New Member

VLAN help needed . . . !!!

I am new to VLANs, so I would like to have suggestions from you people.

I have a 10 MB Internet link >> connected to a firewall >> connected to an L3 switch >> there are about 40 L2 switches beneath this L3 switch, with no STP, as the physical design itself was not done for switch-to-switch redundancy.

And for your information, I have a Windows DHCP server which assigns IPs to the clients. As of now I haven't created any VLANs. My clarifications are:

1>> How can I create VLANs here? Do I need to create the same in the L3 switch?

2>> If I am assigning different subnets to different VLANs, how would the clients get an IP from DHCP?

3>> If possible, can anyone here provide some basic configuration to give me the idea?

Thanks in Advance,

Max

  • LAN Switching and Routing
Blue

Re: VLAN help needed . . . !!!

Max:

When you need to create a new VLAN, these are the things you have to do:

1.) On the L2 switch, create the VLAN and give it a name (the name is optional).

vlan 10
 name management_vlan

2.) Add the new VLAN to the existing trunk that faces the L3 switch:

interface gi1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4,10
 switchport mode trunk

3.) On the L3 switch, allow the VLAN on the trunk port, create the VLAN and give it a name (the name is optional).

vlan 10
 name management_vlan

Then add the VLAN to the trunk that faces the L2 switch:

interface gi1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4,10
 switchport mode trunk

4.) On the L3 switch, create the routed L3 interface (SVI) for that new VLAN:

interface vlan 10
 ! .1 is a host address in 10.10.10.0/24; the network address .0 cannot be assigned
 ip address 10.10.10.1 255.255.255.0
 no shutdown

These are the basic steps you need to perform.

As far as DHCP is concerned, if the DHCP server sits on another subnet, then you must configure the IP helper address under the routed SVI interface:

interface vlan 10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.50.5   <--- ADDRESS OF DHCP SERVER
 no shutdown

Remember that DHCP clients send out an L3 and L2 broadcast known as a DHCPDISCOVER. The router, by default, will not forward broadcasts, so you need the IP helper address to forward the DHCP client's message to the DHCP server.

HTH

Feel free to come back for more info.

Please rate all helpful posts.

Victor
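The four steps above create the VLAN, the trunk and the SVI, but they do not show the access ports that actually put a client into the VLAN. The following is an added, complete access-switch configuration for those steps; it is an example written for this page, not configuration from Victor's answer or from Max's network. VLAN 10 and the uplink gi1/0/1 come from the post; the user VLAN 20, the user ports gi1/0/2-24, the unused native VLAN 999, the access switch's management address 10.10.10.11 and the L3 switch's SVI address 10.10.10.1 are assumptions. The trunk hardening (nonegotiate, unused native VLAN, restricted allowed list) and DHCP snooping are additions a security engineer would make alongside the steps. The syntax is Catalyst 3560/3750-style IOS, where `switchport trunk encapsulation dot1q` is required before `switchport mode trunk`.

```cisco
! Access switch (L2). Added example; VLAN 10 and uplink gi1/0/1 follow the
! post above. VLAN 20, the port ranges, native VLAN 999 and the management
! addresses are assumptions.
vlan 10
 name management_vlan
vlan 20
 name users_vlan
vlan 999
 name unused_native
!
! Uplink to the L3 switch: one 802.1Q trunk carrying only the VLANs needed.
! An unused native VLAN plus nonegotiate (DTP off) means a user port cannot
! negotiate itself into a trunk and untagged frames never land in a user VLAN.
interface gi1/0/1
 description Uplink to L3 switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! User-facing ports: static access ports in VLAN 20. The post's steps create
! the VLAN and the trunk; this is the step that puts a client into the VLAN.
interface range gi1/0/2 - 24
 description User ports
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! Management SVI so the access switch is reachable in VLAN 10. The L3
! switch's SVI 10.10.10.1 (from step 4 above) is the default gateway.
interface vlan 10
 ip address 10.10.10.11 255.255.255.0
 no shutdown
ip default-gateway 10.10.10.1
!
! DHCP snooping: DHCPOFFER/ACK are accepted only on the trusted uplink, so a
! rogue DHCP server on a user port cannot answer the DHCPDISCOVER described
! in the post. Option 82 insertion is disabled so the L3 switch's relay does
! not drop the snooped packets (it rejects option 82 with giaddr 0 by default).
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
interface gi1/0/1
 ip dhcp snooping trust
```

On the switch, `show interfaces trunk` should list gi1/0/1 with native VLAN 999 and allowed VLANs 10,20, and `show ip dhcp snooping binding` fills with one entry per client once leases are handed out through the uplink.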

New Member

Re: VLAN help needed . . . !!!

Hi Victor,

You explained a lot, and thanks...

If the DHCP server sits on another subnet, then we use the IP helper address under the interface.

If we have many subnets, like switch#1 10.28.1.5, switch#2 10.28.2.5, switch#3 10.28.3.5,

and I assigned the IP helper address 10.28.2.55 (address of the DHCP server),

then how can it recognise the different subnets, as different switches have them?

Regards,

Naidu.

Blue

Re: VLAN help needed . . . !!!

Naidu:

"Then how can it recognise the different subnets, as different switches have them?"

I'm not sure I understand the question.

You configure a helper address on the L3 switch, under the SVI, for each VLAN that requires DHCP services. If the DHCP server sits on a different subnet than the SVI interface, you need the helper address to forward the DHCP traffic.

Subnet 10.28.2.0/24 will not need the helper address configured on it, because the DHCP server sits on the same subnet as the SVI interface. Therefore, the L2 broadcast will reach the server on its own, without the help of the SVI.

I hope I answered your question.

Please rate all helpful posts.

Victor

New Member

Re: VLAN help needed . . . !!!

Hi Victor,

I am very happy with the way you have responded. Thanks a lot. But, being a newbie in LAN, I would like to put some more queries in front of you.

1>> If my network is divided into subnets as follows (assuming my plan), 10.45.25.1/24, 10.45.26.1/24, 10.45.27.1/24, 10.45.28.1/24, assigned to 4 different VLANs, how is the configuration applied? Do I need to create different scopes in the DHCP server? Please let me know, with the subnets provided, as an example...

2>> And I need to configure it in such a way that people will be able to access resources between VLANs. How can I go about it?

3>> And suppose I have a /24 and all the clients are using the Internet; how can I limit that to only 10 users (for Internet access in that VLAN)?

Internet access being my main end application, I don't want all my end users eating my bandwidth and my boss complaining about that to me...

4>> Do I need to make any changes in my firewall or in the router related to VLANs??? I don't think it is necessary, as I have an L3 switch.

Please do help me by suggesting on the above queries...

Thanks a lot,

Max

Blue

Re: VLAN help needed . . . !!!

Hi, Max:

1.) You would create a DHCP scope for each subnet defined on your switch. A VLAN can have more than one subnet, but it is a best practice to try to keep it a 1-to-1 configuration.

interface vlan 10
 ! /23 covers 10.10.0.0-10.10.1.255; .1 is a usable host address, .0 is not
 ip address 10.10.0.1 255.255.254.0

This VLAN has two Class "C" subnets:

10.10.0.0/24

10.10.1.0/24

2.) When you create routed VLAN interfaces (SVIs) on an L3 switch with "ip routing" configured, each VLAN will be a "directly connected" route. So, the L3 switch will forward all inter-VLAN traffic naturally.

If those VLANs need to communicate with hosts on other parts of your enterprise network, you would run a routing protocol on the interface under the routing process.

ex:

router ospf 1
 ! host wildcard 0.0.0.0 matches exactly the SVI address and puts that interface into OSPF
 network 10.45.27.1 0.0.0.0 area 0
 network 10.45.28.1 0.0.0.0 area 0

3.) I don't think that is possible, quite frankly. Theoretically, you can create a policy on your Internet router or firewall that only NATs traffic from some source addresses and not others. You can do that using access-lists and route maps. But that isn't really a solution, because you will have to define the exact host addresses that will be NATed.

ex:

! only sources permitted by list 10 are translated; everything else is not NATed
ip nat inside source list 10 interface s1/0 overload

access-list 10 permit 10.45.27.3
access-list 10 permit 10.45.27.4
access-list 10 permit 10.45.27.5
access-list 10 permit 10.45.28.3
access-list 10 permit 10.45.28.4

etc...

You could summarize the wildcard masks, but I presented it this way to make it clearer to you.

This is an unorthodox solution, to say the least.

4.) Who is performing the NAT/PAT for Internet-bound traffic, the router or the firewall?

HTH

Please rate all helpful posts.

Victor

New Member

Re: VLAN help needed . . . !!!

Hi Victor,

As you mentioned above,

1>> What do you mean by "creating a DHCP scope for each subnet defined on the switch"? I am using a Microsoft DHCP server in my LAN.

2>> And as of now my internal servers, such as FTP, anti-virus, DHCP and the WLAN controller, are connected to ports on the same core switch. Can I place them in a separate VLAN? Does this have any impact on my existing network? Or is it OK if I leave them connected to my core switch?

3>> And as you asked about where my NAT is being done: it's being taken care of by my SonicWall NSA 2400, which is between my router and the L3 switch.

Any Suggestions !!!

Rgds,

Max

Blue

Re: VLAN help needed . . . !!!

Max:

Have you ever configured a DHCP server before?

Each subnet uses a "scope" of IP addresses - a pool. When a client requests an IP address from the server, it takes it from the pool. You need to have a DHCP server agent running on the Microsoft box, something like QIP, for example.

2.) I recommend you place all your servers in a server VLAN and do not connect them directly into the core switch. In theory, and I stress, IN THEORY, the network should be segmented loosely as follows:

CAMPUS (Users) MODULE:

L2 access switches

L3 distribution switches

SERVER FARM MODULE:

L2 access switches

L3 distribution layer

DATA CENTER EDGE MODULE:

WAN edge routers

Edge distribution layer

Each module gets connected to the core switches using routed connections.

3.) OK, so your firewall does the NATing, fine. I imagine it has a default route that points to the Internet router's HSRP VIP - or something like that. I don't know what your NAT statement looks like, but you have to make sure that the new subnets are going to be NATed to the public IP address that you will use for Internet traffic.

HTH

Please rate all helpful posts.

Victor

New Member

Re: VLAN help needed . . . !!!

Hi Victor & everybody in the forum,

Let me clear up your doubts about my network; I have attached the details in the text document. Just let me know how I can configure and design my network according to the existing IP scheme, which I don't want to change.

And Victor, thanks for your earlier replies too; they were very informative, but I still have some clarifications.

I have also attached my router configuration, modified according to the forum rules.

Thanks,

Max

***************************************

I have 2 2Mb leased lines which I have clubbed into a multilink and given the first available public IP on my FastEthernet port.

The next available public IP is on the router, where the router is taking care of NAT.

My firewall LAN port is given the IP 10.45.1.1/16.

The firewall LAN port is connected to one of the ports of my L3 switch (24 ports) with 4 GBIC shared ports.

The above-mentioned L3 switch has some access switches (8 in number) connected, along with my WLAN controller, DHCP server, FTP server, anti-virus server and a couple of free ports.

There are 2 other buildings in the campus connected over fibre to the GBIC ports of the L3 switch.

My devices have the following IPs allotted...

L3 Switch - 10.45.10.1/16

WLAN Controller - 10.45.10.2/16

DHCP Server - 10.45.10.2/16

FTP Server - 10.45.10.6

My Access Switches - 10.45.10.21 onwards to 10.45.10.68 (43 L3 switches)

The IPs given to the L3 and L2 switches are for management purposes and serve NMS functionality.

So far I have not created any VLANs...

**************************************

I would like to know: what is the best configuration I can do on the above setup???

And a very important factor: there is no redundancy between switches and no scope for STP. We have redundant cables for all the uplinks between the switches.

**************************************

My DHCP is configured with the static address 10.45.10.5, with scope range 10.45.20.1 - 10.45.255.254.

So, do I need to create a separate scope for the below-mentioned subnets as per VLAN?

**************************************

I may need to create some 20 to 25 VLANs according to the different departments...

Suppose there are four departments:

Finance, Management, IT, R&D, Guests.

Finance - as VLAN 10 with VLAN IP address 10.45.20.1, and I want the users for this particular VLAN to be allotted IPs between 10.45.20.2 - 10.45.20.254, so do I need to create a scope for this in DHCP... How does this work???

R&D - as VLAN 20 with VLAN IP address 10.45.21.1, and I want the users for this particular VLAN to be allotted IPs between 10.45.21.2 - 10.45.21.254, so do I need to create another scope for this in DHCP...

What I understand from your earlier posts is that when I create VLAN 10, I need to assign the IP helper 10.45.10.5 (which is the DHCP server) under that VLAN so that the nodes connected to a switch port in VLAN 10 automatically get an IP within that particular range, 10.45.20.2 onwards as per my scenario.

How does a single host in VLAN 10 on some particular port access a local server in VLAN 20; what config needs to be done? Does the config need to be done on the access switch or on the core switch (L3 switch)? I assume this will be done through inter-VLAN routing on the L3 switch!!!

*************************************

And do I need to create any default route towards the firewall???

ip route 0.0.0.0 0.0.0.0 10.45.1.1   (where 10.45.1.1 is my firewall LAN port, which is connected to my L3 switch)

And do any routes need to be added in the L3 switch for inter-VLAN routing?

*************************************

PLEASE DO CLARIFY THE ABOVE. I regret writing so much, but I find the forum here so helpful that I cannot restrict myself from adding points to it.

Thanks & Regards,

Max
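The post above asks for the L3 switch side of the design: SVIs for VLAN 10 (Finance, 10.45.20.0/24) and VLAN 20 (R&D, 10.45.21.0/24), the helper address pointing at the DHCP server 10.45.10.5, inter-VLAN routing and the default route to the firewall at 10.45.1.1. It also repeats the scope question that Victor's earlier helper-address answer covers. The following core-switch configuration is an added example written for this page, not configuration from any post in the thread, and it serves both passages. It takes the VLAN numbers, subnets, DHCP server and firewall address from Max's post; the firewall-link VLAN 2 with the switch at 10.45.1.2, the guest VLAN 30 on 10.45.22.0/24, the server VLAN 100, native VLAN 999 and the interface names are assumptions. One design caveat that follows from the addressing in the post: the existing devices use /16 masks, and a 10.45.0.0/16 subnet cannot coexist on the same L3 switch with /24 subnets carved out of it (IOS rejects the overlap), so the example assumes the existing servers, switches and firewall keep their addresses but narrow their masks to /24.

```cisco
! L3 core switch. Added example for the scenario in the post above. The
! subnets 10.45.20.0/24 and 10.45.21.0/24, DHCP server 10.45.10.5 and the
! firewall 10.45.1.1 come from the post; VLANs 2, 30, 100, 999, the
! addresses 10.45.1.2 and 10.45.22.0/24 and the port names are assumptions.
ip routing
!
vlan 2
 name firewall_link
vlan 10
 name finance
vlan 20
 name rnd
vlan 30
 name guests
vlan 100
 name servers
vlan 999
 name unused_native
!
! Link to the SonicWall LAN port (10.45.1.1), now in its own /24.
interface vlan 2
 ip address 10.45.1.2 255.255.255.0
 no shutdown
interface gi0/1
 description SonicWall LAN port
 switchport mode access
 switchport access vlan 2
!
! Server/management VLAN. The DHCP server 10.45.10.5 is directly attached
! here, so this SVI needs no helper address. Existing devices keep their
! 10.45.10.x addresses; only the mask narrows from /16 to /24.
interface vlan 100
 ip address 10.45.10.1 255.255.255.0
 no shutdown
!
! User VLANs: each SVI is the default gateway for its /24 and relays DHCP.
! The relay rewrites the broadcast DHCPDISCOVER into a unicast to 10.45.10.5
! and puts the SVI address into the giaddr field; the Windows server matches
! giaddr against its scopes, which is how it tells VLAN 10 clients from
! VLAN 20 clients. One scope per subnet is therefore required:
! 10.45.20.0/24 for VLAN 10, 10.45.21.0/24 for VLAN 20, 10.45.22.0/24 for VLAN 30.
interface vlan 10
 ip address 10.45.20.1 255.255.255.0
 ip helper-address 10.45.10.5
 no shutdown
interface vlan 20
 ip address 10.45.21.1 255.255.255.0
 ip helper-address 10.45.10.5
 no shutdown
interface vlan 30
 ip address 10.45.22.1 255.255.255.0
 ip helper-address 10.45.10.5
 ip access-group GUEST_IN in
 no shutdown
!
! Inter-VLAN routing needs no static routes: every SVI subnet is a connected
! route. Only Internet-bound traffic needs the default route to the firewall.
ip route 0.0.0.0 0.0.0.0 10.45.1.1
!
! Guests may obtain a DHCP lease and reach the Internet, but nothing else in
! 10.45.0.0/16 (servers, finance, R&D, switch management).
ip access-list extended GUEST_IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.45.0.0 0.0.255.255
 permit ip any any
!
! Trunks toward the access switches carry only the user VLANs, never VLAN 2
! or the server VLAN, so a user port cannot reach the firewall link at L2.
interface range gi0/2 - 9
 description Uplinks to access switches
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
```

The firewall side follows from the same addressing and is the change Victor hinted at: the SonicWall LAN port needs a /24 mask, a route for each new user subnet (10.45.20.0/24, 10.45.21.0/24, 10.45.22.0/24) via 10.45.1.2, and a NAT policy that includes those subnets; otherwise return traffic from the Internet has no path back into the VLANs. On the core switch, `show ip route` should list each SVI subnet as a C (connected) route and the 0.0.0.0/0 static toward 10.45.1.1, and `show ip interface vlan 10` should show the helper address under "Helper address is".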

New Member

Re: VLAN help needed . . . !!!

Hi everybody,

The above-mentioned string "43 L3 switches",

that is 43 L2 switches instead.

Regds,

Max
