2432 Views | 0 Helpful | 20 Replies

Backbone switch question

the-lebowski
Level 4

I am replacing a Linksys switch with a 3750 on my backbone network. I did little to no configuration on that switch.  Now that I am replacing it I have question regarding VLAN 1 on the new switch.  It will be a flat L2 switch on backbone network which connects my FW's to my core 3750.

Is it best practice to move all the ports out of VLAN 1 into another vlan?  IE: say my backbone is 10.35.66.0/24, could I just create a VLAN local to that switch (say VLAN 660) and move all the ports in to that vlan?  If I add another switch to the backbone can I create the same vlan local to that switch and again move all the ports off VLAN1 (IE VLAN 660 on switch 2)?

The routing for that network is done via the physical interface on the L3 3750 so that vlan wouldn't exist on the L3 3750. 

Can someone help me wrap my head around it?

Here is a crude diagram, the switch in question is the L2 3750.


[Diagram: L2.png]

20 Replies

Giuseppe Larosa
Hall of Fame

Hello DPatten,

>> could I just create a VLAN local to that switch (say VLAN 660) and move all the ports in to that vlan?

You can do it this way.

If you want this switch to not share the vlan DB with the L3 C3750 you can use a routed port on the L3 C3750 or two access ports.

That is, no trunk port and not the same VTP domain name.

VTP mode transparent is to be preferred for security reasons.

Using access ports also gives you the capability to use different vlan-ids on the two devices; you just need to disable CDP to remove annoying messages about native vlan mismatch.

For the management of that L2 switch you need to decide from where you want to reach it.

If you want to control it from the L3 switch you may want to create a L2 trunk carrying the management vlan and the user traffic vlan, but in this case you need to agree on the vlan-ids used on both ends of the link.

Hope to help

Giuseppe

Thanks Giuseppe.

Right now the routed port on the L3 3750 is connected to the current linksys backbone switch, which will be plugged into the new 3750 when all is said and done.

Disable CDP on the backbone switch?  Do I need to disable it on the L3 3750 as well?

Management isn't a problem, I can give it an IP on the 10.66.35.0/24 and a default GW of the routed interface on the L3 3750, which will make it reachable from anywhere on the LAN.

Hello DPatten,

>> Disable CDP on the backbone switch?  Do I need to disable it on the L3 3750 as well?

Only if you have an access port on the L2 backbone switch side and you want to use a different vlan.

The L3 port, being a routed port, should not carry native vlan information, so yes, you should not need to disable CDP on either side.

>> Management isn't a problem, I can give it an IP on the 10.66.35.0/24 and a default GW of the routed interface on the L3 3750.  Which will make it reachable from anywhere on the LAN.

This is acceptable, but a separate management vlan can help; in some cases it can make the difference between being able to still reach the switch or not.

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

dpatten78 wrote:

I am replacing a Linksys switch with a 3750 on my backbone network. I did little to no configuration on that switch.  Now that I am replacing it I have question regarding VLAN 1 on the new switch.  It will be a flat L2 switch on backbone network which connects my FW's to my core 3750.

Is it best practice to move all the ports out of VLAN 1 into another vlan?  IE: say my backbone is 10.35.66.0/24, could I just create a VLAN local to that switch (say VLAN 660) and move all the ports in to that vlan?  If I add another switch to the backbone can I create the same vlan local to that switch and again move all the ports off VLAN1 (IE VLAN 660 on switch 2)?

I don't fully understand how it works when you don't have a VLAN configured on a L3 device, when it's physically separated from the other subnets.

Can someone help me wrap my head around it?


Your L3 3750 routes for all vlans. So you can use any number of L3 vlan interfaces on the L3 switch to route between vlans. An example might help.

vlan 10, 11, 12

1) first you create the vlans at L2 on your switches. If you use VTP server/client you only need to configure them on the server providing the L2 3750 is connected via a trunk.

3750L3(config)# vlan 10
3750L3(config-vlan)# name v10

etc. for each vlan

2) then you create L3 interfaces for each vlan

3750L3(config)# int vlan 10
3750L3(config-if)# ip address 192.168.5.1 255.255.255.0   <-- this IP is the default-gateway for any clients in that vlan
3750L3(config)# int vlan 11
3750L3(config-if)# ip address 192.168.6.1 255.255.255.0

etc.

3) then simply allocate whichever ports you want into the relevant vlan eg.

3750L3(config)# int gi0/1
3750L3(config-if)# switchport mode access
3750L3(config-if)# switchport access vlan 10

etc..

For the 3750 L2 switch, if it is connected by a trunk you need:

1) to repeat step 1) above if you are not running VTP server/client or the link is not a trunk

2) a L2 switch, or a L3 switch acting as a L2 switch, does not route between vlans. However it does have a L3 vlan interface so you can telnet/ssh to it for management. Let's assume you use vlan 10 to manage it, so

3750L2(config)# int vlan 10
3750L2(config-if)# ip address 192.168.5.2 255.255.255.0

3) you then need a default-gateway on this switch so it can be accessed from a different subnet:

3750L2(config)# ip default-gateway 192.168.5.1   <-- note this is the L3 IP for vlan 10 on the L3 3750

In answer to your question about vlan 1, yes it is best practice to not use it.  It is also best practice to have a management vlan that is not used for any end devices such as PCs/servers/printers. Note in the above example vlan 10 would be your management vlan ie. the vlan used to manage the switches.

Jon

Thanks Jon.

I have all that configured already on my L3 3750.  It's just in front of it that I didn't quite understand.

You were spot on already, I use vlan 10 for management at this point for everything behind the L3 3750. 

So if I configure vlan 10 on the L2 switch, give it an IP address of 10.30.33.12 (mgmt subnet) and give the switch a default gateway of 10.66.35.3 (routed interface on L3 3750) I will be able to manage it on my current management vlan?

I won't need to trunk anything to the L3 3750?  Just the access port to the routed interface?

If that's the case, that is what I didn't understand.  Specifically that a L2 switch has a L3 vlan interface.

dpatten78 wrote:

Thanks Jon.

I have all that configured already on my L3 3750.  It's just in front of it that I didn't quite understand.

You were spot on already, I use vlan 10 for management at this point for everything behind the L3 3750. 

So if I configure vlan 10 on the L2 switch, give it an IP address of 10.30.33.12 (mgmt subnet) and give the switch a default gateway of 10.66.35.3 (routed interface on L3 3750) I will be able to manage it on my current management vlan?

I won't need to trunk anything to the L3 3750?  Just the access port to the routed interface?

If that's the case, that is what I didn't understand.  Specifically that a L2 switch has a L3 vlan interface.

Ideally what you would do is connect the 3750L2 via a L2 trunk or a L2 access port in vlan 10 to the 3750L3. You would then configure a L3 vlan 10 interface on the 3750L2 switch and have its default-gateway point to the L3 IP for that vlan on the 3750L3.

You can't configure a vlan 10 interface on the L2 3750 and then connect it via a routed port on the 3750, this won't work unless the routed port uses an IP out of vlan 10 but you won't be able to do that if you already have an IP assigned to a L3 vlan 10 interface on the L3 3750.

Jon

Ok I have a router interface on the L3 3750, it has an IP address of 10.66.35.3/24.  Vlan 10 on the same L3 3750 has an ip address of 10.40.2.1/24, all my switches BEHIND the L3 3750 are connected via trunks which allow vlan 10, and all of which have MGMT IP's on the 10.40.2.0/24 subnet and a default gateway of 10.40.2.1.  So that is all gravy.  

Currently the routed interface on the L3 3750, let's call it gi1/0/1, is connected to my current linksys backbone switch.  So I can move one port into the MGMT vlan on my L3 3750 and connect that (as an access port) to my L2 3750 while leaving gi1/0/1 connected as well?  IE two cables from the L3 3750 to the L2 3750? One to allow MGMT traffic and the other doing the routing for traffic leaving and entering my network?

That is ok and won't cause any problems?  Does the port on the L2 3750 connecting to the MGMT vlan on the L3 3750 need to be in vlan 10 as well?

Like so:

You're making this more complicated than it needs to be. The easier solution is to create a new vlan ie. vlan 20 and on the 3750 L3 switch create a L3 vlan interface ie.

int vlan 20
ip address 10.35.66.3 255.255.255.0  <-- note you will need to remove this IP from the routed port on the L3 3750 before allocating it to the vlan 20 interface

this new vlan will be for connectivity between the 3750 and the firewalls

then configure gi1/0/1 (currently a routed port) on the L3 3750 as a L2 trunk ie.

int gi1/0/1
switchport trunk encapsulation dot1q   <-- on a 3750 the encapsulation must be set before "switchport mode trunk" is accepted
switchport mode trunk
switchport trunk allowed vlan 10,20

make sure vlan 20 exists on the L2 3750.

Then on the L2 3750 configure the interface connected to the L3 3750 as a L2 trunk.

Finally on the interfaces that connect to your firewalls configure them to be in vlan 20. So now you have vlan 10 and vlan 20 on that trunk link.

Jon
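Pulling Jon's vlan 20 steps and Giuseppe's earlier advice (VTP transparent, nothing left on VLAN 1) together, here is a complete configuration for both switches. This is an added example written for this thread, not Jon's or Cisco's own text; the hostnames, the 10.40.2.12 management address, gi1/0/2-3 as the firewall ports, VLAN 999 as an unused native VLAN and a 24-port chassis are assumptions.

```cisco
! ===== L3 3750 (core), assumed hostname 3750L3 =====
vtp mode transparent
vlan 10
 name MGMT
vlan 20
 name BACKBONE
vlan 999
!
! Remove the backbone IP from the routed port FIRST; IOS rejects the same
! address on Vlan20 while it is still on gi1/0/1. Re-apply the ip ospf /
! ip access-group lines from the old routed port under Vlan20 afterwards.
interface GigabitEthernet1/0/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan20
 ip address 10.66.35.3 255.255.255.0
!
! ===== L2 3750 (backbone), assumed hostname 3750L2 =====
vtp mode transparent
vlan 10
 name MGMT
vlan 20
 name BACKBONE
vlan 999
! Management SVI; 10.40.2.12 is a constructed address in the 10.40.2.0/24
! mgmt subnet, the gateway is the vlan 10 SVI on 3750L3 from the thread.
interface Vlan10
 ip address 10.40.2.12 255.255.255.0
ip default-gateway 10.40.2.1
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface range GigabitEthernet1/0/2 - 3
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! Unused ports parked off VLAN 1 and shut (assumed 24-port switch).
interface range GigabitEthernet1/0/4 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

Because VLAN 999 is not in the trunk's allowed list, untagged frames arriving on the trunk are dropped, and `switchport nonegotiate` stops DTP from turning an access port into a trunk.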

Updated below.

Jon, tell me about it!  My head is spinning at this point.

About a year ago I tried doing exactly what you said, creating a separate vlan and making that routed port the default IP.  But with the FWs I am working with (netscreen SSG5s) I wasn't able to get it working.  Plus the fact that I am running OSPF between the two FWs and the routed interface, I wasn't sure how that would work with a vlan, or if it would work at all.

So I left it as-is.

Here is the config of my routed interface (I can do all of this with a virtual IP?):

interface GigabitEthernet1/0/1
 description ACCESS TO BACKBONE/INTERNET
 no switchport
 ip address 10.66.35.3 255.255.255.0
 ip access-group HQ_DEV_SNMP out
 ip ospf authentication
 ip ospf authentication-key 7 xxxxxxxxxxxx
 ip ospf hello-interval 3
 ip ospf dead-interval 9
 ip ospf priority 128
 ipv6 address 2001:5C0:987D:7100::5/64
 ipv6 enable

If so I will tackle it again in the near future but leave everything as-is for now.

Should work fine on L3 vlan interface. Certainly OSPF will work fine.

Jon

Yeah I don't remember what the exact problem was.  But I will try it again in the near future and let you guys know.

Alright one more question.

If I do go that route I don't need to configure any vlans on the FWs correct?  Just make sure the two connections from the FW are in vlan 20 ports on the L2 3750?

Correct.

Jon
