
Different VTP Server Domains

capajaron
Level 1

Hi:

I wanted to configure my 2 VTP Servers in different domains, but my problem now is how I will route my other domain's VLANs (CISCO2) to the main domain (CISCO1) as well as access the internet, because I only have one physical connection to my Gateway_Router, which is in the DOMAIN1 VTP Server, and DOMAIN2 will have to pass through DOMAIN1 before it can access the Gateway Router to have internet access.

Examples of my vlan config are listed below:

Just correct my configs if you've seen errors and if I missed some settings.

Gateway Router:

IP Add: 10.210.1.1 /24

ip route 10.210.2.0 255.255.255.0 10.210.1.254

ip route 10.210.3.0 255.255.255.0 10.210.1.254

ip route 10.210.4.0 255.255.255.0 10.210.1.253

ip route 10.210.5.0 255.255.255.0 10.210.1.253

CORE1_SWITCH1:(100%)

Domain: CISCO1

VLAN1 IP Add:10.210.1.254 /24

VLAN10 IP Add:10.210.2.254 /24

VLAN20 IP Add:10.210.3.254 /24

ip route 0.0.0.0 0.0.0.0 10.210.1.1

CORE2_SWITCH:

VLAN1 IP Add:10.210.1.253 /24

VLAN30 IP Add:10.210.4.254 /24

VLAN40 IP Add:10.210.5.254 /24

ip route 0.0.0.0 0.0.0.0 10.210.1.1

*My aim is to be able to have 2 different DOMAIN VLANs communicate and at the same time access the internet with only one physical connection to the gateway router.

Thanks

Cliff

8 Replies

Edison Ortiz
Hall of Fame

Cliff,

Please correct me if I'm wrong.

What you are trying to do is separating two subnets (10.210.2.0/24 and 10.210.3.0/24) - (10.210.4.0/24 and 10.210.5.0/24) routing-wise, correct?

Well, you need to implement ACLs on each SVI blocking the traffic from the other networks and allowing the rest.

For instance on Core1

access-list 1 deny 10.210.4.0 0.0.1.255

access-list 1 permit any

interface vlan10

ip access-group 1 in

interface vlan20

ip access-group 1 in

Core2

access-list 1 deny 10.210.2.0 0.0.1.255

access-list 1 permit any

interface vlan30

ip access-group 1 in

interface vlan40

ip access-group 1 in

VLAN1 is the transit network and you shouldn't be concerned about ACLs there. You can connect the gateway to either core switch and it should be pingable from either core since both have VLAN1 on their VTP database.

Hi,

Thanks for the advice. I wanted all VLANs (VLAN10-VLAN40) to communicate within my Corp LAN and at the same time access the internet through my Gateway_Router.

I can make all VLANs in CORE1_Switch access the internet and communicate within the LAN, but I'm not sure about the CORE2_Switch, which is in a different VTP domain. My goal now is how I will connect my CORE2_Switch (VTP Server2) VLANs to CORE1_Switch (VTP Server1) and at the same time access the internet.

I have attached a sample of my network setup just for you to have more details regarding my problem.

Thanks

cliff

What's the reason you are running two different VTP domains?

I recommend matching the domain names so you can share layer2 VLAN information.

However, if you want to keep it this way, your configuration should work as I suggested before but remove the ACLs. VLAN1 Layer3 will become the transit VLAN between the networks.

hi ed:

With regards to your question, it's because of some reasons:

1. I don't want my VTP_Server1 to take all the switching and VLAN jobs, because I'm worried about the switch CPU utilization issue.

2. I want to take advantage of the VTP_Server2 switch features, because both VTP_Server1 and VTP_Server2 are Cisco 3750 stack switches connected with fiber about 80-100 meters apart (separate cabling rooms); that's why I feel it's a waste to ignore its capabilities if I just configure Server2 as a client switch.

3. My design is to configure VTP_Server1 to manage Workgroup 1 (100% data), about 150 hosts, and VTP_Server2 to manage Workgroup 2 (100% VoIP), about 150 hosts.

And just for clarification, will the configuration in my post work if I implement the 2-domain network design?

And before I forget, thank you very much for the advice, it really helps me a lot.

Thanks a lot

cliff

Cliff,

Yes, your configuration will work. Just make sure to configure the uplink port between the switches as

switchport mode access

switchport access vlan 1

----

Please rate helpful posts.

Thanks

hi ed:

Currently those links are set to desirable; should I still change them to access mode, or just leave them unchanged?

And if I set the links between both switches to trunk mode, will it still work?

And how does it affect the operation of our VoIP applications?

thanks

cliff

Cliff,

Why would you trunk the ports? The only common VLAN between the 2 switches is VLAN1.

It's my preference to force the mode for its need. If the port only transmits one VLAN, set it to 'mode access'; for multiple VLANs, set it to 'mode trunk'.

It shouldn't affect your VoIP apps.

----

Please rate helpful posts.

Thanks

Hi Cap,

By default, domain 1 VLAN users are not able to communicate with domain 2 VLAN users, as the domain name varies. Since you specified the ip route command saying that domain 2 VLAN users should access the internet, which is connected in a domain 1 VLAN, it works, but if you specify it like that, domain 1 VLAN users can communicate with domain 2 VLAN users. If you want to avoid that, just put an access list in the domain 1 VLAN switch stating to permit only domain 2 VLAN users to access the internet, so that it will never allow domain 2 VLAN users to access other VLANs in domain 1.

Hope you understood & that this helps.

Rate this post, please; get back for more clarification.
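To check what the ACLs proposed in this thread actually match, here is an added example (not from the thread or any Cisco tool) that evaluates Cisco wildcard-mask entries with first-match and implicit-deny semantics. It encodes Edison's ACL 1 for Core1/Core2 and a constructed extended ACL for the last reply's idea (domain 2 hosts permitted only to the gateway 10.210.1.1, an assumption about how that list would be written); interface direction is not modelled.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access-control entry. A standard ACL leaves dst as 'any'."""
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # 'any'


def evaluate(acl: list, src: str, dst: str = "0.0.0.0") -> str:
    """First matching entry wins; an unmatched packet hits the implicit 'deny any'."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def covered_subnets(base: str, wildcard: str) -> list:
    """List the /24s a wildcard entry spans; shows 0.0.1.255 == /23, i.e. two /24s.
    Assumes a contiguous wildcard (the usual case, as in this thread)."""
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    net = ipaddress.IPv4Network((base, prefix), strict=False)
    return [str(n) for n in net.subnets(new_prefix=24)] if prefix <= 24 else [str(net)]


ANY = ("0.0.0.0", "255.255.255.255")

# ACL 1 as given in the thread for Core1 and Core2 (standard ACLs, source only).
CORE1_ACL1 = [Ace("deny", "10.210.4.0", "0.0.1.255"), Ace("permit", *ANY)]
CORE2_ACL1 = [Ace("deny", "10.210.2.0", "0.0.1.255"), Ace("permit", *ANY)]

# Constructed extended ACL for the last reply's suggestion: Core2 hosts may reach
# only the gateway; anything else falls through to the implicit deny.
GATEWAY_ONLY = [Ace("permit", "10.210.4.0", "0.0.1.255", "10.210.1.1", "0.0.0.0")]

if __name__ == "__main__":
    print(covered_subnets("10.210.4.0", "0.0.1.255"))  # ['10.210.4.0/24', '10.210.5.0/24']
    for s in ("10.210.4.10", "10.210.5.7", "10.210.2.3", "10.210.6.1"):
        print(s, "->", evaluate(CORE1_ACL1, s))
```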