Is this doable - VLAN and routing

jon.dufour
Level 1

I'm building a Hyper-V Cluster and normally have a networking specialist available but this time I have to do the switch part. It's been a long time since I did networking.

Switch is a Catalyst 3560V2

I need to create a VLAN for the SAN but still be able to access the SAN for management from the client LAN and use an ACL to block out all other traffic other than my workstation. The SAN needs to be able to send email alerts through the internet gateway.

Client LAN is 10.10.40.0/23

This is the client / server subnet and connects to other switches on the same subnet and internet gateway of 10.10.40.1

VLAN 10  10.10.10.0/24   This is the SAN.

I'm planning on a gateway of 10.10.10.1 for this VLAN.

All servers and SAN are on this switch. The servers have multiple NICS and are multi-homed.

I'm thinking ports 1 - 24 are for servers and then ports 25 - 32 are the VLAN 10 for the SAN.


My big question is, can I do this with this single switch? Is there something else required for this to work that I'm not currently aware of?

Thanks!

Accepted Solution

Reza Sharifi
Hall of Fame

Yes, you can and it should work just fine. The only thing that you may have to do on the switch is to turn on "ip routing", since you will have multiple vlans with multiple SVIs on it, if it is not already enabled.

Use this command to find out if it is already enabled:

Switch#sh run | inc ip routing
ip routing
Switch#

If you don't see this command, then:

config t
ip routing

HTH

That does help, thank you! I'm expecting that's off; the switch is new and essentially out of the box. I have to do the full config with it.

Yes, out of the box, the 3560 series switches do not have IP routing enabled. You would need to turn it on when you have multiple vlans on it.

Good Luck

jon.dufour
Level 1

I re-read my post and don't feel I was perfectly clear about the internet gateway. There is already a firewall in place, and that is of course the internet gateway. There are already other client switches, and those will connect to this new switch. Does that change anything?

I'm curious about how the traffic from a client PC on 10.10.40.0, whose gateway is 10.10.40.1, gets routed to VLAN 10 if that client PC is not connected to the layer-3 switch but to one of the other switches?

Ok, so if there are other switches in your network, I am assuming they are just layer-2 with vlan(s), they all connect to this new switch, and the SVIs (layer-3/default gateways) are located on this new switch. Now, since this new switch will be layer-3, I am assuming it will connect to the firewall using a layer-3 link. Finally, the firewall connects the network to the outside world. Is this what the network is going to look like:

client switch----------layer-2----------3560-------layer-3 link-----------firewall-----------Internet

If you don't think the above is correct can you attach a diagram?

I threw this together in Visio.

https://dl.dropbox.com/u/585949/Network%20Drawing.jpg

I had to put it on my public dropbox, the image uploaded isn't working at the moment.

You're correct, the other switches are layer-2 using the default vlan, nothing special about them at all. After what you wrote it seems to me that the layer-3 switch should be the one that connects to the firewall. It makes logical sense.

Ok, it seems to me that the firewall is acting as a router today and all the other devices in the network are just layer-2. If you want to keep the same design, then you need to add this new switch also as a layer-2 device and only the firewall does the layer-3. But in order for that to work you have to add the SAN vlan (vlan 10) to all your switches, including the one that is connected to the firewall, so vlan 10 can communicate with the server/workstation vlan.

The next step is firewall configuration changes:

If you look at the firewall interface that connects to the switch, you probably only have one vlan with the gateway 10.10.40.1, and that is probably an access port on the switch and the firewall. Now that you have a second vlan, you need to make the connection between the switch and the firewall a trunk so it can carry both vlans. Finally, you need to add 2 sub-interfaces to the firewall (one for vlan 10 and one for the server/workstation vlan).

Are you comfortable with making all these changes, and do you have access to all these devices?

HTH

The firewall is managed by a 3rd party. I can request changes to be made to it, but of course having to do so makes it more difficult to get something done. If it's at all possible I would prefer to avoid that.

Does it change anything if I move the connection to the firewall to the 3560? Like so?

https://dl.dropbox.com/u/585949/NetworkDrawing2.jpg

Or I could also connect my workstation to the 3560 while keeping it on the default 10.10.40.0 vlan?

Does it change anything if I move the connection to the firewall to the 3560? Like so?

Yes, it does make it a little easier, as you don't have to create vlan 10 on the other switches. I actually like that better. It makes more sense.

As for the firewall config changes, as long as you are using more than one vlan/subnet, you have to make the changes I mentioned before on the firewall. The other solution may be that you add the NAS devices to the existing vlan/subnet (10.10.40.0/23) so you just have one vlan.

If you decide to go with the 2 vlan design, you need an after-hours outage to do all the changes, because there will be downtime for your users.

The other thing you have to make sure of is that the firewall supports sub-interfaces.

HTH
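The following is an added example, not configuration from either poster or from Cisco: one way to lay out the 3560 for the design in this thread (ip routing on, VLAN 10 with SVI 10.10.10.1, SAN on ports 25-32, a router ACL that lets only the admin workstation reach the SAN while still allowing replies to the SAN's own outbound sessions such as SMTP alerts). Assumed values, which are not in the thread: the client VLAN is numbered 40, the switch's own address in the client LAN is 10.10.40.2, the admin workstation is 10.10.40.50, port 48 is the link to the firewall, and the ports are FastEthernet as on a 3560V2-48.

```cisco
! Assumed: VLAN 40 = client LAN, 10.10.40.2 = this switch's SVI in the
! client LAN, 10.10.40.50 = admin workstation, Fa0/48 = firewall link.
ip routing
!
vlan 10
 name SAN
vlan 40
 name CLIENT
!
! Servers (ports 1-24) and the firewall link stay in the client VLAN
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 40
interface FastEthernet0/48
 switchport mode access
 switchport access vlan 40
!
! SAN ports (25-32)
interface range FastEthernet0/25 - 32
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Only the admin workstation may open connections to the SAN. Replies to
! sessions the SAN starts itself (SMTP alerts, DNS lookups) are still let
! back in; everything else headed for 10.10.10.0/24 is dropped.
ip access-list extended TO-SAN
 permit ip host 10.10.40.50 10.10.10.0 0.0.0.255
 permit tcp any 10.10.10.0 0.0.0.255 established
 permit udp any eq domain 10.10.10.0 0.0.0.255
 deny ip any 10.10.10.0 0.0.0.255
!
interface Vlan40
 ip address 10.10.40.2 255.255.254.0
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group TO-SAN out
!
! Anything the switch has no route for (the Internet) goes to the firewall
ip route 0.0.0.0 0.0.0.0 10.10.40.1
```

With this layout the firewall keeps a single access-port connection in the client LAN and only needs a static route for 10.10.10.0/24 pointing at 10.10.40.2; clients that use 10.10.40.1 as their gateway will have their SAN-bound packets forwarded by the firewall to the switch (and ICMP-redirected) because the switch, not the firewall, owns VLAN 10.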

Ok, what I'm understanding is the firewall needs the route back to vlan 10. So if I ping 10.10.10.5, that goes out to the firewall, and the firewall sends it back to the 3560, which routes it into that vlan?

This is new to me, but it's bending my mind a little bit because I keep thinking of the layer-3 switch as being able to see that traffic and route it itself to that vlan without letting it pass to the firewall.