Re: Multiple vlan access to port connecting phone system

mvaldez83 · ‎10-26-2012

Hi guys,

I'm new to networking and was looking for some assistance. First off im using packet tracer to diagram my senario as I will be receiving my equipment next week to deploy.

Hardware to be used:

1. 2 catalyst 3560 switches

2. all connect to a sonic wall router

I have two companies that work in the same office space. I need to keep these companies seperate on their own vlan. They will however need to share the phone system.

(Packet tracer file uploaded to give those who have the time to see what I put together.)

Here is my current test senario

on switch 0 i have:

company A on vlan 2 computers 172.16.1.100 and 101 255.255.0.0 FA0/10 FA0/11

company B on vlan 3 computers 172.16.2.102, 255.255.0.0 FA0/12

pbx on a trunk port 172.16.0.5, 255.255.0.0 FA0/5

trunk port on FA0/1 to connect the switches

on switch 1 i have:

company A on vlan 2 computers 172.16.1.102, 255.255.0.0

company B on vlan 3 computers 172.16.2.100 and 101, 255.255.0.0

trunk port on FA0/1 to connect the switches

now I can ping the respective computers on the same vlan but cant ping company A to B which is what I want. However neither company can talk (ping) the pbx.

Here are the commands I used to configure what I have.

switch 0

en

conf t

vlan 2

name A

vlan 3

name B

int fa0/10

switchport mode access

switchport access vlan 2

int fa0/11

switchport mode access

switchport access vlan 2

int fa0/12

switchport mode access

switchport access vlan 3

int fa0/5

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 1-3

int fa0/1 (to connect the switches)

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 1-3

Switch 1

en

conf t

vlan 2

name A

vlan 3

name B

int fa0/10

switchport mode access

switchport access vlan 3

int fa0/11

switchport mode access

switchport access vlan 3

int fa0/12

switchport mode access

switchport access vlan 2

int fa0/1 (to connect the switches)

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 1-3

Thanks in advance, trying to figure out how all this networking stuff works.

pjmonline · ‎10-26-2012

Looks like you need to enable IP routing

Config t
ip routing
exit
wr

You will then have to implement acl to stop vlan2 and vlan3 from talking to each other.

Sent from Cisco Technical Support iPhone App

Stuart Gall · ‎10-27-2012

Or if they are not L3 switches you could trunk both VLANS into the sonic wall and route in that.

If they are l3 switches apart from enabling routing you must assign an ip to each vlan on one of the switches.

Sent from Cisco Technical Support iPad App

mvaldez83 · ‎11-05-2012

Stuart,

If i did this say. I had switch one trunk and connect to the sonic wall and then on the 2nd switch trunked a port and connected it to another port on the sonic wall and on the sonic wall created dhcp to hand out IPS on the network range i specified ex 172.16.2.1 -254 for vlan 2 and 172.16.3.1-254 for vlan 3. what would i need to do on the switches to prevent them from talking? assigning ACL's right? would this be a standard acl an extended acl? would these need to be applied on both switches?

Stuart Gall · ‎11-05-2012

You do not have to do anything on the switches. VLANS are completely separate. No routing occurs.
Unless you enable ip routing on a L3 switch. But why do that only to block it again with an acl.

Probably the sonic wall is doing the routing.

Sent from Cisco Technical Support iPad App

mvaldez83 · ‎11-05-2012

Sturart,

Sorry I guess I am getting confused here. So I have two seperate switches and I have created their vlan's and made the ports i needed members of the configured vlan. so say switch one i made all ports a member of vlan 2 with the exception of my trunking ports and switch two all ports are a member of vlan 3 again besides the trunking ports. each switch independantly connects to seperate ports on the sonicwall. Where again is the blocking of vlan 2 and 3 from being able to talk to one another occuring?

mvaldez83 · ‎11-05-2012

Remember I need to have these seperated companys not talk to eachother on the network but I need them to talk to the shared phone system.

Stuart Gall · ‎11-06-2012

Ok can you answer a few questions
1) is there a trunk link between the switches ?
2) is ip routing enabled on either switch "ip routing" global configuration command?
3) are you connecting to the sonic wall with a trunk or an access port?

Sent from Cisco Technical Support iPad App

mvaldez83 · ‎11-06-2012

1.) yes

2.) when i checked the config, it was not. For some reason my settings were not saved. I was then told my IOS IP base did not support it on another forum. Paul in this thread however said it was a feature in IP base. I cant really test this until after hours when people leave.

3.) I am connecting to the sonicwall with a trunk. Should this be an access port?

Stuart Gall · ‎11-06-2012

It does not matter if you use a trunk or access. But if you use a trunk you have to configure the appropriate interfaces with tags on the sonic wall.

The way you describe the configuration only the sonic wall can or could be routing between the VLANS.

You should avoid enabling ip routing on the switches it will probably cause more issues.

Sent from Cisco Technical Support iPad App

mvaldez83 · ‎11-05-2012

Paul I was told since im running IP base image and not IP sservices image that I cannot do this is that correct?

pjmonline · ‎11-05-2012

IP routing is available in IP base. I have this working on several switches in the environment.

Sent from Cisco Technical Support iPhone App

pjmonline · ‎11-06-2012

The sonicwall should be able to do what you need with out vlans. Port 1 can talk to port 3 but not port 2. Port 3 is the phone system network. And port 2 talk to port 3 and not to port 1.

Sent from Cisco Technical Support iPhone App

mvaldez83 · ‎11-06-2012

Thanks for your reply Paul. I'll deffenately look into this option.