cwellsatl

asked on

VLANs and routing with layer 2 Cisco 2960G

I have a network with five Layer 2 2960G switches. We also have an old Cisco 4000 core Layer 3 switch which has several VLANs for our phones and related networking equipment, with inter-VLAN routing enabled. Up until now the 2960s have been flat with a single default VLAN. But now I need to create new VLANs on all devices, as I need to change the internal IP range of the network to a new scheme. The plan is to implement this new scheme over a matter of months, with devices slowly changing their IP address to the new scheme.

I set the ports that connect to each of the switches to Trunking and I have enabled VTP communication between all the switches and the 2960s all show the VLANs that they received from the 4000.

So what I need to be able to do is have all of the ports on the 2960s be members of two VLANs at the same time. That way devices can be changed to the new scheme at any time without having to reconfigure ports for VLANs as they are needed.

I have tried several things but can't get them to work. Here is an example of what one of the ports looks like on the 2960s now.

interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,10
 spanning-tree portfast

Here is a SHOW VLAN from the same switch

2960G-1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/41, Gi0/42, Gi0/43, Gi0/44
                                                Gi0/45, Gi0/46, Gi0/47
10   VLAN0010                         active
15   VLAN0015                         active
20   VLAN0020                         active
30   VLAN0030                         active
45   VLAN0045                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
15   enet  100015     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
45   enet  100045     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Thanks in advance for any assistance
Hutch_77

As this is very fresh on my mind I will give you some suggestions to look at but I was using a Power Connect so the way to do it will be different.

Right now everything is untagged default and a PVID of the default.

You will want to set the PVID to, I would imagine, your resulting VLAN for the port, and then add an untagged to the current VLAN.
I don't know of any way you can have a port be participating in two VLANs at the same time unless it's a trunk, or unless you're using a voice vlan where you have a phone connected, with a PC connected to the phone and you want both devices to be on different VLANs.  But that's not what you're trying to do, as I understand it.

Keep in mind, you can use the "interface range" command to change a number of ports to a different VLAN at one time, rather than changing them one at a time.  Still requires some reconfiguration, but makes it easier.
What is it that you are trying to do that makes you think you need a port to be a member of 2 VLANs?

Billy
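Billy's two points above, the `interface range` command and the voice-VLAN case, written out as an added example for the asker's situation; this is not configuration from the thread or from Cisco documentation. It assumes a 2960G with VLAN 1 as the current VLAN and VLAN 10 as the new one, as in the question; the port range, the voice VLAN number (15) and the phone port (Gi0/13) are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Moves a block of user ports from
! VLAN 1 to VLAN 10 in one operation instead of port by port, which is
! what the asker will repeat as devices are re-addressed over the months.
configure terminal
 interface range GigabitEthernet0/1 - 12
  ! Explicit access mode: a "switchport trunk allowed vlan" line alone
  ! does nothing on a port that is not actually trunking.
  switchport mode access
  switchport access vlan 10
  ! Stop DTP frames on user-facing ports so they never negotiate a trunk.
  switchport nonegotiate
  spanning-tree portfast
 exit

 ! Phone-plus-PC port (the one case where a single access port legitimately
 ! carries two VLANs): the phone tags its frames with the voice VLAN, the PC
 ! behind it stays untagged in the access VLAN. VLAN 15 is an assumed voice VLAN id.
 interface GigabitEthernet0/13
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 15
  switchport nonegotiate
  spanning-tree portfast
 exit
end

! Verify the move: Gi0/1-12 should now list under VLAN 10, and Gi0/13
! should show "Access Mode VLAN: 10" and "Voice VLAN: 15".
show vlan brief
show interfaces GigabitEthernet0/13 switchport
```

Running the same `interface range` block on each 2960 as its devices are re-addressed is the per-port reconfiguration the thread describes; the `show vlan brief` output doubles as a migration tracker, since whatever still lists under VLAN 1 has not been moved yet.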
Don Johnston
Cisco used to allow a port to be a member of more than one VLAN long ago. I believe the command was "switchport mode multi". But that feature is long gone.

The closest you can get to that now is a trunk port.

Making a port a member of more than one VLAN kind of defeats the purpose of having VLANs.
What will the second VLAN that you want the port to access be for? Is it for VoIP? If the ports are to only have access to those specific VLANs, then the way to go about this is to assign the ports to one VLAN and then create access lists that restrict traffic.
If I am guessing right you want each port to be on VLAN1 now and VLAN2 (for example) in the future, and that the devices are workstations, printers, etc?

You can only really do this if you configure trunk ports on the switches and tag the VLAN ID on the device.  If the NIC in your PC supports this you could do it, but I doubt most of your devices will have this functionality.  At best they will remain in VLAN1.

The other option would be 802.1X and assign the VLAN ID to devices based on a policy, but that isn't easy to implement, and again some of your devices might not support 802.1X.

I would just prepare the switch with the VLANs you need (as you have already using VTP) and configure the ports when you are ready to move the devices to the new VLAN.
eeRoot

How are the VLANs and ports configured on the 4000?  Since it is the root of the network, all VLANs will need to be created there and the ports will need to be trunked.

Make sure all the switches are set to "VTP mode transparent" and are not using VTP domains.  What is the IP range/subnet of VLAN 1?  Do the new VLANs have different IP ranges/subnets?  Also, because a new VLAN doesn't activate until a device tries to use it, give the 4000 and a few of the 2960s IP addresses in VLAN 10, then do some test pings.
ASKER CERTIFIED SOLUTION
kcoect
Don Johnston, you're correct. I was curious about the "switchport mode multi" command and it looks like it was taken out with IOS version 12.x.x.  I see it referenced in a configuration with version 11.2, but I just checked a 3570 and 2950 switch I have at home and it's definitely not there.
Yes, a trunk could be a solution, but as mentioned it can be a security risk. However, that security risk comes from the native VLAN being present in the trunk, and that can be changed to make it more secure. What would need to be done is tag the native VLAN and then only allow the 2 specific VLANs over the trunk. You will need to allow the VLANs on the trunks connecting switches together on all the switches that you configure this command on also.

enable
configure terminal
! Tag frames on the native VLAN as well (assuming VLAN 1 is your native VLAN).
! This is a global command; check that your IOS release supports it.
vlan dot1q tag native

int fa0/1
 switchport mode trunk
 ! Only on platforms that also support ISL; a 2960 is 802.1Q-only and rejects this line.
 switchport trunk encapsulation dot1q
 ! Only these two VLANs are carried; everything else is dropped at the trunk.
 switchport trunk allowed vlan 1,10

It would be best if you change the native vlan to an unused vlan number.
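The alternative kcoect ends with, moving the native VLAN to an unused number, applied to the inter-switch links, as an added example that is not configuration from the thread or from Cisco. It assumes a 2960G uplink on Gi0/48 (the one port absent from the asker's `show vlan` listing, so an assumption, not a fact from the page) and VLAN 999 as the unused native VLAN; the same block must be applied to both ends of every link. Note that the asker's own Gi0/1 has `switchport trunk allowed vlan 1,10` without `switchport mode trunk`, so it is still an access port in VLAN 1, which is exactly what the `show vlan` output reports.

```cisco
! Added example, not from the thread. Inter-switch trunk carrying only
! VLANs 1 and 10, with untagged traffic mapped to an unused VLAN so that no
! untagged frame arriving on the trunk lands in a VLAN that has hosts.
configure terminal
 ! VLAN 999 is an assumed unused id; it must have no access ports anywhere.
 vlan 999
  name TRUNK-NATIVE-UNUSED
 exit

 interface GigabitEthernet0/48
  description Uplink to core (assumed port)
  switchport mode trunk
  ! Prune the trunk to the two VLANs in use. 999 is deliberately left out:
  ! the native VLAN carries no user traffic, so nothing needs to ride it.
  switchport trunk allowed vlan 1,10
  switchport trunk native vlan 999
  ! Static trunk on both ends; DTP negotiation off.
  switchport nonegotiate
 exit
end

! Verify on each switch: native VLAN 999, allowed list exactly 1,10,
! and "Trunking: on" for Gi0/48.
show interfaces GigabitEthernet0/48 trunk
show interfaces GigabitEthernet0/48 switchport
```

If the native VLAN differs between the two ends of a link, CDP reports a native VLAN mismatch and spanning tree may block the port, so check `show interfaces trunk` on both switches after the change rather than on one.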
cwellsatl (ASKER)

Thanks for all of the input. We ended up getting Cisco Support involved. Even though the 4000 was not under SmartNet, the 2960's were.
Basically, what I wanted to accomplish is not possible for security reasons. I was advised to change each port on an as-needed basis as we migrate to the new IP range.
Having the ARP tables handle most of this was also an option, but we did not want all of that traffic from updating ARP tables between the switches.