L3 Switch w/ 802.1Q VLans connecting to L2 Cisco switches

Oct 15th, 2008

I'm in the process of working on a new switch configuration. Basically what we have are 2 L3 switches that will have multiple VLANs and 802.1Q enabled. If devices are plugged into the L3 switch things work fine.

The question/problem I have is that these L3 switches are connected to a stack of L2 Cisco switches via the gig uplink ports. All L2 switches are basically base config'd, no VLANs.

My thought process is if I have the production network (which all the L2 switches connect to), I'm going to have to configure all the L2 switches to be on the same VLAN as it is configured on the L3 switch.

I've done some testing and right now when I plug into the L2 switch connected by the gig backbone (no config done on backbone) I can't talk to anything on the L3 switch.

Is there something I'm missing here or what is my next step in the right direction?

Jon Marshall Wed, 10/15/2008 - 11:09

Kyle

We can talk you through getting this to work but I am slightly worried about you saying the L2 switches are on production.

Could you expand on that a bit. You will have to do some configuration on these switches and we need to be careful if this is production.

Are your L3 switches the only ones with vlans at the moment ?

Jon

kylehughes Wed, 10/15/2008 - 11:16

Sorry, I guess I should mention this is in a completely isolated R&D network. I have similar-ability switches that I can test on before I make changes on the "Production Equipment".

To make it easier, substitute "LAN traffic" wherever I said production.

This is for a ESX environment, so on the L3 switch, I have VLAN10 (mgmt), VLAN20 (vmotion), VLAN30 (LAN Traffic).

I have a L2 switch that is connected to the L3 switch via backbone, with basically no configuration done. So basically all LAN traffic on the L2 switches is going over VLAN1 I'm assuming.

Jon Marshall Wed, 10/15/2008 - 11:20

Right. What do you want to do? Do you want those 3 vlans on your L3 switches to be available to your L2 switches?

What type of switches are your L3 and L2 switches ?

Jon

kylehughes Wed, 10/15/2008 - 11:36

R&D Setup (which I'm currently practicing on):

Cat 3560(L3) and 3550 (L2)

Eventually I would like to make these changes on the production switches, 2x 3750 (L3) and a 3550 (L2) switch rack.

The overall goal would be to have something like this:

L3 Switch(es):

VLAN10(esx mgmt) - IP Range 10.10.0.0/16

VLAN20(esx vmotion) - IP Range 10.20.0.0/16

VLAN30(lan network/servers/etc) - IP Range 10.30.0.0/16

L2 Switches (all users are connected to the L2 switch rack, including myself):

Default Config

All traffic is IP range of 10.30.0.0/16

So I want all traffic on the L2 switches to be able to talk to VLAN30 on the L3 switch for obvious reasons of getting to the servers.

I need a connection from the L2 switch rack (10.30.0.0/16 network) to the 10.10.0.0 network, but limited access. So I would need access lists to control that, I'm sure.

I want VLAN 20 traffic to be isolated: only 10.20.0.0/16 talks to 10.20.0.0/16. Again, I would need to create an access list, I'm sure.

Jon Marshall Wed, 10/15/2008 - 11:43

Kyle

Okay sorry to keep asking questions but would like to provide a working config.

Firstly I would recommend having servers on a separate subnet from your users. If you are using 10.30.0.0/16 you could easily split this - how many users do you have and how many servers?

Now if all the devices on your L2 switches are end users then you do not need to connect the L2 switches to the L3 switches with a trunk link. However you generally use a separate vlan for managing the switches. So there are a few options.

Also can you run the output of a

"sh vtp status" on your 3560 and 3550 switches and post here.

10.10.0.0/16, 10.20.0.0/16 and 10.30.0.0/16 are big ranges. Do you need this range of addresses ?

If you could answer the questions above we can come up with a config and also the access-lists.

Jon

kylehughes Wed, 10/15/2008 - 13:07

No worries on the questions, it's been a while since I've had to use my Cisco training/cert so I'm a tad rusty.

"Firstly I would recommend having servers on a separate subnet from your users. If you are using 10.30.0.0/16 you could easily split this - how many users do you have and how many servers?"

I would tend to agree with you if we had set this up earlier, but the network has been built this way since I started here, and for years before then. I doubt I'll get anywhere near a welcome greeting by asking to change the IP setup. Too many things are static around here. The main goal, at least for now, is to isolate the different VMware ESX networks, i.e. prevent any possible attacker from compromising a server and then jumping to the ESX host because it's on the same network.

"10.10.0.0/16, 10.20.0.0/16 and 10.30.0.0/16 are big ranges. Do you need this range of addresses?"

Again, before I came, no, probably not, but now it's part of our IP scheme and we really can't change that.

In the attachment, the IP that was blacked out was different to the one that I have been giving as an example. It is showing VLAN10 being the lowest, so the IP should've read 10.10.10.1 (most likely we won't use that address, but for example).

The less work I have to do on the L2 3550s the better, but if there is a best practice and it's not too big of a change I'm open to suggestions. Let me know if that was the information you were looking for or if you have more questions. Thanks for all of your help so far.

Jon Marshall Wed, 10/15/2008 - 13:26

Okay, no problem, we'll work with what you have got at the moment, but be aware you should probably look to change this in future.

You could set up the L2 3550 switches as VTP clients and have your L3 switches as VTP servers, but as you only need one vlan, i.e. vlan 30, on the 3550 switches we'll use transparent.

On your 3550 switches

3550(config)# vtp mode transparent

3550(config)# vlan 30

3550(config-vlan)# name v30

On the port(s) that uplink to your L3 switches eg.

3550(config)# int fa0/1

3550(config-if)# switchport

3550(config-if)# switchport access vlan 30

Then you need to allocate the other ports that have end user devices into vlan 30. Same as above, but don't forget you can use the interface range command to save time, e.g.

3550(config)# int range fa0/5 - 12

3550(config-if-range)# switchport access vlan 30

On your L3 switches

On the port(s) connecting to the 3550

3560(config)# int fa0/0

3560(config-if)# switchport

3560(config-if)# switchport access vlan 30

Eventually you may well want to make the above links trunks but as you only need vlan 30 on L2 switches... If you want to make them trunks let me know.

Right now, if you have a device on one of the 3550 switches in vlan 30, you should be able to ping the vlan 30 interface on the L3 switch and the other vlan interfaces on the L3 switch.

Access-lists.

access-list 101 deny ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255

access-list 101 permit ip any any

int vlan 30

ip access-group 101 in

This will stop vlan 30 devices talking to vlan 20 devices. If you want further control let me know.

Try all this and let me know how you get on.

Jon
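The access-list in Jon's post, evaluated against constructed sample flows as an added example (Python, not from the thread or from any Cisco tool). The source host 10.30.5.20 and the vmotion host 10.20.0.5 are assumed sample addresses; the model handles only `permit`/`deny ip` entries with `any` or address/wildcard pairs.

```python
"""Evaluate the extended ACL from Jon's post against sample flows.

Added example, not part of the original thread or of any Cisco tool.
Models wildcard-mask matching, first-match evaluation and the implicit
deny at the end of every IOS numbered access-list.
"""
from ipaddress import IPv4Address

# The two entries Jon posted, applied with "ip access-group 101 in" on int vlan 30.
ACL_101 = [
    "access-list 101 deny ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255",
    "access-list 101 permit ip any any",
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def _take_addr(tokens):
    """Consume 'any' or 'A.B.C.D W.X.Y.Z'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda addr: True), tokens[1:]
    base, wild = tokens[0], tokens[1]
    return (lambda addr: wildcard_match(addr, base, wild)), tokens[2:]

def parse_ace(line):
    """access-list <num> <permit|deny> ip <src> <dst>  (only protocol 'ip' handled)."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    if proto != "ip":
        raise ValueError("example only handles protocol 'ip'")
    src_match, rest = _take_addr(tokens[4:])
    dst_match, _ = _take_addr(rest)
    return action, src_match, dst_match

def evaluate(acl_lines, src, dst):
    """First matching entry wins; a packet matching no entry is denied."""
    for line in acl_lines:
        action, src_match, dst_match = parse_ace(line)
        if src_match(src) and dst_match(dst):
            return action
    return "deny"

# Constructed flows from a vlan 30 user. Only packets routed off vlan 30 reach
# the SVI, so user-to-server traffic inside 10.30.0.0/16 is never checked here.
if __name__ == "__main__":
    for dst, label in [("10.20.0.5", "vmotion"), ("10.10.10.1", "ESX mgmt")]:
        print(f"10.30.5.20 -> {dst} ({label}): {evaluate(ACL_101, '10.30.5.20', dst)}")
```

The ESX management network stays fully reachable from vlan 30 with this list; the limited access Kyle asked for needs further deny entries placed before the final permit.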

kylehughes Wed, 10/15/2008 - 13:42

Thanks Jon I'll try this out and let you know how it goes.

One question I have for ya.

So you have the 3550 (L2) fa0/1 talking to the 3650 (L3) fa0/0 as a link to talk to each other.

The way we have our switches configured is that they are all connected via GigabitEthernet 0/1. So instead of doing the commands on fa0/1-fa0/0, can I just do those on the (3550) GigabitEthernet0/1 - (3650) GigabitEthernet0/1?

Thanks again for all of your time spent

Jon Marshall Wed, 10/15/2008 - 13:45

No problem with the help, that's what NetPro is for :)

Yep, I just used fa0/1 and fa0/0 as examples; you should use whatever ports you are using for uplinks.

Once you have this set up and working you may want to refine it, i.e. trunk links would provide more scalability in future and maybe VTP server/client mode, so please feel free to come back.

Appreciate the rating.

Jon

kylehughes Wed, 10/15/2008 - 13:51

I can't believe I just found NetPro, it's like this unknown Cisco forum board that is a secret. I'm usually on the VMTN (VMware) doing what you're doing with me, and I know we're not on here for the points, but it's sooo much better to get points than a "hey thanks" and nothing else to show for it :) Off to the switches I go.
