cisco 2940 switch issue

I current have a 2940 switch connected to my cisco 881 router.  I have 2 issues, for some reason whenever I enable trunking on a port the port light does not light up when it is connected to a trunk port on my cisco 881 and I cannot have vlan 10 and 50 up on the same time.  Vlan 10 and 50 were created on my cisco 881 router.  Any idea how to fix these iisues?
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
vtp domain GRADY
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!         
vlan 10,50 
!
interface FastEthernet0/1
 switchport access vlan 50
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport access vlan 50
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1,2,10,50,1002-1005
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan2
 no ip address
 no ip route-cache
!
interface Vlan10
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan50
 ip address 50.0.0.10 255.255.255.0
 no ip route-cache
!
ip http server
!
line con 0
line vty 5 15
!
!
end

Switch(config-if)#

Open in new window

mmercaldiAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brain2000Commented:
I'm not real familiar with PVST, but Is it possible that the 881 is bridging vlans 10 and 50 causing spanning tree to put it into blocking mode when you plug the switch and router together?

Can you post the config to the 881?
Otto_NCommented:
Spanning tree should not be an issue, since we're only talking about one link.

A couple of questions to consider:
Do the 881 implement 802.1Q trunking? (The 2940 only use 802.1Q, not ISL)
Is the speed and duplex modes compatible? (Autonegotiating could fail, do a 'show int status' to verify)

If you could post the router port configuration, it should be very helpful.

If by "I cannot have vlan 10 and 50 up on the same time" you mean that you cannot have both Switched Virtual Interfaces (SVI's, the 'inteface vlan x' part of the config) active ON THE SWITCH, the answer is that you're not supposed to.  The 2940 is a Layer2 switch, and, as such, will only allow you to have one SVI (and IP address) active at the same time.
mmercaldiAuthor Commented:
here is my router config
crypto pki certificate chain TP-self-signed-1180740580
 certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313830 37343035 3830301E 170D3130 30323031 31383131
  31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383037
  34303538 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BDA9 EB6E7BF1 647984DC F95D057A 42A482FC 9B4C297F B83F42CD 44699958
  50E8D2C4 1EDD52ED 6CD4C8B6 2B7D8854 CDC0FC3A 0015D374 70F56CAB 99DBB00B
  3137515E 106667EB 745F0AA8 B58C3C50 8B55F078 59ED097C 9158D506 24F41D67
  8461527E 0373D4FF 7C1773DB 818B8802 FB2C7B09 BCC02AAE 67A1D114 4201A0BC
  1B630203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A6D6572 63726F75 74657230 1F060355 1D230418 30168014
  9F768D13 75DEBCFC BC859725 95A68056 3AD92304 301D0603 551D0E04 1604149F
  768D1375 DEBCFCBC 85972595 A680563A D9230430 0D06092A 864886F7 0D010104
  05000381 81004C97 6A52BF96 94C10D75 D1B4F21C 16E83B82 82E2DFCA 31EC664C
  877EBA90 5B2BC26C EC75F790 F3EBA272 0743A037 6A8C2918 3B6F5D69 43DE2958
  A794C60D B8BCADA4 346284BF C4C428DA 96623CB1 36A4ACCB 8E2571D5 DCA5CD9B
  796D791B C410D98B 8DC259B3 0E366F03 85047B83 4E3B8B8E E661D87F 84A844BD
  4B8A3AC8 D53E
        quit
ip source-route
!
!
!
ip dhcp pool DATA
   network 50.0.0.0 255.255.255.0
   dns-server 50.0.0.1 4.2.2.2
   default-router 50.0.0.1
!
ip dhcp pool CABLE
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1
!
!
ip cef
ip domain name mercdomain
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip ddns update method dyndnsupdate
 HTTP
  add http://mercxi:merc84@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 10 0 0 0
 interval minimum 9 0 0 0
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license boot module c880-data level advipservices
!
!
username mercxi privilege 15 secret 5 $1$oc/Z$ifBjqktNFq7dZCxP3Jq9Z.
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mercdecember
 key merc84
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set security-association idle-time 86400
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthen
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-any intranet-internet-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any internet-intranet-traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
!
!
interface FastEthernet0
 switchport access vlan 50
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
!
interface FastEthernet3
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1,2,10,50,1002-1005
 switchport mode trunk
!
interface FastEthernet4
 ip ddns update hostname mercxi.kicks-ass.net
 ip ddns update dyndnsupdate
 ip address dhcp
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 55.0.0.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 50
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 no ip address
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 60.0.0.5 60.0.0.10
ip local pool new 65.0.0.2 65.0.0.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source static udp 50.0.0.100 88 interface FastEthernet4 88
ip nat inside source static udp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source static tcp 50.0.0.100 3074 interface FastEthernet4 3074
ip nat inside source route-map DATA interface FastEthernet4 overload
!
access-list 101 deny   ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
access-list 101 deny   ip 10.10.10.0 0.0.0.255 60.0.0.0 0.0.0.255
access-list 101 permit ip 50.0.0.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit ip any any
access-list 108 permit ip 50.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
access-list 108 permit ip 10.10.10.0 0.0.0.255 60.0.0.0 0.0.0.255
!
!
!
!
route-map DATA permit 10
 match ip address 101
 match interface FastEthernet4
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 password merc84
 transport input all
!
scheduler max-task-time 5000
!
webvpn gateway gateway_1
 ip interface FastEthernet4 port 443
 ssl trustpoint TP-self-signed-1180740580
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.4.0202-k9.pkg sequence 1
 !
webvpn context webvpn
 ssl authenticate verify all
 !
 !
 policy group defaultpolicy
   functions svc-enabled
   svc address-pool "new"
   svc split include 50.0.0.0 255.255.255.0
   svc split include 10.10.10.0 255.255.255.0
   svc dns-server primary 50.0.0.1
 default-group-policy defaultpolicy
 aaa authentication list userauthen
 gateway gateway_1
 inservice
!
end

