Cisco VLAN problems ... HELP!!!!!!!! 1

[networkgod99]

I am having trouble figuring out the following. Where I work, they want to create a multi Vlan environment to seperate users/printers, open servers, secure servers, administrators. The environment is 4506 core, with 2924xl edge switches - some have fibre GBIC connection, some are copper port to port ... the problem is applying multiple vlans to each port in the setup and where to start!!!!!

CCIE, MCSE, CISSP, M.O.U.S.E

 

[networkgod99]

and an FYI - This is my bosses account ... he is in Santa Clara and has left me with this project .... so PLEASE help if you can

 

[Antelope]

Is your software SMI or EMI in your 2924xl's or can you do L3 switching with the sup engine you have at your core?

 

[networkgod99]

Antelope ... this is the software in the edges
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE IN
TERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 17-Jul-00 17:35 by ayounes
Image text-base: 0x00003000, data-base: 0x00301F3C

and in the core

Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I9K91S-M), Version 12.2(20)EWA, RELEASE SOFTWARE (fc1)
Technical Support:

http://www.cisco.com/techsupport

Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 08-Sep-04 18:33 by kellythw
Image text-base: 0x00000000, data-base: 0x012D5740


Thanks a bunch for any info

 

[ADB100]

The 2900XL's only support layer-2 forwarding so you will have to route between VLAN's via the Core. You will need to define all your VLAN's, trunk these down to the 2900XL's and then setup whatever ACL's are needed on the 4000 SVI interfaces.

You could use VTP to propogate your VLAN database to all your switches or just use VTP transparent mode (my preference) and configure the VLAN's statically on each switch.

You will have to use 802.1q trunking as the 4000 only supports this, whereas the 2900XL supports both ISL and 802.1q - default is ISL.

Andy

 

[networkgod99]

AAwesome ....thank you ..... now .... how do I do that? I mean trunking from just the core to the switches is no biggie .. but defining the Vlans in the core ... how does that help seperate regular users from secure users and open servers from secure servers etc.?

 

[ADB100]

Defining VLAN's and putting ports in particular VLAN's will physically break the network up allow only ports within the same VLAN communicate. To route between the VLAN's you will need to define SVI interfaces on the 4000, by default then as long as your workstations have a default-gateway defined (the SVI interface IP address) they can then access all other devices. This is where you would need to define ACL's (Access Control Lists) that permit or deny certain traffic and apply them to the SVI interfaces. i.e.

ip access-list extended Allow-Telnet
permit ip any gt 1024 any eq telnet
!
interface vlan 10
ip address 10.1.1.254 255.255.255.0
!
interface vlan 20
ip address 10.2.2.254 255.255.255.0
ip access-group Allow-Telnet out

This is just an example but would allow all IP traffic to enter the router on VLAN 10 but would only allow traffic to hosts on TCP Port 23 to leave the VLAN 20 interface.

Andy

 

[networkgod99]

Awesome ...... excellent information ... I feel like such a tool .. my boss is going to probably kill me if this isn't done when he gets back .. I just don't feel comfortable ... Like if someone who is on Native vlan 101 needs to access stuff on vlan 102 and 104 ..... I guess I just don't that part