Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
VLAN configs for Cisco 2821 and catlyst 3560
Here we go again guys. I am back, but one step closed to an end to the VLAN saga. I think we decided to move away from the dot1q trunk and just make everything access ports. Here is what I have so far. In the diagram I have grayed out the sites that are not ready to move yet. I figure once I have the first couple of site done properly is will be easy for me to duplicate it across the network. I have also post new configs for sites A, B, and C. I will just mimic Site C for Site D's Config. I have never set up routing on a switch so any help there would be great.
Fiber-conversion-NEW-100608.jpg
Fiber-conversion-NEW-100608.jpg
Who is Participating?
LVL 50
No problem. I'm teaching troubleshooting this week which is almost all lab so I'm just sitting around. :-)
SITE A
!
interface GigabitEthernet0/0
description VLAN30 SERVERS
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description METRO ETHERNET
ip address 10.10.10.1 255.255.255.240
ip helper-address 192.168.101.215
duplex auto
speed auto
!
interface FastEthernet0/0/0
description VLAN10 MGMT-IT
switchport access vlan 10
!
interface FastEthernet0/0/1
description ASA 5510 FIREWALL
!
interface FastEthernet0/0/2
description VLAN20 CITY HALL
switchport access vlan 20
!
interface Serial0/1/0
description T1 DIRECT LINK AIRPORT
ip address 192.168.1.25 255.255.255.248
!
interface FastEthernet0/2/0
description LINK TO OLD NETWORK
ip address 192.168.101.5 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan10
description MGMT DEVICES CONNECTED TO FE0/0/0
ip address 192.168.96.1 255.255.255.0
!
interface Vlan20
description CITY HALL DEVICES CONNECTED TO FE0/0/2
ip address 192.168.100.1 255.255.255.0
!
router eigrp 1
network 192.168.96.0
network 192.168.97.0
network 192.168.98.0
network 192.168.99.0
network 192.168.100.0
network 192.168.101.0
network 192.168.102.0
network 192.168.103.0
network 192.168.104.0
network 192.168.105.0
network 192.168.106.0
network 192.168.107.0
network 192.168.108.0
network 192.168.109.0
network 192.168.110.0
network 192.168.111.0
network 192.168.112.0
network 192.168.113.0
network 192.168.114.0
network 10.10.10.0
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/2/0
ip route 192.168.96.0 255.255.255.0 FastEthernet0/0/0
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/2
ip route 192.168.101.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.102.0 255.255.255.0 192.168.101.9
ip route 192.168.103.0 255.255.255.0 192.168.101.9
ip route 192.168.114.0 255.255.255.0 192.168.101.9
ip route 192.168.104.0 255.255.255.0 10.10.10.5
ip route 192.168.105.0 255.255.255.0 10.10.10.6
ip route 192.168.106.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.108.0 255.255.255.0 Serial0/1/0
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.8
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.4
no ip http server
no ip http secure-server
!
SITE B
!
interface FastEthernet0/0
description VLAN100 traffic from CHR1
ip address 10.10.10.2 255.255.255.240
duplex auto
speed auto
!
interface FastEthernet0/1
description KPD SWITCH
ip address 192.168.111.1 255.255.255.0
duplex half
speed auto
no mop enabled
!
router eigrp 1
network 10.10.10.0
network 192.168.111.0
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.96.0 255.255.255.0 10.10.10.1
ip route 192.168.100.0 255.255.255.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.1
ip route 192.168.103.0 255.255.255.0 10.10.10.1
ip route 192.168.114.0 255.255.255.0 10.10.10.1
ip route 192.168.104.0 255.255.255.0 10.10.10.5
ip route 192.168.105.0 255.255.255.0 10.10.10.6
ip route 192.168.106.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.108.0 255.255.255.0 10.10.10.1
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.8
ip route 192.168.111.0 255.255.255.0 FastEthernet0/1
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.4
no ip http server
no ip http secure-server
!
SITE C
!
interface FastEthernet0/1
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/2
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/3
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/4
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/5
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/7
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/9
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/10
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/11
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/12
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/13
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/14
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/15
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/16
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/17
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/18
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/19
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/20
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/21
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/22
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/23
switchport mode access
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/24
description VLAN20 traffic from CHR1
ip address 10.10.10.3 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description MGMT ACCESS
ip address 192.168.96.51 255.255.255.0
!
interface Vlan20
description COURT
ip address 192.168.109.1 255.255.255.224
!
ip classless
ip http server
!
First, on Site A, the only network statements you need for EIGRP are:
network 10.10.10.1
network 192.168.1.0
network 192.168.101.0
network 192.168.96.0
network 102.168.100.0
For site C:
router eigrp 1
network 10.10.10.0
network 192.168.96.0
network 192.168.109.0
network 10.10.10.1
network 192.168.1.0
network 192.168.101.0
network 192.168.96.0
network 102.168.100.0
For site C:
router eigrp 1
network 10.10.10.0
network 192.168.96.0
network 192.168.109.0
DOH!!! Looksl ike I forgot to take those networks out when I reverted from the failed dot1q trunk config. I have a few other questions.
