 aryoba Premium,MVM join:2002-08-22
edit: December 19th, @09:26AM
1. Comment on "I need to set both of the switches to transparent"
In a switch environment (read: VTP Domain), there MUST be one AND only one switch acting as VTP Server to handle the switch management (i.e. VLAN and trunking info). Other switches must be either VTP client or transparent. If your network only consists of two switches, one of them must be the VTP Server. You CANNOT set both switches as transparent.
2. VTP Server, Client, and Transparent assignment
If I were you, I would set the 3560 to be the VTP Server and the 2950 to be the VTP client or transparent. Since the 3560 is handling the inter-VLAN routing, it makes sense at the same time to be the VTP Server.
3. VLAN Management
DO NOT use VLAN 1 for user data since VLAN 1 is reserved for switch management. Set up a new VLAN for users on the 3560 switch (i.e. VLAN 10) and a new VLAN for the PIX Firewall (i.e. VLAN 2).
4. VTP Domain name
Since both switches are to be in the same VTP Domain, both switches must have the same VTP Domain name. Otherwise VLAN and trunking info (among other things) is not known on both switches.
5. Subnet separations
The PIX inside (internal) interface subnet should be different from the subnet of the 3560 users. As illustrated previously, VLAN 2 could belong to the PIX and VLAN 10 could belong to the 3560 users.
6. 2950 Default Gateway
The 2950 default gateway should be the 3560 interface VLAN 20 IP address since (again) the 3560 is handling the inter-VLAN routing.
7. The "spanning-tree portfast" command usage
The "spanning-tree portfast" command should be applied on ports only when those ports go to COMPUTERS ONLY. When such ports go to a device other than a computer (i.e. firewall or router), there should be no "spanning-tree portfast" command applied.
8. The Application Box that acts as a router
Since basically there are at least two routers in your network (the 3560 and the application box), there should be some kind of routing protocol mechanism between the two. You might want to run a dynamic routing protocol or just static routing.
CLARIFICATION: I believe your network has two Internet gateways. One goes through the PIX and another goes through the application box. Is this true?
Or maybe the application box goes to the internal network?
Can you redraw your network setup? This time please include the 2nd network and everything.
Tip: You can use the HTML code "PRE" and "/PRE" when drawing the network. Therefore you don't have to add the ***
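As an added illustration of points 1 through 7 above (example configuration written for this page, not posted by aryoba or taken from the original thread), the following Cisco IOS fragments put the 3560 in VTP server mode with inter-VLAN routing and the 2950 in VTP client mode. The VTP domain name, the VTP password, the hostnames, all IP addresses and the port numbers are assumptions; VLAN 10 (users) and VLAN 2 (PIX inside) follow the numbers used in items 3 and 5, and the 2950 keeps its management address on VLAN 1 with the 3560's VLAN 1 SVI as its gateway, which is an assumed layout rather than the post's item 6 wording.

```cisco
! ===== 3560: VTP server, inter-VLAN routing, trunk, PIX port, user ports =====
! (assumed hostname, domain, password and addressing)
hostname SW-3560
!
! One VTP server per domain; the 2950 learns VLANs from here.
vtp domain EXAMPLE-DOMAIN
vtp mode server
vtp password ChangeMe-VTP
!
! VLAN 1 stays for switch management only (item 3).
vlan 2
 name PIX-INSIDE
vlan 10
 name USERS
!
! The 3560 does the inter-VLAN routing (item 2).
ip routing
!
interface Vlan1
 description Switch management
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 description Link subnet toward PIX inside interface
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan10
 description User subnet, separate from the PIX subnet (item 5)
 ip address 192.168.10.1 255.255.255.0
!
! Trunk to the 2950 carries all VLANs and the VTP advertisements (item 4).
interface GigabitEthernet0/1
 description Trunk to SW-2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Port to the PIX: access port in VLAN 2, no portfast (item 7).
interface FastEthernet0/24
 description PIX inside interface
 switchport mode access
 switchport access vlan 2
!
! User ports: access VLAN 10, portfast plus BPDU guard so a rogue switch
! plugged into a user port is shut down instead of joining spanning tree.
interface range FastEthernet0/1 - 20
 description User PCs only
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Default route toward the PIX inside address (assumed 192.168.2.1).
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
! ===== 2950: VTP client, trunk back to the 3560, user ports =====
hostname SW-2950
!
! Same domain name and password as the server, client mode (items 1 and 4).
vtp domain EXAMPLE-DOMAIN
vtp mode client
vtp password ChangeMe-VTP
!
! Management address on VLAN 1; gateway is the 3560's VLAN 1 SVI (item 6).
interface Vlan1
 description Switch management
 ip address 192.168.1.3 255.255.255.0
ip default-gateway 192.168.1.2
!
! 2950 trunks are dot1q only, so no encapsulation command is needed here.
interface GigabitEthernet0/1
 description Trunk to SW-3560
 switchport mode trunk
!
interface range FastEthernet0/1 - 24
 description User PCs only
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After applying both sides, "show vtp status" on each switch should report the same domain name and a matching configuration revision, and "show vlan brief" on the 2950 should list VLANs 2 and 10 without them having been created locally; if the 2950 still shows only the default VLANs, the domain name, password or trunk is mismatched.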