Creating VLANs at core layer switches?

Is there a need to create VLANs at core layer switches? If yes, what are the pros and cons of this practice?
Actually, I have seen some networks doing that!

Well, this is the topology that I'm working on.
We have implemented the 3-layer approach.
1. At access layer: Switches are all L2 (for sure :) )
2. At distribution layer: All switches are L3 and route incoming data.
3. At core we have 2 6500 switches. One is configured as L3 and all VLANs are created in it. The second is just a regular L2 device.
And of course there are some switch blocks for server farms and the like.
My issues are:
1. Why don't we create VLANs at distribution layer switches?
2. Why is one core switch acting as L2 and the other acting as L3? What will happen in case of failure of the one acting as L3?
PS: the second issue just came to my mind.

Similar Messages

  • Core layer switches IP address for routing

    For routing process I add a IP address of each Vlans subnet that active on each Access and Distribution switches (Have a port with that Vlan on the switch) to the corresponding Vlan Interface of them.
    Which IP address should I add to the Core switch for routing?
    Should I add a IP of each vlan that in the LAN to each vlan interface of Core layer switch?
    I want run OSPF routing protocol on the LAN.

    Hello Reza,
    >> Which IP address should I add to the Core switch for routing?
    If you want to implement a L3 routed core, every link between a core device and a distribution device is a L3 link with its own IP subnet.
    For example if you have 16 distribution pairs and two core switches:
    10.10.10.0/30 dis11 to core1
    10.10.10.4/30 di12 to core2
    10.10.10.8/30 dis21 to core1
    10.10.10.12/30 di22 to core2
    10.10.10.128/30 disF1 to core1
    10.10.10.132/30 disF2 to core2
    this under the idea to have not a full mesh between core routers and distribution devices
    then you need also a L3 link between the two cores (at least one)
    Each L3 device should also have a loopback interface to be used as OSPF router-id and for management purposes (telnet and so on)
    you can use /32 loopbacks taken from same block for example
    10.255.254.1/32 core1
    10.255.254.2/32 core2
    10.255.254.3/32 dis11
    10.255.254.4/32 dis12
    to make the routing function the core switches have to talk OSPF on all links to distribution nodes
    router ospf 10
    router-id 10.255.254.1
    network 10.10.10.0 0.0.0.255 area 0
    network 10.255.254.1 0.0.0.0 area 0
    network area commands work like ACL statements and first statement starts OSPF on each interface whose ip address belongs to 10.10.10/24 space
    Second command is used to advertise its own loopback.
    router-id command allows to define the OSPF router-id.
    Distribution nodes have to advertise client Vlans and to take part in OSPF communication on point to point link.
    if you use a L2 access layer design client vlans are served by distribution nodes.
    if you use a L3 access layer design the access layer switches take part in OSPF and have to advertise their own client vlans.
    Hope to help
    Giuseppe
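The wildcard matching behind the two `network ... area` statements in the answer above, as an added example that is not part of the original thread. The interface names, the host addresses chosen inside each /30, and the `Vlan99-mgmt` and `Vlan50-lab` interfaces are constructed; statements are modelled as first match in listed order, following the ACL analogy in the post.

```python
import ipaddress

# "network <address> <wildcard> area <id>" statements from the post (core1).
CORE1_STATEMENTS = [
    ("10.10.10.0", "0.0.0.255", 0),
    ("10.255.254.1", "0.0.0.0", 0),
]

# Constructed interface table for core1: the uplinks and the loopback follow
# the post's addressing plan; interface names and Vlan99 are hypothetical.
CORE1_INTERFACES = {
    "uplink-dis11": "10.10.10.1",
    "uplink-dis21": "10.10.10.9",
    "uplink-disF1": "10.10.10.129",
    "Loopback0": "10.255.254.1",
    "Vlan99-mgmt": "192.168.99.1",
}


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, network, wildcard):
    """True if address equals network on every bit where the wildcard is 0."""
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care_bits) == (_to_int(network) & care_bits)


def ospf_area_for(address, statements):
    """Area of the first statement that matches, or None (OSPF not enabled)."""
    for network, wildcard, area in statements:
        if wildcard_match(address, network, wildcard):
            return area
    return None


def ospf_map(interfaces, statements):
    """Interface name -> area (None where no statement matches)."""
    return {name: ospf_area_for(addr, statements)
            for name, addr in interfaces.items()}


def unintended_ospf(interfaces, statements, intended):
    """Interfaces a statement enables OSPF on that are not in `intended`."""
    return sorted(name
                  for name, area in ospf_map(interfaces, statements).items()
                  if area is not None and name not in intended)


if __name__ == "__main__":
    for name, area in ospf_map(CORE1_INTERFACES, CORE1_STATEMENTS).items():
        state = f"area {area}" if area is not None else "not in OSPF"
        print(f"{name:14} {CORE1_INTERFACES[name]:15} {state}")

    # A broader, constructed statement also covers an interface that was
    # never meant to form adjacencies (Vlan50-lab is hypothetical).
    broad = [("10.0.0.0", "0.255.255.255", 0)]
    ifaces = dict(CORE1_INTERFACES)
    ifaces["Vlan50-lab"] = "10.50.0.1"
    intended = {"uplink-dis11", "uplink-dis21", "uplink-disF1", "Loopback0"}
    print("unintended:", unintended_ospf(ifaces, broad, intended))
```

Running the same check against a device's real interface list shows which interfaces a given wildcard would pull into OSPF before the statement is applied.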

  • Is it recommended to use HSRP or multiple default between Core Layer Switch and Customer Edge Router?

    My client is asking me for following
    Client is using Router as edge device. 2 WAN links from different service providers (each 20 Mbps) are getting terminated on the router. There are internal servers present in the network. Client wants to make a setup such that even if one WAN link fails, internet users should be able to access the web server. Moreover, if the edge router fails there should be a secondary edge device so that there is device redundancy?
    As per my understanding, in this scenario we need to do static one-to-one natting (belonging to WAN interface subnet). If we use two routers as Customer edge and if we connect the core layer switch to these two routers, is it recommended to use HSRP/VRRP/GLBP or two default routes on the core switch pointing to the two routers with equal AD value? We will also track the WAN link with the help of IP SLA.
    Which is the recommended solution: router redundancy protocol or default routes?

    Just had another read of this post and some other points have come up.
    1) I assumed your secondary link was for redundancy but you talk about terminating both SP links on the same router in your first paragraph.
    Did you mean this or are you going to be terminating a link per router ?
    2) are you using the second router purely for backup ?
    3) something you didn't ask about but is relevant is the IP addressing. Are you using provider independent addressing or does each SP provide you with an address block.
    If it is the second then you are going to have an issue with the web server. The problem is which provider's IP do you use for the web server ie.
    if you use the primary provider IP then that will be the DNS record on the internet. If the primary router fails then the IP address will change on the secondary router but DNS will still be handing out the primary IP.
    If you enter both IPs (primary and secondary) into DNS then you would get load balancing but this means both links will be used and the secondary would not just be backup.
    In addition if one of the links fails then DNS does not know this so it will still be handing out the failed address as well as the address that is still up which means some connections will work and some won't.
    Jon

  • How to span vlans across core layer in core/distribution/access campus design?

    Hi,
    I studied Cisco Borderless Campus Design Guide 1.0 (http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1-0/Borderless_Campus_1-0_Design_Guide.html) last week because we plan to redesign our campus backbone to a three tier Core/Distribution/Access Design.
    Today we use a collapsed backbone where a lot of vlans are spanned across the backbone because they are needed in different buildings.
    Could anybody give me a hint how Cisco recommends to deal with that kind of vlans in the multi-tier design?
    In my eyes between core and distribution layer there is only routing functionality and no l2 transport of vlans.
    So using the same vlan in different buildings seems not to be supported?
    Best Regards,
    Thorsten

    Thorsten
    Just to add to Joseph's post.
    It is quite common for a vlan to be spanned when it doesn't actually need to be ie. the network has evolved that way.
    Most things do not need L2 adjacency, they can happily use L3. Servers sometimes do but in the campus design your servers are usually located in one site so you don't need to extend vlans to other sites in your campus.
    Not suggesting this is the case for you but it may be worth checking whether you really do. (apologies if you already have)
    As Joseph mentioned you really want to avoid it if at all possible ie. ideally all connections to the core switches are L3 ie. no need for vlans at all in the core.
    If you need to extend a few vlans then you can do this but still route for all other vlans ie. you would configure your distribution to core connections as trunks and then allow the vlans you need to extend plus one other vlan, unique per distribution pair, to route all other vlans. So per site your distribution switches route all vlans except the extended vlans and if they need to route to a vlan in another site they use that unique vlan.
    But this is not ideal because you then need to extend certain vlans across the core and because you are using L2 connections STP could come into it although that does depend on your core switch selection eg. 4500/6500 VSS etc. would alleviate this.
    There are ways to extend vlans across a L3 network but the solutions available are very much dependant on the kit you use and their capabilities so if you do need multiple vlans in multiple sites but still want to keep a L3 core you may want to investigate some of those before purchasing kit (unless of course you have already purchased it).
    What you do really depends on just how many vlans you actually need to extend between sites.
    Jon

  • Route or switch on the core Layer

    I am working on a new network design for my company with four buildings, I have used building distribution method for all buildings, my design seems to be functioning properly, I have configured vlans and eigrp routing on the distribution switches as you can see on the diagram, but used the four core layer switches just for switching not routing and I did not configure any routing on them, I would like to know if this is good design or do I need to configure routing on the Core Layer as well

    There is no right or wrong answer to this. Originally the recommendation was to switch in the core ie. use only L2 because L2 switching was fast and L3 routing was slow. But then L3 switches appeared and the recommendation was to use L3 to connect to the core.
    But both are just recommendations. You don't have to follow the guidelines slavishly.
    Having said that, looking at your design there are a lot of redundant paths between switches. This means lots of loops and using L2 will mean blocked paths in the core and potentially blocked paths to and from the core. If you used L3 connections from the distribution to the core and between the cores you would be able to utilise all the links and hence get more bandwidth.
    In addition if a link failed you would not be reliant on STP to bring up a redundant path as all paths would be in use (although you should still run STP).
    Couple of other points -
    1) you have 4 switches in the core - what is the reasoning behind this ? is it distance limitations between buildings ?
    2) your addressing. Ideally you would want to be able to summarise from one building to the other so it would make more sense to have all the 192.168.x.x networks in one building and all the 10.x.x.x networks in the other. Actually it would make more sense to decide on an IP range ie. 10.x.x.x or 192.168.x.x (not both) and then use summarised ranges for each building.
    Jon

  • Different VLANs on different switches

    In short, I have two SRW 2024 switches connected together. The first one goes to the router, ASA 5510 (supports inter-vlan routing), on the native VLAN and the second one is trunked on port 12 to the first one. I have been doing lots of research and have found ambiguous answers to my question. My question is can I have different VLANs on different switches? Meaning can I have VLAN 10 on the first switch and VLAN 20 on the second but not have VLAN 20 on the first and VLAN 10 on the second? So far, I have heard that I HAVE to have identical VLANs on both switches in order for them to be able to talk to each other and I have also heard that that is not true because I can setup routes on my router to make them talk to each other and get on the internet... Does anyone have a definitive answer to my question? I am totally pulling my hair out on this one...

    Well, reading this post now makes me wonder if we have the same understanding.
    What do you mean with "have VLAN 10 on the first switch" etc.? What do you mean with "have"?
    If you connect the ASA to switch 1, and switch 1 to switch 2. If you use VLAN 20 on the second switch and you want to give VLAN 20 access to the internet through the ASA switch 1 must know about the existence of VLAN 20. The switch will only forward frames for VLANs it knows of. If VLAN 20 does not exist on switch 1 VLAN 20 cannot pass through switch 1.
    If you use VLAN 10 only on switch 1 and not on switch 2, you could omit VLAN 10 on the second switch as no VLAN 10 traffic has to go to switch 2. However, generally it is better to have all VLANs on both switches because it makes management easier.
    This has nothing to do with routing, though, as the SRWs are only layer 2 switches. Routing allows you to connect a VLAN to another VLAN or LAN or internet.
    Think of a single VLAN like a normal switched LAN. Different VLANs are just like different, physically separated LANs.
    If you want to allow traffic between these separated LANs you'll need a router which routes traffic between them.
    A managed switch with VLANs allows you to run these different LANs on the same hardware, making the individual VLAN assignments configurable.
    A port on a managed switch usually is in one of two modes:
    * access mode: an access mode port connects to a normal device like a desktop, printer, or similar. An access mode port can be member of a single VLAN only, i.e. you have to decide to which VLAN it is supposed to belong to. In your case, you configure an access mode port for either VLAN 10 or VLAN 20.
    With a single switch things are clear now: some ports are VLAN 10 and some ports are VLAN 20. VLAN 10 can talk to each other. VLAN 20 can talk to each other. No traffic passes between VLAN 10 and VLAN 20.
    Of course, now you want to connect this switch to some other network devices, in particular the second SRW because you need additional ports or you have an additional location. And there is the ASA which provides internet access for these VLANs.
    * trunk mode: This is where trunk mode comes in. A trunk mode port can carry multiple VLANs on a single port. This is done using 802.1q tags. 802.1q tagged ethernet frames have an additional field for the VLAN to which the frame belongs to. With this, a switch can send frames for VLAN 10 and VLAN 20 through a single port to another switch or router. Each frame sent is tagged with 10 or 20 depending on which VLAN the frame belongs to. The receiver will accept each frame and assign it to the corresponding VLAN on the receiving side. This way the receiving switch or router is able to keep those VLANs strictly separated.
    So let's say you want two VLANs 10 & 20 in your network. You would create VLANs 10 & 20 on your ASA and both SRWs. (Create only means that the device knows this VLAN exists and is able to handle traffic for this VLAN). You would configure LAN port 1 of your ASA as trunk with members VLAN 10 & 20. You configure port 1 & 24 of your first SRW in trunk mode with members VLAN 10 & 20. You configure port 1 of your second SRW in trunk mode with members VLAN 10 & 20. Now you wire port 1 of your ASA to port 1 of your first SRW. Then you wire port 24 of your first SRW to port 1 of your second SRW.
    This creates the VLAN trunk through your network. Traffic in both VLANs can travel through this trunk between the switches and to the ASA and from there, if properly routed, into the internet.
    In a very simple scenario you configure all remaining ports in access mode. For each access mode port you define whether this port belongs to VLAN 10 or 20. If port 2 is in access mode and member of VLAN 10 then the device connected to port 2 is in VLAN 10.
    You are completely free how to assign the VLANs. If you assign ports 2-24 on switch2 to VLAN 20 and ports 2-23 on switch 1 to VLAN 10 this is fine. In this case, you could reduce the VLAN configuration a little by not creating VLAN 10 on the switch 2 and not adding VLAN 10 on the trunk ports connecting switch1 and 2. However, as mentioned before, I would recommend not to do so. If at some point you decide to have a port in VLAN 10 on the second switch everything would already be set up if you created the VLAN 10 on the second switch and added it to the trunk.
    You must create all VLANs on your ASA and the first switch in your case. VLAN 20 traffic has to travel through switch 1 (even if there is no end device connected to VLAN 20 on switch 1). Thus, VLAN 20 must exist on switch 1 and the trunk between the ASA, switch 1 and switch 2 must carry VLAN 20 for traffic to pass through. If VLAN 20 did not exist on switch 1 no VLAN 20 traffic could travel through switch 1.
    As you only have two switches you will only have a few VLANs which you should be able to create in the beginning. If you really have to add a new VLAN you have to touch both switches and the ASA. But with some planning, it should not be necessary to add VLANs later. With two 24 port switches you won't have more than 48 VLANs anyway.
    Your VLANs "terminate" on the ASA. The ASA is a 802.1q capable router. You can trunk your VLANs to the ASA. The ASA allows you to define gateway interfaces in each VLAN which will operate as gateways for each VLAN. Through that VLANs can talk to the internet. You can also configure the ASA to allow inter-vlan-routing, i.e. let specific traffic be routed from one VLAN to the other. For instance, if you have a printer in one VLAN you could allow traffic to this printer from the other VLAN while still blocking any attempt to access other devices on the other VLAN.
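The trunk behaviour described in the answer above, as an added example that is not part of the original thread: 802.1Q tagging of a frame, and a two-switch model in which a frame only crosses switch 1 if its VLAN exists there. The trunk port numbers follow the post; the access port, MAC addresses and payload are constructed, and the `Switch` class is a reduced model, not the SRW's behaviour in every detail.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed Ethernet frame: dst MAC, src MAC, EtherType 0x0800, payload.
FRAME = bytes.fromhex("ffffffffffff" "020000000020" "0800") + b"constructed payload"


def tag_frame(frame, vlan_id, priority=0):
    """Insert a 4-byte 802.1Q tag after the two MAC addresses (12 bytes)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame):
    """Return (vlan_id, untagged_frame), or (None, frame) if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Switch:
    """Layer 2 switch reduced to a VLAN database, access ports with one
    VLAN each, and trunk ports with a list of member VLANs."""

    def __init__(self, name, vlans):
        self.name = name
        self.vlans = set(vlans)   # VLANs "created" on this switch
        self.access = {}          # port -> VLAN ID
        self.trunks = {}          # port -> set of member VLAN IDs

    def receive(self, port, frame):
        """Classify an incoming frame: (vlan, untagged frame) or None if dropped."""
        if port in self.access:
            vlan, inner = self.access[port], frame
        else:
            vlan, inner = read_tag(frame)
            if vlan is None or vlan not in self.trunks.get(port, ()):
                return None
        # A switch only forwards frames for VLANs it knows of.
        return (vlan, inner) if vlan in self.vlans else None

    def send_on_trunk(self, port, vlan, inner):
        """Tag the frame for the trunk, or None if the VLAN is not carried."""
        if vlan not in self.vlans or vlan not in self.trunks.get(port, ()):
            return None
        return tag_frame(inner, vlan)


def build(sw1_vlans):
    """ASA port 1 <-> SRW-1 port 1, SRW-1 port 24 <-> SRW-2 port 1."""
    sw1 = Switch("SRW-1", sw1_vlans)
    sw1.trunks = {1: {10, 20}, 24: {10, 20}}
    sw2 = Switch("SRW-2", {10, 20})
    sw2.trunks = {1: {10, 20}}
    sw2.access = {2: 20}          # hypothetical host port in VLAN 20
    return sw1, sw2


def path_to_asa(sw1, sw2, access_port, frame):
    """Follow a frame from an access port on switch 2 to the ASA-facing
    trunk of switch 1. Returns the VLAN ID the ASA sees, or None if dropped."""
    got = sw2.receive(access_port, frame)
    if got is None:
        return None
    on_wire = sw2.send_on_trunk(1, *got)
    if on_wire is None:
        return None
    got = sw1.receive(24, on_wire)
    if got is None:
        return None
    on_wire = sw1.send_on_trunk(1, *got)
    return None if on_wire is None else read_tag(on_wire)[0]


if __name__ == "__main__":
    print("VLAN 20 created on switch 1:", path_to_asa(*build({10, 20}), 2, FRAME))
    print("VLAN 20 missing on switch 1:", path_to_asa(*build({10}), 2, FRAME))
```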

  • Creating VLAN on Cisco 3800 Series

    Hello
    I am new to networking. We have a Cisco 3800 series router with 64 ports. We have connected servers and PC's directly to the back of the router. Almost all of the ports are used with the exception of few. We would like to create a VLAN for the remaining few ports. I am able to telnet to the router or connect directly using hyper terminal.
    I have been told that we cannot create VLAN's directly on the router. For that purpose we need to first get a switch and connect the switch to the router, then create VLAN’s using the switch. Can someone please provide some tips? Any suggestions would be nice…Thanks

    Appreciate you getting back. Here is the "show vlan-switch" output
    ----------------------->
    #show vlan-switch
    VLAN Name                             Status    Ports
    1    default                          active
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active
    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    1    enet  100001     1500  -      -      -        -    -        1002   1003
    1002 fddi  101002     1500  -      -      -        -    -        1      1003
    1003 tr    101003     1500  1005   0      -        -    srb      1      1002
    1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
    1005 trnet 101005     1500  -      -      1        ibm  -        0      0
    ---------------------->
    As before I do not see any VLAN's set up. How come all the ports are not showing up on default VLAN 1. Maybe I can create a new VLAN and assign 2 or 3 ports to it. Please advise...Thanks

  • Dynamic VLAN assignment and Layer 3 switching on 300 series

    I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
    So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right?
    I'm new to VLAN configuration and layer 3 switching so I wanted to check my understanding. Doesn't this limitation significantly reduce the usefulness of the DVA feature?
    I may well be confused and missing something regarding how this is typically used..

    Hello Glenn,
    Your concept about packet forwarding is correct. With a layer 2 switch, there must be something directing traffic with multiple subnets for intervlan communication or something that provides an IP route to give the request a path back for the request.
    The usefulness for the DVA feature, is not particularly limited to the switch as the switch will correctly assign the VLAN for you, as VS the L3 switch mode, you're dealing with IP addresses. In any scenario, you're going to require a router to get to the internet since the switch does not support NAT.
    Additionally, if your router does not support VLAN, the L3 switch feature would still be the solution since you should be able to make a static route pointing back to the switch to allow any subnet to traverse the single media. It would still beg the question, how to assign VLAN dynamically.
    The answer, although (in my opinion is terrible) would be GVRP.  But, this application would require ALL of your network cards to be GVRP Enable / Capable which most likely is not the scenario for you (or most anyone else for that matter).

  • Multiple VLANs through to layer 2 switch

    So long as each switch supports VLANing (which most manageable switches do), then yes. Some model numbers on the switches would help here though to be sure.
    Also, keep in mind that assigning VLANs is a layer 2 function, not layer 3. So long as you tag the VLANs you need to pass between the switches on the feed ports between them, you should be able to have them running without issue.
    Could you provide a little more detail as to what you're trying to accomplish so that we can better advise you how to proceed?

    Hello,
    Is it possible to send multiple vlans across a layer 3 dell powerconnect to a Meraki layer 2 switch and configure the ports to access the different vlans? 
    Is it also multiple vlans across a layer 3 dell powerconnect to a layer 2 dell powerconnect switch and configure the ports to access the different vlans? 
    I've been playing around with this and I can't seem to get it done.
    Thanks for any help in advance.
    This topic first appeared in the Spiceworks Community

  • Switches for Access, Distribution, and Core Layer

    I have this case study in school and we are tasked to build a network in a school. So we've decided to use the three layer hierarchical model. I'm not sure about what switch is best for these layers but I've decided that I'll use 3750 for the Access layer, 4500E for the Distribution layer, 6500 for the Core layer. Are these the ideal switches for each layer? If not, could you suggest any switch that is better than the current? Need your suggestions or thoughts about this. Thanks in advance!

    Hi Seb, thanks for replying. My groupmates and I have already decided that we're going to have a distribution layer. So basically, is 3750 enough to be the backbone/core of the network? We're configuring the to have a Layer 3 design so that makes me choose on 3750 on distrib and core rather than 2960 switches cause I think that's better than Layer 2 though I don't know specifically what makes it better. Do you know? So I could have a thorough explanation when I present it to my professor. As for the budget, the case study didn't give us any limit so I think layer 3 would be a better choice than layer 3. Thanks Sib, appreciate it.

  • WS-C3560X-24 needs to be connected with another WS-C3560X-24 core layer 3 switch.

    I got new task moving WS-3560X24 port layer 3 core switch from one branch to be moved to my branch and connect WS3560 layer 3 core switch my site network. Both core switches have got 3-4 cisco 2960 switches underneath and lots of vlans of course. I am thinking about creating etherchannel between these two switches.
    Any suggestion and advice will be highly appreciated.
    Thanks in advance.

    So today you have one core 3560X switch with layer 3 interfaces for all the VLANs which go out to your Access layer 2960 switches - correct?
    We would typically see a core (Cisco would call it "distribution" layer in such a case because they don't consider the 3560 full-featured or powerful enough to call it a "core" switch) made up of dual switches connected with a trunk port (may be multiple physical ports in a port channel for higher availability and throughput). Each access switch has trunk port connections to core switch #1 and #2. At layer 3, core switch #1 and #2 setup hsrp groups for all VLAN interfaces.
    That's the high level approach that most closely resembles a reference architecture. Have a look at the "LAN Baseline Architecture Overview-Branch Office Network" document for more information.

  • Packets dropped to Access layer switch???

    We have a 6509 running in Native IOS that has 2gb port channels connecting to our 7 access layer switches. About a week ago we were working with Remote span vlans and added a remote span from the 6509 to our other core (6513) which is connected via a 20Gbps portchannel. We began to notice that a lot of people were calling in reporting devices as being slow and we noticed that from the 6509 (Which was the root bridge) we were discarding millions of packets on the transmit side of our access layer switches. We took out the remote span but it appears that we are still discarding packets. There are no input or output errors on either side. The Remote span VLAN does not exist on the access layer switch's VLAN database. Does anybody have any idea what we should be looking for?

    You can use an acl to match the number of packets that come into / out of each of the devices. Simply use two lines in each acl where on the first line you match the packet in question and on the second line you have "permit ip any any" so you don't block any packets. Then simply apply the acl either inbound or outbound on the interface in question. If you want more than one acl on a given device, such as inbound one interface and outbound another, be sure to use two different acl numbers.
    create the acl's and apply them
    ensure there isn't an active call
    clear access-list counters on all devices where you configured the acl's so we ensure all of them are set to 0

  • In a huge campus network design, should be the Core layer operate on L3 if the Distribution is operating on L3?

    Or the routing overhead is less if the Core is operating on L2?
    For example:
    Wan routers and Dist L3 switches connect to Core switches (L2)
    Access layer L2 switches connects to Dist.
    So Access layer SW's do Diffserv marking, Dist layer switches do queuing, the inter vlan routing as well as routing and the core only forwards traffic based on L2.
    Is it a valid design? Should the core also have QoS?
    Thanks!

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of   the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Yes, you can have a L2 core, but as Rick has noted, modern designs lean toward L3 cores.
    There are, even today, pros and cons to each, but the biggest factor would be a modern L3 core would normally use L3 switches, rather than traditional routers.  Generally you want the core to move packets as quickly as possible, and L2 switches were generally better at that than "traditional" routers.  L3 switches, though, have nearly L2 switch performance, so the performance difference isn't much of issue any longer (especially with CEF L3 switches and/or MPLS).
    BTW, not something you'll see in many current design documents, but modern L3 switches are so powerful and support so many ports, that you might have distribution and access just L2.
    If you're doing QoS, yes I would recommend it also be enabled in the core too, L2 or L3.

  • Problem in creating Vlan on 3550

    hi,
    I have done stacking between two 3550 switches. On one switch already a Vlan is created and network is running. On another switch I have created another Vlan using "int Vlan 79" command and gave an ip address for that VLAN. Enabled routing for this ip address and configured many ports to access this VLAN and connected PCs also. When I give command "sh vlan id 79", the message is "No VLAN is found in database". I have checked the VTP domain mode it was in client mode, then I converted it into server mode, reboot the switch and create Int Vlan again. Result was same. Then just for trying I put command "VLAN 79" in config mode and now everything is running fine. It is showing it in database also.
    My question is when we put "Int Vlan" command, generally it creates the VLAN, then why I need to put VLAN 79 command.
    This is problem related to concept.
    Looking forward for the suggestions.
    Thanks

    Hi Kanupriya,
    When you run the command "Int vlan 79" and assign an IP to this, you are actually creating a SVI or the layer-3 virtual interface on the switch. This will not create Vlan 79 as a L-2 vlan in the Vlan database. When you run the command "Vlan 79" that created the Vlan 79 in the Vlan database and you were able to see that Vlan interface. Remember to first define a L2 vlan in Vlan database always, then configure the ports on this vlan and then define the L3 SVI.
    You can also configure the L2 vlan by going into vlan database:
    Switch# Vlan database
    Switch(vlan)# Vlan 79 name V79
    Switch(vlan)#exit
    HTH,
    -amit singh

  • Help create VLAN for home use.

    I use Cisco switch SG300 and SG200 series. I set my home network as attach picture.
    I want set up VLAN with these condition
    1.Every port can connect to internet through ADSL router.
    2. VLAN10 (Home alarm and IP camera) can access by internet, connect by access point and PC file server
    3.Every port can connect the PC file server
    I am new for network and fail to try setup myself and not understand static route.
    Thank you.
    Jarey

    Hi Jarey,
    Are you sure you want to do this on the switch as opposed to the router? Are you going to use static IP addresses for the vlans or do you want your router to issue DHCP?
    To proceed, using the switch for inter-vlan routing, make sure the SG300 is in layer 3 mode.
    1. If you are currently in layer 2 mode, open a CLI connection and issue command:
    set system mode router
    Take note that this will delete your current config and the switch will reboot.
    2.  Create the vlans on your switch under VLAN Management -> create vlan
    3. Go to IP Configuration -> ipv4 interface and assign each vlan a static IP for the switch in the subnet for the new vlan
    4. Vlan Management -> Interface settings. I would leave all the ports as trunk ports, or change the ports to trunk if you have previously changed them.
    5. Vlan Management -> Port VLAN membership. Assign your vlans to the appropriate ports.
    6. When everything is all plugged in, you should be able to see the switch created static routes for you already under IP Configuration -> IPV4 static routes. Make sure all your subnets are there and are showing route type local
    7. You may need to add a route such as 0.0.0.0 with the next hop being your router
    At this point, you should be up and running, with all vlans connected to each other and to the internet.
    If you want to restrict access across the vlans, you'll have to create access control lists.
    You need to first create an ACL (Access control -> IPV4 based ACL) and give it a name. then go over to IPV4 based ACE where you put the actual access control rules.
    This is a sample set of rules I made, it will block all access between two subnets (each vlan you created above will have to be its own subnet) and allow certain traffic such as 3389 - remote desktop, etc. You'll need to customize based upon your needs and subnet IPs. So for ex, to allow the Xboxes to access the file server, rather than any - any, you put the xbox subnet or specific IPs as the source, the file server as the destination, and the ports used as source ports. Remember to make the converse of the rule as well.
    Then, go to Access Control -> ACL bindings and bind the access control list to the applicable ports.
    Hope that helps, good luck with your set up.
    Best,
    David
    Please remember to rate helpful posts and identify correct answers.
