I need to replace existing core switch 4506 running CatOS with a 4507R-E running IOS and keeping existing trunks to 3550 L2 switches. The challenge I have is that since current ip traffic flows under default Vlan1 (management on switches too as interface Vlan1 with respective ip address) and default gateway is set for the WAN router on the same Vlan and segment, I was asked to not only create and assign an interface loopback with a different ip address to the new 4507 but remove all ports and management to a different Vlan number to start releasing Vlan 1 on this switch. My concern is how to achieve that without affecting communication to 3550s switches forward and backward the main router. I am not sure if just with the statement native Vlan X...on each on the trunks to the 3550s could work since the L3 is within the same ip scope. The 3550s swithces should be replaced eventually in the near future, but at this time the core swith is the one affected.

For the new ip address on the loopback interface, I will have to set an static route in the WAN router to be able to reach this and in the future the rest of the switches since there is no routing protocol running on the deployment.

I really appreciate your advice.

Francisco de la Rosa

Hi Francisco,

To better understand your requirement it would be helpful if you can attach the scehmatic representation of the required network.To my understanding with the above thread you want vlan 1 to be removed from your network which is currently the path for traffic right now.

Can you calrify few things

Is your 4506 is connected to trunk with two 3500 switches ?

What are all the vlan configured in 3550?

Ganesh.H

Hello Francisco,

as Reza has noted removing user traffic from native Vlan is a good move and it is recommended for security reasons.

However, it is not possible to migrate in this way at IP subnet level.

Trying to use a loopback address with an address taken from current IP subnet in Vlan1 is not advisable.

You should simply move all user ports to a new vlan like vlan 100 for example.

The new vlan has to created both as a L2 object eventually propagated by VTP (if you use it) and at OSI layer3 as a switched virtual interface SVI vlan 100

config it

vlan 100

name newclient_vlan

exit

int Vlan 100

desc ip address in current ip subnet but not the same as the one used in WAN router

ip address 10.x.y.z

! important you need to unshut

no shut

!

Interface Vlan100 will be up/up when at least one L2 port (including L2 trunks) is in STP forwarding state for vlan  100 broadcast domain.

This is called autostate.

move ports in vlan 1 in vlan 100

interface gx/y

switchport

switchport mode access vlan 100

this has to be done also on the C3750 switches user ports

Vlan 100 has to be permitted on the trunk links on both sides

Also the port towards the WAN router has to be moved to vlan 100

In this case a new management Vlan with a separate IP subnet is recommended, user PCs have to be in a different subnet.

So I recommend to change also the management IP addresses of all devices in a new IP subnet for security and better control.

You can use vlan 300 for management Vlan for example.

In this way you can use ACL to avoid access to devices from client vlan 100.

Hope to help

Giuseppe Larosa