
Help & suggestions for setting up VLAN 5


hinesjrh (MIS), Jan 4, 2005
I have a Cisco 4006 (CAT OS) as my core data center switch. I have a group of Catalyst 2950's as distribution switches for my corporate office users. Recently some of my counterparts installed a 3COM wireless system which has been giving them some trouble (imagine that). 3COM recommends that we set up a separate VLAN for these access points and associated users, so that this wireless traffic is not seeing all the other (especially our VOIP) traffic on our network.

Currently there is one 3COM WX1200 LAN switch of which 6 of our 8 access points patch back into, while the other two patch back to a 3COM POE unit which then patches into two of my 2950 distribution switches.

My questions are: 1) Is it best to just create a new VLAN on the 4006 and patch the 3COM LAN switch and the two POE units into three ports (all in the same VLAN) on the 4006, or 2) Should I create a VLAN that is both on the 4006 and the 2950's and leave things patched in as they are now (I can have a VLAN that is across more than one switch, can't I?), and 3) is there anything special about a VLAN for wireless?
 
Just create the vlans on the 4006 and then trunk the vlans you need down to the 2950's, plug your 3coms into the 2950 and assign the ports to the vlan you want them in on the 2950.
 
I'd also recommend setting up a Wireless VLAN on your VTP server (presumably the 4000) and passing it down to the 2950's that the 3Coms will be directly connected to.

As this will be a Wireless VLAN, I'd recommend considering some of the following security features:

1. MAC address security.
2. Use a unique VLAN ID for any trunk ports.
3. Consider deploying a RADIUS server and setup 802.1x port authentication for each wireless user.
4. If the guys on the WLAN require access to wired resources, deploy a firewall or even multiple firewalls (defense in depth) between them and the resources they need access to.
 
I have limited to no experience with DHCP. I have created my new VLAN on the 4006 and it has passed knowledge of that new VLAN to my two trunked 2950 distribution switches. The problem is that when I change the ports on the 2950's and the one port on the 4006 that relate to my new wireless network to the new VLAN (VLAN 20) then I can't authenticate from wireless clients. How do I get my new VLAN to communicate with my DHCP? Maybe my new VLAN is not communicating with the rest of my network at all???

What am I forgetting or not doing correctly?

If I switch those ports back to the original VLAN (VLAN 2) then I can authenticate right away.
 
Did you define a helper-address on the interface?
 
No, I am not familiar with that. How is it done, and what does it do?
 
Helper addresses are DHCP relay addresses, i.e.

pc - router1 - router2 - dhcp server

the helper address would sit on the ethernet interface of router1 and pass any dhcp request to the defined dhcp server

(haven't worked with routers for a while so someone may correct me)
 
Where does this "helper address" go if everything I have is behind just one router?

Let's see if I can document how my internal LAN is set up hardware wise, so that you can understand.

4006 core switch <---> 2950 distribution switches <---> 3COM switch that the wireless access points patch into <---> end wireless users. Both the 2950's and the 3Com switch patch directly into the 4006. Only users at this office will be using this wireless network, so I don't believe our routers play a part in this (but I could be wrong).

I have set up the new VLAN 20 on the 4006 and via VTP it shows up on the 2950's. Six of the eight wireless access points patch directly into the 3COM switch and two of the wireless access points patch into two different Cisco 2950's.
 
Any devices that are not on the dhcp server subnet will need helper addresses. They are put on the router L3 interfaces that feed the switches. They will be needed on all subnets in which you want dhcp, except on the dhcp server subnet itself.
 
In my case would it be appropriate to place the helper address on the 4006 (my core data center switch) switch ports that relate to this wireless system and the new VLAN #20? Can a helper address be placed on a switch (4006 operates at layers 2, 3, and 4 per my research), or does it only work on a router?
 
Hi

Is the 4000 the default gateway for all the clients on vlan 20? Also is it the default gateway for everyone on vlan 2?

If so, this is where to place the helper address. Place it on vlan 20 as directed above. Something like the following:

interface Vlan 2
ip address 2.2.2.1 255.255.255.0

interface Vlan 20
ip address 20.20.20.20 255.255.255.0
ip helper-address 2.2.2.2

I'm assuming the DHCP server is on vlan 2. If not, amend as appropriate.
 
Good question! No, the default gateway would be my 3640 router at 10.1.0.3. So I take it the IP HELPER-ADDRESS needs to go on the internal interface of the 3640. Yes, DHCP is on VLAN 2. Here's what my internal interface currently looks like on the 3640.

FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 0001.42a5.5ee1 (bia 0001.42a5.5ee1)
Internet address is 10.1.0.3/22
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 6/255, rxload 21/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 4w3d
Input queue: 0/75/20792/0 (size/max/drops/flushes);Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 8511000 bits/sec, 1624 packets/sec
5 minute output rate 2595000 bits/sec, 1572 packets/sec
2058728920 packets input, 3778987342 bytes
Received 38344047 broadcasts, 0 runts, 0 giants, 0 throttles
171789 input errors, 0 CRC, 0 frame, 171789 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
2202665446 packets output, 1977465453 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
 
If we have the 3COM switch that most of the wireless access points are patched into act as the DHCP server for wireless clients (instead of using my existing DHCP server on VLAN2), how do I get clients on the new VLAN (VLAN 20) which are in a new DHCP range (10.1.3.x) to communicate with everything else on my network (10.1.1.x, and 10.1.2.x)?
 
Assuming you have created a VLAN20 interface on the RSM of the 4006, you would just need to put your routes into your d/g and point the next hop to your 4006; as VLAN20 is directly connected to your 4006, traffic will be directed onto your new vlan.

Hope this is okay, I'm more used to 6509's with MSFC's, but I'm sure the principles are the same.

The only reason some people are still alive, is simply because it's illegal to kill them!! ;0)
 
Hi

I think you said the 3640 was your d/g - not the 4000. If this is the case, you'll need to setup vlan subinterfaces on this device and attach it to your switch that is aware of all the VLANs you want to route between.

You need to make sure the 3640 has a Fast Ethernet interface (such as the NM-1FE-TX) to make this work. Alternatively, if your 4000 has a SUPIII or better, you can set up the layer 3 (router) interfaces on this device instead.
 
Agree with most of what is above.

If your 4000 has a SUPII then you need to trunk to the 3640 and sub-interface the fast ethernet port. Your helper-addresses need to be on the sub-interfaces for broadcasts to be turned into unicasts and sent to the DHCP server. Should look something like this:

3640

interface fa0/0
description Trunked Interface
no ip address
no shut
interface fa0/0.1
ip address 10.0.0.1 255.255.255.0 <---L3 interface for vlan
encapsulation dot1q 1 <---vlan id on trunk
ip helper-address 10.10.10.x <--address of DHCP server
no shut
interface fa0/0.2
ip address 10.0.2.1 255.255.255.0 <---L3 interface for vlan
encapsulation dot1q 2 <---vlan id on trunk for wifi
ip helper-address 10.10.10.x <---again, address of DHCP svr

4006

set trunk mod/port on dot1q
set port mod/port enable

I think this is correct, been awhile since I've done hybrid commands. :)

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
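The helper-address rule given earlier in the thread (a helper on every L3 interface except the DHCP server's own subnet) and the relay behaviour behind the 3640 sub-interface config above, as an added Python model that is not from any poster. It assumes a DHCP server at 10.1.1.10 on VLAN 2 and a VLAN 20 gateway of 10.1.4.1/24 as a working alternative, because the 10.1.3.x range planned for VLAN 20 falls inside the 3640's existing 10.1.0.3/22, which the overlap check flags.

```python
# Added example, not from the thread: where 'ip helper-address' belongs for the VLANs here
# and what the relay does to a client's DHCP broadcast. Assumed: DHCP server 10.1.1.10 on
# VLAN 2 and VLAN 20 gateway 10.1.4.1/24; 10.1.0.3/22 and 10.1.3.x are from the thread.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations

ZERO, BCAST = IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")

@dataclass(frozen=True)
class L3Interface:
    vlan: int
    addr: IPv4Interface         # gateway address with mask, e.g. 10.1.4.1/24

@dataclass(frozen=True)
class DhcpRequest:
    chaddr: str                 # client MAC
    ingress_vlan: int           # VLAN the broadcast arrived on
    dst: IPv4Address = BCAST    # clients broadcast DISCOVER/REQUEST
    giaddr: IPv4Address = ZERO  # filled in by the first relay agent

def subnet_conflicts(interfaces):
    """VLAN pairs whose subnets overlap; a gateway cannot route between those."""
    return [(a.vlan, b.vlan) for a, b in combinations(interfaces, 2)
            if a.addr.network.overlaps(b.addr.network)]

def plan_helpers(interfaces, dhcp_server):
    """Rule from the thread: a helper on every L3 interface except the one on the
    DHCP server's own subnet. Refuses to plan if any subnets overlap."""
    if subnet_conflicts(interfaces):
        raise ValueError(f"overlapping VLAN subnets: {subnet_conflicts(interfaces)}")
    return {i.vlan: (dhcp_server,) for i in interfaces if dhcp_server not in i.addr.network}

def relay(req, interfaces, helpers):
    """Re-send the broadcast as a unicast to each helper, giaddr = ingress interface address
    (the server picks the scope from it). No helper on the ingress VLAN: nothing forwarded."""
    iface = next((i for i in interfaces if i.vlan == req.ingress_vlan), None)
    if iface is None or req.dst != BCAST:
        return []
    gi = req.giaddr if req.giaddr != ZERO else iface.addr.ip
    return [replace(req, dst=h, giaddr=gi) for h in helpers.get(req.ingress_vlan, ())]

DHCP_SERVER = IPv4Address("10.1.1.10")                          # assumed, on VLAN 2
VLAN2 = L3Interface(2, IPv4Interface("10.1.0.3/22"))            # 3640 inside interface
WIFI_AS_POSTED = L3Interface(20, IPv4Interface("10.1.3.1/24"))   # 10.1.3.x lies inside that /22
WIFI_ALT = L3Interface(20, IPv4Interface("10.1.4.1/24"))         # assumed non-overlapping choice

if __name__ == "__main__":
    print(subnet_conflicts((VLAN2, WIFI_AS_POSTED)), plan_helpers((VLAN2, WIFI_ALT), DHCP_SERVER))
    print(relay(DhcpRequest("00:11:22:33:44:55", 20), (VLAN2, WIFI_ALT), {20: (DHCP_SERVER,)}))
```

A request on VLAN 2 gets nothing relayed because the server hears that broadcast directly, which is the case the helper rule excludes.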
 