Network design questions

Hi friends,

I just wanted to share a design of an old network, and based on that ask for suggestions on integrating the new network into the old network.

The old network has essentially two categories of users: Admin and Guests. There are two network segments created for both of them as well which are as follows:

Admin users: 192.168.0.0/24
Guest users: 10.254.1.0/24

The access method is different for both categories of users. With regard to outside access, the Admin users go through the firewall, but guest users don't touch the firewall. Regarding DHCP, the Admin users get their DHCP address from a server in the 192.168.0.0/24 segment. For wireless users, the DHCP server / default gateway is the Egress server (a Linux box) with IP address 10.254.1.1/24. The default gateway for the Admin users is the firewall, viz. 192.168.0.254. Both the Egress server and the Symantec firewall have a public interface too, connecting to the router.

The 3560s connecting to the Egress and Symantec boxes are all Layer 2. The same servers will be used by the new network users too, for DHCP allocation, Internet access and firewall filtering. There are no VLANs in the current network, which means there is only one VLAN, viz. VLAN 1. The old network was set up by a third party.

With regard to the new network in a different building, the network design and integration has been contracted to us. Now, there is a core / distribution switch, a 4506, connected to 3560 access switches on different floors. The access switches are connected to users and access points. We are planning for floor-based VLANs and also ensuring that wired / wireless VLANs are separated too. The design is pretty simple if you look at the new building / network alone. But a few questions that pop up are as follows:

  1. The 4506 switch connects through fiber to the old building 3560 switches, which in turn connect to the Egress and Symantec firewall. Now, how should the ports connecting the 4506 to the 3560 be configured? As trunks? I am not sure, as the 3560 will have no ports configured in VLANs created on the 4506. So, why should it receive VLAN info from the 4506?

  2. How will I be able to pass traffic from VLANs on the new network to the servers in the old network? The old network has only one VLAN, viz. VLAN 1, and the new network has multiple VLANs.

As of now, all that I can think of is to configure the 3560s connected to the servers as Layer 3 devices. The 3560s can be used to route traffic between the old network and the new network. The 3560 and 4506 can share a common VLAN. There can be routes created on the 3560s pointing to the 4506 for reaching VLANs created on the new network. Similarly, there can be routes added on the core to reach the 3560s for the old network. But the DHCP servers become two hops away now for clients on the new network: the first hop is the 4506 switch and the second hop is the 3560 connected to the server. So, I believe I need to configure ip helper-address on the 4506 as well as the 3560 switches?? I really need some help in validating this solution as well.

Once I know the answer to these two questions, I think the setup pretty much becomes straightforward. I can configure ip helper-address on the Layer 3 VLAN interfaces to pass DHCP requests to the different DHCP servers. And I can use policy-based routing to pass traffic to different default gateways (for admin and guests), because that is source-sensitive.

Looking forward to your kind help in this regard

Thanks a lot Gautam

Reply to
gautamzone

Hi friends,

Sorry for the terribly long post!!! I just wanted to be descriptive about the issue.

To sum up, I just have one concern: how can I integrate a VLAN-based network into a non-VLAN network? The non-VLAN (VLAN 1) network has all the servers / Internet access services.

I just need a rough idea on how to proceed. Once I get it, I am ready to take it from there!!! All the switches at the edge are 3560 Standard Image and the core is a 4506.

Thanks!!!

Gautam

Reply to
gautamzone

You need to route between different vlans (subnets), probably at the core switch.

You should also be aware of some security problems associated with having a single VLAN for Management and data:

formatting link

Reply to
Drake
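An added example of the separation Drake is pointing at, written for the new-building 3560 access switches and the 4506; it is not configuration from the thread. Management traffic gets its own VLAN (99), VLAN 1 is left empty and is not the native VLAN on trunks, and only the admin side may open management sessions. VLAN numbers, the 10.99.0.0/24 management subnet, the 10.1.0.0/16 wired admin range, the hostname and the port numbers are assumptions; 192.168.0.0/24 is the admin segment from the thread.

```cisco
! ===== new-building 3560 access switch (added example; values assumed) =====
hostname NB-FL1-AS1
ip domain-name example.local
!
vlan 99
 name Management
vlan 999
 name Unused-Native
!
! VLAN 1 carries nothing and has no address, so a host on a data VLAN
! cannot reach the switch's management plane through it.
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description Switch management
 ip address 10.99.0.11 255.255.255.0
!
ip default-gateway 10.99.0.1               ! 4506's Vlan99 SVI (assumed)
!
interface GigabitEthernet0/1
 description Uplink to 4506
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999          ! untagged frames land in an unused VLAN
 switchport trunk allowed vlan 99,110,210  ! management + floor VLANs, not VLAN 1
 switchport mode trunk
!
! SSH only, and only from the admin side of the network.
crypto key generate rsa modulus 2048
ip ssh version 2
!
ip access-list standard MGMT-HOSTS
 permit 192.168.0.0 0.0.0.255              ! old-building admin segment (from thread)
 permit 10.1.0.0 0.0.255.255               ! new-building wired admin VLANs (assumed)
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! ===== 4506: management VLAN gateway, reachable from admin hosts only =====
ip access-list extended PROTECT-MGMT
 permit ip 192.168.0.0 0.0.0.255 10.99.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 10.99.0.0 0.0.0.255
 deny   ip any any
!
interface Vlan99
 description Management VLAN gateway
 ip address 10.99.0.1 255.255.255.0
 ip access-group PROTECT-MGMT out          ! filters traffic routed into VLAN 99
```

The access-class on the vty lines and the outbound ACL on the 4506's Vlan99 SVI do the same job at two layers, so a mistake in one does not expose the management plane by itself. Verify from a guest-VLAN host that `ssh 10.99.0.11` times out, and from an admin host that it connects; `show ip access-lists PROTECT-MGMT` shows the deny counter climbing as the guest attempts are dropped.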

Thanks a lot for the useful inputs!!

I have just thought about a solution based on your inputs and I request your kind help in validating it.

  1. 4506 connects to 3560 -----------> on VLAN 192 (Admin)

  2. 4506 connects to 3560 -----------> on VLAN 10 (Wireless)

Both the 4506 and the 3560 have Layer 3 SVIs for VLAN 10 and VLAN 192. The 4506 will point to the 3560's SVIs to reach the networks behind them through static routes on the 4506. Similarly, the 3560s will point to the 4506's SVIs to reach the networks behind the 4506 through static routes. (I will need to configure IP routing on the 3560s to make them Layer 3.)

So, basically, the links between the 4506 and the 3560s are NOT trunk links, but just normal links whose ports are access ports.

The servers in the old network (behind the 3560s) will have a route add statement (and the equivalent route statement on the Linux box) to reach the networks behind the 4506, with the 3560's VLAN 1 IP as the next hop.

Does this solution sound workable?

Thanks a lot again and sorry to post so many questions in this regard.

Gautam

Reply to
gautamzone
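One way to lay out the integration, as an added example that is not configuration from the thread: in the direction Drake suggests, the 4506 does all the routing, the old-building 3560s stay Layer 2 as they are today, and VLAN 1 is the only VLAN carried over the fiber. The 4506 takes an address in each of the two old subnets, so the firewall and the Egress box are directly connected next hops for policy routing, and the per-floor SVIs relay DHCP with ip helper-address. The floor VLAN numbers and subnets (10.1.x.0/24 wired, 10.2.x.0/24 wireless), the 4506's addresses on the old segment (192.168.0.253 and 10.254.1.2), the admin DHCP server address (192.168.0.10) and the port numbers are assumptions; the firewall (192.168.0.254) and Egress (10.254.1.1) addresses come from the thread.

```cisco
! ===== 4506 core, new building (added example; numbering assumed) =====
ip routing
!
vlan 110
 name Floor1-Wired
vlan 210
 name Floor1-Wireless
!
! A relayed DHCP request leaves the SVI as a unicast packet with the SVI
! address as giaddr, so only this first hop needs the helper; the server
! just needs a route back to 10.1.1.0/24 and a scope for it.
interface Vlan110
 description Floor 1 wired (admin) clients
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 192.168.0.10           ! admin DHCP server (assumed)
 ip policy route-map SPLIT-GATEWAY
!
interface Vlan210
 description Floor 1 wireless (guest) clients
 ip address 10.2.1.1 255.255.255.0
 ip helper-address 10.254.1.1             ! Egress box issues guest leases (thread)
 ip access-group GUEST-IN in
 ip policy route-map SPLIT-GATEWAY
!
! The old network is one broadcast domain (VLAN 1) with two subnets on it.
! An address in each makes the firewall and the Egress box adjacent next
! hops, which is what "set ip next-hop" requires.
interface Vlan1
 description Old building: admin (primary) and guest (secondary) subnets
 ip address 192.168.0.253 255.255.255.0
 ip address 10.254.1.2 255.255.255.0 secondary
!
! Fiber to the old-building 3560: only VLAN 1 has to cross it, so the trunk
! is pruned to VLAN 1 (an access port in VLAN 1 would do the same). The new
! floor VLANs never leave the 4506. Add "switchport trunk encapsulation dot1q"
! first if the supervisor asks for it.
interface GigabitEthernet1/1
 description Uplink to old-building 3560, VLAN 1 only
 switchport mode trunk
 switchport trunk allowed vlan 1
!
! Guests may reach the Egress box and the Internet, not the admin side.
! The relayed DHCP packets are router-originated and are not subject to this ACL.
ip access-list extended GUEST-IN
 deny   ip any 192.168.0.0 0.0.0.255
 deny   ip any 10.1.0.0 0.0.255.255
 permit ip any any
!
! Per-source default gateway. Old-building destinations are excluded so they
! keep following the connected route instead of the policy next hop.
ip access-list extended WIRED-TO-INTERNET
 deny   ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny   ip 10.1.0.0 0.0.255.255 10.254.1.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended WIRELESS-TO-INTERNET
 deny   ip 10.2.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny   ip 10.2.0.0 0.0.255.255 10.254.1.0 0.0.0.255
 permit ip 10.2.0.0 0.0.255.255 any
!
route-map SPLIT-GATEWAY permit 10
 match ip address WIRED-TO-INTERNET
 set ip next-hop 192.168.0.254            ! Symantec firewall (from thread)
route-map SPLIT-GATEWAY permit 20
 match ip address WIRELESS-TO-INTERNET
 set ip next-hop 10.254.1.1               ! Egress box (from thread)
!
! Anything the policy does not catch goes to the firewall.
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
! ===== old-building 3560 (stays Layer 2; the Standard Image is enough) =====
interface GigabitEthernet0/1
 description Uplink to 4506, VLAN 1 only
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1
```

Two things outside the switches make or break this. First, return routes: the firewall, the admin DHCP server and the Egress box only know 192.168.0.0/24 and 10.254.1.0/24, so each needs routes for the new subnets pointing at the 4506 (on the Linux Egress box, for example, `ip route add 10.2.0.0/16 via 10.254.1.2`; on the admin side, 10.1.0.0/16 via 192.168.0.253). Without them DHCP offers and all return traffic are dropped. Second, both DHCP servers need scopes for the new subnets, since the server picks the scope from the giaddr the 4506 inserts. Check that the 4506's supervisor image supports policy routing before relying on the route-map (`show route-map SPLIT-GATEWAY` shows match counters once traffic flows), and confirm with `show ip policy` that it is applied to both SVIs.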
