Configure VLAN on Cisco 3560G

Posted on 2009-07-13
Last Modified: 2012-08-13
Experts, this is the first time I am creating a VLAN. I have a Cisco 3560G switch which is connected to a router through the G0/1 interface of the switch. I was looking at different forums and it seems I can do all the routing on this switch because this is a Layer-3 switch. I have 3 VLANs already configured: VLAN 10, VLAN 15 and VLAN 1. I can ping from one VLAN to another, but I cannot ping the gateway (the router in the diagram), which is 172.23.200.1. Another thing: I cannot access the configuration of this router and I have to configure everything on the switch, if that is possible. Please see my configuration below:

Lab_Test_Setup#sh run
Building configuration...

Current configuration : 2857 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Lab_Test_Setup
!
enable secret 5 $1$gHib$dbAbmm5nRPYPsm6plenfW.
enable password telecom
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
 switchport access vlan 5
!
interface GigabitEthernet0/18
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/30
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/31
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/32
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
 ip address 172.23.200.30 255.255.254.0
!
interface Vlan5
 ip address 172.23.210.110 255.255.254.0
!
interface Vlan10
 ip address 172.23.220.110 255.255.254.0
!
ip default-gateway 172.23.200.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.23.200.1
ip route 172.23.210.0 255.255.254.0 172.23.200.1
ip http server
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 no login
line vty 5 15
 password cisco
 no login
!
end
Attachment: vlan.JPG (network diagram)

Question by:sg2009
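One thing a security engineer would flag in the configuration above before getting to the routing question: the VTY lines have `no login` with a line password set, which lets anyone who can reach the switch over the network open a session without any credentials; the cleartext `enable password telecom` sits next to the `enable secret`; `ip http server` is on; and `no service password-encryption` leaves the line passwords readable in any backup of the config. The following is an added example, not part of the original question or any of the answers: a small Python lint that parses a running-config in the shape posted above and reports those settings together with the IOS commands that close them. The config excerpt inside it is a constructed, shortened copy of the posted one with a placeholder enable-secret hash; the ACL name `MGMT` and the `admin` username in the remediation table are assumptions.

```python
"""Management-plane lint for an IOS running-config (added example)."""

# Constructed, shortened copy of the configuration posted above; the real
# enable-secret hash is replaced by a placeholder.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname Lab_Test_Setup
enable secret 5 $1$xxxx$PLACEHOLDERHASH
enable password telecom
no aaa new-model
ip routing
interface Vlan1
 ip address 172.23.200.30 255.255.254.0
ip http server
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 no login
line vty 5 15
 password cisco
 no login
end
"""

# IOS commands that close each finding; items in <> are site-specific, and the
# ACL name MGMT / username admin are assumptions of this example.
REMEDIATION = {
    "vty-no-login": ["login local", "(global) username admin privilege 15 secret <strong-secret>"],
    "vty-telnet": ["transport input ssh"],
    "vty-no-acl": ["access-class MGMT in", "(global) ip access-list standard MGMT / permit <mgmt-subnet>"],
    "enable-password": ["no enable password"],
    "no-pw-encryption": ["service password-encryption"],
    "http-server": ["no ip http server"],
    "exec-timeout-0": ["exec-timeout 10 0"],
}


def parse_sections(text):
    """Split a running-config into its top-level lines and, per top-level line,
    the indented body under it (IOS indents section bodies by one space)."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def lint(text):
    """Return (severity, key, location) findings for weak management settings."""
    top, sections = parse_sections(text)
    findings = []
    if "no service password-encryption" in top:
        findings.append(("medium", "no-pw-encryption", "global"))
    if any(line.startswith("enable password ") for line in top):
        # When both are set IOS checks the secret, but the cleartext password
        # still sits in the config for anyone who can read or back it up.
        findings.append(("high", "enable-password", "global"))
    if "ip http server" in top:
        findings.append(("medium", "http-server", "global"))
    for header, body in sections.items():
        if header.startswith("line vty"):
            if "no login" in body:  # any connection gets an exec without a password
                findings.append(("critical", "vty-no-login", header))
            if "transport input ssh" not in body:  # Telnet is not excluded
                findings.append(("high", "vty-telnet", header))
            if not any(line.startswith("access-class ") for line in body):
                findings.append(("medium", "vty-no-acl", header))
        if header.startswith("line ") and "exec-timeout 0 0" in body:
            findings.append(("low", "exec-timeout-0", header))
    return findings


def remediation(findings):
    """Commands to apply, grouped by the line section or 'global' they belong to."""
    fixes = {}
    for _severity, key, where in findings:
        fixes.setdefault(where, []).extend(REMEDIATION[key])
    return fixes


if __name__ == "__main__":
    results = lint(SAMPLE_CONFIG)
    for severity, key, where in results:
        print(f"{severity:8} {where:14} {key}")
    for where, cmds in remediation(results).items():
        print(where, "->", "; ".join(cmds))
```

Run it against a `show running-config` capture of the real switch rather than the excerpt; the parser only relies on IOS's one-space indentation of section bodies, so the full 52-port config parses the same way.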

Expert Comment by nodisco:
Hi,

As your router is part of VLAN 1 and you have not mentioned it doing any trunking, you should make this port an access switchport:

interface GigabitEthernet0/1
 no switchport trunk encapsulation dot1q
 no switchport mode trunk
 switchport access vlan 1
 switchport mode access

Also, ensure the subnet mask on your router is also 255.255.254.0.

hth

Author Comment by sg2009:
Hi nodisco,
I tried your commands and changed gig0/1 to access mode, but VLAN 5 and VLAN 10 still don't ping the router. But I can ping from VLAN 1. My router also has the same 255.255.254.0 subnet mask.

Expert Comment by nodisco:
On your 3560G, enable routing:

conf t
ip routing

On VLANs 5 and 10, ensure that the default gateway on the machines is 172.23.210.110 and 172.23.220.110 respectively.
Why do you have ip route 172.23.210.0 255.255.254.0 172.23.200.1? This is a connected network.

And finally, on your router 172.23.200.1 you will need to have a route back for the networks on VLAN 5 and 10, e.g.
ip route 172.23.210.0 255.255.254.0 172.23.200.30
ip route 172.23.220.0 255.255.254.0 172.23.200.30

hth

Assisted Solution by memo_tnt (50 points):
Hi sg2009,

Please check this link regarding VLANs posted before; it's very useful:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_24072072.html

BR

Expert Comment by Aaron Street:
Well, if you haven't set up the config of the router, that will be your problem.

Does the router know about the IP ranges in the VLANs?

Think of it as the packet traces the network. A PC in VLAN 5 pings a PC in VLAN 10. The gateway is the switch, so it knows how to route between the VLANs.

However, ping the router's 172.x.x.x address from a PC and the packet first goes to the switch. This knows how to get to the router's IP address because you have set that up in the routing tables:

ip default-gateway 172.23.200.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.23.200.1

(from your config)

So it forwards the packet to the router.

Now the router, however, does not know about the

interface Vlan5
 ip address 172.23.210.110 255.255.254.0
!
interface Vlan10
 ip address 172.23.220.110 255.255.254.0

address ranges; they are on the "far" side of the switch! It has no route back to them.

So if you did a packet trace you would see the packet come from the PC, go to the router, but not come back!

Routers only forward packets; they do not understand to send a packet back the same way it came. They need a route in both directions.

To make this work, you can do it one of two ways.

The correct way is to either set up a static route on the router to send traffic back to the switch, or use a routing protocol to achieve the same thing.

Or, if you really can't change the router's config, you could cheat.

Simply have all the networks on the VLANs as subnets of the 172.23.200.30 255.255.254.0 range. This is called summarisation, because the router will send all traffic to this network towards the switch. You can then use the switch to further divide the network range.

But nodisco has the right idea in saying you need to put the routes on the router. Hopefully I have explained why this is. If you are still confused, just remember a router only knows about networks directly attached to it. Other networks must be entered into its routing tables in some way. Just because you don't get a ping reply does not mean the packet does not reach the destination. Both the outward and return journey must be configured correctly for the ping to return correctly.

Try running a trace route command and see what happens.
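The reasoning in the two comments above (nodisco's return routes and Aaron's packet walk) in code, as an added example that is not part of the original thread. It builds a small model of the topology from the first posted config: a PC in VLAN 5, the 3560G with its three SVIs and its default route, the router with 172.23.200.1/23, and one upstream hop. The 172.23.x addresses are the thread's; the PC address 172.23.210.50 and the 203.0.113.0/30 WAN link are assumed. Every hop does a longest-prefix-match lookup, and a ping only counts as working when the request reaches the router and the reply finds its way back. Without the return routes nodisco asks for, the router's only match for 172.23.210.50 is its default route, so the reply is handed upstream and dies there; with them, the /23 statics beat the default and the reply comes back through the switch. The last part shows the longest-match rule on its own: a blanket 172.23.0.0/16 route to the switch does not capture the router's own connected /23.

```python
"""Longest-prefix-match forwarding and a two-way ping trace (added example)."""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    """A host or router: connected networks plus static routes.

    routes hold (network, next_hop); next_hop None means directly connected.
    A static route's next hop must itself lie in one of the node's connected
    networks, as IOS requires for the static to be usable.
    """

    def __init__(self, name, interfaces, statics=()):
        self.name = name
        self.addrs = set()
        self.routes = []
        for cidr in interfaces:
            iface = ip_interface(cidr)
            self.addrs.add(iface.ip)
            self.routes.append((iface.network, None))
        for net, nh in statics:
            self.routes.append((ip_network(net), ip_address(nh)))

    def lookup(self, dst):
        """Longest-prefix match: of all routes covering dst the longest mask wins,
        so a connected /23 beats a static /16 and both beat the 0.0.0.0/0 default."""
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def next_hop(self, dst):
        """Address the packet is handed to: dst itself on a connected network,
        the configured next hop otherwise, None if there is no route at all."""
        route = self.lookup(dst)
        if route is None:
            return None
        return ip_address(dst) if route[1] is None else route[1]


def trace(nodes, src, dst, max_hops=8):
    """Walk one packet from src to dst. Returns (delivered, visited node names)."""
    owner = {addr: node for node in nodes for addr in node.addrs}
    here, dst = owner[ip_address(src)], ip_address(dst)
    path = [here.name]
    for _ in range(max_hops):
        if dst in here.addrs:
            return True, path
        nh = here.next_hop(dst)
        if nh is None or nh not in owner:  # no route, or next hop not on any link
            return False, path
        here = owner[nh]
        path.append(here.name)
    return False, path


def round_trip(nodes, src, dst):
    """Ping semantics: the request must reach dst AND the reply must reach src."""
    fwd_ok, fwd = trace(nodes, src, dst)
    rev_ok, rev = trace(nodes, dst, src)
    return fwd_ok and rev_ok, fwd, rev


def lab(router_statics=()):
    """Constructed topology from the first posted config. 172.23.x addresses are
    the thread's; the PC address and the 203.0.113.0/30 WAN link are assumed."""
    pc = Node("pc-vlan5", ["172.23.210.50/23"], [("0.0.0.0/0", "172.23.210.110")])
    sw = Node("3560g", ["172.23.200.30/23", "172.23.210.110/23", "172.23.220.110/23"],
              [("0.0.0.0/0", "172.23.200.1")])
    rtr = Node("router", ["172.23.200.1/23", "203.0.113.2/30"],
               [("0.0.0.0/0", "203.0.113.1"), *router_statics])
    upstream = Node("upstream", ["203.0.113.1/30"])  # knows nothing of 172.23.0.0/16
    return [pc, sw, rtr, upstream]


# The return routes nodisco asks for on the router (next hop: the 3560G's Vlan1 address).
RETURN_ROUTES = [("172.23.210.0/23", "172.23.200.30"), ("172.23.220.0/23", "172.23.200.30")]

if __name__ == "__main__":
    for label, statics in (("no return routes", ()), ("with return routes", RETURN_ROUTES)):
        ok, fwd, rev = round_trip(lab(statics), "172.23.210.50", "172.23.200.1")
        print(f"{label}: ping ok={ok}  request={fwd}  reply={rev}")
```

The model deliberately has the upstream hop drop the reply rather than the router, because that is where a reply with no route home ends up in practice: the router's default route is perfectly happy to forward it.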

Author Comment by sg2009:

Hi all, thanks for your explanations. I understood my problem here. But as I told you, I cannot access the router config. Is there any other way to achieve this? As DevilWAH mentioned, "simply have all the networks on the VLANs as subnets of the 172.23.200.30 255.255.254.0 range. This is called summarisation, because the router will send all traffic to this network towards the switch. You can then use the switch to further divide the network range."

Can you please help me to do this step by step, because I am new to this.

Also, is there any other setup to create VLANs without accessing the router config? I mean connect another switch to this switch and create VLANs on the other switch.

I am trying to understand how this will work in a real environment. In our company we have a Cbeyond T1 line; they gave us one WAN port and didn't give us any access to their router. The WAN port is connected to a SonicWall firewall and our switch is connected to the LAN port of the firewall. How can VLANs be created in this environment?

Expert Comment by Aaron Street:
OK, think of it like this:

The router has IP address 172.23.200.1/23.
Change switch port G0/1 to a non-switchport:
#int g0/1
#no switchport
#ip address 172.23.200.2/26 (note the subnet is different at each end of the link!!! The router has a /23 subnet, so the router thinks all of the 172.23.200.1/23 range is on the switch, but the switch sees different parts of the network range on different VLANs.)

Now you have a point-to-point link between your switch and router on the same IP address, and down it all the 172.23.200.0/23 traffic will travel to the switch.

Next, set up the VLAN ranges:

#int vlan 1
#ip address 172.23.200.65/26   (gives you a range from 172.23.200.64 to 127)

int vlan 2
#ip address 172.23.200.129/26 (range 172.23.200.128 - 192)

On the switch, set up a default route:

#ip route 0.0.0.0 0.0.0.0 172.23.200.1 (so all unknown traffic is forwarded out to the router)

#ip routing (don't forget this, to make sure routing is enabled)

Now a #show ip route should give you

172.23.64.0/26 directly attached (vlan 1)
172.23.128.0/26 Directly attached (vlan2)
172.23.200.0/26 directly attached (this connects to the router)

0.0.0.0 0.0.0.0 172.23.200.1 (every thing else send to the router to deal with.)

Remember you can't use any of the 172.23.200.0/23 range anywhere on the other side of the router!!! That's the downside to supernetting and summarisation: you are binding the entire 172.23.200.1/23 range to that one interface of the router.

Also remember I used /26 masks for simplicity. You could have one VLAN use a /25 and another use a /27. The only rule is that ranges must not overlap. Ideally you want to start with the largest ones at the bottom and the smaller ones at the end; this way you lose fewer addresses. However, because you have the router stuck at 200.1, you have to have the point-to-point using the first range.

If you want to post your network ranges I can have a quick look over them to check them for you.

Also, I may have made mistakes in my masks. I am typing and making them up in my head as I go, but I hope they give you the right idea.

If you want a diagram let me know and I will sort one out this evening at home (see how dedicated I am :) )

Well, hope that helped.

Aaron
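An address plan for the summarisation workaround described above, as an added example (not Aaron's or the page's code). It carves the /23 the router believes is on its LAN port into a block for the Gi0/1 link, pinned to the start of the range because 172.23.200.1 lives there, and one block per VLAN, placing larger blocks first as the post recommends. It then checks the rules the post gives: no overlaps, every block inside the /23, the router address inside the link block, and nothing beyond the router using addresses from that /23. `on_link_from` answers, for an interface address and mask, whether a host falls inside that interface's own subnet; the router's /23 covers every VLAN host, while a /26 on Gi0/1 covers only 172.23.200.0 to .63, which is the mismatch the later post about the Gi0/1 mask turns on. The /23 and the four /26 blocks are the thread's; the mixed-size plan and the 172.23.201.0/24 "remote" network are constructed.

```python
"""Address plan for the summarisation workaround (added example)."""
from ipaddress import IPv4Address, ip_address, ip_interface, ip_network
from itertools import combinations


def plan_vlans(summary, wants):
    """Carve `summary` into blocks.

    wants: list of (name, prefixlen). The first entry is the switch-to-router
    link and is pinned to the start of the summary because the router's
    address (172.23.200.1 in the thread) sits there. The rest are placed
    largest-block-first so smaller blocks fill the gaps instead of forcing
    alignment padding. Returns an insertion-ordered dict name -> IPv4Network.
    """
    summary = ip_network(summary)
    order = [wants[0]] + sorted(wants[1:], key=lambda w: w[1])
    cursor = int(summary.network_address)
    end = int(summary.broadcast_address) + 1
    plan = {}
    for name, prefix in order:
        size = 1 << (32 - prefix)
        start = -(-cursor // size) * size  # round up to a /prefix boundary
        if start + size > end:
            raise ValueError(f"{name}: a /{prefix} does not fit in {summary}")
        plan[name] = ip_network(f"{IPv4Address(start)}/{prefix}")
        cursor = start + size
    return plan


def audit(summary, plan, router_ip, remote_nets=()):
    """Problems with a plan; an empty list means it satisfies the thread's rules."""
    summary = ip_network(summary)
    plan = {name: ip_network(str(net)) for name, net in plan.items()}
    problems = []
    for (n1, a), (n2, b) in combinations(plan.items(), 2):
        if a.overlaps(b):
            problems.append(f"{n1} {a} overlaps {n2} {b}")
    for name, net in plan.items():
        if not net.subnet_of(summary):
            problems.append(f"{name} {net} lies outside the summary {summary}")
    link_name, link = next(iter(plan.items()))
    if ip_address(router_ip) not in link:
        problems.append(f"router {router_ip} is not inside the link block {link_name} {link}")
    # The router believes the whole summary is on its LAN port, so any network
    # behind the router that uses addresses from it becomes unreachable.
    for net in map(ip_network, remote_nets):
        if net.overlaps(summary):
            problems.append(f"remote network {net} is shadowed by the summary {summary}")
    return problems


def on_link_from(iface, host):
    """Is `host` inside the subnet of interface `iface` (addr/prefix)? If so the
    device will ARP for it on that interface instead of routing to it."""
    return ip_address(host) in ip_interface(iface).network


def svi_addresses(plan):
    """First usable address of each VLAN block: the SVI address, which is also
    the default gateway for hosts on that VLAN. The link block is skipped
    because its first usable address is the router's."""
    names = list(plan)[1:]
    return {name: str(next(ip_network(str(plan[name])).hosts())) for name in names}


if __name__ == "__main__":
    plan = plan_vlans("172.23.200.0/23",
                      [("link", 26), ("vlan1", 26), ("vlan5", 26), ("vlan10", 26)])
    for name, net in plan.items():
        print(f"{name:6} {net}  usable {net[1]} - {net[-2]}")
    print("SVI / gateway addresses:", svi_addresses(plan))
    print("problems:", audit("172.23.200.0/23", plan, "172.23.200.1",
                             remote_nets=["172.23.201.0/24"]))
    print("router /23 sees 172.23.200.194 on-link:",
          on_link_from("172.23.200.1/23", "172.23.200.194"))
    print("Gi0/1 with /26 sees 172.23.200.194 on-link:",
          on_link_from("172.23.200.3/26", "172.23.200.194"))
```

The `remote_nets` argument is the check for the caveat in the post: anything on the far side of the router that draws from 172.23.200.0/23 is reported as shadowed, because the router will ARP for it on the LAN port instead of forwarding.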

Expert Comment by Aaron Street:

Oh, I forgot to say: the IP addresses set on the VLAN interfaces are what you need to set as the default gateway of the PCs that are on those VLANs, and the subnet mask they will have is the same as the VLAN interface's.

Just imagine you are a packet, and each router/switch is a separate device that does not know about the others.

You can only talk to a device with an IP in the same range as you.

So a packet from a PC on VLAN 2 can't see the router directly... can't see the IP address of the g0/1 interface... can see the interface of VLAN 2 with its own range...

OK, take a step to the switch... now it can see what the switch sees... now it can see the router interface, as the switch can see that on its g0/1 port, so it can take the next step...

Follow the same process back, and you can work out the problems as they happen.

Author Comment by sg2009:
Hi DevilWAH, it's working and I am able to ping the gateway and any other PCs connected to the router. But my problem is that the PCs in the VLANs do not ping the internet. I get the following message. It seems the incoming traffic gets lost. Can you please help again?

C:\Documents and Settings\sanjivk>ping www.yahoo.com
Pinging www-real.wa1.b.yahoo.com [209.131.36.158] with 32 bytes of data:
Reply from 172.23.82.69: Destination net unreachable.
Reply from 172.23.82.69: Destination net unreachable.
Reply from 172.23.82.69: Destination net unreachable.
Reply from 172.23.82.69: Destination net unreachable.

Ping statistics for 209.131.36.158:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Author Comment by sg2009:
Let me re-post my new configuration too. Please help me fix the inbound traffic.


Lab_Test_Setup#sh run
Building configuration...

Current configuration : 2801 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Lab_Test_Setup
!
enable secret 5 $1$gHib$dbAbmm5nRPYPsm6plenfW.
enable password telecom
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
 no switchport
 ip address 172.23.200.3 255.255.255.192
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/18
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/30
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/31
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/32
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
 ip address 172.23.200.65 255.255.255.192
!
interface Vlan5
 ip address 172.23.200.129 255.255.255.192
!
interface Vlan10
 ip address 172.23.200.194 255.255.255.192
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.23.200.1
ip http server
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 no login
line vty 5 15
 password cisco
 no login
!
end

Assisted Solution by nodisco (150 points):

Hi,

DevilWah has given you a clever workaround to get these VLANs talking to your gateway switch. Will you have enough space in your summarised subnet, though, for future changes? Remember that unless you gain control of the router, everything you ever expand on that network will have to fit into a summarised /23 subnet; something to keep in mind.
Your problem now with internet traffic is most likely due to the fact that your summarised network has a different IP subnet on the switch now. Without access to the router, troubleshooting this will be very difficult, as you don't know what might be stopping it: the subnet, NAT policy etc.

If possible, I would get control of the router or, if it's managed by another entity, have them do one of 2 things to support your LAN routing out:
Configure EIGRP on it and on your 3560 so future changes are reflected on the router
Configure a blanket route for all internal nets to come back to your 3560
e.g.
ip route 10.0.0.0 255.0.0.0 172.23.200.30
ip route 172.23.0.0 255.255.0.0 172.23.200.30

Then you can use your original VLANs and have room to expand. NAT policies may need to be changed also, but on advising the router's management team, they should be able to amend them.

hth

Assisted Solution by Aaron Street (300 points):

Yep, you will need to have the subnet of /23 on the link connected to the router. (See the bottom of this post for a correction.)

It's OK, as I forgot the route with the lowest mask will win.

So if you have routes, say,

192.168.10.0 255.255.255.0 192.168.10.1
and
192.168.1.0 255.255.0.0 192.1.1

the second is a summarisation of the first.

The router will always use the first route to get to the 192.168.10.x network, as it has the most specific mask.

However, as nodisco said, the best way to solve this is to have more control of the router.

If possible you want the router to have a point-to-point link to your switch, and then a static route of

172.23.0.0 255.255.0.0 xxx.xxx.xxx.xxx, where the next-hop address is the IP of the point-to-point link of the switch.

Again, sitting down with it I could probably get it working, but with all the variables that may be on the router it is going to be a pain.

What happens if you run a tracert to the internet?

I can see the DNS query is working. What is the DNS server IP address?

And can you ping 172.23.200.1 (the router interface)?

As the failure is from 172.23.89.69, this is an address from outside your range, so it must be a routing issue further up the chain.

Try pinging

208.67.222.222
208.67.220.220 (OpenDNS servers; these definitely respond to a ping, so they are good test IP addresses to know)

Oh, I know what it is!!!

The routers further up are seeing the networks as /26 networks and don't have summarisation turned on. Because g0/1 is advertising only 172.23.200.1/26 to the router, it can only route back to this network!

Give gig0/1 a /23 mask and then it will know how to get back.

Think of it this way: the router tries to send the packet back to 172.23.200.98 (assuming that is the host PC), but g0/1 won't accept that packet, as its range only goes up to 172.23.200.63!!!

This is a messy way of doing it (but much more fun than doing it neatly ;) )

If you can get control of the router you can set it up much more neatly, and it will be much simpler to change in the future if you need to. Plus troubleshooting will be much simpler.


Accepted Solution by sg2009:

Hey guys, I got control of the router and it worked. Thanks for all your help. I also got a better understanding of VLANs and made some other setups which also worked. I connected a C2960 switch to a C2651 router, configured VLANs, and it all worked.

Author Comment by sg2009:
Solved.