GEMCC asked:
Unable to have multiple VLANs up on the same Cisco switch, and wanting to telnet via 2 ports, not all of them

Hello,

I am new to configuring Cisco switches.  Here is the config I have created:

en
config t
hostname GEMSWI0000
enable secret testing
!
line con 0
 password testing
 login
!
vlan 128
 name Office
interface vlan 128
 ip address 192.168.128.254 255.255.255.0
 no shut
!
vlan 217
 name GEM
interface vlan 217
 ip address 192.168.217.254 255.255.255.0
 no shut
!
! fa0/1 - fa0/11: VLAN 217. "switchport mode access" pins each port to
! access mode instead of leaving it in the default dynamic (DTP) mode.
interface range fa0/1 - 11
 switchport mode access
 switchport access vlan 217
!
! fa0/12: VLAN 217 with port security. Port security only takes effect once
! "switchport port-security" itself is configured on the interface;
! maximum/sticky/violation on their own do not enable it.
interface fa0/12
 switchport mode access
 switchport access vlan 217
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 no shut
!
! fa0/13 - fa0/23: VLAN 128
interface range fa0/13 - 23
 switchport mode access
 switchport access vlan 128
!
! fa0/24: VLAN 128 with port security (same note as fa0/12)
interface fa0/24
 switchport mode access
 switchport access vlan 128
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 no shut
exit
!
line vty 0 15
 password testing
 login


As soon as I input this config, both VLAN 1 and VLAN 128 are administratively shut down.  If I enable VLAN 128, then VLAN 217 is listed as administratively shut down.

Also, I want to be able to telnet via port 12 and 24 only.  Currently, I am able to telnet via any port of a VLAN that is up.

Please advise.

Have a great weekend,

Don
corey_jones:
Your ports are in access mode, and VLAN 1 needs to be labelled as the native VLAN.
Restrict telnet with an access list.
GEMCC (asker):
Hello,

I understand VLAN1 is the default VLAN.  I need to name it "native"?
I understand the ports are in access mode, but I cannot figure out how to get the ports assigned to the VLANs otherwise.

Why are any of the VLANs being shutdown?

Please advise.

Don
OK, now I see: VLAN 1 is shut down because all your ports are in access mode and are assigned a VLAN.
Don Johnston:
I'm guessing that this is a layer-2 switch?

On Layer-2 switches, only one SVI (VLAN interface) can be up.  When you "no shut" an SVI that is shutdown, whatever SVI that is up will automatically shut down.
GEMCC (asker):
Yes this is a layer-2 switch, Cisco 2950.  If I were to create 1 VLAN and then leave the other ports on VLAN1, would both the VLAN I created plus VLAN1 be up at the same time?
Also, what is the switch model number?
OK, I concur with Don's comment.
GEMCC (asker):
It is a WS-2950-24.  If that is the case, then what is the point in having the ability to create multiple VLANs on a Layer-2 switch?
I think you're confusing VLANs with SVIs.

VLANs are layer-2 and allow segregating traffic.
SVIs are layer-3 and are used for management of the switch only.

If you need to manage the switch from a different network (VLAN), then the traffic will have to be routed through a router or layer-3 switch.
GEMCC (asker):
OK, so what I think you are saying is that I can have multiple VLANs on this switch, just one of them will be able to manage the switch, correct?

Is someone able to edit my config so it fits what I am attempting to do so I can learn from it?

Have a great weekend,

Don
Let me weigh in on this. So, if I understand, you want a switch, a 2950, that has multiple VLANs, and you want to manage it from those VLANs directly, i.e. by connecting to the IP on VLAN 1 or VLAN 2.

This is totally possible; take a look below. You need to assign IP addresses on each VLAN, then set your access and trunk ports. You will not be able to access a device from VLAN 1 on VLAN 2 without a router or layer-3 switch.

As far as limiting access goes, you would use an ACL, or better yet a third VLAN for management.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PHXSW01
!
boot-start-marker
boot-end-marker
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Cubicle1
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description side cashier
 switchport mode trunk
 switchport nonegotiate
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 description Server Room Printer
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 description Receipt Printer 1
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 description Uplink Router
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description Uplink PHXSW02
 switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 10.100.1.5 255.255.255.0
!
interface Vlan2
 ip address 10.100.2.5 255.255.255.0
!
interface Vlan3
 ip address 10.100.3.5 255.255.255.0
!
interface Vlan4
 ip address 10.100.4.5 255.255.255.0
!
ip default-gateway 10.100.1.1
ip http server
ip http secure-server
!
line con 0
line vty 0 4
 privilege level 15
 login local
 length 0
 transport input all
line vty 5 15
 privilege level 15
 login local
 transport input all
!
end
> OK, so what I think you are saying is that I can have multiple VLANs on this switch, just one of them will be able to manage the switch, correct?
Correct.
> Is someone able to edit my config so it fits what I am attempting to do so I can learn from it?
No. Telnet access to the switch can't be limited by physical port number, only by IP address. Although you could configure the switch to be managed from a VLAN that is only assigned to one port. Not sure if that would meet your requirements.
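An added example, written for this page and not taken from any post in the thread, of how the approach Don describes looks as a 2950 configuration: one management SVI (VLAN 999), that VLAN assigned only to fa0/12 and fa0/24 (the two ports the asker wants to manage from), and the vty lines filtered by source address with access-class, which is the only kind of filter the vty lines can apply. The hostname, VLAN numbers and 192.168.x.x addresses follow the asker's config; the /29 management subnet, the admin host 192.168.255.250, the gateway 192.168.255.249, the domain name, the user name and the secrets are assumptions. SSH and the standard ACL need an image that supports them (a crypto image for SSH; check `show version`).

```cisco
! Added example, not from the thread. Values marked "assumed" are illustrative.
hostname GEMSWI0000
!
! Local admin account, encrypted secrets, SSH instead of telnet.
! (secrets, user name and domain name assumed)
service password-encryption
enable secret StrongEnableSecret
username admin privilege 15 secret StrongUserSecret
ip domain-name gem.example
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
!
vlan 128
 name Office
vlan 217
 name GEM
vlan 999
 name GEM-Admin
!
! Exactly one SVI stays up on a 2950: the management one.
! VLANs 128 and 217 still switch traffic without an SVI.
interface Vlan1
 shutdown
interface Vlan999
 ip address 192.168.255.254 255.255.255.248
 no shutdown
!
! Layer-2 switch: a default gateway (assumed address) lets it answer
! management hosts outside 192.168.255.248/29.
ip default-gateway 192.168.255.249
!
! Data ports, pinned to access mode so they cannot negotiate a trunk.
interface range FastEthernet0/1 - 11
 switchport mode access
 switchport access vlan 217
 spanning-tree portfast
interface range FastEthernet0/13 - 23
 switchport mode access
 switchport access vlan 128
 spanning-tree portfast
!
! The two management ports are the only ports in VLAN 999.
! "switchport port-security" must be present; maximum/sticky alone do nothing.
! One sticky MAC per port: the first admin host seen on each port owns it.
interface range FastEthernet0/12 , FastEthernet0/24
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Source-address filter for the vty lines: only the admin host (assumed),
! and rejected attempts are logged.
access-list 10 permit host 192.168.255.250
access-list 10 deny any log
!
line con 0
 login local
 exec-timeout 10 0
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
```

A host moved from fa0/12 to a VLAN 217 port is still blocked even if it keeps its address, because the switch only answers on VLAN 999; the access-class is the second check, for hosts that do reach that subnet. `show port-security interface fa0/12` and `show access-lists 10` show which layer rejected an attempt.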
Hey guys... Please use the "code" feature when posting configs.
> This is totally possible, take a look below. You need to assign IP addresses on each vlan,
No, it's not. A 2950 will only have one SVI (VLAN interface) active at any time. So while you can assign IP addresses to as many VLAN interfaces as you want, only one of those interfaces will be up at any time.
It is possible; I do it all the time, and have been doing this for the past 15 years on 2950s. This same thing has been told to me many times, but trust me, it works.

All my switches have VLAN interfaces on 4 to 5 VLANs, and I can SSH to any of those 4 or 5 IP addresses.

I can SSH to 10.100.1.5, 10.100.2.5, 10.100.3.5 and 10.100.4.5, for example, on this switch.
On a 2950, when you "no shut" an SVI, any other SVIs will automatically shut down.

If you've got a 2950 with multiple SVIs in the UP/UP state, I'd love to see the output of "show ip int brief" for that switch.
GEMCC (asker):
Hi Guys,

OK, I made a few (very few) changes per the discussion.  Please see the attached code.

I see there is a debate as to whether I can have a port on each VLAN for telnetting.  What is the final decision?  If it is possible, I would like to have this feature.

Also, when I run sh run, all of the VLANs are shut down with the exception of the last one (999).  I have to do a no shut to enable a VLAN, but then the one that was up becomes down.  While VLAN999 is up, I can move over to VLAN217 for example with one laptop and ping 192.168.217.254, but another laptop will not ping the address.  The laptop that can ping is a year old, while the one that is not able to ping either the VLAN IP address or the other laptop's IP address is 6-8 years old.

en
!
config t
hostname GEMSWI0000
enable secret Pa55w0rd
!
line con 0
 password Pa55w0rd
 login
!
line vty 0 15
 password Pa55w0rd
 login
!
vlan 128
 name Office
interface vlan 128
 ip address 192.168.128.254 255.255.255.0
 no shut
!
vlan 217
 name GEM
interface vlan 217
 ip address 192.168.217.254 255.255.255.0
 no shut
!
vlan 999
 name GEM-Admin
interface vlan 999
 ip address 192.168.255.254 255.255.255.252
 no shut
!
! fa0/1 - fa0/12: VLAN 217. "switchport mode access" pins each port to
! access mode instead of leaving it in the default dynamic (DTP) mode.
interface range fa0/1 - 12
 switchport mode access
 switchport access vlan 217
!
! fa0/13 - fa0/23: VLAN 128
interface range fa0/13 - 23
 switchport mode access
 switchport access vlan 128
!
! fa0/24: the GEM-Admin VLAN with port security. Port security only takes
! effect once "switchport port-security" itself is configured on the
! interface; maximum/sticky/violation on their own do not enable it.
interface fa0/24
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 no shut
!
exit



Please advise.  I feel like I am real close to get this done.

Thanks for your help,

Don
> I see there is a debate as to whether I can have a port on each VLAN for telnetting.
I don't think there is any debate on that.  I believe the debate is on whether you can have multiple SVIs active simultaneously.

If you want to be able to telnet from multiple VLANs to the switch, you just need a router or multi-layer switch to route the traffic from the non-management VLAN.

> While VLAN999 is up, I can move over to VLAN217 for example with one laptop and ping 192.168.217.254, but another laptop will not ping the address.
You're saying that you can ping the IP address assigned to the VLAN interface which is down?  Are there any other devices that could also have that address?
GEMCC (asker):
OK, put the SVI issue to the side.  It is merely a "bonus" if I/we can get it working.  My biggest issue is getting all of the VLANs up at the same time.

Please drop the SVI issue for now.

Please advise.

Thanks,

Don
> Please drop the SVI issue for now.
> My biggest issue is getting all of the VLANs up at the same time.
Sorry.  Your prior post mentioned "shut" and "shutdown" with respect to VLANs.  VLANs can't be shut down.  Only SVIs can.  So I assumed you were referring to SVIs.

Why do you think all the VLANs are not "up"?  If you issue a "show vlan", the third column should be "status".  Do you not see "Active" for each VLAN?
GEMCC (asker):
Yes, I do, but when I run sh run, it shows all but one VLAN as shutdown.

Please advise.
Once again: you are referring to the SVIs (VLAN interfaces), which you said to drop.

So I really don't know what to do.
GEMCC (asker):
As mentioned in the first post, I am new to configuring Cisco switches.  The only thing I know anything about are VLANs.  I have not heard of SVIs so I do not know what they are and how they relate to VLANs.

Please advise.
> As mentioned in the first post, I am new to configuring Cisco switches.  The only thing I know anything about are VLANs.  I have not heard of SVIs so I do not know what they are and how they relate to VLANs.

VLANs are layer-2 and allow segregating traffic.
SVIs are layer-3 and are used for management of the switch only.
On a 2950, only one SVI can be up at any one time.
You can have about 4,000 VLANs active though.

If you need to manage the switch from a different network (VLAN), then the traffic will have to be routed through a router or layer-3 switch.

What is the question (or problem)?
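An added example, not taken from any post in the thread, of what routing the management traffic through a router looks like. The 2950 keeps its single SVI in the management VLAN, one port is trunked to a router that holds an 802.1Q subinterface per VLAN (router-on-a-stick), and an admin in the Office VLAN reaches the switch by being routed into VLAN 999. The switch filters vty sessions by source address and the router filters what may enter the management subnet at all, so the restriction is enforced in two places. VLAN IDs and the 192.168.128/217/255 addresses come from the asker's config; the router's addresses (.1 on each data VLAN, 192.168.255.249 on VLAN 999), the admin host 192.168.128.10, fa0/24 as the uplink, the router's FastEthernet0/0 and the ACL name TO-MGMT are assumptions.

```cisco
! ---- GEMSWI0000 (Catalyst 2950, layer 2) ---- added example, not from the thread
vlan 128
 name Office
vlan 217
 name GEM
vlan 999
 name GEM-Admin
!
! Single management SVI; the VLAN 1 SVI is left down.
interface Vlan1
 shutdown
interface Vlan999
 ip address 192.168.255.254 255.255.255.248
 no shutdown
!
! Replies to admins in other VLANs are sent to the router (assumed address).
ip default-gateway 192.168.255.249
!
! Uplink to the router: fixed 802.1Q trunk, DTP off, only the VLANs in use.
! VLAN 1 is not on the allowed list, so untagged frames are dropped.
interface FastEthernet0/24
 description Uplink to router (assumed)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 128,217,999
!
! Only the admin host in the Office VLAN (assumed) may open a session.
access-list 10 permit host 192.168.128.10
access-list 10 deny any log
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
!
! ---- Router (router-on-a-stick); interfaces and addresses assumed ----
interface FastEthernet0/0
 no ip address
 no shutdown
interface FastEthernet0/0.128
 encapsulation dot1Q 128
 ip address 192.168.128.1 255.255.255.0
interface FastEthernet0/0.217
 encapsulation dot1Q 217
 ip address 192.168.217.1 255.255.255.0
interface FastEthernet0/0.999
 encapsulation dot1Q 999
 ip address 192.168.255.249 255.255.255.248
 ip access-group TO-MGMT out
!
! Only SSH from the admin host is forwarded into the management subnet;
! everything else bound for 192.168.255.248/29 is dropped and logged.
ip access-list extended TO-MGMT
 permit tcp host 192.168.128.10 host 192.168.255.254 eq 22
 deny ip any 192.168.255.248 0.0.0.7 log
```

With this in place the admin host's default gateway is 192.168.128.1, a session to 192.168.255.254 passes TO-MGMT on the router and access-list 10 on the switch, and `show ip interface brief` on the 2950 still shows only Vlan999 as up/up. The same shape works with a layer-3 switch in place of the router; only the subinterfaces change to SVIs on that device.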
ASKER CERTIFIED SOLUTION: Don Johnston
GEMCC (asker):
Thank you