Overlapping VLAN. Which Cisco switch to get?

Status
Not open for further replies.

AlpineMan

MIS
Jun 23, 2003
31
US
First, let me start with what I'm trying to accomplish. The client has multiple servers, Server A, B, C, etc in the corporate site. They have multiple users, User A, B, C, etc. They want to allow User A to access Server A & B, but not C. User B to access Server B and C, but not A. They also have remote users connected via site-to-site VPN. Remote User A should only be able to access Server B, and so on and so forth.

So I'm thinking, the best way to handle this would be to set up a VLAN on the corporate site. What is the least expensive Cisco switch that will allow the above scenario? I've looked at the Cisco 2960 switches, but I'm unsure via the user documentation whether this is possible. As much as possible, the customer would not want to use an external router to route packets between VLANs. Ideally, overlapping VLANs should be supported by the switch or perhaps have built-in routing on the switch itself to accomplish the above requirements.
 
I would like to add that the servers will be on their own Cisco gigabit switch...perhaps using the WS-C2960G-24TC-L, which has 20 gigabit ports (copper) and 4 ports (copper/fiber). The users will be on a separate switch...perhaps the WS-C2960-48TT-L switch, which is a 48-port 10/100 switch that has two gigabit uplink ports. Thanks!
 
I would do the same as what AlpineMan said, either 2950G or 2950-60

 
Scion515...not sure what you mean...do you mean you'd like to know whether the scenario would be possible on the 2950G and 2950/60 as well?
 
I guess what I'm really looking for is whether these switches have built-in routing capabilities to route packets from one VLAN to another? If not, do these switches have overlapping VLAN capabilities...so that a server and/or user can belong to more than one VLAN at a time?
 
Normally you would set the port to be "access" which would mean only 1 VLAN. However, for links that require more than 1 vlan to traverse the link then you can use .1q trunking.

802.1q trunking will be required for more than 1 vlan to traverse the link. This is so that the packet can be tagged on Egress to show the VLAN it belongs to.

For our layer 3 IP Routing between VLANs we use the 3560G or 3560 PoE switches. I am unsure about the 2950 but am sure you will get the info from
 
I spoke with a Cisco presales rep. He mentioned that the 2960 series switches are layer 2 switches, therefore they can't route packets from one vlan to another. He's unsure though whether the 2960 can have ports that can belong to more than one vlan.
 
The 29XX series switches are only L2 switches, which means they need an L3 device to route between those vlans you might create. This can be accomplished by either not using 29xx series switches and going with L3 switches like the 3560 or 3750 (if you need to stack them), and it will do intervlan routing automatically. You would then have to create ACLs on the L3 switch just like you would do on a router to actually deny the interesting traffic, because by default it allows everything. The other way you could do it would be to use the 29xx and trunk it to a Cisco router using 802.1q encapsulation and create a sub-int on that ethernet int for each vlan (this is known as router on a stick). Definitely not the best way to go, but hey, sometimes you got to do what you got to do. Again, ACLs would have to be done to define what traffic you want to allow and what you want to deny.

And if you are a Cisco historian, please don't ding me for saying 29xx just L2, there was a 29xx switch a few years back that was L3, but that was a long time ago.

Hope this helps.
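
An added example, not part of any post in this thread: one way the L3-switch-plus-ACL approach described above could express the original requirement (User A reaches Server A and B but not C; User B reaches Server B and C but not A). The VLAN numbers, subnets, host addresses and ACL names are all assumptions chosen for illustration.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VLAN 10   group A users   10.0.10.0/24
!   VLAN 20   group B users   10.0.20.0/24
!   VLAN 100  servers         10.0.100.0/24  (A = .11, B = .12, C = .13)
!
! Enable inter-VLAN routing on the L3 switch. Once this is on, every
! VLAN with an SVI can reach every other one until ACLs are applied.
ip routing
!
! Group A: Server A and Server B only.
ip access-list extended GROUP-A-IN
 ! Needed only if clients in this VLAN obtain addresses by DHCP via this SVI.
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.10.0 0.0.0.255 host 10.0.100.11
 permit ip 10.0.10.0 0.0.0.255 host 10.0.100.12
 ! Explicit form of the implicit deny; blocks Server C and everything else.
 deny   ip any any
!
! Group B: Server B and Server C only.
ip access-list extended GROUP-B-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.0.20.0 0.0.0.255 host 10.0.100.12
 permit ip 10.0.20.0 0.0.0.255 host 10.0.100.13
 deny   ip any any
!
! Filter inbound on each user SVI, i.e. as traffic leaves the user VLAN
! and before it is routed toward the server VLAN.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group GROUP-A-IN in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group GROUP-B-IN in
!
! Server VLAN: no ACL here, so replies from servers to users are routed back.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
```

These ACLs key on the source subnet, so the access boundary is VLAN membership rather than an individual user; hosts placed in the same VLAN get the same access. The final deny also blocks any other destination (other VLANs, Internet), so permits for those would need to be added above it if required.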
 