4503 vlan design

Answered Question
Sep 24th, 2007

Ok, this is a lot of info attached. Not that I want a person to show me step by step on what to do. I would just like some of the questions answered. This switch was configured before I came on board. I guess I want to make sure this is a good design and that I am knowledgeable about the logic. Thanks in advance.



IGBarrere Mon, 09/24/2007 - 14:14

Looks like a decent config to me... I'm not really sure what you're asking, as it's a bit vague. I mean, the config is a good general config, yet I'm not sure what the box should be doing either. If you want to give some more details, I may be able to help you out some more.

rhopkins_nci Mon, 09/24/2007 - 16:58

Yeah, I figured I wasn't too clear, but that was after posting it.


Ok, first things first, I need a little education here.

1. What is vlan 2? It has a public ip, but it's not a routing vlan b/c ip routing isn't enabled. Am I right? I use it to login remotely and allow access for public ip video conf units.

2. I know the basics of creating vlans, but how do I get the vlans to communicate with each other?

-Do I need an intervlan on the 4503, does this require a public ip or can it use a private ip

-Do I need to enable ip routing

-Do I need to enter static routes in the route table? For some reason, now when I do a sh ip route it says default gateway 206.x.x.57 and ICMP redirects cache is empty, that's just great.

3. Now on to the pix 501. That too, is on the default vlan 1 with IP 10.10.10.2 and public of 206.x.x.59. The hosts use this as the default gateway, but when I implement more vlans, I won't be able to use that ip for hosts on different vlans. Would I use the vlan ip as the default gateway? What is the solution for this, can't I get it to work if I do my routing on the 4503?

4. And NAT. Should I keep doing this on the pix or should I do this on the 4503? Not sure how I would do it, does the pix only accept 2 inside nat statements?


I hope this is a bit clearer and not a repeat, let me know what else you need. As you can probably tell, I am a rookie at this. But I do appreciate the help.

paul.matthews Mon, 09/24/2007 - 23:50

Your plans look OK. At the moment the switch is routing between VLAN1 & VLAN2, so your users are on VLAN1 and your ISP on VLAN2, beyond the PIX.


My comments - you don't say how many users - I would keep the number of users below 256.


If running a guest VLAN, consider making it a private VLAN - that way users can talk to the router, but not each other.


I would consider separate VLANs for wireless. Really nail those down with access lists. Your internal wired can be quite open.


rhopkins_nci Tue, 09/25/2007 - 05:30

This is what I am stumped on from a logical and cmd standpoint:

-What would I need to do to get the vlans to talk with each other?

-What would I use as the default gateway, since the pix 501 will be on a different vlan?

-How would I nat on the pix 501 since there will be 3-4 internal networks now?


Thanks for the tips Paul.

paul.matthews Tue, 09/25/2007 - 05:48

The 4503 can handle the intervlan routing


int vlan 10

des internal wired

ip address 10.10.10.1 255.255.255.0


int vlan 20

des internal wireless

ip address 10.10.20.1 255.255.255.0


int vlan 30

des guest wired

ip address 10.10.30.1 255.255.255.0


int vlan 40

des guest wireless

ip address 10.10.40.1 255.255.255.0



would route between those VLANS


int vlan 99

des To ISP VIA PIX

ip add

ip route 0.0.0.0 0.0.0.0


All devices would use the 10.10.n.1 address as their default gateway, where n is the VLAN number - please note I am using these addresses purely as illustration, you are free to do as you wish.


I am not familiar with the PIX config, but simply including all the subnets in the list of match addresses for NAT should do the trick.







rhopkins_nci Tue, 09/25/2007 - 06:27

I think I'm starting to get it. Hopefully this will be the last of questions, for awhile at least. Just to reiterate, so you won't have to look back, here is my setup:

206.x.x.57 - isp router

206.x.x.58 - my cat 4503 vlan 2

206.x.x.59 - my outside in pix 501

206.x.x.60 - free to use

206.x.x.61 - vid conf unit

206.x.x.62 - vid conf unit

10.10.10.0 - vlan 1, all host are part

10.10.10.1 - vlan 1 ip

10.10.10.2 - pix inside int

What would you suggest vlan 99 to look like? For vlan 99, can I still allow access for the vid units? For the pix, would the new inside int be 10.10.14.2(my net and sys vlan)? Also, do I need to add static routes in the route table? How will my internal vlans know to use the pix inside int to get out, since it will not be the hosts default gateway anymore?


Hope I'm not asking too much. Thanks again Paul.


Jon Marshall Tue, 09/25/2007 - 06:14

Hi


Paul has covered the vast majority of this but just to add.


On the original config it seemed a bit worrying that you have a vlan 1 interface and a vlan 2 interface at Layer 3. The clients' DG was set to the pix but as I understand it if one of your users could change their DG to be the vlan 1 interface on the 4500 they have effectively bypassed the firewall.


I agree with all Paul has said, I'm just not clear on the following info for the pix.


int vlan 99

des To ISP VIA PIX

ip add

ip route 0.0.0.0 0.0.0.0


I think the inside interface of the pix should be a private ip address ie.


4500


int vlan 99

ip address 172.16.5.1 255.255.255.252

no shut


Then allocate the port that connects to the pix inside interface into vlan 99 and allocate the pix inside IP address as 172.16.5.2 255.255.255.252.


Your default route on the 4500 would be


ip route 0.0.0.0 0.0.0.0 172.16.5.2


On the pix your default route would be the upstream ISP router. You need to add routes to the pix for the networks on the 4500.


The NAT could just be


nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


assuming the pix has a public ip on the outside.


Jon




rhopkins_nci Tue, 09/25/2007 - 08:31

Good eye on the default gateway issue, I had no idea about that. Are you saying that I should use a private ip for vlan 99? So if I draw this out, would it look something like this:


206.x.x.57 - isp router
      |
206.x.x.58 - pix outside int
      |
10.10.99.2 - pix inside int (vlan 99)
      |
10.10.99.1 - vlan 99 ip
 _________|__________
 |        |         |
guest vlan  user vlan   server vlan
10.10.11.1  10.10.12.1  10.10.14.1


-what should my ip route show? by default will the vlans know how to communicate with each other, or is this where the ip route 0.0.0.0 0.0.0.0 10.10.99.2 comes in to play.


-should my servers and networking devices ie switches ap's, be on a different vlan than 99, ie 14.


-lastly, how could I keep my vid conf units with public ip's so they can bypass the firewall.


And again, thanks for all the help, and hopefully I will get it sooner or later.

Jon Marshall Tue, 09/25/2007 - 08:42

Hi


Yes the way you have drawn it is the way I would configure it.


The vlans on the 4500 will know how to communicate with each other. The "ip route 0.0.0.0 0.0.0.0 10.10.99.2" is to allow your internal clients to get to the Internet.


Yes, only use vlan 99 for the link between the 4500 and the pix.


If you only have one switch ie the 4500 then you can use vlan 2 if you want. In this vlan would be


inside interface of isp router

outside interface of pix

vid units


The key thing here is to delete the Layer 3 SVI for vlan 2 off the 4500 or you can route round your pix. Note it doesn't have to be vlan 2, it can be any unused vlan. As long as it only exists at layer 2 on your 4500 you will be okay.


In an ideal world you would not use your internal switch for this purpose ie. you would have a separate switch for the outside of the pix etc.


Hope this answers your questions.


Jon
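An added check, not from the thread or its posters, that models the two points Jon makes above: with an SVI on the public vlan 2 and a default route to the ISP router, a host that points its gateway at the 4500 reaches the Internet without the PIX ever seeing the packet; with the vlan 2 SVI deleted and the default route via 10.10.99.2, every Internet-bound packet is handed to the PIX while the 10.10.x.0 vlans still route to each other. Assumed: ip routing is enabled on the 4500, and 203.0.113.0/29 stands in for the thread's 206.x.x.x block.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match. routes: list of (prefix, next_hop); next_hop is an
    IP string for a static route or ("connected", vlan) for an SVI subnet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def build_routes(svis, static):
    """svis: {vlan: 'addr/len'} -> connected routes, followed by static routes."""
    connected = [(str(ipaddress.ip_interface(a).network), ("connected", v))
                 for v, a in svis.items()]
    return connected + static

def internet_path_bypasses_pix(svis, static, pix_inside):
    """True if a host that sets its gateway to a 4500 SVI gets to the Internet
    without the switch forwarding the packet to the PIX inside address."""
    routes = build_routes(svis, static)
    return next_hop(routes, "198.51.100.10") != pix_inside  # any outside host

# Constructed "before" state: SVIs on vlan 1 (private) and vlan 2 (public) and a
# default route to the ISP router. 203.0.113.0/29 stands in for 206.x.x.x.
BEFORE_SVIS = {1: "10.10.10.1/24", 2: "203.0.113.2/29"}
BEFORE_STATIC = [("0.0.0.0/0", "203.0.113.1")]

# "After" state from the thread: client/server SVIs, vlan 99 point-to-point link
# to the PIX, no vlan 2 SVI, default route to the PIX inside address.
AFTER_SVIS = {11: "10.10.11.1/24", 12: "10.10.12.1/24",
              14: "10.10.14.1/24", 99: "10.10.99.1/30"}
AFTER_STATIC = [("0.0.0.0/0", "10.10.99.2")]

if __name__ == "__main__":
    print(internet_path_bypasses_pix(BEFORE_SVIS, BEFORE_STATIC, "10.10.10.2"))  # True
    print(internet_path_bypasses_pix(AFTER_SVIS, AFTER_STATIC, "10.10.99.2"))    # False
    print(next_hop(build_routes(AFTER_SVIS, AFTER_STATIC), "10.10.12.5"))  # ('connected', 12)
```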

paul.matthews Tue, 09/25/2007 - 09:28

Jon makes an important comment there - ideally a second switch would be outside. If the switch is carrying "raw internet" secure it as best you can, even if it does not have an "outside" IP address - access lists for telnet, if using snmp an access list on that, and do not even consider using public or private as communities! Turn off any non-essential services (no ip http server etc).

rhopkins_nci Tue, 09/25/2007 - 10:13

Now when you say delete the L3 svi, is that the public ip address? So I would add my "link to internet" port on the 4503 as the isp rtr int? And give my vid units public ip's, would I use the isp router as the default gateway? Now I did just purchase a cat3560_8pc, could I use this as the outside switch? If so, how would this change things? I surely appreciate all the help.

Jon Marshall Tue, 09/25/2007 - 10:51

Hi


Yes you would be better to use the separate switch. You do not want to connect your ISP router into your 4500 or you are effectively bypassing the firewall. All traffic between the Internet and your internal network needs to go through the pix.


So


1) delete vlan 2 interface from 4500

2) Setup 4500 as previously discussed. Make sure the default route points to the IP address of the inside interface of the pix.


3) Use your 3560 to connect


pix outside interface

ISP router inside interface

vid units (this is assuming you do not want to protect the vid units with your firewall)


Each of these devices will have a public IP address.


4) On the pix have a default route pointing to the ISP router.


Also add routes on the pix for all your vlans on the 4500 pointing to the other end of the p2p link between the pix and the 4500.


One last thing. You should look to put your ap's on a separate vlan than your servers just for segregation.


HTH


Jon


rhopkins_nci Tue, 09/25/2007 - 12:43

Thanks everyone for the help! I'm gonna try to take this all in and start working this out. I'm afraid to say, I'm sure I will be posting more questions when I get in the mix of this. I'll end up screwing something up. Alright then. RT.

rhopkins_nci Tue, 09/25/2007 - 19:24

Hey Jon, well I've been studying my butt off, but I've managed to get stumped already.

-What do you mean by adding routes on my pix to point to the vlan on the 4500? Can you give me a couple example cmds?

-Also, will I still use the nat (inside) 1 0.0.0.0 0.0.0.0?

-On my 3560, are there certain vlans I need to create on this, ie vlan 99 and or vlan 2 with public ip.

-Your last statement about separating ap's and servers, what would you suggest? Would my ap's and internal switches be on vlan 99 or create a new one, then servers on another vlan?

-Where would ip helper addresses come in to play with all this?


Wow, I'm getting myself in a bigger mess than I thought. I didn't intend to have you all walk me step by step. But thanks again and I owe you one somehow, hope I'm not spamming you too bad with emails either.

Correct Answer
Jon Marshall Thu, 09/27/2007 - 08:14

Hi


Apologies for delay in replying, been a bit busy.


1) the pix needs to know how to route back to your vlans on the 4500. So using your drawing the pix is connected to the 4500 via a point to point link. Pix end 10.10.99.2, 4500 end 10.10.99.1. So on pix


route (inside) 10.10.11.0 255.255.255.0 10.10.99.1

route (inside) 10.10.12.0 255.255.255.0 10.10.99.1

etc... for all vlans on 4500 switch.


2) nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


says to NAT any inside private address to the public IP address of the outside interface so yes if you want all inside clients to be able to access the Internet you need this.


3) 3560. You need one vlan for all the devices you are connecting in ie.


ISP inside interface

pix outside interface

vid units


Remember that this switch will not connect back to the 4500 switch so you can use any vlan you like. Do not use vlan 1.


4) Because wireless is less secure I would recommend having a separate vlan for these. So I would have at a minimum


i) server vlan

ii) wireless ap vlan

iii) client vlan(s) - depends how many clients you have.


I would only use vlan 99 for connecting pix to 4500 so don't put any other devices on this vlan.


5) You need to put ip helper-addresses on any vlan with clients that use DHCP to get an address. So assuming you have a DHCP server on your server vlan you will need to add the ip helper-address under each client vlan interface.


Don't worry about asking questions that's what NetPro is for and you'll find a lot of knowledgeable people on these forums.


Jon

rhopkins_nci Thu, 09/27/2007 - 10:42

Awesome, thanks for the great advice and steps Jon. Maybe I'll get the hang of it so I can help others out on netpro. Anyway, send me an invoice, lol. RT.