mercrouter#

Open in new window

SolarWinds® IP Control Bundle (IPCB)

Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.

Brain2000Commented:
I thought it was mentioned the port would not even light up when you connect the trunks.  So if that's the case, the could the SVI being shut down cause the light to go out?  If so, better to remove all SVI's instead of shutting them.
Otto_NCommented:
* Please configure each interface (Gi0/1 on switch, and Fa3 on router) with
 speed 100
 duplex full
* Connect the two ports with a cross-over cable.
* If it does not work, post the output of the "show interface status" command.
mmercaldiAuthor Commented:
Brain that is correct the port lights do not light up when I connect the trunks.  How do I remove the SVI's?
sidetrackedCommented:
the switch is a layer 2 device and can only have one Vlan configured with an ip address and up.

when the port doesn't light up, how is the speed and duplex setting?

try to make use of the "switchport nonegotiate" command on the switch trunkport
sidetrackedCommented:
to clarify

speed 100
duplex full
switchport nonegotiate

do s show interface on the switch to check that the port is not being set in " error disable" when u connect it to the router
Brain2000Commented:
no interface vlan1
no interface vlan2
no interface vlan10

That'll leave 50.  See if the light comes on after that.
mmercaldiAuthor Commented:
I was just looking at my router and I found I am getting an err-disabled on my trunk port
mmercaldiAuthor Commented:
I was able to fix the trunk port by restarting the router however I need to have vlan 10 and 50, and vlan 2 is my native vlan for the trunks.   How can I get around this issue?
sidetrackedCommented:
you can have all the vlans but not with IP addresses. add your vlans in vlan-database. the only vlan that should be an interface is the one u use for management of the switch.
mmercaldiAuthor Commented:
right however if I have only vlan 10 and 50, if I bring vlan 50 up it takes vlan 10 down and if I bring vlan 10 up it takes vlan 50 down
Otto_NCommented:
There is a difference between an SVI ("interface vlan 50") and a VLAN ("vlan 50").  The SVI is a logical Layer-3 interface of a specific LAN segment (the VLAN, in this case).  So, on an SVI, you can configure Layer-3 parameters, such as IP address, while on a VLAN, you can configure Layer-2 parameters.

On the 2940, you can have many VLANs, but only one active SVI.  The switch will automatically disable other SVI interfaces if enable a new SVI.  This mean that the switch's management plane (as a host that have an IP address) can only be part of a single VLAN at a time.  If you want more than one SVI active, you need a different switch (that have L3 routing functionality).

Even though you can only have one SVI active (and the switch might disable "interface vlan 50", the SVI), it does not mean that VLAN 50 is not working:  You just need to connect something (i.e. a PC) to it to get traffic on it to test.  If you run "show vlan" on the switch, you'll see that there are a lot of vlans active on the switch.  VLANs 1,1002-1005 are default and cannot be removed, although you can choose not to allocate any ports to it, and not allowing it on trunk links, in effect isolating it.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.