
How to enable ip forwarding/routing in cisco catalyst 2960

Last Modified: 2012-05-06
I am trying to find the command to do IP forwarding/routing on a Cisco 2960 so that I can forward all traffic to the default gateway.

Top Expert 2009
Commented:
Use the "ip default-gateway x.x.x.x" command where x.x.x.x is the default gateway IP address.

Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015
Commented:
You can't.

The 2960 is a layer 2 switch. The only traffic forwarded to the default gateway is traffic originated by the switch.

All other hosts connected to the switch need to have their default gateway configured to be a layer 3 device (router or multilayer switch) on their network.

Commented:
The only Layer 3 features of the 2960 are for device management. You can specify a default gateway using the
ip default-gateway (IP ADDR)

command, that is, after the 2960 has been assigned an IP address on a VLAN.
But a 2960 cannot route. If you want a Cisco switch with routing capabilities, a 3550 with the enhanced multilayer image (EMI) or better/newer is required.

If a device or server tries to use the 2960 as a gateway, all traffic the 2960 receives addressed to it with destinations other than itself is discarded.

Author

Commented:
I already have the default gateway set. I have another core switch to take care of the routing. All I need is that all ports of the 2960 should forward their traffic to the default gateway.

What should be the port mode for the uplink... trunk?
Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
If you have multiple VLANs on the 2960 and the core switch then it has to be a trunk. If there is only a single VLAN, an access link is all you need.

Commented:
You don't set the ports to forward traffic to the default gateway, they are Layer 2 ports.

You set the computers attached to those ports to use the right default gateway (the core switch's IP) in their IP configuration when setting up those computers.

Author

Commented:
Can anybody tell me the commands to be used for the uplink interface?

I have extended VLAN 4050 with IP address x.x.x.x (this will be the default gateway of the switch).

I am using the following commands:
int gi0/1
switchport mode trunk
switchport trunk native vlan 4050

I am not sure if I am doing this the correct way. I can ping the core, but somehow can't ping from other VLANs.

Commented:
What is the port configuration of the other end of the uplink port?
This particular port configuration seems to be correct.
Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
The commands for the core switch will be the same as for the 2960 except that you will have to add the command "switchport trunk encap dot1q".

Author

Commented:
Is it possible to add my trunk port as a member of another VLAN so that VLAN can send traffic to the default gateway? I guess I have to make the trunk port an untagged VLAN and make it a member of all VLANs as a tagged port.

Author

Commented:
Don Johnston,
when you say "you will have to add the command "switchport trunk encap dot1q"", do you mean to apply this command on the trunk VLAN, i.e. VLAN 4050, or to other VLANs?

Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
Trunk ports aren't "members" of VLANs. They carry VLANs. A VLAN can be allowed on a trunk.

The "switchport trunk encap dot1q" command needs to be applied to the core switch interface that connects with the 2960.

Commented:
Don't use "switchport trunk native vlan 4050"; this is strongly discouraged unless you have a very special reason to use a native VLAN other than 1 on each side. In any case, the native VLAN must match on both sides of a trunk.

And if you wish to have good L2 security, you should never place a non-trunk (access port) in anything you use as a native VLAN of any trunk, except for trusted network management workstations.


The trunks will pass all VLANs you configure on both switches and allow on the trunk. Trunks are not PLACED in a VLAN; trunks do not act like normal switch ports, they are solely for connecting switches and behave very differently.

The port config for a trunk should generally be:

switchport
switchport trunk encapsulation dot1Q
switchport mode trunk
switchport nonegotiate

It is most important that the trunk config matches on both sides.
If you specify "port speed" or "duplex" other than auto on one side, then the other side must be exactly the same (generally, it should be auto on both sides).

The default is that all VLANs in the local switch's VLAN database are _allowed_ to be trunked on that port.

The packets sent on the trunk will be tagged with an 802.1q section indicating the proper VLAN. Packets with no 'tag' are in the native VLAN, which is by default 1.

There is a command to restrict what VLANs can cross a trunk port:
switchport trunk allowed vlan (comma-separated LIST OF ALLOWED)

and everything not listed is disallowed.

Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
>Don't use "switchport trunk native vlan 4050"; this is strongly discouraged,
By who? Why?

>And if you wish to have good L2 security, you should never place a non-trunk (access port) in anything you use as a native VLAN of any trunk, except for trusted network management workstations.

Why?


Author

Commented:
I can understand the problem with the native VLAN, but what I observed is that only if I set the native VLAN was I able to ping the core switch, otherwise not. My 2960 is not directly connected to the core but goes through a daisy chain of a couple of switches.
I don't have any access to the other switches right now as they are managed by somebody else, but routes are defined for sure in the core for this switch's VLANs.
Can somebody tell me the exact configuration for the Cisco 2960 which I should apply to get it working?

Other thing:
I am not able to apply this command on the Cisco switch:
switchport trunk encapsulation dot1Q --> neither on the VLAN nor the port interface
Do I need to enable any specific thing to get it working?

Thanks everyone for your support
Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
You can't use the encapsulation command on a 2900 switch.

If you don't have access to the switch that the 2960 is connected to, then there's not much more you can do.

Author

Commented:
If I set all VLANs as "voice", will they be considered tagged VLANs?
Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
If the voice VLAN is not the native VLAN on the trunk then it will be tagged.
Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
In my opinion, the original question was answered by posts 23666432 and 23666614


Commented:
>>And if you wish to have good L2 security, you should never place a non-trunk (access port) in anything you use as a native VLAN of any trunk, except for trusted network management workstations.
>Why?

Matching a trunk native VLAN with a user port enables the possibility of VLAN hopping. An access-port member of the native trunk VLAN can exploit trunks through double-tagging to send frames into other VLANs.
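A defender-side audit of the trunk advice given in this thread (native VLAN matching on both ends of the uplink, no access ports in a trunk's native VLAN, "switchport nonegotiate" present, allowed-VLAN list pruned), as an added Python example that is not part of the thread: the running-config excerpts, interface names and rule table are constructed assumptions, and the defaults mirror the IOS behaviour the thread describes (native VLAN 1, all VLANs allowed).

```python
import re

# Constructed sample configs (not from the thread): the 2960's uplink Gi0/1 peers with Gi1/0/24.
SWITCH_CFG = """interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 4050
interface GigabitEthernet0/2
 switchport access vlan 4050"""
PEER_CFG = """interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate"""
DEFAULTS = {"mode": "access", "native": 1, "access": 1, "allowed": "all", "nonegotiate": ""}  # IOS defaults
RULES = [(r"switchport mode (\w+)", "mode"),
         (r"switchport trunk native vlan (\d+)", "native"),
         (r"switchport access vlan (\d+)", "access"),
         (r"switchport trunk allowed vlan (.+)", "allowed"),
         (r"switchport (nonegotiate)", "nonegotiate")]

def parse_interfaces(cfg):
    """Map interface name -> switchport settings, with defaults filled in for absent lines."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), dict(DEFAULTS))
            continue
        for pat, key in RULES:
            m = re.match(pat, line.strip())
            if m and cur is not None:
                v = m.group(1)
                cur[key] = int(v) if key in ("native", "access") else v
    return ifaces

def audit(local_cfg, peer_cfg, link):
    """Findings for local trunk ports; link = (local_port, peer_port) of the uplink."""
    local, peer = parse_interfaces(local_cfg), parse_interfaces(peer_cfg)
    access_vlans = {i["access"] for i in local.values() if i["mode"] == "access"}
    out = []
    for name, i in local.items():
        if i["mode"] == "trunk":
            checks = [(i["native"] in access_vlans, f"native VLAN {i['native']} also has access ports (double-tagging risk)"),
                      (not i["nonegotiate"], "missing 'switchport nonegotiate' (DTP still on)"),
                      (i["allowed"] == "all", "all VLANs allowed; prune with 'switchport trunk allowed vlan'")]
            out += [f"{name}: {msg}" for bad, msg in checks if bad]
    a, b = link
    if local[a]["native"] != peer[b]["native"]:
        out.append(f"{a}<->{b}: native VLAN mismatch ({local[a]['native']} vs {peer[b]['native']})")
    return out
```

Running audit(SWITCH_CFG, PEER_CFG, ("GigabitEthernet0/1", "GigabitEthernet1/0/24")) on the constructed configs reports all four problems the thread warns about, including the native VLAN mismatch (4050 on the 2960, default 1 on the peer).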

