Currently my company provides web hosting, internet access, colo, etc, but our colo solution is pretty insecure and not setup the best. Not too important because we only have a few customers.
I want to change this and actually have a decent setup. A portion of my current hardware is this:
Cisco 3660 -> Catalyst 2924XL
Currently, I have no VLANs set up on my Catalyst, so my colo customers and my network are both on open ports (though my network is behind a firewall). How does the normal setup look in this situation? Say I have my internal subnet numbered on FE0/0 on the 3660 as 10.0.0.1/24; should I just have a static route for my colo customers' subnet 10.1.1.0/24? If this is the case, can I have customers on separate VLANs using addresses from that range? Does it matter how I subnet it out per customer? And in that instance, what would my customers' subnet and gateway be?
I hope I'm properly describing what I'm looking for here. Just some help on a basic colocation setup.
Basically our colo customers will have different network sizes, /29's /26's etc. My plan is to generally assign /24's to the Colocation Ethernet interface on the router, but I'm just not sure of the best vlan setup on my switch, and how that (if at all) will affect my subnetting.
Generally, you set up the VLANs on subinterfaces; don't assign a /24 per interface. Say, for example:
! subinterface carrying VLAN 100; the first usable host of the /29 is the customer gateway
interface FastEthernet0/0.100
 encapsulation dot1q 100
 ip address 10.10.1.1 255.255.255.248
for a /29.
The overall interface doesn't have anything assigned to it.. The encapsulation dot1q 100 tells it that it is to pass that on to the switch as vlan 100 which you assign to your switch interface. The first switch in the line will act as the VTP server (Virtual Trunking Protocol) and then any switches beyond that will act as VTP Clients.
VTP is actually very dangerous if you don't thoroughly understand it. You can easily remove all of your VLANs from your entire switch fabric by misconfiguring a single device. While it can be convenient in an all-Cisco switching environment, we never recommend the use of VTP because of the opportunity for a small mistake to cripple an entire VTP domain.
Thanks for the link to VTP. I think I'm just at the beginning of understanding Vlans and don't think I want to get into VTP yet. I'm a former CCNA but have always worked on the router side, not switching. Also, I do not seem to have the encapsulation option for the ethernet interface on my switch or router.
I'd like to sort of draw how I'm thinking things should be setup. If everyone could take a look and correct me I'd appreciate it.
Cisco3660 - FE0/0 numbered 10.0.0.1/24 (internal LAN)
Static routes for colo customers - ip route 192.168.0.0/24 FE0/0
Catalyst 2900XL VLAN1 - My internal network
VLAN2 - My first customer (1 port on switch)
My first customer then could say use:
192.168.0.0/29 with a gateway of 10.0.0.1
Then so on and so forth for additional customers, all using gateways of 10.0.0.1.
So please correct away at my thoughts here. Some basic questions that arise out of this: Do customers have to be subnetted at the router level? Will customers be able to reach the gateway if separated by the VLAN?
Sorry if I seem like an idiot, I'm a layer 3 guy. I always liked the idea of using a "dumb switch" but obviously that's not the best setup in this situation.
Last edited by craigeb252; 04-28-2005 at 08:51 AM.
There's really only one way to do this with the equipment you have.
As lumbyjj said above, you'll need sub-interfaces on your 3660's interface pointing to your switch. Each sub-interface will be encapsulated dot1q and have an IP address on it in a different subnet. That IP address will be the gateway IP for the server or servers on that subnet.
You'll trunk from your router to your switch and then assign ports on the VLAN's from there.
Don't take this the wrong way, I'm not sure how else to say this. If you're a "former CCNA" you should know this. You should be able to subnet in your head (subnet calculators are for babies) and you should DEFINITELY know that 192.168.0.0/29 can't use a 10.0.0.1 gateway. Not on the same network. Any "Layer 3" guy would know this, Cisco or not.
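To make the sub-interface and trunk layout described in this reply (and in lumbyjj's earlier one) concrete, here is a complete router-on-a-stick configuration for the 3660 and 2924XL pair. This is an added example, not configuration posted by anyone in the thread. It assumes the 3660 trunks to the switch on FastEthernet0/1 (FE0/0 stays the internal 10.0.0.1/24 LAN as the original poster has it), that the 2924XL runs an IOS image with 802.1Q trunking, and it uses constructed addressing carved out of the 192.168.0.0/24 mentioned above: 192.168.0.0/29 for customer 1 on VLAN 2 and 192.168.0.64/26 for customer 2 on VLAN 3. Each customer's gateway is the first usable address inside its own subnet, so no static routes are needed; the subnets are directly connected on the sub-interfaces. VTP is left in transparent mode on the switch, per the warning earlier in the thread, so VLANs are created locally and cannot be wiped by another switch's advertisement.

```ios
! ===== Cisco 3660 (router on a stick) =====
interface FastEthernet0/0
 description Internal LAN (unchanged from original poster's layout)
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 description 802.1Q trunk to Catalyst 2924XL (assumed port)
 no ip address
!
! One sub-interface per customer VLAN; the router address is that customer's gateway.
interface FastEthernet0/1.2
 description Customer 1 - 192.168.0.0/29 (constructed)
 encapsulation dot1Q 2
 ip address 192.168.0.1 255.255.255.248
!
interface FastEthernet0/1.3
 description Customer 2 - 192.168.0.64/26 (constructed)
 encapsulation dot1Q 3
 ip address 192.168.0.65 255.255.255.192
!
! No "ip route" lines are needed for customer subnets: they are connected routes.

! ===== Catalyst 2924XL =====
! VLANs on 2900XL-series IOS are created in VLAN database mode.
vlan database
 vtp transparent
 vlan 2 name CUSTOMER1
 vlan 3 name CUSTOMER2
 exit
!
interface FastEthernet0/24
 description Trunk to 3660 FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Customer access ports: one VLAN each, edge-port spanning tree, no CDP leakage to tenants.
interface FastEthernet0/1
 description Customer 1
 switchport access vlan 2
 spanning-tree portfast
 no cdp enable
!
interface FastEthernet0/2
 description Customer 2
 switchport access vlan 3
 spanning-tree portfast
 no cdp enable
```

Customer 1 would then be told to use addresses 192.168.0.2 through 192.168.0.6 with gateway 192.168.0.1, and customer 2 would use 192.168.0.66 through 192.168.0.126 with gateway 192.168.0.65. Because each tenant sits in its own VLAN, a loop or broadcast storm inside one customer's cabinet stays inside that VLAN instead of taking down every port on the switch.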
It is good that you are asking these questions now, regardless of your actual technical knowledge or achievements.
If you are selling bandwidth to paying customers, it is foolhardy not to separate them into their own VLANS. I don't want to turn this into a tutorial for you <<Snipped self promotion>> but from a colocation business point of view I can tell you two words that can ruin you if you do not get your VLANs set up.
Those two words are: Broadcast Storm
Customers get creative, they put in their own switches, their own (doh) hubs, they daisy-chain them, they come up with horrible cowboy band-aid solutions, and eventually they slip a loop past spanning tree.
One single VLAN for all customers == Complete Outage of your Entire Customer Base when One Customer makes One Mistake.
That is just simply not acceptable. I guarantee that the bandwidth you yourself are paying for is on its own VLAN, and if not, get the hell out of there.
Last edited by anon-e-mouse; 05-13-2005 at 11:34 PM.