01-11-2018 12:25 AM - edited 03-08-2019 01:22 PM
Hello everyone,
I have a few concerns about my company's new network config. I am a newbie in the Cisco world; I've got some experience with Catalyst switches and routing, but I basically grew up with HPE switches and other hardware.
This may be a dumb request, but I'm struggling to understand how to implement VLANs in my network. This is a prerequisite for our future new ASA firewall installation.
I'll briefly explain the architecture and what I am trying to accomplish.
The network has a few Catalyst C2960X switches and a C3850. No VLANs set.
I've got some ESXi and other servers, a SAN and a NAS.
The goal is to segment the network with a few VLANs for security and network optimization.
I've implemented VTP version 3 with the 3850 as primary and used trunks to connect every switch.
I need to be able to divide the management consoles and services from the clients.
So what I've got in mind is to use, for example, VLAN 100 for the main office, VLAN 200 for the production plant, VLAN 300 for labs, and VLAN 400 for management; but I can't figure out how to make the servers in VLAN 100 accessible to clients in other VLANs, and how to put the Ethernet ports of the ESXi hosts and the NAS that are dedicated to management in VLAN 400 so that they are accessible to network admins.
DHCP and DNS are on those servers; the firewall/router is a ZyWALL.
I just don't understand how, from my laptop, to communicate with every VLAN, and how to let clients access the server services but not the management VLAN.
I hope you can help me out with this!
Thank you in advance
PP
01-11-2018 08:16 AM
Hello
For basic connectivity, your 3850 switch will perform the inter-VLAN routing.
Your DHCP/DNS servers will, I guess, reside in one of the VLANs you have created, and the clients will be able to reach these servers through the 3850 core switch.
These can be attached via normal access ports or aggregated into port-channels; it all depends on your requirements.
As for negating access between VLANs, you can apply routed ACLs on the SVIs and use various other options for security.
Below is a very basic setup just to give you an idea.
3850
conf t
ip routing
!
! VTP version 3: the 3850 is the primary server, so the VLAN database is pushed to the edge switches
vtp version 3
vtp domain STAN
vtp password xxx hidden
vtp mode server vlan
!
! VLAN database (VLAN names cannot contain spaces)
vlan 100
 name Main_Office_Vlan
vlan 200
 name Production_Vlan
vlan 300
 name Labs_Vlan
vlan 400
 name Server_Vlan
vlan 500
 name Management_Vlan
exit
!
! The default VLAN is not used: shut its SVI so nothing is reachable on VLAN 1
interface vlan 1
 shutdown
!
! Routed ACL, applied outbound on the management SVI (i.e. to packets routed toward hosts
! in 10.10.50.0/24): the user and server VLANs must not open sessions into the management VLAN.
! Routed ACLs are stateless, so the first line is needed to let TCP replies to sessions that
! admins in VLAN 500 opened come back; without it the admins could not reach anything either.
! UDP replies (for example DNS answers from a server in another VLAN) need their own permit line.
access-list 100 remark Deny access to MGT vlan
access-list 100 permit tcp any 10.10.50.0 0.0.0.255 established
access-list 100 deny ip 10.10.10.0 0.0.0.255 any
access-list 100 deny ip 10.10.20.0 0.0.0.255 any
access-list 100 deny ip 10.10.30.0 0.0.0.255 any
access-list 100 deny ip 10.10.40.0 0.0.0.255 any
access-list 100 permit ip any any
!
! SVIs: one per VLAN, each the default gateway for its subnet
interface vlan 100
 description Main_Office_Vlan
 ip address 10.10.10.254 255.255.255.0
interface vlan 200
 description Production_Vlan
 ip address 10.10.20.254 255.255.255.0
interface vlan 300
 description Labs_Vlan
 ip address 10.10.30.254 255.255.255.0
interface vlan 400
 description Server_Vlan
 ip address 10.10.40.254 255.255.255.0
interface vlan 500
 description Management_Vlan
 ip address 10.10.50.254 255.255.255.0
 ip access-group 100 out
!
! Trunks to the edge switches: native VLAN 50 is deliberately unused and not in the allowed list
! (untagged frames on the trunk are dropped), the allowed list is explicit, and DTP is disabled
interface x/x
 description Link to switch1
 switchport trunk native vlan 50
 switchport trunk allowed vlan 100,200,300,400,500
 switchport mode trunk
 switchport nonegotiate
 no shutdown
interface x/x
 description Link to switch2
 switchport trunk native vlan 50
 switchport trunk allowed vlan 100,200,300,400,500
 switchport mode trunk
 switchport nonegotiate
 no shutdown
etc..
!
! Default route to the WAN / ZyWALL firewall; x.x.x.x is the inside address of the ZyWALL (placeholder)
ip route 0.0.0.0 0.0.0.0 x.x.x.x
end
!
! Exec mode (not config mode): claim the VTP primary server role for the VLAN database
vtp primary vlan force
Edge switch (2960X)
conf t
! The edge switches stay Layer 2 only; `no ip routing` is the default on a 2960X
no ip routing
!
vtp version 3
vtp domain STAN
vtp password xxx hidden
vtp mode client
!
! Management SVI: a unique address per switch in the management subnet (10.10.50.x is a placeholder)
interface vlan 500
 description Management_Vlan
 ip address 10.10.50.x 255.255.255.0
 no shutdown
exit
! A Layer 2 switch does not route: the default gateway is how its management SVI reaches other subnets
ip default-gateway 10.10.50.254
!
! Uplink to the core, mirroring the trunk settings on the 3850
interface x/x
 description Link to 3850 core switch
 switchport trunk native vlan 50
 switchport trunk allowed vlan 100,200,300,400,500
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
! End-host ports: `switchport host` sets access mode, spanning-tree portfast and no port-channel
interface x/x
 description access-port
 switchport host
 switchport access vlan 100
interface x/2
 description access-port
 switchport host
 switchport access vlan 200
etc..
All switches
conf t
! hostname, domain name and a local admin account are prerequisites for the SSH key and for local AAA (xxx = placeholders)
hostname xxx
ip domain-name xxx
username xxx privilege 15 secret xxx
aaa new-model
aaa authentication login STAN local
aaa authorization console
aaa authorization exec STAN if-authenticated
aaa authorization commands 15 STAN local
crypto key generate rsa modulus 2048
ip ssh version 2
! Only the management VLAN may open a session to the switch itself
access-list 199 remark allow remote access to MGT vlan
access-list 199 permit ip 10.10.50.0 0.0.0.255 any
line vty 0 15
 access-class 199 in
 logging synchronous
 exec-timeout 10 0
 login authentication STAN
 transport input ssh
! SSH only: telnet would send the admin credentials across the network in clear text
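The ACLs in the answer above are stateless packet filters, which is what makes the `out` ACL on the management SVI tricky to reason about. The following is an added example, not part of the thread or of any Cisco tool: a small evaluator for IOS numbered extended ACLs (first match wins, implicit deny at the end, `established` matches only TCP segments with the ACK or RST bit set) run over constructed packets. The subnets are the ones used in the answer; the host addresses, the ACL variant with `established`, and the packets are assumptions made for the demonstration.

```python
"""Model how the IOS routed ACLs in the segmentation design above filter traffic.

Added example (not from the thread). Assumes standard IOS ACL semantics and
contiguous wildcard masks; host addresses below are made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False    # TCP ACK/RST bit set: this is what IOS `established` tests


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False


def _take_addr(tokens):
    """Consume one IOS address spec: `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD`."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    prefixlen = 32 - bin(wild).count("1")          # contiguous wildcard assumed
    base = ipaddress.ip_address(addr & ~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{base}/{prefixlen}"), tokens[2:]


def parse_acl(text):
    """Parse ACL entries written without the `access-list N` prefix; remarks are skipped."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        acl.append(Ace(action, proto, src, dst, "established" in rest))
    return acl


def evaluate(acl, pkt):
    """Return 'permit' or 'deny'; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return ace.action
    return "deny"


# ACL 100 as posted in the answer, applied `out` on interface Vlan500, i.e. to
# packets being routed toward hosts in 10.10.50.0/24.
ACL_100_POSTED = """
remark Deny access to MGT vlan
deny ip 10.10.10.0 0.0.0.255 any
deny ip 10.10.20.0 0.0.0.255 any
deny ip 10.10.30.0 0.0.0.255 any
deny ip 10.10.40.0 0.0.0.255 any
permit ip any any
"""

# Assumed variant: one line added so replies to TCP sessions opened by an admin
# in VLAN 500 can come back through the stateless filter.
ACL_100_ESTABLISHED = """
remark Deny access to MGT vlan, allow replies to admin-initiated TCP
permit tcp any 10.10.50.0 0.0.0.255 established
deny ip 10.10.10.0 0.0.0.255 any
deny ip 10.10.20.0 0.0.0.255 any
deny ip 10.10.30.0 0.0.0.255 any
deny ip 10.10.40.0 0.0.0.255 any
permit ip any any
"""

# ACL 199 as posted, applied with `access-class 199 in` on the vty lines.
ACL_199_VTY = """
remark allow remote access to MGT vlan
permit ip 10.10.50.0 0.0.0.255 any
"""

# Constructed packets: a client probing the management VLAN, a server answering
# an admin's SSH connection, a client forging an ACK-set segment, and a ping.
CLIENT_SYN = Packet("tcp", "10.10.10.20", "10.10.50.10")
SERVER_REPLY = Packet("tcp", "10.10.10.5", "10.10.50.10", ack=True)
FORGED_ACK = Packet("tcp", "10.10.10.20", "10.10.50.10", ack=True)
CLIENT_PING = Packet("icmp", "10.10.10.20", "10.10.50.10")
ADMIN_TO_VTY = Packet("tcp", "10.10.50.10", "10.10.50.254")
CLIENT_TO_VTY = Packet("tcp", "10.10.10.20", "10.10.50.254")


def verdicts(acl_text, packets):
    acl = parse_acl(acl_text)
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    mgmt = [CLIENT_SYN, SERVER_REPLY, FORGED_ACK, CLIENT_PING]
    print("posted ACL 100:     ", verdicts(ACL_100_POSTED, mgmt))
    print("with `established`: ", verdicts(ACL_100_ESTABLISHED, mgmt))
    print("vty access-class:   ", verdicts(ACL_199_VTY, [ADMIN_TO_VTY, CLIENT_TO_VTY]))
```

Two things fall out of running it. With ACL 100 exactly as posted, the server's SYN/ACK back to the admin is dropped along with the client's probe, so an admin in VLAN 500 cannot complete a session to any host in VLANs 100 to 400. Adding the `established` line fixes that, but `established` only checks a TCP flag: a host in a user VLAN that sends segments with ACK set (the ACK-scan trick) gets through to the management VLAN, which is the usual reason to put the stateful firewall, the ASA the original poster is planning, in front of the management network rather than relying on SVI ACLs alone. The `access-class` check behaves as expected: only sources in 10.10.50.0/24 reach the vty lines.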
01-12-2018 07:29 AM
Thank you for the prompt reply Paul,
I'm studying everything you've posted, and I'll let you know if something's wrong.
Have a good day
PP
03-06-2018 12:33 AM
Hello Paul,
I've been simulating the solution with Cisco Packet Tracer, and I have a few concerns I hope you can help me solve.
First things first, I'm going to explain what I've done so far:
I created a LAN with 3 main switches, two 2960 and one 3850.
I created a VLAN domain with the latter switch being the primary, all connected together in trunk mode with native VLAN 50, and a restriction to VLANs 100, 200, 300, 400 and 500 only.
I assigned the IP addresses to the VLANs: for VLAN 100 --> 10.10.10.254 255.255.255.0, etc...
Then I attached a few PCs and servers via access ports, assigning VLAN 100 or 200 or 300 etc. on each port.
As you suggested, I've applied ACLs to the switches:
On the 3850, in which I guess I'm denying access from every single VLAN to the others:
access-list 100 remark Deny access to MGT vlan
access-list 100 deny ip 10.10.10.0 0.0.0.255 any
access-list 100 deny ip 10.10.20.0 0.0.0.255 any
access-list 100 deny ip 10.10.30.0 0.0.0.255 any
access-list 100 deny ip 10.10.40.0 0.0.0.255 any
access-list 100 permit ip any any
And, in which I'm permitting VLAN 500 to go anywhere:
access-list 199 remark allow remote access to MGT vlan
access-list 199 permit ip 10.10.50.0 0.0.0.255 any
I don't understand these parts:
ip route 0.0.0.0 0.0.0.0 interface ?? x.x.x.x < default route to WAN or ZyWALL fw <<-- I don't know what I need to write here
int vlan 500
description Management_Vlan
ip address 10.10.50.254 255.255.255.0
ip access-group 100 out <<-- what is this? The switch doesn't allow me to do it
On the 2960s:
I've applied the same acl 199.
But I don't understand this config:
Edge switch
conf t
no ip routing <<-- the switch doesn't allow me to do this
int vlan 500
description Management_Vlan
ip address 10.10.50.x 255.255.255.0 <<-- what is this address?
exit
ip default-gateway 10.10.50.254 <<-- why do I need to specify a gateway?
Waiting for your kind reply, thanks again for your time and have a good day.
Piero