
Trying to segment network for the first time: VLAN or PVLAN?

mistrybhavesh
Level 1

Hello guys,

I have network design question here on my network.

My network has grown bigger in recent years and I am now thinking of segmenting it department-wise, i.e. HR, Sales, Accounting, IT, Servers, Printers etc.

No computers from one department should be able to access another department's computers, except for the servers VLAN and printer VLANs. The IT VLAN should be able to access all VLANs, but no VLAN should be able to access PCs in the IT VLAN.

We have one DHCP server on a Win08 server and it should be able to give leases to all the PCs in the company. We have two DNS servers and DCs at the same site and they should be able to talk to all the PCs in the company (LDAP and DNS traffic).

Looking at this, what should be my best option? Is it VLANs? Or PVLAN?

A couple of questions I have here are:

I am more confused about how this PVLAN information will get replicated to the other switches on my network. I have about 8 switches scattered at different locations in the same building.

If you look at the attached picture I have two switches; SW1 is a layer 3 switch.

I want all the segments in the picture to be able to talk to the servers and printers segment. I want the Eng segment, which is scattered on both switches, to be able to talk to members in it. I also want to create a separate segment for wireless networking, so that visitors accessing this segment do not interfere with the other members on the network, and possibly to restrict virus spread from visitors' laptops. All the members should be able to go to the internet through the router.

I know this is a kind of common config for SMBs; there will be many of you who have done it, and I am looking for your tips.

Please help,

Thanks a lot

18 Replies

Collin Clark
VIP Alumni

PVLANs are not shared between switches, so you would have to create the policy on each switch. With only two switches that is not that big of a deal. I like PVLANs and they have their place. I like that you're being security minded, but PVLANs may be overkill here. My personal suggestion is to create a VLAN for each BU and use an ACL to control traffic. Troubleshooting and administration will be easier.

Thanks Collin for the reply.

OK, so if I choose a VLAN for each BU I have a couple of questions.

Looking at the picture I originally attached, and if I use Cisco switches, how should I do the following:

1. Allow all the departments to access the servers and printer VLANs.

2. Allow the IT VLAN to access all VLANs, but other VLANs should not access PCs on the IT VLAN.

3. How to allow PCs in the ENG department to communicate with each other, considering that they are on separate switches?

4. How can I create one separate VLAN for wireless access? This VLAN should only access the internet and the printers VLAN.

5. How will the DHCP server lease IP addresses to all the PCs on each VLAN?

6. Should Active Directory traffic be OK across all VLANs (LDAP and DNS)?

I am doing this for the first time so I have many questions here; please bear with me.

Ask as many questions as you like, that's how we all learn.

I created a quick doc (forgive the errors) so you may want to review it for reference.

1. Allow all the departments to access the servers and printer VLANs.

Use an ACL, see the example. You simply permit the protocols you want allowed in & out and block the rest.

2. Allow the IT VLAN to access all VLANs, but other VLANs should not access PCs on the IT VLAN.

Use an ACL, see the example. You simply permit the protocols you want allowed in & out and block the rest.

3. How to allow PCs in the ENG department to communicate with each other, considering that they are on separate switches?

You can share VLANs between switches. You would configure a trunk between the two switches. This trunk carries all the VLANs between the switches so they communicate like they are on one switch.

4. How can I create one separate VLAN for wireless access? This VLAN should only access the internet and the printers VLAN.

Just create another VLAN and apply the ACL.

5. How will the DHCP server lease IP addresses to all the PCs on each VLAN?

Use an ACL, see the example. You simply permit the protocols you want allowed in & out and block the rest.

6. Should Active Directory traffic be OK across all VLANs (LDAP and DNS)?

Yes. MS can be a pain though because a bunch of their protocols use dynamic ports. You can permit all ports between 2 servers easily while restricting or blocking others.

Please keep asking questions!

The following example just shows the ACL for the IT Dept. Each VLAN would have something similar applied to the VLAN interface.

Great help Collin,

Now, as expected, I have a few more questions.

So first I set up VLANs and give an IP address to each VLAN for the respective BUs, and configure routing at the VLAN level and at the global level with the IP ROUTING command; this should enable routing across all VLANs, right?

Your suggestion, I guess, was to enable routing between all VLANs and then restrict traffic using ACLs? Am I right?

If that is the case, can you shed some light on how to use and configure ACLs? I mean, where to apply them on VLANs: is it at the VLAN level or the global level? I have just learned about configuring VLANs but am still naive with ACLs. Do you have any training video or article on ACLs, or an explanation?

The second thing I am trying to do is set up a wireless VLAN; how can I achieve this?

So far my understanding is to just create one VLAN with only one port from the switch, connect this port to the wireless device (Cisco access point), and then allow access to only the printer VLAN and access to the default gateway to reach the internet. Is this a correct way to do it?

Collin, do you have any material on how to set up a wireless network using Cisco access points? This project may come up soon with my company and I want to be prepared. Basically our facility is a large multi-floor building; if I set up wireless access across the floors, how should I proceed?

As far as routing is concerned, you will need the layer 3 services IOS to route. If you post a "show version" I can tell if you have it or not. But here is the good part: because all your VLANs are on the same switch, you don't need to route. The switch has a local routing table (even if routing is not enabled) and since all the VLANs are directly connected, the switch knows where each subnet is.

Your suggestion, I guess, was to enable routing between all VLANs and then restrict traffic using ACLs? Am I right?

Yes, you are correct. That's a great way to learn. Create a VLAN, assign the VLAN an IP address (which will become the default gateway of your client). Then put a PC on the VLAN with an IP the same as the VLAN default gateway. You should be able to hit your servers. Then start playing with ACLs on that test VLAN interface. The only thing you will break is the test VLAN. ACLs are applied to interfaces, typically at the layer 3 boundary. You can apply them in the inbound or outbound direction. Make sure you name them so you can easily identify them. Something like ENG_INBOUND and ENG_OUTBOUND.

So far my understanding is to just create one VLAN with only one port from the switch, connect this port to the wireless device (Cisco access point), and then allow access to only the printer VLAN and access to the default gateway to reach the internet. Is this a correct way to do it?

With wireless, you'll be doing the same thing. Create a VLAN, give it an IP, and create ACLs and apply them to interfaces. If you have more than one access point, then each port that an access point is plugged into would need to be put into the wireless VLAN.

What kind of AP do you have? Do you have a controller, or does each access point run all by itself? I can help you with the wireless too, but let's worry about that after this, OK?

There are two really good books on ACLs; my favorite is the first one. You can probably get it cheap at any used bookstore or the library.

http://www.amazon.com/Cisco-Access-Lists-Field-Guide/dp/0072123354/ref=sr_1_1?ie=UTF8&qid=1312829431&sr=8-1

http://www.amazon.com/Cisco-Access-Lists-Jeff-Sedayao/dp/1565923855/ref=sr_1_3?ie=UTF8&qid=1312829431&sr=8-3

Collin, I am planning to get layer 3 switches. Right now we have all layer 2 switches, but we are going to perform a network upgrade soon and also segment traffic. We will also be doing VoIP, so considering that, what model do you suggest? Altogether we have about a 300-node requirement.

You said "because all your VLAN's are on the same switch, you don't need to route", but we have 8 switches right now.

You said "The switch has a local routing table (even if routing is not enabled) and since all the VLANs are directly connected, the switch knows where each subnet is". Does that mean that on a layer 3 switch there is no need to do any routing at the interface and global level, as it comes with it? So if I set up VLANs on switch 1, is it possible to replicate the changes on all 8 switches?

Right now the only wireless devices I have are two Linksys wireless routers, connected on two different floors to different switches, with access to the whole network. I would love to prepare myself for the wireless network setup, both design and configuration, if you guide me. If I have a two-floor building about 1000 meters wide, how can I start designing wireless? Should I put one access point connected from a separate VLAN port and then the next access point from the same VLAN at some distance away, so I get full coverage of the whole floor, and then do the same thing on the next floor, connecting the access points from the same VLAN ports?

Thanks for the book links.

I hope I can explain this well. You have two options; the first is that all 8 switches are connected at layer 2 with trunking. Only one switch would need layer 3 services to host the VLAN IPs. Your other option, since you will have the IOS to do it, is to ROUTE between your switches. If that is the case, the VLANs cannot be shared across the switches like in the layer 2 design. Each has its advantages and disadvantages. Either one will work in your situation; it's a matter of which way you prefer. VoIP & wireless will both work just fine in either model. Creating the ACLs on the VLAN interfaces will be much easier on the layer 2 model and that is the way I would suggest you go.

You said "The switch has a local routing table (even if routing is not enabled) and since all the VLANs are directly connected, the switch knows where each subnet is". Does that mean that on a layer 3 switch there is no need to do any routing at the interface and global level, as it comes with it? So if I set up VLANs on switch 1, is it possible to replicate the changes on all 8 switches?

Correct, you do not need to enable routing on the one layer 3 switch that has all the VLANs' IPs. On the other 8 switches you only have layer 2 VLANs, no layer 3 interfaces. You can run VTP, which shares the VLANs automagically across all the other switches.

I think I understand your confusion about routing so I'll see if I can explain it. With the design we are talking about, 1 switch, we'll call it CORE1, hosts all the VLAN layer 3 interfaces. All the other switches only have layer 2 VLAN information. Those VLANs are then shared across all switches. Now let's assume that you introduce a new switch into the network, CORE2. You move some of the layer 3 VLAN interfaces from CORE1 to CORE2. Now you need a routing protocol because not all the layer 3 interfaces are directly connected. Routing is used when a layer 3 device needs to learn about other remote networks. In your case there are no other networks, they are all on one switch. Does that make sense?

Here's a further explanation on VLANs across multiple switches. To keep it simple let's say we have two switches, ACCESS1 and ACCESS3. ACCESS1 contains all our layer 3 VLAN interfaces. It also has all the layer 2 VLAN information (it has to). We have 3 VLANs on each switch; ENG (vlan 10), SERVER (vlan 11), WIRELESS (vlan 12). Both switches must have the same VLAN number, but the names can be different (functionally the names don't matter, but keep them the same for troubleshooting purposes). So we have vlan 10, 11, and 12 on both switches. We now need to connect the two switches. We plug a cable in between them and configure each port respectively to be trunk ports. Trunk ports can carry multiple VLANs across by using a special tag. So we have the trunk set up and all the layer 2 VLANs configured. Next we create the layer 3 interfaces for VLAN 10, 11, & 12 on ACCESS1. ACCESS3 has no and needs no layer 3 information on it. We now plug in a user in ACCESS3 and configure their port to be in the ENG VLAN. When they want to send data to a server, the layer 2 path goes like this: the traffic enters the ACCESS3 switchport, gets tagged with VLAN 10, then goes across the trunk to the ACCESS1 switch. ACCESS1 says, "Do I know where the server VLAN is? Yes I do, it's directly connected to me and it's VLAN 11, I'll send the traffic to the port the server is on and in VLAN 11."
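The two-switch layout just described, written out as an added IOS example (not from the thread and not Collin's own config): ACCESS3 carries the VLANs at layer 2 and trunks them to ACCESS1, which holds the SVIs. The VLANs are defined by hand on both switches (vtp mode transparent) rather than with VTP, because a VTP server with a higher revision number overwrites the VLAN database of every switch in the domain; the port numbers, the unused native VLAN 999, the server subnet and the DHCP address are assumptions.

```cisco
! ===== ACCESS3: layer 2 only, no SVIs =====
vtp mode transparent
vlan 10
 name ENG
vlan 11
 name SERVER
vlan 12
 name WIRELESS
vlan 999
 name UNUSED_NATIVE
interface FastEthernet0/1
 description ENG user (port number assumed)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
! nonegotiate plus an unused native VLAN: no DTP and no untagged traffic on the trunk
! the encapsulation line is rejected on 802.1Q-only platforms such as the 2960; drop it there
interface GigabitEthernet0/1
 description Trunk to ACCESS1 (port number assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-12
!
! ===== ACCESS1: the same layer 2 VLANs plus the layer 3 interfaces =====
vtp mode transparent
vlan 10
 name ENG
vlan 11
 name SERVER
vlan 12
 name WIRELESS
vlan 999
 name UNUSED_NATIVE
interface GigabitEthernet0/1
 description Trunk to ACCESS3 (port number assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-12
!
! Catalyst switches forward between their own SVIs only while ip routing is on
ip routing
interface Vlan10
 description ENG
 ip address 10.11.0.254 255.255.255.0
 ip helper-address [your DHCP server]
interface Vlan11
 description SERVER (subnet assumed)
 ip address 10.13.0.254 255.255.255.0
```

A PC on ACCESS3 Fa0/1 gets its lease through the Vlan10 helper and is routed to the server VLAN by ACCESS1; ACCESS3 never needs an IP on VLAN 10.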

Great help Collin,

I now have a very good understanding of how this is going to work for me. I have taken the same example from your reply and drawn the diagram below with the subnet ranges. I want all VLANs to access the server VLAN and printer VLAN, the wireless VLAN to access the internet and printer VLAN, and the ENG VLAN to be able to talk to members inside it on both switches. I forgot one more VLAN in the picture: suppose there is an IT VLAN with subnet range 10.14.0.0/24; this IT VLAN should be able to access all VLANs but other VLANs should not be able to access the IT VLAN. If I have to do this, what would the configuration look like on the switches?

I think I got the design concept right but now need help with the configuration. Is there any other tool you recommend where I can learn this, like a simulation, if I don't have actual hardware?

Example config of the VLAN interfaces:

interface Vlan13
 description Printer VLAN
 ip address 10.10.0.254 255.255.255.0
 ip helper-address [your DHCP server]
 ip helper-address [your backup DHCP server]
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan10
 description Engineering VLAN
 ip address 10.11.0.254 255.255.255.0
 ip helper-address [your DHCP server]
 ip helper-address [your backup DHCP server]
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!

The port config would look something like this:

interface FastEthernet0/48
 description HR Printer
 switchport access vlan 13
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
! assumed: a gigabit port, since speed 1000 is not available on a FastEthernet interface
interface GigabitEthernet0/1
 description Engineering Server
 switchport access vlan 10
 switchport mode access
 speed 1000
 duplex full
 spanning-tree portfast edge
 spanning-tree bpduguard enable

As far as learning, I think your best bet would be http://www.ciscopress.com/bookstore/product.asp?isbn=1587202174

Collin, what about the IT VLAN having access to all VLANs while the reverse is blocked, the VTP configuration and the wireless VLAN configuration? Also, what should the ACLs be?

This ACL will block the other subnets from entering the IT VLAN:

access-list 112 remark Replies to TCP sessions the IT VLAN opened toward the other subnets
access-list 112 permit tcp any 10.14.0.0 0.0.0.255 established
access-list 112 deny ip 10.10.0.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.11.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 10.10.12.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 10.14.0.0 0.0.0.255
access-list 112 remark Without this the implicit deny at the end would also drop the servers and DHCP replies
access-list 112 permit ip any any

Then you apply it to the VLAN interface of the IT VLAN:

interface Vlan15
 ip access-group 112 out

Because you are allowing all traffic out from the IT VLAN, no ACL applied inbound is necessary.

Configuring VTP

http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a0080890607.shtml

Remind me again of the wireless restrictions

Thanks Collin, very good help.

As for wireless, as described in my earlier post I have very limited knowledge, but I would like to learn, as you can see from my earlier post here:

Right now the only wireless devices I have are two Linksys wireless routers, connected on two different floors to different switches, with access to the whole network. I would love to prepare myself for the wireless network setup, both design and configuration, if you guide me. If I have a two-floor building about 1000 meters wide, how can I start designing wireless? Should I put one access point connected from a separate VLAN port and then the next access point from the same VLAN at some distance away, so I get full coverage of the whole floor, and then do the same thing on the next floor, connecting the access points from the same VLAN ports?

How can I set up wireless access across two floors, what is the best device to use, and what should the configuration look like?

The first thing you MUST do is a wireless site survey. This will tell you exactly how many APs you need and where they should be placed to get the appropriate coverage. This needs to be done by a VAR as they have the proper tools to do it successfully. As far as hardware, I would look at a Wireless LAN Controller (WLC). What it does is provide a single point of administration for your wireless network. Currently your Linksys APs run independently of each other and run their own operating system. Using a WLC, your APs download the config from the controller! It gives you a consistent configuration and allows plug-n-play of new APs. You can also do administrative tasks like updating the operating system on all the APs with just a few clicks in the WLC. There are a ton of other features too. It is well worth the money, and given my rough guess of the number of APs you will need, it will be worth its weight in gold.

As far as what you are doing today, you are correct in assigning each AP to a single VLAN, and I believe you plan to (and should) create a Wireless VLAN. As far as actual AP placement, that is dependent on what clients you need to serve until you can get a full wireless solution in.
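Added example (not from the thread) for the two policies that are asked about above but never shown as configuration: a department VLAN that may reach only the servers and printers, and the wireless VLAN that may reach only the printers and the internet. Each named ACL is applied inbound on that VLAN's own SVI, so it filters what that VLAN's hosts send; because IOS ACLs are stateless, the department ACL must explicitly let replies back to sessions the IT VLAN opened, or the "IT reaches everything" rule silently breaks. The printer (10.10.0.0/24) and IT (10.14.0.0/24) subnets are the ones used earlier in the thread; 192.168.1.0/24 is taken from ACL 112 and assumed to be the wireless VLAN; the HR VLAN id and subnet, the server subnet, the DNS host and the DHCP address are assumptions.

```cisco
! Assumed: 10.12.0.0/24 HR (Vlan14), 10.13.0.0/24 servers (Vlan11), 192.168.1.0/24 wireless (Vlan12)
ip access-list extended HR_INBOUND
 remark DHCP discover/request is addressed to the relay on this SVI
 permit udp any eq bootpc any eq bootps
 remark Stateless ACL: let replies flow back to TCP sessions and pings the IT VLAN started
 permit tcp 10.12.0.0 0.0.0.255 10.14.0.0 0.0.0.255 established
 permit icmp 10.12.0.0 0.0.0.255 10.14.0.0 0.0.0.255 echo-reply
 remark Servers (AD, DNS, DHCP) and printers are open to every department
 permit ip 10.12.0.0 0.0.0.255 10.13.0.0 0.0.0.255
 permit ip 10.12.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 remark Every other internal subnet, IT included, is blocked
 deny   ip 10.12.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.12.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark What is left is the internet, reached through the router
 permit ip 10.12.0.0 0.0.0.255 any
!
ip access-list extended WIRELESS_INBOUND
 permit udp any eq bootpc any eq bootps
 remark Visitors still need name resolution (resolver address assumed)
 permit udp 192.168.1.0 0.0.0.255 host [your DNS server] eq domain
 remark Printers only: no servers, no departments, no IT
 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan14
 description HR VLAN (id and subnet assumed)
 ip address 10.12.0.254 255.255.255.0
 ip helper-address [your DHCP server]
 ip access-group HR_INBOUND in
!
interface Vlan12
 description Wireless VLAN for visitors
 ip address 192.168.1.254 255.255.255.0
 ip helper-address [your DHCP server]
 ip access-group WIRELESS_INBOUND in
```

Order matters: the permits for DHCP, DNS, established TCP and the allowed subnets sit above the two broad denies, and the final permit is what lets public addresses through to the router.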

Many Thanks Collin.

do you know how to change my email address on this forum? I have a new email address and would like to change it.

When I go to edit profile it does not allow me to change it.
