InterVLAN Routing 1841 or on the 3750
Posted by corb on October 9th, 2007


Hi All,

Can someone please advise me on the most suitable method for inter vlan
routing with the following setup:



---- [External IP 1841 Internal IP] ----- [Vlan 10 on a port of a Catalyst 3750 (AKA Core)]



The Cisco 1841 router has 2 interfaces, internal and external. The internal
is connected to a port on the switch that is configured on VLAN 10, the
management vlan for the switches is running on VLAN1. There is no trunking
currently between the router and switch, only between the 3750 and the rest
of the Cisco switches connected to it.



Should I trunk from the router to the switch and create sub interfaces on the
router, or create vlans on the switch, turn on ip routing and run a routing
protocol between the switch and router? I guess I'd have to turn the switch
port connected to the router into a routed switch port?




Posted by corb on October 9th, 2007


Basically I need to add a few VLANS for a 3rd party to connect to the
Internet without connecting through my company's vlan. May also be going over
to a Cisco Call Manager Express (few months' time) so I'm planning on adding
a voice vlan as well.

"corb" <corb@noemail.com> wrote in message
news:IpROi.14665$DB2.13516@newsfe1-win.ntli.net...


Posted by Andrew Mulheirn on October 9th, 2007


I'd do the following:

- create sub-interfaces with VLAN 10 and your new VLAN on the 1841's inside
interface.

- configure the 3750's interface to the 1841 to be a trunk port ('switchport
mode trunk')

- create the new VLAN on the 3750

- check the interface is trunking the VLANS ('show interface trunk')


But that isn't going to be enough to stop your third-party getting access to
the corporate LAN. So you're going to need an access-list:

- create an ACL on the 1841

- deny the new subnet access to the corporate subnets

- permit everything else.

- apply this ACL inbound on the third-party sub-interface.

Of course this isn't an ideal solution - if you add new subnets on the
corporate LAN and forget to update the ACL, your third-party will have
access.

A better solution would be to get a firewall with a DMZ port. Put your
third-parties in there on a completely separate switch.

Hope that helps.

Andrew

On Tue, 9 Oct 2007 21:25:25 +0100, corb wrote
(in article <VsROi.14667$DB2.7677@newsfe1-win.ntli.net>):
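
The caveat in the post above (a corporate subnet that is added later but never added to the ACL becomes reachable) can be checked mechanically. The following is an added example, not part of the original thread: it walks an extended ACL in first-match order and reports corporate ranges that third-party traffic reaches before a deny matches. The ACL name, all addresses and the function names are assumptions, and only `permit ip` / `deny ip` entries with contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed sample ACL; the name and all addresses are assumptions for illustration.
ACL_TEXT = """\
ip access-list extended THIRD-PARTY-IN
 deny ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny ip 192.168.50.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip any any
"""

def _spec(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' from tok; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    w = int(ipaddress.IPv4Address(tok[1]))
    if w & (w + 1):  # wildcard bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {tok[1]}")
    return ipaddress.ip_network(f"{tok[0]}/{32 - w.bit_length()}", strict=False), tok[2:]

def parse_acl(text):
    """Yield (action, src, dst) for each 'permit ip' / 'deny ip' entry, in order."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, rest = _spec(tok[2:])
            dst, _ = _spec(rest)
            yield tok[0], src, dst

def exposed(acl_text, guest, corporate):
    """Return corporate ranges that guest traffic reaches before a deny matches."""
    guest = ipaddress.ip_network(guest)
    left = [ipaddress.ip_network(c) for c in corporate]  # not yet matched by any entry
    leaks = []
    for action, src, dst in parse_acl(acl_text):
        if action == "deny" and not guest.subnet_of(src):
            continue  # deny covers only part of the guest subnet: do not count it
        if action == "permit" and not guest.overlaps(src):
            continue  # permit does not apply to guest sources
        nxt = []
        for net in left:
            if not net.overlaps(dst):
                nxt.append(net)            # entry does not touch this range
            elif net.subnet_of(dst):
                if action == "permit":
                    leaks.append(net)      # whole range permitted first
            else:                          # dst is a strict subnet of net
                if action == "permit":
                    leaks.append(dst)
                nxt.extend(net.address_exclude(dst))
        left = nxt                         # anything left at the end hits the implicit deny
    return leaks
```

Run it against the current list of corporate subnets whenever one is added; a non-empty result names the ranges the trailing `permit ip any any` would let through.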



Posted by corb on October 10th, 2007



"Andrew Mulheirn" <andrew@spam-no.demon.co.uk> wrote in message
news:0001HW.C331B47E0009BE3EB042494F@news.demon.co .uk...
Thanks for the reply, but I thought I should use the 3750 for inter vlan
routing as it will be much faster at routing packets between vlans and the
bottleneck will actually be the router?



Posted by Trendkill on October 10th, 2007


On Oct 10, 2:29 am, "corb" <c...@noemail.com> wrote:
All depends on what you have running, but yes, a router on a stick
will require all traffic to traverse that uplink/trunk and be inter-
vlan routed at the router. Distributing this to the 3750 should give
you additional performance, but the 3750 is not an enterprise class
switch/router, so you just have to be careful with your expectations.

To do this, create the vlan interfaces on the switch, and make sure
one of the vlans matches the one going to the router. Configure one
of the ports as an access port in that vlan, and configure a routing
protocol on both sides that includes the vlan/network address range
that the two devices share. Additionally, on the 3750, add the ranges
for the other networks that you want to advertise, but I would make
sure you have passive-interfaces for these networks just to keep
adjacencies clean (if you use eigrp/ospf). This should give you what
you want.

Since the 3750s are not the 6500s I deal with, not sure how 'routed
switch ports' play into this, but I would think the above should
work. Else you may need to configure a routed switch port with an IP
in the routed vlan and go that route. Either way, one way or the
other should get you what you need.


