need help with Vlan

mostecryder

IS-IT--Management
May 20, 2005
45
US
Hi all, I am trying to create two vlans in a small network. The network looks similar to this:

20 PC clients => 2900 switch => PIX => 2621 router => Internet

All the clients are on the 192.168.1.0 network. They are getting IP addresses from a 2003 DHCP server.

What I want to do is to split the clients into two VLANs, with 10 on the 192.168.1.0 network and 10 on a new 192.168.2.0 network. Would I have to create another DHCP server? And how do I route both networks out to the Internet? I am fairly familiar with Cisco IOS commands, just need help on the routing of the VLAN. Any help is appreciated!
 
No, you would create two different DHCP scopes, one for 192.168.1.X and another for 192.168.2.X.

Therefore, when you configure your VLAN (SVI) interfaces (if the switch is routable??)

interface vlan 11
ip address 192.168.1.1 255.255.255.0

interface vlan 12
ip address 192.168.2.1 255.255.255.0

router eigrp 1
network 192.168.1.0
network 192.168.2.0
passive-interface default

If your DHCP server is on a different network (e.g. 192.168.3.x) then you would configure "ip helper-address [ip-of-dhcp-server]" under those VLAN interfaces. The DHCP request from either PC in VLAN11 or VLAN12 will be tagged with 192.168.1.255 or 192.168.2.255. From there, with the help of the tag, it will assign the PCs the right IP.

In terms of routing of VLANs, I'm assuming the Catalyst 2900 is a Catalyst 2950? The Catalyst 2950 IOS codes for EMI and SMI are merged together, and they provide some routing capabilities especially if you want to use certain routing protocols.

cf
 
No, it's a WS-C2924M-XL switch. I don't think that switch has routing capabilities. Would I have to configure the switch to a router then?
 
Well, the 2924 is only configurable as a switch. You would need to add a router to it with trunking to get your routing within your VLANs.

However, there is some stuff you can do on the PIX firewall, especially with the 7.x release, which does some dot1q trunking. What PIX version do you have? Here is what I have done before: if you have a PIX 515E or higher you can run PIX OS 7.x. That will allow you to configure the PIX in transparent mode with its interfaces configured as trunks, but you have to do trunking on your c2621 and 2900 switch. That way you can do your VLAN routing on the router. Some people don't like to complicate things on the PIX, so I understand. Just want to present to you all of your possible options.

Another option is configuring trunking between the PIX and the Catalyst switch, but then you would do DHCP scopes on the firewall itself.

So what PIX hardware and OS do you have running? Do you have another router or a L3 switch (catalyst 3550, 3560, 3750, etc) then that would be very easy for a migration?

cf
 
I'd rather not configure the PIX for VLAN. I'm not that familiar with PIX OS 7.x. If I was to connect another router... my network would look like this:

20 PC clients on two different VLANS => 2900 switch => router => PIX => 2621 router => Internet

Would this be the correct config?
 
That is correct. I agree, doing the PIX solution can complicate things. How big is your network today that this network will accommodate (100 users, etc)?

Or you can get the cat3560/3750 and it can look like this:

20 PC clients on two different VLANS => 3560/3750 switch => PIX => 2621 router => Internet

cf
 
I think 3750 would be out of the price range for this network. Since this is a small company network, there shouldn't be more than 25 users supported. So according to the diagram I presented, do I need two trunk lines or one from the switch to the router? Sorry, I am kind of new at this... if you can link me to a helpful resource or show me the steps I'd appreciate it.
 
That's ok, I want to help. So, if it's only 25 users then that is ok, and yeah, I do understand that the 3750s are very, very expensive.

What router do you have available to use if possible?

You only need one trunk which will carry the two VLANs across.

Here is the config you would need, as an example:

~~~~2900xl switch~~~~
~~~~~~~~~~~~~~~~~~


vlan database
vlan 11 name user-network1
vlan 12 name user-network2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

interface fast0/1
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
no shutdown


interface fas0/10
description for users on network1
switchport access vlan 11
spanning-tree portfast
no shutdown


interface fas0/11
description for users on network2
switchport access vlan 12
spanning-tree portfast
no shutdown




~~~~ IOS router ~~~~
~ if the DHCP server is not on 192.168.1.0 or 192.168.2.0 you need to configure ip helper. For example if your DHCP server is IP 192.168.3.10.
~~~~~~~~~~~~~~


interface fastethernet0
no ip address
no shutdown

interface fastethernet0.11
encapsulation dot1q 11
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.3.10


interface fastethernet0.12
encapsulation dot1q 12
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.3.10



router eigrp 1
network 192.168.1.0
network 192.168.2.0
passive-interface default

ip route 0.0.0.0 0.0.0.0 <pix-inside-ip>


cf
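
The switch and router snippets in the post above only work together if every access VLAN has a matching dot1q subinterface on the router and, where the DHCP server sits on another subnet, an ip helper-address under that subinterface. A small consistency check for that follows, as an added example that is not part of the thread; the function names and the trimmed config strings are constructed for illustration.

```python
import ipaddress
import re

# Constructed input: trimmed copies of the switch and router configs posted above.
SWITCH_CFG = """
interface fas0/10
 switchport access vlan 11
interface fas0/11
 switchport access vlan 12
"""
ROUTER_CFG = """
interface fastethernet0.11
 encapsulation dot1q 11
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.3.10
interface fastethernet0.12
 encapsulation dot1q 12
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.3.10
"""

def access_vlans(cfg):
    """VLAN IDs assigned to access ports on the switch."""
    return {int(v) for v in re.findall(r"switchport access vlan (\d+)", cfg)}

def subinterfaces(cfg):
    """Map VLAN ID -> {'ip': IPv4Interface, 'helpers': set} from router subinterfaces."""
    subs = {}
    for block in re.split(r"(?m)^interface ", cfg)[1:]:
        vlan = re.search(r"encapsulation dot1q (\d+)", block)
        addr = re.search(r"ip address (\S+) (\S+)", block)
        if vlan and addr:
            subs[int(vlan.group(1))] = {
                "ip": ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}"),
                "helpers": set(re.findall(r"ip helper-address (\S+)", block)),
            }
    return subs

def audit(switch_cfg, router_cfg, dhcp_server):
    """Return findings for VLANs lacking a gateway or a DHCP relay path."""
    server = ipaddress.ip_address(dhcp_server)
    subs = subinterfaces(router_cfg)
    findings = []
    for vlan in sorted(access_vlans(switch_cfg)):
        sub = subs.get(vlan)
        if sub is None:
            findings.append(f"VLAN {vlan}: no dot1q subinterface on the router")
        elif server not in sub["ip"].network and dhcp_server not in sub["helpers"]:
            findings.append(f"VLAN {vlan}: DHCP server {dhcp_server} is off-subnet, no ip helper-address")
    return findings
```

Calling `audit(SWITCH_CFG, ROUTER_CFG, "192.168.3.10")` returns an empty list for the configs as posted; removing a helper line or adding an access VLAN without a subinterface produces a finding for that VLAN.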
 
Interesting... so I would only need an IOS router with two Ethernet ports, correct? BTW thank you very much for the config... I'll try it tomorrow morning.
 
Thanks CiscoFreak. But I'm still curious about one more thing... if my DHCP server (Windows 2003) is located on the .1 network and I add another scope for the .2 network, how will clients on the .2 network get the correct IP address? Is it done through the server, or a command on the switch to help the clients get the correct IP address?
 
I noticed that in the code you've given, the VLANs are 11 and 12. Couldn't I just use the native VLAN and add VLAN 2?
 