Velocity Reviews - Computer Hardware Reviews

how to connect L3 switch and PIX

 
 
szhang3@gmail.com
      03-27-2007
We newly purchased a Cisco Catalyst 3560G-24-EMI that will be a core
layer 3 switch to route between 3 vlans (at 3 distinct locations that
separately link to an ISP switch by fiber optics) and to use a trunk
port to carry vlan traffic to the ISP's switch.

The following is the basic network map:


site1---------------ISP switch ------------- site 2
vlan 102               |  |                  vlan103
192.168.1.0/24         |  |                  192.168.2.0/24
                       |  | trunk (dot1q)
                       |  |
                       |  | native vlan101;
                       |  | vlan104 - 192.168.3.0/24

                 Site 3 (Headquarters)
         Core L3 switch 3560G (192.168.3.1)
                          |
                  PIX 506E (192.168.3.2)

We also have a PIX 506E available in site 3 to control the Internet
traffic.

My questions lie in the two areas:
1. Physically where should I install the PIX? --my understanding is I
should link both interfaces of the PIX to two ports of the 3560G, one
interface for inbound and the other for outbound. The two ports on the
switch that connect to the PIX should not be assigned to any vlan.
Thus I don't need to configure anything about vlan on the PIX to allow
vlan tagging traffic.
2. Do site 1 and site 2 have to have vlan information configured on
their access layer switches? According to the ISP engineer's opinion, we
don't need to configure vlans on the switches at site 1 and site 2 because the
ISP switch has already assigned two ports to the vlans that belong to the
two sites. Is this true? If not, we have to consider purchasing two
layer 2 switches (such as 2960) to fulfill the task.

Thank you so much for your help on the two questions.

 
briggs@encompasserve.org
      03-27-2007
szhang3@gmail.com writes:
> We newly purchased a Cisco Catalyst 3560G-24-EMI that will be a core
> layer 3 switch to route between 3 vlans (at 3 distinct locations that
> separately link to an ISP switch by fiber optics) and to use a trunk
> port to carry vlan traffic to the ISP's switch.
>
> The following is the basic network map:
>
>
> site1---------------ISP switch ------------- site 2
> vlan 102               |  |                  vlan103
> 192.168.1.0/24         |  |                  192.168.2.0/24
>                        |  | trunk (dot1q)
>                        |  |
>                        |  | native vlan101;
>                        |  | vlan104 - 192.168.3.0/24
>
>                  Site 3 (Headquarters)
>          Core L3 switch 3560G (192.168.3.1)
>                           |
>                   PIX 506E (192.168.3.2)
>


Where is 192.168.1.1? Is VLAN 102 carried into site 3 on the trunk?

Where is 192.168.2.1? Is VLAN 103 carried into site 3 on the trunk?

Is there any equipment on 192.168.3.x on the ISP's network? If not,
what is VLAN 104 used for? If so, at what IP address[es]?

Is there any equipment in VLAN 101 on the ISP's network? Any associated
IP address? If not, what is VLAN 101 used for?

Is the ISP doing IP routing for you or just handing off layer 2
connectivity? Are they handing you an Internet circuit as well?


Every plausible guess that I can make as to your actual configuration
can be ruled out based on the information in your drawing. It makes
no sense.

> We also have a PIX 506E available in site 3 to control the Internet
> traffic.


Also? You mean other than the one you already showed on the drawing?

> My questions lie in the two areas:
> 1. Physically where should I install the PIX? --my understanding is I
> should link both interfaces of the PIX to two ports of the 3560G, one
> interface for inbound and the other for outbound. The two ports on the
> switch that connect to the PIX should not be assigned to any vlan.
> Thus I don't need to configure anything about vlan on the PIX to allow
> vlan tagging traffic.


Yes, that is one way of doing it.

> 2. Do site 1 and site 2 have to be configured vlan information on
> their access layer switches? Regarding the ISP engineer's opinion, we
> don't need configure vlan on switches on site 1 and site 2 because the
> ISP switch has already assigned two ports to vlans that belong to the
> two sites. Is this true?


Yes, this is true.
 
szhang3@gmail.com
      03-27-2007
> Where is 192.168.1.1? Is VLAN 102 carried into site 3 on the trunk?
192.168.1.1 belongs to the interface for vlan 102 on the switch 3560G
on site 3.
> Where is 192.168.2.1? Is VLAN 103 carried into site 3 on the trunk?

192.168.2.1 belongs to the interface for vlan 103 on the switch 3560G
on site 3.

> Is there any equipment on 192.168.3.x on the ISP's network? If not,
> what is VLAN 104 used for? If so, at what IP address[es]?

No. Vlan 104 is for site 3 solely. 192.168.3.1 belongs to the
interface for vlan 104 on the switch 3560G.

> Is there any equipment in VLAN 101 on the ISP's network? Any associated
> IP address? If not, what is VLAN 101 used for?
>

No equipment nor IP address for vlan 101. The ISP claimed vlan 101 as
native vlan and would use it for our Internet access.

> Is the ISP doing IP routing for you or just handing off layer 2
> connectivity? Are they handing you an Internet circuit as well?


The ISP handles layer 2 connectivity on their switch. They offer us
Internet connection as well. What the ISP pre-configured on their
layer 2 switch were: vlan 102 for site1, vlan 103 for site 2, vlan 104
for site 3, and vlan 101 for NATIVE vlan which they claimed to let our
network traffic go to the Internet.

On the ISP switch the port connecting to site 3 has been configured as
a trunk port. Therefore, on our Catalyst 3560G layer 3 switch, we need
to build a trunk port too. The 3560G will do inter-vlan routing by
assigning 192.168.1.1 to interface vlan 102; 192.168.2.1 to the
interface vlan 103; and 192.168.3.1 to interface vlan 104.

> > We also have a PIX 506E available in site 3 to control the Internet
> > traffic.

We only have one PIX. Previously it controlled Internet traffic only.
What puzzles me is where I should connect the PIX once the switch
3560G is brought into our network. I was told by the ISP that I don't
need to configure any vlan-related change on the PIX. Then how does the
pix carry vlan-tagged packets in and out?

Regarding site 1 and site 2, currently we don't have Cisco switches to
be configured with vlan information. I want to try out whether the two sites can
handle network traffic without L2 switches being configured on site.

Please kindly give me your suggestion if you think my design has
shortcomings or faults. Anything unclear I'll be happy to offer more
information.

Thanks!

 
BernieM
      03-28-2007

szhang3@gmail.com wrote:
> We newly purchased a Cisco Catalyst 3560G-24-EMI that will be a core
> layer 3 switch to route between 3 vlans (at 3 distinct locations that
> separately link to an ISP switch by fiber optics) and to use a trunk
> port to carry vlan traffic to the ISP's switch.
>
> The following is the basic network map:
>
>
> site1---------------ISP switch ------------- site 2
> vlan 102               |  |                  vlan103
> 192.168.1.0/24         |  |                  192.168.2.0/24
>                        |  | trunk (dot1q)
>                        |  |
>                        |  | native vlan101;
>                        |  | vlan104 - 192.168.3.0/24
>
>                  Site 3 (Headquarters)
>          Core L3 switch 3560G (192.168.3.1)
>                           |
>                   PIX 506E (192.168.3.2)
>
> We also have a PIX 506E available in site 3 to control the Internet
> traffic.
>
> My questions lie in the two areas:
> 1. Physically where should I install the PIX? --my understanding is I
> should link both interfaces of the PIX to two ports of the 3560G, one
> interface for inbound and the other for outbound. The two ports on the
> switch that connect to the PIX should not be assigned to any vlan.
> Thus I don't need to configure anything about vlan on the PIX to allow
> vlan tagging traffic.


Traffic going to the pix will not be vlan tagged unless those links are
configured as trunks. The 'in' 'out' scenario you mention would have to be
configured at layer-3 but then you're looking at asymmetric routing of
packets within the same TCP stream. You could go down the '2-link' path
using an EtherChannel to the PIX (I'm not sure what pix platforms or
software versions support EtherChannel) but I'd also recommend creating a
separate vlan for that logical link to remove the reliance on layer-2
stability, i.e. spanning-tree of vlan 104, which it has with the proposed
topology.

> 2. Do site 1 and site 2 have to be configured vlan information on
> their access layer switches? Regarding the ISP engineer's opinion, we
> don't need configure vlan on switches on site 1 and site 2 because the
> ISP switch has already assigned two ports to vlans that belong to the
> two sites. Is this true? If not, we have to consider purchasing two
> layer 2 switches (such as 2960) to fulfill the task.


When traversing a third party switch you are limited as to what vlan
assignments are available to you. If the ISP has designated vlan #'s 102
and 103 then these vlans need to be trunked between their switch and your
3560G and they would have to configure their switch ports attached to your
equipment as trunks using the vlan assigned to each. Without vlans 102 and
103 being trunked to the 3560G their switch is responsible for layer-3
switching frames between them and into vlan 104. I'm unsure about the
requirement for a native vlan because that's typically used for
point-to-point traffic between switches at layer-2 like UDLD for example and
I don't think their switch is going to be interested in seeing it. Don't
use DTP. Check with the ISP about that type of traffic. We had a problem
with an ISP's Cabletron switch being between two Catalyst 6500's ...
'something' was causing the Cabletron switch to reset. We eventually went
down the dark fibre path and haven't looked back.

BernieM
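Putting the thread together, here is an added example configuration for the 3560G and the PIX links. It is not from any of the posts above and not Cisco's own sample; it follows the original poster's plan (dot1q trunk to the ISP with native vlan 101, SVIs 192.168.1.1, 192.168.2.1 and 192.168.3.1 on vlans 102, 103 and 104) and BernieM's two recommendations (no DTP on the ISP-facing trunk, and a dedicated vlan for the PIX link rather than hanging it off vlan 104). Everything not stated in the thread is an assumption: the port numbers (Gi0/25 as the SFP uplink to the ISP, Gi0/23 and Gi0/24 facing the PIX), vlan 105 with 192.168.5.0/30 as the switch-to-PIX transit network, the PIX outside address and gateway (placeholders), and PIX OS 6.x command syntax.

```cisco
! ===== Catalyst 3560G-24-EMI, site 3 (added example, not from the thread) =====
! Assumed: Gi0/25 is the SFP uplink to the ISP, Gi0/23-24 face the PIX,
! and vlan 105 / 192.168.5.0/30 is a new switch-to-PIX transit network.
ip routing
!
vlan 101
 name isp-native-internet
vlan 102
 name site1
vlan 103
 name site2
vlan 104
 name site3-hq
vlan 105
 name pix-transit
!
! Trunk to the ISP switch: dot1q, native vlan 101 carried untagged (as the
! ISP configured their side), only the four agreed vlans allowed, DTP off.
interface GigabitEthernet0/25
 description dot1q trunk to ISP switch (fiber)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-104
 switchport mode trunk
 switchport nonegotiate
!
! SVIs: the 3560G is the default gateway for all three sites.
interface Vlan102
 ip address 192.168.1.1 255.255.255.0
interface Vlan103
 ip address 192.168.2.1 255.255.255.0
interface Vlan104
 ip address 192.168.3.1 255.255.255.0
! Transit SVI towards the PIX inside interface (assumed addressing).
interface Vlan105
 ip address 192.168.5.1 255.255.255.252
!
! PIX inside: untagged access port in the transit vlan, so the PIX itself
! needs no vlan configuration and does not depend on vlan 104 spanning-tree.
interface GigabitEthernet0/23
 description PIX 506E inside
 switchport mode access
 switchport access vlan 105
 spanning-tree portfast
!
! PIX outside: access port in vlan 101; frames leave the trunk untagged as
! the native vlan and reach the ISP's Internet handoff.
interface GigabitEthernet0/24
 description PIX 506E outside
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
! Everything outside the three site subnets is sent to the PIX.
ip route 0.0.0.0 0.0.0.0 192.168.5.2
!
! ===== PIX 506E, PIX OS 6.x syntax (assumed) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.5.2 255.255.255.252
! Outside address and gateway come from the ISP; placeholders only.
ip address outside <ISP-ASSIGNED-IP> <MASK>
route outside 0.0.0.0 0.0.0.0 <ISP-GATEWAY> 1
! Return routes for the three site subnets point at the 3560G transit SVI.
route inside 192.168.1.0 255.255.255.0 192.168.5.1 1
route inside 192.168.2.0 255.255.255.0 192.168.5.1 1
route inside 192.168.3.0 255.255.255.0 192.168.5.1 1
```

On the 3560G, `show interfaces trunk` should list Gi0/25 with native vlan 101 and vlans 101-104 allowed and active, and `show ip route` should show the three connected /24s plus the static default via 192.168.5.2. The design only works if the ISP really trunks vlans 102, 103 and 104 to your port, as BernieM points out; if they do not, the site 1 and site 2 subnets never reach the SVIs and the ISP switch, not the 3560G, is doing the inter-site forwarding. Keeping the PIX inside link on its own /30 transit vlan also means no site 3 host shares a broadcast domain with the firewall link, so a misconfigured or compromised host in 192.168.3.0/24 cannot sit on the same layer-2 segment as the firewall's inside interface.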



 