Simple Networking

Configuring Cisco 3560 switch

04.11.2015

Let’s consider a scenario in which there are two several departments of the same company that have to be connected using logically separate networks (VLANs) and need to communicate with each other, while being connected on a single Layer 3 switch Cisco 3560.
The task is to organize the following subnets (VLANs):

Sales department network (192.168.10.0 255.255.255.0)
Accounting department network (192.168.20.0 255.255.255.0)
IT administrators network (192.168.100.0 255.255.255.0)
Network management subnet (192.168.1.0 255.255.255.0)

Configuring Cisco 3560 switch

Important!
Layer 2 switches are capable of of transferring data only within a single network, since they use Layer 2 MAC addresses in order to forward packets. Layer 3 devices are used to forward packets between various networks and use IP addresses to make forwarding decisions.
Layer 3 switch (such as the Cisco 3560) is a combination of an OSI Layer 2 device (Access layer) and a Layer 3 device (Network layer), such as a router. It is a switch and a router in one box.

Important!
One Cisco 3560 switch can, in theory, replace a combination of a Cisco 2960 switch and a Cisco 2811 router. Yet using such a switch for external connections is highly NOT recommended. ISP uplink and any external links should be connected into a separate router or firewall, while Layer 3 switches should only be used for internal routing.
(This article describes how a similar task of having several VLANs can be solved with a Layer 2 Cisco 2960 switch and a Cisco 2811 router.)

Step 0. Clear previous configuration

(This step should be performed only on new or test equipment, since it completely removes all existing configuration)
After you take your new switch out of the box, connect to it with a console cable and clear the factory configuration by entering the privileged mode and using the “write erase” command (you can learn more about Cisco IOS configuration modes in this article)
Switch > enable
Switch# write erase
/clear configuration acknowledgment/
Switch# reload
/reload acknowledgment/

After this your switch will reboot, taking about three minutes to do so, and display a request for basic configuration wizard afterwards. You should decline:
Would you like to enter the basic configuration dialog (yes/no): no

Step 1. Hostname

Let’s call our switch SWR-DELTACONFIG-1 (SWR is an abbreviation from SWitch Router). To do this, enter the configuration mode (conf t) and type the following commands:
Switch# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# hostname SWR-DELTACONFIG-1
SWR-DELTACONFIG-1(config)#

The hostname will change from “Switch” to the specified name.

deltaconfig cisco outsourcing

Step 2. Configure remote access

In order to administer your switch remotely, you have to give it an IP address on VLAN 1. Don’t forget to switch on the interface by using the “no shutdown” command:
SWR-DELTACONFIG-1(config)#
interface vlan 1
ip address 192.168.1.1 255.255.255.0
no shutdown

Step 3. Configure user authorization

In order for all users to be authorized and gain an access to the switch:

  • Create a password for accessing the privileged mode (indicated by the “#” sign after the hostname) with the command “enable secret
  • Create a user account (and its password) for remote access with the command “username … secret …

SWR-DELTACONFIG-1(config)#
enable secret *****
username admin secret *****

Turn on authorization using the local user and password database:
SWR-DELTACONFIG-1(config)#
line vty 0 4
login local

In order to check the availability of the privileged mode (#) after entering the above commands, exit all configuration modes by entering “exit” or “Ctrl+Z” until you are in the original “>” mode. After this try entering the privileged mode again using enable command and enter the password you specified above when asked.
If all commands were entered correctly, you should get something like this:
SWR-DELTACONFIG-1>enable
Password:  *****
SWR-DELTACONFIG-1#

You can also check the remote access by entering “telnet 192.168.1.1” from the command line of a workstation. You should get a request for username and password in a telnet window.
After you’ve ensured that your switch is accessible via Telnet (TCP port 23), I recommend to secure your remote sessions by configuring SSH access (TCP port 22). Detailed instructions on how to do this are available in here.

