
Another vLAN question


Deepseadata

Technical User
Jul 10, 2008
Hey sorry about this.. I've searched but didn't find what I was looking for.

2801 router -- 3560 switch

I've got to make a dozen VLANs

vlan 50 192.168.50.0 ADMIN
vlan 51 192.168.51.0 VOICE
vlan 52 192.168.52.0 CCTV
vlan 53 192.168.53.0 GUEST
etc,

Before I start laying down the framework I need to understand the difference between VLAN 1 (Cisco's admin) and VLAN 50 (my created admin VLAN).

I set up VLAN 50 so I could include all the IPs in that subnet for the switch, router, an SBS server, and all my access points (that have multiple SSIDs).

I can't seem to get my head around how it should be designed. Do I just forget VLAN 50 because VLAN 1 is already there, or do I just forget about VLAN 1 and continue with the VLAN 50 idea?

Could someone please have a look at my diagram and see if I have it designed right?




 
Hello
VLAN 1 is used for some of Cisco's internal protocols. Cisco also uses this by default to manage the switch. But at the same time they recommend not to use it for security reasons. So what you intend to do is good practice.

Regards
 
Yes---forget about VLAN 1 and use VLAN 50. You create SVIs for all the VLANs in the 3560. I will look at the picture later...

Burt
 
But now I get confused by the native VLAN thing. What I read is that the native VLAN is the catch-all for stuff that isn't attached/labelled to a VLAN.

Can someone explain for the hundredth time what the native VLAN will be for each VLAN?

I just noticed that I have an old diagram attached. Now the admin VLAN starts off at 50 and they go up from there.
 
The native VLAN can be changed to VLAN 50, as long as the keyword "native" is used... then all switchports not associated with any VLAN will automatically be associated with VLAN 50.

Burt
 
"...then all switchports not associated with any vlan will automatically be associated with vlan 50."

I'm not sure what you're saying here. On a Cisco switch, all ports are associated with a VLAN. If there is no specific config, the port is placed into VLAN 1 by default.
 
I thought that if you changed the native VLAN to something else, then the switchports not associated with anything become a part of that native VLAN, not VLAN 1... is that wrong then?

Burt
 
Changing the native VLAN only affects how the trunk sends data for that VLAN. It has no effect on the VLAN configuration of any switch ports. They remain in the default VLAN 1 unless otherwise configured.
 
Hello
The native VLAN is for untagged traffic (without a VLAN ID). The 802.1Q trunk protocol will still pass this traffic. So you could have workstations that aren't part of a VLAN still being able to speak to each other. Ideally all traffic should be associated with a VLAN. So I never understood why 802.1Q implemented this. ISL doesn't support this feature.
Regards
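The native-VLAN behaviour the last few replies describe (untagged frames arriving on an 802.1Q trunk are filed under the native VLAN; everything else carries a tag that names its VLAN), as an added Python illustration that is not from the thread. The frame builder and the two trunk-port functions are my own model of that behaviour, and the MAC addresses, EtherTypes and payloads are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Construct a raw Ethernet frame; insert an 802.1Q tag when vlan_id is given."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0..4094 (0 = priority tag only)")
        tci = (pcp << 13) | vlan_id              # TCI = PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None when no tag is present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]    # plain frame: EtherType sits right after the MACs
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]    # VID is the low 12 bits of the TCI


def ingress_vlan(frame, native_vlan, allowed=None):
    """VLAN a trunk port files an incoming frame under, or None if the port drops it.
    Untagged and priority-tagged (VID 0) frames have no VLAN of their own, so they
    go to the native VLAN; 'allowed' models the trunk's allowed-VLAN list."""
    vid, _, _ = parse_tag(frame)
    if not vid:
        vid = native_vlan
    if allowed is not None and vid not in allowed:
        return None
    return vid


def egress_tagged(vlan_id, native_vlan, tag_native=False):
    """Whether a trunk tags a frame on the way out. The Cisco default sends the native
    VLAN untagged; tag_native models the optional 'tag the native VLAN too' setting."""
    return tag_native or vlan_id != native_vlan


if __name__ == "__main__":
    dst, src = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"   # constructed addresses
    untagged = build_frame(dst, src, 0x0806, b"\x00" * 28)
    tagged = build_frame(dst, src, 0x0800, b"\x45" + b"\x00" * 19, vlan_id=51, pcp=5)
    for name, frame in (("untagged", untagged), ("tagged 51", tagged)):
        print(name, "-> VLAN", ingress_vlan(frame, native_vlan=50))
    print("VLAN 50 leaves trunk tagged?", egress_tagged(50, 50))
```

The point for the design in this thread: whichever VLAN is native on a trunk receives every frame that arrives with no tag, so it should be a VLAN that carries no management or user traffic rather than the management VLAN 50 or the default VLAN 1. Platforms that support it can also be told to tag the native VLAN (on Catalyst switches the global command is `vlan dot1q tag native`), which is what the `tag_native` flag models.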
 
Ok this is getting clearer! :)

Now I need to figure out two more related things:

1) Am I supposed to use the router to handle inter-VLAN routing, the switch, or both?

2) What is a standard scheme to use for each VLAN's IP address and gateway IP?

Obi 1 Canobi, you're my only hope.
 
Hello
It's best to let the layer 3 switches handle the inter-VLAN routing. Much faster! We could be talking a 30 percent improvement rate.
You must use a different subnet for each VLAN. The numbering scheme is personal choice. The gateway for each VLAN will be the IP address of the VLAN.
Regards
 
Most people use a scheme based on physical floors, or departments etc.

Personally I've used the following

Code:
10.1.09.0 - 9th Floor Data
10.1.10.0 - 10th Floor Data
10.2.09.0 - 9th Floor Voice
10.2.10.0 - 10th Floor Voice

I use the .1 of each subnet as the vlan address/gateway.


----------------------------------
Bill
 
Thanks!

I was sort of looking for the IPs used within a VLAN though.

Let's say a VLAN named 50...

router side:
int vlan 50
ip address 192.168.50.254

switch:
int vlan 50
ip address 192.168.50.200

I'll assume that the gateway on the hosts would be set to .254... but I will be using DHCP on the router (I'll open that can of worms in another thread though) to serve all the different VLANs.
 
Hello
That's not a bad idea! Please note that if the layer 3 switches are terminating the VLANs, the gateway will be that of the switch (192.168.50.200). Then you would use a routing protocol between the switch and the router.
If the concepts aren't quite clear feel free to ask for in-depth explanations.
Regards
 
OK I think I'm getting closer.

This is where I'm at on the 3560 switch:

interface GigabitEthernet0/5
switchport access vlan 50

interface GigabitEthernet0/6
switchport access vlan 51

interface GigabitEthernet0/48
description ROUTED PORT TO ROUTER
no switchport
ip address 10.10.10.2 255.255.255.0

interface Vlan50
description NETWORK MANAGEMENT
ip address 192.168.50.200 255.255.255.0

interface Vlan51
description OWNER DATA
ip address 192.168.51.200 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.10.10.1

Inter-VLAN routing is working to the point where I can ping the .200 addresses from my PC.

Now I want to have the internet traffic sent to the router on 10.10.10.1.

Now I'm confused by two things.

1) How can I give that hwic-4esw (layer 2) port on the router the 10.10.10.1? SVI?

2) Does the router need any vlan info in it other than for what I do with question 1?

I'm having a real hard time finding this setup on cisco.com

 
Is your diagram still up to date?
Can you post full configs for both the switch and router?



----------------------------------
Bill
 
Do you have your DNS and Default Gateway setup correctly on the computer for internet?

Any ACL's?


----------------------------------
Bill
 
Hello
What you want to do is quite simple. You must think of the switch as the router-on-a-stick. First thing:

The workstation will have the switch as the default gateway.

The switch will pass Internet traffic for the different subnets to the router with the "ip route 0.0.0.0 0.0.0.0 10.10.10.1".

So the router will need to know how to get back to the subnets behind the switch (routing protocol or static routing) - on the router.

The "hwic-4esw" will function only as a layer 3 interface. Just remember the switch is handling all the inter-VLAN routing.

Regards

 
Thanks for asking to see the config!

The HWIC is my real confusion these days. If it was an FE port I could just use sub-interfaces to terminate all the VLANs... I think. But now I'm sending all the internet traffic from the switches up the 10.10.10.0 net but the router side is a layer 2 port, no?

Here's the switch.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname BD3560
!
enable secret 5 $1$igMk$Bjz9AGnZusCF33RNjtQjA0
enable password
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
switchport access vlan 50
!
interface GigabitEthernet0/5
description Aironet 1242
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/6
description Aironet 1242
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/7
description Aironet 1242
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/8
description Aironet 1242
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/9
description Aironet 1242
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/10
description Aironet 1242
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/17
switchport access vlan 52
!
interface GigabitEthernet0/25
switchport access vlan 55
!
interface GigabitEthernet0/27
switchport access vlan 55
!
interface GigabitEthernet0/48
no switchport
ip address 10.10.10.2 255.255.255.0
!
interface Vlan1
no ip address
!
interface Vlan50
description NETWORK MANAGEMENT
ip address 192.168.50.200 255.255.255.0
!
interface Vlan51
description OWNER DATA
ip address 192.168.51.200 255.255.255.0
!
interface Vlan52
description GUEST DATA
ip address 192.168.52.200 255.255.255.0
!
interface Vlan53
description SHIP MGT DATA
ip address 192.168.53.200 255.255.255.0
!
interface Vlan54
description CREW DATA
ip address 192.168.54.200 255.255.255.0
!
interface Vlan55
description CCTV
ip address 192.168.55.200 255.255.255.0
!
interface Vlan56
description AV1
ip address 192.168.56.200 255.255.255.0
!
interface Vlan57
description AV2
ip address 192.168.57.200 255.255.255.0
!
interface Vlan58
description SPARE
ip address 192.168.58.200 255.255.255.0
!
interface Vlan59
description VOICE OWNER
ip address 192.168.59.200 255.255.255.0
!
interface Vlan60
description VOICE GUESTS
ip address 192.168.60.200 255.255.255.0
!
interface Vlan61
description VOICE SHIP MGT.
ip address 192.168.61.200 255.255.255.0
!
interface Vlan62
description VOICE CREW
ip address 192.168.62.200 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password v@ncouver
login
line vty 5 15

I'll put the router on in my next post in a few mins.

Thanks again guys!
 
And here is my router capture. Don't laugh at my attempts at getting dhcp pools to work hahaha. I'll deal with that after I have all vlans on the internet and talking to each other.

You might see how I'm not sure what needs to be on the router as far as VLANs go.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2801
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.50.200
ip dhcp excluded-address 192.168.50.254
ip dhcp excluded-address 192.168.51.254
ip dhcp excluded-address 192.168.51.200
ip dhcp excluded-address 192.168.52.200
ip dhcp excluded-address 192.168.52.254
ip dhcp excluded-address 192.168.53.254
ip dhcp excluded-address 192.168.53.200
ip dhcp excluded-address 192.168.54.200
ip dhcp excluded-address 192.168.54.254
ip dhcp excluded-address 192.168.55.254
ip dhcp excluded-address 192.168.55.200
ip dhcp excluded-address 192.168.56.200
ip dhcp excluded-address 192.168.56.254
ip dhcp excluded-address 192.168.57.254
ip dhcp excluded-address 192.168.57.200
ip dhcp excluded-address 192.168.58.200
ip dhcp excluded-address 192.168.58.254
ip dhcp excluded-address 192.168.59.254
ip dhcp excluded-address 192.168.59.200
ip dhcp excluded-address 192.168.60.200
ip dhcp excluded-address 192.168.60.254
ip dhcp excluded-address 192.168.61.254
ip dhcp excluded-address 192.168.61.200
ip dhcp excluded-address 192.168.62.200
ip dhcp excluded-address 192.168.62.254
ip dhcp excluded-address 192.168.58.1
!
ip dhcp pool VLAN50
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.100
netbios-name-server 192.168.58.1
domain-name VLAN.50
dns-server 192.168.50.100
lease 8
update arp
!
ip dhcp pool VLAN51
import all
network 192.168.51.0 255.255.255.0
default-router 192.168.50.100
netbios-name-server 192.168.58.1
dns-server 192.168.50.100
domain-name VLAN.51
lease 8
update arp
!
ip dhcp pool VLAN52
import all
network 192.168.52.0 255.255.255.0
dns-server 192.168.50.100
netbios-name-server 192.168.58.1
default-router 192.168.50.100
domain-name VLAN.52
lease 8
update arp
!
ip dhcp pool VLAN60
import all
network 192.168.60.0 255.255.255.0
domain-name VLAN.60
netbios-name-server 192.168.58.1
default-router 192.168.50.100
dns-server 192.168.50.100
lease 8
update arp
!
ip dhcp pool VLAN61
import all
network 192.168.61.0 255.255.255.0
domain-name VLAN.61
netbios-name-server 192.168.58.1
dns-server 192.168.50.100
default-router 192.168.50.100
lease 8
update arp
!
ip dhcp pool VLAN62
import all
network 192.168.62.0 255.255.255.0
domain-name VLAN.62
dns-server 192.168.50.100
netbios-name-server 192.168.58.1
default-router 192.168.50.100
lease 8
update arp

interface FastEthernet0/0
description SECOND LINK TO INTERNET
no ip address
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description LINK TO INTERNET
ip address 192.168.0.224 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/3/0
description I WISH THIS WAS MY LAYER 3 LINK TO MY SWITCHES
switchport trunk native vlan 50
switchport mode trunk
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
no ip address
!
interface Vlan50
description NET ADMIN
ip address 192.168.50.254 255.255.255.0
!
interface Vlan51
description OWNER DATA
ip address 192.168.51.254 255.255.255.0
!
interface Vlan52
description GUEST DATA
ip address 192.168.52.254 255.255.255.0
!
interface Vlan53
description SHIP MGT DATA
ip address 192.168.53.254 255.255.255.0
!
interface Vlan54
description CREW DATA
ip address 192.168.54.254 255.255.255.0
!
interface Vlan55
description CCTV
ip address 192.168.55.254 255.255.255.0
!
interface Vlan56
description AV1
ip address 192.168.56.254 255.255.255.0
!
interface Vlan57
description AV2
ip address 192.168.57.254 255.255.255.0
!
interface Vlan58
description SMALL BIZ SERVER
ip address 192.168.58.254 255.255.255.0
!
interface Vlan59
description VOICE OWNER
ip address 192.168.59.254 255.255.255.0
!
interface Vlan60
description VOICE GUESTS
ip address 192.168.60.254 255.255.255.0
!
interface Vlan61
description VOICE SHIP MGT.
ip address 192.168.61.254 255.255.255.0
!
interface Vlan62
description VOICE CREW
ip address 192.168.62.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.100
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 192.168.0.224 192.168.0.224 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
end

Thanks for coming!
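An added consistency check, written for this thread and not taken from it, for the design the replies converge on: the 3560 routes between its SVIs and sends everything else to the router at 10.10.10.1, while the 2801 does DHCP and NAT and therefore has to hand out the switch SVI as the gateway and know the way back to the switch's subnets. It parses shortened copies of the two posted configs (embedded below, indentation stripped as on the forum) and reports the mismatches a reviewer would look for. The "fixed" router excerpt is constructed to show what the checker accepts; using an SVI named Vlan100 as the router end of 10.10.10.0/24 is an assumption, since the thread does not settle how the HWIC port gets 10.10.10.1.

```python
import ipaddress
import re

# Shortened copies of the posted switch and router configs.
SWITCH_CFG = """\
interface Vlan50
ip address 192.168.50.200 255.255.255.0
!
interface Vlan51
ip address 192.168.51.200 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
"""
ROUTER_CFG = """\
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.100
!
ip dhcp pool VLAN51
network 192.168.51.0 255.255.255.0
default-router 192.168.50.100
!
ip route 0.0.0.0 0.0.0.0 192.168.0.100
ip nat inside source list 1 pool MADNATPOOL overload
"""
# Constructed "after" excerpt: pools point at the switch SVIs, the router has static
# routes back via 10.10.10.2 and an inside NAT interface (Vlan100 is an assumption).
FIXED_ROUTER_CFG = """\
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.200
!
ip dhcp pool VLAN51
network 192.168.51.0 255.255.255.0
default-router 192.168.51.200
!
interface Vlan100
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.0.100
ip route 192.168.50.0 255.255.255.0 10.10.10.2
ip route 192.168.51.0 255.255.255.0 10.10.10.2
ip nat inside source list 1 pool MADNATPOOL overload
"""
BLOCK_START = re.compile(r"^(interface|ip dhcp pool)\s")
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_blocks(cfg):
    """Split config text into (header, sub-lines) blocks plus global lines; with the
    indentation gone, a block ends at '!' or at the next block header."""
    blocks, global_lines, current = [], [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if not line or line == "!":
            current = None
        elif BLOCK_START.match(line):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
        else:
            global_lines.append(line)
    return blocks, global_lines


def find_ip(lines, keyword):
    """First '<keyword> A.B.C.D [mask]' sub-line -> (address, mask or None)."""
    for line in lines:
        m = re.match(rf"^{keyword} {IPV4}(?: {IPV4})?$", line)
        if m:
            return m.group(1), m.group(2)
    return None, None


def svi_gateways(switch_cfg):
    """Map each SVI subnet on the switch to its SVI address, i.e. the hosts' gateway."""
    gws = {}
    for header, lines in parse_blocks(switch_cfg)[0]:
        addr, mask = find_ip(lines, "ip address")
        if header.startswith("interface Vlan") and addr:
            iface = ipaddress.ip_interface(f"{addr}/{mask}")
            gws[iface.network] = iface.ip
    return gws


def check(switch_cfg, router_cfg):
    """Return human-readable findings; an empty list means the two configs agree."""
    findings, gws = [], svi_gateways(switch_cfg)
    blocks, global_lines = parse_blocks(router_cfg)
    for header, lines in blocks:                 # DHCP pools must hand out the real gateway
        net, mask = find_ip(lines, "network")
        gw, _ = find_ip(lines, "default-router")
        if not (header.startswith("ip dhcp pool") and net and gw):
            continue
        network, gw_ip = ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw)
        if gw_ip not in network:
            findings.append(f"{header}: default-router {gw} is outside {network}")
        elif network in gws and gw_ip != gws[network]:
            findings.append(f"{header}: default-router {gw} is not the switch SVI {gws[network]}")
    statics = {ipaddress.ip_network(f"{l.split()[2]}/{l.split()[3]}")
               for l in global_lines if l.startswith("ip route ")}
    if not any(l.startswith("router ") for l in global_lines):   # no IGP: statics must cover
        findings += [f"router has no route back to {n}" for n in gws if n not in statics]
    if any(l.startswith("ip nat inside source") for l in global_lines) and \
       not any(l == "ip nat inside" for _, lines in blocks for l in lines):
        findings.append("NAT is configured but no interface is marked 'ip nat inside'")
    return findings
```

Run against the posted excerpts, `check(SWITCH_CFG, ROUTER_CFG)` reports the VLAN50 pool handing out 192.168.50.100 instead of the switch SVI, the VLAN51 pool handing out a gateway from the wrong subnet, no route on the router back to either 192.168.5x.0/24, and NAT with no inside interface; `check(SWITCH_CFG, FIXED_ROUTER_CFG)` returns an empty list. The same four checks are what to confirm by hand with `show ip route` on the router and `show ip dhcp binding` once the HWIC question is sorted out.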
 