
4500 and VLANs

Status
Not open for further replies.

wilson2468 (Technical User; joined Jun 2, 2006; 84 messages; location: US)
I will be starting a new job. The company has 2 4500 series routers with EtherChannel links connecting the two switches.

There is one uplink from 10 3COM distribution switches to one of the 4500. There is also one port on the 4500 used for uplink to a PIX.

As it stands now, there is a phone system on one of the distribution switches that needs to be VLANed out of the regular traffic.

I am thinking I need to

1. Create the VLAN on the distribution switches and create a trunk port on the 3COM uplink to the 4500.

2. Create the VLAN on the Cisco 4500 and create a trunk port on it.

3. Tag the phone system ports on the trunk link.

I guess I need to know if my thinking is correct.
And really I am not sure how to go about doing all of this.

Any input would be appreciated

A piece of the config is shown below:


!
interface GigabitEthernet1/1
switchport mode access
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
description uplink to distribution switches
duplex full
!
interface GigabitEthernet2/2
!
interface GigabitEthernet2/3
!
interface GigabitEthernet2/45
!
interface GigabitEthernet2/46
description PIX1
switchport access vlan 2
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface GigabitEthernet2/47
description etherchannel
switchport access vlan 2
switchport mode dynamic desirable
speed 1000
duplex full
channel-group 1 mode desirable
!
interface GigabitEthernet2/48
description etherchannel
switchport access vlan 2
switchport mode dynamic desirable
speed 1000
duplex full
channel-group 1 mode desirable
!
interface Vlan1
ip address 10.10.151.230 255.255.255.0 secondary
ip address 10.10.152.230 255.255.255.0 secondary
ip address 10.10.153.230 255.255.255.0 secondary
ip address 198.104.204.230 255.255.255.0 secondary
ip address 10.10.153.80 255.255.255.0 secondary
ip address 10.10.150.232 255.255.255.0 secondary
ip address 10.10.150.230 255.255.255.0
no ip redirects
no ip split-horizon
standby ip 10.10.150.254
standby ip 10.10.150.253 secondary
standby ip 10.10.151.254 secondary
standby ip 10.10.152.254 secondary
standby ip 10.10.153.126 secondary
standby ip 10.10.153.254 secondary
standby ip 198.104.204.2 secondary
standby timers msec 300 1
standby priority 150
standby preempt
!
interface Vlan2
description PIX VLAN
ip address 10.10.154.230 255.255.255.0
no ip redirects
no ip split-horizon
standby ip 10.10.154.2
standby timers msec 300 1
standby priority 150
standby preempt
!
router rip
 
That is an ugly flat setup with all those secondaries on one vlan. Each one of those address ranges should have its own vlan and then be trunked down to your 3Coms and broken out down there to their specific vlans. You can break out the phone network by creating the layer 2 vlan and then creating the layer 3 SVI for the routing end of it, and then trunk down to the 3Coms. I think you are on the right track, but man, that current setup they have is bad, one big broadcast domain...
 
Thanks Vipergg,

That is another thing I was thinking is that each 3com needed its own uplink to the 4500.

I guess I don't really know how to get started on this thing as far as the concepts of the layer 2 VLAN and Layer 3 SVI.

I believe I am almost there as far as the understanding.

The layer 2 VLAN is separating the traffic and increasing the number of broadcast domains (a good thing) and the Layer 3 is routing the traffic between each subnet.

If I am going to set up the phone traffic as I said to trunk from the 3coms, I will need to tag the voice traffic is that right?
 
It is really not hard. Just think of a layer 2 vlan as a broadcast domain that is "not" routed, and that is where the layer 3 SVI (interface vlan XX) comes into play; this is where your IP address for routing that particular broadcast domain comes into play. When you create the layer 3 SVI it is directly associated with the layer 2 vlan that was defined. To create a layer 2 vlan on a 4500 from the command line:

conf t
vlan XX, enter
(if you want to name the vlan just type name, then enter whatever you want to name it)

type end

For the layer 3 SVI:
conf t, enter
interface vlan XX (where XX matches the layer 2 vlan number), enter
You then add your address to this interface and this will be your default gateway for that subnet for all clients, just like you currently have for vlan 1.

As far as your question about tagging, any vlan that is allowed across that trunk (only allow what is actually needed) will be tagged with a vlan identifier before being sent over the trunk, and then it is stripped at the far end when it comes off that trunk. It is really just for keeping track of what data belongs on what vlan across a trunk; this includes if you are trunking down to a phone.
 
Thanks man, I appreciate your knowledgeable posts.

What about the management VLANs? I keep seeing that it is best to make the management VLAN a different one.

Why is that?

Also, what they have here is a collapsed core right?

With the switch doing both layer2 and 3 functions.

Is this the best way to go in this situation?

You said there need to be more VLANs configured to segment the subnets rather than the secondary addresses.
 
Well, the main reason to have a separate vlan is that if you are having a problem with a certain vlan it may allow you to still get at the switch to take a look around. It is a Cisco best practice to do this, though a lot of people do just make the switch another client off an existing subnet. I would make a separate vlan, and if you just have a few switches use VLSM so you don't waste a whole class C address range.
 
Thanks,

One last question on the VLANs

With the current config the way it is:

VLAN1 = users

VLAN2 = PIX

If I were to create a VLAN3 for the phone system and had to trunk it from the distribution switches, since it would be trunked with the VLAN1, wouldn't I have to TAG the VLAN3?

I believe the default VLAN1 is not tagged because it is the native VLAN.

Can you give me your input on this?

Thanks

 
That is correct, vlan 1 is not tagged because it is the native vlan, though you can make the native vlan anything you want as long as it matches on both ends. All vlans will be tagged going across the trunk except native vlan packets. You keep asking about tagging; there is nothing you have to do once the trunk is set up, all but the native will be tagged. If the setup is different on the 3Coms I really can't help you there, have never had to deal with 3Com. You will have to use dot1q encapsulation for the trunk and maybe force the trunk on; negotiation of the trunk won't work like it would between 2 Cisco devices. For more info on a lot of features on the 4500 go to
 
Thanks for all of the help.

The questions about the tagging come from a situation I was involved in before, where there was Voice set up in a similar way.

There were no layer 3 capable switches just HP managed switches and a Cisco router.

The Cisco was set up with subinterfaces and the dot1Q encapsulation on the Ethernet as shown:

interface FastEthernet0/0
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.1
description Local-Lan
encapsulation dot1Q 1 native
ip address 10.11.4.8 255.255.0.0
ip ospf priority 0
no snmp trap link-status
!
interface FastEthernet0/0.2
description VOIP
encapsulation dot1Q 11
ip address 172.16.11.1 255.255.255.0
ip ospf priority 0
no snmp trap link-status

The HP switches were set up with VLANs labeled the same as the subinterfaces, with the trunk port having VLAN1 "untagged" and VLAN11 "tagged".

All other ports were in VLAN1 "untagged" in the HP.

This is where I got that from, I am just trying to cover all the bases because I have never worked with a 4500 series switch.
 
Can you describe your telephone setup? i.e. are you using a full IP telephony solution (IP Phones, Call Manager etc) or a VoIP solution (H323/SIP with PABX etc)?
 
No, on the phone system.

I have not seen anything about how they have their phone system set up yet.

I will start there Monday, they are the ones that mentioned to me that the phone system was not VLANed from the rest of the traffic.

They have RIP running on the switches and are distributing that route table to the Router that connects them to their other sites, which is an MPLS cloud running OSPF.

I probably will have a much clearer picture of what needs to be done Monday.

I am also thinking that some of the secondary networks are not even being used any more.
 
It seems the more questions I get answered, the more questions I have and I don't know where to learn it from.

The books never seem to have these types of questions answered. If anyone has a minute maybe they could point me to some answers.

For example:

1. What is the technical explanation why there needs to be a VLAN to isolate the broadcast domain?
Why doesn't the secondary interface do it?
If the users are on different subnets, they still need the router to route the packets, the router does it because it is a directly connected interface, is this correct?

2. As I showed in my previous situation, the router's ethernet interface had subinterfaces on it, splitting the interface logically.
Is it better to create a logical interface (SVI) for the VLAN?
I think I used the subinterface because there was only one ethernet port on the router, and in the case of the switch, I have as many potential interfaces as there are available switch ports, correct?

I have so many more questions and I'm not sure how to ask; I don't want to bombard you guys with questions like this.

Are these questions, beginner questions?
 
The reason to have separate broadcast domains is that the first thing a switch does if it doesn't have a listing in its mac-address table is flood the entire vlan using an arp, and if you have multiple subnets on secondaries the traffic can be substantial. So if you break it up at the router or L3 switch, all broadcasts stop at the layer 3 interface, so everyone does not see all the broadcasts and arps like you will see if everyone is on the same vlan 1 on your switches. The ethernet subinterface is basically the same as a layer 3 SVI in a layer 3 switch. The subinterfaces are trunked down to your switches just as they would be on a layer 3 switch, so technically they are doing the same function. Best practice would dictate that all your secondaries get their own separate layer 3 SVI and trunk down to the switches, which breaks out the broadcast domains... That being said, you would have to configure the switches below so that the users vlan corresponds to the layer 3 SVI interface. My guess is that they just didn't want to go to all the work of breaking these out, so they took the easy way out and just put everyone into vlan 1 and used secondaries...
 
I just found:

Secondary interfaces on Cisco devices put two or more subnets in the same broadcast domain; this is called "multinetting".

Subinterfaces will isolate the broadcast domains as does a VLAN.

But here is another question,

Some of the ports are assigned specifically to be members of VLAN2 in the config, but the uplink port for the distribution switches is showing no association to any VLAN.

Are all of the ports not assigned, members of the VLAN1 (default VLAN)?

In this part of the config:
 
That is correct, if you don't change anything by default everything is in vlan 1. You can verify this by doing a "show interface status". I thought vlan 2 was a connection to the pix firewall ???
 
You are correct about that, VLAN2 is the uplink from the PIX

Ok Vipergg, you have been a great help on this.

If I want to use a single trunk port from the 3Com (non-Cisco) to the Cisco, I am thinking I will have to do the same dot1Q tagging to accomplish it.

Would I do the same thing on the 4500, which is to create a subinterface on the layer 3 SVI and dot1Q tagging?

Otherwise, I am going to have to use at least two trunk ports.

Is this correct?
 
No, on the 4500 you would make your layer 3 SVIs, then all you need is a trunk port going down to your 3Coms. On the 4500 you just designate which vlans you want allowed across the port; by default it will allow everything across unless you manually prune it off. When you create the trunk link all but the native will be tagged on the Cisco side; can't help you on the 3Com side, you may have to manually tell which vlans you want tagged on the 3Com side. As an example:


4500#
conf t
vlan 2
state active (layer 2 activation)
vlan 3
state active



interface vlan 2
ip address 192.168.1.254 255.255.255.0

interface vlan 3
ip address 192.168.2.254 255.255.255.0

<Trunk config> note native vlan usually must match on both sides of the link though I don't know about the 3coms.

interface g1/1
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
switchport nonegotiate
switchport mode trunk
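A way to check a running config for the patterns discussed in this thread (the secondaries on Vlan1 from the first post, the ports left in VLAN 1, and the trunk settings above: allowed-VLAN list, native VLAN and DTP negotiation), as an added Python example that is not from the thread or any poster. The sample config is constructed from the one posted above, and the issue codes are names chosen here:

```python
# Audit a Cisco IOS config for the flat-VLAN patterns raised in this thread (added
# example, not code from the thread). Issue codes per interface: multinetting (SVI
# with secondary addresses), default-vlan1 (switchport left in VLAN 1), dtp-negotiation
# ('dynamic' mode), no-allowed-list (trunk carries every VLAN), native-vlan1.
def parse_interfaces(config):
    # Return {interface name: [lowercased config lines]} from running-config text.
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:  # IOS block separator ends the interface
            current = None
        elif current is not None:
            interfaces[current].append(line.lower())
    return interfaces

def audit(config):
    # Return a list of (interface, issue code) tuples for the config text.
    findings = []
    for name, lines in parse_interfaces(config).items():
        if any(l.startswith("ip address") and l.endswith(" secondary") for l in lines):
            findings.append((name, "multinetting"))
        if name.lower().startswith("vlan"):
            continue  # remaining checks apply to switchports only
        if any(l.startswith("switchport mode dynamic") for l in lines):
            findings.append((name, "dtp-negotiation"))
        if "switchport mode trunk" in lines:
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "no-allowed-list"))
            native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")]
            if (native or ["1"])[0] == "1":  # IOS default native VLAN is 1
                findings.append((name, "native-vlan1"))
        elif not any(l.startswith("switchport access vlan") for l in lines):
            findings.append((name, "default-vlan1"))
    return findings

# Constructed sample, trimmed from the config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
!
interface GigabitEthernet2/47
 switchport access vlan 2
 switchport mode dynamic desirable
!
interface GigabitEthernet1/1
 switchport trunk allowed vlan 1,2,3
 switchport mode trunk
!
interface Vlan1
 ip address 10.10.151.230 255.255.255.0 secondary
 ip address 10.10.150.230 255.255.255.0
"""
```

Run `audit(SAMPLE_CONFIG)` against your own `show running-config` output to get the list of ports and SVIs to revisit before trunking down to the 3Coms.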
 
I am thinking the 3COM, like the HP will trunk the VLANS, but it will have to be defined on the Cisco switch so the tags match on both ends.

Is there any way to define additional Tags on the same port as you did the native?:

switchport trunk native vlan 1
 
You are already doing that with the "switchport trunk allowed vlan 1,2,3" statement. This is telling the trunk that those vlans are allowed across the trunk and the data will be tagged as it enters the switch trunk port. You will just have to make sure that you have an equivalent on the 3Com side. They may have more info on the 3Com site if you aren't sure how to set up a trunk on that side.
 
Suppose I have 10 different switches and there is no organization to who is connected to the switches and I need several VLANS.

We have established that I need to uplink all of the 3Coms separately to the 4500 via gigabit ports.

Since each distribution 3Com could potentially have the several VLANs needing access, would it be considered acceptable practice to create trunks on each uplink port and configure it to trunk all the VLANs on each uplink?

 