Solved

How to enable ip forwarding/routing in cisco catalyst 2960

Posted on 2009-02-17
Last Modified: 2012-05-06
I am trying to find the command to do IP forwarding/routing on a Cisco 2960 so that I can forward all traffic to the default gateway.
Question by:saini_er
22 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 1000 total points
ID: 23666432
Use the "ip default-gateway x.x.x.x" command where x.x.x.x is the default gateway IP address.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 1000 total points
ID: 23666614
You can't.

The 2960 is a layer 2 switch. The only traffic forwarded to the default gateway is traffic originated by the switch.

All other hosts connected to the switch need to have their default gateway configured to be a layer 3 device (router or multilayer switch) on their network.
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 23666653
The only Layer 3 features of the 2960 are for device management. You can specify a default gateway using the

ip default-gateway (IP ADDR)

command, that is, after the 2960 has been assigned an IP address on a VLAN.
But a 2960 cannot route. If you want a Cisco switch with routing capabilities, a 3550 with the enhanced-multilayer image (EMI) or better/newer is required.

If a device or server tries to use the 2960 as a gateway, all traffic the 2960 receives addressed to it with destinations other than itself is discarded.
0
 

Author Comment

by:saini_er
ID: 23666742
I already have the default gateway set. I have another core switch to take care of the routing. All I need is that all ports of the 2960 should forward their traffic to the default gateway.

What should the port mode be for the uplink... trunk?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 23666807
If you have multiple VLANs on the 2960 and the core switch then it has to be a trunk. If there is only a single VLAN, an access link is all you need.
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 23666849
You don't set the ports to forward traffic to the default gateway, they are Layer 2 ports.

You set computers attached to those ports to use the right default gateway (the core switch's IP) in their IP configuration when setting up those computers.

0
 

Author Comment

by:saini_er
ID: 23666959
Can anybody tell me the commands to be used for the uplink interface?

I have extended VLAN 4050 with IP address x.x.x.x. (This will be the default gateway of the switch.)

I am using the following commands:
int gi0/1
switchport mode trunk
switchport trunk native vlan 4050

I am not sure if I am doing it the correct way. I can ping the core, though, but somehow can't ping from other VLANs.

0
 
LVL 21

Expert Comment

by:from_exp
ID: 23667477
What is the port configuration of the other end of the uplink port?
This particular port configuration seems to be correct.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 23669056
The commands for the core switch will be the same as for the 2960 except that you will have to add the command "switchport trunk encap dot1q".

0
 

Author Comment

by:saini_er
ID: 23688343
Is it possible to add my trunk port as a member of another VLAN so that the VLAN can send traffic to the default gateway? I guess I have to make the trunk port an untagged VLAN and make it a member of all VLANs as a tagged port.
0
 

Author Comment

by:saini_er
ID: 23688353
Donjohnston,
when you say "you will have to add the command "switchport trunk encap dot1q"", do you mean to apply this command on the trunk VLAN, i.e. VLAN 4050, or on other VLANs?

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 23688654
Trunk ports aren't "members" of VLANs. They carry VLANs. A VLAN can be allowed on a trunk.

The "switchport trunk encap dot1q" command needs to be applied to the core switch interface that connects with the 2960.
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 23689708
Don't use "switchport trunk native vlan 4050", this is strongly discouraged, unless you have a very special reason to use a native VLAN other than 1 on each side. In any case, the native VLAN must match on both sides of a trunk.

And if you wish to have good L2 security, you should never place a non-trunk (access port) in anything you use as a native VLAN of any trunk, except for trusted network management workstations.

The trunks will pass all VLANs you configure on both switches and allowed on the trunk. Trunks are not PLACED in a VLAN; trunks do not act like normal switch ports; they are solely for connecting switches and behave very differently.

The port config for a trunk should generally be:

switchport
switchport trunk encapsulation dot1Q
switchport mode trunk
switchport nonegotiate

It is most important that the trunk config matches on both sides.
If you specify "port speed" or "duplex" other than auto on one side, then the other side must be exactly the same (generally, it should be auto on both sides).

The default is that all VLANs in the local switch's VLAN database are _allowed_ to be trunked on that port.

The packets sent on the trunk will be tagged with an 802.1Q section indicating the proper VLAN. Packets with no 'tag' are in the native VLAN, which is by default 1.

There is a command to restrict what VLANs can cross a trunk port:
switchport trunk allowed vlan (comma-separated LIST OF ALLOWED)

And everything not listed is disallowed.

0
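How a trunk port places the frames it receives, following the comment above: untagged frames go to the native VLAN, tagged frames to the VLAN in the tag, and VLANs off the allowed list are dropped. This is an added example, not code from the thread; the frame builder, the sample MAC address and the function names are constructed for illustration, and the parser also flags a second 802.1Q tag sitting behind the first.

```python
import struct

TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_allowed(spec):
    """Expand an allowed-VLAN list such as '1,20-22' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def classify(frame, native_vlan=1, allowed=None):
    """Return how a trunk port places a received frame, or None when the
    frame's VLAN is not allowed on the trunk."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vlan, tagged = tci & 0x0FFF, True   # low 12 bits of the TCI hold the VLAN ID
        nested = inner_type == TPID_DOT1Q   # a second tag sits behind the first
    else:
        vlan, tagged, nested = native_vlan, False, False  # untagged: native VLAN
    if allowed is not None and vlan not in allowed:
        return None
    return {"vlan": vlan, "tagged": tagged, "nested_tag": nested}


def build_frame(vlan_tags=()):
    """Constructed sample frame: broadcast destination, made-up source MAC,
    optional 802.1Q tags, IPv4 EtherType and a zero-filled payload."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for vid in vlan_tags:
        frame += struct.pack("!HH", TPID_DOT1Q, vid)
    return frame + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    allowed = parse_allowed("1,20-22,4050")
    for tags in [(), (20,), (30,), (1, 20)]:
        print(tags, classify(build_frame(tags), native_vlan=1, allowed=allowed))
```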
 
LVL 50

Expert Comment

by:Don Johnston
ID: 23691135
>Don't use "switchport trunk native vlan 4050", this is strongly discouraged,
By who? Why?

>And if you wish to have good L2 security, you should never place a non-trunk (access port) in anything you use as a native VLAN of any trunk, except for trusted network management workstations.

Why?


0
 

Author Comment

by:saini_er
ID: 23694229
I can understand the problem with the native VLAN, but what I observed is that only if I set the native VLAN was I able to ping the core switch, otherwise not. My 2960 is not directly connected to the core but goes through a daisy chain of a couple of switches.
I don't have any access to the other switches right now as they are managed by somebody else, but routes are defined for sure in the core for this switch's VLANs.
Can somebody tell me the exact configuration for the Cisco 2960 which I should apply to get it working?

Another thing:
I am not able to apply this command on the Cisco switch:
switchport trunk encapsulation dot1Q --> neither on the VLAN nor on the port interface
Do I need to enable any specific thing to get it working?

Thanks everyone for your support.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 23697250
You can't use the encapsulation command on a 2900 switch.

If you don't have access to the switch that the 2960 is connected to, then there's not much more you can do.

0
 

Author Comment

by:saini_er
ID: 23697816
If I set all VLANs as "voice", will it be considered a tagged VLAN?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 23697821
If the voice VLAN is not the native VLAN on the trunk then it will be tagged.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 32349455
In my opinion, the original question was answered by posts 23666432 and 23666614


0
 
LVL 23

Expert Comment

by:Mysidia
ID: 32599949
>>And if you wish to have good L2 security, you should never place a non-trunk (access port) in anything you use as a native VLAN of any trunk, except for trusted network management workstations.
>Why?

Matching a trunk native VLAN with a user port enables the possibility of VLAN hopping. An access member of the native trunk VLAN can exploit trunks through double-tagging to send frames into other VLANs.


0
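A configuration check for the condition described in the last comment, an access port sitting in the native VLAN of a trunk. This is an added example, not part of the thread; the sample config and function names are constructed, only ports with an explicit "switchport mode access" or "switchport mode trunk" line are considered, and it also reports trunks that have no allowed-VLAN list.

```python
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 4050
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 4050
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
"""  # constructed sample config, not taken from the thread

PATTERNS = {  # switchport line -> (setting name, converter)
    r"switchport mode (\S+)": ("mode", str),
    r"switchport access vlan (\d+)": ("access", int),
    r"switchport trunk native vlan (\d+)": ("native", int),
    r"switchport trunk allowed vlan (.+)": ("allowed", str),
}


def parse_interfaces(config):
    """Collect switchport settings per interface; unset values keep the
    defaults (access VLAN 1, native VLAN 1, no allowed-VLAN list)."""
    ports, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = ports[raw.split()[1]] = {"mode": None, "access": 1, "native": 1, "allowed": None}
        elif not raw.startswith(" "):
            cur = None  # "!" or a global command ends the interface block
        elif cur is not None:
            for pattern, (key, conv) in PATTERNS.items():
                if m := re.fullmatch(pattern, raw.strip()):
                    cur[key] = conv(m.group(1))
    return ports


def audit(config):
    """Return (trunk, issue, access_ports) findings for every trunk port."""
    ports, findings = parse_interfaces(config), []
    for name, p in ((n, p) for n, p in ports.items() if p["mode"] == "trunk"):
        shared = sorted(n for n, a in ports.items()
                        if a["mode"] == "access" and a["access"] == p["native"])
        if shared:
            findings.append((name, f"native VLAN {p['native']} shared with access ports", shared))
        if p["allowed"] is None:
            findings.append((name, "no allowed-VLAN list", []))
    return findings
```

Calling audit(SAMPLE_CONFIG) reports two findings for GigabitEthernet0/1: native VLAN 4050 is shared with access port FastEthernet0/2, and the trunk has no allowed-VLAN list.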
