Designing LAN

Unanswered Question

Hi

I am trying to figure out how to design my network.

The basic topology is Internet --> Gateway -> Router -> Switch -> PC's

On the switch I want to create 14 separate VLANs.

  • Each VLAN should have a subnet of 10.10.10.x/29, which gives me 6 usable addresses per subnet/VLAN.
  • The VLANs should not be allowed to communicate with each other.
  • Each VLAN should receive DHCP from the router.

I will create a trunk from the Gbit ports on the router and the switch.

I have looked at buying the following equipment:

Switch: Catalyst WS-C2960-48TC-L

Router: Catalyst WS-C3560-8PC-S

Is there anything wrong with this setup? Also, did I choose the right equipment? By the way, I already own the L2 switch.

My final question is how to create an access-list that would stop the VLANs from being able to communicate with each other.

Any help is very appreciated!

/Martin

Ganesh Hariharan Wed, 08/04/2010 - 01:58

Martin,

The 3560 is itself an L3 switch. For communication from the local LAN subnets to the Internet you need NAT functionality, and 3560 switches do not support NAT.

If you have a router like the 1800, 2600 or any router series that you can buy for your setup, it can be used for the Internet functionality; with a router you can have a router-on-a-stick configuration for the L2 switch with the router interface.

Check out the link below for the router-on-a-stick concept, and apply the ACL on the sub-interface to restrict the traffic entering other VLANs in the inbound direction.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Ganesh Hariharan Wed, 08/04/2010 - 02:14
Yes, I know. I was planning on using the NAT functionality in the gateway.

If you want NAT functionality, the 3560 L3 switch does not support it; make use of a router to do the same.

Check out the link below for NAT configuration on a router.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Ganesh Hariharan Wed, 08/04/2010 - 02:30

Yes, but I have a gateway in front of the L3 switch that provides NAT...

Sent from my HTC

Hi,

OK, so the L3 switch will be doing inter-VLAN routing and NAT will be done in the external router. Then create the VLANs on the L2 switch and connect it via a trunk port configuration to the L3 switch. Then configure an SVI on the L3 switch, which will act as the gateway for the VLAN traffic, and apply an ACL on the SVI in the inbound direction on these VLAN interfaces to restrict the traffic from one VLAN to another.

Check out the link below for inter-VLAN routing configuration on L3 switches.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Jon Marshall Wed, 08/04/2010 - 11:55


I was thinking of making an access-list like this.

access-list deny ip 10.10.10.0 0.0.0.255

Would that not block all the subnets?

Also, is the L3 switch capable of assigning DHCP addresses to each VLAN?


Your ACL should be:

access-list 101 deny ip 10.10.10.x 0.0.0.7 10.10.10.0 0.0.0.255

where 10.10.10.x is the VLAN you are applying the ACL to. However, you could use your line instead and it would still work, i.e.:

access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255

Then you must add the following line for Internet access:

access-list 101 permit ip any any

Then apply the ACL inbound to the VLAN interface, e.g.:

interface Vlan10

ip access-group 101 in

Personally, I would write a specific ACL for each VLAN as in the first line and give it a different ACL number, e.g. 101, 102, 103, etc.

Yes, the 3560 can do DHCP, although I prefer to use a Windows server to do this sort of thing.

Jon
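As an added example (not code from this thread, from Cisco, or from any of the posters), the script below builds the 3560 side of the design Ganesh and Jon describe: the 14 /29 subnets carved out of 10.10.10.0/24, one SVI per VLAN, one per-VLAN ACL of the shape Jon gives (deny this /29 to the whole /24, then permit any any), and one DHCP pool per VLAN. It also evaluates an extended ACL the way IOS does (top down, first match wins, implicit deny at the end), so you can check which flows the ACL allows before applying it. VLAN IDs 10-23, the trunk port name and the ACL numbering are assumptions; the thread does not give them. The first `permit ... host <gateway>` line is also an addition: an inbound ACL on an SVI filters packets addressed to the SVI itself, so without it hosts in the VLAN could not reach their own default gateway.

```python
import ipaddress

# Constructed to match the thread: 14 VLANs, each a /29 carved out of 10.10.10.0/24.
# VLAN numbers 10..23 and the trunk port name are assumptions, not from the thread.
PARENT = ipaddress.ip_network("10.10.10.0/24")
SUBNETS = list(PARENT.subnets(new_prefix=29))[:14]
VLAN_IDS = list(range(10, 10 + len(SUBNETS)))
TRUNK_PORT = "GigabitEthernet0/1"


def wildcard(net):
    """IOS wildcard (inverse) mask: 0 bits must match, 1 bits are ignored."""
    return str(net.hostmask)


def vlan_acl(number, net, allow_gateway=True):
    """Per-VLAN ACL as Jon describes: deny this /29 to the whole /24, permit everything else.

    allow_gateway adds a leading permit for the SVI address (an added consideration):
    an inbound SVI ACL also filters packets destined to the SVI itself.
    """
    src = f"{net.network_address} {wildcard(net)}"
    lines = []
    if allow_gateway:
        lines.append(f"access-list {number} permit ip {src} host {net[1]}")
    lines.append(f"access-list {number} deny ip {src} "
                 f"{PARENT.network_address} {wildcard(PARENT)}")
    lines.append(f"access-list {number} permit ip any any")  # Internet-bound traffic
    return lines


def build_config():
    """Emit SVIs, ACLs, DHCP pools and the trunk for every VLAN (one ACL number per VLAN)."""
    cfg = ["ip routing",
           f"interface {TRUNK_PORT}",
           " switchport trunk encapsulation dot1q",
           " switchport mode trunk"]
    for vlan, net in zip(VLAN_IDS, SUBNETS):
        gateway = net[1]                 # first usable address is the SVI / default-router
        acl_no = 101 + (vlan - VLAN_IDS[0])   # 101, 102, 103, ... as Jon suggests
        cfg += vlan_acl(acl_no, net)
        cfg += [f"interface Vlan{vlan}",
                f" ip address {gateway} {net.netmask}",
                f" ip access-group {acl_no} in",
                f"ip dhcp excluded-address {gateway}",
                f"ip dhcp pool VLAN{vlan}",
                f" network {net.network_address} {net.netmask}",
                f" default-router {gateway}"]
    return cfg


def _parse_match(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.ip_address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])),
            int(ipaddress.ip_address(tokens[1])), tokens[2:])


def _matches(addr, base, wild):
    care = ~wild & 0xFFFFFFFF          # bits that must be equal
    return addr & care == base & care


def acl_permits(acl_lines, src, dst):
    """Evaluate an extended ACL as IOS does: top down, first match wins, implicit deny."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    for line in acl_lines:
        tokens = line.split()   # access-list <n> <permit|deny> ip <src spec> <dst spec>
        action = tokens[2]
        sb, sw, rest = _parse_match(tokens[4:])
        db, dw, _ = _parse_match(rest)
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action == "permit"
    return False


if __name__ == "__main__":
    print("\n".join(build_config()))
    acl = vlan_acl(101, SUBNETS[0])
    print("VLAN10 -> VLAN11:", acl_permits(acl, "10.10.10.2", "10.10.10.10"))   # False
    print("VLAN10 -> Internet:", acl_permits(acl, "10.10.10.2", "198.51.100.7"))  # True
```

Traffic between two hosts in the same /29 never crosses the SVI, so the deny line does not affect it even though the evaluator would report it as denied; and because the ACL is applied inbound on the SVI, the clients' DHCP discover (0.0.0.0 to 255.255.255.255) is matched by the final permit, while the switch's own DHCP offers are router-generated and are not filtered.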

shahhardik Mon, 08/16/2010 - 04:44

Hi Jon,

Is there any specific reason for using a Windows server for DHCP over the L3 switch DHCP configuration?

Jon Marshall Mon, 08/16/2010 - 14:30

shahhardik wrote:

Hi Jon,

Is there any specific reason for using a Windows server for DHCP over the L3 switch DHCP configuration?

Because L3 switches really are designed primarily to move traffic across your network and not to act as DHCP/DNS servers, etc. The Windows DHCP server is easy to use, and the last time I used both, the Windows server was more flexible and supported a greater range of options, although this may have changed now.

Jon

shahhardik Mon, 08/16/2010 - 21:20

jon.marshall wrote:

Because L3 switches really are designed primarily to move traffic across your network and not to act as DHCP/DNS servers, etc. The Windows DHCP server is easy to use, and the last time I used both, the Windows server was more flexible and supported a greater range of options, although this may have changed now.

Jon

Hi Jon,

So is there any impact on switch performance if we configure it as a DHCP server momentarily?

Justin Brenton Fri, 08/20/2010 - 07:55

I would definitely suggest implementing a firewall in this environment if it will be connected to the Internet. Whether IOS Firewall on a router or an ASA, it would be worth looking into.

What kind of gateway are you using? Also, what IOS feature set?

HTH, Please rate below if so.

Regards,

Justin

martin_knorre Thu, 08/26/2010 - 00:30

Hi Justin,

Yes, a firewall would be the best, but it is also more expensive than a basic router like the 1800 Series.

I suggest you try to set up the layer 3 switch as a VTP server, configure VLAN interfaces with ip helper-addresses on it and distribute it to the layer 2 devices.

You then only need to set up a Linux or W2K3 server acting as a DHCP server in the network.

For more security you can apply ACLs on the router.

If you have more questions, ask me.

I think I also have a design guide somewhere on my HDD.

Regards Martin
