VLAN help needed . . . !!!

csco_sai9k
Level 1

I am new to VLANs, so I would like to have suggestions from you people.

I have a 10 MB Internet link >> connected to a Firewall >> connected to an L3 Switch >> There are about 40 L2 switches beneath this L3 Switch, with no STP, as the physical design itself was not done for switch-to-switch redundancy.

And for your information, I have a Windows DHCP Server which assigns IPs to the clients. As of now I haven't created any VLANs. My clarifications are:

1>> How can I create VLANs here? Do I need to create them in the L3 switch?

2>> If I am assigning different subnets to different VLANs, how would the clients get an IP from DHCP?

3>> If possible, can anyone here provide some basic configuration to give me the idea?

Thanks in Advance,

Max

13 Replies

lamav
Level 8

Max:

When you need to create a new vlan, these are the things you have to do:

1.) On the L2 switch, create the vlan and give it a name (name is optional).

vlan 10
 name management_vlan

2.) Add the new vlan to the existing trunk that faces the L3 switch:

interface gi1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4,10
 switchport mode trunk

3.) On the L3 switch, allow the vlan on the trunk port, create the vlan and give it a name (name is optional).

vlan 10
 name management_vlan

Then add the vlan to the trunk that faces the L2 switch:

interface gi1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4,10
 switchport mode trunk

4.) On the L3 switch, create the routed L3 interface (SVI) for that new vlan:

interface vlan 10
 ip address 10.10.10.1 255.255.255.0

These are the basic steps you need to perform.

As far as DHCP is concerned, if the DHCP server sits on another subnet, then you must configure the ip helper address under the routed SVI interface:

interface vlan 10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.50.5   <--- ADDRESS OF DHCP SERVER

Remember that DHCP clients send out a L3 and L2 broadcast known as a DHCPDISCOVER. The router, by default, will not forward broadcasts, so you need the ip helper address to forward the DHCP clients message to the DHCP server.

HTH

Feel free to come back for more info.

Please rate all helpful posts.

Victor

Hi Victor,

You explained a lot and thanks...

If the DHCP server sits on another subnet, then we will use ip helper-address under the interface.

If we have many subnets, like switch #1 10.28.1.5, switch #2 10.28.2.5, switch #3 10.28.3.5,

and I assign ip helper-address 10.28.2.55 (address of the DHCP server),

then how can it recognise the different subnets, as different switches have them?

Regards,

Naidu.

Naidu:

"Then how it can recognise different subnets as different switchs having it."

I'm not sure I understand the question.

You configure a helper address on the L3 switch, under the SVI, for each vlan that requires DHCP services. If the DHCP server sits on a different subnet than the SVI interface, you need the helper address to forward the DHCP traffic.

Subnet 10.28.2.0/24 will not need the helper address configured on it because the DHCP server sits on the same subnet as the SVI interface. Therefore, the L2 broadcast will reach the server on its own, without the help of the SVI.

I hope I answered your question.

Please rate all helpful posts.

Victor
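The relay mechanism Victor describes, and Naidu's question about how the server tells the subnets apart, come down to one field in the DHCP header: giaddr. The following Python model is an added example and not code from this thread or from any vendor. It builds a DHCPDISCOVER, applies what the SVI does under ip helper-address, and shows the server's scope selection keyed on giaddr. The SVI 10.10.10.1/24 and the server 10.10.50.5 are taken from Victor's post; the server's own subnet, the second scope and the packets themselves are constructed for this example.

```python
"""Model of what 'ip helper-address' does to a DHCPDISCOVER and how the
DHCP server then picks a scope.

Added example; not code from the thread. The VLAN 10 SVI (10.10.10.1/24) and
the DHCP server (10.10.50.5) are Victor's figures; the server's own subnet,
the second scope and the packets are constructed here.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

BOOTREQUEST = 1
ZERO4 = b"\x00" * 4
# BOOTP fixed header (RFC 951 / RFC 2131) without sname, file and options:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Client side: ciaddr and giaddr are zero and the broadcast flag is set;
    the frame goes to 255.255.255.255 / ff:ff:ff:ff:ff:ff (L3 and L2 broadcast)."""
    return HDR.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                    ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\x00"))


def giaddr_of(pkt: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(HDR.unpack_from(pkt)[10])


def relay(pkt: bytes, svi_address: str) -> bytes:
    """SVI side (ip helper-address): the broadcast becomes a unicast to the
    helper, hops is incremented, and giaddr is set to the address of the
    interface the broadcast arrived on, but only if no earlier relay already
    set it (RFC 1542, 4.1.1). giaddr is the only thing that tells the server
    which VLAN the client is on."""
    fields = list(HDR.unpack_from(pkt))
    fields[3] += 1                                    # hops
    if fields[10] == ZERO4:                           # giaddr still unset
        fields[10] = ipaddress.IPv4Address(svi_address).packed
    return HDR.pack(*fields) + pkt[HDR.size:]


@dataclass(frozen=True)
class Scope:
    network: ipaddress.IPv4Network
    router: ipaddress.IPv4Address
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address


def select_scope(pkt: bytes, scopes: List[Scope],
                 server_interface: str) -> Optional[Scope]:
    """Server side: a non-zero giaddr selects the scope whose subnet contains
    it; a zero giaddr means the request arrived as a broadcast on the server's
    own segment, so the server's own interface subnet is used. With no
    matching scope the server stays silent, which is what 'the new VLAN gets
    no addresses' looks like when a helper or a scope is missing."""
    key = giaddr_of(pkt)
    if int(key) == 0:
        key = ipaddress.IPv4Address(server_interface)
    for scope in scopes:
        if key in scope.network:
            return scope
    return None


def default_scopes() -> List[Scope]:
    """One scope per VLAN, each matching its SVI subnet (constructed)."""
    def mk(net, router, first, last):
        return Scope(ipaddress.IPv4Network(net), ipaddress.IPv4Address(router),
                     ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [mk("10.10.10.0/24", "10.10.10.1", "10.10.10.50", "10.10.10.254"),
            mk("10.10.50.0/24", "10.10.50.1", "10.10.50.50", "10.10.50.254")]


def demo():
    """Three clients: one on VLAN 10 behind the helper, one on the server's
    own subnet, one on a VLAN whose SVI relays but that has no scope defined."""
    scopes = default_scopes()
    server_if = "10.10.50.5"
    mac = bytes.fromhex("001122334455")
    relayed = relay(build_discover(mac), "10.10.10.1")
    local = build_discover(mac)
    orphan = relay(build_discover(mac), "10.10.99.1")
    return (select_scope(relayed, scopes, server_if),
            select_scope(local, scopes, server_if),
            select_scope(orphan, scopes, server_if))


if __name__ == "__main__":
    names = ("VLAN 10 client", "local client", "VLAN with no scope")
    for who, scope in zip(names, demo()):
        print(f"{who}: {scope.network if scope else 'no offer (request dropped)'}")
```

The third case is the one to remember when a new VLAN gets no leases: the helper may be fine, but if no scope contains the SVI address written into giaddr, the server simply does not answer.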

Hi Victor,

I am very happy with the way you have responded. Thanks a lot. But, being a newbie in LAN, I would like to put some more queries in front of you.

1>> If my network is divided into subnets as follows (assuming my plan), 10.45.25.1/24, 10.45.26.1/24, 10.45.27.1/24, 10.45.28.1/24 assigned to 4 different VLANs, how is the configuration applied? Do I need to create different scopes in the DHCP server? Please do let me know with the subnets provided in an example...

2>> And I need to configure in such a way that people will be able to access resources between VLANs. How can I go for it?

3>> And suppose I am having a /24 and all the clients are using the Internet, how can I limit them to only 10 users (for Internet access in that VLAN)?

Mostly Internet access being my end application, I don't want all my end users eating my bandwidth and my boss complaining about that to me...

4>> Do I need to make any changes in my Firewall related to VLANs, or in the Router??? I don't think it is necessary, as I have an L3 switch.

Please do help me in suggesting on the above queries...

Thanks a lot,

Max

Hi, Max:

1.) You would create a DHCP scope for each subnet defined on your switch. A vlan can have more than one subnet, but it is a best practice to try to keep it a 1-to-1 configuration.

interface vlan 10
 ip address 10.10.0.1 255.255.254.0

This vlan has two Class "C" subnets.

10.10.0.0/24

10.10.1.0/24

2.) When you create routed vlan interfaces (SVIs) on a L3 switch with "ip routing" configured, each vlan will be a "directly connected" route. So, the L3 switch will forward all inter-vlan traffic naturally.

If those vlans need to communicate with hosts on other parts of your enterprise network, you would run a routing protocol on the interface under the routing process.

ex:

router ospf 1

network 10.45.27.1 0.0.0.0

network 10.45.28.1 0.0.0.0

3.) I don't think that is possible, quite frankly. Theoretically, you can create a policy on your Internet router or firewall that only NATs traffic from some source addresses and not others. You can do that using access-lists and route maps. But that isn't really a solution, because you will have to define the exact host addresses that will be NATed.

ex:

ip nat inside source list 10 interface s1/0 overload
access-list 10 permit 10.45.27.3
access-list 10 permit 10.45.27.4
access-list 10 permit 10.45.27.5
access-list 10 permit 10.45.28.3
access-list 10 permit 10.45.28.4

etc...

you could summarize the wildcard masks, but I presented it this way to make it more clear to you.

This is an unorthodox solution, to say the least.

4.) Who is performing the NAT/PAT for Internet-bound traffic, the router or the firewall?

HTH

Please rate all helpful posts.

Victor
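Victor's access-list 10 and his remark that the wildcard masks could be summarised are worth checking with numbers, because a summarised entry permits every combination of its don't-care bits, not just the hosts that were listed. The Python below is an added example, not code from the thread or from any vendor: it implements Cisco wildcard matching, computes the single entry that covers a list of hosts, and enumerates the addresses that entry would additionally let through (and so NAT out to the Internet). The host addresses are the ones in Victor's example; the function names are assumptions of this example.

```python
"""Cisco wildcard-mask arithmetic for a 'permit only these hosts' ACL.

Added example, not code from the thread. The hosts are those in Victor's
access-list 10; the summarisation and the over-permission check are
constructed here.
"""
import ipaddress
from typing import Iterable, List, Tuple

ALL_ONES = 0xFFFFFFFF


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    care = ALL_ONES ^ _int(wildcard)
    return (_int(addr) & care) == (_int(base) & care)


def summarize(hosts: Iterable[str]) -> Tuple[str, str]:
    """Smallest single (base, wildcard) entry that matches every host: every
    bit position in which any two hosts differ becomes a don't-care bit."""
    ints = [_int(h) for h in hosts]
    wild = 0
    for other in ints[1:]:
        wild |= ints[0] ^ other
    base = ints[0] & (ALL_ONES ^ wild)
    return _str(base), _str(wild)


def overpermitted(hosts: Iterable[str]) -> List[str]:
    """Addresses the summarised entry also permits although they were not in
    the list. The don't-care bits combine freely, so one entry covers
    2**popcount(wildcard) addresses, not len(hosts). Run this before replacing
    per-host lines with a summary line."""
    hosts = list(hosts)
    base, wild = summarize(hosts)
    b, w = _int(base), _int(wild)
    wanted = {_int(h) for h in hosts}
    free_bits = [1 << i for i in range(32) if w & (1 << i)]
    extra = []
    for combo in range(1 << len(free_bits)):       # every setting of the free bits
        value = b
        for i, bit in enumerate(free_bits):
            if combo & (1 << i):
                value |= bit
        if value not in wanted:
            extra.append(_str(value))
    return extra


if __name__ == "__main__":
    # Summarising within one subnet (Victor's 10.45.27.x hosts).
    same_subnet = ["10.45.27.3", "10.45.27.4", "10.45.27.5"]
    print(same_subnet, "->", summarize(same_subnet), "extra:", overpermitted(same_subnet))
    # Summarising across his two subnets is worse: the third octet picks up
    # don't-care bits and the entry now spans 10.45.24.x to 10.45.31.x.
    cross_subnet = ["10.45.27.3", "10.45.28.3"]
    print(cross_subnet, "->", summarize(cross_subnet), "extra:", overpermitted(cross_subnet))
```

For the three 10.45.27.x hosts the summary is 10.45.27.0 0.0.0.7, which also permits .0, .1, .2, .6 and .7; collapsing hosts from two subnets into one line spreads the don't-care bits into the third octet and permits far more. Per-host lines are verbose, but they are the only form that permits exactly the hosts intended.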

Hi Victor,

As you mentioned above,

1>> What do you mean by "creating a DHCP scope for each subnet defined on the switch"? I am using a Microsoft DHCP server in my LAN.

2>> And as of now my internal servers, such as FTP, Anti-Virus, DHCP and the WLAN controller, are connected to the ports of the same core switch. Can I place them in a separate VLAN? Does this have any impact on my existing network? Or is it OK if I leave them connected to my core switch?

3>> And as you have asked about where my NAT is being done: it's being taken care of by my SonicWall NSA 2400, which is between my Router and L3 switch.

3>> And as you have asked about where my NAT is being done ? Its being taken care by my Sonicwall NSA 2400 which is between my Router and L3 switch .

Any Suggestions !!!

Rgds,

Max

MaX:

Have you ever configured a DHCP server before?

Each subnet uses a "scope" of IP addresses - a pool. When a client requests an IP address from the server, it takes it from the pool. You need to have a DHCP server agent running on the Microsoft box, something like QIP, for example.

2.) I recommend you place all your servers in a server vlan and do not connect them directly into the core switch. In theory, and I stress, IN THEORY, the network should be segmented loosely, as follows:

CAMPUS (Users) MODULE:

L2 access switches

L3 distribution switches

SERVER FARM MODULE:

L2 access switches

L3 Distribution layer

DATA CENTER EDGE MODULE:

WAN Edge Routers

Edge Distribution Layer

Each module gets connected to the core switches using routed connections.

3.) OK, so your firewall does the NATing, fine. I imagine it has a default route that points to the Internet router's HSRP VIP - or something like that. I don't know what your NAT statement looks like, but you have to make sure that the new subnets are going to be NATed to the public IP address that you will use for Internet traffic.

HTH

Please rate all helpful posts.

Victor

Hi Victor & everybody in the forum,

Let me clear your doubts about my network; I have attached the details of the same in the text document. Just let me know how I can configure and design my network according to the existing IP scheme, which I don't want to change.

And Victor, thanks for your earlier replies too; they were very informative, but I still have some clarifications.

Also attached is my Router configuration, modified according to the forum rules.

Thanks,

Max

***************************************

I have two 2 Mb leased lines, which I had clubbed into a Multilink and given the first available public IP on my FastEthernet port.

The next available public IP is on the Router, where the Router is taking care of NAT.

My Firewall LAN port is given the IP 10.45.1.1/16.

The Firewall LAN port is connected to one of the ports of my L3 Switch (24 ports) with 4 GBIC shared ports.

The above mentioned L3 switch has some Access Switches (8 in number) connected, along with my WLAN controller, DHCP Server, FTP Server, Anti-Virus Server and a couple of free ports.

There are 2 other buildings in the Campus connected on Fibre to the GBIC ports of the L3 Switch.

My devices have the following IPs allotted...

L3 Switch - 10.45.10.1/16
WLAN Controller - 10.45.10.2/16
DHCP Server - 10.45.10.2/16
FTP Server - 10.45.10.6
My Access Switches - 10.45.10.21 onwards to 10.45.10.68 (43 L3 switches)

The IPs given to the L3 and L2 switches are for management purposes and serving NMS functionality.

So far I had not created any VLANS . . .

**************************************

I would like to know: what is the best configuration I can do on the above setup???

And a very important factor: there is no redundancy between switches and no scope for STP. We have redundant cables for all the uplinks between the switches.

**************************************

My DHCP is configured with the 10.45.10.5 static address, with scope range 10.45.20.1 - 10.45.255.254.

So, do I need to create a separate scope for the below mentioned subnets as per VLAN?

**************************************

I may need to create some 20 to 25 VLANs according to the different departments...

Suppose there are four departments:

Finance, Management, IT, R&D, Guests.

Finance - as VLAN10 with VLAN IP address 10.45.20.1, and I want the users for this particular VLAN to be allotted IPs between 10.45.20.2 - 10.45.20.254, so do I need to create a scope for this in DHCP... How does this work???

R&D - as VLAN20 with VLAN IP address 10.45.21.1, and I want the users for this particular VLAN to be allotted IPs between 10.45.21.2 - 10.45.21.254, so do I need to create another scope for this in DHCP...

What I understand from your earlier posts is that when I create VLAN 10, I need to assign ip helper-address 10.45.10.5 (which is the DHCP server) under that VLAN, so that the nodes connected to the switch ports in VLAN 10 will automatically get an IP within that particular range, 10.45.20.2 onwards as per my scenario.

How does a single host from VLAN 10 on some particular port access a local server in VLAN 20? What config needs to be done? Does the config need to be done on the Access Switch or on the Core switch (L3 Switch)? I assume this will be done through InterVLAN Routing on the L3 Switch!!!

*************************************

And do I need to create any default route towards the firewall???

ip route 0.0.0.0 0.0.0.0 10.45.1.1 (where 10.45.1.1 is my Firewall LAN port, which is connected to my L3 switch)

And do any routes need to be added in the L3 switch for InterVLAN Routing?

*************************************

PLEASE DO CLARIFY ON THE ABOVE. I regret writing so much, but I find the forum here so helpful that I cannot restrict myself from adding points to it.

Thanks & Regards,

Max

Hii Everybody,

The above mentioned string 43 L3 switches ,

that is 43 L2 switches instead .

Regds,

Max

Hi Max,

Firstly, I would strongly recommend that you go and complete at least a CCNA. This will teach you everything you need to get your network up and running.

You have said that you don't want to readdress your servers, but can you readdress the other stuff? Are you restricted to addressing within the 10.45.0.0/16 subnet or can you use, say 10.1.0.0, 10.2.0.0 ?

If you have to re-use the existing 10.45.0.0/16 subnet then there is going to be downtime - your servers will be able to keep their IP addresses, but their default gateway and subnet mask settings will have to change.

You need to take the following steps:

Step 1)

Separate your firewall from the 10.45.0.0 subnet

a) On your firewall:

- Change the LAN port to 192.168.2.1 255.255.255.252

- Add Static route 10.45.0.0 255.255.0.0 via 192.168.2.2

b) On your L3 switch (assuming that F1/0/1 connects to the firewall)

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
interface f1/0/1
 no switchport
 description Link to Firewall
 ip address 192.168.2.2 255.255.255.252
!
interface vlan 1
 ip address 10.45.1.1 255.255.0.0
!

You should now be able to connect to the internet the same as you did before - the only difference is that your default gateway is now your L3 switch, not the firewall. The L3 switch will forward all non-local traffic to the firewall, and the firewall will forward any local (10.45.x.y) traffic to your L3 switch.

--note that your L3 switch is now on 10.45.1.1, and not 10.45.10.1--

Step 2)

Enable VTP and create your VLANs

1) On your L3 switch:

!- enable VTP
vtp domain mycompany
vtp mode server
!- Create VLANs
vlan 5
 name servers
exit
vlan 10
 name Finance
exit
vlan 20
 name RandD
exit

Step 3)

Create your trunk links

As Victor described above, but I wouldn't stop VLAN1 from being sent down the trunk links - you are currently using VLAN1, and stopping it from being sent down the trunks will completely break your existing network.

On every switch (except the L3) do:

vtp mode client
vtp domain mycompany

Then on BOTH ends (interfaces) of EVERY link between EVERY switch (including the L3) do:

switchport trunk encapsulation dot1q
switchport mode trunk

When you have done this, if you do a "show vlan" on any switch you will see the vlans 5,10,20 that you created earlier.

The VTP setup ensures that your VLAN config across your network is the same, so if you create a vlan on the core switch then that vlan will appear on every other switch.

Step 4)

Re-address your switches.

Your switches VLAN1 (Management) IP addresses need to be changed. They don't need to be in the 10.45.0.0 subnet as there isn't any reason for them to connect to the internet.

On your L3 switch do:

interface vlan 1
 ip address 192.168.3.1 255.255.255.0 secondary

Then on each of your L2 switches:

interface vlan 1
 ip address 192.168.3.X 255.255.255.0

Note the secondary address on the L3 switch that is NOT used on the L2 switches.

Step 5)

Prepare your servers

(I'm assuming here that all your servers that you don't want to change the addresses of are in the 10.45.10.0-255 range)

On the L3 switch:

interface vlan 1
 ip address 10.45.10.1 255.255.0.0 secondary

(Note that your VLAN1 interface now has 3 IP addresses!)

On each of your servers change the default gateway to 10.45.10.1, then check that they still have access to everything

More to Follow...

....Continued

Step 6)

Remove the old 10.45.0.0/16 subnet and start creating the new VLAN interfaces

--NOTE--

The following will break your existing network

--NOTE--

On your L3 Switch:

interface vlan 1
 no ip address 10.45.10.1 255.255.0.0 secondary
 no ip address 192.168.3.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.255.0
!
interface vlan 5
 description Server VLAN
 ip address 10.45.10.1 255.255.255.0
 no shutdown

Now on all your servers you need to change the subnet mask from 255.255.0.0 to 255.255.255.0.

Now on each interface that a server is connected to you need to do:

interface G1/0/X
 switchport mode access
 switchport access vlan 5

Your servers should all have access to the internet, and they should be able to ping any of your switches on their 192.168.3.X Ip addresses.

Step 7)

create your other Vlan Interfaces

On your L3 switch:

interface vlan 10
 description Finance
 ip address 10.45.20.1 255.255.255.0
 ip helper-address 10.45.10.5
 no shutdown
!
interface vlan 20
 description RandD
 ip address 10.45.21.1 255.255.255.0
 ip helper-address 10.45.10.5
 no shutdown

Step 8)

DHCP Scopes

Delete your old 10.45.20.1-10.45.255.254 scope and create 1 new scope per vlan

i.e.

Scope : 10.45.20.5 - 254

Mask : 255.255.255.0

Router: 10.45.20.1

Scope : 10.45.21.5 - 254

Mask : 255.255.255.0

Router: 10.45.21.1

Step 9)

Configure access ports

Assign switch ports on any switch to the correct VLANS, so for finance PC's set their ports:

switchport mode access
switchport access vlan 10

And you're done!

Please rate this post if it has been useful.

Nick
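Nick's steps 6 to 8 hinge on a few invariants that are easy to get wrong on a live network: SVI subnets must not overlap, each DHCP scope must match an SVI subnet exactly, the scope's router option must be that SVI's address, the pool must not contain any SVI address, and a VLAN whose DHCP server is not local needs an ip helper-address pointing at it. The Python below is an added example, not code from the thread or from any vendor, that checks those invariants for the addressing in Nick's post (VLAN 1 192.168.3.1/24, VLAN 5 10.45.10.1/24, VLAN 10 10.45.20.1/24, VLAN 20 10.45.21.1/24, DHCP server 10.45.10.5, scopes 10.45.20.5-254 and 10.45.21.5-254). The "step 6 skipped" plan, with the /16 still on VLAN 1 and the old company-wide scope still defined, is constructed here to show what the checks catch.

```python
"""Consistency checks for an SVI / DHCP-scope plan (Nick's steps 6 to 8).

Added example, not code from the thread. The addresses are the ones in the
post; the check logic and the 'step 6 skipped' plan are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DHCP_SERVER = "10.45.10.5"


@dataclass(frozen=True)
class Svi:
    vlan: int
    interface: ipaddress.IPv4Interface   # address/prefix, e.g. 10.45.20.1/24
    helper: Optional[str] = None         # ip helper-address, if configured


@dataclass(frozen=True)
class Scope:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    mask: str
    router: ipaddress.IPv4Address


def check_plan(svis: List[Svi], scopes: List[Scope], dhcp_server: str) -> List[str]:
    problems: List[str] = []
    server = ipaddress.IPv4Address(dhcp_server)

    # 1. SVI subnets must not overlap: a /16 left on VLAN 1 beside /24 SVIs
    #    leaves hosts in both subnets at once, which is what breaks the network.
    for i, a in enumerate(svis):
        for b in svis[i + 1:]:
            if a.interface.network.overlaps(b.interface.network):
                problems.append(f"VLAN {a.vlan} {a.interface.network} overlaps "
                                f"VLAN {b.vlan} {b.interface.network}")

    # 2. The DHCP server must sit in some SVI subnet, or relayed requests cannot be answered.
    if not any(server in s.interface.network for s in svis):
        problems.append(f"DHCP server {server} is not in any SVI subnet")

    for sc in scopes:
        net = ipaddress.IPv4Network(f"{sc.start}/{sc.mask}", strict=False)
        svi = next((s for s in svis if s.interface.network == net), None)
        # 3. Every scope must correspond to exactly one SVI subnet.
        if svi is None:
            problems.append(f"scope {sc.start}-{sc.end}: no SVI with subnet {net}")
            continue
        # 4. The router option is what clients install as default gateway.
        if sc.router != svi.interface.ip:
            problems.append(f"scope {net}: router option {sc.router} != SVI {svi.interface.ip}")
        # 5. The pool must stay inside the usable host range.
        if not (net.network_address < sc.start <= sc.end < net.broadcast_address):
            problems.append(f"scope {net}: pool {sc.start}-{sc.end} outside usable range")
        # 6. The pool must not hand out any SVI address (a duplicate-IP outage
        #    for the gateway of another VLAN).
        for s in svis:
            if sc.start <= s.interface.ip <= sc.end:
                problems.append(f"scope {net}: pool contains SVI address "
                                f"{s.interface.ip} (VLAN {s.vlan})")
        # 7. A VLAN with a scope needs a helper unless the server is local to it.
        if server not in net and svi.helper is None:
            problems.append(f"VLAN {svi.vlan}: has a scope but no ip helper-address {server}")
        if svi.helper is not None and ipaddress.IPv4Address(svi.helper) != server:
            problems.append(f"VLAN {svi.vlan}: helper {svi.helper} is not the DHCP server {server}")
    return problems


def _svi(vlan: int, addr: str, helper: Optional[str] = None) -> Svi:
    return Svi(vlan, ipaddress.IPv4Interface(addr), helper)


def _scope(start: str, end: str, mask: str, router: str) -> Scope:
    return Scope(ipaddress.IPv4Address(start), ipaddress.IPv4Address(end),
                 mask, ipaddress.IPv4Address(router))


def after_step_8() -> Tuple[List[Svi], List[Scope]]:
    """The plan as it stands at the end of Nick's step 8."""
    svis = [_svi(1, "192.168.3.1/24"), _svi(5, "10.45.10.1/24"),
            _svi(10, "10.45.20.1/24", DHCP_SERVER), _svi(20, "10.45.21.1/24", DHCP_SERVER)]
    scopes = [_scope("10.45.20.5", "10.45.20.254", "255.255.255.0", "10.45.20.1"),
              _scope("10.45.21.5", "10.45.21.254", "255.255.255.0", "10.45.21.1")]
    return svis, scopes


def before_step_6() -> Tuple[List[Svi], List[Scope]]:
    """Constructed: the /16 still on VLAN 1 and the old company-wide scope kept."""
    svis = [_svi(1, "10.45.1.1/16"), _svi(5, "10.45.10.1/24"),
            _svi(10, "10.45.20.1/24", DHCP_SERVER), _svi(20, "10.45.21.1/24", DHCP_SERVER)]
    scopes = [_scope("10.45.20.1", "10.45.255.254", "255.255.0.0", "10.45.1.1")]
    return svis, scopes


if __name__ == "__main__":
    for label, plan in (("after step 8", after_step_8()), ("step 6 skipped", before_step_6())):
        found = check_plan(*plan, DHCP_SERVER)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run against the finished plan the checker is silent; against the half-migrated one it reports the /16 overlapping all three new SVIs and the old scope handing out 10.45.20.1 and 10.45.21.1, the very addresses steps 7 and 8 assign to the Finance and R&D gateways.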

Hi Nick & Victor,

Thanks a lot for that detailed explanation.

First of all, I would like to tell you that this network is a live one, and users are just settling down after some issue in the firewall a couple of weeks before. So I don't want to go for a very huge change in the IP scheme.

Can't I continue using the existing 10.45.0.0??? And subnet it accordingly for my use? Example: 10.45.20.1 - 10.45.20.254 for VLAN_10, 10.45.21.1 - 10.45.21.127 for VLAN_20 & 10.45.21.129 - 10.45.21.254 for VLAN_30 and so on... based on the number of users per VLAN!!!

And half of the users will be accessing the Internet; at the same time I want to limit some users in the same VLAN from accessing the Internet.

Example: VLAN_20, which is 10.45.21.1 - 10.45.21.127, where I would want to give Internet access to only some users which are connected to that VLAN. Any possibility to do this on the switch side?

Or at least, can I limit my users using any time-based policies for accessing the Internet?? Again, can this be achieved by doing any configuration at the switch end?

Please do suggest . . .

Thanks & Regards,

Max

Hi Max,

Yes you can continue using 10.45.0.0 - I just spent 2 Hours typing up how to do this with minimal downtime. ;-)

Please read my instructions carefully.

As for restricting access to the internet - Victor already answered this above...

The only way you can do it is either to restrict access to specific IPs. This can be applied at the Vlan Interfaces, but it would be better to be done on your firewall.

You could also disallow access to the internet for all users, and force them through a proxy server with authentication - users would have to log in to get access.

Nick
