Hi Guys, I posted this question before and I got very useful responses but I still have issues understanding the best course of action given the following:
I can provide a drawing if needed.
I am trying to create and implement 11 VLANs on a flat network with 2 floors and one remote location connected to the main office using a point-to-point T1 connection via an internal router, which is the default gateway for the users and servers too. If traffic is destined for the remote office, the router sends it over the point-to-point T1 link, but if traffic is destined for the Internet, this router sends it to the firewall, which is connected to two routers (border routers with public interfaces to the Internet provider).
In floor one, I have an L3 Cisco 4500 switch and a CAT 4006 switch connected via GBIC interfaces.
In floor 2, I have a CAT 4006 switch connected to the 4500 in floor 1 via fiber using GBIC interfaces.
On this floor 2, I have 5 Cisco 3512 L3 switches in 5 conference rooms connected to the CAT 4006 on this floor, i.e. floor 2.
Now, I don't know how to approach this given these switches and their locality.
Should I use the internal router? (default gateway for all).
Also, I don't want to have the same VLAN on switches at both floors, but I am running into the issue of what happens if a user or users belonging to the same VLAN sit at different locations.
How do I address this issue? Would I end up having the same VLAN on both sides of the router?
I am planning on having 11 VLANs, 6 at floor 1, 4 at floor 2 and 1 for the remote location, but I am not quite sure how to handle the servers at both locations given some of them are clustered.
I can provide a drawing if required. Please advise, as I am really confused on how to do this the best and safest way, plus the trunking is also an issue given the two floors, different switches and a remote location.
Even though you have a small number of VLANs, I would recommend implementing the VLAN Trunking Protocol (VTP) to distribute VLAN information between all switches. You can also utilize VTP Pruning to keep undesirable broadcast/multicast traffic off of the trunk links. I would personally utilize SVIs for inter-VLAN routing and just default my way back to the core. For trunking, try to go with EtherChannel if at all possible. This will give you resiliency and failover. For your remote location, with this small of a setup you're not going to be running VLANs over the WAN. Just create appropriate VLANs at the remote location and default everything back to the core just like your access switches. A picture says 1000 words, so it may be helpful to post a pic.
Hi Adam and thanks for responding. I will take your suggestion under consideration and I think working my way to the core is the right thing to do, except I need to clear my mind with the following questions:
1- If I am to use the 4500 at floor 1 as core and create all VLANs (11 of them) on this switch, then what would be the relation between this core switch and the one at floor 2, a CAT 4006?
2- What would I need to do as far as my switch at floor 2, the CAT 4006, and its connections to the 5 L3 switches we have at 5 conference rooms? Do I need to create all 11 VLANs on all my switches? I assume not; then, how can I consider the locality of my users in each VLAN? I mean, if one or a few users on a VLAN, say VLAN 2, sit at a different location from the rest of the department on VLAN 2?
3- Would it be a good idea to have 2 core switches, the 4500 for floor 1 (and create VLANs for departments at floor 1 on this switch) and the CAT 4006 at floor 2 for only the VLANs for the departments in floor 2, with a router (the current Cisco 3825 with 2 GB Ether interfaces and 2 FastEther interfaces) in between for the subinterfaces and routing? How should I define my trunk in this case?
I am posting the picture and maybe, based on what I currently have, you can direct me in the right direction. I have no problems with command syntax and VLAN creation, routing, etc., but I have not done this type of VLANs before, therefore I don't have the right visualization for this scenario. I don't have testing capabilities either, so I need to get it right to a great percentage the first time!
I believe what you need to do is create the VLANs on the 4500, then place all the switches on the 1st and 2nd floor in the same VTP domain and set them as VTP clients.
By doing this, you will be able to create and modify all your VLANs from the 4500 and the information will be propagated through the VTP domain automatically via the trunks between the switches.
What you would want to do on the 4006 on the 2nd floor is prune the trunks to only transport the necessary VLANs to the appropriate switch.
I.e., the switch in conference room 1 is in VLAN 100; there is no need for that switch to know anything about the VLAN that switch 2 is in, so that VLAN can be pruned from that trunk.
By pruning the trunks, you will free up resources on the switches as well as bandwidth on the trunk (if that's an issue), and provide a little more security.
I agree with Adam regarding the default to the core from the remote site. That simplifies configuration and achieves what you're looking for.
I believe you have seen the diagram that I have posted. Your idea is great and I am also positive that it would save me a lot of management and problems down the road.
So let me please re-cap:
1- I create all my VLANs on the 4500 - correct? Then, how would I deal with the issue of users sitting in various locations belonging to the same VLAN?
2- What would be the role of my router here, which is between the 4500 and the 4006 and other switches? I.e., all user traffic must get to this router first, and then this router decides if the traffic is destined for the remote location or for the Internet, and if for the Internet, forwards the packets to the next hop, which is my PIX, and from the PIX to my border router.
3- How would I define the trunk on the 4500 and 4006? I believe the same connection that I have between the 4500 and 4006, which is a fiber connection using the GBIC interfaces, can become the trunk link and I can have all VLANs allowed on that trunk. Correct?
4- How would I relate the conference room switches (they all need to be part of the conference room VLAN) with the 4006 (they currently have direct connections to the 4006)? I mean, should there be only one connection and that be a trunk link? I have 5 connections going from the 4006, one to each conference room for each switch.
Please, if you could elaborate a little on this, as I have not done this before (converting a flat network to VLANs like this) with no testing facility at my disposal.
1. Yes, create the VLANs on the 4500. I'm not totally clear about what you mean with users sitting in various locations in the same VLAN. Are you referring to having a user always be in the same VLAN no matter where they plug in their computer? If that is the case, you can do MAC-based VLANs. However, if you have a lot of users, this becomes an administrative nightmare having to enter in each MAC and VLAN mapping.
2. The router would be used as an inter-VLAN routing device. It will sit between those switches just as it is now, and it will determine if the traffic is local, and if it is local, which VLAN the destination is on. If the traffic is local, route it to the appropriate VLAN; if it's not local traffic, route it to the firewall (you can do this with a default to the firewall).
3. Yes, you can use the existing fiber link as the trunk. Just go into the interface and set it to a mode of trunk and an encapsulation of dot1q, on both sides of the link. You would then allow all the necessary VLANs on the trunk. By default all the VLANs will be allowed, and judging by the diagram, you probably wouldn't want to remove any of the VLANs.
4. If all the conference rooms are in the same VLAN, you wouldn't really need a trunk. You would only need the one connection to each switch. Just set the ports for the conference room switches on the 4006 to the VLAN you need and the ports on the conference room switches all to the same VLAN and you should be good to go.
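As an added example (not posted by anyone in this thread), here is the IOS configuration that carries out the four steps in the reply above, assuming all three switch models run IOS; the VTP domain name, interface numbers, VLAN numbers and names, and the IP addresses are assumptions, not values from the thread.

```cisco
! ---- 4500 on floor 1: core and VTP server; VLANs are created only here ----
vtp domain OFFICE
vtp mode server
vtp pruning
vlan 2
 name Floor1-Dept-A
vlan 100
 name ConfRooms
! fiber uplink to the 4006 on floor 2: dot1q trunk on both ends, all VLANs allowed by default
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
! link to the internal router: also a layer-2 trunk, so no IP address is configured on this port
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! ---- 4006 on floor 2: VTP client, learns the VLAN list from the 4500 ----
vtp domain OFFICE
vtp mode client
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
! the five conference-room switches all sit in VLAN 100: plain access ports, no trunk
interface range FastEthernet2/1 - 5
 switchport mode access
 switchport access vlan 100
!
! ---- 3825 internal router: one dot1q subinterface per VLAN, default route to the PIX ----
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.2
 encapsulation dot1q 2
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0.100
 encapsulation dot1q 100
 ip address 10.1.4.1 255.255.255.0
! inside address of the PIX is assumed to be 10.1.1.254, reachable on VLAN 2
ip route 0.0.0.0 0.0.0.0 10.1.1.254
```

One caveat before connecting any switch to this VTP domain: a switch whose VTP configuration revision number is higher than the server's will overwrite the server's VLAN database the moment it is trunked in, so change the VTP domain name on each client first (this resets its revision to 0) and confirm with `show vtp status`.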
Thanks very much for getting back to me. I guess it all makes sense and I will go ahead and try it. First, I create the VLANs on my 4500 with the appropriate subinterfaces on the router (or I don't need that?), one per VLAN. Second, I set the VTP mode to server on the 4500 and to client on the 4006 and conference switches, and define the trunk between the two core switches and on the router interface (I have two subnets, each connected to a separate physical Gi interface on the router), and this must do it.
I will let you know how it all goes.
I do have one final question before I actually move ahead with the implementation. I will follow as you suggested by creating all VLANs on the 4500 and making it a VTP server, with the other switches in VTP client mode.
Here is my question:
I create VLAN 2, 3, 4, 5, and 6, including VLAN 1, on the 4500 switch and make it the VTP server. I then create a trunk (existing fiber link through the GBIC interface to the CAT 4006 on floor 2) and connect this switch to the CAT 4006. On the router (the internal Cisco 3825 router) I am a little confused. I do have two subnets, 10.1.1.0/24 and 10.1.4.0/24, on the Gi0/0 and Gi0/1 interfaces of the router, and all the users/servers get IPs from the DHCP server from these two pools. Now, when I create the subinterfaces on the router, I want to do the following:
On Gi0/0, I create subinterfaces .1, .2, and .3 and give them IP addresses from 10.1.1.0/24, and on Gi0/1, I create subinterfaces .4, .5, and .6 and give them IP addresses from 10.1.4.0/24 - the subinterfaces refer to the VLAN numbers, i.e. Gi0/0.1 for VLAN 1 and Gi0/0.2 for VLAN 2 and so on.
Now, should I also give IP addresses to the two trunk links from the 4500 switch to the router's two Gi interfaces?
This is what I don't understand: I only have two subnets and two Gi interfaces on the router, so I don't know if I need an IP address at the switch side of the trunk between the 4500 switch and the router?
Am I missing something?
Also, do I need a trunk link between the CAT 4006 on floor 2 and the router too? Or will the trunk link between the 4500 and this CAT 4006 suffice?
I cannot test this, so I must get it right the first time, and this is why I am asking so many questions.
I really appreciate your help.