07-26-2008 05:09 AM - edited 03-06-2019 12:28 AM
Hi All,
I am working on a new network configuration for our company and I'm not sure if I have the right equipment to do what I'm wanting to do. We just got a direct allocation of IPs directly from ARIN and we're setting them up.
Here's the equipment that I have:
1 7301 Router
1 3560G Layer 3 switch
3 2960G 48 Port layer 2 switches
5 Ranges of IP Addresses (Named 1, 2, 3, A, and B for simplicity)
At a conceptual level, what I want to do is say IP Range 1 can only be utilized on 2960G #1, IP Range 2 can only be utilized on 2960G #2, IP Range 3 can only be utilized on 2960G #3, and IP Range A and B can be utilized "across" all three 2960Gs. At the same time I want to isolate the layer 2 traffic such that if any host on #1, #2, or #3 starts sending out bad data, it only affects the servers located on its individual switch.
Ideally, I should be able to enter the configuration only on my layer 3 switch and the other switches could be dumb.
This is "pseudo-IOS" for what I am wanting to accomplish on my layer 3 switch:
--------------
interface gi0/1
ip access deny all
ip access allow 10.10.1.1 10.10.1.255 (IP range 1)
ip access allow 10.10.100.1 10.10.100.255 (IP range A)
ip access allow 10.10.200.1 10.10.200.255 (IP range B)
exit
interface gi0/2
ip access deny all
ip access allow 10.10.2.1 10.10.2.255 (IP range 2)
ip access allow 10.10.100.1 10.10.100.255 (IP range A)
ip access allow 10.10.200.1 10.10.200.255 (IP range B)
exit
interface gi0/3
ip access deny all
ip access allow 10.10.3.1 10.10.3.255 (IP range 3)
ip access allow 10.10.100.1 10.10.100.255 (IP range A)
ip access allow 10.10.200.1 10.10.200.255 (IP range B)
exit
--------------
I know I am mixing layer 2 and layer 3 concepts together.
Does anyone have any suggestions?
07-26-2008 05:19 AM
Hi, as far as my knowledge goes, what I suggest is:
Configure VLANs on the L3 switch for all the IP ranges you want, say 5 VLANs.
Configure 5 SVIs (interface vlan commands) on the L3 switch and assign an IP address from the corresponding IP range to each, so that these IP addresses act as a gateway for the inside users.
Configure all L2 switches with the VLANs and have trunk ports to the L3 switch.
This configures the necessary things, and unless you enable routing on the L3 switch there will be no inter-VLAN routing and no traffic can flow between any two VLANs.
Assign the ports on the L2 switches according to their VLANs.
I hope it works.
07-26-2008 05:32 AM
Hi Sreekanth,
Thank you very much for the reply. That was actually something that I tried first. The problem that I ran into was that the individual hosts on Switch 1 will use IPs in 1,A,B, and the hosts on switch 2 will use IPs in 2,A,B and the hosts on switch 3 will use IPs in 3,A,B.
The first time I set that up, we ended up having to use Broadcom NICs with the BACS software and also configure the actual computer's NICs with multiple virtual interfaces which each had the VLAN IDs. That was simply too complex for our users to comprehend. I would like to be able to assign all three IP ranges to the same physical NIC with no additional configuration.
-Tony V.
07-26-2008 05:40 AM
I was just doing a bit of reading online.
Is it possible to use the "access-list" feature of the Layer3 switch in order to make this work?
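The per-port policy from the pseudo-IOS in the first post, modelled as an ordered access list. This is an added example, not part of any post in the thread; it assumes each range written as "10.10.x.1 10.10.x.255" means the /24, and the ACL names it generates are hypothetical. It shows why the "deny all" line cannot come first under first-match evaluation, and renders the reordered list in IOS extended ACL syntax with wildcard masks.

```python
import ipaddress

# Per-port source ranges from the first post's pseudo-IOS (assumed to be /24s).
SHARED = ["10.10.100.0/24", "10.10.200.0/24"]  # ranges A and B
PORT_RANGES = {
    "gi0/1": ["10.10.1.0/24"] + SHARED,  # range 1
    "gi0/2": ["10.10.2.0/24"] + SHARED,  # range 2
    "gi0/3": ["10.10.3.0/24"] + SHARED,  # range 3
}

def first_match(acl, src):
    """Evaluate an ordered ACL: first matching entry wins, implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action
    return "deny"

def as_written(port):
    """Entry order exactly as in the post: deny all first, then the allows."""
    return [("deny", "0.0.0.0/0")] + [("permit", n) for n in PORT_RANGES[port]]

def reordered(port):
    """Permits only; everything else falls through to the implicit deny."""
    return [("permit", n) for n in PORT_RANGES[port]]

def render_ios(port):
    """Render the reordered list as a named extended ACL applied inbound on the port."""
    name = "SRC-" + port.replace("/", "-").upper()  # hypothetical ACL name
    lines = [f"ip access-list extended {name}"]
    for _, n in reordered(port):
        net = ipaddress.ip_network(n)
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    lines += [" deny ip any any", f"interface {port}", f" ip access-group {name} in"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample source addresses, checked on port gi0/1.
    for src in ("10.10.1.20", "10.10.2.20", "10.10.100.7"):
        print(src, first_match(as_written("gi0/1"), src),
              first_match(reordered("gi0/1"), src))
    print(render_ios("gi0/1"))
```

A source-address filter like this constrains which IP ranges a port may send from; it does not by itself separate the layer 2 broadcast domains the first post also asks about.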
07-29-2008 03:51 PM
Hi Tony,
Try to read this discussion. It may be close to the questions you had.