The vlan question is that I've 2x L2 3560s sitting behind a firewall connected to my core switch (4506). Behind this firewall, the 2x L2 switches (3560) are not configured with any vlan; there is only one network segment within it. The gateway for this network segment is at the firewall connected to one of these switches. Currently there isn't any vlan created on the L2 3560 switches (only switchport mode access and the default-gateway command are configured).
My question is: if I were to create a vlan (e.g. vlan 42) in the L2 3560 switches and assign all the switch ports (of course excluding the trunk between each switch) as vlan access ports in vlan 42, can the hosts in there still reach the hosts outside the firewall (currently it's working fine)?
Currently, the native vlan for the L3 4506 is vlan 10 and the L2 3560's native vlan is 1. Does that matter in this case?
As for the default-gateway command at the end of each edge switch's config, does that mean that whatever vlans are configured in the edge switch, the first gateway will always be that default-gateway on that particular switch before it's routed to other vlan interfaces?
You currently have all users in vlan 1 on your 3560s. VLAN 1 is the native vlan and for security reasons it should not be used at all. If you move your users to a different vlan (42) you will need to make sure you add it to your trunks. Also, you would need to do this during an outage window because moving your users from vlan 1 to 42 will cause an outage for your users.
Hi! Thanks for the reply. Need to check with you: why does changing the interface ports to vlan 42 cause an outage? I just need to add the new vlan and change all the access ports' vlan with the port range command. I believe that would be very fast, right? Even those access ports that do not have a vlan configured will still be able to reach the other vlans outside of the firewall, right? Unless I'm missing something here.
The trunk currently does not filter any vlan. Do I still need to specifically enable vlan 42 on the trunk?
If I understand your question correctly, you have two 3560 switches trunked to each other. One of the 3560 switches is connected to the FW. All switch ports, including the FW, are currently on Vlan 1. You have Layer 2 connectivity between devices on the switch and the FW. You want to move these ports to Vlan 42 and maintain connectivity.
You will need to make sure the port the FW is connected to is also changed to Vlan 42. You need to add Vlan 42 on the trunk between the 3560 switches. The native vlan on both sides of the trunks needs to match.
Also, the ip default-gateway command will not route traffic for Vlan 42. You need to create an SVI (Layer 3) interface for Vlan 42 in order to route off of that vlan:
interface vlan 42
ip address x.x.x.x y.y.y.y
The ip default-gateway command is used to set the gateway for the switch itself (to manage it) and does not affect user traffic.
Hi! Yes, your understanding of my setup is correct, but correct me if my understanding is wrong. I thought the ip default-gateway is used if it's a L2 device (I do not need that if I enable routing in the switch?) and not just for the management vlan. It's actually to forward traffic out for further routing if there's any?
As for the interface vlan xx command on a L2 switch, is it actually to enable remote management to that specific IP?
So, in my case do I really need to enable the L3 feature in the 3560 switches if I only have one vlan in both of these switches? I just want to be able to shut my vlan 1 and create a flat network of vlan 42 and still be able to route traffic out of the firewall, whose "WAN" port is connected to my core switches which have multiple SVIs configured. (The vlans in my core are different/separated from the vlan behind the FW.)
FYI: In the firewall itself I've 3 static routes:
src   dest              gw            metric  interface  Origin
any   10.71.50.208/29   N/A           0       WAN        Connected Route
any   10.71.1.0/24      N/A           0       LAN        Connected Route
any   default           10.71.50.209  100     WAN        static route
Please advise further. Thanks.
If you have a single VLAN and the FW will be routing for that VLAN, then no, you do not need to create an SVI for that VLAN.
The 'ip default-gateway' command is used when ip routing is disabled for connectivity to the switch itself. It is not used by host/user traffic.
If you enable routing, then you can manage the switch from any SVI you create on it, provided you have configured routes to the rest of your network statically or learned them dynamically via a routing protocol on the switch.
Hope this helps.
Hi! Thanks for the reply. So in summary, just to confirm: I can just turn on vlan 42 and assign it to all switch ports without affecting the users' connectivity to the resources in the core switch? Whatever native vlan I use will not affect the connectivity, and it doesn't matter whether I shut the vlan 1 interface or not in this case, right?
Are you talking about the Native VLAN on the trunk link between the 3560 switches? If so, then it does not matter what the Native VLAN is as long as it matches on both sides of the trunk and VLAN 42 is allowed on the trunk.
Are you using VLAN 1's Layer 3 interface to manage the switch?
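The steps from the two answers above (move the access ports and the firewall-facing port to VLAN 42, allow VLAN 42 on the inter-switch trunk, keep the native VLAN identical on both ends, leave routing to the firewall) as an added IOS example; this is not configuration from any poster in this thread. Interface numbers, the unused native VLAN 999 and the switch/firewall addresses inside 10.71.1.0/24 are assumptions.

```cisco
! Added example: moving the flat network from VLAN 1 to VLAN 42 on both 3560s.
! Gi0/48 as the inter-switch trunk, Gi0/1 as the firewall-facing port, VLAN 999
! and the addresses are assumptions, not taken from the poster's configuration.
!
! --- apply on BOTH 3560 switches, trunk first so VLAN 42 is carried before
! --- any access port is moved ---
vlan 42
 name USERS
vlan 999
 name NATIVE-UNUSED
!
! Trunk between the 3560s: VLAN 42 must be allowed and the native VLAN must
! match on both ends. An unused VLAN as native keeps VLAN 1 off the trunk.
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 42,999
!
! All access ports, including Gi0/1 where the firewall LAN interface sits,
! go into VLAN 42 (the trunk port is excluded from the range).
interface range GigabitEthernet0/1 - 47
 switchport mode access
 switchport access vlan 42
!
! Routing stays off: the firewall is the gateway for the hosts. The switch
! keeps one management SVI on VLAN 42; ip default-gateway is only used for
! traffic the switch itself originates (SSH, SNMP, syslog), not user traffic.
no ip routing
interface vlan 1
 shutdown
interface vlan 42
 ip address 10.71.1.2 255.255.255.0
 no shutdown
ip default-gateway 10.71.1.1
```

After the change, "show interfaces trunk" on each 3560 should list native VLAN 999 and VLAN 42 as allowed and active on Gi0/48, and "show vlan brief" should show no ports left in VLAN 1.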
Hi! No, from what I see from the config, although it's L3 capable, the routing is not turned on, so vlan 1 is L2 and there's an IP there just for management purposes. Thanks.
Dave, this guy has spent a considerable amount of time getting you to understand some networking basics, and all you can cough up is a 4 -- on only one post, no less?
Please go back and rate the posts accordingly.