Re: Creating a "common" VLAN with 4006 and 2900XL switches

abehar · ‎11-22-2001

We have a B class network all over the building (1200 hosts) and I'm planning to isolate the network via Layer 2 Vlans. we need 18 Vlan's. We have 6 2900XL switches connected to a 4006 switch via 6 fiber ports (WS-X4306). We have the Router module (WS-X4232-L3) too.

The thing is that I need that 17 Vlans see a common vlan but don't see each other, I can't route because all the host are in the same subnet, and it is almost impossible to change the ip addresses. Can any of you point me in how to do this ? Can I configure private vlans and are supported in 2900XL switches ?. I even try bridges but you can only include a port channel interface in 1 bridge group. I 'll appreciate any help.

Thanks in Advance.

millerv · ‎11-30-2001

I think you will have to route.

What is the current subnet/mask scheme in place right now?

For a VLAN to "see" another vlan, they need to use layer 3. You can bridge them, but I think thats asking for trouble.

jchromcik · ‎11-30-2001

I have a similar setup to you in that I use a 4006 as my backbone and have 3500XL in all my wiring closets. I setup a management VLAN and the 4006 as well as all the 3500s. I currently have 5 vlans which have portchannel sub-interfaces on the 4006 router module as gateways. My connections between the 4006 and 3500s are gigabit fiber (gbic modules) on each end. I don't know if this helps it just what we did here.

abehar · ‎12-01-2001

The netmask we're using is 16 bit mask (255.255.0.0),actually my problem is I can't route because all the host are in the same subnet I configure a test environmenbt with C class networks and works just perfect but I can't change the ip addressing...any ideas ? I'm really in a hurry right now

Thanks for answer.

jchromcik · ‎12-01-2001

not sure what you mean by can't change the ip addressing....are you refering to the management ip of each device?

abehar · ‎12-03-2001

I mean the ip address on the hosts/servers in order to put a C class in each VLAN, I need to do it with the current subnet (16 bit) and segmentate the network via Layer 2 VLAN's

Thanks again for answer

Erick Bergquist · ‎12-03-2001

Hi,

This won't work unless you re-address your different VLAN segments and route between them.

If you create more VLANs and keep the same subnet on all the PCs then you would isolate the users and they would only be able to talk to those devices in their VLAN.

naveentk · ‎12-04-2001

Dear Abehar,

There is no use of just creating VLANs without subnetting your network.( I mean u hv to change the IP addresses with respect to the vlan.) In this case u can create only one subinterface in the L3 module which will again consider the whole n/w as a single n/w, bringing no use of vlan.

In short each vlan should be in different subnets.

milan.kulik · ‎12-06-2001

One idea:

Use Private VLANs (see

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/rel6_3/config/vlans.htm#xtocid2389310).

Put the servers to promiscuous port group (= common VLAN) and users to community port groups (17 VLANS). The problem is that private VLANs are not supported on 2900XL. It might work if you divide your 2900s to appropriate VLANs and connect each of them to a port on your 4006 which would be a member of the proper private community VLAN (I'm afraid there is not possible to use trunks to connect switches in this scenario.). But this solution would increase the number of lines connecting your switches. Another problem is that PVLAN switches on the BPDU guard and you would have to stop it with very careful STP loops handling.

I have not tested this scenario personally, it's just an idea I've got reading your problem description.

Regards,

Milan