Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vlan/trunking or both?

Hi All,

We have two buildings A and B next to each other running 10gb fiber (ATT) between them. Building A CAT 3560 connects to building B CAT 3570 over this fiber cable. Building A has a T3 to internet for data and voice. There is a firewall with 3 interfaces, inside, outside, dmz1, and dmz2. There are CAT 3560 PoE switches and they connect to inside interface of the firewall in building A. The DMZ1 interface of the firewall is connected to a 3500xl. So, basically only building A can use this switch. We would like to retire this switch and we would like to have building B able to use the DMZ1 network as well. All traffic inside or dmz1 should go over the fiber between buildings.

So, my question is is possible to vlan a few ports on the CAT 3560 PoE on building A for DMZ1 and connect it to the DMZ1 of the firewall and then configure a few ports on CAT 3570 PoE for DMZ1 so we can have access to it on building B. I know it has to do something trunking on port 48 of the CAT3560 on building A and port 1 of CAT 3750 on building B.

Thanks advance for your time. if you have sample config that would be great.

Thanks,

4 REPLIES

Re: vlan/trunking or both?

Yes, you can do that. You would have to configure the firewall rules, ACL & NAT, for Building B (DMZ1) to send any traffic to inside and other zones through the firewall.

If I am understanding you correct you want to use the same 3560 switch to connect inside users and Building B connection. You can do this by putting the Building B connection in a separate VLAN in which DMZ1 of the firewall would reside. I don't know what your LAN setup looks like but you may need trunk(s) if multiple VLANs exists between switches.

A good security design recommendation is to use separate physical equipment for the different zones of a firewall. However, in your case I assume Building B is part of your trusted domain and you just want the traffic to flow through the firewall to setup some rules with access for Building B users it's OK to do it the way you suggested.

HTH

Sundar

New Member

Re: vlan/trunking or both?

Thank you Sundar for your respond. I greatly appreciated it.

I think i'm a bit wordy since I haven't done this before. Bascially, building A and B are on the same subnet (192.168.100.x) and on the same vlan 1. The physical link between these buildings is a fiber 10GB that we paid service monthly. This is a secured link because A building was our data center. The new B building is going to be our new data center. Our internet router and firewall are on building A because it is still our main demarc point. We just want to move servers over.

Business requirement is that visitors on building B have access to the internet in an isolate network separate from our production network.

I think the solution is I would like to create a Vlan2 (4 ports) on the CAT 3560 in building A. Then connect the firewall dmz1 port to this vlan2. Then, create a Vlan2 on the CAT 3570 (4 ports) on B buidling. However, I am not sure how to allow traffic VLAN1 and VLAN2 to ride over the 10GB link between building. Is this call trunking multiple vlans?

BLD A BLD B

CAT3560-----10GB FC---CAT3570

vlan1 vlan1

vlan2 vlan2

vlan1 secure network

vlan2 visitor network connect to firewall interface dmz1.

I hope this is more clear than my previous post.

Re: vlan/trunking or both?

from the topology given by u, i understand that vlan1 & vlan2 are spanned across switches in the 2 buildings. there has to be a trunk configured on ports of both switches conncted to 10g fiber link.

New Member

Re: vlan/trunking or both?

Thank you Narayana for your respond. I haven't had access to the config yet but I would like to anticipate it since this is something i would like to do research in advance. Can you just put an SC fiber cable between 2 switches without trunking and they will "talk" to each other? meaning all vlan1 and 2. Assuming trunking is configured, what additional steps should i be looking into?

Thanks

122
Views
0
Helpful
4
Replies