04-20-2007 07:00 PM - edited 03-05-2019 03:35 PM
I'm upgrading my network from a router-on-a-stick design using 3500XL and 2900XL to fully routed links from build to build using 3560 and 4500. I'm running a 6513 with Sup720 in the core. The switch upgrades are in the distribution, and currently all VLANs span the whole network, 18 builds in all. I have 10 VLANs total but only need 4 VLANs in all builds. Is there a way to trunk VLANs over routed links? What IOS images do I need, and what commands do I use?
Thank You
04-23-2007 05:35 AM
There is no clean way that I know of to accomplish what you are asking. Anything designed to accomplish this would probably give you more trouble than it is worth.
With what you've stated I think your best choices are:
1- Configure trunking on the links. Manually prune the trunks to allow only the 4 VLANs that need to be everywhere and also create another VLAN specific to that link for routing purposes.
2- If you have enough ports/cable plant, have two connections to each switch. A L3 routed connection and the other a L2 trunk for the 4 VLANs that need to be everywhere. Once again, be sure to manually prune all other VLANs off.
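Option 1 above, sketched as IOS configuration for the building-side 3560 uplink. This is an added example, not part of the original replies; the interface name, the VLAN IDs (10, 20, 30, 40 for the four shared VLANs, 901 for the per-link routing VLAN) and the addresses are assumptions.

```cisco
! Building-side 3560 uplink to the core, configured as a pruned 802.1Q trunk.
! Constructed values: Gi0/1, VLANs 10/20/30/40 (the four shared VLANs),
! VLAN 901 (routing VLAN used only on this link), 10.255.1.0/30.
!
vlan 901
 name ROUTED-LINK-BLDG1
!
! Manual pruning: the allowed list carries only the shared VLANs plus this
! link's routing VLAN, so every other VLAN is kept off the trunk.
interface GigabitEthernet0/1
 description Uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,901
!
! The SVI in the link-specific VLAN carries the routed traffic.
interface Vlan901
 description L3 point-to-point to core
 ip address 10.255.1.2 255.255.255.252
 no shutdown
!
! Enables L3 forwarding on the 3560.
ip routing
!
! Verify that only the intended VLANs are allowed and active on the trunk:
!   show interfaces trunk
!   show vlan brief
```

The core side of the link needs the matching allowed list and the other address in the /30; each building link gets its own routing VLAN and subnet.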
04-23-2007 12:03 PM
I'm trying to create a cookie-cutter network, with all builds having the same VLAN design, and route all traffic back to my core. My guest network is a must-have network to a building; if I can keep all that traffic in one VLAN, I can trunk to my firewall. What would be the best way to set this up if I just used routing to the core and a new VLAN domain in each build?
04-24-2007 04:05 AM
So if I understand you correctly, each building will follow the same design, each with its own set of VLANs and networks and with routed L3 connections back to the core. The exception being a single guest VLAN/network that needs to be in one or more buildings and will have its gateway IP be the firewall interface.
If so then you need to make a decision:
You can give this guest network dedicated L2 access links from each building to the core separate from the L3 connections.
Or you can trunk single connections from each building allowing one VLAN to support the routing, and the other the guest network.
Also - just a thought, if you have available interfaces on the firewall, it may be best to connect this guest to a dedicated interface and create something of a DMZ for this network for better control and to better protect your internal network.
04-24-2007 08:07 AM
The guest network in its current design is connected to my FWSM in my core 6513. If I do not trunk any VLANs back to the core, how do I keep this network separate?
This is my redesign:
Building 1: 10.1.X.X
Building 2: 10.2.X.X
Building 3: 10.3.X.X
Guest: 10.X.1.X: VLAN10
Staff: 10.X.2.X: VLAN20
Admin: 10.X.3.X: VLAN30
Thank you for your support.
04-24-2007 11:06 AM
To accomplish what you are asking, I'd say you would have to have a separate router/L3 switch at each building to provide a gateway for only the guest VLAN and then a separate L3 link back to the core or L3 aggregation device for all guest VLANs and then to the core.
This would allow you to control the routing for the guest VLANs and keep it separate from the rest of your network.
Granted, there are probably other ways to accomplish this (tunneling, VPNs, etc.) but I would try to avoid creating something that in the end becomes a bear to manage and could compromise your network.