VLANS creation / organization

Mat Dan
Level 1

Hello :-)

Things are a bit mixed up in my mind, so I'll ask your help for clarification.

I'm taking in charge the management of the network (I'm basically a sys admin), and the CCNA is dusted.

We have 2 3548 XL switches, both linked.

- On the first one, I'd like to set up 3 VLANS, one for servers (1 port, servers have their own switch), one for workstations (all unused ports), one for printers (5 ports). I'm thinking about a VOICE VLAN, a NETWORK VLAN, and an administration VLAN too. The workstations will be on the " rest ", on both switches.

- Currently, all being on a flat organization, one port goes to the " outside " (firewall).

Questions :

1) If all the VLANs exist on one single switch, do I need any kind of encapsulation like dot1Q or not at all (as vlans are not being distributed among several switches, switch 2 will just use the GB link port to switch 1) ? If no, then I don't need any trunking stuff ?

2) Routing ... Of course, printers, computers, servers, network stuff all need to communicate even if not on the same network. Do I have to set up one specific route for each VLAN to each and every other VLAN ? Should I use a default gateway too ?

3) Finally, I've been asked to set up a " separate network administration for servers and network elements ". Are some of you used to setting up that kind of thing, is it about ACLs for who can access this or that, or is it something different ?

I'll check books and online stuff, and check this, but if you can help me, I'd be grateful :)

Thanks in advance !

8 Replies

cofee
Level 5

Questions :

1) If all the VLANs exist on one single switch, do I need any kind of encapsulation like dot1Q or not at all (as vlans are not being distributed among several switches, switch 2 will just use the GB link port to switch 1) ? If no, then I don't need any trunking stuff ? You also stated that you will have user machines connected to second switch as well, if that's the case then you should configure a trunk between these two switches. Without knowing your overall topology it's kind of hard to answer.

2) Routing ... Of course, printers, computers, servers, network stuff all need to communicate even if not on the same network. Do I have to set up one specific route for each VLAN to each and every other VLAN ? Should I use a default gateway too ? Are you configuring these switches to be the core? If so, you can create SVIs for the listed VLANs and that would take care of routing. The SVI address will be the gateway for end hosts.

3) Finally, I've been asked to set up a " separate network administration for servers and network elements ". Are some of you used to setting up that kind of thing, is it about ACLs for who can access this or that, or is it something different ? Yes, you can use ACLs to filter traffic between VLANs/subnets on the switch itself.

You mentioned that you will also be connecting this switch to the outside interface of the firewall? Why would you do that? This is your LAN and it should be behind the INSIDE interface of the firewall (this is usually the most protected interface, with a security level of 100 by default unless you change it or name it something else).

Hello, thanks for your help Cofee, I meant outside of the switch, sorry if it wasn't clear :)

dperezoquendo
Level 1

Hello,

I would probably keep these vlans simple and in increments of 10.

vlan 10 = Data (e.g. workstations)

vlan 20 = Voice (e.g. phones)

vlan 30 = Server (e.g. servers)

vlan 40 = Printer (e.g. printers)

vlan 50 = Management (e.g. your "administration")

vlan 999 = Native VLAN (e.g. your native vlan for trunks)

You may also group your printers with the data vlan.

All vlans should be configured on your distribution switch and your access switches will vary depending on the current design. For example, it's unnecessary and, I believe, can be seen as a security risk to configure a voice vlan on a switch that will have no phones attached to it. Then ensure connections between your access and distro switches are trunked between each other as necessary. Best practice for security reasons is to not use the default of vlan 1 as your native vlan.

For routing, ensure you set up an SVI at the distribution switch. This SVI will be the default gateway for your end devices.

As for your network management, just remember that there is going to have to be a separate "management" workstation configured for this network. You can then limit SSH access to all network devices via this network only. A standard ACL permitting only this network and denying all others will be sufficient.

HTH
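An added IOS configuration sketch of the plan above (example config, not from the thread or the poster): the VLAN numbering, a trunk with native VLAN 999 and a pruned allowed list, SVIs as the hosts' default gateways, and a standard ACL limiting SSH to the management network. The VLAN IDs follow the post; the 10.0.<vlan>.0/24 addressing, interface numbers and ACL name are constructed assumptions, and it assumes a distribution switch that supports ip routing (as the 3550 named later in the thread does).

```cisco
! Assumptions: L3-capable distribution switch; 10.0.<vlan>.0/24 addressing is constructed
vlan 10
 name Data
vlan 20
 name Voice
vlan 30
 name Server
vlan 40
 name Printer
vlan 50
 name Management
vlan 999
 name Native
!
! Uplink to a workstation access switch: carry only the VLANs that switch needs
! (no server VLAN 30) and move untagged frames off VLAN 1 onto unused VLAN 999
interface GigabitEthernet0/2
 description Trunk to access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,40,50
!
! Typical workstation port: PC untagged in data VLAN 10, phone tagged in voice VLAN 20
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! SVIs: each interface address is the default gateway for hosts in that VLAN
ip routing
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
!
! Management: only hosts in VLAN 50 may open an SSH session to the switch
ip access-list standard MGMT-ONLY
 permit 10.0.50.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
```

The same MGMT-ONLY access-class belongs on the vty lines of every switch, so a workstation in the data VLAN cannot reach any device's CLI even if it guesses a password.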

Very clear, thank you !

Joseph W. Doherty
Hall of Fame

1) If all the VLANs exist on one single switch, do I need any kind of encapsulation like dot1Q or not at all (as vlans are not being distributed among several switches, switch 2 will just use the GB link port to switch 1) ? If no, then I don't need any trunking stuff ?

First, it depends whether you want hosts on your two different switches to have direct L2 communications.  If so, you need to bridge VLAN(s) between the switches.  This can be done using one port per VLAN you wish to share or it can be done using a trunk, the latter allows multiple VLANs to share the connection.  Dot1Q is the current standard encapsulation method for doing that, but your 3548 XLs might also support Cisco's earlier ISL.

2) Routing ... Of course, printers, computers, servers, network stuff all need to communicate even if not on the same network. Do I have to set up one specific route for each VLAN to each and every other VLAN ? Should I use a default gateway too ?

Yes, if you want to jump between VLANs, you'll need to route. Believe the 3548 XLs are L3 switches. By default, if routing is enabled on the L3 switch, it should be able to route between all the networks known to that L3 switch. Things become more complicated if you need to route between the two 3548 XLs, or other devices, but you might run one 3548 XL as a L3 switch and one just as a L2 switch.

Default gateways are generally defined on hosts; today often provided via DHCP.

3) Finally, I've been asked to set up a " separate network administration for servers and network elements ". Are some of you used to setting up that kind of thing, is it about ACLs for who can access this or that, or is it something different ?

Yes, generally it's a network devoted to management of devices. Often also protected by ACLs (to ensure only authorized devices can intercommunicate). Sometimes it's supported by having management IPs in a different logical network, sometimes by using dedicated interfaces on the hosts.

Thank you for the explanation Joseph.

Mat Dan
Level 1

First, I'd like to thank all those who replied so quickly, thank you, it really helps me get back on the rails. I found an old Packet Tracer and will practice labs there (and took my network books off the shelf ... will buy some new ones too I guess, I find networking very interesting, but I guess you have to keep your hands on it not to lose the skill ... Like for everything in fact :))

Explanations were very clear, here are my final thoughts and questions ;-)

I've made a little drawing of the current configuration. Everything is in the same building, same room. You see 24p switches but these are 48p in reality.

For now, everything is in " VLAN 1 " on the same network.

Servers have their own switch linked from G0/1 to the upper switch through G0/1 too

Workstations, printers are connected on the upper switch and on the down switch (both switches connected through the G0/2 interface on the upper switch, and the G0/1 on the down switch).

The " way out " to the firewall is connected on the upper switch.

So, my final questions :

Let's say that (something simple without printers, management, network ...) on the upper switch (let's call it " core " in a way) :

SERVERS = VLAN 10 = Ports 1-5 on first switch

WORKSTATIONS = VLAN 20 = All the rest

1) If the secondary switch is " just for workstations ", if I just put G0/2 on switch 1 in VLAN 20, do I keep the actual " uplink " without having to trunk ? If so, same for " server switch " by simply putting G0/1 on " upper switch " in VLAN 10 ?

2) Should I put the " Outside to Firewall " connection in a specific port on the " upper switch " ? Its place is in the eventual " Network VLAN " (not mentioned in the current example), isn't it ? Should I set up a default route to the firewall for the switch or a route to the firewall per VLAN?

3) DHCP ... I'll check how a DHCP server from VLAN 10 can distribute IPs to Workstations on VLAN 20

Hello

So in a way, your top switch appears to be more in a Core/Distribution role while your server switch and bottom switch appear to be more within the access layer. In my opinion, for simplicity of the network and management, I would create the SVIs for all VLANs on the top switch and configure trunk ports between the switches. If you're not using a dynamic protocol like OSPF, you're going to have to configure some static routes to finish it up.

1) If the secondary switch is " just for workstations ", if I just put G0/2 on switch 1 in VLAN 20, do I keep the actual " uplink " without having to trunk ? If so, same for " server switch " by simply putting G0/1 on " upper switch " in VLAN 10 ?

I would still configure a trunk port for these connections. Now, however, if for whatever reason you don't want to use the top 3550 as the core/distro switch, and/or if your current configs have the server switch and bottom switch as layer 3 switches, I would do a /30 subnet for interconnects between the switches. Though as mentioned earlier, I think a cleaner build with the top switch designated as the core/distribution switch would be a better design.

2) Should I put the " Outside to Firewall " connection in a specific port on the " upper switch " ? Its place is in the eventual " Network VLAN " (not mentioned in the current example), isn't it ? Should I set up a default route to the firewall for the switch or a route to the firewall per VLAN?

I would specify what your uplink port to the firewall will be. This uplink can just be a /30 subnet between the two. I also think a default route would be best. The environment appears quite small and if it ever becomes necessary to block certain IPs or networks, I think firewall rules or even ACLs on the switches will suffice.

3) DHCP ... I'll check how a DHCP server from VLAN 10 can distribute IPs to Workstations on VLAN 20

I think this explains it pretty well and may work for you. http://www.michaelriccioni.com/how-to-multiple-vlans-single-dhcp-server-multiple-dhcp-scopes-2/.
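An added configuration sketch for the three points in this reply (example config, not from the thread or the linked article): the top switch as core/distribution with a trunk to the bottom switch, a routed /30 uplink to the firewall with a single default route, and DHCP relay so a server in VLAN 10 can hand out addresses to workstations in VLAN 20. VLAN numbers follow the questioner's example; the 10.0.x.0/24 and 192.0.2.0/30 addresses, port numbers and the DHCP server address 10.0.10.10 are constructed assumptions.

```cisco
! Top switch, core/distribution role. All addresses are constructed assumptions.
ip routing
!
! Servers on ports 1-5 (VLAN 10); the SVI is the servers' default gateway
interface range FastEthernet0/1 - 5
 switchport mode access
 switchport access vlan 10
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ! Forward workstation DHCP broadcasts as unicast to the server in VLAN 10;
 ! that server needs a 10.0.20.0/24 scope whose router option is 10.0.20.1
 ip helper-address 10.0.10.10
!
! Trunk to the bottom (workstation-only) switch: only VLAN 20 is carried
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20
!
! Routed /30 uplink to the firewall's inside interface
interface FastEthernet0/48
 description Uplink to firewall inside interface
 no switchport
 ip address 192.0.2.2 255.255.255.252
! One default route serves every VLAN; no per-VLAN route to the firewall is needed
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The firewall must carry a return route for the VLAN subnets (here 10.0.0.0/16) via 192.0.2.2, or replies to internal hosts are dropped; the bottom switch's G0/1 gets the matching trunk configuration.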