Configuring Cisco 3560 switch
Let’s consider a scenario in which several departments of the same company have to be placed in logically separate networks (VLANs) and still need to communicate with each other, while all being connected to a single Cisco 3560 Layer 3 switch.
The task is to organize the following subnets (VLANs):
– Sales department network (192.168.10.0 255.255.255.0)
– Accounting department network (192.168.20.0 255.255.255.0)
– IT administrators network (192.168.100.0 255.255.255.0)
– Network management subnet (192.168.1.0 255.255.255.0)
Layer 2 switches are capable of transferring data only within a single network, since they use Layer 2 MAC addresses to forward frames. Layer 3 devices forward packets between different networks and use IP addresses to make forwarding decisions.
A Layer 3 switch (such as the Cisco 3560) is a combination of an OSI Layer 2 device (Access layer) and a Layer 3 device (Network layer), such as a router. It is a switch and a router in one box.
One Cisco 3560 switch can, in theory, replace a combination of a Cisco 2960 switch and a Cisco 2811 router. Yet using such a switch for external connections is strongly discouraged. The ISP uplink and any other external links should be connected to a separate router or firewall, while Layer 3 switches should only be used for internal routing.
(This article describes how a similar task of having several VLANs can be solved with a Layer 2 Cisco 2960 switch and a Cisco 2811 router.)
Step 0. Clear previous configuration
(This step should be performed only on new or test equipment, since it completely removes all existing configuration)
After you take your new switch out of the box, connect to it with a console cable and clear the factory configuration by entering the privileged mode and using the “write erase” command (you can learn more about Cisco IOS configuration modes in this article)
Switch> enable
Switch# write erase
/clear configuration acknowledgment/
After this your switch will reboot, which takes about three minutes, and then offer to start the basic configuration wizard. You should decline:
Would you like to enter the basic configuration dialog (yes/no): no
Step 1. Hostname
Let’s call our switch SWR-DELTACONFIG-1 (SWR is short for SWitch Router). To do this, enter the configuration mode (conf t) and type the following commands:
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# hostname SWR-DELTACONFIG-1
The hostname will change from “Switch” to the specified name.
Step 2. Configure remote access
In order to administer your switch remotely, you have to give it an IP address on VLAN 1. Don’t forget to switch on the interface by using the “no shutdown” command:
interface vlan 1
ip address 192.168.1.1 255.255.255.0
no shutdown
Step 3. Configure user authorization
To require all users to authenticate before they gain access to the switch:
- Create a password for accessing the privileged mode (indicated by the “#” sign after the hostname) with the command “enable secret”
- Create a user account (and its password) for remote access with the command “username … secret …”
enable secret *****
username admin secret *****
Turn on authorization using the local user and password database:
line vty 0 4
login local
To check that the privileged mode (#) is still reachable after entering the above commands, exit all configuration modes by entering “exit” or “Ctrl+Z” until you are back in the original “>” mode. Then try entering the privileged mode again using the “enable” command and type the password you specified above when asked.
If all commands were entered correctly, you should get something like this:
You can also check the remote access by entering “telnet 192.168.1.1” from the command line of a workstation. You should get a request for username and password in a telnet window.
After you’ve ensured that your switch is accessible via Telnet (TCP port 23), I recommend securing your remote sessions by configuring SSH access (TCP port 22), because Telnet sends the username and password over the network in clear text. Detailed instructions on how to do this are available here.
Step 4. Create VLANs
Next, create a VLAN for each department and assign each one a number and a name:
Every switch has VLAN 1 by default. Here it is used for remote management of the switch.
You can check the current VLAN configuration by issuing the “show vlan” command:
SWR-DELTACONFIG-1# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, /...output cut.../
10   NET_SALES                        active
20   NET_ACCOUNT                      active
100  NET_ADMIN                        active
Make sure that all defined networks are in your list.
Step 5. Binding Vlans and ports
The next step is to map switch ports to VLANs. The switch we use for this example has 24 Gigabit Ethernet ports. Let’s split them as follows:
- 6 for administration network (Vlan 100)
- 12 for sales department (Vlan 10)
- 6 for accounting department (Vlan 20)
It is also a good idea to add a description string to each interface. This is a text field which doesn’t affect any other settings.
interface range gi 0/1 - 6
switchport access vlan 100
interface range gi 0/7 - 18
switchport access vlan 10
interface range gi 0/19 - 24
switchport access vlan 20
The ports will then be listed next to each VLAN. The output of the “show vlan” command should be similar to this:
SWR-DELTACONFIG-1# show vlan
VLAN Name                             Status    Ports
1    default                          active
10   NET_SALES                        active    Gi0/7, Gi0/8, Gi0/9, Gi0/10, Gi0/11, Gi0/12, Gi0/13, Gi0/14,
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
20   NET_ACCOUNT                      active    Gi0/19, Gi0/20, Gi0/21, Gi0/22, Gi0/23, Gi0/24
100  NET_ADMIN                        active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5, Gi0/6
By performing the above steps, we are dividing one physical switch into 4 logical switches (VLAN 1, VLAN 10, VLAN 20 and VLAN 100). From this moment, communication will be carried out only(!) between ports that belong to the same VLAN.
From this moment on, the workstations connected to ports that belong to different VLANs will not be able to send traffic to each other, even if they have IP addresses from the same subnet.
Step 6. Routing
In order for different VLANs to be able to communicate with each other, we need to create Layer 3 virtual interfaces for each VLAN:
inter vlan 10
ip address 192.168.10.1 255.255.255.0
inter vlan 20
ip address 192.168.20.1 255.255.255.0
inter vlan 100
ip address 192.168.100.1 255.255.255.0
SWR-DELTACONFIG-1(config)# ip routing
On most current versions of IOS, the command “ip routing” is not necessary, because packet routing is turned on by default.
For comparison: on a Layer 2 switch mentioned in this article, you can create only one Layer 3 interface on VLAN 1 and use it only for remote access to the device. This is the reason that scenario requires a Cisco 2811 router in order to ensure routing between the various subnets.
As a result of following this set of instructions, all workstations should be able to communicate with workstations in all other VLANs (after being connected to the appropriate ports of the switch). Reachability should be checked using the ping command from the command line of the workstations.
Don’t forget to save the configuration on all devices with the “write” or “copy run start” commands. Otherwise you will lose all your configuration changes after a reload.
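To verify the result of Steps 2 to 6 beyond a ping test, the following Python script (an added example, not part of the original article) audits a saved “show running-config” against this page’s port and addressing plan and checks that the vty lines use “login local” and are restricted to SSH. The sample config, the function names and the “GigabitEthernet0/N” interface naming are assumptions.

```python
import ipaddress
import re

# Port and addressing plan from the page: Gi0/1-6, Gi0/7-18, Gi0/19-24.
PORT_PLAN = {range(1, 7): 100, range(7, 19): 10, range(19, 25): 20}
SVI_PLAN = {v: f"192.168.{v}.0/24" for v in (1, 10, 20, 100)}

# Constructed running-config excerpt (not real device output), with faults.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport access vlan 100
interface GigabitEthernet0/19
 switchport access vlan 10
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
line vty 0 4
 login local
"""

def sections(config):
    # Group indented lines under the unindented header that precedes them.
    out, head = {}, None
    for line in config.splitlines():
        if line[:1] not in ("", " ", "!"):
            out[(head := line.strip())] = []
        elif head and line.startswith(" "):
            out[head].append(line.strip())
    return out

def audit(config):
    findings = []
    for head, body in sections(config).items():
        port = re.fullmatch(r"interface GigabitEthernet0/(\d+)", head)
        svi = re.fullmatch(r"interface Vlan(\d+)", head)
        if port:
            n = int(port.group(1))
            want = next((v for r, v in PORT_PLAN.items() if n in r), None)
            got = re.search(r"switchport access vlan (\d+)", "\n".join(body))
            if want and (not got or int(got.group(1)) != want):
                findings.append(f"Gi0/{n}: expected access VLAN {want}")
        elif svi and int(svi.group(1)) in SVI_PLAN:
            net = ipaddress.ip_network(SVI_PLAN[int(svi.group(1))])
            addr = re.search(r"ip address (\S+) \S+", "\n".join(body))
            if not addr or ipaddress.ip_address(addr.group(1)) not in net:
                findings.append(f"{head}: no address inside {net}")
        elif head.startswith("line vty"):
            for need in ("login local", "transport input ssh"):
                if need not in body:
                    findings.append(f"{head}: missing '{need}'")
    return findings
```

Calling audit(SAMPLE) reports the misassigned Gi0/19, the Vlan20 address outside its subnet, and the vty lines that are not restricted to SSH.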
This article was written by Alexey Yurchenko
Can we configure NAT in this switch so the clients can surf the internet?
No. You should perform NAT on a separate router.
This switch has routing features, but it is made only for being in the core of your network and routing traffic only between local networks. So just connect all your local users, servers, switches and other hosts to the 3560 switch and then configure a default route to another router which is connected to the Internet.