I'm in the process of working on a new switch configuration. Basically what we have are 2 L3 switches that will have multiple VLANs and 802.1Q enabled. If devices are plugged into the L3 switch things work fine.
The question/problem I have is that these L3 switches are connected to a stack of L2 Cisco switches via the gig uplink ports. All L2 switches are basically base config'd, no VLANs.
My thought process is if I have the production network (which all the L2 switches connect to), I'm going to have to configure all the L2 switches to be on the same VLan as it is configured on the L3 switch.
I've done some testing and right now when I plug into the L2 switch connected by the gig backbone (no config done on backbone) I can't talk to anything on the L3 switch.
Is there something I'm missing here or what is my next step in the right direction?
We can talk you through getting this to work but i am slightly worried about you saying the L2 switches are on production.
Could you expand on that a bit. You will have to do some configuration on these switches and we need to be careful if this is production.
Are your L3 switches the only ones with vlans at the moment ?
Sorry, I guess I should mention this is in a completely isolated R&D network. I have simular ability switches that I can test before I make changes on the "Production Equipment"
To make it easier sub out when I said production to LAN traffic.
This is for a ESX environment, so on the L3 switch, I have VLAN10 (mgmt), VLAN20 (vmotion), VLAN30 (LAN Traffic).
I have a L2 switch that is connected to the L3 switch via backbone, with basically no configuration done. So basically all LAN traffic on the L2 switches is going over VLAN1 I'm assuming.
Right. What do you want to do ?. Do you want those 3 vlans on your L3 switches to be available to your L2 switches ?
What type of switches are your L3 and L2 switches ?
R&D Setup (which I'm currently practicing on):
Cat 3560(L3) and 3550 (L2)
Eventually would like to make these changes on production switches, 2x 3750(L3) and 3550(L2) switch rack
Overall goal would be is to have something like this:
VLAN10(esx mgmt) - IP Range 10.10.0.0/16
VLAN20(esx vmotion) - IP Range 10.20.0.0/16
VLAN30(lan network/servers/etc) - IP Range 10.30.0.0/16
L2 Switches(all users are connect to the L2 switch rack, including myself):
All traffic is IP range of 10.30.0.0/16
So I want all traffic on the L2 switches to be able to talk to VLAN30 on the L3 switch for obvious reasons of getting to the servers.
I need connection from the L2 switch rack (10.30.0.0/16 network) to the 10.10.0.0 network, but limited access. So I would need access lists to controll that I'm sure.
I want VLAN 20 traffic to be isolated, only 10.20.0.0/16 talks to 10.20.0.0/16. Again would need to create an access list I'm sure.
Okay sorry to keep asking questions but would like to provide a working config.
Firstly i would recommend having servers on a separate subnet than your users. If you are using 10.30.0.0/16 you could easily split this - how many users do you have and how many servers.
Now if all the devices on your L2 switches are end users then you do not need to connect the L2 switches to the L3 switches with a trunk link. However you generally use a separate vlan for managing the switches. So there are a few options.
Also can you run the output of a
"sh vtp status" on your 3560 and 3550 switches and post here.
10.10.0.0/16, 10.20.0.0/16 and 10.30.0.0/16 are big ranges. Do you need this range of addresses ?
If you could answer the questions above we can come up with a config and also the access-lists.
No worries on the questions, its been a while since i've had to use my cisco training/cert so i'm a tad rusty.
"Firstly i would recommend having servers on a separate subnet than your users. If you are using 10.30.0.0/16 you could easily split this - how many users do you have and how many servers."
I would tend to agree with you if we had this setup earlier, but the network build has been this way since i started here, and years before then. I doubt I'll get anywhere near welcome greeting by asking to change the IP setup. Too many things are static around here. The main goal at least for now, is to isolate different VMware ESX networks, ie: prevent any possible attackers from compromising a server, then jumping to the ESX host because its on the same network.
"10.10.0.0/16, 10.20.0.0/16 and 10.30.0.0/16 are big ranges. Do you need this range of addresses?"
Again before I came, no probably don't but now its part of our IP Scheme and really can't change that.
In the attachment, the IP that was blacked out was different to the one that I have been giving as an example. It is showing VLAN10 being the lowest, so the IP should've read 10.10.10.1 (most likely wont use that address, but for example).
The less work that I have to do on the L2 3550's the better, but if there is a best practice and its not too big of a change I'm open to suggestions. Let me know if that was the information you were looking for or if you have more questions. Thanks for all of your help so far.
Okay no problem we'll work with what you have got at the moment but be aware you should probably look to change this in future.
You could setup the L2 3550 switches as VTP clients and have your L3 switches as VTP servers but asyou oinly need one vlan ie. vlan 30 on the 3550 switches we''ll use transparent.
On your 3550 switches
3550(config)# vtp mode transparent
3550(config)# vlan 30
3550(config-vlan)' name v30
On the port(s) that uplink to your L3 switches eg.
switchport access vlan 30
then you need to allocate other ports that have end user devices into vlan 30. Same as above but don't forget you can use the interface range command to save time eg.
3550(config)# int range fa0/5 - 12
3550(config-if-range)# switchport access vlan 30
On your L3 switches
On the port(s) connecting to the 3550
3560(config)# int fa0/0
3560(config-if)# switchport access vlan 30
Eventually you may well want to make the above links trunks but as you only need vlan 30 on L2 switches... If you want to make them trunks let me know.
Right now if you have a device on one of the 3550 switches in vlan 30 you should be able to ping vlan 30 interface on L3 switch and other L3 vlan interfaces on L3 switch.
access-list 101 deny ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 permit ip any any
int vlan 30
ip access-group 101 in
this will stop vlan 30 devices talking to vlan 20 devices. If you want further control let me know.
Try all this and let me know how you get on.
Thanks Jon I'll try this out and let you know how it goes.
One question I have for ya.
So you have on the 3550(L2):fa0/1 talking to the 3650(L3)fa0/0 as a link to talk to eachother.
The way we have our switches configured is that they are all connected via the GigabitEthernet 0/1. So instead of doing the commands on fa0/1-fa0/0, can I just do those on the (3550)GigabitEthernet0/1-(3650)GigabitEthernet0/1 ?
Thanks again for all of your time spent
No problem with the help, that's what NetPro is for :)
Yep i just used fa0/1 and fa0/0 as examples, you should use whatever ports you are using for uplinks.
Once you have this setup and working you may want to refine it ie. trunk links would provide more scalability in future and maybe VTP server/client mode so please feel free to come back.
Appreciate the rating.