2018 02:07 AM - edited 07-24-2018 04:39 AM
07-24-2018 01:54 AM
You configure the switchport to trunk and allow both VLANs on that port. The server-side admin has to enable trunking on their own side to tag the VLANs. This is the usual way to host virtualized hosts on one switchport. This way the virtualized server can communicate with the ISP gateway directly.
07-24-2018 02:11 AM
Thanks for your reply.
I already configured them as trunk and allowed the two VLANs in the same port-channels,
but how can the server-side admin enable trunking on their own side to tag the VLANs?
Can you explain that in more detail, please?
07-24-2018 03:12 AM - edited 07-24-2018 03:13 AM
Below you can find the switch configuration; it might be helpful to understand what I mean.
Please inform me if something is missing or needs to be changed. It is the same as the config that I have.
vlan 50
name Groun
!
vlan 51
name GLeem
!
vlan 53
name Glees
!
vlan 52
name Test
!
interface Port-channel1
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel2
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface Port-channel3
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel4
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface Port-channel5
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel6
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface Port-channel7
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel8
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel9
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel10
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel11
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Port-channel12
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/1
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 1 mode on
!
interface GigabitEthernet1/0/2
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
channel-group 2 mode on
!
interface GigabitEthernet1/0/3
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 3 mode on
!
interface GigabitEthernet1/0/4
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
channel-group 4 mode on
!
interface GigabitEthernet1/0/5
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 5 mode on
!
interface GigabitEthernet1/0/6
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
channel-group 6 mode on
!
interface GigabitEthernet1/0/7
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 7 mode on
!
interface GigabitEthernet1/0/8
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 8 mode on
!
interface GigabitEthernet1/0/9
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 9 mode on
!
interface GigabitEthernet1/0/10
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 10 mode on
!
interface GigabitEthernet1/0/11
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 11 mode on
!
interface GigabitEthernet1/0/12
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 12 mode on
!
interface GigabitEthernet1/0/13
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/14
switchport access vlan 53
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/15
switchport access vlan 53
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/50
switchport access vlan 53
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/51
description Support port i VLAN 50
switchport access vlan 53
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/53
!
interface GigabitEthernet1/0/19
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport trunk allowed vlan 1,50-53
switchport mode trunk
shutdown
spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/24
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface GigabitEthernet2/0/1
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 1 mode on
!
interface GigabitEthernet2/0/2
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
channel-group 2 mode on
!
interface GigabitEthernet2/0/3
switchport access vlan 50
switchport mode access
channel-group 3 mode on
!
interface GigabitEthernet2/0/4
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
channel-group 4 mode on
!
interface GigabitEthernet2/0/5
switchport access vlan 50
switchport mode access
channel-group 5 mode on
!
interface GigabitEthernet2/0/6
switchport trunk allowed vlan 1,50-53
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
channel-group 6 mode on
!
interface GigabitEthernet2/0/7
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 7 mode on
!
interface GigabitEthernet2/0/8
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 8 mode on
!
interface GigabitEthernet2/0/9
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 9 mode on
!
interface GigabitEthernet2/0/10
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 10 mode on
!
interface GigabitEthernet2/0/11
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 11 mode on
!
interface GigabitEthernet2/0/12
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 12 mode on
interface GigabitEthernet2/0/13
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/14
switchport access vlan 53
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/15
switchport access vlan 53
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/16
switchport access vlan 53
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface TenGigabitEthernet2/0/1
!
interface TenGigabitEthernet2/0/2
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
!
interface Vlan52
ip address 192.168.52.254 255.255.255.0
!
interface Vlan50
ip address 192.168.50.254 255.255.255.0
!
interface Vlan51
ip address 192.168.51.254 255.255.255.0
!
interface Vlan53
ip address 192.168.53.254 255.255.255.0
!
ip default-gateway 192.168.50.1
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 8.8.8.8 255.255.255.255 192.168.1.1
ip route 192.168.0.0 255.255.0.0 192.168.1.1
ip route 192.168.0.0 255.255.0.0 192.168.50.1
ip route 192.168.0.0 255.255.0.0 192.168.51.1
ip route 192.168.0.0 255.255.0.0 192.168.53.1
ip route 192.169.0.0 255.255.0.0 192.168.1.1
ip route 192.169.0.0 255.255.0.0 192.168.50.1
ip route 192.169.0.0 255.255.0.0 192.168.51.1
ip route 192.169.0.0 255.255.0.0 192.168.53.1
ip route 200.55.120.21 255.255.255.255 192.168.50.1
ip route 400.60.20.22 255.255.255.255 192.168.1.1
ip route 192.168.25.0 255.255.255.0 192.168.1.1
ip route 192.168.25.0 255.255.255.0 192.168.50.1
ip route 192.168.25.0 255.255.255.0 192.168.51.1
ip route 192.168.25.0 255.255.255.0 192.168.53.1
!
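Added example (not part of any post in this thread): a small Python check over an excerpt of the configuration above. It flags static routes whose destination is not a valid IPv4 prefix or whose next hop is not on any SVI subnet in the excerpt, and EtherChannel members whose per-port settings differ, such as a member without `spanning-tree bpduguard enable`. The function name `audit` and the wording of the findings are assumptions made for this illustration.

```python
import ipaddress
import re

# Excerpt of the configuration posted above, hyphens restored.
CONFIG = """\
interface GigabitEthernet1/0/3
switchport access vlan 50
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 3 mode on
!
interface GigabitEthernet2/0/3
switchport access vlan 50
switchport mode access
channel-group 3 mode on
!
interface Vlan50
ip address 192.168.50.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.25.0 255.255.255.0 192.168.50.1
ip route 400.60.20.22 255.255.255.255 192.168.1.1
"""

def audit(config):
    findings, svis, routes, groups, bodies, iface = [], [], [], {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)|!$", line):
            iface = m.group(1)  # None on the "!" stanza separator
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            svis.append(ipaddress.ip_interface("/".join(m.groups())).network)
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append(m.groups())
        elif m := re.match(r"channel-group (\d+)", line):
            groups.setdefault(m.group(1), []).append(iface)
        elif iface:
            bodies.setdefault(iface, set()).add(line)
    for dst, mask, hop in routes:
        try:
            ipaddress.ip_network(f"{dst}/{mask}")  # raises on a bad prefix
            if not any(ipaddress.ip_address(hop) in net for net in svis):
                findings.append(f"route {dst}: next hop {hop} not on an SVI subnet")
        except ValueError:
            findings.append(f"route {dst}: invalid address")
    # Every member of one channel-group should carry identical port settings.
    for gid, members in groups.items():
        if len({frozenset(bodies.get(i, ())) for i in members}) > 1:
            findings.append(f"Port-channel{gid}: member settings differ")
    return findings
```

Calling `audit(CONFIG)` returns three findings for this excerpt; run against the full configuration, the same checks cover every `channel-group` pair and every `ip route` line.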