I'm struggling to come up with a workable solution for VLANs within a messy network.
There are currently 3 subnets (effective class Cs), no VLANs, roughly 350 hosts, spread over some low end switches which in turn link to a pair of 4506s (Supervisor II). The 4506s in turn pass traffic through a firewall on its way to the HSRP virtual router. The firewall is badly placed due to some overbearing security specifications and is currently creating problems due to its session limit. Once the network gets busy, the number of sessions passing through the firewall shoots up and network responses plummet.
I want to implement VLANs and enable Layer3 switching with the result that only extranet/internet bound traffic need hit the firewall - everything else stays on the switch fabric.
Basically I need to enable VLANs, implement Layer 3 switching between them using static routes and then maybe tighten things up a little with ACLs.
My main questions are around configuring Layer 3 switching and where to assign IP addresses:
1. Do I need to set up three SVIs (one for each VLAN) or is the SVI purely for switch management, thus only ever requiring one?
2. Does the switch route all incoming traffic regardless of whether an IP address is set on that interface?
I'm new to the bigger switches and have been tearing through the BCMSN guide and various Internet sites but can't find a solution.
hi, this should be relatively simple to configure. Create VLAN interfaces on the 4506s. These are logical interfaces which are assigned IP addresses. If you set up trunks between your low end switches and the 4506s then you can assign access ports to VLANs as required. You will also need to trunk between the 4506s.
To add some redundancy into this you could configure HSRP on the VLAN interfaces between the 4506 interfaces.
You need to configure ip routing on the vlan as follows:
ip routing
!
interface Vlan1
 description Management vlan
 ip address 10.8.1.252 255.255.255.0
 no ip redirects
 standby ip 10.8.1.254
 standby priority 50
From then on, all traffic that originates from vlan1 will be routed by the switch.
The standby config is optional but recommended when you have a dual core.
You can do the same for each VLAN that needs to be L3-switched. A trunk link between the two switches is also required to allow data from one switch to the other. Also make sure that your VTP domain is synchronized so that all nodes know about all VLANs.
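Putting the replies together, here is an added example of one core switch's side of the design (it is not the poster's or the repliers' config). It assumes the supervisor supports `ip routing`, that the peer core is configured identically with the .253 addresses and HSRP priority 100, and that the VLAN numbers and names, port numbers, the 10.8.2.0/24 and 10.8.3.0/24 subnets and the firewall inside address 10.8.1.1 are constructed for illustration.

```cisco
! Added example, not the original config. Addresses outside 10.8.1.0/24,
! VLAN numbers/names and port numbers are constructed.
!
! Without this the SVIs only answer for the switch itself; with it the
! switch routes between them, so intra-site traffic never reaches the firewall
ip routing
!
vlan 10
 name Users
vlan 20
 name Servers
!
! One SVI per VLAN: each is that VLAN's default gateway (the HSRP virtual address)
interface Vlan1
 description Management vlan
 ip address 10.8.1.252 255.255.255.0
 no ip redirects
 standby 1 ip 10.8.1.254
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan10
 description Users vlan
 ip address 10.8.2.252 255.255.255.0
 ip access-group USERS-IN in
 no ip redirects
 standby 10 ip 10.8.2.254
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 description Servers vlan
 ip address 10.8.3.252 255.255.255.0
 no ip redirects
 standby 20 ip 10.8.3.254
 standby 20 priority 110
 standby 20 preempt
!
! 802.1Q trunk to the peer core; access-switch uplinks are configured the same way
interface GigabitEthernet1/1
 description Trunk to core-B
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Only traffic with no more specific route (extranet/Internet) is sent to the firewall
ip route 0.0.0.0 0.0.0.0 10.8.1.1
!
! Optional tightening: the user VLAN may not reach the management VLAN
ip access-list extended USERS-IN
 deny ip 10.8.2.0 0.0.0.255 10.8.1.0 0.0.0.255
 permit ip any any
```

`show ip route` should then list the three connected 10.8.x.0/24 networks plus the default, and `show standby brief` should show this switch Active for each group while the peer is Standby.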