
Cisco Switch Layer2 Layer3 Design and Configuration

Written By Harris Andrea

Layer2 and Layer3 switches are the foundation of any network. After all, every network device (routers, firewalls, computers, servers etc.) has to be connected to a switch.

Sooner or later, as a network engineer you will be faced with the task of deploying a switch network for a customer or for your own company.

Therefore, learning about some basic switch design and configuration principles will prove beneficial for your professional career.

One simple and popular switch design scenario will be shown in the following tutorial. This scenario will fit most SMB networks (or even bigger ones) that have a few Layer2 VLANs and consequently a few Layer3 network subnets. It is a good design principle to separate network hosts by department or by similar groups of users.

Table of Contents

  • Network Scenario
  • Network Diagram
  • Configuration
    • Configuration of Layer3 Aggregation Switch
    • Configuration of Layer2 Access Switches
    • Configuration of Router for Internet Access

Network Scenario

In our network scenario below we have segmented the network into seven Layer2 VLANs (and hence 7 Layer3 subnets), as listed below:

  • VLAN10: Network devices management VLAN (10.10.10.0/24)
  • VLAN20: Callcenter Department (10.10.20.0/24)
  • VLAN30: Sales Department (10.10.30.0/24)
  • VLAN40: Accounting & Financial Department (10.10.40.0/24)
  • VLAN50: Support Department (10.10.50.0/24)
  • VLAN60: Company Servers (10.10.60.0/24)
  • VLAN100: Company Managers (10.10.100.0/24)

As far as the design goes I will try to use Cisco’s hierarchical internetworking model (Distribution, Aggregation and Access Layers) with some modifications.

For the proposed scenario the distribution and aggregation layer will be combined on the same layer 3 switch to keep the design simple and for better understanding.

Network Diagram

[Network diagram: cisco-layer2-layer3-switch-design]

The diagram above shows one Layer 3 switch used for Aggregation, three Layer 2 switches used for access purposes and one router for Internet connectivity.

Company X has several departments grouped on several levels in a building. The departments are Callcenter, Sales, Accounting, Support and Management.

The only department allowed access to the internet is the Management department. Each of the departments has been allocated a Layer2 VLAN and an IPv4 Class C private address range. All the switches are connected over port-channel links for higher bandwidth and better redundancy.

Configuration

Configuration of Layer3 Aggregation Switch

Switch model used: Cisco ME-C3750-24TE (IOS image c3750me-i5k91-mz.122-55.SE6.bin)

Step1: Access, management and logging configuration

hostname AGGREGATION                      <—— placeholder hostname; the SSH server needs a hostname and a domain name before its RSA key can be generated
ip domain-name example.local              <—— placeholder domain name (use your own)
crypto key generate rsa modulus 2048      <—— generates the RSA key pair used by the SSH server
username admin privilege 15 secret Strongpasshere      <—— creates user admin with the highest privilege level (15)
logging buffered 1024000 debugging        <—— enables logging to the local buffer. The buffer holds at most 1024000 bytes and records messages up to debugging level
service password-encryption      <—— hides plaintext passwords (such as the console line password) in the configuration using reversible type 7 encoding; "secret" values are already hashed
enable secret Strongpasshere  <—— creates the enable password
line vty 0 4                             <—— enables remote network login
transport input telnet ssh  <—— enables telnet & ssh on the switch (telnet is cleartext; use "transport input ssh" to allow SSH only)
login local                             <—— uses local database credentials for login

line console 0
password Strongpasshere
login

Step2: Layer2 VLAN Configuration

vlan 10
 name Device_Management
!
vlan 20
 name Callcenter
!
vlan 30
 name Sales
!
vlan 40
 name Accounting&Finance
!
vlan 50
 name Support
!
vlan 60
 name Servers
!
vlan 100
 name Company_Management

Step3: Layer 3 VLAN Configuration


ip routing
!
interface Vlan10
 description Device_Management
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description Callcenter
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan30
 description Sales
 ip address 10.10.30.1 255.255.255.0
!
interface Vlan40
 description Accounting&Finance
 ip address 10.10.40.1 255.255.255.0
!
interface Vlan50
 description Support
 ip address 10.10.50.1 255.255.255.0
!
interface Vlan60
 description Servers
 ip address 10.10.60.1 255.255.255.0
!
interface Vlan100
 description Company_Management
 ip address 10.10.100.1 255.255.255.0

Step4: Port-Channel configuration

interface GigabitEthernet1/1/1
 description downlink Link 1 to Switch Management&support&servers
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,50,60,100   <—— set the exact list; "allowed vlan add" on a fresh trunk (default: all VLANs allowed) leaves every VLAN permitted
 switchport mode trunk
 channel-group 1 mode on

interface GigabitEthernet1/1/2
 description downlink Link 2 to Switch Management&support&servers
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,50,60,100
 switchport mode trunk
 channel-group 1 mode on

interface GigabitEthernet1/1/3
 description downlink Link 1 to Switch Accounting&Finance
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,40
 switchport mode trunk
 channel-group 2 mode on

interface GigabitEthernet1/1/4
 description downlink Link 2 to Switch Accounting&Finance
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,40
 switchport mode trunk
 channel-group 2 mode on

interface GigabitEthernet1/1/5
 description downlink Link 1 to Switch Callcenter&Sales
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 3 mode on

interface GigabitEthernet1/1/6
 description downlink Link 2 to Switch Callcenter&Sales
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 3 mode on

Interface to Router

interface GigabitEthernet1/1/7
 description To Router
 switchport
 switchport access vlan 10
 switchport mode access

Default route to the router

ip route 0.0.0.0 0.0.0.0 10.10.10.5

Configuration of Layer2 Access Switches

Switch models used: Cisco WS-C2960G-48TC-L (IOS Image: c2960-lanbase-mz.122-35.SE5.bin)

1) Switch Management&support&servers configuration

NOTE: The configuration for device management and logging remains the same as on the Layer3 switch above.

Step1: Layer2 VLAN Configuration

We only add the vlans needed on this switch.

vlan 10
 name Device_Management
!
vlan 50
 name Support
!
vlan 60
 name Servers
!
vlan 100
 name Company_Management

Step2: Port-Channel Configuration

interface GigabitEthernet1/1
 description uplink Link 1 to Switch AGGREGATION
 switchport
 switchport trunk allowed vlan 10,50,60,100   <—— exact list rather than "add"; the 2960 supports 802.1Q only, so it has no "switchport trunk encapsulation" command
 switchport mode trunk
 channel-group 1 mode on

interface GigabitEthernet1/2
 description uplink Link 2 to Switch AGGREGATION
 switchport
 switchport trunk allowed vlan 10,50,60,100
 switchport mode trunk
 channel-group 1 mode on

Step3: Management interface

interface Vlan10
 description Device_Management
  ip address 10.10.10.2 255.255.255.0

Step4: Configure Access interfaces to users

Only one interface per VLAN is shown for brevity.

interface GigabitEthernet0/3
 description Server
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast  <—— allows immediate transition of the port into forwarding state
 spanning-tree bpduguard enable <—— if a BPDU is received on the port it transitions to errdisable

interface GigabitEthernet0/4
 description Management
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

interface GigabitEthernet0/5
 description Support
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

2) Switch Accounting&Finance configuration


NOTE: The configuration for device management and logging remains the same as on the Layer3 switch above.


Step1: Layer2 VLAN Configuration

We only add the vlans needed on this switch.

vlan 10
 name Device_Management
!
vlan 40
 name Accounting&Finance

Step2: Port-Channel Configuration

interface GigabitEthernet1/1
 description uplink Link 1 to Switch AGGREGATION
 switchport
 switchport trunk allowed vlan 10,40   <—— exact list rather than "add"; no "trunk encapsulation" command on the 2960 (802.1Q only)
 switchport mode trunk
 channel-group 1 mode on

interface GigabitEthernet1/2
 description uplink Link 2 to Switch AGGREGATION
 switchport
 switchport trunk allowed vlan 10,40
 switchport mode trunk
 channel-group 1 mode on

Step3: Management interface

interface Vlan10
 description Device_Management
  ip address 10.10.10.3 255.255.255.0

Step4: Configure Access interfaces to users

Only one interface per VLAN is shown for brevity.

interface GigabitEthernet0/3
 description Accounting
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

3) Switch Callcenter&Sales configuration

NOTE: The configuration for device management and logging remains the same as on the Layer3 switch above.

Step1: Layer2 VLAN Configuration

We only add the vlans needed on this switch.

vlan 10
 name Device_Management
!
vlan 20
 name Callcenter
!
vlan 30
 name Sales

Step2: Port-Channel Configuration

interface GigabitEthernet1/1
 description uplink Link 1 to Switch AGGREGATION
 switchport
 switchport trunk allowed vlan 10,20,30   <—— exact list rather than "add"; no "trunk encapsulation" command on the 2960 (802.1Q only)
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/2
 description uplink Link 2 to Switch AGGREGATION
 switchport
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 1 mode on

Step3: Management interface

interface Vlan10
 description Device_Management
  ip address 10.10.10.4 255.255.255.0

Step4: Configure Access interfaces to users

Only one interface per VLAN is shown for brevity.

interface GigabitEthernet0/3
 description Callcenter
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
 description Sales
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
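The trunks in Step4 of the aggregation switch and Step2 of each access switch must agree on both ends, and they only prune VLANs if the allowed list is set explicitly. The script below is an added example (not the article's or Cisco's code) that audits this from IOS-style stanzas: the sample configurations are constructed from the article's design, with one downlink deliberately kept in the original "allowed vlan add" form and one extra VLAN (45) added on an access switch so the checks have something to report. Interface names, the mapping of aggregation channel-groups to access switches, and the finding texts are assumptions of the example.

```python
"""Audit port-channel trunks: explicit allowed lists, matching ends, carried VLANs.

Added example, not the article's own code. Checks:
  1. a trunk sets an explicit allowed-VLAN list ("allowed vlan add" issued while
     the default all-VLAN list is in force leaves every VLAN allowed),
  2. both ends of a port-channel carry the same VLAN set,
  3. every VLAN an access switch defines is carried by its uplink.
"""
import re

ALL_VLANS = frozenset(range(1, 4095))  # IOS default: a trunk allows every VLAN

# Constructed sample: aggregation downlinks (one member per channel-group shown).
# Gi1/1/3 keeps the article's original "allowed vlan add" form on purpose.
AGGREGATION_CFG = """
interface GigabitEthernet1/1/1
 description downlink Link 1 to Switch Management&support&servers
 switchport trunk allowed vlan 10,50,60,100
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/1/3
 description downlink Link 1 to Switch Accounting&Finance
 switchport trunk allowed vlan add 10,40
 switchport mode trunk
 channel-group 2 mode on
!
"""

# Constructed sample: aggregation channel-group -> that access switch's config.
# VLAN 45 is an extra VLAN added here to show one the uplink would not carry.
ACCESS_CFGS = {
    1: """
vlan 10
vlan 50
vlan 60
vlan 100
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10,50,60,100
 switchport mode trunk
 channel-group 1 mode on
!
""",
    2: """
vlan 10
vlan 40
vlan 45
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10,40
 switchport mode trunk
 channel-group 1 mode on
!
""",
}


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo:
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(cfg):
    """Return {name: state} per interface stanza; a '!' line ends a stanza.

    Only the forms used on this page are modelled: a plain list, 'add', 'all'.
    """
    interfaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"allowed": ALL_VLANS, "explicit": False,
                   "add_on_default": False, "trunk": False, "group": None}
            interfaces[line.split(None, 1)[1]] = cur
        elif line.startswith("!"):
            cur = None
        elif cur is None:
            continue
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):]
            if spec.startswith("add "):
                if cur["explicit"]:
                    cur["allowed"] = frozenset(cur["allowed"] | parse_vlan_list(spec[4:]))
                else:
                    cur["add_on_default"] = True  # adding to "all" changes nothing
            elif spec == "all":
                cur["allowed"], cur["explicit"] = ALL_VLANS, False
            else:
                cur["allowed"], cur["explicit"] = frozenset(parse_vlan_list(spec)), True
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif line.startswith("channel-group "):
            cur["group"] = int(line.split()[1])
    return interfaces


def defined_vlans(cfg):
    """VLAN IDs created with a global 'vlan <id>' line."""
    return {int(m) for m in re.findall(r"^\s*vlan (\d+)\s*$", cfg, re.M)}


def fmt(vlans):
    return "all" if vlans == ALL_VLANS else ",".join(str(v) for v in sorted(vlans))


def audit(aggregation_cfg, access_cfgs):
    """Return human-readable findings; an empty list means the trunks are consistent."""
    findings, agg_groups = [], {}
    for name, st in parse_interfaces(aggregation_cfg).items():
        if st["trunk"] and st["group"] is not None:
            if st["add_on_default"]:
                findings.append(f"{name}: 'allowed vlan add' against the default list; all VLANs stay allowed")
            agg_groups.setdefault(st["group"], set()).add(st["allowed"])
    for group, cfg in access_cfgs.items():
        sets = agg_groups.get(group, set())
        if len(sets) != 1:
            findings.append(f"channel-group {group}: expected one allowed-VLAN set on aggregation members, found {len(sets)}")
            continue
        agg_allowed = next(iter(sets))
        uplinks = [st for st in parse_interfaces(cfg).values() if st["trunk"] and st["group"] is not None]
        access_allowed = set().union(*(st["allowed"] for st in uplinks))
        for st in uplinks:
            if st["add_on_default"]:
                findings.append(f"channel-group {group}: access uplink uses 'allowed vlan add' against the default list")
        if access_allowed != agg_allowed:
            findings.append(f"channel-group {group}: aggregation allows {fmt(agg_allowed)} but access uplink allows {fmt(access_allowed)}")
        missing = defined_vlans(cfg) - access_allowed
        if missing:
            findings.append(f"channel-group {group}: access switch defines VLAN(s) {fmt(missing)} not carried on its uplink")
    return findings


if __name__ == "__main__":
    for finding in audit(AGGREGATION_CFG, ACCESS_CFGS) or ["no findings"]:
        print(finding)
```

Run against the sample it reports three findings: the "add" on Gi1/1/3, the resulting mismatch (all VLANs on the aggregation end versus 10,40 on the access end) and VLAN 45 not being carried; with the explicit list and without VLAN 45 it reports nothing. To audit real devices, paste the output of "show running-config" for each switch into the two samples.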

Configuration of Router for Internet Access

Router model used: Cisco 867VAE-K9 (IOS Image: c860vae-advsecurityk9-mz.152-4.M3.bin)
Only the relevant configuration is shown.

Step1: Internal Vlan Configuration connected to Layer3 Switch

vlan 10
 name Device_Management
!

interface FastEthernet0
 switchport mode access
 switchport access vlan 10

Step2: Layer3 Interfaces Configuration

interface GigabitEthernet1
 description WAN
 ip address 1.1.1.10 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
interface Vlan10
 description Management
 ip address 10.10.10.5 255.255.255.0
 ip nat inside

Step3: Configure NAT for providing access only to Management Users

! The NAT ACL matches only the company management subnet
!
ip access-list extended NAT
 permit ip 10.10.100.0 0.0.0.255 any
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!

Step4: Other config

!A default route to the internet is needed 
ip route 0.0.0.0 0.0.0.0 1.1.1.1

!A static route to the management subnet is needed
ip route 10.10.100.0 255.255.255.0 10.10.10.1

At this point only the Company Management subnet has access to the internet; nobody else does.
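The NAT rule in Step3 decides who reaches the internet purely through the ACL's wildcard mask, so it is worth being able to check exactly which of the seven subnets an ACL matches before it goes on the router. The following is an added example (not the article's configuration): a small implementation of IOS wildcard-mask matching applied to one constructed host (.10) in each VLAN subnet from the Network Scenario. The second, deliberately loose ACL (wildcard 0.0.255.255) is constructed to show how a sloppy mask would silently grant every department internet access.

```python
"""Which internal subnets does the router's NAT ACL translate?

Added example, not the article's configuration: IOS wildcard-mask matching for
'permit|deny ip <source> <wildcard> any' entries, applied to the seven VLANs.
"""
import ipaddress

# The article's NAT ACL, and a constructed over-broad variant for comparison.
NAT_ACL = """
ip access-list extended NAT
 permit ip 10.10.100.0 0.0.0.255 any
"""
LOOSE_ACL = """
ip access-list extended NAT
 permit ip 10.10.0.0 0.0.255.255 any
"""

# The seven VLAN subnets from the Network Scenario section.
SUBNETS = {
    "VLAN10 Device management": "10.10.10.0/24",
    "VLAN20 Callcenter": "10.10.20.0/24",
    "VLAN30 Sales": "10.10.30.0/24",
    "VLAN40 Accounting&Finance": "10.10.40.0/24",
    "VLAN50 Support": "10.10.50.0/24",
    "VLAN60 Servers": "10.10.60.0/24",
    "VLAN100 Company Managers": "10.10.100.0/24",
}


def parse_acl(text):
    """Return [(action, network_int, wildcard_int)] for entries of the form
    'permit|deny ip <net> <wildcard> any', including the 'host'/'any' shorthands."""
    entries = []
    for raw in text.splitlines():
        p = raw.split()
        if len(p) < 4 or p[0] not in ("permit", "deny") or p[1] != "ip":
            continue  # list header, comments, unsupported forms
        if p[2] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif p[2] == "host":
            net, wc = p[3], "0.0.0.0"
        else:
            net, wc = p[2], p[3]
        entries.append((p[0], int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wc))))
    return entries


def acl_permits(entries, src_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 means "don't care"
        if (ip & care) == (net & care):
            return action == "permit"
    return False


def translated_vlans(acl_text, subnets=SUBNETS):
    """Map each VLAN name to whether a host in it would be NAT-translated."""
    entries = parse_acl(acl_text)
    result = {}
    for name, cidr in subnets.items():
        host = ipaddress.ip_network(cidr)[10]  # constructed sample host .10
        result[name] = acl_permits(entries, str(host))
    return result


if __name__ == "__main__":
    for name, ok in translated_vlans(NAT_ACL).items():
        print(f"{name:28s} {'translated' if ok else 'NOT translated'}")
    loose = translated_vlans(LOOSE_ACL)
    print(f"wildcard 0.0.255.255 would translate {sum(loose.values())} of {len(loose)} VLANs")
```

With the article's ACL only VLAN100 is translated. Note what "not translated" means here: hosts in the other six VLANs still reach the router over the default route and their packets are simply forwarded without translation, so if the intent is an explicit block rather than a reliance on the provider dropping private source addresses, an inbound ACL on the router's Vlan10 interface is the place to enforce it.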


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. imad says

    June 13, 2015 at 11:11 am

    Hello, very nice tutorial sir, great job. Sir, I need some modification in this design, like an access, distribution, core design with the core connected to the router, and the core and distribution providing redundancy, meaning 2 links between one switch room and another, not to the core, and running OSPF as the routing protocol, and some end-to-end VLANs. How can I achieve this? Please help regarding:
    design
    access, distribution, core
    OSPF as routing protocol run on core and distribution
    local VLANs and some end-to-end VLANs; servers connected on the core switch and VoIP, CCTV etc.
    RSTP between switch rooms making a triangle shape.
    Please help

  2. GERSON says

    July 16, 2015 at 8:10 pm

    Nice job. But could you add the ip addresses into the diagram next time. I know it will look crowded but will help us to understand better the example. Thank you.

  3. Ali says

    November 19, 2015 at 3:51 pm

    hi ,
    I have one Layer 3 switch (3550) and I created 2 VLANs on this switch, VLAN 192 and VLAN 137, and assigned both VLAN IPs, 192.168.1.5 & 192.168.137.5; I also enabled routing on this switch, and the systems in both VLANs communicate with each other perfectly. I installed pfSense as the internet gateway (192.168.1.1) and also added a route on this switch: ip route 0.0.0.0 0.0.0.0 192.168.1.1
    But the problem is that the internet is not working on both VLANs; can anyone help me with this? pfSense connects to native VLAN 1 (some systems connect on this default VLAN) & no IP is assigned on this VLAN interface.

  4. Harris Andrea says

    November 20, 2015 at 6:49 am

    Ali,

    The IP of Pfsense (192.168.1.1) belongs to vlan 192. So you need to configure the switch interface port connected to Pfsense as “switchport access” port and assign it in vlan192. Also, on Pfsense you need to configure a static route for network 192.168.137.x to be reached via gateway 192.168.137.5 (which is the IP of vlan 137).

    Harris

  5. Ali says

    November 20, 2015 at 9:08 pm

    Thanks its working fine.

  6. A says

    June 11, 2018 at 4:59 am

    I have the same configuration on a Cisco 4948 Layer 3 switch with the following running configuration and I cannot access the internet from vlan 35

    Switch#
    Switch#sh run
    Building configuration…

    Current configuration : 5218 bytes
    !
    ! Last configuration change at 04:34:14 UTC Mon Jun 11 2018
    !
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    !
    hostname Switch
    !
    boot-start-marker
    boot-end-marker
    !
    !
    vrf definition mgmtVrf
    !
    address-family ipv4
    exit-address-family
    !
    address-family ipv6
    exit-address-family
    !
    !
    no aaa new-model
    !
    !
    !
    !
    !
    !
    !
    !
    vtp domain Cisco
    vtp mode transparent
    !
    !
    !
    power redundancy-mode redundant
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 35
    name Wired-Internal
    !
    vlan 40
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet1
    vrf forwarding mgmtVrf
    no ip address
    speed auto
    duplex auto
    !
    interface GigabitEthernet1/1
    switchport access vlan 35
    switchport mode access
    !
    interface GigabitEthernet1/2
    switchport access vlan 35
    switchport mode access
    !
    interface GigabitEthernet1/3
    switchport access vlan 35
    switchport mode access
    !
    interface GigabitEthernet1/4
    switchport access vlan 35
    switchport mode access
    !
    interface GigabitEthernet1/45
    switchport access vlan 35
    switchport mode access
    !
    interface GigabitEthernet1/47
    !
    interface GigabitEthernet1/48
    description to ASA-Firewall
    no switchport
    ip address 200.1.1.1 255.255.255.252
    !
    interface TenGigabitEthernet1/49
    !
    interface TenGigabitEthernet1/50
    !
    interface TenGigabitEthernet1/51
    !
    interface TenGigabitEthernet1/52
    !
    interface Vlan1
    no ip address
    !
    interface Vlan35
    ip address 172.16.35.1 255.255.255.0
    ip access-group ACL1020 in
    !
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    !
    ip route 0.0.0.0 0.0.0.0 200.1.1.2
    !
    ip access-list extended ACL1020
    permit ip 172.16.35.0 0.0.0.255 any
    !
    !
    !
    !
    vstack
    !
    line con 0
    stopbits 1
    line vty 0 4
    !
    !
    end

    Switch#
    Switch#
    Switch#
    Switch#sh ip route
    Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
    D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
    N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
    E1 – OSPF external type 1, E2 – OSPF external type 2
    i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
    ia – IS-IS inter area, * – candidate default, U – per-user static route
    o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
    + – replicated route, % – next hop override

    Gateway of last resort is 200.1.1.2 to network 0.0.0.0

    S* 0.0.0.0/0 [1/0] via 200.1.1.2
    172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C 172.16.35.0/24 is directly connected, Vlan35
    L 172.16.35.1/32 is directly connected, Vlan35
    200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 200.1.1.0/30 is directly connected, GigabitEthernet1/48
    L 200.1.1.1/32 is directly connected, GigabitEthernet1/48
    Switch#
    Switch#

  7. Harris Andrea says

    June 11, 2018 at 4:01 pm

    You need to have a static route on ASA firewall towards VLAN35 subnet.

    For example: route inside 172.16.35.0 255.255.255.0 200.1.1.1

  8. John says

    February 22, 2019 at 2:11 am

    Is there a mix-up between vlan 10 and vlan 100 in the config?

  9. Harris Andrea says

    February 22, 2019 at 5:26 am

    John,
    I believe there is no mix up between vlan 10 and 100. Can you please let us know where you have spotted an error?

  10. John says

    February 24, 2019 at 12:22 pm

    Hi Harris,

    The router's config below permits only vlan10 to pass data through to the router (and ultimately to the internet),

    interface GigabitEthernet1/1/7
    description To Router
    switchport
    switchport access vlan 10
    switchport mode access

    however in the later part of the router’s config, the NAT and the route back to the LAN is for vlan100.

    ip access-list extended NAT
    permit ip 10.10.100.0 0.0.0.255 any

    !A static route to the management subnet is needed
    ip route 10.10.100.0 255.255.255.0 10.10.10.1

    If I am wrong would you kindly explain why is it so to me?

    Thanks.

  11. Harris Andrea says

    February 24, 2019 at 4:09 pm

    John,
    The configuration is correct. Although between the Layer3 switch and the external router there is Vlan10 only, at Layer3 level the IP subnet of vlan100 (i.e. 10.10.100.0) can pass via NAT from switch to router with no problems. The subnet 10.10.100.0 will be translated to 10.10.10.1 (interface of the Layer3 switch) and will pass to the router although only vlan 10 is allowed.

    Let me know if you have any questions

    Harris

  12. John says

    February 24, 2019 at 4:25 pm

    Harris,

    I still don't quite get it. With reference to the config below:

    interface GigabitEthernet1/1/7
    description To Router
    switchport
    switchport access vlan 10
    switchport mode access

    …shouldn’t this interface be put into vlan 100 or be configured as a trunk? Since it is put into vlan 10 then only traffic from vlan 10 will be able to traverse the link and not vlan 100.

    John

  13. Harris Andrea says

    February 24, 2019 at 4:38 pm

    At Layer 2 level, yes, only vlan 10 will pass. However, vlan10 is associated with the Layer3 subnet 10.10.10.0. The subnet associated with vlan100 (i.e. 10.10.100.0) will be translated to 10.10.10.1 and the Layer3 packets will pass to the router with no problem (via vlan10).

  14. Ali F says

    May 5, 2022 at 5:40 pm

    Many thanks for your awesome article. I was surfing to find exactly the config in your article here, and I think I have found it. Thanks again :)

  15. Harris Andrea says

    May 5, 2022 at 6:12 pm

    Ali I’m glad my article helped you. Thanks for your nice comments.

    Harris
