Extending VLANs over multiple switches

Status
Not open for further replies.

kannar

IS-IT--Management
Dec 19, 2010
6
US
Hi all, this is my first post so please bear with me.

I'm looking for a bit of guidance.
I have inherited a small business network. At the core is a 3750G48. This is split into 6 VLANs, routing between the VLANs is carried out by means of a firewall. 'Hanging off' this core switch is a stack of three C3750G36S switches. The link between the core switch and the stack is currently not trunked. On the core switch it is designated as Static access VLAN 8 (wired network). On the Stack side of the link it is designated as static access VLAN 1.
The stack and all connected switches have only the default VLAN 1 enabled. As a result all of the 'edge' ports are on the same VLAN.
What I would like to do is extend some of the VLANs on the core switch to the 'edge' ports so they can be split into 'employees' and 'guests'. I.e. use VLAN 8 for employees (with access to servers etc) and VLAN 6 for guests (with access to Internet etc).
I have created VLAN 8 and VLAN 6 on all of the edge switches as well as the stack. The links between the edge switches and the stack have been trunked. However none of the 'edge' ports have been assigned to a VLAN yet.
To get this working I guess I need to assign all of the edge ports as an access port to either VLAN 8 or 6. Then I need to trunk the link between the core switch and the stack.
Have I missed anything?
Also will I still be able to manage the switches? i.e. do I need to assign the management VLAN to one of the new VLANs, i.e. VLAN 8?

Sorry for the monster post but I wanted to put out as much info as pos ;-) Thanks in advance.
J
 
This is a typical topology. What I would do is move the routing function into core and out of the firewall. As for management, yes, create a management VLAN on all switches and assign an IP address to each switch on this VLAN.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
@unclerico
Thank you for the help and the very quick response! Much appreciated. I'll give this a try (it might be a while, management have now changed their minds ;-)). At the moment I am creating the VLANs on each switch manually. What would the benefit and/or snags be if I used VTP?
I hear what you are saying about routing. The firewall is used to allow rule based communication between the VLANs. I think you can do the same with CISCO ACLs but to be honest I would not know where to start!
 
Yes, a VLAN ACL can do inter-vlan access control (
For the question about VTP, in my opinion it's more trouble than it's worth. The potential to overwrite the entire vlan database on the network, for one, is a good reason to not use it. Convenience, yes, but you shouldn't need to extend each vlan too far, and there is little benefit of having globally-significant vlan numbers throughout an Enterprise.



CCNP, CCDP
 
Thanks for the feedback Quadratic. I'll have a look through that link. It might be something that I can set up over time then switch over in a "quiet period".

As for the VTP I think I'll stick with the longer way. That way if I muck up I only have to reset one switch and not rebuild the entire lot ;-).
 
Yeah, with only a few vlans vtp is probably not worth it. It's really made for when you have dozens of vlans and they are spread across multiple switches where you are frequently adding or deleting vlans from switches.
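
Added example, not part of the original thread and not any poster's own configuration: one way the stack side of the plan discussed above could look, with the uplink trunk limited to the VLANs that must cross it, edge ports pinned to VLAN 8 or VLAN 6, VLANs kept local instead of using VTP, and a separate management VLAN. The interface numbers, VLAN 99, the VLAN names and the 192.0.2.0/24 addresses are assumptions chosen for illustration.

```cisco
! Constructed example. Interface numbers, VLAN 99, names and addresses are
! placeholders, not values from the thread.
!
! VLANs are created by hand on each switch, so keep VTP from learning or
! overwriting the local VLAN database.
vtp mode transparent
!
vlan 6
 name GUESTS
vlan 8
 name EMPLOYEES
vlan 99
 name MGMT
!
! Uplink from the stack to the core switch: static 802.1Q trunk carrying only
! the VLANs that need to cross it. The core end of this link needs the same
! trunk settings; with one end left as an access port the tagged VLANs do not pass.
interface GigabitEthernet1/0/1
 description Uplink to core 3750G
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 6,8,99
!
! Employee edge port: access only, VLAN 8
interface GigabitEthernet1/0/10
 description Employee port
 switchport mode access
 switchport access vlan 8
 spanning-tree portfast
!
! Guest edge port: access only, VLAN 6
interface GigabitEthernet1/0/11
 description Guest port
 switchport mode access
 switchport access vlan 6
 spanning-tree portfast
!
! Switch management address sits in its own VLAN, not in the guest or
! employee VLAN, so guest ports have no layer-2 path to it.
interface Vlan99
 description Switch management
 ip address 192.0.2.11 255.255.255.0
 no shutdown
!
ip default-gateway 192.0.2.1
```

`show interfaces trunk` and `show vlan brief` confirm which VLANs are active on the uplink and which ports landed in VLAN 6 or VLAN 8. The management VLAN also has to exist on the core and be reachable through whatever device routes between VLANs, which in this thread is the firewall.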
 