[afnog] Fw: Re: how to aconfigure a vlan
Mark Tinka
mtinka at globaltransit.net
Wed Nov 18 08:43:30 UTC 2009
On Tuesday 17 November 2009 01:43:23 pm teklay gebremichael
wrote:
> Thank u Mark for helping me and i appreciate ur fast
> response. hoping u will help me further, i will elaboret
> my problem a bit.
Always glad to help where I can :-).
> we have three capuses. two of the campuses have cisco
> 6509 switches and the other campus has a cisco 4506
> switch as core switches.
Are you able to advise what supervisor modules you have in
these boxes, as well as what line cards are installed? These
platforms have a number of restrictions depending on what
hardware you plug into the chassis. Knowing what you have
would help in identifying what's possible, and what isn't.
> all the intercampus liks are
> optical fiber which are in a triangular fashion...
So, a ring architecture. Good. I won't ask how you're
handling protection (STP, perhaps), although I'm curious.
> and are
> all owned by our university.
Good, so no 3rd party contractors/service providers to
hassle with. Makes things a little smoother.
> all the links are working.
> in the main campuse, there are 15 VLANs (subents) created
> on 6509 core switch (all other L2 switches in all
> campuses are cisco 2950 and 2960).
Okay, pretty standard. I'm guessing all Layer 3 services are
handled by the 6509's and 4506, right?
> so in the main campus,
> it is only the 6509 switch which is in vtp server mode.
> and in the other campuses, the core switches are in vtp
> mode server, where as the other switches are in client
> modes.
Alright.
Well, my only advice is "be very very careful" when using
VTP. It has caused many a network to melt down into nothing
for a number of reasons. In one case, a customer was
attached to an edge switch running VTP, and they managed to,
unknowingly, transmit a PDU that reconfigured the entire
VLAN database and brought the entire network down (I say
entire because the edge switch doubled as a core switch).
We've seen that in a small-to-medium sized network, manually
configuring VLAN's, i.e., by hand, is a good balance between
security and scalability. Of course, as the network grows
(especially if you're a Metro-E service provider), different
methods need to employed.
As you scale, I would have recommend the use of other
control planes, but I'm not sure what which stage in the
"development cycle" your network is, and do not want to
digress from what you need NOW.
> we use rip v2 as routing protocol to communicate
> each subnet in one capuse with others in other campuses.
Would recommend considering something more scalable and
modern, e.g., OSPF or IS-IS.
> so, when we want to create a new vlan on any of the
> campuses, we just create it on the respective core
> switch.
Which is to say, VLAN's today do not span farther than the
campus in which they are created, right?
> so, right now, i don't have any problem in
> creating a working vlan with the architecture i am
> telling u now.
Pretty stock.
> here is the problem i faced.
>
> i am asked to create one vlan with a network id of
> 192.168.20.0/24. computers in this valn don't need to be
> connected to the Internet but should communicate with
> each other being at different campuses...
No problem; I'll call our mystery VLAN, VLAN 100.
(having stayed away from VTP all my life), go to each core
switch at each of the campuses and:
a) add VLAN ID 100 to the VLAN database.
b) create an SVI for VLAN 100.
c) ensure the 802.1Q trunks on the ring are forwarding VLAN
100.
When you finish that, VLAN 100 should now be available at
all 3 campuses. Next step is to go the affected edge
switches at each campus, and:
a) add VLAN ID 100 to the VLAN database.
b) decide which ports will be a part of VLAN 100.
c) ensure the 802.1Q trunks between the core and edge
switches are forwarding VLAN 100.
Plug your servers into the edge switches as appropriate, and
assign them addresses out of the '192.168.20.0/24' per your
needs.
> but the servers
> that the computers are connected to will be connected to
> the university network and hence to the Internet. so,
> this vlan should be vissible in the 10.128.0.0/16 campuse
> and in the 10.130.0.0/16 campuse.
No problem - both the 6509's and the 4506 support IP routing
(as I'm sure you already know).
Since you'd have already created an SVI on each core switch
in the preceding steps, just assign them, each, an IP
address out of the '192.168.20.0/24' space. You could assign
each core switch like so:
* 6509_1 = 192.168.20.254/24
* 6509_2 = 192.168.20.253/24
* 4506_1 = 192.168.20.252/24
You've probably noticed, from the above, that all 3 switches
are in the same VLAN (VLAN 100), meaning that all the
computers configured with this address space are also in the
same broadcast domain. This means that, technically
speaking, any computer could use any of the above core
switch IP addresses as a default router.
However, to keep things simple, and keep traffic from
circulating around the network unnecessarily, you can
configure each computer to use the default gateway of the
core switch physically closest to it (ordinarily, I'd have
used a separate subnet for each campus, but I'm not sure as
to your design requirements).
So since you have RIP running across your network (you
really should consider using link state routing protocols),
all your core switches know about all the IP networks you're
running in the network. When the computers in VLAN 100 need
to talk to each other, the core switches will forward the
traffic as switched Ethernet frames in a single broadcast
domain. When the computers in VLAN 100 want to talk to the
servers in the 10.x/16 space, the core switches will forward
the traffic as routed IP packets to the correct destination,
using the information populated by RIP.
And you should be good to go...
Cheers,
Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL: <http://afnog.org/pipermail/afnog/attachments/20091118/ff0b9d75/attachment.pgp>
More information about the afnog
mailing list