3560's connecting two LANS with two VLANs

Jan 30th, 2007

My current setup consists of two 3560 switches in two different buildings connected by fiber.

We are currently running a 10.10.10.X network across them.

We have a DMZ in Building A running a 192.168.10.X network off of a second interface on our PIX. There is a primary interface on the PIX that is connected to this 3560 switch.

What we need to know is how to get the 192.168.10.X network into Building B. We have a dev server in Building B that we need to be able to connect to the DMZ for testing purposes.

Can I create a VLAN to somehow get a port on both 3560's to be on the 192.168.10.X network, keeping in mind that the only connection these two switches have is the one strand of fiber that is routing the 10.10.10.X traffic?

Would the fiber ports have to also be assigned this new VLAN as well as the default? Will this solution work?

If there is a better way please let me know.


Amit Singh Tue, 01/30/2007 - 06:40


My idea for this would be :

1. Connect the DMZ interface to the 3560 switch, or any other switch which is trunked to the 3560 in building A, which is connecting the two buildings.

2. Configure the new VLAN on both the 3560 switches and configure the link between them as trunk ports.

3. Do not configure any VLAN interface on either of the 3560's.

4. Connect the user to the new VLAN configured on the 3560 switch in building B.

5. Set the default gateway for the PC as the IP address of the DMZ interface of the PIX.

This should work for you.


-amit singh

boschrexroth Tue, 01/30/2007 - 08:01

Thanks Amit.

Couple of questions:

You say to configure ex.VLAN 100 on both switches but not to configure any interfaces. Do you mean do not assign an IP to the VLAN or not assign any ports to the VLAN?

I have posted my current Gig0/25 port, which is what the fiber is connected to. It is the same config on both switches. I have also included my VLAN statement.

Say I use Gig0/1 on both switches for this new VLAN. One would be connected to the DMZ switch and one would be connected to the server in the other building. Do I assign these two ports to the new VLAN and do I assign gig0/25 (fiber link) to both the default VLAN and this new VLAN?

Do I not need to assign an address for the DMZ to this new VLAN, or is the routing taken care of by the VLAN?


interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point

interface Vlan1
 ip address

boschrexroth Tue, 01/30/2007 - 11:20

I should also mention that I do not want these two networks to be able to communicate.

As the 192.168.10.X network is my DMZ it cannot have any access to my internal network which is 10.10.10.X

Thanks again.
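
The layout discussed in this thread, written out as an added example that neither participant posted: VLAN 100 and Gi0/1 are the values floated in the follow-up question, while the VLAN name, the port descriptions and the assumption that VLAN 1 is the only other VLAN crossing the fiber are illustrative.

```cisco
! Added example, not from the thread. Apply on BOTH 3560s unless noted.
! Assumed: VLAN name "DMZ", port descriptions, and that only VLAN 1
! (10.10.10.X) and VLAN 100 (192.168.10.X) need to cross the fiber.
!
! Layer 2 only: define the VLAN, give it no IP address anywhere on the 3560s.
vlan 100
 name DMZ
!
! Building A: Gi0/1 connects to the DMZ switch / PIX DMZ segment.
! Building B: Gi0/1 connects to the dev server.
interface GigabitEthernet0/1
 description DMZ 192.168.10.X access port
 switchport mode access
 switchport access vlan 100
!
! Fiber uplink: it is already an 802.1Q trunk, so it will carry VLAN 100
! tagged alongside VLAN 1. The existing QoS lines stay as they are.
! Listing the allowed VLANs explicitly keeps anything else off the link;
! add any other VLAN that is actually in use (for example a voice VLAN).
interface GigabitEthernet0/25
 switchport trunk allowed vlan 1,100
!
! Step 3 of the answer: no "interface Vlan100" on either switch.
! Without an SVI the 3560 has no Layer 3 presence in the DMZ VLAN, so it
! cannot route between 192.168.10.X and 10.10.10.X. The only path between
! them is through the PIX, where the firewall policy applies.
! Only needed if an SVI was created during testing:
no interface Vlan100
!
! Checks to run afterwards (exec mode):
!   show vlan id 100              -> Gi0/1 listed as a member
!   show interfaces trunk         -> Gi0/25 allows and forwards 1,100
!   show ip interface brief       -> no Vlan100 interface with an address
```

The dev server in Building B then takes a 192.168.10.X address with the PIX DMZ interface as its default gateway, as in step 5 of the answer; if that server also keeps a second NIC in 10.10.10.X, it becomes a path between the two networks that bypasses the PIX.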

