Network design questions

Feb 5th, 2007

Hi friends,

I just wanted to share a design of an old network, and based on that ask for suggestions on integrating the new network into the old network.

The diagram has been enclosed for your reference as well.

The old network has essentially two categories of users: Admin and Guests. There are two network segments created for both of them as well, which are as follows:

Admin Users: / 24

Guest users: /24

The access method is different for both categories of users. With regards to outside access, the Admin users go through the firewall. But guest users don't touch the firewall. Regarding DHCP, the Admin users get their DHCP address from a server in For wireless users, the DHCP server / Default Gateway is the Egress server (a Linux box) with IP address / 24. The default gateway for the Admin users is the firewall viz. Both the Egress server and the Symantec firewall have a public interface too connecting to the router.

The 3560's connecting to the Egress, Symantec are all Layer 2. The same servers will be used by the new network users too for DHCP allocation, Internet access, firewall filtering. There are no VLAN's in the current network, which means there is only one VLAN, viz. VLAN 1. The old network was set up by a third party.

With regards to the new network in a different building, the network design and integration has been contracted to us.

Now, there is a core / distribution switch 4506 connected to 3560 access switches in different floors. The access switches are connected to users and access points. We are planning for floor based VLAN's and also ensuring that wired / wireless VLAN's are separated too. The design is pretty simple if you look at the new building / network alone. But a few questions that pop up are as follows:

1. The 4506 switch connects through fiber to the old building 3560 switches which in turn connect to the Egress and Symantec firewall. Now, how should the ports connecting the 4506 to the 3560 be configured? As trunks? I am not sure as 3560 will have no ports configured in VLAN's created on 4506. So, why should it receive VLAN info from 4506?

2. How will I be able to pass traffic from VLAN's on the new network to the servers in the old network? The old network has only one VLAN viz. VLAN1. And the new network has multiple VLAN's.

As of now, all that I can think of is to configure the 3560's connected to servers as Layer 3 devices. The 3560's can be used to route traffic between the old network and new network. The 3560 and 4506 can share a common VLAN. There can be routes created on the 3560's pointing to 4506 for reaching VLAN's created on the new network. Similarly, there can be routes added on the core to reach the 3560's for the old network. But the DHCP servers become two hops away now for clients on the new network. So, the first hop is the 4506 switch and the second hop is the 3560 connected to the server. So, I believe I need to configure ip-helper address on the 4506 as well as the 3560 switches? I really need some help in validating this solution as well.

Once I know the answer to these two questions, I think that the setup pretty much gets straightforward. I can configure ip-helper address to pass DHCP requests to different DHCP servers on the Layer 3 vlan interface. And I can use policy-based routing to pass traffic to different default gateways (for admin and guests) because that is source-sensitive.

Looking forward to your kind help in this regard.

Thanks a lot


gautamzone Mon, 02/05/2007 - 22:18

Hi friends,

Sorry for the terribly long post!!! I just wanted to be descriptive about the issue.

To sum up, I just have one concern. How can I integrate a VLAN-based network into a non-VLAN network? The non-VLAN or VLAN1 network has all the servers / Internet access services.

I just need a rough idea on how to proceed. Once I get it, I am ready to take up from there!!! All the switches at the edge are 3560 Standard Image and the core is 4560.



Amit Singh Mon, 02/05/2007 - 23:14


There are two ways to do it:

1. Create two vlans on 4500, i.e. a vlan for admin segment users and a vlan for wireless segment users, say vlan 192 and vlan 10. The links from the respective 3560's should be terminated in the respective vlans. Say the admin (192) segment 3560 switch will be connected to vlan 192 and the wireless segment switch (10) should be connected to vlan 10.

Create the SVI's for the respective vlans on 4500. Set the gateway for admin users as the firewall and the gateway for wireless users as the linux box. For intervlan routing between admin users and wireless users, configure the static routes on the firewall and linux box with the next-hop ip of the Cat4500 SVI's. For example on the firewall:

ip route

This will work for you.

2. In the second option you can do it using Policy Based Routing on 4500. Set the respective vlan clients' default gateway as the SVI of the 4500 and configure policy based routing to route the traffic based on source address, i.e. users from the admin vlan will have the firewall as the next hop ip for internet and the users from the wireless segment will have the linux box as the next hop ip.

Please revert in case of any questions.

HTH, please rate if it does.

-amit singh
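As an added example, not part of Amit's reply or any configuration from the thread: a Cat4500 configuration sketch of his second option (floor VLANs with the 4500 SVI as gateway, egress split by source with policy-based routing, DHCP relayed with ip helper-address). Every address, the floor VLAN numbers 20 and 30 and the interface names below are constructed placeholders, since the thread's own addresses did not survive; VLANs 192 and 10 are the ones Amit named. The PBR match ACLs deny campus destinations first, so traffic between the VLANs is routed normally (and can be filtered) instead of being pushed to the firewall or the Linux box, and the guest SVI carries an inbound ACL so wireless users cannot reach the admin segments now that the 4500 routes between both.

```cisco
! Added example (not from the thread): Amit's option 2 on the Cat4500.
! Constructed placeholder addressing, assumed for this example only:
!   old admin segment    10.192.0.0/24  firewall 10.192.0.1, DHCP server 10.192.0.10
!   old wireless segment 10.10.0.0/24   Linux egress box 10.10.0.1
!   new admin floor 1    10.20.0.0/24   VLAN 20
!   new wireless floor 1 10.30.0.0/24   VLAN 30
ip routing
!
! Old-building uplinks terminate as access ports in the two server VLANs;
! the old 3560s stay Layer 2 and keep everything in their VLAN 1.
interface GigabitEthernet1/1
 description fiber to old 3560 (admin segment)
 switchport mode access
 switchport access vlan 192
interface GigabitEthernet1/2
 description fiber to old 3560 (wireless segment)
 switchport mode access
 switchport access vlan 10
!
! SVIs inside the old segments: the servers route back to these addresses.
interface Vlan192
 ip address 10.192.0.254 255.255.255.0
interface Vlan10
 ip address 10.10.0.254 255.255.255.0
!
! Match ACLs for PBR. The deny lines exclude campus destinations, so
! traffic between the VLANs falls through to normal routing instead of
! being forced out via the Internet next hop.
ip access-list extended ADMIN-SRC
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.20.0.0 0.0.0.255 any
ip access-list extended GUEST-SRC
 deny   ip 10.30.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.30.0.0 0.0.0.255 any
!
route-map SPLIT-EGRESS permit 10
 match ip address ADMIN-SRC
 set ip next-hop 10.192.0.1
route-map SPLIT-EGRESS permit 20
 match ip address GUEST-SRC
 set ip next-hop 10.10.0.1
!
! Guests may reach their own egress box but not the admin networks.
ip access-list extended GUEST-IN
 deny   ip any 10.192.0.0 0.0.0.255
 deny   ip any 10.20.0.0 0.0.0.255
 permit ip any any
!
interface Vlan20
 description new admin floor 1
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.192.0.10
 ip policy route-map SPLIT-EGRESS
interface Vlan30
 description new wireless floor 1
 ip address 10.30.0.1 255.255.255.0
 ip helper-address 10.10.0.1
 ip access-group GUEST-IN in
 ip policy route-map SPLIT-EGRESS
!
! Return path: the old servers must know the new subnets sit behind the 4500.
! Linux egress box (iproute2):       ip route add 10.30.0.0/24 via 10.10.0.254
! Firewall: equivalent static route  10.20.0.0/24 via 10.192.0.254
```

Two checks worth making before relying on this: confirm with `show route-map SPLIT-EGRESS` that packet counts rise on the expected sequence for each VLAN, and confirm the old servers really have the return routes, since without them the relayed DHCP offers and all reply traffic to the new subnets will be sent to the servers' default gateway instead of back to the 4500.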

gautamzone Tue, 02/06/2007 - 00:35

Hi Amit,

Thanks a lot for your efforts and response. I understood the second point that you mentioned. But I wanted to clarify on the first point.

So, on the first point, you are saying that I create two SVI's on the 4500, one for admin and one for wireless. The SVI's should have the IP addresses configured in the same segment as that of the servers (Linux box and firewall)? Both the servers should have routes pointing to the 4500's SVI.

If I create a SVI whose VLAN is 192 with IP address, and I have a server ( connected to the switch which has no VLAN's configured (which means the default VLAN 1 only), then will the SVI ( - VLAN 192) be able to communicate to the server (, VLAN1)?

Thanks a lot again


gautamzone Tue, 02/06/2007 - 06:20

Sorry if my question was not clear. Just wanted to ask that if the server is in VLAN1 and the SVI's IP is in a different VLAN, though in the same segment, will I be able to ping to the server's IP from the core switch?

If it will not work, what do you suggest? Shall I make the 3560 a Layer 3 device that routes between the 4506 and the servers connected to it?

Thanks a lot


gautamzone Tue, 02/06/2007 - 10:27

Hi to All,

Sorry to come up with so many questions. I have just thought about a solution and I request your kind help in validating it.

1. 4506 connects to 3560 on VLAN 192 (Admin)

2. 4506 connects to 3560 on VLAN 10 (Wireless)

Both 4506 and 3560 have Layer 3 SVI's for VLAN 10 and VLAN 192. The 4506 will point to the 3560's SVI's to reach the networks behind them through static route on 4506. Similarly, the 3560's will point to the 4506's SVI's to reach the networks behind the 4506 through static routes. (I will need to configure IP routing on the 3560's to make them Layer 3).

So, basically the links between the 4506 and the 3560 are NOT trunk links and just normal links whose ports are access ports.

The servers in the old network (behind the 3560's) will have a route add statement (and equivalent route statement for Linux box) to reach the networks behind the 4506 having the 3560's VLAN 1 IP as the next hop.

Does this solution sound workable?

Thanks a lot again and sorry to post so many questions in this regard.
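The routed design proposed above, written out as an added configuration example that is not from the thread, with constructed placeholder addressing: the fiber uplinks are access ports in VLAN 192 and VLAN 10, which serve as small transit subnets (172.16.192.0/30 and 172.16.10.0/30, assumed here), each 3560 runs `ip routing` with its VLAN 1 SVI inside the old server segment, and static routes point both ways. The old server subnets 10.192.0.0/24 and 10.10.0.0/24, the device names 3560-A and 3560-B, the interface names and the new floor VLANs 20 and 30 are likewise assumptions. On the two-hop DHCP question: only the first-hop SVI on the 4506 needs `ip helper-address`; the relay rewrites the client's broadcast into a unicast addressed to the server, which the 3560 then simply routes like any other packet.

```cisco
! Added example (not from the thread): the proposed routed design.
! Constructed placeholder addressing, assumed for this example only:
!   old admin segment (VLAN 1 on 3560-A)    10.192.0.0/24  firewall 10.192.0.1, DHCP 10.192.0.10
!   old wireless segment (VLAN 1 on 3560-B) 10.10.0.0/24   Linux egress box 10.10.0.1
!   transit VLAN 192 (4506 <-> 3560-A)      172.16.192.0/30
!   transit VLAN 10  (4506 <-> 3560-B)      172.16.10.0/30
!   new admin floor 1 VLAN 20 10.20.0.0/24, new wireless floor 1 VLAN 30 10.30.0.0/24
!
! ===== 4506 (core) =====
ip routing
interface GigabitEthernet1/1
 description fiber to 3560-A, access port in transit VLAN 192
 switchport mode access
 switchport access vlan 192
interface GigabitEthernet1/2
 description fiber to 3560-B, access port in transit VLAN 10
 switchport mode access
 switchport access vlan 10
interface Vlan192
 ip address 172.16.192.1 255.255.255.252
interface Vlan10
 ip address 172.16.10.1 255.255.255.252
! Client VLANs: the relay here turns the DHCP broadcast into a unicast,
! so the 3560s downstream need no helper address of their own.
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.192.0.10
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip helper-address 10.10.0.1
! Old segments live behind the 3560s; the admin side is the default path.
ip route 10.192.0.0 255.255.255.0 172.16.192.2
ip route 10.10.0.0 255.255.255.0 172.16.10.2
ip route 0.0.0.0 0.0.0.0 172.16.192.2
! (steering guest egress toward the Linux box needs policy routing, omitted here)
!
! ===== 3560-A (old admin servers in VLAN 1) =====
ip routing
interface GigabitEthernet0/1
 description fiber to 4506, access port in transit VLAN 192
 switchport mode access
 switchport access vlan 192
interface Vlan192
 ip address 172.16.192.2 255.255.255.252
! VLAN 1 SVI inside the old segment: the next hop the servers route to.
interface Vlan1
 ip address 10.192.0.253 255.255.255.0
ip route 10.20.0.0 255.255.255.0 172.16.192.1
ip route 10.30.0.0 255.255.255.0 172.16.192.1
! Internet-bound traffic from the new building continues to the firewall.
ip route 0.0.0.0 0.0.0.0 10.192.0.1
!
! ===== 3560-B (old wireless segment in VLAN 1) =====
ip routing
interface GigabitEthernet0/1
 description fiber to 4506, access port in transit VLAN 10
 switchport mode access
 switchport access vlan 10
interface Vlan10
 ip address 172.16.10.2 255.255.255.252
interface Vlan1
 ip address 10.10.0.253 255.255.255.0
ip route 10.20.0.0 255.255.255.0 172.16.10.1
ip route 10.30.0.0 255.255.255.0 172.16.10.1
ip route 0.0.0.0 0.0.0.0 10.10.0.1
!
! On the servers in VLAN 1 (return routes to the new building):
!   Linux egress box:        ip route add 10.30.0.0/24 via 10.10.0.253
!   Firewall and DHCP server: static route 10.20.0.0/24 via 10.192.0.253
```

With this layout the 3560s become the single point where the old segments meet the new ones, so `show ip route` on each 3560 and a ping from the 4506 to 10.192.0.10 and 10.10.0.1 are the quickest validation; if the ping fails while the transit SVIs answer, the missing piece is almost always the return route on the server side.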


gautamzone Wed, 02/07/2007 - 08:33

Hi friends,

Eagerly waiting for some insight and inputs on my question!!!

Thanks a lot


