Flat Network

Status
Not open for further replies.
Aug 30, 2012
Wanted to get some opinions on this. The company where I work has a flat network. Everything is on one Vlan.
This is what they have on the core:
interface Vlan1
 ip address 10.29.72.1 255.255.252.0 secondary
 ip address 10.29.68.29 255.255.252.0
 ip helper-address 10.29.68.235
 no ip redirects
 arp timeout 180

I'm looking to create multiple vlans. Of course, they will need more than 3. I'm just trying to get the correct concept:

interface Vlan10
 ip address 10.29.72.2 255.255.252.0
 ip helper-address 10.29.68.235
 no ip redirects
 arp timeout 180

interface Vlan20
 ip address 10.29.76.1 255.255.255.0
 ip helper-address 10.29.68.235
 no ip redirects
 arp timeout 180

interface Vlan30
 ip address 10.29.77.1 255.255.255.0
 ip helper-address 10.29.68.235
 no ip redirects
 arp timeout 180

As I swap out the old equipment and put in the new switches, I'll add all the vlans. I'll then go to each port and tell it which vlan it belongs to. The uplink port will be a trunk port.

Once I segment all the vlans, I can go back to vlan 1 and 10 and change them to 24 bit.

Can I get opinions/recommendations?

thanks
 
Looks like you have the right idea, although I don't see what you want VLAN10 for.

The way I see it (and I've done the same thing as you are about to start), these are the steps:

Do you need to replace the core switch?
Do you need to upgrade firmware on core switch?

Create a new network design. (VERY IMPORTANT STEP!)
- /24 subnets
And in an ideal world:
- Each Access Switch only in 1 Data VLAN & 1 Voice VLAN (+ 1 Management VLAN)
- Each VLAN extended from Core to only one Access switch

Configure all required VLANs:
- Add VLAN to Core
- Create VLAN router interface on Core
- add necessary config, e.g. DHCP-forwarding/IP Helper
- enable Spanning tree

Extend VLANs to Access layer:
- Change each uplink to a dot1Q trunk
- add required VLAN(s) to each uplink
- prune off all other VLANs

Configure VLANs in Access switch:
- Create VLANs
- Create VLAN interface on Management VLAN and give it an IP address
- change each uplink to a dot1Q trunk
- add required VLAN(s) to each uplink
- prune off all other VLANs
- change all Access ports to correct access VLAN + required Voice VLAN OR dot1Q trunk with untagged Data/tagged Voice
 
1 added point... don't use VLAN1... ALL switches default to VLAN1. A security risk.
 
Hi,
Just to keep going on what Vince said:

Configure Spanning tree mode = rapid-pvst
If possible, configure EtherChannel between switches
Configure Portfast on all host (non-switch or router) access ports
Shut down any unused port
 
...and then when it's all up and working fine and you're getting bored:

- configure all switch logins for RADIUS authentication
- configure DHCP snooping across your network to protect you from rogue DHCP servers
- configure IGMP snooping so Multicasting works efficiently
- configure QoS
- set up a syslog server

And if your boss has money to spend:
- set up configuration management so all your configs are backed up
- set up performance monitoring
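
Added example, not part of any post in this thread: a small Python audit that checks an access-switch config against the points raised in the replies (no access ports left in VLAN 1, trunks pruned to an allowed-VLAN list, Portfast on host ports, DHCP snooping enabled). The sample config, interface names and finding wording are constructed for illustration.

```python
import re

# Constructed sample of an access-switch running-config (not from the thread).
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 20,30
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

def audit(config):
    """Return (interface, finding) pairs for the checklist items above."""
    findings = []
    if not re.search(r"^ip dhcp snooping\s*$", config, re.M):
        findings.append(("global", "DHCP snooping not enabled"))
    # Split into interface stanzas: name plus its indented sub-commands.
    for name, body in re.findall(r"^interface (\S+)\n((?:^ .*\n?)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        if "shutdown" in cmds:
            continue  # administratively down ports are already handled
        if "switchport mode trunk" in cmds:
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append((name, "trunk carries all VLANs (not pruned)"))
        elif "switchport mode access" in cmds:
            # An access port with no explicit VLAN stays in the default VLAN 1.
            vlan = next((c.split()[-1] for c in cmds
                         if c.startswith("switchport access vlan")), "1")
            if vlan == "1":
                findings.append((name, "access port left in VLAN 1"))
            if not any(c.startswith("spanning-tree portfast") for c in cmds):
                findings.append((name, "host port without portfast"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE):
        print(f"{iface}: {finding}")
```

Ports that are explicitly `shutdown` are skipped, so unused ports that have been disabled as recommended do not generate findings.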
 