I was assigned to a project that is a little out of my domain, so coming here for some help.
A client would like to set up a LAN wherein one segment is sanctioned for workgroup clients and the second segment is used for servers (DHCP, DNS, AD, etc).
They would prefer that this is done with two 2960s, in which one is split into two VLANs, and the other is used for the physical connections to the client segment.
From my knowledge, I think that this cannot be done - for example, if a client physically connects to the first 2960 (which is connected to a port set to VLAN 20 - the client VLAN), it cannot communicate with VLAN 10 (where the DHCP server resides) unless there is a router operating in a one-armed mode connected to that same 2960. My suggestion was to replace that 2960 with a layer-3 switch like the 3560, so that clients connecting to the first 2960 can communicate with the server segment. Is this a good idea?
Or, am I missing something and can you have two segments communicating with no problems with only the use of VLANs on a single 2960?
Hopefully the questions were clear. Any advice would be appreciated, and I can answer questions to clarify my situation. Thanks.
You need a router to connect two or more VLANs together.
The big questions are...
How is traffic going across the VLANs?
Why do they need two VLANs?
What sort of budget are they after?
Looking at this purely from a solution whereas you have a site with 2 or more VLANs, at the end of the day, the Layer 3 switch idea is by far the best idea. The only exception to that is if you have 2-3 VLANs with firewalling between them.
But looking at this, it seems the customer wants firewalling between the servers and the clients. Why?
There are merits with this idea, but is it really necessary? I can see a few headaches stemming from this idea?
Well, first I'd like to thank the above three people for giving advice and confirming my thoughts.
Some newer information is that they want a FortiGate on the perimeter of the network, filtering all traffic in and out of the network, as well as between the VLANs.
That said, it seems to me that I can split the server-connected 2960 into VLANs 10 (for the server segment) and 20 (for clients and a few other devices), have the second 2960 fully set to VLAN 20, and send an 802.1Q trunk to the FortiGate from the two-VLAN switch to have it do the switching between VLANs.
To answer L.Druett's questions:
1. All DNS resolution, DHCP, AD, printing, virus-checking and patching to clients, as well as all security reporting (client computer inventories, monitoring, etc) will be going across VLANs.
2. That is a good question, and as I was just brought into this project I don't have enough information yet. I was only told that the client definitely wants them on two different segments, and already decided on two 2960s.
3. Cheap, cheap, cheap. As I understand, we started with a planned budget that included a 3560 and a higher model FortiGate, as well as a separate plan for the web filtering to offload the FortiGate a little, but they cut costs a lot, and insist on going for smaller models, and so chose a 2960 to replace the 3560.
I'm liking the idea to use a 48-port, but need to find out more about the intended physical locations of the switches.
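The two-switch layout described in the post above, written out as a constructed Cisco IOS configuration (an added example, not config from anyone in this thread). It assumes Gigabit-port 2960s, that Gi0/1 on the two-VLAN switch is the 802.1Q trunk to the FortiGate and Gi0/2 the trunk to the second switch, and uses an otherwise unused VLAN 99 as the trunk native VLAN so untagged frames on the trunks never land in VLAN 10 or 20; port numbers and VLAN names are assumptions.

```cisco
! SW-CORE (assumed name): the 2960 split into VLAN 10 (servers) and VLAN 20 (clients)
hostname SW-CORE
vlan 10
 name SERVERS
vlan 20
 name CLIENTS
vlan 99
 name NATIVE-UNUSED
! Server ports: plain access ports in VLAN 10
interface range GigabitEthernet0/3 - 12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
! Clients and other devices on this switch: access ports in VLAN 20
interface range GigabitEthernet0/13 - 24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
! Trunk to the FortiGate, which routes and filters between VLAN 10 and 20
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
! Trunk to the second 2960: only VLAN 20 needs to cross it
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 20
 switchport nonegotiate
!
! SW-ACCESS (assumed name): every client port in VLAN 20, one trunk back to SW-CORE
hostname SW-ACCESS
vlan 20
 name CLIENTS
vlan 99
 name NATIVE-UNUSED
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 20
 switchport nonegotiate
```

Because both 2960s are layer 2 only, the FortiGate needs a tagged sub-interface for each of VLAN 10 and 20 on the port facing Gi0/1, and the VLAN 20 sub-interface must relay DHCP to the server in VLAN 10 (the switches cannot do this themselves). The FortiGate policy then has to explicitly permit the DHCP, DNS, AD and management traffic listed in point 1 between the two VLANs.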