4500 and VLANs 1

Status
Not open for further replies.

wilson2468

Technical User
Joined
Jun 2, 2006
Messages
84
Location
US
I will be starting a new job, the company has 2 4500 series routers with etherchannel links connecting the two switches.

There is one uplink from 10 3COM distribution switches to one of the 4500. There is also one port on the 4500 used for uplink to a PIX.

As it stands now, there is a phone system on one of the distribution switches that needs to be VLANed out of the regular traffic.

I am thinking I need to

1. Create the VLAN on the distribution switches and create a trunk port on the 3COM uplink to the 4500.

2. Create the VLAN on the Cisco 4500 and create a trunk port on it.

3. Tag the phone system ports on the trunk link.

I guess I need to know if my thinking is correct.
And really I am not sure how to go about doing all of this.

Any input would be appreciated.

A piece of the config is shown below:


!
interface GigabitEthernet1/1
 switchport mode access
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
 description uplink to distribution switches
 duplex full
!
interface GigabitEthernet2/2
!
interface GigabitEthernet2/3
!
interface GigabitEthernet2/45
!
interface GigabitEthernet2/46
 description PIX1
 switchport access vlan 2
 switchport mode access
 speed 100
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet2/47
 description etherchannel
 switchport access vlan 2
 switchport mode dynamic desirable
 speed 1000
 duplex full
 channel-group 1 mode desirable
!
interface GigabitEthernet2/48
 description etherchannel
 switchport access vlan 2
 switchport mode dynamic desirable
 speed 1000
 duplex full
 channel-group 1 mode desirable
!
interface Vlan1
 ip address 10.10.151.230 255.255.255.0 secondary
 ip address 10.10.152.230 255.255.255.0 secondary
 ip address 10.10.153.230 255.255.255.0 secondary
 ip address 198.104.204.230 255.255.255.0 secondary
 ip address 10.10.153.80 255.255.255.0 secondary
 ip address 10.10.150.232 255.255.255.0 secondary
 ip address 10.10.150.230 255.255.255.0
 no ip redirects
 no ip split-horizon
 standby ip 10.10.150.254
 standby ip 10.10.150.253 secondary
 standby ip 10.10.151.254 secondary
 standby ip 10.10.152.254 secondary
 standby ip 10.10.153.126 secondary
 standby ip 10.10.153.254 secondary
 standby ip 198.104.204.2 secondary
 standby timers msec 300 1
 standby priority 150
 standby preempt
!
interface Vlan2
 description PIX VLAN
 ip address 10.10.154.230 255.255.255.0
 no ip redirects
 no ip split-horizon
 standby ip 10.10.154.2
 standby timers msec 300 1
 standby priority 150
 standby preempt
!
router rip
 
Sue that's entirely possible and done all the time, it's actually what trunking is all about, enabling multiple vlans down one pipe. We didn't actually say you needed to have separate uplinks if you don't want all the work. All you would have to do is keep the current setup but make all your connecting links between your switches trunks allowing the vlans you need below. It is a much better practice to have separate uplinks but not necessary, though you have a single point for all routed traffic up thru the switches if everything is daisy chained below. You are aggregating all your routed traffic thru the one link from the top 3com to the 4500, so you can see where that could be a potential bottleneck in your current setup, which would be eliminated if you did have separate uplinks...
 
Also one other point you don't mention. You say you have 10 different switches; I am going by the assumption that they go to 10 different closets when I say run individual links. Obviously if you have multiple switches in the same closet you don't need to run separate links for those, just leave those daisy chained and run one link back to the 4500 instead of going to whatever 3com switch it is currently going to. It will be a bit of a project but if it gets done right the network will be in a lot better shape. If you have resources I would set this up in a lab so you know what commands are needed on each box, because you are dealing with 2 different makers of network gear and you aren't trying to figure it out on the fly on cutover weekend...
 
Vipergg,

Your help has been invaluable. Your input and expertise has been great. You don't know how much I appreciate all of your willingness to help.

This post could be a lesson on how to start learning to VPN in a real world scenario.

One last thing (maybe),

Can I create the layer 2 and 3 VLANs prior to linking any ports to them without any problems with the existing traffic?
 
Yes you can create them without affecting anything else, good luck...
 
Vipergg,

I have one more question:

Looking at the config, since the users are using the various secondary interfaces as their default gateway on the different networks (10.10.151.230, 10.10.152.230, etc...), if I remove the secondary addresses from VLAN1, create the new VLANs and give them the old secondary addresses (10.10.151.230, 10.10.152.230), as long as the uplinks are trunked, do I have to do any additional IP address configuration on the uplinked switches?

Or will the trunk links take care of everything?
 
No, there wouldn't be any extra addressing on the switches if you trunk down to the switches, but you will have to put all the users on the switches into the correct vlans down on the switches, which means you are going to have to know which default gateway each user is currently using so that you can assign them into the correct new vlan. Right now they are all in vlan 1 with secondaries, and that all changes if you are going to make separate SVIs and layer 2 vlans for each secondary address, a much better solution, but you have to do your homework to know where they are going. You will have to determine if you are going to keep the switches in their current vlan for management or give them their own vlan and default gateway. I'm not familiar with the 3coms; if they are layer 2 only, the only reason they would even have an address on them is so that you can manage them remotely.
 
Sorry Vipergg, but I am confused here,

One of the secondarys is 10.10.151.230,

I am going to remove that secondary and create a layer 2 and layer 3 vlan, give the vlan ip address of 10.10.151.230.

At this point, anyone that was using 10.10.151.230 as their default gateway is still using it. As long as the downstream switches are trunked to pass each vlan, everything should be ok, right?

When you say "do your homework to see where they are going", do you mean "they" the users or the switches?

And when you say "You will have to determine if you are going to keep the switches in their current vlan for management or give them their own vlan and default gateway. I'm not familiar with the 3coms; if they are layer 2 only, the only reason they would even have an address on them is so that you can manage them remotely."

I'm not sure what you mean; the 3COMs have IP addresses in one of the subnets in vlan1, unless you are talking about creating a different vlan and putting all of the switches in it for the management vlan as you mentioned before. They have routing capability, I believe. But it should be ok to leave the 3Coms with that IP address in vlan1, right?

If so, I am not sure what sort of impact it would have on the 4500 and what they are doing. They have RIP configured on them; it is being used to route packets.
 
You shouldn't have to change the addresses of the 3coms. As far as your other question, think of it like this when you implement this, if you do. You are creating a new layer 2/3 vlan, say vlan 5, with a 10.10.151.230 address. The information for this vlan is now riding vlan 5 across the trunk. When it hits the 3coms it has a vlan 5 tag on it, so the 3coms should stick it into vlan 5, so anyone who is using 10.10.151.230 as the default-gateway would have to have their access port put into vlan 5 also so that it gets up to the 4500 correctly. Currently it looks like everything is in vlan 1; that would have to change, you would have to put the users in the correct vlans down on the 3coms that correspond to the layer 2/3 setup on the 4500. As you see, whoever did this initially took the easy way out, basically left everything in vlan 1 and just added secondaries; while it will work, it is less than ideal... It gives me a little pause when you say the 3coms are running rip though, not knowing exactly how they set those up. I had been running this scenario on the assumption that the 3coms were basically a layer 2 setup. You would probably have to figure out if they are really running rip or if it is just a capability on the 3coms. Sorry I can't help you more with the 3coms, just never have been exposed to any of their equipment, strictly a cisco shop here. If you are unsure then you could just leave things as they are and just break out your phone vlan down the trunk, because it would be a lot of work if you decided to break out all the secondaries into their own vlans...
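The "homework" step described in the reply above, as an added example that is not part of the original thread: it groups the Vlan1 interface and HSRP addresses from the posted config by subnet, keeps the primary subnet in VLAN 1, and answers which new VLAN an access port belongs in for a given host or default-gateway address. The VLAN numbers (starting at 10) and the function names are assumptions for illustration.

```python
import ipaddress

# Vlan1 addressing copied from the config posted in the thread.
VLAN1 = """
ip address 10.10.151.230 255.255.255.0 secondary
ip address 10.10.152.230 255.255.255.0 secondary
ip address 10.10.153.230 255.255.255.0 secondary
ip address 198.104.204.230 255.255.255.0 secondary
ip address 10.10.153.80 255.255.255.0 secondary
ip address 10.10.150.232 255.255.255.0 secondary
ip address 10.10.150.230 255.255.255.0
standby ip 10.10.150.254
standby ip 10.10.150.253 secondary
standby ip 10.10.151.254 secondary
standby ip 10.10.152.254 secondary
standby ip 10.10.153.126 secondary
standby ip 10.10.153.254 secondary
standby ip 198.104.204.2 secondary
"""
FIRST_NEW_VLAN = 10  # assumption: placeholder numbering, not from the thread

def build_plan(stanza, first_id=FIRST_NEW_VLAN):
    """Return {vlan_id: (subnet, addresses, hsrp_vips)}; primary subnet stays in VLAN 1."""
    words = [l.lower().split() for l in stanza.splitlines() if l.strip()]
    nets, primary = {}, None
    for w in words:
        if w[:2] == ["ip", "address"]:
            iface = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            addrs, _ = nets.setdefault(iface.network, ([], []))
            if w[-1] == "secondary":
                addrs.append(str(iface.ip))
            else:  # the non-secondary address marks the subnet that stays on Vlan1
                addrs.insert(0, str(iface.ip))
                primary = iface.network
    for w in words:
        if w[:2] == ["standby", "ip"]:  # HSRP virtual address: file it under its subnet
            vip = ipaddress.ip_address(w[2])
            for net, (_, vips) in nets.items():
                if vip in net:
                    vips.append(str(vip))
    moved = sorted(n for n in nets if n != primary)
    ids = {primary: 1, **{n: first_id + i for i, n in enumerate(moved)}}
    return {ids[n]: (n, *nets[n]) for n in nets}

def vlan_for(plan, ip):
    """VLAN whose subnet holds this host or default-gateway address, else None."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, (net, *_) in plan.items() if addr in net), None)
```

The seven interface addresses collapse to five subnets, so four new VLANs are needed rather than one per secondary; 10.10.153.0/24 carries two interface addresses and two HSRP addresses that must move together.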
 
You are correct about the 3Coms, only layer 2, the 4500 are running RIP.

They have an MPLS cloud running OSPF and the 4500's are distributing their route table into a 2800 router connected to the MPLS cloud. I do not know why they chose to use RIP at the local site in the 4500's.

Unless there may be a little more control with RIP in the setup.

The way they have everything set up is not very good, I don't think. They have a manual failover situation with the remote sites, and have virtual tunnels in the 4500 switches "shut down" that go to a PIX out to the Internet. If the MPLS connection fails, they manually "shut down" the interface in the 2800 and "no shut" the tunnel to the Internet in the switch, that goes to a second router at the remote site.

Thanks for all of the help, if anyone has any better ideas for the failover situation, I have real big ears.
 