
Cisco VLANing question

child of wonder

Diamond Member
We're setting up a DR site at a remote location and the equipment is being put on a separate subnet -- 192.168.10.0/24.

At that remote location, the Cisco 2960G in our DR rack is connected to the main switch, also a 2960G, for this location on port 20. That switch's port 24 is then connected up to the router for this location, a 3845.

What we're wanting to do is create a VLAN so traffic from our DR rack can only get to the router. To do so, we'll need to give port 24 on this location's switch access to two VLANs: VLAN 1 and VLAN 2.

Is it as simple as adding "switchport access vlan 1" then "switchport mode access vlan 2" for port 24? Will this cause the network to go down for any period of time?

If that works, then we're looking to create a BGP route on the router so all our other routers can see 192.168.10.0/24.

Thanks for helping!
 
The network will go down because it will reassign the DHCP unless you are removing that and going static. No matter what, if you are switching over to a VLAN, you will go down. Honestly, I would just set up the network on a couple of computers off the network and configure it, make sure it works, then put it mainstream. Depending on the clientele will depend on how pissed they get....
 
Originally posted by: Jeff7181
Why not just put port 20 and 24 on the same vlan and all the other ports on a different vlan?

Port 24 goes to the router. If I put it on a different VLAN than the rest of the ports, no one in the building could get to the router.
 
Originally posted by: child of wonder
Originally posted by: Jeff7181
Why not just put port 20 and 24 on the same vlan and all the other ports on a different vlan?

Port 24 goes to the router. If I put it on a different VLAN than the rest of the ports, no one in the building could get to the router.

I believe configuring port 24 as a trunk port would fix that, no? Sounds like what you want is basically a "router on a stick."
 
Originally posted by: Tbirdkid
The network will go down because it will reassign the DHCP unless you are removing that and going static. No matter what, if you are switching over to a VLAN, you will go down. Honestly, I would just set up the network on a couple of computers off the network and configure it, make sure it works, then put it mainstream. Depending on the clientele will depend on how pissed they get....

Yeah, the network can't go down until after 9pm.
 
If you only have 2960s, then your routing would have to be performed by the 3845. Like Jeff said, use a router on a stick with access lists to filter VLAN traffic. The switches will go down as you're creating the trunk, and hopefully everything will come back up if you did it right. I always use some type of out-of-band management for these types of changes...
 
We might just install a WIC in the router and take the easy route. That way the DR subnet has its own link to the router and we don't need to fiddle with VLANs or trunking at all.
 
Originally posted by: child of wonder
We might just install a WIC in the router and take the easy route. That way the DR subnet has its own link to the router and we don't need to fiddle with VLANs or trunking at all.

You'll need another switch then too if you're not going to set up VLANs, right? That could get costly...
 
Originally posted by: Jeff7181
Originally posted by: child of wonder
We might just install a WIC in the router and take the easy route. That way the DR subnet has its own link to the router and we don't need to fiddle with VLANs or trunking at all.

You'll need another switch then too if you're not going to set up VLANs, right? That could get costly...

Couldn't we simply give the new router FE interface an IP and this would be the DGW for the DR subnet? Then we could forgo VLANs entirely?
 
Originally posted by: child of wonder
Originally posted by: Jeff7181
Originally posted by: child of wonder
We might just install a WIC in the router and take the easy route. That way the DR subnet has its own link to the router and we don't need to fiddle with VLANs or trunking at all.

You'll need another switch then too if you're not going to set up VLANs, right? That could get costly...

Couldn't we simply give the new router FE interface an IP and this would be the DGW for the DR subnet? Then we could forgo VLANs entirely?

You're not really segmenting the network then. Isn't that the reason for doing this in the first place, you want your DR traffic isolated from all other internal traffic?
 
Originally posted by: Jeff7181
Originally posted by: child of wonder
Originally posted by: Jeff7181
Originally posted by: child of wonder
We might just install a WIC in the router and take the easy route. That way the DR subnet has its own link to the router and we don't need to fiddle with VLANs or trunking at all.

You'll need another switch then too if you're not going to set up VLANs, right? That could get costly...

Couldn't we simply give the new router FE interface an IP and this would be the DGW for the DR subnet? Then we could forgo VLANs entirely?

You're not really segmenting the network then. Isn't that the reason for doing this in the first place, you want your DR traffic isolated from all other internal traffic?

Not necessarily. However that would be my first choice.

In fact, why not this:

1. Run port 24 from the DR rack to port 20 on the DR site's main switch.
2. Run port 19 on the DR site's main switch to the new WIC port on the DR site's router.
3. VLAN ports 19 and 20 together on the DR site's main switch.
4. Give new router interface 192.168.10.1 so it can be the DGW for the DR rack.
5. Advertise route on BGP.
6. ...
7. Profit.
 
Originally posted by: Jeff7181
Originally posted by: child of wonder
Originally posted by: Jeff7181
Originally posted by: child of wonder
We might just install a WIC in the router and take the easy route. That way the DR subnet has its own link to the router and we don't need to fiddle with VLANs or trunking at all.

You'll need another switch then too if you're not going to set up VLANs, right? That could get costly...

Couldn't we simply give the new router FE interface an IP and this would be the DGW for the DR subnet? Then we could forgo VLANs entirely?

You're not really segmenting the network then. Isn't that the reason for doing this in the first place, you want your DR traffic isolated from all other internal traffic?

I think he feels that trunking and router on a stick is more complex/trouble than he wants to do. I think the router on a stick solution is the cheaper solution if you don't already have the extra FE port. He just needs to implement ACLs if he needs to keep DR traffic and the remote site's traffic separated if he chooses to use an FE port on the router, which he would still need to do if he did router on a stick.
 
Originally posted by: child of wonder
Originally posted by: Jeff7181
Originally posted by: child of wonder
Originally posted by: Jeff7181
Originally posted by: child of wonder
We might just install a WIC in the router and take the easy route. That way the DR subnet has its own link to the router and we don't need to fiddle with VLANs or trunking at all.

You'll need another switch then too if you're not going to set up VLANs, right? That could get costly...

Couldn't we simply give the new router FE interface an IP and this would be the DGW for the DR subnet? Then we could forgo VLANs entirely?

You're not really segmenting the network then. Isn't that the reason for doing this in the first place, you want your DR traffic isolated from all other internal traffic?

Not necessarily. However that would be my first choice.

In fact, why not this:

1. Run port 24 from the DR rack to port 20 on the DR site's main switch.
2. Run port 19 on the DR site's main switch to the new WIC port on the DR site's router.
3. VLAN ports 19 and 20 together on the DR site's main switch.
4. Give new router interface 192.168.10.1 so it can be the DGW for the DR rack.
5. Advertise route on BGP.
6. ...
7. Profit.

If you're adding a WIC to the router, why run the DR switch to the main switch? I think it just introduces too many extra potential problems than it's worth. I would run the DR switch straight to the router if you're adding an extra port for it. Let the router do the filtering, without the need for vlans at that point.
 
Meh... that should work. Would also prevent the entire site from sharing the bandwidth of the trunk port.

Still, it sounds like a pretty messy and unnecessarily costly solution to me. /shrug
 
This is all sounding MUCH more complicated than it needs to be. OP - what exactly are you trying to accomplish?

Also if you want traffic isolation you could look at private VLANs - that's what immediately came to mind when you said you only want the DR switch ports to talk to the router and no other hosts... that screams private VLAN.
 
Originally posted by: spidey07
This is all sounding MUCH more complicated than it needs to be. OP - what exactly are you trying to accomplish?

Also if you want traffic isolation you could look at private VLANs - that's what immediately came to mind when you said you only want the DR switch ports to talk to the router and no other hosts... that screams private VLAN.

Since our DR rack consists of a blade enclosure, EVA, VirtualCenter server, etc., and the fact that the rack is going to move to a more permanent physical location in about 6 months, we gave the DR rack a subnet that is totally new and unused by anything else in the company. That way when we move the DR rack down the road it's a simple matter of changing the route to the new router at the new location.

We simply need the DR rack's subnet to be able to talk to our other subnets so our EVAs can begin syncing up.

It sounds like plugging the DR switch directly into the new WIC on the router is the best solution. No VLANs needed then and the traffic will be segregated.
 
That definitely sounds like the way to go then. New WIC and plug the DR switch into it... much easier to move it later on.

Out of curiosity... what's the difference between a VLAN and a private VLAN, spidey? I looked it up and it sounds like they accomplish the exact same thing, what am I missing?
 
Private VLANs provide the same layer 3 addressing and mapping to layer 2. So private VLANs are the same subnet. But they are not layer 2 adjacent, meaning they are different layer 2 and broadcast domains depending on how you set them up. There are different kinds of private VLANs depending on what you want them to do. They're mainly used for security purposes, i.e. host 10.1.1.200 can't communicate with host 10.1.1.230, but BOTH hosts can talk to a router or firewall on that subnet. Or another example: ALL hosts on the 10.1.1.0/24 subnet cannot talk to each other, but they can talk through a firewall/router/load balancer, etc.
 
Originally posted by: Jeff7181
So... a private VLAN provides layer 2 isolation without configuring each port on its own VLAN?

Private VLANs serve 2 purposes: security and address conservation. Let's say you provide hosting for websites. You have 6 bits for IP addresses (/26, which allows 62 hosts). Now you could subnet to provide each client with IP addresses as needed, and you could use ACLs to prevent clients from bothering other clients. This is where private VLANs shine really well. The security comes from the fact that no private VLAN can talk to another private VLAN without going through a router, just like in a regular VLAN. The difference is that each private VLAN can go through promiscuous ports. You just plug the default gateway and other servers into promiscuous ports. That only allows them to go one way in and out, and that's through the default gateway or to servers you provide. To maximize the IP address space, you just pretend they're all still on the same subnet. You don't have to waste addresses for subnets because they can only go to the same default gateway. It's mostly used by service providers for these very reasons.
 
Correct.

You could assign all 24 ports to VLAN 2, and they can't talk to each other, unless you assign them to the same community.
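For the private VLAN discussion above (spidey07's suggestion, the two explanations of isolated hosts sharing one subnet, and the last reply's point that hosts in the same VLAN only reach each other if they are in the same community), here is what that looks like in IOS. This is an added example, not configuration posted by anyone in the thread. One caveat a practitioner would want first: full private VLANs (primary/isolated/community secondaries and promiscuous ports) are not a Catalyst 2960 feature; the 2960 only offers protected ports ("private VLAN edge"), shown at the end. VLAN numbers 100-102 and the port ranges are assumptions for the example.

```cisco
! Added example (not from the thread). Full private VLANs on a switch that
! supports them (e.g. Catalyst 3560/3750). VLAN numbers and ports are assumed.
! Private VLANs require VTP transparent mode (VTP v1/v2).
vtp mode transparent
!
vlan 100
 name DR-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name DR-ISOLATED
 private-vlan isolated
!
vlan 102
 name DR-COMMUNITY
 private-vlan community
!
! Isolated host ports: each can reach only the promiscuous port (the router),
! never another host, even though all of them share 192.168.10.0/24.
interface range GigabitEthernet0/1 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: members talk to each other and to the promiscuous
! port, but not to the isolated ports above (the "same community" point).
interface range GigabitEthernet0/11 - 19
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port: the default gateway (the 3845 at 192.168.10.1).
! Every secondary VLAN is mapped here so all hosts can reach the router.
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! ---------------------------------------------------------------------
! Catalyst 2960 equivalent: protected ports ("private VLAN edge").
! Protected ports never forward to each other; anything between them has
! to go through an unprotected port, here the router on port 24. This
! isolation is local to this one switch only.
interface range GigabitEthernet0/1 - 19
 switchport mode access
 switchport access vlan 2
 switchport protected
!
interface GigabitEthernet0/24
 description Router / default gateway
 switchport mode access
 switchport access vlan 2
```

Verify with `show vlan private-vlan` and `show interfaces GigabitEthernet0/24 switchport`. Two limits worth knowing: the isolation is layer 2 only, so leave `ip local-proxy-arp` off on the router's interface (it is off by default), otherwise the router answers ARP on behalf of isolated hosts and simply routes between them; and protected ports on a 2960 do not isolate hosts sitting behind another switch on the same port, such as everything in the DR rack's own 2960G behind port 20, so for that layout an access list on the router is still what keeps the DR subnet away from the local LAN.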
 
Well, this is adorable. Tried installing a WIC in the router tonight (4ESWs) and it won't be recognized by the 3845 after a reboot. The IOS should be up to speed (12.4(3i)), so I'm confused why they're not recognized. I've tried two different WICs and tried each in multiple slots, but no go.

Here's a show diag:

WIC Slot 2:
Unknown WAN daughter card
WIC module not supported/disabled in this slot
Hardware Revision : 1.0
Part Number : 73-8958-01
Board Revision : D0
Deviation Number : 0-0
Fab Version : 01
PCB Serial Number : FOC09320Y4L
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Top Assy. Part Number : 800-24120-01
Connector Type : 01
Base MAC Address : 0014.a9f6.f26c
MAC Address block size : 4
Product (FRU) Number : NM-1V=
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 00 64 41 01 00 82 49 22 FE 01 42 44 30 ....

I know I can only have one 4 port card installed in the router so I'm wondering if this is preventing it from being shown:

Slot 0:
C3845 Mother board 1GE(TX,SFP),1GE(TX), integrated VPN and 4W Port adapter, 6 ports

*shrug*
 
Did you get the WIC to work? Might be worth calling Cisco... even just their sales department. "If I had this router would this WIC work in it?"
 
We've decided just to do the VLAN on the site's main switch, then trunk the router's port into two subinterfaces. That will work.

Thanks for the input, guys.
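The design the thread settles on in the last post (a second VLAN on the site's main switch, port 24 trunked to the router, two subinterfaces on the 3845) is the router on a stick Jeff7181 and spidey07 suggested earlier, with the access lists spidey07 mentioned so the DR rack can reach the router and the remote subnets but not the local LAN, and the BGP advertisement the first post asked about. The following IOS configuration is an added example, not config posted by anyone in the thread. Assumptions not in the thread: the router's LAN port is GigabitEthernet0/0, the existing site LAN is 192.168.1.0/24 with the 3845 as .1, the switch ports are GigabitEthernet0/20 and 0/24 on the 2960G, and the router already runs BGP in AS 65000 with its neighbor statements in place (omitted here).

```cisco
! Added example, not anyone's configuration from the thread. Assumed: router
! LAN port Gi0/0, existing site LAN 192.168.1.0/24 with the 3845 as .1, switch
! ports Gi0/20 (DR rack uplink) and Gi0/24 (router uplink), BGP AS 65000 with
! the neighbor statements already present and omitted here.
!
! ===== Site main Catalyst 2960G =====
vlan 2
 name DR-RACK
!
! Port 20: the DR rack's own 2960G hangs off here. A plain access port in
! VLAN 2; an access port will not negotiate itself into a trunk.
interface GigabitEthernet0/20
 description DR rack 2960G
 switchport mode access
 switchport access vlan 2
!
! Port 24: 802.1Q trunk to the 3845. VLAN 1 stays the untagged native VLAN,
! so the existing site LAN keeps working unchanged on the trunk. The 2960
! only speaks 802.1Q, so there is no "switchport trunk encapsulation" line.
interface GigabitEthernet0/24
 description Trunk to 3845
 switchport mode trunk
 switchport trunk allowed vlan 1,2
 switchport nonegotiate
!
! ===== Cisco 3845 (router on a stick) =====
interface GigabitEthernet0/0
 description Trunk to site main 2960G
 no ip address
!
interface GigabitEthernet0/0.1
 description Site LAN, VLAN 1 (untagged on the trunk)
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-NOT-TO-DR in
!
interface GigabitEthernet0/0.2
 description DR rack, VLAN 2, default gateway 192.168.10.1
 encapsulation dot1Q 2
 ip address 192.168.10.1 255.255.255.0
 ip access-group DR-TO-ROUTER-ONLY in
!
! IOS ACLs are stateless, so filter both directions. DR hosts may reach the
! router itself and anything that is not the local site LAN (i.e. the remote
! subnets learned over BGP); only 192.168.10.0/24 sources are accepted on the
! DR subinterface, which also drops spoofed addresses. The local LAN may not
! open sessions toward the DR subnet either.
ip access-list extended DR-TO-ROUTER-ONLY
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended LAN-NOT-TO-DR
 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip any any
!
! Advertise the DR subnet so the other routers learn it. The network
! statement only takes effect once a matching route, here the connected
! Gi0/0.2, is in the routing table.
router bgp 65000
 network 192.168.10.0 mask 255.255.255.0
```

The outage window is the moment the router's address moves from the physical Gi0/0 to the Gi0/0.1 subinterface and port 24 is flipped to trunk, so make that change from the console or an out-of-band path rather than over the LAN. Check the result with `show interfaces trunk` on the 2960, `show vlans` on the router (it lists the dot1Q subinterfaces and their VLAN IDs), `show ip bgp 192.168.10.0` and `show access-lists` to see the deny counters move when a DR host tries the local LAN. The WIC alternative discussed earlier is the same thing minus the trunk: 192.168.10.1 and the DR-TO-ROUTER-ONLY list go on the new router port, and VLAN 2 and the subinterfaces are not needed.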
 