Can you offer some insite on the VLAN tags for the 3560's?
What needs to be dont on the 3560 switches (Sites C and D) and the 2811 at site B to insure proper DHCP addressing? I have the helper address on the main router at Site A, but and unsure about the other sites.
On the Site C 3560, are the VLAN tags nessesary on of the ports on the switch? How to i allow access to more than 1 VLAN?
Thats all for now...I'm sure there will be more
Can you offer some insite on the VLAN tags for the 3560's?
What needs to be dont on the 3560 switches (Sites C and D) and the 2811 at site B to insure proper DHCP addressing? I have the helper address on the main router at Site A, but and unsure about the other sites.
On the Site C 3560, are the VLAN tags nessesary on of the ports on the switch? How to i allow access to more than 1 VLAN?
Thats all for now...I'm sure there will be more
yes only DHCP server located at site A. On the router at site A I have the helper-address on the interface touching the Metro-E. Is this correct?
No. You'll need a helper address statement on the interfaces of the site B, C and D routers that receive the request.
Site B:
int f0/1
ip helper-address 192.168.96.111 (or whatever the servers address is)
Site C:
int vlan10
ip helper-address 192.168.96.111 (or whatever the servers address is)
int vlan 20
ip helper-address 192.168.96.111 (or whatever the servers address is)
Other than you can remove all the static routes since you're using EIGRP.
BTW, where is Kerrville? Texas?
BTW, where is Kerrville? Texas?
Sounds good. So if I have EIGRP running on all my devices I will not need static routes? And all my sites on the metro-e should be able to route directly to each other without hitting my main router, correct? You have been very helpful and I thank you. Right now we are waiting to hear back from Time Warner and we will be pushing forward. hopefully by the end of this week. The whole VLAN concept has thrown me for a complete loop. I think I slept that week in class.
Yes, Kerrville is in Texas about 60ish miles NW of San Antonio.
Yes, Kerrville is in Texas about 60ish miles NW of San Antonio.
>So if I have EIGRP running on all my devices I will not need static routes?
That is correct. Unless you're trying to get to a network that's not being advertised by EIGRP.
>And all my sites on the metro-e should be able to route directly to each other without hitting my main router, correct?
Correct.
>I think I slept that week in class.
Yeah, I do that too... And I teach it! :-)
What class did you take?
That is correct. Unless you're trying to get to a network that's not being advertised by EIGRP.
>And all my sites on the metro-e should be able to route directly to each other without hitting my main router, correct?
Correct.
>I think I slept that week in class.
Yeah, I do that too... And I teach it! :-)
What class did you take?
It went to ITT Tech and took a 12 week Cisco WAN course. It was pretty much just ICND 1 and 2. At least that's the text book we used.
HA!! That would be why I am so lost. Thanks for the help. I feel a little more confident in moving forward with this. I am gonna leave the question open until my new equipment is up and in place.
On the Site C 3560, are the VLAN tags nessesary on of the ports on the switch? How to i allow access to more than 1 VLAN?
I am thinking I should set the default route on all my remote switches to the main router. Does that sound logical?
I thought I remembered something about VLAN databases needing to be identical on all devices. Am I just crazy?
>On the Site C 3560, are the VLAN tags nessesary on of the ports on the switch?
A point of nomenclature... The term "tag" usually refers to a trunk. In your case, you don't have any trunks, only access links. A port becomes a member of a VLAN with the command
"switchport access vlan ##"
>How to i allow access to more than 1 VLAN?
On a single port? You would need a trunk for that.
>I am thinking I should set the default route on all my remote switches to the main router. Does that sound logical?
Only if there are networks that are not advertised by EIGRP which you need to get to that are reachable through the main site.
>I thought I remembered something about VLAN databases needing to be identical on all devices. Am I just crazy?
Yep. You're crazy. ;-)
They need to be identical if you're trunking between the switches AND the same VLANs exist on all the switches. In your case, you're not trunking. The VLANs are local to that switch only.
-dj
A point of nomenclature... The term "tag" usually refers to a trunk. In your case, you don't have any trunks, only access links. A port becomes a member of a VLAN with the command
"switchport access vlan ##"
>How to i allow access to more than 1 VLAN?
On a single port? You would need a trunk for that.
>I am thinking I should set the default route on all my remote switches to the main router. Does that sound logical?
Only if there are networks that are not advertised by EIGRP which you need to get to that are reachable through the main site.
>I thought I remembered something about VLAN databases needing to be identical on all devices. Am I just crazy?
Yep. You're crazy. ;-)
They need to be identical if you're trunking between the switches AND the same VLANs exist on all the switches. In your case, you're not trunking. The VLANs are local to that switch only.
