Cisco Support Community
New Member

a flat vlan!

Hi, a customer of mine asked to segment his LAN using VLANs.

I want to create 4 VLANs distributed across the building floors. So, for example, on floor 1 VLANs 1 and 2 are present, on floor 2 VLANs 2 and 3 are present, and on the ground floor VLAN 4 is present (where I have the servers).

Each PC must talk ONLY with other PCs within the same VLAN and with the servers on VLAN 4. No communication between VLANs 1-2, 1-3, 2-3.

Another requirement is that I cannot change the PCs' IP addresses. So I cannot create a different IP subnet for each VLAN; all the VLANs must share the 10.1.0.0/16 network.

I'm using some Catalyst 3500XL at the wiring closets and a Catalyst 4006 at the core level. The uplinks are Gigabit fibre optic.

Any idea on how to do this job?

Thanks to all.

Andrea.

29 REPLIES
Cisco Employee

Re: a flat vlan!

If your customer doesn't want to re-address the PCs, then there is no way of doing this.

The reason is that a VLAN is by definition a virtual LAN that is one IP segment.

You also need a L3 device to route between the VLANs.

If you don't segment your IP block, then you can't route between the VLANs, and therefore you need bridging, which is the equivalent of not configuring VLANs.

New Member

Re: a flat vlan!

gdufour,

If the PCs of VLANs 1, 2 and 3 did not need to connect to the servers in VLAN 4, I think we could segment the network by using trunking, is that true?

Then suppose we put each server in all of VLANs 1, 2 and 3; I think that would be OK too. But I'm afraid a server cannot belong to many VLANs if we use trunking.

Is this true for all Cisco switches?

New Member

Re: a flat vlan!

PCs in VLANs 1, 2 and 3 need to connect to the servers in VLAN 4.

No, a single port can belong to a single VLAN.

Cisco Employee

Re: a flat vlan!

You can bridge between VLANs. But as I said before, if you do this, you get back to a flat topology, which is just more difficult to manage.

The reason to go to a VLAN design is to separate the broadcast domains. Therefore, you need re-addressing.

Your customer might be afraid of downtime due to this task. But if you can find a nice way to re-address all devices, it might be better than trying to find a solution with no re-addressing.

New Member

Re: a flat vlan!

Hello,

thanks for your messages.

No, the customer isn't afraid about downtime to change the IP addressing. The problem is that he has a COBOL application that works with MAC address references.

What about private VLANs?

Do you think they can help me?

Many thanks

New Member

Re: a flat vlan!

Hi,

First I just want to tell you that on a Catalyst 2900XL/3500XL you can assign a port to several VLANs. This allows you to have the same IP subnet for all your VLANs, and there would be a Layer 2 separation between the different VLANs, preventing communication between hosts even though they belong to the same subnet.

The overlapping-VLAN port (not a trunk port) can be connected to the server (or common resource) and communication can take place since the IP network is the same.

On the other hand, the private VLAN could also be an option. The users that you need to communicate with each other can be connected to community ports; they will be able to communicate with ports within the same community and with the promiscuous port (where your server should be connected).

You can create several community VLANs within the same primary VLAN and a single isolated VLAN where your server(s) will be positioned.

Hope I could be of some help.

Regards.

New Member

Re: a flat vlan!

Wassim, thanks for your post.

OK, the Catalyst 2900XL/3500XL support multi/overlapping VLANs, but my servers (or common resources) are connected to the Catalyst 4006 at the data center, which doesn't support multi/overlapping VLANs.

About PVLANs: if I'm not wrong, I believe that the Catalyst 2900XL/3500XL don't support community ports. My end users are connected to the 3500XL switches.

So the problem persists.

Many Thanks

Andrea.

Cisco Employee

Re: a flat vlan!

I think Wassim had a good point with the PVLAN.

BTW, how many devices are we talking about ?

How many PC and how many servers ?

New Member

Re: a flat vlan!

I'm new at this, but have you thought about dynamic VLANs with VTP pruning?

Re: a flat vlan!

Hi,

If you go along with the PVLAN suggestion, remember that VTP and PVLANs can't be configured together on the same switch. You also can't trunk PVLANs. At least this is the last I knew, but maybe things have changed in newer code releases.

New Member

Re: a flat vlan!

Hugginsa,

Yes, I have thought about it. OK for dynamic VLANs (but I can also assign VLANs based on port; it's not a problem because there isn't very frequent user mobility).

VTP pruning is another thing. It prevents sending VLAN traffic out over a trunk if that VLAN doesn't exist on the spoke (for example) switch.

Bye and thanks for your thinking!

New Member

Re: a flat vlan!

I'm talking about 400 PCs and 20 servers.

Cisco Employee

Re: a flat vlan!

And I suppose the PCs have a fixed IP address. No DHCP?

I still think you should re-address and use DHCP (except for the servers).

You could do this by keeping the server addresses.

Then you take a new range of addresses in the 10.x.0.0/16 and you start migrating one floor at a time. And I would go with DHCP, so next time your customer wants to change something, it's easier to manage.

Once a floor is migrated, it will be using a new VLAN and a new range of addresses.

A Layer 3 switch will route between the VLANs.

The floors that are still not migrated will still be in the same vlan as the servers.

At the end, all floors are migrated and only the servers are left in the initial VLAN.

You should not have much downtime by doing this.

New Member

Re: a flat vlan!

My problem is not downtime related to the changeover of IP addresses. Please see posts (1.1.2.1) and (1.1.2.1.2).

Bye

New Member

Re: a flat vlan!

Hi All

Has anyone got a web link for setting up PVLANs and communities?

Regards

New Member

Re: a flat vlan!

I'm sorry, there was a mistake.

The COBOL application works with the IP ADDRESS references.

Bye

Andrea.

New Member

Re: a flat vlan!

Can the 4006's Layer 3 features and subnetting be any help?

Your network 10.1.0.0/16 can be further subnetted into 10.1.X.0/24 - VLAN_X. That means 10.1.1.0/24 - VLAN 1, 10.1.2.0/24 - VLAN 2... and so forth.

Now at the Cat-4006 you configure inter-VLAN routing between 1-4, 2-4, 3-4 only.

Try it out!

New Member

Re: a flat vlan!

No, one requirement is to keep the current IP addresses on the PCs. So I cannot subnet.

Otherwise it is very simple ;-)

Bye

oz
New Member

Re: a flat vlan!

I had a similar problem and using NAT solved it for me.

As the other server just saw the one IP all the time and the firewall (whose name will not be mentioned, but you get the point) handled it all. I only had about 30 PCs.

But if the remote server needs to talk to specific machines based on IP and MAC, then it's a worry.

Oz

oz
New Member

Re: a flat vlan!

Not that I am the big bridging guru.

But can you not run a bridge from each floor to one server with 4 NICs, one for each bridge and another to the switch where all the servers are?

Then the ACL can keep the floors away from each other?

Oz

New Member

Re: a flat vlan!

Oz,

I cannot understand what you suggested.

What is the server's role?

Thanks

Andrea

oz
New Member

Re: a flat vlan!

The server is really just acting as a router,

just a point to aggregate all the traffic

using say gigabit NIC's

then the other NIC uplinks to the 4008

But the key here is that you now have all 3 VLANs at an IP level, so to speak.

So an ACL can control each VLAN.

but hey if you have windoze 2 k you can keep the users out via permissions ?????

Oz

New Member

Re: a flat vlan!

>the server is really just being a router

A router cannot have different interfaces on the same subnet.

>So ACL can control each VLAN

ACLs for 400 PCs, nooo!

Keep in mind that I don't have a hierarchical IP address assignment, so creating access-lists is very hard.

Also think about performance (uplinks are gigabit!).

Andrea
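The objection above (no hierarchical address assignment, so an access-list for 400 PCs becomes huge) can be checked with a few lines of code. The following is an added example, not code from the thread: it takes a constructed list of floor-to-host assignments, summarizes each floor into the smallest set of prefixes that covers exactly its hosts (so the ACL never over-matches a neighbouring address that belongs to another floor), generates the "each floor talks only to the servers" permit list, and counts the entries. The host lists, the 10.1.4.0/24 server range and the per-floor /24 design are assumptions for illustration. Note the caveat the thread itself raises: a filter on a router or firewall only sees this traffic if the floors are separated at Layer 2 first, because hosts in one /16 otherwise ARP for each other directly.

```python
"""Count the ACL entries needed to enforce 'each floor reaches only the
servers' for a flat, non-hierarchical address plan versus a per-floor /24 plan.
Added example; all addresses below are constructed sample data."""
import ipaddress

# Constructed: addresses handed out over time, floors scattered across 10.1.0.0/16.
FLAT_HOSTS = {
    "floor1": ["10.1.0.10", "10.1.7.22", "10.1.7.23", "10.1.7.24", "10.1.7.25", "10.1.44.3"],
    "floor2": ["10.1.0.11", "10.1.9.5", "10.1.130.200"],
    "floor3": ["10.1.0.12", "10.1.9.6", "10.1.201.1"],
}
# Constructed: the re-addressed design, one /24 per floor inside the same /16.
HIERARCHICAL_GROUPS = {
    "floor1": ["10.1.1.0/24"],
    "floor2": ["10.1.2.0/24"],
    "floor3": ["10.1.3.0/24"],
}
SERVERS = ipaddress.ip_network("10.1.4.0/24")  # assumed server range


def summarize(hosts):
    """Smallest set of prefixes that covers exactly these hosts.
    Adjacent addresses in the same floor merge (10.1.7.22-23 -> /31); an
    address whose neighbour belongs to another floor stays a /32."""
    nets = [ipaddress.ip_network(h + "/32") for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def flat_groups():
    """Per-floor prefix lists derived from the scattered host addresses."""
    return {floor: summarize(hosts) for floor, hosts in FLAT_HOSTS.items()}


def build_acl(groups, servers):
    """First-match list of (action, src_prefix, dst_prefix). Intra-floor
    traffic is assumed to stay on the floor's own segment and never reach
    the filter; the filter is stateless, so return traffic needs its own
    entry. An explicit deny-any-any closes the list."""
    acl = []
    for prefixes in groups.values():
        for p in prefixes:
            acl.append(("permit", p, str(servers)))
            acl.append(("permit", str(servers), p))
    acl.append(("deny", "0.0.0.0/0", "0.0.0.0/0"))
    return acl


def evaluate(acl, src, dst):
    """Apply the list to one packet the way a router ACL does: first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sp, dp in acl:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return action
    return "deny"


if __name__ == "__main__":
    for label, groups in (("flat", flat_groups()), ("hierarchical", HIERARCHICAL_GROUPS)):
        acl = build_acl(groups, SERVERS)
        print(f"{label:13} prefixes={sum(len(v) for v in groups.values()):3} entries={len(acl)}")
    acl = build_acl(flat_groups(), SERVERS)
    print("floor1 -> server:", evaluate(acl, "10.1.7.23", "10.1.4.10"))
    print("floor1 -> floor2:", evaluate(acl, "10.1.0.10", "10.1.0.11"))
```

With 12 scattered hosts the flat plan already needs 21 entries, and every new PC adds two more; the per-floor /24 plan stays at 7 entries regardless of how many PCs each floor has, which is the practical argument for re-addressing that the thread keeps coming back to.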

oz
New Member

Re: a flat vlan!

Well, it's not really routing per se, but with Win2K you can do some cool stuff without a router and still route.

Here is what I have on one of my test boxes in the lab:

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : 3Com 3C918 Integrated Fast Ethernet

Controller (3C905B-TX Compatible)

Physical Address. . . . . . . . . : 00-C0-4F-68-98-DC

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 216.254.100.15 ( blocked by my ISP but lets me terminal client into other pc's out side the firewall)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.1.1.114

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.1.1.2

DNS Servers . . . . . . . . . . . : 216.254.95.2

216.231.41.2

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast

Ethernet NIC

Physical Address. . . . . . . . . : 00-E0-7D-00-86-64

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.1.1.11

Subnet Mask . . . . . . . . . . . : 255.0.0.0

Default Gateway . . . . . . . . . : 10.1.1.2

DNS Servers . . . . . . . . . . . : 127.0.0.1

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Compaq NC3121 Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-08-C7-72-CF-B3

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.1.1.75

Subnet Mask . . . . . . . . . . . : 255.0.0.0

Default Gateway . . . . . . . . . : 10.1.2.1

DNS Servers . . . . . . . . . . . : 127.0.0.1

216.254.95.2

So you could have something similar and have each floor uplink to a NIC on the server, then have one or two more NICs uplinked to the 4008, and those two can do load balancing through windoze... I think (have to read up, but I am pretty sure you can).

The questions are.

1. Do you have budget to add more equipment ?

If no, then the multiple NICs are an answer, but you will have to rely on NT security to keep them out of each other.

2. To bridge is going to be hefty price-wise.

3. Once you write the ACLs they should not change that much... I have seen them with 700 lines, and as long as you write them clean and careful it's OK.

Don't forget you only have to permit a heap and the deny any any will take care of the rest

4. Who says you have to NAT at the end by the servers? You can NAT on each floor. Each floor has its own FW, and this would reduce it down to 100 or so PCs; no big deal there.

I understand about throughput, how much traffic is REALLY running across each floor ??

You can have firewall run 1 Gbps easily not cheaply (grin)

Just an FYI:

I have a customer who has about 50 Unix boxes blasting anywhere from 250 MB to 1 GB files all day across a Sparc box with 3 gigabit NICs and a 500 MHz or so CPU with a gig of RAM, and it handles it like a champ.

Oz

New Member

Re: a flat vlan!

Thanks Oz,

NAT is a good point, but as you know, I have about 400 PCs and 20 servers, so I don't want to use static NAT! Dynamic NAT (one-to-one) could be fine, but I'm afraid of the consequences that NAT can have on a Windows 2000 client/server network (that's what I have!). I'm referring e.g. to the domain authentication process (with Kerberos!), WINS and DNS name resolution, and so on.

Andrea.

oz
New Member

Re: a flat vlan!

I didn't say it would be easy (grin)

and I can do it on a Checkpoint box for sure.

But using a PIX and CSPM would be a worry ( frown)

I have a setup here in my lab where a customer comes through a double NAT (windoze 2K --> NAT Cpoint ---> my DSL --> internet <-- cable <-- modem NAT <-- Cpoint FW NAT -- host).

So it can be done..

I would look at WINS and see if you can dump it. You have DNS, so why bother with WINS? It's easier just to add a couple of hosts files if needed.

Oz

New Member

Re: a flat vlan!

I'm afraid of complexity (especially when troubleshooting).

I want to keep it as simple as possible. If it becomes more complicated, I prefer to tell my customer "sorry, it's not possible".

Also, performance is a point that we must respect. NAT is good for slow connections (Mb), but I think that, with gigabit connections, NAT could be a bottleneck.

Andrea

Cisco Employee

Re: a flat vlan!

If the servers are connected to Catalyst 3500XL series switches, you can use the Multi-VLAN concept on these switches and allow VLAN 1 to 4 traffic on the ports connected to the servers.

This way all VLANs can access the servers, but cannot do inter-VLAN communication. To learn about the Multi-VLAN concept, check this link:

http://www.cisco.com/warp/public/793/lan_switching/3.html#catalyst2935

Hope this helps
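Two posts in this thread (Wassim's, proposing either multi-VLAN ports or private VLANs with one community per floor and the server on a promiscuous port, and the multi-VLAN suggestion just above) rely on the same idea: keep one IP subnet and let the switch's Layer 2 forwarding rules decide who can reach whom. The following added example, not code from the thread or from Cisco, models those forwarding rules for one switch and checks the original requirement (a PC reaches its own floor and the servers, nothing else) against four designs: the flat VLAN as it is today, one VLAN per port with the servers in VLAN 4, the server on a multi-VLAN port, and a private VLAN. The port names, VLAN numbers and community names are constructed for illustration. The model deliberately ignores what the thread says about the platforms involved (the 3500XL has no community ports, the 4006 has no multi-VLAN ports, and PVLANs could not be trunked on that code), so it shows what each mechanism enforces, not that the customer's switches can do it.

```python
"""Which ports can exchange frames under plain VLANs, 2900XL/3500XL
multi-VLAN ports and private VLANs, checked against the requirement that a
PC reaches only its own floor and the servers. Added example; the port
table is constructed, not the customer's network."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    group: str                  # "floor1" | "floor2" | "floor3" | "server"
    vlans: frozenset            # plain VLAN ids, or the primary VLAN for PVLAN ports
    role: str = "normal"        # "normal" | "promiscuous" | "community" | "isolated"
    community: Optional[str] = None


def reachable(a: Port, b: Port) -> bool:
    """Forwarding rule of one switch. Plain and multi-VLAN ports exchange frames
    when they share a VLAN. Inside a private VLAN (same primary): a promiscuous
    port talks to everyone, a community port only to its own community or a
    promiscuous port, an isolated port only to a promiscuous port. A peer that
    is unreachable here never sees the ARP request, so the IP subnet can stay
    the same for everyone."""
    if a is b or not (a.vlans & b.vlans):
        return False
    if a.role == "normal" and b.role == "normal":
        return True
    if "normal" in (a.role, b.role):
        return False            # ordinary ports are not mixed into a primary VLAN here
    if "promiscuous" in (a.role, b.role):
        return True
    if a.role == b.role == "community":
        return a.community == b.community
    return False                # isolated<->isolated, isolated<->community


def wanted(a: Port, b: Port) -> bool:
    """The customer's policy: same floor, or either side is a server."""
    return a.group == b.group or "server" in (a.group, b.group)


def violations(ports: List[Port]) -> List[Tuple[str, str, bool]]:
    """Ordered pairs whose forwarding result differs from the policy;
    the bool is what the policy wanted (True = should reach, False = should not)."""
    return [(a.name, b.name, wanted(a, b))
            for a in ports for b in ports
            if a is not b and reachable(a, b) != wanted(a, b)]


def design_flat() -> List[Port]:
    """Everything in VLAN 1: the network as it is today."""
    v = frozenset({1})
    return [Port("pc1a", "floor1", v), Port("pc1b", "floor1", v),
            Port("pc2a", "floor2", v), Port("pc3a", "floor3", v),
            Port("srv", "server", v)]


def design_one_vlan_per_port() -> List[Port]:
    """One VLAN per floor, servers in VLAN 4, every port in exactly one VLAN
    (the 'a single port can belong to a single VLAN' reply)."""
    return [Port("pc1a", "floor1", frozenset({1})), Port("pc1b", "floor1", frozenset({1})),
            Port("pc2a", "floor2", frozenset({2})), Port("pc3a", "floor3", frozenset({3})),
            Port("srv", "server", frozenset({4}))]


def design_multi_vlan() -> List[Port]:
    """Same, but the server sits on a multi-VLAN port carrying VLANs 1 to 4."""
    return design_one_vlan_per_port()[:-1] + [Port("srv", "server", frozenset({1, 2, 3, 4}))]


def design_pvlan() -> List[Port]:
    """Primary VLAN 100, one community per floor, server on a promiscuous port."""
    p = frozenset({100})
    return [Port("pc1a", "floor1", p, "community", "f1"), Port("pc1b", "floor1", p, "community", "f1"),
            Port("pc2a", "floor2", p, "community", "f2"), Port("pc3a", "floor3", p, "community", "f3"),
            Port("srv", "server", p, "promiscuous")]


if __name__ == "__main__":
    for design in (design_flat, design_one_vlan_per_port, design_multi_vlan, design_pvlan):
        print(f"{design.__name__:24} violations: {violations(design())}")
```

Running it shows the flat design violating every cross-floor pair, the one-VLAN-per-port design cutting every PC off from the server (which is why trunking alone does not answer the question), and both the multi-VLAN and the private VLAN design satisfying the policy without touching a single IP address. The same port table can be extended with an isolated port to see that such a host reaches the promiscuous port and nothing else.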

New Member

Re: a flat vlan!

sshant,

the servers are connected to a catalyst 4006.

Thanks anyway.

Andrea.
