VLANs configuration

rbt2016
Level 1

Hello everyone,

I have a few concerns about my company's new network config. I am a newbie in the Cisco world; I've got some experience with Catalyst switches and routing, but I basically grew up with HPE switches and other hardware.

This may be a dumb request, but I'm struggling to understand how to implement VLANs in my network. This is a prerequisite for our future new firewall ASA installation.

I'll explain briefly the architecture and what I am trying to accomplish.

The network has a few Catalyst C2960X switches and a C3850. No VLANs are set.

I've got some ESXi and other servers, SAN and NAS.

The goal is to segment the network with a few vlans for security and net optimization.

 

I've implemented the primary VTP 3 in the 3850 and used trunks to connect every switch.

I need to be able to divide the management consoles and services from the clients.

So what I've got in mind is to use, for example, VLAN 100 for the main office, VLAN 200 for the production plant, VLAN 300 for labs, and VLAN 400 for management; but I can't figure out how to make servers in VLAN 100 accessible to clients in other VLANs, and how to put the Ethernet ports of the ESXi hosts and NAS dedicated to management in VLAN 400 so that they are accessible to network admins.

DHCP and DNS are on those servers; the firewall/router is a ZyWALL.

I just don't understand how, from my laptop, to communicate with every VLAN, and how to let clients access server services but not the management VLAN.

 

I hope you can help me out with this!

Thank you in advance

 

PP

3 Replies

Hello

For basic connectivity, your 3850 switch will perform the inter-VLAN routing.

Your DHCP/DNS servers will, I guess, reside in one of the VLANs you have created, and the clients will be able to reach these servers through the 3850 core switch.

These can be attached via normal access ports or aggregated into port-channels; it all depends on your requirements.

As for denying access between VLANs, you can apply routed ACLs on the SVIs and use various other options for security.

Below is a very basic setup just to give you an idea.

3850

conf t
ip routing
int vlan 1
shutdown

access-list 100 remark Deny access to MGT vlan
access-list 100 deny   ip 10.10.10.0 0.0.0.255 any
access-list 100 deny   ip 10.10.20.0 0.0.0.255 any
access-list 100 deny   ip 10.10.30.0 0.0.0.255 any
access-list 100 deny   ip 10.10.40.0 0.0.0.255 any
access-list 100 permit ip any any

int vlan 100
description Main Office_Vlan
ip address 10.10.10.254 255.255.255.0

int vlan 200
description Production_Vlan
ip address 10.10.20.254 255.255.255.0

int vlan 300
description Labs_Vlan
ip address 10.10.30.254 255.255.255.0

int vlan 400
description Server_Vlan
ip address 10.10.40.254 255.255.255.0

int vlan 500
description Management_Vlan
ip address 10.10.50.254 255.255.255.0
ip access-group 100 out

int x/x
description Link to switch1
switchport trunk native vlan 50
switchport trunk allowed vlan 100,200,300,400,500
switchport mode trunk
switchport nonegotiate
no shut

int x/x
description Link to switch2
switchport trunk native vlan 50
switchport trunk allowed vlan 100,200,300,400,500
switchport mode trunk
switchport nonegotiate
no shut

etc..

vtp ver 3
vtp domain STAN
vtp password xxx hidden
vtp mode server vlan
exit

vtp primary vlan force

 

Vlan 100
name Main Office_Vlan
exit

Vlan 200
name Production_Vlan
exit

 

etc.....
exit



ip route 0.0.0.0 0.0.0.0 interface ??  x.x.x.x   <  default route to WAN or ZyWALL fw

 

Edge switch

conf t
no ip routing

int vlan 500
description Management_Vlan
ip address 10.10.50.x 255.255.255.0
exit

ip default-gateway 10.10.50.254

int x/x
description Link to 3850 core switch
switchport trunk native vlan 50
switchport trunk allowed vlan 100,200,300,400,500
switchport mode trunk
switchport nonegotiate
no shut

vtp ver 3
vtp domain STAN
vtp password xxx hidden
vtp mode client
exit

int x/x
description access-port
switchport host
switchport access vlan 100

int x/2
description access-port
switchport host
switchport access vlan 200

etc..

 

All switches

! aaa new-model must be enabled before the aaa commands below are accepted
aaa new-model
aaa authentication login STAN local
aaa authorization console
aaa authorization exec STAN if-authenticated
aaa authorization commands 15 STAN local

access-list 199 remark allow remote access to MGT vlan
access-list 199 permit ip 10.10.50.0 0.0.0.255 any

line vty 0 x
access-class 199 in
logging synchronous
login authentication STAN
transport input telnet


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
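An added example, not part of the reply above, that models how ACL 100 behaves when applied `out` on the VLAN 500 SVI of the 3850. It assumes the addressing in the config above (clients in 10.10.10.0/24 to 10.10.40.0/24, management in 10.10.50.0/24) and that plain extended ACLs are stateless, which is how IOS evaluates them; the addresses used in the checks are constructed.

```python
import ipaddress

# Constructed model of ACL 100 from the reply, applied "out" on the
# VLAN 500 (management) SVI. Each entry: (action, source_net, wildcard).
ACL_100 = [
    ("deny",   "10.10.10.0", "0.0.0.255"),   # main office
    ("deny",   "10.10.20.0", "0.0.0.255"),   # production
    ("deny",   "10.10.30.0", "0.0.0.255"),   # labs
    ("deny",   "10.10.40.0", "0.0.0.255"),   # servers
    ("permit", "any",        None),
]

MGMT_VLAN = ipaddress.ip_network("10.10.50.0/24")


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def evaluate_acl(acl, src):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return action
    return "deny"


def packet_verdict(src, dst):
    """Verdict on the 3850 for one routed packet. Only packets routed out
    of the VLAN 500 SVI (destination in 10.10.50.0/24, source elsewhere)
    hit ACL 100; the other SVIs in the config carry no ACL."""
    leaves_via_vlan500 = (ipaddress.ip_address(dst) in MGMT_VLAN
                          and ipaddress.ip_address(src) not in MGMT_VLAN)
    if not leaves_via_vlan500:
        return "permit"
    return evaluate_acl(ACL_100, src)


def session_verdict(client, server):
    """ACLs are stateless: a session needs the request and the reply to pass."""
    request = packet_verdict(client, server)
    reply = packet_verdict(server, client)
    return "permit" if request == reply == "permit" else "deny"
```

The session check shows the catch with this ACL as written: replies to sessions that admins in VLAN 500 open towards hosts in VLANs 100 to 400 also leave through the VLAN 500 SVI, so they are dropped too. Placing a `permit tcp any 10.10.50.0 0.0.0.255 established` entry before the deny lines is the usual IOS way to let those TCP replies back in.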

Thank you for the prompt reply, Paul.

I'm studying everything you've posted, and I'll let you know if something's wrong.

 

Have a good day

 

PP

Hello Paul,

I've been simulating the solution with Cisco Packet Tracer, and I have a few concerns I hope you can help me solve.

 

First things first, I'll explain what I've done so far:

 

I created a LAN with 3 main switches, two 2960 and one 3850.

I created a VLAN domain with the latter switch as the primary, all connected together in trunk mode with native VLAN 50, and restricted to VLANs 100, 200, 300, 400 and 500 only.

I assigned the IP addresses to the VLANs: for VLAN 100 --> 10.10.10.254 255.255.255.0 etc...

Then I attached via access ports a few PCs and servers, assigning on each port VLAN 100 or 200 or 300 etc.

 

As you suggested I've applied ACLs to the switches:

 

 

On the 3850: in which I guess I'm denying access from every single vlan to the others.

 

access-list 100 remark Deny access to MGT vlan
access-list 100 deny   ip 10.10.10.0 0.0.0.255 any
access-list 100 deny   ip 10.10.20.0 0.0.0.255 any
access-list 100 deny   ip 10.10.30.0 0.0.0.255 any
access-list 100 deny   ip 10.10.40.0 0.0.0.255 any
access-list 100 permit ip any any

 

And: in which I'm permitting vlan 500 to go anywhere.

 

access-list 199 remark allow remote access to MGT vlan

access-list 199 permit ip 10.10.50.0 0.0.0.255 any

 

I don't understand these parts:

 

ip route 0.0.0.0 0.0.0.0 interface ??  x.x.x.x   <  default route to WAN or ZyWALL fw <<-- I don't know what I need to write here

 

int vlan 500
description Management_Vlan

ip address 10.10.50.254 255.255.255.0
ip access-group 100 out <<-- what is this? The switch doesn't allow me to do it

 

 

On the 2960s:

I've applied the same acl 199.

 

But I dont understand this config:

 

Edge switch

conf t

no ip routing <<-- the switch doesn't allow me to do this

 

int vlan 500
description Management_Vlan

ip address 10.10.50.x 255.255.255.0 <<-- what is this address?
exit

ip default-gateway 10.10.50.254 <<-- why do I need to specify a gateway?

 

 

Waiting for your kind reply, thanks again for your time and have a good day.

 

Piero