January 4th, 2017 02:00

Hi daniel 

1. Number of devices

2x Switches Dell N8132F
3x Switches HP 1920
10x 3com switch 2226 

2. Number of buildings or locations

I need vlans to segment my networks and focus on the processes. 

3. Do you need different security zones (i.e. business and guest network access)

I currently have 3 firewalls in the network for this, in different networks. We would like to change the cabling process in the switches and focus everything on a single structure. Currently: 192.168.2.0/24, 192.168.10.0/24, 192.168.5.0/24.

4. Why you think you need vlans?


But these networks are segmented in a way that we do not like much. At the moment there was a need to further segment those networks and include devices from those networks outside my main network, which is 192.168.2.0/24, so we need to start the desktops from other networks. We decided to start this VLAN process, but to improve our security we verified that it will be necessary to create administrative and service VLANs. I will describe what we have in mind for the VLANs:

Vlan 200 - IT - int 200.0.0.254 ip helper 10.0.0.10 
Vlan 300 - Wifi-Guest 110.0.0.0.254 ip helper 10.0.0.10
Vlan 400 - Comunnity 130.0.0.254 ip helper 10.0.0.10
vlan 500 - A020 - 140.0.0.254 ip helper 10.0.0.10
vlan 600 - A021 - 150.0.0.254 ip helper 10.0.0.10
vlan 700 - A022 - 160.0.0.254 ip helper 10.0.0.10
Vlan 800 - A023 - 170.0.0.254 ip helper 10.0.0.10 
vlan 900 - A024 - 180.0.0.254 ip helper 10.0.0.10
vlan 1000 - A025 - 10.0.0.254 ip helper 10.0.0.10
Vlan 1100 - A30 - 210.0.0.254 ip helper 10.0.0.10 

The IP rules are merely illustrative. We have in mind that two of these VLANs will be guest only, e.g. 500 and 600 will be for guest access etc. for events and access to wifi, without any communication with the others, only internet routing. 700: no need for communication with the others, since we will only have internet routing in it. The rest of the VLANs need to interact with all VLANs, e.g. a desktop in vlan 400 on IP 130.0.0.20 receives its IP from the DHCP server that is on 10.0.0.10 and will have to print on a printer that is in vlan 1000, and the gateway for internet is in vlan 110 at IP 210.0.0.1.

The initial idea is to pass all VLANs across all switches, because the same switch will have ports in several VLANs. Logically, if it is viable, this could help me. I believe that I am very lost in this project.


If needed, I can put the running-config of the ports and the VLAN configuration here to make it easier, because I believe that the process on the L3 switch is one step away from finishing, but on L2 I do not understand how I would do it.

January 4th, 2017 11:00


Hello my friend daniel, thanks. Sunset solved half of my problems, believing that an interface of L3 is set to the end of the process.

All of the uplink ports on my layer 3 switch are already properly configured:

Port: Te1/0/3
VLAN Membership Mode: Trunk Mode
Access Mode VLAN: 1 (default)
General Mode PVID: 1000
General Mode Ingress Filtering: Enabled
General Mode Acceptable Frame Type: Admit All
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 200,300,400,500,600,700,800,900,1000
Trunking Mode Native VLAN: 1000
Trunking Mode Native VLAN Tagging: Disabled
Trunking Mode VLANs Enabled: 200-1000
Private VLAN Host Association: none
Private VLAN Mapping:
Private VLAN Operational Bindings:
Default Priority: 0
Protected: Disabled

All uplink interfaces from the layer 3 switch to layer 2 have the configuration above.

On the layer 2 switch I configured, as described, trunk mode on the uplink ports, with traffic tagged for the VLANs that pass to it.

I configured the client ports as untagged and it still did not work, with the traffic of the main VLAN prevailing, so I decided to change the PVID to that of the VLAN I wanted, and then I started to have the VLAN communication that I requested.

But I started to think here, and I would like to understand how this VLAN that is configured on the port as untagged and with the PVID changed would communicate between two VLANs, e.g. if my servers are in vlan 200 and the client port VLAN is 900.


I would like to know how you could get the two to communicate to continue the process.
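
An added example, not part of the original posts: a small Python check that parses the Te1/0/3 output quoted above and compares the trunk against the VLAN plan from the first post. The function names, the `PLAN` set and the three checks (untagged native VLAN that carries hosts, allowed VLANs outside the plan, planned VLANs missing from the trunk) are assumptions chosen for illustration, not output of any Dell tool.

```python
import re

# Abridged copy of the Te1/0/3 output posted above (only the fields the checks use).
SAMPLE = """\
Port: Te1/0/3
VLAN Membership Mode: Trunk Mode
Access Mode VLAN: 1 (default)
General Mode PVID: 1000
General Mode Forbidden VLANs: 200,300,400,500,600,700,800,900,1000
Trunking Mode Native VLAN: 1000
Trunking Mode Native VLAN Tagging: Disabled
Trunking Mode VLANs Enabled: 200-1000
"""
# VLAN IDs from the plan in the first post: 200, 300, ..., 1100.
PLAN = set(range(200, 1101, 100))

def parse_switchport(text):
    """Turn 'Key: value' lines into a dict; empty values become ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def expand_vlans(spec):
    """Expand '200-1000' or '200,300' style lists into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunk(fields, plan):
    """Return findings for a trunk port; plan = VLAN IDs that carry hosts."""
    findings = []
    if "Trunk" not in fields.get("VLAN Membership Mode", ""):
        return findings
    native = int(fields["Trunking Mode Native VLAN"])
    allowed = expand_vlans(fields["Trunking Mode VLANs Enabled"])
    untagged = fields.get("Trunking Mode Native VLAN Tagging") == "Disabled"
    if untagged and native in plan:
        findings.append(f"native VLAN {native} is untagged and carries hosts")
    if allowed - plan:
        findings.append(f"{len(allowed - plan)} allowed VLANs are not in the plan")
    if plan - allowed:
        findings.append(f"planned VLANs not allowed on trunk: {sorted(plan - allowed)}")
    return findings
```

Calling `audit_trunk(parse_switchport(SAMPLE), PLAN)` returns one finding per check for this port.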
