Sunday, September 29, 2013

Lesson 9 -- VLANs and Cisco's Insistence on Using Incorrect Terminology

As the company has grown, so has the use of network resources. In particular, there has been a dramatic increase in broadcast traffic, due to the use of some very chatty applications on a number of new servers. Having spent the better part of a full day sniffing network traffic with Wireshark, you have come to the conclusion that it's time to start segregating your users on the network.

You briefly consider the idea of installing separate switches in each department, but that seems like overkill. Every switch port on the 2924 switch is full, but HR assures you that the mad hiring rush is over for now, and your boss tells you that you don't have enough money left in the budget to install separate switches for every department. Nevertheless, you can't help but think that it would be nice to put each department into its own Local Area Network. Fortunately, you realize that your 2924 has the ability to create separate logical networks, even if they share the same physical hardware. Even better, this modification is something you can do without leaving your office -- there's no need for you to run new cables or install any new hardware. Best of all, this upgrade to the network will allow you to quickly and easily move users to different logical networks, if they should change positions within the company, whether or not they change offices. The logical networking that allows you this incredible flexibility is known as "virtual LANs", or "VLANs." On Cisco equipment, there are two types of VLANs that you can create -- a Cisco proprietary VLAN through a protocol called "ISL" and a standards-compliant protocol known by the obscure moniker "802.1q." Knowing that some day, you might need to incorporate non-Cisco equipment in your network, you decide to use the 802.1q protocol in your VLAN implementation.

One other thing to consider is what Cisco calls "access ports" and "trunked ports" (grrr...). This is a bit of a pet peeve of mine, since pretty much every other vendor on the planet calls them "untagged" and "tagged" ports, respectively. A "trunk" -- to seemingly everyone but Cisco -- is what you get when you bind two or more Ethernet ports together for greater reliability and/or greater bandwidth. For example, you could trunk two 100Mbps Ethernet ports together to have a single 200Mbps channel. This is also sometimes called a "Link Aggregation Group" or "LAG." LAG is beyond the scope of this particular article, but we will get to it a little later. You can tell the switch that all traffic coming in on a particular port belongs to one particular VLAN (untagged, or access, ports), or you can tell the switch to expect a tag in the Layer-2 frame header (tagged, or trunk, ports). This tag tells the switch which VLAN that particular frame belongs to. If you are using an untagged port, then in essence you have told the switch that all traffic coming in on that port belongs to one and only one VLAN. Think about it -- how would the switch know which VLAN to put traffic in if all of the traffic is untagged? On the other hand, if you are using tagged frames on a particular port, then the switch can differentiate between all of the VLANs that you have configured on the switch. (Actually, that isn't strictly true. You can also create a hybrid port, where tagged traffic goes to the VLAN named in the frame's tag, but untagged traffic defaults into one specific, other VLAN -- the "native" VLAN, in Cisco's terms.)
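To make the tagged/untagged distinction concrete, here is an added Python example (not from the original post) that builds a constructed Ethernet frame, inserts an 802.1Q tag after the source MAC, and decides which VLAN a switch port would place an incoming frame in. The port-mode names, the sample MAC addresses and the ARP payload are my assumptions; the 0x8100 TPID and the 12-bit VLAN ID field are from the 802.1Q standard.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an untagged Ethernet II frame (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)   # priority bits, DEI=0, VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_for_ingress(frame: bytes, port_mode: str, port_vlan: int) -> int:
    """Which VLAN the switch places an incoming frame in.

    port_mode "access": an untagged port; everything belongs to port_vlan.
    port_mode "trunk":  a tagged port; the tag names the VLAN, and a frame
                        that arrives untagged falls back to port_vlan, the
                        native VLAN (the "hybrid" behaviour described above).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if port_mode == "access":
        return port_vlan                     # a tag, if present, is not consulted
    if port_mode != "trunk":
        raise ValueError(f"unknown port mode {port_mode!r}")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return port_vlan                     # untagged on a trunk: native VLAN
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    if vid == 0:
        return port_vlan                     # VID 0 = priority-tagged only
    if vid == 4095:
        raise ValueError("VID 4095 is reserved")
    return vid

# Constructed sample: a broadcast ARP frame from a made-up source MAC address.
ARP_FRAME = build_frame(bytes.fromhex("ffffffffffff"),
                        bytes.fromhex("020000000001"), 0x0806, b"\x00" * 28)
```

The untagged-on-a-trunk branch is the native VLAN path: both ends of a trunk must agree on which VLAN is native, or untagged traffic lands in different networks on each side.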

Two last things to consider before we set up the VLANs. First, each VLAN is a separate network, so hosts on each VLAN cannot talk to each other without passing through a router. Second, since each VLAN is a separate network, each VLAN will have its own IP addressing scheme, and you will need to configure the router with IP addresses on virtual sub-interfaces to route between the VLANs.

To build this logical separation between groups, you log in to your main office router using a console cable (you will lock yourself out of the router before you complete the configuration, if you attempt this through telnet or SSH). Then, you run the following commands:

lab2651rtr# conf t
lab2651rtr(config)# no ip dhcp excluded-address 192.168.1.1 192.168.1.31
lab2651rtr(config)# no ip dhcp pool LANPOOL
lab2651rtr(config)# ip dhcp excluded-address 192.168.1.65
lab2651rtr(config)# ip dhcp excluded-address 192.168.1.81
lab2651rtr(config)# ip dhcp excluded-address 192.168.1.97
lab2651rtr(config)# ip dhcp excluded-address 192.168.1.113
lab2651rtr(config)# ip dhcp excluded-address 192.168.1.129
lab2651rtr(config)# ip dhcp pool IT
lab2651rtr(dhcp-config)# network 192.168.1.64 255.255.255.240
lab2651rtr(dhcp-config)# dns-server 192.168.1.35
lab2651rtr(dhcp-config)# default-router 192.168.1.65
lab2651rtr(dhcp-config)# domain-name mis.example.com
lab2651rtr(dhcp-config)# lease 0 6 0
lab2651rtr(config)# ip dhcp pool Exec
lab2651rtr(dhcp-config)# network 192.168.1.80 255.255.255.240
lab2651rtr(dhcp-config)# dns-server 192.168.1.35
lab2651rtr(dhcp-config)# default-router 192.168.1.81
lab2651rtr(dhcp-config)# domain-name exec.example.com
lab2651rtr(dhcp-config)# lease 0 6 0
lab2651rtr(config)# ip dhcp pool Acct
lab2651rtr(dhcp-config)# network 192.168.1.96 255.255.255.240
lab2651rtr(dhcp-config)# dns-server 192.168.1.35
lab2651rtr(dhcp-config)# default-router 192.168.1.97
lab2651rtr(dhcp-config)# domain-name acct.example.com
lab2651rtr(dhcp-config)# lease 0 6 0
lab2651rtr(config)# ip dhcp pool Sales
lab2651rtr(dhcp-config)# network 192.168.1.112 255.255.255.240
lab2651rtr(dhcp-config)# dns-server 192.168.1.35
lab2651rtr(dhcp-config)# default-router 192.168.1.113
lab2651rtr(dhcp-config)# domain-name sales.example.com
lab2651rtr(dhcp-config)# lease 0 6 0
lab2651rtr(config)# ip dhcp pool CustServ
lab2651rtr(dhcp-config)# network 192.168.1.128 255.255.255.224
lab2651rtr(dhcp-config)# dns-server 192.168.1.35
lab2651rtr(dhcp-config)# default-router 192.168.1.129
lab2651rtr(dhcp-config)# domain-name custserv.example.com
lab2651rtr(dhcp-config)# lease 0 6 0
lab2651rtr(config)# int fast 0/0
lab2651rtr(config-if)# no ip address
lab2651rtr(config-if)# no ip nat inside
lab2651rtr(config-if)# description Physical LAN port
lab2651rtr(config-if)# int fa0/0.1
lab2651rtr(config-subif)# encapsulation dot1q 1
lab2651rtr(config-subif)# description NetMgmt
lab2651rtr(config-subif)# ip address 192.168.1.1 255.255.255.224
lab2651rtr(config-subif)# int fa0/0.2
lab2651rtr(config-subif)# encapsulation dot1q 2
lab2651rtr(config-subif)# description Server Farm
lab2651rtr(config-subif)# ip address 192.168.1.33 255.255.255.224
lab2651rtr(config-subif)# ip nat inside
lab2651rtr(config-subif)# int fa0/0.3
lab2651rtr(config-subif)# encapsulation dot1q 3
lab2651rtr(config-subif)# description IT
lab2651rtr(config-subif)# ip address 192.168.1.65 255.255.255.240
lab2651rtr(config-subif)# ip nat inside
lab2651rtr(config-subif)# int fa0/0.4
lab2651rtr(config-subif)# encapsulation dot1q 4
lab2651rtr(config-subif)# description Exec
lab2651rtr(config-subif)# ip address 192.168.1.81 255.255.255.240
lab2651rtr(config-subif)# ip nat inside
lab2651rtr(config-subif)# int fa0/0.5
lab2651rtr(config-subif)# encapsulation dot1q 5
lab2651rtr(config-subif)# description Acct
lab2651rtr(config-subif)# ip address 192.168.1.97 255.255.255.240
lab2651rtr(config-subif)# ip nat inside
lab2651rtr(config-subif)# int fa0/0.6
lab2651rtr(config-subif)# encapsulation dot1q 6
lab2651rtr(config-subif)# description Sales
lab2651rtr(config-subif)# ip address 192.168.1.113 255.255.255.240
lab2651rtr(config-subif)# ip nat inside
lab2651rtr(config-subif)# int fa0/0.7
lab2651rtr(config-subif)# encapsulation dot1q 7
lab2651rtr(config-subif)# description CustService
lab2651rtr(config-subif)# ip address 192.168.1.129 255.255.255.224
lab2651rtr(config-subif)# ip nat inside
lab2651rtr(config-subif)# exit
lab2651rtr(config)#


The only new thing in this config is configuring the sub-interfaces under fa0/0. The name of each sub-interface is made up of the physical interface on which it is created (fa0/0, in this case) and a sub-interface number, which here matches the VLAN number assigned to it (the number itself is just a label; the "encapsulation dot1q" command is what binds the sub-interface to a VLAN). For example, VLAN 1 on fa0/0 is fa0/0.1, VLAN 2 is fa0/0.2, and so on. Next, we have to tell the router to encapsulate the VLANs using the 802.1q protocol. We have subnetted the 192.168.1.0/24 network into multiple subnets, with the size of each subnet determined by the expected number of hosts in each group. We have 30 hosts each in the network management subnet (probably gross overkill, but <shrug>), the server farm and Customer Service, and 14 hosts each in IT, Accounting, Executive and Sales. Since we are still NAT'ing to the Internet, we have moved the "ip nat inside" statement to each sub-interface (except for the network management subnet, which I don't want accessible from the Internet, for security reasons).
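As an added example that is not part of the original post, this Python script carves 192.168.1.0/24 into the same seven subnets from the host counts above (in VLAN order, so the result matches the router config) and renders the matching DHCP pool and dot1q sub-interface stanzas. The department order and the DNS server address come from the post; the function names and the dictionary layout are my own.

```python
import ipaddress

# Departments in VLAN order, with the host counts the post plans for.
DEPARTMENTS = [
    (1, "NetMgmt", 30), (2, "ServerFarm", 30), (3, "IT", 14),
    (4, "Exec", 14), (5, "Acct", 14), (6, "Sales", 14), (7, "CustServ", 30),
]

def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose block still leaves `hosts` usable addresses
    (the network and broadcast addresses are not usable)."""
    plen = 30
    while (2 ** (32 - plen)) - 2 < hosts:
        plen -= 1
    return plen

def plan_vlans(base: str, departments) -> list:
    """Carve `base` into one subnet per department, in VLAN order.
    Raises ValueError when the block is exhausted."""
    block = ipaddress.ip_network(base)
    cursor = int(block.network_address)
    plan = []
    for vlan, name, hosts in departments:
        plen = prefix_for_hosts(hosts)
        size = 2 ** (32 - plen)
        cursor = (cursor + size - 1) // size * size   # align to the block size
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{plen}")
        if not net.subnet_of(block):
            raise ValueError(f"{base} is exhausted at VLAN {vlan} ({name})")
        gateway = net.network_address + 1   # the router's sub-interface address
        plan.append({"vlan": vlan, "name": name, "network": str(net),
                     "gateway": str(gateway), "usable": net.num_addresses - 2})
        cursor += size
    return plan

def ios_snippet(entry: dict, phys: str = "fa0/0", dns: str = "192.168.1.35") -> str:
    """Render the DHCP pool and dot1q sub-interface for one VLAN (IOS syntax)."""
    net = ipaddress.ip_network(entry["network"])
    return "\n".join([
        f"ip dhcp excluded-address {entry['gateway']}",
        f"ip dhcp pool {entry['name']}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {entry['gateway']}",
        f" dns-server {dns}",
        f"interface {phys}.{entry['vlan']}",
        f" encapsulation dot1q {entry['vlan']}",
        f" ip address {entry['gateway']} {net.netmask}",
    ])
```

Because the gateway in every DHCP pool and the sub-interface address are produced from the same value, the two can never drift apart, which is the most common mistake when these stanzas are typed by hand.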

Now, we need to configure the switch. The changes are rather long, since we are configuring 24 network ports, so instead of pasting the entire config here, I'll link to it here, and we'll just cover the highlights below. Basically, we need to configure network ports for two types of services -- trunked ports to the router(s), and access ports to users' workstations. One example of a trunked port is the uplink to the router:

interface FastEthernet0/3
description Network Mgmt
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-7,1002-1005
switchport mode trunk


I am hard-coding the speed and duplex because I have seen...oddities...in the behaviour of Cisco routers (in particular) when you try to auto-negotiate speed and duplex, particularly in their lower-end routers (2500 series, 2600 series and 2800 series). It is important to be sure that your router and switch have the same settings, since "auto-negotiate" doesn't mean exactly what you think it means, if one side is hard-coded and the other side is negotiating speed and duplex. The speed will match up (the auto side will detect and match the carrier frequency on the wire), but the auto side will default to half-duplex if the other side isn't auto-negotiating also. The tell-tale sign of this is a large number of CRC errors on the network interface. If one side is hard-coded to 10M and the other side is hard-coded to 100M, however, the port will show down when you show the interface.

After setting speed and duplex to 100M-Full, I am telling the switch that I want to use 802.1q encapsulation, just as I did on the router. This is important -- make sure both connected devices are using the same VLAN protocol. If one device is NOT a Cisco device, you will have to use 802.1q rather than ISL (which is why I prefer to go with 802.1q regardless).

Next, I set the VLANs that I am allowing on the interface. I really only wanted VLANs 1-7 (because all hosts on the LAN need to talk to the router for Internet access), but as the Cisco switch supports Token Ring and FDDI interfaces (at least in software), Cisco, in their infinite wisdom (!), has decided that 1) Ethernet uses VLAN 1 as the management/native VLAN and VLANs 1002-1005 as the native/management VLANs for other physical media; and 2) you cannot remove the native/management VLANs from trunked ports, even for physical topologies that you aren't using (although you can reassign the native VLANs to other, more convenient numbers, if you so choose). Therefore, if you create a trunked port, you will ALWAYS see VLAN 1 and VLANs 1002-1005 on that port. Whatever.

Finally, I am telling the switch that I want to make FA0/3 a trunked VLAN port.

However, on FA0/7, I have created an access (untagged) port for the server farm to connect to. The config for this interface looks a little different:

interface FastEthernet0/7
description Server Farm
switchport access vlan 2


The Cisco switch uses access ports by default, so all I have to do is tell the switch to use VLAN 2 (server farm) on this port, rather than the default VLAN 1 (network management VLAN). Pretty simple, right? Remember, with a tagged/trunked VLAN port, traffic is directed to the appropriate network based on the tag in each frame; with an untagged/access port, all traffic entering the port is placed in the one VLAN configured on that port.

Once you've got the configs in place on your equipment, make sure hosts on each of the VLANs can route to each other, as well as to the router. If something isn't working, don't give up -- you'll learn a lot more by troubleshooting and fixing problems than you will by copying and pasting configs! (In fact, while I was able to create the other labs in this series so far in a matter of an hour or two, I found configuring this lab -- since I still don't have access to the console port on my switches -- a lot trickier, taking about 18 hours to design and configure, most of which was troubleshooting). If you do need to troubleshoot, you'll find the "show vlan", "show vlan brief" and "show vlan id <VLAN ID Number>" commands very helpful. Good luck!