-dj
>In your case, you're not trunking. The VLANs are local to that switch only.
I am NOT trunking, True. However, there are several (7 out of the 10) site on the metro that will be on the same VLAN. This is VLAN 20. the other three are segregated for security reasons. The sites on VLAN20 all have this in their configs.
I am NOT trunking, True. However, there are several (7 out of the 10) site on the metro that will be on the same VLAN. This is VLAN 20. the other three are segregated for security reasons. The sites on VLAN20 all have this in their configs.
!
interface Vlan10
description MGMT ACCESS
ip address 192.168.96.52 255.255.255.0 <------Address differs from site to site
!
!
interface Vlan20
description COURT
ip address 192.168.113.1 255.255.255.224 <------Address differs from site to site
ip helper-address 192.168.101.215
!
Am I over complicating it?interface Vlan10
description MGMT ACCESS
ip address 192.168.96.52 255.255.255.0 <------Address differs from site to site
!
!
interface Vlan20
description COURT
ip address 192.168.113.1 255.255.255.224 <------Address differs from site to site
ip helper-address 192.168.101.215
!
No, you're not over complicating it... it's just... complicated.
When you don't have a trunk between to switches, a VLAN number is just that; a number. No other switch will ever know that the other switch has a VLAN 20.
In fact, when I create a network like yours, I use different VLAN numbers at each site (even though I don't have) just to eliminate any possible confusion.
When you don't have a trunk between to switches, a VLAN number is just that; a number. No other switch will ever know that the other switch has a VLAN 20.
In fact, when I create a network like yours, I use different VLAN numbers at each site (even though I don't have) just to eliminate any possible confusion.
Since I am all about monopolizing your time today...
check this out..
http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_23794805.html
check this out..
http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_23794805.html
Ok, so we were working until after midnight last night.
Sites, A, B, and C were a breeze. the configured 3560 switch a site C was nearly plug and play. A small minor change to the dhcp settings and all worked perfectly. The routers at site sites A, and B are working great. Then we get to site D. With the exception of the hostname, and the ip addresses, the config was identical to to the config at site C. When I plugged it in and did a few housekeep procedures (i.e. removed eroneus routes) interface VLAN20 would not come up no matter what I tried. fron the switch console i could ping everything on the network, but nobody else could see past the metro port at site D. This was at 7:00pm last night. the next 5 hours were spent doing the following.
blew away the vlan20 interface and started over - NOTHING
created a new vlan interface (VLAN220) and assigned the network ip address to that - NOTHING
reloaded the config from our TFTP server - NOTHING
reloaded the config from the switch at site c and changed hostname, ip's, etc - NOTHING
replaced with a whole different switch - NOTHING
nothing i did would bring that vlan interface up. Finally our despiration and pure exhuastion, at 11:45, I desided to assigned the network ip to the vlan1 interface and what do you know, all the ports on the switch that were lit up amber all turned green and all the pc's at site D started grabbing DHCP. We desided to leave it alone for now and research what went wrong. so my question is this.
Why would the VLAN20 interface not come online? Did it have something to do with an active VLAN20 running at site C. an earlier post here suggests that the switches are oblivious to the VLANS on other switches in a setup like this. What more should I be looking at? What are the dangers of running traffice on VLAN1? The hard part is done. Now we need to work out the kinks before we move the other 7 sites over.
Sites, A, B, and C were a breeze. the configured 3560 switch a site C was nearly plug and play. A small minor change to the dhcp settings and all worked perfectly. The routers at site sites A, and B are working great. Then we get to site D. With the exception of the hostname, and the ip addresses, the config was identical to to the config at site C. When I plugged it in and did a few housekeep procedures (i.e. removed eroneus routes) interface VLAN20 would not come up no matter what I tried. fron the switch console i could ping everything on the network, but nobody else could see past the metro port at site D. This was at 7:00pm last night. the next 5 hours were spent doing the following.
blew away the vlan20 interface and started over - NOTHING
created a new vlan interface (VLAN220) and assigned the network ip address to that - NOTHING
reloaded the config from our TFTP server - NOTHING
reloaded the config from the switch at site c and changed hostname, ip's, etc - NOTHING
replaced with a whole different switch - NOTHING
nothing i did would bring that vlan interface up. Finally our despiration and pure exhuastion, at 11:45, I desided to assigned the network ip to the vlan1 interface and what do you know, all the ports on the switch that were lit up amber all turned green and all the pc's at site D started grabbing DHCP. We desided to leave it alone for now and research what went wrong. so my question is this.
Why would the VLAN20 interface not come online? Did it have something to do with an active VLAN20 running at site C. an earlier post here suggests that the switches are oblivious to the VLANS on other switches in a setup like this. What more should I be looking at? What are the dangers of running traffice on VLAN1? The hard part is done. Now we need to work out the kinks before we move the other 7 sites over.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
