08-04-2010 01:12 AM - edited 03-06-2019 12:18 PM
Hi
I am trying to figure out how to design my network.
The basic topology is Internet --> Gateway -> Router -> Switch -> PC's
On the switch I want to create 14 separate VLANs.
I will create a trunk from the Gbit ports on the router and the switch.
I have looked at buying the following equipment:
Switch: Catalyst WS-C2960-48TC-L
Router: Catalyst WS-C3560-8PC-S
Is there anything wrong with this setup? Also did I choose the right equipment? btw I already own the L2 switch.
My final question is how to create an access-list that would stop the VLAN's from being able to communicate with each other.
Any help is very appreciated!
/Martin
08-04-2010 01:58 AM
Martin,
The 3560 is itself an L3 switch. For communication from the local LAN subnet to the Internet you need NAT functionality, and 3560 switches do not support NAT.
If you have a router like an 1800, 2600 or any other router series that you can buy for your setup, it can be used for the Internet functionality. With a router you can have a router-on-a-stick configuration, with the L2 switch trunked to the router interface.
Check out the link below for the router-on-a-stick concept, and apply the ACL on the sub-interface in the inbound direction to restrict the traffic entering the other VLANs.
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
08-04-2010 02:06 AM
Yes, I know. I was planning on using the NAT functionality in the gateway.
08-04-2010 02:14 AM
If you want NAT functionality, the 3560 L3 switch does not support it; make use of a router to do the same.
Check out the link below for NAT configuration on a router.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
08-04-2010 02:20 AM
Yes, but I have a gateway in front of the L3 switch that provides NAT...
Sent from my HTC
08-04-2010 02:30 AM
Hi,
OK, so the L3 switch will be doing inter-VLAN routing and NAT will be done in the external router. Then create the VLANs on the L2 switch and connect it to the L3 switch via a trunk port configuration. Then configure SVIs on the L3 switch, which will act as the gateway for the VLAN traffic, and apply an ACL in the inbound direction on each of these VLAN interfaces to restrict the traffic from one VLAN to another.
Check out the link below for inter-VLAN routing configuration on L3 switches.
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
08-04-2010 02:44 AM
I was thinking of making an access-list like this.
access-list deny ip 10.10.10.0 0.0.0.255
Would that not block all the subnets?
Also, is the L3 switch capable of assigning DHCP addresses to each VLAN?
08-04-2010 11:55 AM
Your ACL should be -
access-list 101 deny ip 10.10.10.x 0.0.0.7 10.10.10.0 0.0.0.255 where 10.10.10.x is the VLAN you are applying the ACL to. However, you could use your line instead and it would still work, i.e. access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
then you must add the following line for Internet access -
access-list 101 permit ip any any
then apply the ACL inbound to the VLAN interface, e.g.
interface vlan 10
 ip access-group 101 in
Personally I would write a specific ACL for each VLAN as in the first line and give it a different ACL number, e.g. 101, 102, 103 etc.
Yes, the 3560 can do DHCP, although I prefer to use a Windows server for this sort of thing.
Jon
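As an added example (not Jon's or any other poster's configuration), here is what the 3560 side of this design looks like for three of the fourteen VLANs, using /29 subnets carved out of 10.10.10.0/24 as Jon's 0.0.0.7 wildcard implies. The VLAN numbers, the 192.168.1.0/24 link to the NAT gateway and the DNS address are assumptions. It generalises Jon's single ACL to one ACL per VLAN, adds an explicit permit for DHCP ahead of the deny (a DHCP renewal is a unicast to the SVI address, which would otherwise match the deny line when the 3560 is the DHCP server), and ends with a permit scoped to the VLAN's own subnet instead of permit ip any any, so that packets with a spoofed source are dropped at the first hop.

```cisco
! === WS-C3560-8PC-S: inter-VLAN routing, one ACL per VLAN, DHCP on the switch ===
! Added example, not a poster's config. VLAN numbers, /29 subnets and the
! 192.168.1.0/24 link to the NAT gateway are assumptions.
ip routing
!
vlan 10
 name PCS-A
vlan 20
 name PCS-B
vlan 30
 name PCS-C
!
! Trunk to the 2960 on the single Gigabit port. The 3560 requires the
! encapsulation to be set before "mode trunk"; the 2960 side only supports
! dot1q and has no such command.
interface GigabitEthernet0/1
 description trunk to WS-C2960-48TC-L
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Routed port towards the NAT gateway (assumed 192.168.1.1). The gateway needs
! a static route for 10.10.10.0/24 via 192.168.1.2, or return traffic is dropped.
interface FastEthernet0/1
 description uplink to NAT gateway
 no switchport
 ip address 192.168.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! One ACL per VLAN, applied inbound on that VLAN's SVI. First match wins:
!  1. DHCP: discover is 0.0.0.0 -> 255.255.255.255, renew is unicast to the SVI;
!     both would otherwise fall into line 2 or the implicit deny
!  2. drop anything else aimed at 10.10.10.0/24, i.e. at the other VLANs
!  3. let only the VLAN's own addresses out to the Internet; a spoofed source
!     hits the implicit deny at the end of the list
access-list 110 remark VLAN 10 - 10.10.10.0/29
access-list 110 permit udp any any eq bootps
access-list 110 deny   ip 10.10.10.0 0.0.0.7 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.7 any
access-list 120 remark VLAN 20 - 10.10.10.8/29
access-list 120 permit udp any any eq bootps
access-list 120 deny   ip 10.10.10.8 0.0.0.7 10.10.10.0 0.0.0.255
access-list 120 permit ip 10.10.10.8 0.0.0.7 any
access-list 130 remark VLAN 30 - 10.10.10.16/29
access-list 130 permit udp any any eq bootps
access-list 130 deny   ip 10.10.10.16 0.0.0.7 10.10.10.0 0.0.0.255
access-list 130 permit ip 10.10.10.16 0.0.0.7 any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.248
 ip access-group 110 in
interface Vlan20
 ip address 10.10.10.9 255.255.255.248
 ip access-group 120 in
interface Vlan30
 ip address 10.10.10.17 255.255.255.248
 ip access-group 130 in
!
! DHCP served by the switch: the pool is selected by the SVI the request arrives
! on. A /29 leaves five leases per VLAN once the gateway address is excluded.
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.9
ip dhcp excluded-address 10.10.10.17
ip dhcp pool VLAN10
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 dns-server 192.168.1.1
ip dhcp pool VLAN20
 network 10.10.10.8 255.255.255.248
 default-router 10.10.10.9
 dns-server 192.168.1.1
ip dhcp pool VLAN30
 network 10.10.10.16 255.255.255.248
 default-router 10.10.10.17
 dns-server 192.168.1.1
!
! === WS-C2960-48TC-L: trunk up, access ports down ===
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
interface range FastEthernet0/1 - 4
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

To check it, "show ip access-lists 110" shows a hit counter per line: a ping from a VLAN 10 host to 10.10.10.9 should bump the deny line, a ping to an Internet address the last permit, and a lease renewal the bootps line. "show ip dhcp binding" lists the leases handed out per pool. Note that the deny line also blocks pings to the VLAN's own gateway address, since 10.10.10.1 is inside 10.10.10.0/24; add a "permit icmp 10.10.10.0 0.0.0.7 host 10.10.10.1" ahead of it if that is wanted for troubleshooting.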
08-16-2010 04:44 AM
Hi Jon,
Is there any specific reason for using a Windows server for DHCP over the L3 switch DHCP configuration?
08-16-2010 02:30 PM
Because L3 switches really are designed primarily to move traffic across your network and not to act as DHCP/DNS servers etc. The Windows DHCP server is easy to use, and the last time I used both, the Windows server was more flexible and supported a greater range of options, although this may have changed now.
Jon
08-16-2010 09:20 PM
Hi Jon,
So is there any impact on switch performance if we configure it as a DHCP server momentarily?
08-20-2010 07:55 AM
I would definitely suggest implementing a firewall in this environment if it will be connected to the Internet. Whether IOS Firewall on a router or an ASA, it would be worth looking into.
What kind of gateway are you using? Also, what IOS feature set?
HTH, Please rate below if so.
Regards,
Justin
08-26-2010 12:30 AM
Hi Justin,
Yes, a firewall would be the best, but it is also more expensive than a basic router like the 1800 Series.
I suggest you try to set up the layer 3 switch as a VTP server, configure VLAN interfaces with ip helper-addresses on it, and distribute the VLANs to the layer 2 devices.
You then only need to set up a Linux or W2K3 server acting as DHCP in the network.
For more security you can apply ACLs on the router.
If you have more questions, ask me.
I think I also have a design guide somewhere on my HDD.
Regards Martin
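As an added example, not the poster's own configuration, this is the VTP-server plus ip helper-address layout described above, with the DHCP server on its own VLAN. The domain name, password, the server's address 10.10.20.10 on VLAN 200 and the VLAN numbers are assumptions; the per-VLAN inbound ACLs are left out here and are the same as in the earlier example.

```cisco
! === 3560 as VTP server, 2960 as client, DHCP relayed to a central server ===
! Added example, not a poster's config. Domain, password, the server address
! 10.10.20.10 on VLAN 200 and the VLAN numbers are assumptions.
vtp domain MARTIN-LAN
vtp mode server
vtp version 2
vtp password Vtp-Example-Secret
!
! VLANs created on the server are advertised to every client in the domain.
vlan 10
 name PCS-A
vlan 20
 name PCS-B
vlan 200
 name SERVERS
!
! Caveat: any switch joining the domain with a higher configuration revision
! number overwrites the server's VLAN list. Put a second-hand 2960 in
! "vtp mode transparent" first (revision goes back to 0), then make it a client.
!
interface Vlan200
 description DHCP server VLAN (Linux/W2K3 at 10.10.20.10)
 ip address 10.10.20.1 255.255.255.0
!
! ip helper-address turns the client's DHCP broadcast into a unicast to the
! server. The server picks the scope from the relay address (giaddr), which is
! the SVI address, so the server carries one scope per VLAN subnet.
interface Vlan10
 ip address 10.10.10.1 255.255.255.248
 ip helper-address 10.10.20.10
interface Vlan20
 ip address 10.10.10.9 255.255.255.248
 ip helper-address 10.10.20.10
!
! By default the helper also relays TFTP, DNS, time, NetBIOS and TACACS
! broadcasts to the server; turn off what it is not meant to receive.
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
! If an inbound ACL sits on these SVIs, keep "permit udp any any eq bootps"
! ahead of the inter-VLAN deny: it covers the initial broadcast as well as the
! unicast renewals the clients later send straight to 10.10.20.10.
!
! === 2960: join the domain as a client; VLANs are learned over the trunk ===
vtp domain MARTIN-LAN
vtp mode client
vtp password Vtp-Example-Secret
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
```

"show vtp status" on both switches should report the same domain and configuration revision once the trunk is up, and "show vlan brief" on the 2960 should list the VLANs without any having been typed there. On the DHCP server side, the scope for 10.10.10.0/29 has to exclude 10.10.10.1 and hand out 10.10.10.1 as the router option, exactly as the switch-hosted pool in the earlier example did.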