2 Intern

169 Posts

February 23rd, 2004 12:00

Since you would need a layer-3 device of some sort (i.e. the router you mentioned) to communicate between the two networks you want to create, VLANs may help with segmentation of the network such that broadcasts for one network do not end up being forwarded out ports for another VLAN (recall that the switch will only look at the Layer-2 frame information, not the IP address - so a broadcast would still be flooded out every port).

Your best solution would probably be as follows:

1.  Configure a number of VLANs to correspond to the number of networks you wish to create, assign the ports connected to end systems as access ports for their respective VLANs.

2.  Configure the uplink to the router to be a trunk port, and assign all VLANs that you want to be routed to that port.

3.  Configure the router (be it a hardware router or a Win2K server running routing protocols) so that it is capable of performing VLAN tagging using the IEEE 802.1q specification.  Most server-class NICs have this option with appropriate drivers from the manufacturer.  You will also want to confirm that the router device is set up to route between the directly connected networks.

4.  If the DHCP server is the same device as the router, you should be able to reach it from every device on the network (you'll want to check the DHCP server settings, and confirm that it is configured correctly).  If the DHCP server is on another system on the network, you will need to use some sort of DHCP Relay option (I believe this was available both in Windows 2000 and on some hardware routers) to forward the DHCP requests to the appropriate server.

5.  If appropriate, you should look into creating access lists (ACLs) on the layer-3 device functioning as your router if you wish to restrict access between the VLANs for certain systems, services, etc.

That should help clean up the traffic crossing the local network segment, and provide you with the ability to communicate between the VLANs you create.

2 Posts

February 23rd, 2004 20:00

Ok,
I am still a little confused, because of the physical location of my network.
Let me explain.


1. Local Network 1

this is what I have:
1 DSL Router
3 Unmanaged Switches separating 3 floors
1 Active Directory Domain Controller/ authenticates and serves as DNS
1 W2000 Server with DHCP
Over 150 workstations, PCs and Macs
IP configuration 192.168.1.0-192.168.1.254


2. Windows 2000 Router Connecting Network 1-2

3. Local Network 2
this is what I have:
T1/ Cisco router hosted by our ISP
1 unmanaged switch
Web server
email server
Email Server
IP configuration 192.168.0.1-254


Problem I'm facing

4. Local Network 3 (this is the one I need to create)

Needs to have a different IP configuration (192.168.2.1-192.168.2.254)
I want to have these workstations receive a DHCP address from the server on network 1
using a second scope as well as authenticate from the Domain controller
I need these computers to be able to see the Webserver and Email locally going through the w2000 router
Be able to surf the internet using the DSL router on Network 1

I cannot have any downtime when integrating the third network

Is it possible to use the PC3324 to create the 3 VLANs, allowing the DHCP Relay and still maintaining routing protocol security to the email server and web server?
What necessary steps do I need to take?

Again I apologize for the long question

Thanks a million.

2 Posts

February 27th, 2004 17:00

I have a similar situation as the previous user's post.  Do I need to have a router to be able to access across VLANs?  I was under the understanding that the 3324/48 had this ability built-in.  If not, what is the purpose of the Access Control Lists if it is not to pass traffic between VLANs/Subnets?

Thanks,

Brandon

2 Intern

169 Posts

March 1st, 2004 12:00

The 3324/3348 series switches are still only Layer-2 switches.  They just incorporate some layer-3 functionality in terms of better QoS support, and the ability to assign ACLs to interfaces on the switch.

Your assumption that ACLs are used to route is incorrect, however.  Routing between VLANs requires a layer-3 device with that capability, preferably one that supports IEEE 802.1q frame tagging.  The purpose of an ACL is just as the name implies:  Access Control - a means of allowing or denying traffic through the specified interface.  This does not have to be restricted to a router, especially with the use of MAC-based ACLs, and on the 33xx series switches ACLs are limited to ingress traffic only.

 

March 7th, 2004 19:00

You said that

3. Local Network 2
this is what I have:
T1/ Cisco router hosted by our ISP

Therefore one other possibility - with your existing hardware - is to ask your ISP provider to consider changes on the Cisco router to potentially give you a workaround:

Option 1 - Router - Dot1Q trunking

Turn on dot1Q trunking on the ethernet port of the Cisco ISP router - this will enable you to have multiple VLANs routed between by the Cisco router. If you wish to use DHCP leases from one of your own DHCP servers then you would also just add "ip helper-address" commands on the VLAN sub-interface of the dot1q trunk of the Cisco router, pointing to the IP address of your true DHCP server.

Option 2 - Secondary addressing on Cisco router

All Cisco routers can allow multiple IP address subnets to co-exist on the same LAN... by using the "ip address 192.168.x.0 255.255.255.0 secondary" command on the ethernet interface of the Cisco ISP router you can have more subnets exist there. This does have a downside though - all broadcast and multicast traffic will be seen by all PCs, since they are effectively sitting on the same subnet... with inter-subnet routing still provided by the ISP router... this is more a temporary fix rather than a good design.
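The router-on-a-stick setup that steps 2 to 5 of the first reply and Option 1 above both describe, written out as a Cisco IOS configuration for the three networks in this thread. This is an added example, not configuration posted in the thread: the VLAN IDs, the interface name, the router's address on each subnet, the DHCP, domain controller, web and email server addresses and the DSL router address are all assumed placeholders.

```cisco
! Constructed example: router-on-a-stick for the three networks in this thread.
! VLAN IDs, interface name and every host address below are assumptions.
interface FastEthernet0/0
 no ip address
 no shutdown
!
! VLAN 1 - Local Network 1 (workstations, DC/DNS, W2000 DHCP server, DSL router)
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.254 255.255.255.0
!
! VLAN 2 - Local Network 2 (web and email servers)
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.0.254 255.255.255.0
!
! VLAN 3 - the new Local Network 3
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.2.254 255.255.255.0
 ! forward VLAN 3 DHCP broadcasts to the W2000 DHCP server on Network 1
 ! (assumed at 192.168.1.10; it needs a second scope for 192.168.2.0/24)
 ip helper-address 192.168.1.10
 ! filter traffic arriving from VLAN 3 hosts
 ip access-group VLAN3-IN in
!
! VLAN 3 may: obtain DHCP, talk to the DC/DNS and DHCP servers on Network 1,
! reach only web and mail on Network 2, and go anywhere else (Internet via
! the DSL router). Everything else aimed at Network 2 is dropped.
ip access-list extended VLAN3-IN
 remark DHCP discover/request from clients that have no address yet
 permit udp any eq bootpc any eq bootps
 remark domain controller / DNS (assumed 192.168.1.5) and DHCP server
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.10
 remark web server (assumed 192.168.0.20) and email server (assumed 192.168.0.21)
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.0.20 eq www
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.0.21 eq smtp
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.0.21 eq pop3
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! default route towards the DSL router on Network 1 (address assumed)
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

The switch port facing this router must be a trunk carrying VLANs 1 to 3 (step 2 of the first reply), and if the ISP's T1 router is the device doing this, its default route would normally point out the T1 rather than at the DSL router.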

 
