Switch w/ VLANs at the Edge Question

Discussion in 'Cisco' started by tman, Feb 19, 2008.

  1. tman

    tman Guest

    I have several switches in my public network each connecting two or
    three devices on separate networks. I thought it would be a good idea
    to consolidate them into one switch with a VLAN for each network with
    no interVLAN routing. I can't find any information that I can
    understand. I was wondering if anyone does this and how to make it
    secure.

    Thanks.
     
    tman, Feb 19, 2008
    #1

  2. Trendkill

    Trendkill Guest

    On Feb 19, 12:56 pm, tman <> wrote:
    > I have several switches in my public network each connecting two or
    > three devices on separate networks. I thought it would be a good idea
    > to consolidate them into one switch with a VLAN for each network with
    > no interVLAN routing. I can't find any information that I can
    > understand. I was wondering if anyone does this and how to make it
    > secure.
    >
    > Thanks.


    Essentially you are talking about creating the vlans centrally, using
    VTP to propagate out the VLANs, using your existing routers to service
    those networks (or perhaps consolidate those as well to a central l3
    switch or router). This isn't that difficult, and it depends if you
    are consolidating onto a catalyst or ios based switch for config
    references. You also would need to control 'security' at the
    routers. If you don't want traffic between subnets, you'll need to
    ensure that you aren't advertising the networks between your routers,
    or you have access-control lists if you are routing centrally.
     
    Trendkill, Feb 19, 2008
    #2

  3. tman

    tman Guest

    On Feb 19, 11:57 am, Trendkill <> wrote:
    > Essentially you are talking about creating the vlans centrally, using
    > VTP to propagate out the VLANs, using your existing routers to service
    > those networks (or perhaps consolidate those as well to a central l3
    > switch or router).  This isn't that difficult, and it depends if you
    > are consolidating onto a catalyst or ios based switch for config
    > references.  You also would need to control 'security' at the
    > routers.  If you don't want traffic between subnets, you'll need to
    > ensure that you aren't advertising the networks between your routers,
    > or you have access-control lists if you are routing centrally.


    My plan is to use one switch that has one VLAN to connect every pair
    of devices. Each pair of devices is on a separate network. Each
    port will be configured as an access port e.g. switchport mode
    access. There will be no connections from this switch to any other
    switches, thus no need for trunks. I am replacing several small
    switches. The switch is a Catalyst switch with IOS.

    Your comments will be welcomed.

    Thanks
     
    tman, Feb 19, 2008
    #3
  4. Trendkill

    Trendkill Guest

    On Feb 19, 5:02 pm, tman <> wrote:
    > My plan is to use one switch that has one VLAN to connect every pair
    > of devices. Each pair of devices is on a separate network. Each
    > port will be configured as an access port e.g. switchport mode
    > access. There will be no connections from this switch to any other
    > switches, thus no need for trunks. I am replacing several small
    > switches. The switch is a Catalyst switch with IOS.
    >
    > Your comments will be welcomed.
    >
    > Thanks


    Well, you can't use one vlan to merge layer 3 networks. I guess
    technically you can have one vlan, and the boxes will only be able to
    talk to other boxes in the same layer 3 address range, but all boxes
    would see broadcasts, etc, and it would be very bad practice.
    Additionally, if you ever need to route externally, this could get
    very very nasty. Perhaps I misunderstood your requirements, but I
    would connect all boxes to the switch, create vlans for each subnet,
    and let the router(s) control security via ACLs.

    If this is indeed not routing anywhere else, you can look into vlan
    security, and use things like private vlans. Generally this is for
    nodes that are all in the same layer 3 network, but you want to
    protect them from one another and only allow communications within a
    group or with the gateway. Here is a link.

    http://www.informit.com/articles/article.aspx?p=29803&seqNum=6
     
    Trendkill, Feb 19, 2008
    #4
  5. tman

    tman Guest

    On Feb 19, 3:16 pm, Trendkill <> wrote:
    > Well, you can't use one vlan to merge layer 3 networks.  I guess
    > technically you can have one vlan, and the boxes will only be able to
    > talk to other boxes in the same layer 3 address range, but all boxes
    > would see broadcasts, etc, and it would be very bad practice.
    > Additionally, if you ever need to route externally, this could get
    > very very nasty.  Perhaps I misunderstood your requirements, but I
    > would connect all boxes to the switch, create vlans for each subnet,
    > and let the router(s) control security via ACLs.
    >
    > If this is indeed not routing anywhere else, you can look into vlan
    > security, and use things like private vlans.  Generally this is for
    > nodes that are all in the same layer 3 network, but you want to
    > protect them from one another and only allow communications within a
    > group or with the gateway.  Here is a link.
    >
    > http://www.informit.com/articles/article.aspx?p=29803&seqNum=6


    This is a simplified view of what I have now:

    Three Separate Networks, three separate switches:

    Router1 ----- Switch1 ------ Router2

    Router3 ----- Switch2 ------ Router4

    Router5 ----- Switch3 ------ Router6


    What I Would Like to do if it is a good idea:

    Three separate networks, one switch with three vlans that do not
    communicate with each other.

    Router1 ----- Switch1, vlan1 ------ Router2

    Router3 ----- Switch1, vlan2 ------ Router4

    Router5 ----- Switch1, vlan3 ------ Router6

    Thus replacing three separate switches with one switch

    There are no routing protocols. The routers do not know about one
    another.

    Is this feasible? Is it secure?

    Thanks
     
    tman, Feb 20, 2008
    #5
  6. Trendkill

    Trendkill Guest

    On Feb 20, 12:16 am, tman <> wrote:
    > This is a simplified view of what I have now:
    >
    > Three Separate Networks, three separate switches:
    >
    > Router1 ----- Switch1 ------ Router2
    >
    > Router3 ----- Switch2 ------ Router4
    >
    > Router5 ----- Switch3 ------ Router6
    >
    > What I Would Like to do if it is a good idea:
    >
    > Three separate networks, one switch with three vlans that do not
    > communicate with each other.
    >
    > Router1 ----- Switch1, vlan1 ------ Router2
    >
    > Router3 ----- Switch1, vlan2 ------ Router4
    >
    > Router5 ----- Switch1, vlan3 ------ Router6
    >
    > Thus replacing three separate switches with one switch
    >
    > There are no routing protocols. The routers do not know about one
    > another.
    >
    > Is this feasible? Is it secure?
    >
    > Thanks


    Yes, that works fine. Provided you do not have routing turned up, and
    there will be no connections between the vlans, and the routers will
    not connect to multiple vlans and advertise networks, that will work
    absolutely fine. No traffic will cross vlans/networks with that
    configuration.
     
    Trendkill, Feb 20, 2008
    #6
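    To make the conditions in the reply above checkable against a real switch, here is an added Python example; it is not from the thread, from Cisco, or from either poster. It embeds a constructed Catalyst IOS config for the three router pairs in which the usual defaults that undo VLAN isolation were left in place (routing enabled, a port without an explicit access mode, a trunk, an unused port sitting in VLAN 1, an SVI), generates the corrected version, and audits both. Beyond what the thread states, the corrected version also sets VTP transparent, disables DTP with `switchport nonegotiate`, and shuts spare ports in a parking VLAN, which is standard practice for a standalone access-only switch. The hostname, port numbers, VLAN ids and the 192.0.2.1 address are all assumptions.

```python
"""Audit a Catalyst IOS config for the design agreed in this thread: one
switch, one VLAN per router pair, access ports only, no inter-VLAN routing.
Both configs are constructed for this example (hostname, port and VLAN
numbers and the 192.0.2.1 address are made up), not the poster's config."""
from collections import defaultdict

# Router pairs from the poster's diagram, one VLAN each (VLAN ids assumed).
ROUTER_PAIRS = {10: ("FastEthernet0/1", "FastEthernet0/2"),   # Router1, Router2
                20: ("FastEthernet0/3", "FastEthernet0/4"),   # Router3, Router4
                30: ("FastEthernet0/5", "FastEthernet0/6")}   # Router5, Router6

# Constructed "first attempt": pairs are split into VLANs, but defaults left
# in place (routing on, a port with no explicit mode, a trunk, an unused port
# in VLAN 1, an SVI, two router ports never configured) undo the isolation.
WEAK_CONFIG = """\
hostname edge-sw1
vtp mode server
ip routing
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/6
 switchport mode trunk
!
interface FastEthernet0/7
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
"""

def hardened_config(pairs, spare_ports, parking_vlan=999):
    """Corrected config: every port pinned as an access port in its pair's
    VLAN with DTP off, spares shut in a parking VLAN, no routing, no SVIs."""
    out = ["hostname edge-sw1", "vtp mode transparent", "no ip routing", "!"]
    for vlan, ports in pairs.items():
        for port in ports:
            out += [f"interface {port}", f" switchport access vlan {vlan}",
                    " switchport mode access", " switchport nonegotiate", "!"]
    for port in spare_ports:
        out += [f"interface {port}", f" switchport access vlan {parking_vlan}",
                " switchport mode access", " shutdown", "!"]
    return "\n".join(out) + "\n"

def parse_config(text):
    """Split IOS-style text into global commands and per-interface bodies."""
    global_cmds, interfaces, current = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" "):
            if current is not None:           # sub-commands of other modes are ignored
                interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces

def audit(config, pairs=ROUTER_PAIRS):
    """Return the list of findings; an empty list means the isolation holds."""
    global_cmds, interfaces = parse_config(config)
    findings, members = [], defaultdict(list)
    if "ip routing" in global_cmds:
        findings.append("global: 'ip routing' is on, so the switch itself could route between VLANs")
    if not any(c in global_cmds for c in ("vtp mode transparent", "vtp mode off")):
        findings.append("global: VTP not transparent/off; a standalone switch should not accept VLAN updates")
    for name, body in interfaces.items():
        if name.lower().startswith("vlan"):
            if any(cmd.startswith("ip address ") for cmd in body):
                findings.append(f"{name}: SVI with an IP address puts the switch inside that VLAN")
            continue
        if "shutdown" in body:
            continue                          # a shut spare port needs no further checks
        mode = next((cmd.split()[2] for cmd in body if cmd.startswith("switchport mode ")), None)
        if mode == "trunk":
            findings.append(f"{name}: trunk port carries every VLAN, and there is no other switch to trunk to")
            continue
        if mode != "access":
            findings.append(f"{name}: no 'switchport mode access', so DTP could negotiate the port into a trunk")
        vlan = next((int(cmd.split()[3]) for cmd in body if cmd.startswith("switchport access vlan ")), 1)
        if vlan == 1:
            findings.append(f"{name}: left in VLAN 1, the default every unconfigured port shares")
        members[vlan].append(name)
    for vlan, expected in pairs.items():      # each planned VLAN holds exactly its router pair
        found = sorted(members.pop(vlan, []))
        if found != sorted(expected):
            findings.append(f"vlan {vlan}: expected {sorted(expected)}, found {found}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", hardened_config(ROUTER_PAIRS, ["FastEthernet0/7"]))):
        print(f"== {label}:", *audit(cfg), sep="\n  ")
```

    Running it lists nine findings for the weak config and none for the hardened one. The audit is deliberately conservative: a port with no explicit `switchport mode access` is flagged even though many Catalyst models default it to access, because the point of the design is that no port can ever become a trunk, and a trunk on this switch would carry all three pairs' VLANs at once.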
  7. tman

    tman Guest

    On Feb 20, 2:52 am, Trendkill <> wrote:
    > Yes, that works fine.  Provided you do not have routing turned up, and
    > there will be no connections between the vlans, and the routers will
    > not connect to multiple vlans and advertise networks, that will work
    > absolutely fine.  No traffic will cross vlans/networks with that
    > configuration.


    Thanks for your help. I was having difficulty in describing what I
    wanted to do. Thanks for hanging in.
     
    tman, Feb 20, 2008
    #7
  8. Trendkill

    Trendkill Guest

    On Feb 20, 11:12 am, tman <> wrote:
    > Thanks for your help. I was having difficulty in describing what I
    > wanted to do. Thanks for hanging in.


    Not a problem, a diagram usually does it every time, even when it's a
    notepad diagram :).
     
    Trendkill, Feb 20, 2008
    #8
