05-02-2024 12:24 PM
So this is a topic that's been mentioned time and time again I'm sure, but I wanted to get a bit more specific to my situation. We're replacing our core switch with a C9300 (we currently have a 3750). We have a pretty simple network. At any desk with a Cisco phone, the computer plugs into the phone and the phone plugs into the switch. We have VLAN 100 for voice, with the DHCP range set up on the core switch and one of our DHCP servers. Everything else (Wi-Fi, management, access points, literally anything that isn't a phone) uses VLAN 1. We'll have to schedule some downtime and just do a cold swap, as there's really no room in the rack. So my first main objective:
1. Get off of VLAN 1. Configure VLAN 10, along with any other VLANs, on the new switch with the current switch's SVI. We don't use VTP or anything like that, so I'll need to create VLAN 10 and any other VLANs on every other switch. So I'd start with the access switches and work my way back to the core (which will already be configured). I'd still allow VLAN 1 along with VLAN 10 and VLAN 100 on the trunk ports and change the native trunk VLAN to VLAN 10.
My other objective would be to have our APs use VLAN 3, since per the documentation all APs use the 172.31.3.x network, but again our overall network is 172.31.0.0/16. I assume I'd need to set up a subnet like 172.31.3.1/24 for VLAN 3 on the core switch, like how the voice VLAN is set up. Though I'll probably need to check all the switches to see which ports have APs connected so I can put them in the right VLAN.
Lastly, I'd like our servers to be in a different VLAN as well, like VLAN 20.
We're a pretty simple setup. As far as routing goes, we literally just have a default static route back to our edge firewall. The rest of the routes on it are just local/connected routes for our network and the voice VLAN network.
I'm just wanting to get a good idea of the actual scope of things that need to be done because the way I see it is:
VLANS:
10 - Regular data traffic from computers and printers
20 - Servers
3 - Access points
1. Configure new core switch with VLANs 3,10,20,100. Make sure those vlans along with vlan 1 are allowed over the trunk and set native vlan for trunk as vlan 10.
2. Configure those same vlans on the other switches as well.
3. Once the new core is up and running and all the switches have the appropriate VLANs set up, start moving the appropriate ports over: computer and printer ports to the new VLAN 10, and access point ports to VLAN 3.
I'm sure there are more steps and other things I must do, so I apologize if I'm not fully understanding, but at the very least I'd like us to get off VLAN 1 and improve our traffic segmentation.
05-03-2024 01:38 AM - edited 05-03-2024 09:29 PM
@jsherman31DollarTreeCompass wrote: (quoting the original post above in full)
Hello, @jsherman31
I saw your post and have some information for you; please see below.
Your plan to migrate from VLAN 1 to more segmented VLANs is a good strategy for improving network organization and security. Here's a step-by-step approach to achieve your objectives:
Here's a concise plan for your network upgrade:
1. Configure VLANs: Set up VLANs 3, 10, 20, and 100 on the new C9300 core switch and all access switches.
2. Adjust Trunks: Allow VLANs 1, 3, 10, 20, and 100 on trunk ports, with VLAN 10 as the native VLAN.
3. Assign Ports: Move computer and printer ports to VLAN 10, AP ports to VLAN 3, and server ports to VLAN 20.
4. Test: Ensure all devices communicate correctly within their VLANs and inter-VLAN routing functions as needed.
5. Monitor: Keep an eye on the network post-migration for any issues.
Remember to back up configurations and have a rollback plan ready. Conduct these changes during a scheduled downtime to minimize impact.
I hope my suggestion is helpful for you.
05-03-2024 06:33 AM
@angela683huey Thank you for your suggestion. I would imagine I'd need to set up IP addresses for the SVIs for VLANs 10, 20 and 3 on the core switch, such as:
VLAN 20: 172.31.20.1/24
VLAN 3: 172.31.3.1/24 <- Our access points are all configured with a 172.31.3.x IP address; there's just no VLAN segmentation.
VLAN 20: 172.31.20.1/24 <- This is the one that I'm most curious about, as it seems I'd have to manually re-assign IP addresses to each of our physical and virtual servers.
VLAN 10: will just use the IP address of the core switch with a 255.255.0.0 subnet mask.
05-05-2024 04:36 AM
Make sure you subnet correctly, from the /16 network down to smaller subnets, as per the requirement.
Also, if you have any SVI created with /16, that needs to change as per the subnet for the VLAN.
Yes, once that is done, your Layer 3 gateway on the core or access layer depends on where you are looking to place the gateway.
VLAN 20 and VLAN 3 and so on.
If you are looking to use VLAN 10 as 172.31.0.0/16, that will overlap with the other VLANs 3 and 20 you are looking to create.
If VLAN 10 needs a /16, then for VLANs 3 and 20 you need to use different RFC 1918 addresses for the requirement.
Note: if the subnet mask changes on the subnet, your end hosts need to change their subnet mask too.
Look at some of the guidelines for campus LAN.
05-07-2024 06:08 AM
@balaji.bandi So I'm not sure why it was set up this way, but VLAN 1 seems to use just the default /16 subnet, so if I try to make any other VLAN and give it an SVI, as you said, I'll get an error that it overlaps. It seems I would need to reconfigure the whole IP addressing scheme of our network? Right now, apart from VLAN 100 for our phones, we're using VLAN 1 with a /16, which encapsulates our whole network. There seem to be signs of segmentation: printers are using .11, APs are using .3, items on the floor are using .4, and these are using /24. That's what it shows on paper, and I do see devices configured with those IP addresses, but they're using the /16 subnet mask.
05-07-2024 11:38 PM
You need to take a bite here: one of the services has to move to a new IP address schema.
There are plenty of RFC 1918 addresses, so build new VLANs with a new IP address schema and slowly migrate one service at a time (it is time consuming, but it will give you more time to move).
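Added example (not part of the thread, and not anyone's posted configuration): a small Python check of the addressing plan discussed above. It models VLAN 10 keeping the existing 172.31.0.0/16 alongside the proposed 172.31.3.1/24 and 172.31.20.1/24 SVIs, reports which SVI subnets overlap (the overlap error the core would raise), flags hosts that carry a .3.x address but still have the /16 mask, and renders the IOS-style SVI and trunk lines for review before the cutover window. The .1 gateway addresses, the core's 172.31.0.1 address, the 172.31.10.0/24 replacement for VLAN 10 and the sample host address are assumptions made for this example.

```python
"""Sanity-check a VLAN/SVI addressing plan before a core-switch cutover.

Added example, not configuration from the thread.  Gateway addresses, the
core's own address and the VLAN 10 replacement subnet are assumptions.
"""
from ipaddress import IPv4Interface

# Plan as first proposed in the thread: VLAN 10 keeps the core's /16.
PROPOSED_SVIS = {
    10: IPv4Interface("172.31.0.1/16"),   # data; core address is assumed
    3: IPv4Interface("172.31.3.1/24"),    # access points
    20: IPv4Interface("172.31.20.1/24"),  # servers
}

# Revised plan: VLAN 10 moves to its own /24 (assumed) so nothing overlaps.
REVISED_SVIS = {
    10: IPv4Interface("172.31.10.1/24"),
    3: IPv4Interface("172.31.3.1/24"),
    20: IPv4Interface("172.31.20.1/24"),
}


def find_overlaps(svis):
    """Return sorted (vlan_a, vlan_b) pairs whose SVI subnets overlap.

    IOS refuses a second SVI whose network overlaps an existing one, so any
    pair returned here would block the migration until it is re-addressed.
    """
    vlans = sorted(svis)
    return [
        (a, b)
        for i, a in enumerate(vlans)
        for b in vlans[i + 1:]
        if svis[a].network.overlaps(svis[b].network)
    ]


def host_mask_mismatch(host_cidr, svi):
    """True if a host's configured prefix puts it on a different subnet
    than its gateway SVI.

    This is the situation described in the thread: devices carry 172.31.3.x
    addresses but still use a 255.255.0.0 mask, so they are not on the /24.
    """
    return IPv4Interface(host_cidr).network != svi.network


def render_svi_config(svis):
    """Return IOS-style SVI configuration lines for the given plan."""
    lines = []
    for vlan in sorted(svis):
        iface = svis[vlan]
        lines += [
            f"interface Vlan{vlan}",
            f" ip address {iface.ip} {iface.netmask}",
            " no shutdown",
        ]
    return lines


def render_trunk_config(allowed_vlans, native_vlan):
    """Return IOS-style trunk-port lines: allowed list and native VLAN."""
    allowed = ",".join(str(v) for v in sorted(allowed_vlans))
    return [
        " switchport mode trunk",
        f" switchport trunk native vlan {native_vlan}",
        f" switchport trunk allowed vlan {allowed}",
    ]


if __name__ == "__main__":
    print("Overlaps in proposed plan:", find_overlaps(PROPOSED_SVIS))
    print("Overlaps in revised plan: ", find_overlaps(REVISED_SVIS))
    # Constructed host: an AP with a .3.x address but the old /16 mask.
    print("AP on /16 mismatched with VLAN 3 SVI:",
          host_mask_mismatch("172.31.3.50/16", REVISED_SVIS[3]))
    print("\n".join(render_svi_config(REVISED_SVIS)))
    print("\n".join(render_trunk_config([1, 3, 10, 20, 100], native_vlan=10)))
```

Run it as-is to see the proposed plan fail on the (3, 10) and (10, 20) pairs and the revised plan pass; swap in your own SVI addresses and host CIDRs to check a plan before touching the switches. The host check is useful when auditing the printers, APs and floor devices mentioned above, since a device with the right address but the old /16 mask will ARP for its gateway rather than route to it once the /24 SVI exists.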
05-05-2024 05:08 AM
Can you draw your suggested design?
MHM