Configuring VLANs on a Cisco Catalyst 3550

Many network administrators discover over time that the traffic on their network exceeds what a single flat switched network handles well.  To relieve the strain, improve speed for users, and provide some security for the infrastructure, it becomes advantageous to segment the network into virtual local area networks (VLANs).  The process is simple, but the layout needs to be thought out in advance.


A traditional small business network consists of some form of internet connection, a firewall, a switch, a couple of servers and user workstations.  The discussion below does not go too in-depth into programming your switch for VLANs.  It assumes that the reader can follow the documentation provided with their device.  If you would like assistance in designing and implementing a solution, feel free to contact me and we can discuss a solution that fits your needs.


Standard Network

Though this configuration is fine, as a network grows it becomes necessary to isolate traffic to reduce latency and contain broadcasts.  Something has to act as a traffic cop.  You may also be considering wireless access for visitors: they need to reach the internet, but you want to keep them off your main network for security reasons.  This is where VLANs come in.

Before we reconfigure the switch to add the VLANs, we need additional switches to carry each portion of the network.  The scenario below needs one segment for workstation traffic, one for server traffic and one for guest access, so we need one switch for each of these segments.  The existing Catalyst 3550 becomes the backbone that routes traffic between the segments.

To keep things simple, we only configure the main switch.  The new switches need no configuration; each one carries a single VLAN, so they should be ready to run out of the box.

The first thing to do is decide which ports on the main switch belong to which network segment.  Note that the ports are not numbered left to right: odd-numbered ports are on the top row and even-numbered ports on the bottom row, a zigzag pattern as shown in the following diagram.


Port Numbering

For this scenario we split the 24-port switch into four VLANs, the fourth being for traffic to and from the firewall.  Because of the numbering pattern, ports 1, 3, 5, 7, 9 and 11 (the top left six) carry internet traffic on VLAN1.  Ports 2, 4, 6, 8, 10 and 12 (the bottom left six) carry server traffic on VLAN2.  Ports 13, 15, 17, 19, 21 and 23 (the upper right six) carry workstation traffic on VLAN3.  Ports 14, 16, 18, 20, 22 and 24 (the lower right six) carry guest access on VLAN4.  We only need one port in each segment, the uplink to that segment's switch, but this allows for future growth.  Keep in mind that VLAN1 is the switch's default VLAN: every port not explicitly assigned elsewhere, including the unused ones, is already in it, so an unused port sits on the internet/firewall segment unless you move it or shut it down.

Now that we know which ports go to which VLAN, we program them into the switch.  Once logged in, enter global configuration mode (configure terminal) and configure each port.  The following is the actual IOS configuration for the VLAN1 ports in this plan.  Notice that only the interface number changes from block to block.

interface FastEthernet0/1
  switchport access vlan 1
  switchport mode access
  spanning-tree portfast

interface FastEthernet0/3
  switchport access vlan 1
  switchport mode access
  spanning-tree portfast

interface FastEthernet0/5
  switchport access vlan 1
  switchport mode access
  spanning-tree portfast

interface FastEthernet0/7
  switchport access vlan 1
  switchport mode access
  spanning-tree portfast

interface FastEthernet0/9
  switchport access vlan 1
  switchport mode access
  spanning-tree portfast

interface FastEthernet0/11
  switchport access vlan 1
  switchport mode access
  spanning-tree portfast

interface vlan1
  description internet-traffic[192.168.1.0/24]
  ip address 192.168.1.254 255.255.255.0
  ip helper-address 208.67.222.222
  ip helper-address 208.67.220.220

The last block defines the VLAN's switched virtual interface (SVI), which is the default gateway for that segment.  In this example VLAN1 covers the /24 subnet 192.168.1.0/24 with a gateway address of 192.168.1.254.  Remember that you cannot use the first or last IP address of a subnet, as these are the network and broadcast addresses respectively.  The description line is an arbitrary label.  One thing the block does not show: the 3550 only routes between these interfaces once ip routing has been enabled in global configuration; without it the SVIs are just management addresses and the segments cannot talk to each other.

Also in the last block are two ip helper-address lines.  A helper address tells the switch to take UDP broadcasts received on that VLAN (by default DHCP/BOOTP, DNS, TFTP and NetBIOS name service requests, among others) and forward them as unicast to the given server.  Its usual job is DHCP relay, so that one DHCP server on the server VLAN can serve every segment; it does not set the DNS server that clients use, which they get from DHCP.  For this example, I used those of OpenDNS.  For a real deployment, point the helper at your own DHCP and DNS servers so that internal names resolve and addresses are handed out from one place.

One additional line is added to the last block for the guest VLAN only.  It applies an access control list, defined later in this document, to traffic entering the switch from that VLAN.  To make it clear, the entire last block for the guest VLAN reads as follows.

interface vlan4
  description guest-traffic[192.168.4.0/24]
  ip address 192.168.4.254 255.255.255.0
  ip access-group 103 in
  ip helper-address 208.67.222.222
  ip helper-address 208.67.220.220

Use this same template for the remaining 18 ports, and the same interface vlan block (without the access-group line) for VLAN2 and VLAN3, substituting their subnets.
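The port plan and the per-port template above are enough to write out the whole switch configuration mechanically.  The following Python script is an added example, not the page's own configuration: it generates the complete IOS configuration for all 24 ports, the VLAN definitions, ip routing and the four vlan interfaces from the plan given in the text.  The VLAN names and the choice of 192.168.2.4 as the DHCP relay target are assumptions made for the example; the subnets, gateways and port assignments are the page's.

```python
"""Build the complete Catalyst 3550 configuration for the four-VLAN plan.

Added example (not from the original page). Subnets, gateways and the
port-to-VLAN assignment are the ones given in the text; the VLAN names and
the helper-address target 192.168.2.4 are assumptions for this example.
"""
import ipaddress

# Port plan from the page: the 3550-24 numbers odd ports on the top row and
# even ports on the bottom row, so each "six ports" group is every other port.
VLANS = {
    1: {"name": "internet-traffic",    "subnet": "192.168.1.0/24", "ports": range(1, 12, 2)},
    2: {"name": "server-traffic",      "subnet": "192.168.2.0/24", "ports": range(2, 13, 2)},
    3: {"name": "workstation-traffic", "subnet": "192.168.3.0/24", "ports": range(13, 24, 2)},
    4: {"name": "guest-traffic",       "subnet": "192.168.4.0/24", "ports": range(14, 25, 2),
        "acl_in": 103},
}

# ip helper-address relays UDP broadcasts (DHCP/BOOTP above all) to a unicast
# server. Assumption for this example: the DNS box at 192.168.2.4 also runs DHCP.
HELPER_ADDRESSES = ["192.168.2.4"]


def port_vlan(port):
    """Return the VLAN a front-panel port (1..24) belongs to under the plan."""
    for vlan_id, spec in VLANS.items():
        if port in spec["ports"]:
            return vlan_id
    raise ValueError(f"port {port} is not in the plan")


def access_port(port):
    """The per-port template from the page, for one FastEthernet port."""
    return [
        f"interface FastEthernet0/{port}",
        f" switchport access vlan {port_vlan(port)}",
        " switchport mode access",
        " spanning-tree portfast",
        "!",
    ]


def svi(vlan_id):
    """The 'interface vlanN' block; the gateway is the last usable host."""
    spec = VLANS[vlan_id]
    net = ipaddress.ip_network(spec["subnet"])
    gateway = list(net.hosts())[-1]          # .254 for a /24
    lines = [
        f"interface Vlan{vlan_id}",
        f" description {spec['name']}[{spec['subnet']}]",
        f" ip address {gateway} {net.netmask}",
    ]
    if "acl_in" in spec:                     # guest VLAN only
        lines.append(f" ip access-group {spec['acl_in']} in")
    lines += [f" ip helper-address {h}" for h in HELPER_ADDRESSES]
    lines += [" no shutdown", "!"]
    return lines


def build_config():
    """Full configuration: routing on, VLANs created, 24 ports, 4 SVIs."""
    lines = ["ip routing",   # the 3550 does not route between SVIs until this is set
             "!"]
    for vlan_id, spec in VLANS.items():
        if vlan_id == 1:     # VLAN 1 exists by default and cannot be renamed
            continue
        lines += [f"vlan {vlan_id}", f" name {spec['name']}", "!"]
    for port in range(1, 25):
        lines += access_port(port)
    for vlan_id in VLANS:
        lines += svi(vlan_id)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config())
```

Paste the output into configuration mode in one go, then save it with write memory.  Keeping the plan in one table means changing a port's segment is a one-line edit and every port is accounted for, which is harder to guarantee when the 24 blocks are typed by hand.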

Now we need to configure guest access so that visitors can reach internal sites that are normally available to them over the internet, but would otherwise be unreachable from an isolated subnet inside your firewall.  A guest resolving www.contoso.com gets the firewall's public address, and traffic from an inside interface to that address would have to loop back through the firewall to an inside server, which most firewalls will not do.  We need to give their subnet a way to reach those services by their internal addresses, and say which services are allowed and which are denied.

Let's assume that the guest subnet is 192.168.4.0/24 (VLAN4).  Our servers are on VLAN2, 192.168.2.0/24, but we do not want to give guests full access to those resources.  We also want to restrict access to the workstations on 192.168.3.0/24 (VLAN3).  Finally, we need to allow them full access to the internet through 192.168.1.0/24 (VLAN1).  This can be configured with an access control list.

First, let's define services that are normally accessible from the internet.

192.168.2.1 Corporate website at http://www.contoso.com/
192.168.2.2 Corporate email at mail.contoso.com
192.168.2.3 Corporate intranet at intranet.contoso.com
192.168.2.4 Corporate DNS server
192.168.2.5 Corporate Secondary DNS server

It is possible that employees might at some time want to access these resources from a guest wireless device.  These servers are already exposed to the internet on these ports, so allowing the same ports from the guest network adds little beyond what is already exposed, as long as the list permits only those ports and nothing else.  The goal is to make wireless access as seamless as possible for any user on that subnet.

The following is the configuration that permits access to these servers and blocks all other traffic to the server and workstation segments.  The 103 in each line is the number we have chosen for the access control list; extended IP access lists, which can match on protocol and port, are numbered 100 to 199.

access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.1 eq www
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.1 eq 443
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.2 eq www
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.2 eq 443
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.2 eq smtp
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.3 eq www
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.3 eq 443
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.4 eq domain
access-list 103 permit udp 192.168.4.0 0.0.0.255 host 192.168.2.4 eq domain
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.5 eq domain
access-list 103 permit udp 192.168.4.0 0.0.0.255 host 192.168.2.5 eq domain
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip any any

The final line is an explicit permit for any traffic not matched earlier in the list.  Every IOS access list ends with an implicit deny, so without this line the guests' internet traffic would be blocked as well.  Note that because the list is applied inbound on interface vlan4, it only ever sees packets entering the switch from the guest VLAN: traffic between servers and workstations never passes through it, and nothing here filters connections that a server or workstation initiates toward a guest, since the list is stateless and return traffic enters on the other VLANs.  The four lines ending in "domain" permit DNS queries (TCP and UDP port 53) to the internal DNS servers, so that guests resolve internal names to internal addresses.
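To check that the list does what the paragraphs above say, it helps to evaluate it the way IOS does: top to bottom, first match wins, implicit deny at the end, and only for packets entering on vlan4.  The following Python is an added example, not part of the original page.  It parses the list exactly as written above (with the intranet HTTPS entry pointing at 192.168.2.3, which is what the pattern of the other entries intends) and runs a set of constructed sample flows through it.  The guest host 192.168.4.20, the workstation 192.168.3.10 and the internet host 203.0.113.10 are made up for the example, and only the destination-port form of eq used on the page is supported.

```python
"""Evaluate access-list 103 the way IOS does: first match wins, implicit deny.

Added example, not from the original page. The list is the one shown in the
text (intranet HTTPS entry on 192.168.2.3). Sample hosts are constructed:
192.168.4.20 (guest), 192.168.3.10 (workstation), 203.0.113.10 (internet).
"""
import ipaddress

ACL_103 = """
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.1 eq www
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.1 eq 443
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.2 eq www
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.2 eq 443
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.2 eq smtp
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.3 eq www
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.3 eq 443
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.4 eq domain
access-list 103 permit udp 192.168.4.0 0.0.0.255 host 192.168.2.4 eq domain
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.2.5 eq domain
access-list 103 permit udp 192.168.4.0 0.0.0.255 host 192.168.2.5 eq domain
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip any any
"""

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}    # IOS keywords used on the page

# Subnets from the page; 'ip access-group 103 in' binds the list to vlan4 only.
VLAN_SUBNETS = {1: "192.168.1.0/24", 2: "192.168.2.0/24",
                3: "192.168.3.0/24", 4: "192.168.4.0/24"}
ACL_BOUND_TO_VLAN = 4


def _address(tokens, i):
    """Consume 'any', 'host A' or 'A wildcard' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2     # bare address -> /32
    # An IOS wildcard mask is what the ipaddress module calls a host mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_rule(line):
    """Parse one 'access-list 103 ...' entry (destination 'eq port' only)."""
    t = line.split()
    if t[:2] != ["access-list", "103"]:
        raise ValueError(f"not an ACL 103 entry: {line}")
    action, proto = t[2], t[3]
    src, i = _address(t, 4)
    dst, i = _address(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "text": line}


RULES = [parse_rule(ln) for ln in ACL_103.strip().splitlines()]


def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry decides; an 'ip' entry matches every protocol.
    Falling off the end hits the implicit deny that ends every IOS list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny at end of list"


def ingress_vlan(src):
    """VLAN a packet with this source enters on; anything else comes in
    from the firewall on VLAN1 in this topology."""
    a = ipaddress.ip_address(src)
    for vlan_id, subnet in VLAN_SUBNETS.items():
        if a in ipaddress.ip_network(subnet):
            return vlan_id
    return 1


def decide(proto, src, dst, dport=None):
    """Model 'ip access-group 103 in' on interface vlan4: packets entering
    the switch on any other VLAN never pass through this list."""
    if ingress_vlan(src) != ACL_BOUND_TO_VLAN:
        return "unfiltered", "list is bound inbound on vlan4 only"
    return evaluate(RULES, proto, src, dst, dport)


if __name__ == "__main__":
    for flow in [("tcp", "192.168.4.20", "192.168.2.3", 443),    # intranet over HTTPS
                 ("udp", "192.168.4.20", "192.168.2.4", 53),     # internal DNS
                 ("tcp", "192.168.4.20", "192.168.2.1", 22),     # SSH to the web server
                 ("tcp", "192.168.4.20", "192.168.3.10", 445),   # SMB to a workstation
                 ("tcp", "192.168.4.20", "192.168.1.254", 23),   # the switch's VLAN1 address
                 ("tcp", "192.168.4.20", "203.0.113.10", 443),   # the internet
                 ("tcp", "192.168.3.10", "192.168.4.20", 3389)]: # workstation -> guest
        print(flow, "->", decide(*flow))
```

Two of the sample flows are worth a second look when adapting the list.  The final permit ip any any also covers VLAN1, so a guest can reach the firewall's inside address and the switch's own 192.168.1.254 on any port; if the switch or firewall offers telnet, SSH or a web interface there, add a deny for those hosts above the final permit.  And the workstation-to-guest flow comes back "unfiltered", which is the stateless, one-direction behaviour described above, not a gap in the list itself.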

Because each VLAN is its own broadcast domain, broadcasts within a given IP segment stay on that segment.  They are not routed to other VLANs (the only exception being the UDP broadcasts a helper address deliberately relays).  This reduces the traffic on each segment: workstations do not have to process broadcasts from inter-server communication, and servers do not have to listen to broadcasts from workstations.

And that is pretty much all there is to it.  We now have one network segment for servers, one for workstations, one for guest access and one for internet traffic, with the 3550 routing between them and the access list keeping guests to the permitted services.  The following diagram shows the new configuration.

Final Solution