VLAN Questions

Oct 8th, 2007

Hello everyone,

I'm working on re-designing an existing network topology, and am trying to do it the "Cisco recommended" way. I have a lot of Cisco experience in the way of VoIP, and some routing & switching knowledge, but before trying to implement this solution I want to make sure that I at least ask some of the experts.

We currently have 2 separate networks, a, and a, both which are class C subnets.

Most of our user PCs, and almost all servers, are housed on the 192.168 network. The most major things on the 10.1 network are our email server, a static DNS server, and also a few un-migrated user PCs.

All ports are currently assigned to the default VLAN 1. What is the best way to go about setting up VLANs on this network? I plan on creating a VLAN192 and a VLAN10, and assigning all necessary ports to the correct VLANs. In the near future there will also be 1 or 2 more VLANs created for VoIP.

What is needed to correctly route traffic between each VLAN? Right now we have a Cisco4506 L3 switch, in which I can set up routing (IP routing command/static routes/EIGRP??). All edge/access switches on the network connect back to the 4506, and then on the "other side" of the 4506 we have a PIX Firewall, and then the "public internet".

Also, to throw another question in, I plan on subnetting down the 10.1 network, but again, I'm assuming that I can easily set up static routing in the L3 4506, or even use a routing protocol that supports VLSM, such as EIGRP.

What problems might I run into? There are currently 2 DHCP servers in place, one for each network, so I don't think that will be a problem, but again I could be wrong.

Any help is always greatly appreciated!


Jon Marshall Mon, 10/08/2007 - 12:14


Your 4506 will do the routing between vlans. If your edge switches connect back at layer 2 then you don't need to run an IGP, as all the L3 interfaces for the vlans will exist on the 4500 so it will route between them.

You should add a default route to your pix internal interface.

On the pix you will need to add routes to the 192.168.1.x and 10.1.1.x networks.

I would create a separate vlan for the connection between the pix and the 4500 switch.

You have the right approach with the vlans. Create 2 new vlans, create the L3 SVI's for these vlans on the 4500 and then migrate the clients across.

Do you intend to have a DHCP server on both vlans? If so you don't need to worry about it.


jkloza Mon, 10/08/2007 - 12:28

Ok this is exactly what I thought should be done.

Our PIX admin is out for the week, and I don't want to lie, I don't have much firewall experience at all, but I can fumble through the ASDM & probably put a route or 2 in.

By default route, you mean I should add a route that says - Ip route PIX Internal interface, correct?

As for the separate VLAN for the connection between the PIX and the switch, the port that I should connect should be a L3 port, right, not a switchport? So I should do a no switchport, and give the port an IP address, correct?

What exactly do you mean by L3 SVI? I know an SVI is a routed switch virtual interface, but I'm not sure what you meant when saying "create L3 SVI's for these vlans". How would I go about doing this?

And, yes, I do intend on having a DHCP server on each network. If I don't, I can easily just use the ip helper-address command to pass DHCP traffic per vlan, correct?

Thanks again for the help Jon!

Jon Marshall Mon, 10/08/2007 - 12:34

"By default route, you mean I should add a route that says - Ip route PIX Internal interface, correct?"

Yes, exactly, add this to the 4500.

Yes, you could make it a routed port on the 4500 (something is nagging me about this as I am sure I have had issues with this before, but can't see what it is at the moment).

L3 SVI = on 4500 switch (assuming you have created vlan 10 at layer 2)

interface vlan 10

ip address

no shut

This creates a L3 interface for vlan 10.

Yes to the DHCP question. I was actually going to suggest ip helper-address but as you are putting one on each subnet...


jkloza Mon, 10/08/2007 - 13:57

I planned on creating the VLANs on the 4500, and then having VTP update all our other switches in the network at layer 2. Is this not the correct way to do it?

About the routed port, does it "have" to be done this way, or can I leave it a switchport, just on a separate VLAN? Doing it this way would eliminate a lot of overhead for me, and then I probably wouldn't even need to change any addresses on my PIX.

If the port is left a switchport, does the port need to be on a separate subnet, or just a separate VLAN? Can it be a member of one of my 2 existing networks/subnets? Or should I plan ahead and make a /252 subnet for the link between the switch & the firewall?

Thanks again for all the help, it is very much appreciated!

Jon Marshall Mon, 10/08/2007 - 19:16

If all the other switches are connected via Layer 2 trunks then yes make your 4500 a vtp server and the other switches vtp clients.

No it doesn't have to be a routed port, you can make it a switchport.

I would recommend having it on a dedicated subnet rather than one of your existing ones. It clearly defines the separation between your internal subnets and external access, and you may want to use ACLs on the vlan interface connecting to the pix in future.


jkloza Tue, 10/09/2007 - 02:24

Understood, then that's how I'll plan it out, I'll just break a chunk of my existing 192.168 network up for the link between the firewall and the switch.

One last question, then I think I should be pretty good to go. I plan on subnetting the 192.168 network down. I'll have a /32, a /64, and a /128 at least.

For each separate subnet, should there be a separate VLAN, or since they are all part of the "192.168" network, can they be in the same VLAN? Something here is confusing me, and I'm not sure why. I thought that each subnetwork would need to be its own VLAN, but again, if it doesn't need to be, then why complicate things later on.

Thanks again for all the help, it is very much appreciated!

Jon Marshall Tue, 10/09/2007 - 02:30

No problem with the help, ask as many questions as you need (might not be able to answer all of them though!!)

You should look to do 1 vlan per subnet, so if you are subnetting 192.168.1.x into 3 subnets then you should look to use 3 vlans.

Each vlan will have a L3 vlan interface which will be the default-gateway for clients in that vlan.
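The pieces discussed in the replies above (one L3 SVI per VLAN acting as that subnet's gateway, a dedicated transit VLAN toward the PIX inside interface, a default route on the 4500 pointing at the PIX, VTP from the 4500 to the edge switches, and ip helper-address where a VLAN has no local DHCP server) put together as an added IOS configuration example; this is not configuration from the thread or from either poster. VLAN 99 and its 192.168.255.0/30 transit subnet, the interface names GigabitEthernet1/1 and 2/1, the VTP domain name and the DHCP server address 192.168.1.10 are constructed assumptions.

```cisco
! Added example, not from the thread: 4506 as the inter-VLAN router.
! Assumed values: VLAN 99 / 192.168.255.0/30 transit link, port names Gi1/1 and Gi2/1,
! VTP domain EXAMPLE-VTP, DHCP server 192.168.1.10.
ip routing
!
vtp domain EXAMPLE-VTP
vtp mode server
!
vlan 10
 name USERS-10-1
vlan 192
 name USERS-192-168
vlan 99
 name TRANSIT-PIX
!
! One L3 SVI per VLAN; the SVI address is the default gateway for that subnet.
! ip helper-address is only needed in a VLAN that has no DHCP server of its own.
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 192.168.1.10
 no shutdown
!
interface Vlan192
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Dedicated transit VLAN to the PIX inside interface; keeping it separate from the
! user subnets gives a single place to apply an ACL later if needed.
interface Vlan99
 ip address 192.168.255.1 255.255.255.252
 no shutdown
!
! Port toward the PIX inside interface, left as a switchport in the transit VLAN.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 99
!
! 802.1Q trunk toward an edge switch (VTP client); carries all VLANs.
! Some 4500 supervisors also require: switchport trunk encapsulation dot1q
interface GigabitEthernet2/1
 switchport mode trunk
!
! Default route toward the PIX inside address. The PIX in turn needs routes for
! 10.1.1.0/24 and 192.168.1.0/24 pointing back at 192.168.255.1.
ip route 0.0.0.0 0.0.0.0 192.168.255.2
```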


jkloza Tue, 10/09/2007 - 08:09

Actually, 1 more question.

Currently we have 2 lines going from our 4500 switch, to our firewall. One of the lines connects to the 192.168 interface on the firewall, and one connects to the 10.1 interface on the firewall.

Am I correct in saying that PIX firewalls cannot, and do not, route between networks? Again, I'm not a firewall guy by any means; our firewall admin was saying, and I quote, "the PIX is routing between the 192.168 / 10.1 networks". This is incorrect, right? Just because I've always been told that firewalls do NOT route traffic, there must be a router here somewhere with routing statements, or a routing protocol configured, correct?

This is getting a bit complicated :)

Thanks again..

Jon Marshall Tue, 10/09/2007 - 09:46

Okay, pix firewalls are not routers but they can route traffic between interfaces. They do have routing tables and can run some of the open standard routing protocols (pix v8.x can also run EIGRP now).

However they generally do not automatically route between interfaces without additional configuration - it is a firewall after all.

Enough of the theory :) - I suspect your 4500 is just acting as a Layer 2 switch at the moment and the routed interfaces for your subnets exist on the firewall. You need to do a bit more investigation of your network devices before trying to implement what we have been discussing, as you could break your network.

If you run a "sh ip int br" on your 4500, what is the output? Do you see any entries for vlan interfaces, eg.

vlan 10 192.168.1.x



jkloza Tue, 10/09/2007 - 09:58

There are no VLANs (other than the default VLAN 2) on the network right now, everything is layer 2..

Right now if I do a show ip interface brief, I currently see - VLAN 1 - IP address 192.168.1.50 / UP. There are no other VLANs created, as I'm working out all things that can go wrong right now :)...

How would I go about checking to see if the firewall is routing between our 2 networks? Ultimately, I think we'll have to wait until our firewall admin is around, just so he can do any configuration needed on his end, then I can setup the VLANs and any routing statements that need to be put in place.

Thanks again -


Jon Marshall Tue, 10/09/2007 - 10:04

Yes, apologies for that, I should have reread the thread; you did say about it being one vlan.

Could you just confirm, are all the devices connected into switches in vlan 1?

I ask because you have 2 separate interfaces on the firewall connected into your 4500. It would therefore have made more sense if you had at least 2 vlans on the 4500, one for each firewall interface, and then the firewall would route between these 2 vlans, but it sounds like this is not what you have.

Could you also confirm what supervisor you are running in the 4500 - log on and from enable mode

switch# sh module

and post the output here.

If you could get a copy of the config of the firewall and post it here (minus any sensitive information) we could tell what the firewall is doing. That is assuming it is a pix - do you know what type of firewall it is?


jkloza Tue, 10/09/2007 - 10:18

Yes, all devices are connected in VLAN 1. I know that it would have made more sense to do 2 separate VLANs, but I'm not sure why they didn't originally set it up this way (I'm new here :)..

The supervisor module in the 4500 is a


Unfortunately, I can't post configs of the firewall, not that I don't want to, trust me :).. I've been looking through the ASDM though, and the only real route that I see is an outside route, and a check box that is enabled that says "enable traffic between two or more interfaces w/ the same security level".. Not sure if this could be doing it..

Jon Marshall Tue, 10/09/2007 - 10:27

The "enable traffic between 2 or more..." could well be what does it. You would need to check the security levels on both interfaces, but I would guess they are the same.

Sounds like you have a pix/ASA. You will need to talk to your firewall admin but what we have talked about still stands, it just needs a bit more planning.

Might be worth finding out why they have bought a L3 switch only to use it as a layer 2 device and route between subnets off the firewall. Maybe they have security concerns?


jkloza Tue, 10/09/2007 - 11:07

Sorry, yes, we have a PIX525, I forgot to mention that. Anyway, thanks for the help. I'm still going to try to get at least 2 of the VLANs implemented today, but I'll wait on the routing / subnetting of the other network until our firewall admin has returned.

Thanks again.

Jon Marshall Wed, 10/10/2007 - 02:26

Okay, hope it goes well, thanks for the ratings and any problems let us know.


jkloza Wed, 10/10/2007 - 03:41

Thanks much, implementing the VLANs went well: got both created along with the L3 SVI interfaces, and all ports assigned to the correct VLANs. Everything seems to be working well.

One more question: we have 2 hubs on our network (soon to be replaced with switches) :(..

One of the hubs has PCs from both networks connected to it (the 192.168 and the 10.1). Is there any way for me to let it pass traffic for both VLANs, or should I just replace it with a switch ASAP?

Thanks -


Jon Marshall Wed, 10/10/2007 - 04:33

Glad to hear it's going well.

As for the hub, as far as I know they do not support 802.1q, i.e. trunking, so no. The port the hub connects into would have to be allocated to one of your vlans.

So either use it for just one of the vlans or swap out when you can.