Step 4. Create VLANs

Next, create a VLAN for each department and assign serial numbers and names to them:
SWR-DELTACONFIG-1(config)#
vlan 10
name NET_SALES
vlan 20
name NET_ACCOUNT
vlan 100
name NET_ADMIN

Each switch has Vlan 1 as a default one. It will be used for remote control of the switch.
You can check the current VLAN configuration by issuing the “show vlan” command:
SWR-DELTACONFIG-1# show vlan
VLAN Name                             Status    Ports
—- ——————————— ——— ——————————-
1    default               active    Gi0/1, Gi0/2, /...output cut.../
10  NET_SALES              active
20  NET_ACCOUNT            active
100  NET_ADMIN             active
/...output cut.../

Make sure that all defined networks are in your list.

Step 5. Binding Vlans and ports

The next step is to create a correlation between a switch ports and VLANs. The switch we use for this example has 24 Gigabit Ethernet ports. Let’s split them as follows:

  • 6 for administration network (Vlan 100)
  • 12 for sales department (Vlan 10)
  • 6 for accounting department (Vlan20)

It would be great to add description strings for each interface . This is a text field which doesn’t affect any other settings.
SWR-DELTACONFIG-1(config)#
interface range gi 0/1 – 6
switchport access vlan 100
description NET_ADMIN
interface range gi 0/7 – 18
switchport access vlan 10
description NET_SALES
interface range gi 0/19 – 24
switchport access vlan 20
description NET_ACCOUNT

Then, ports will be shown next to each Vlan. The result of sh vlan command should be similar to this:
SWR-DELTACONFIG-1# show vlan
VLAN Name              Status    Ports
1    default           active
10  NET_SALES          active    Gi0/7, Gi0/8, Gi0/9, Gi0/10, Gi0/11, Gi0/12, Gi0/13, Gi0/14,
Gi0/15, Gi0/16, Gi0/17, Gi0/18
20  NET_ACCOUNT        active    Gi0/19, Gi0/20, Gi0/21, Gi0/22, Gi0/23, Gi0/24
100  NET_ADMIN         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6
/…output cut.../

Important!
By performing the above steps, we are dividing one physical switch into 4 logical switches (VLAN 1, VLAN 10, VLAN 20 and VLAN 100). Starting from this moment, the communication will be carried out only(!) between the ports that belongs to the same VLAN.

Important!
From this moment on, the workstations connected to ports that belong to different VLANs will not be able to send traffic to each other, even if they have IP addresses from the same subnet.

Step 6. Routing

In order for different VLANs to be able to communicate with each other, we need to create Layer 3 virtual interfaces for each VLAN:
SWR-DELTACONFIG-1 (config)#
inter vlan 10
ip address 192.168.10.1 255.255.255.0
description Sales
no shut
inter vlan 20
ip address 192.168.20.1 255.255.255.0
description Account
no shut
inter vlan 100
ip address 192.168.100.1 255.255.255.0
description Admins
no shut
SWR-DELTACONFIG-1 (config)# ip routing

Important!
On most current versions of IOS, the command “ip routing” is not necessary, because packet routing is turned on by default.
For comparison: on a Layer 2 switch mentioned in this article, you can create only one Layer 3 interface on VLAN 1 and use it only for remote access to the device. This is the reason that scenario requires a Cisco 2811 router in order to ensure routing between the various subnets.
As a result of following this set of instructions, all workstations should be able to communicate workstations in all other VLANs (after being connected to the appropriate ports of the switch). The accessibility should be checked using the ping command from the command line of the workstations.

Important!

Don’t forget to save the configuration on all devices with the “write” or “copy run start” commands. Otherwise you will lose all your configuration changes after a reload.
SWR-DELTACONFIG-1#write
Building configuration...
[OK]

 
This article was written by Alexey Yurchenko
 

Back to Table of contents

avatar
1 Comment threads
1 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
2 Comment authors
nevidimkastdBedreddin Recent comment authors
newest oldest most voted
Bedreddin
Guest
Bedreddin

can we configure NAT in this switch so the clients can surf internet?

×

How can I help you?