05-25-2010 10:34 AM - edited 03-06-2019 11:15 AM
Hi,
We have a Catalyst 6509 with Sup 720, a 3750-12G and 2960s; the 6509 is connected to the 3750-12G with 10G, and after that 8 nos. 2960 switches are connected with FC port in all 8 departments. Now we have to plan to implement L3 VLANs.
We have a few points:
1. A VLAN for each department with a different subnet, like VLAN5 172.16.5.0, VLAN6 172.16.6.0, etc.
2. Users cannot access other VLANs; if required, access may be possible by routing.
3. Proper routing.
Can anyone suggest?
Thanks
05-25-2010 10:43 AM
Hi,
See, as per my understanding it is 6509---3750--(8) 2960 switches, and it is best practice to have a separate subnet for each separate department. With this in mind you can have different subnet VLANs configured and extend them till the 3750 switch, for inter-VLAN routing at the 3750 switch level rather than at the 6509 level.
And if you want some VLANs to be able to talk with others or not, you can apply an ACL to the 3750 SVI interface of the specific VLANs.
Check out the link below for inter-VLAN routing:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
Hope to help!!
Ganesh.H
Remember to rate the helpful post.
05-25-2010 10:48 AM
If I understand your question correctly, I would use VTP, making one of the switches the server and the others the clients. Then I would use ACLs to control access across the VLANs if you don't want people to have unrestricted access to all VLANs.
05-25-2010 11:55 AM
I would shy away from VTP. The potential revision number issue is big enough to outweigh any gains of automatic VLAN advertisements.
05-25-2010 10:50 AM
Based on what you've told me....
1. Your VLAN scheme looks fine. Matching the 3rd octet and the VLAN number is fairly common.
2. Pretty simple to block access from one VLAN to another. Just utilize ACL's to deny the desired ranges and permit all else. You haven't mentioned that you have stringent PCI or security concerns, so using ACL's on switch SVI's to block traffic should suffice - as opposed to requiring a FW.
3. From a routing perspective, you have a lot of options.
a. Place the SVI's on your 3750. This extends layer 2 from the 2960's to the 3750, but this isn't a big deal since you didn't mention redundant 3750's. If the SVI's are on your 3750, all routes will be locally connected. The 3750 will need a default route to the 6500, and the 6500 will need a summary route to the 2960's.
b. Same as above, but you could run multiple L3 PTP links between the 3750 and 6500. This provides redundancy, removes any STP complexity, and allows both uplinks to be utilized. Either implement dual static routes pointing over both links, or use some dynamic variant (EIGRP / OSPF).
c. Run L3 PTP links from the 2960's to the 3750. Although you don't gain STP abstraction benefits since these are single homed, you still limit your L2 fault domain. This design does require that L3 networks don't span more than one closet, and it requires routes on the 3750 / 6500 via one of the methods described above (either statics or a dynamic protocol).
HTH
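The following is an added example, not any poster's configuration: it illustrates Ganesh's "ACL on the 3750 SVI" advice and option 3a above (SVIs on the 3750-12G, static default route to the 6509, summary route back). All addresses, interface names, VLAN names and the server host 172.16.6.10 are assumptions for illustration.

```ios
! --- 3750-12G (SVIs here, option 3a) ---
ip routing
!
vlan 5
 name DEPT-A
vlan 6
 name DEPT-B
!
! Inbound on the VLAN5 SVI: allow one agreed exception (a server in VLAN6),
! deny VLAN5 hosts from reaching any other department subnet in
! 172.16.0.0/20, and permit everything else (e.g. beyond the 6509).
ip access-list extended VLAN5-IN
 permit ip 172.16.5.0 0.0.0.255 host 172.16.6.10
 deny   ip 172.16.5.0 0.0.0.255 172.16.0.0 0.0.15.255
 permit ip any any
!
interface Vlan5
 ip address 172.16.5.1 255.255.255.0
 ip access-group VLAN5-IN in
!
interface Vlan6
 ip address 172.16.6.1 255.255.255.0
!
! L3 point-to-point uplink to the 6509 (option 3b would add a second link
! and a second static route or a routing protocol)
interface TenGigabitEthernet1/0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
! --- 6509 side of the same uplink ---
interface TenGigabitEthernet1/1
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Summary route back to the department subnets behind the 3750
! (172.16.0.0/20 covers 172.16.0.0 - 172.16.15.255; adjust to your range)
ip route 172.16.0.0 255.255.240.0 10.0.0.1
```

An inbound ACL on Vlan5 only filters traffic that VLAN5 hosts originate, so each department VLAN needs its own SVI ACL if the other direction must also be blocked; traffic between two hosts inside the same VLAN never reaches the SVI and is not affected.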
05-25-2010 08:33 PM
05-25-2010 08:43 PM
He he he ...
I like your design. However, I have some questions for you: If someone from this forum gives you a config and something should ever happen, who's responsible? Who'll compensate your company for the financial loss? Who'll review your network design?
This is probably where some of us (including me) will recommend that you (or your company) seek professional help to build and configure your network. The most some of us will do is provide you guidance and direction as to the best way to go.
05-26-2010 05:48 AM
Actually, this is where I hope all of us point you towards some professional help. I would suggest two things...
1. Start studying. Rather than asking experienced engineers to spoon feed you configs, grab some books and start to learn to do it for yourself.
2. Hire a contractor who knows what they are doing. Pay them to configure this network for you, and keep their number handy for when you need further help.
05-26-2010 08:57 AM
Dear All,
I have seen you all are very expert.
FYI, I have configured this setup and it is now working perfectly.
One of my Cisco sales friends told us about this forum, so I have tried it for your knowledge.
But you all have very little knowledge.
Thanks
05-26-2010 09:07 AM
I'm glad you got it working and I'm glad we could help.