Cisco Support Community
New Member

Backbone switch question

I am replacing a Linksys switch with a 3750 on my backbone network. I did little to no configuration on that switch. Now that I am replacing it I have a question regarding VLAN 1 on the new switch. It will be a flat L2 switch on the backbone network which connects my FWs to my core 3750.

Is it best practice to move all the ports out of VLAN 1 into another vlan? I.e., say my backbone is 10.35.66.0/24, could I just create a VLAN local to that switch (say VLAN 660) and move all the ports into that vlan? If I add another switch to the backbone, can I create the same vlan local to that switch and again move all the ports off VLAN 1 (i.e. VLAN 660 on switch 2)?

The routing for that network is done via the physical interface on the L3 3750, so that vlan wouldn't exist on the L3 3750.

Can someone help me wrap my head around it?

Here is a crude diagram, the switch in question is the L2 3750.


[diagram: L2.png]

20 REPLIES
Hall of Fame Super Silver

Re: Backbone switch question

Hello DPatten,

>> could I just create a VLAN local to that switch (say VLAN 660) and move  all the ports in to that vlan?

You can do it this way.

If you want this switch to not share the vlan DB with the L3 C3750 you can use a routed port on the L3 C3750, or two access ports.

That is: no trunk port, and not the same VTP domain name.

VTP mode transparent is to be preferred for security reasons.

Using access ports also gives you the capability to use different vlan-ids on the two devices; you just need to disable CDP to remove the annoying messages about native vlan mismatch.

For the management of that L2 switch you need to decide from where you want to reach it.

If you want to control it from the L3 switch you may want to create a L2 trunk carrying the management vlan and the user traffic vlan, but in this case you need to agree on the vlan-ids used on both ends of the link.

Hope to help

Giuseppe

New Member

Re: Backbone switch question

Thanks Giuseppe.

Right now the routed port on the L3 3750 is connected to the current Linksys backbone switch, which will be plugged into the new 3750 when all is said and done.

Disable CDP on the backbone switch? Do I need to disable it on the L3 3750 as well?

Management isn't a problem; I can give it an IP on the 10.66.35.0/24 and a default GW of the routed interface on the L3 3750, which will make it reachable from anywhere on the LAN.

Hall of Fame Super Silver

Re: Backbone switch question

Hello DPatten,

>> Disable CDP on the backbone switch? Do I need to disable it on the L3 3750 as well?

Only if you have an access port on the L2 backbone switch side and you want to use a different vlan.

The L3 port, being a routed port, should not carry native vlan information, so yes, you should not need to disable CDP on either side.

>> Management isn't a problem, I can give it an IP on the 10.66.35.0/24 and a default GW of the routed interface on the L3 3750. Which will make it reachable from anywhere on the LAN.

This is acceptable, but a separate management vlan can be of help; in some cases it can make the difference between being able to still reach the switch or not.

Hope to help

Giuseppe

Hall of Fame Super Blue

Re: Backbone switch question

dpatten78 wrote:

I am replacing a Linksys switch with a 3750 on my backbone network. I did little to no configuration on that switch. Now that I am replacing it I have a question regarding VLAN 1 on the new switch. It will be a flat L2 switch on the backbone network which connects my FWs to my core 3750.

Is it best practice to move all the ports out of VLAN 1 into another vlan? I.e., say my backbone is 10.35.66.0/24, could I just create a VLAN local to that switch (say VLAN 660) and move all the ports into that vlan? If I add another switch to the backbone, can I create the same vlan local to that switch and again move all the ports off VLAN 1 (i.e. VLAN 660 on switch 2)?

I don't fully understand how it works when you don't have a VLAN configured on a L3 device, when it's physically separated from the other subnets.

Can someone help me wrap my head around it?


Your L3 3750 routes for all vlans, so you can use any number of L3 vlan interfaces on the L3 switch to route between vlans. An example might help.

vlans 10, 11, 12:

1) First you create the vlans at L2 on your switches. If you use VTP server/client you only need to configure them on the server, providing the L2 3750 is connected via a trunk.

3750L3(config)# vlan 10

3750L3(config-vlan)# name v10

etc. for each vlan

2) Then you create L3 interfaces for each vlan:

3750L3(config)# int vlan 10

3750L3(config-if)# ip address 192.168.5.1 255.255.255.0   <-- this IP is the default-gateway for any clients in that vlan

3750L3(config)# int vlan 11

3750L3(config-if)# ip address 192.168.6.1 255.255.255.0

etc.

3) Then simply allocate whichever ports you want into the relevant vlan, e.g.

3750L3(config)# int gi0/1

3750L3(config-if)# switchport mode access

3750L3(config-if)# switchport access vlan 10

etc..

For the 3750 L2 switch, if it is connected by a trunk you need:

1) To repeat step 1) above if you are not running VTP server/client or the link is not a trunk.

2) A L2 switch, or a L3 switch acting as a L2 switch, does not route between vlans. However it does have a L3 vlan interface so you can telnet/ssh to it for management. Let's assume you use vlan 10 to manage it, so:

3750L2(config)# int vlan 10

3750L2(config-if)# ip address 192.168.5.2 255.255.255.0

3) You then need a default-gateway on this switch so it can be accessed from a different subnet:

3750L2(config)# ip default-gateway 192.168.5.1   <-- note this is the L3 IP for vlan 10 on the L3 3750

In answer to your question about vlan 1: yes, it is best practice to not use it. It is also best practice to have a management vlan that is not used for any end devices such as PCs/servers/printers. Note in the above example vlan 10 would be your management vlan, i.e. the vlan used to manage the switches.

Jon

New Member

Re: Backbone switch question

Thanks Jon.

I have all that configured already on my L3 3750. It's just in front of it that I didn't quite understand.

You were spot on already, I use vlan 10 for management at this point for everything behind the L3 3750. 

So if I configure vlan 10 on the L2 switch, give it an IP address of 10.30.33.12 (mgmt subnet) and give the switch a default gateway of 10.66.35.3 (routed interface on L3 3750) I will be able to manage it on my current management vlan?

I won't need to trunk anything to the L3 3750?  Just the access port to the routed interface?

If that's the case, that is what I didn't understand. Specifically that a L2 switch has a L3 vlan interface.

Hall of Fame Super Blue

Re: Backbone switch question

dpatten78 wrote:

Thanks Jon.

I have all that configured already on my L3 3750. It's just in front of it that I didn't quite understand.

You were spot on already, I use vlan 10 for management at this point for everything behind the L3 3750. 

So if I configure vlan 10 on the L2 switch, give it an IP address of 10.30.33.12 (mgmt subnet) and give the switch a default gateway of 10.66.35.3 (routed interface on L3 3750) I will be able to manage it on my current management vlan?

I won't need to trunk anything to the L3 3750?  Just the access port to the routed interface?

If that's the case, that is what I didn't understand. Specifically that a L2 switch has a L3 vlan interface.

Ideally what you would do is connect the 3750L2 via a L2 trunk, or a L2 access port in vlan 10, to the 3750L3. You would then configure a L3 vlan 10 interface on the 3750L2 switch and have its default-gateway point to the L3 IP for vlan 10 on the 3750L3.

You can't configure a vlan 10 interface on the L2 3750 and then connect it via a routed port on the 3750; this won't work unless the routed port uses an IP out of vlan 10, but you won't be able to do that if you already have an IP assigned to a L3 vlan 10 interface on the L3 3750.

Jon

New Member

Re: Backbone switch question

Ok, I have a routed interface on the L3 3750; it has an IP address of 10.66.35.3/24. Vlan 10 on the same L3 3750 has an IP address of 10.40.2.1/24, all my switches BEHIND the L3 3750 are connected via trunks which allow vlan 10, and all of which have MGMT IPs on the 10.40.2.0/24 subnet and a default gateway of 10.40.2.1. So that is all gravy.

Currently the routed interface on the L3 3750, let's call it gi1/0/1, is connected to my current Linksys backbone switch. So I can move one port into the MGMT vlan on my L3 3750 and connect that (as an access port) to my L2 3750 while leaving gi1/0/1 connected as well? I.e. two cables from the L3 3750 to the L2 3750? One to allow MGMT traffic and the other doing the routing for traffic leaving and entering my network?

That is ok and won't cause any problems?  Does the port on the L2 3750 connecting to the MGMT vlan on the L3 3750 need to be in vlan 10 as well?

Like so:

Hall of Fame Super Blue

Re: Backbone switch question

dpatten78 wrote:


You're making this more complicated than it needs to be. The easier solution is to create a new vlan, i.e. vlan 20, and on the 3750 L3 switch create a L3 vlan interface, i.e.

int vlan 20

ip address 10.35.66.3 255.255.255.0  <-- note you will need to remove this IP from the routed port on the L3 3750 before allocating it to the vlan 20 interface

this new vlan will be for connectivity between the 3750 and the firewalls

then configure gi1/0/1 (currently a routed port) on the L3 3750 as a L2 trunk, i.e.

int gi1/0/1

switchport   <-- the port is currently "no switchport", so return it to L2 mode first

switchport trunk encapsulation dot1q   <-- on a 3750 this must be set before "switchport mode trunk" or the mode command is rejected

switchport mode trunk

switchport trunk allowed vlan 10,20

make sure vlan 20 exists on the L2 3750.

Then on the L2 3750 configure the interface connected to the L3 3750 as a L2 trunk.

Finally on the interfaces that connect to your firewalls configure them to be in vlan 20. So now you have vlan 10 and vlan 20 on that trunk link.

Jon
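The procedure in Jon's two posts above (L3 SVIs on the 3750, a management SVI plus ip default-gateway on the L2-only switch, then a dot1q trunk carrying vlans 10 and 20) and Giuseppe's earlier points (VTP transparent, and both ends of a link agreeing on the vlan-ids they use) can be checked mechanically against the running configs. The Python audit below is an added example, not code from the thread or from Cisco. It parses two constructed running-config snippets (written to match the design discussed here, not the poster's real configs) and reports ports left in VLAN 1, VTP not in transparent mode, a native VLAN of 1, trunk ends that disagree on native or allowed VLANs, VLANs carried on the trunk but not defined on one side, and a missing default gateway on the L2-only switch. The native VLAN 999 in the sample and the allowed-list pruning check are my own additions; the thread does not recommend them.

```python
"""Audit two Cisco IOS switch configs for the VLAN/trunk points raised in this thread (added example)."""
import re

def expand_vlan_list(spec):                      # "10,20-22" -> {10, 20, 21, 22}
    parts = [p.partition("-") for p in spec.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_ios(text):
    """Collect top-level VLAN definitions, VTP mode, default gateway and each interface stanza."""
    cfg = {"vlans": set(), "vtp mode": None, "ip default-gateway": None, "interfaces": {}}
    current = None
    for line in (l.rstrip() for l in text.splitlines()):
        if line.startswith(" ") and current:     # indented line inside an interface stanza
            cfg["interfaces"][current].append(line.strip())
            continue
        current = None
        if m := re.match(r"interface (\S+)$", line):
            current, cfg["interfaces"][m.group(1)] = m.group(1), []
        elif m := re.match(r"vlan ([\d,-]+)$", line):
            cfg["vlans"] |= expand_vlan_list(m.group(1))
        elif m := re.match(r"(vtp mode|ip default-gateway) (\S+)", line):
            cfg[m.group(1)] = m.group(2)
    return cfg

def port_info(lines):
    """L2 settings of one port, starting from IOS defaults: access port, VLAN 1, native 1, all VLANs."""
    p = {"mode": "access", "access_vlan": 1, "native": 1, "allowed": None}
    for l in lines:
        w = l.split()
        if l in ("switchport mode trunk", "no switchport"):
            p["mode"] = "trunk" if w[-1] == "trunk" else "routed"
        elif l.startswith("switchport access vlan "):
            p["access_vlan"] = int(w[-1])
        elif l.startswith("switchport trunk native vlan "):
            p["native"] = int(w[-1])
        elif l.startswith("switchport trunk allowed vlan ") and w[4][0].isdigit():  # add/remove/all not modelled
            p["allowed"] = expand_vlan_list(w[4])
    return p

def audit_switch(name, cfg, l2_only=False):
    """Per-switch findings; l2_only adds the check for a switch reached only through its management SVI."""
    f = []
    if cfg["vtp mode"] != "transparent":
        f.append(f"{name}: vtp mode is {cfg['vtp mode'] or 'server (default)'}, expected transparent")
    for ifname, lines in cfg["interfaces"].items():
        if ifname.lower().startswith("vlan") or "shutdown" in lines:
            continue                             # SVIs and shut ports carry no user traffic
        p = port_info(lines)
        if p["mode"] == "access" and p["access_vlan"] == 1:
            f.append(f"{name}: {ifname} is an active access port left in VLAN 1")
        elif p["mode"] == "trunk":
            if p["allowed"] is None:
                f.append(f"{name}: {ifname} trunk carries every VLAN; prune the allowed list")
            if p["native"] == 1:
                f.append(f"{name}: {ifname} native VLAN is 1; move it to an unused VLAN")
    if l2_only and cfg["ip default-gateway"] is None:
        f.append(f"{name}: no ip default-gateway, so it cannot be managed from another subnet")
    return f

def audit_link(a_name, a_cfg, a_if, b_name, b_cfg, b_if):
    """Both ends must agree on native VLAN and allowed list, and carried VLANs must exist on both."""
    pa, pb = port_info(a_cfg["interfaces"][a_if]), port_info(b_cfg["interfaces"][b_if])
    f = []
    if pa["mode"] == "trunk" and pb["mode"] == "trunk":
        if pa["native"] != pb["native"]:
            f.append(f"native VLAN mismatch: {a_name}={pa['native']}, {b_name}={pb['native']}")
        if pa["allowed"] != pb["allowed"]:
            f.append("allowed VLAN lists differ between the two ends")
        for v in sorted(pa["allowed"] or ()):
            for n, c in ((a_name, a_cfg), (b_name, b_cfg)):
                if v != 1 and v not in c["vlans"]:  # VLAN 1 always exists implicitly
                    f.append(f"VLAN {v} is carried on the trunk but not defined on {n}")
    return f

# Constructed sample configs (not the poster's): L3_3750 follows the thread's advice, L2_3750 does not yet.
L3_3750 = """\
vtp mode transparent
vlan 10
vlan 20
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
"""
L2_3750 = """\
vlan 10
vlan 20
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
interface GigabitEthernet1/0/5
interface Vlan10
 ip address 10.40.2.12 255.255.255.0
ip default-gateway 10.40.2.1
"""

if __name__ == "__main__":
    l3, l2 = parse_ios(L3_3750), parse_ios(L2_3750)
    link = audit_link("L3", l3, "GigabitEthernet1/0/1", "L2", l2, "GigabitEthernet1/0/1")
    print("\n".join(audit_switch("L3", l3) + audit_switch("L2", l2, l2_only=True) + link))
```

Run as a script it prints the findings for the sample pair: the L3 side is clean, the L2 side (still at its defaults) reports VTP in server mode, native VLAN 1 on the trunk, and the untouched Gi1/0/5 sitting in VLAN 1, and the link check reports the native VLAN mismatch. Two caveats: the parser models only the plain `switchport trunk allowed vlan <list>` form, not the add/remove/except variants, and on a 3750 `ip default-gateway` is honoured only while `ip routing` is disabled (the default), so leave routing off on the L2-only switch or the management traffic will need a static default route instead.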

New Member

Re: Backbone switch question

Updated below.

New Member

Re: Backbone switch question

Jon, tell me about it! My head is spinning at this point.

About a year ago I tried doing exactly what you said, creating a separate vlan and making that routed port the default IP. But with the FWs I am working with (Netscreen SSG5s) I wasn't able to get it working. Plus the fact that I am running OSPF between the two FWs and the routed interface, I wasn't sure how that would work with a vlan, or if it would work at all.

So I left it as-is.

Here is the config of my routed interface (I can do all of this with a virtual IP?):

interface GigabitEthernet1/0/1
 description ACCESS TO BACKBONE/INTERNET
 no switchport
 ip address 10.66.35.3 255.255.255.0
 ip access-group HQ_DEV_SNMP out
 ! "ip ospf authentication" with no keyword is simple-password authentication: the key crosses the
 ! wire in clear text, and "authentication-key 7" stores it with the reversible type-7 encoding.
 ! "ip ospf authentication message-digest" with "ip ospf message-digest-key <id> md5 <key>" is the stronger option.
 ip ospf authentication
 ip ospf authentication-key 7 xxxxxxxxxxxx
 ip ospf hello-interval 3
 ip ospf dead-interval 9
 ip ospf priority 128
 ipv6 address 2001:5C0:987D:7100::5/64
 ipv6 enable

If so I will tackle it again in the near future but leave everything as-is for now.

Hall of Fame Super Blue

Re: Backbone switch question

Should work fine on L3 vlan interface. Certainly OSPF will work fine.

Jon

New Member

Re: Backbone switch question

Yeah I don't remember what the exact problem was.  But I will try it again in the near future and let you guys know.

New Member

Re: Backbone switch question

Alright one more question.

If I do go that route I don't need to configure any vlans on the FWs correct?  Just make sure the two connections from the FW are in vlan 20 ports on the L2 3750?

Hall of Fame Super Blue

Re: Backbone switch question

Correct.

Jon

Hall of Fame Super Silver

Re: Backbone switch question

Hello DPatten,

>> But with the FW's I am working (netscreen SSG5s) with I wasn't able to get it working. Plus the fact that I am running OSPF between the two FWs and the routed interface I wasn't sure how that would work with a vlan

I guess you could have had trouble with MTU settings (MTU mismatch), which can be detected with debug ip ospf adj.

As Jon noted, you should be able to use an SVI instead of a routed port if you like.

Hope to help

Giuseppe

Hall of Fame Super Silver

Re: Backbone switch question

Hello Jon,

For the trunk link option to work it is enough that the two switches agree on the two vlan-ids used.

The L2 LAN switch just needs an IP address on the management interface and acts as a pure L2 LAN switch for vlan 20.

Of course the L2 object vlan 20 must exist on the switch and needs to be created in the usual manner:

vlan 20

name backbone vlan

There is no need to move the SVI to the backbone switch (or it will become a L3 backbone switch).

The use of two separate links would only provide the capability to use different vlan-ids at the two ends of each link.

Hope to help

Giuseppe

Hall of Fame Super Blue

Re: Backbone switch question

giuslar wrote:

Hello Jon,

For the trunk link option to work it is enough that the two switches agree on the two vlan-ids used.

The L2 LAN switch just needs an IP address on the management interface and acts as a pure L2 LAN switch for vlan 20.

Of course the L2 object vlan 20 must exist on the switch and needs to be created in the usual manner:

vlan 20

name backbone vlan

There is no need to move the SVI to the backbone switch (or it will become a L3 backbone switch).

The use of two separate links would only provide the capability to use different vlan-ids at the two ends of each link.

Hope to help

Giuseppe

Giuseppe

Not sure i follow you.

If you want to manage the L2 switch on a different vlan than the vlan used for data, which is recommended, there is a need to make the routed port a trunk port, because you need to transmit traffic for 2 vlans between the L3 3750 and the L2 3750, i.e. vlan 20 for data traffic from the firewalls and vlan 10 for management traffic to the L2 3750.

And the SVI for vlan 20 has to exist on the 3750 because a L2 switch does not pass data traffic via its SVI.

Jon

Hall of Fame Super Blue

Re: Backbone switch question

giuslar wrote:

Hello Jon,

For the trunk link option to work it is enough that the two switches agree on the two vlan-ids used.

The L2 LAN switch just needs an IP address on the management interface and acts as a pure L2 LAN switch for vlan 20.

Of course the L2 object vlan 20 must exist on the switch and needs to be created in the usual manner:

vlan 20

name backbone vlan

There is no need to move the SVI to the backbone switch (or it will become a L3 backbone switch).

The use of two separate links would only provide the capability to use different vlan-ids at the two ends of each link.

Hope to help

Giuseppe

Giuseppe

I'm still not following what you mean here. Could you perhaps clarify ?

Jon

Hall of Fame Super Silver

Re: Backbone switch question

Hello Jon,

You don't need an SVI in vlan 20; you need to create the vlan 20 broadcast domain on the L2-only switch.

You create an SVI in vlan 20 if you want to provide L3 services on this broadcast domain, I mean on the L2 backbone LAN switch.

Probably I have misunderstood your previous post; you were referring to moving from a routed port to an SVI on the L3 C3750.

I see it now

Hope to help

Giuseppe

Hall of Fame Super Silver

Re: Backbone switch question

Hello DPatten,

>> That is ok and won't cause any problems? Does the port on the L2 3750 connecting to the MGMT vlan on the L3 3750 need to be in vlan 10 as well?

To this link applies the CDP concern I've expressed before, if you use a different vlan on the L2 switch.

Hope to help

Giuseppe
