RichardPWolf
asked on
Setup Cisco VLANs

I hope this will be an easy question to answer, but I'm running into a major stumbling block.
I am setting up VLANs to break up our IP ranges at our main office, as I've just run out of IP addresses. As we have some external partners that have equipment located on premise, the decision was made to add VLANs to enable us to implement our virtual desktop environment. The equipment on hand is all Cisco: routers 2811 and 2600, switches 2960s, 3750Gs and new SG-300s.
What I've found is that the 2960s and 3750s play nice with VTP but do not support GVRP. The SG-300s support GVRP but not VTP, so everything will be configured manually.
I am trying not to configure (or at least minimally) the 2811 branch router. I've added a 2621XM to be the VLAN router.
The main switch is a 2960 (two 48-port and one 24-port). All servers and SANs are on the 3750Gs, all workstations and VDIs will be on the 2960s and SG-300s, and IP phones are on the 2960s.
On the SG-300s Cisco has changed how to access the switch, and it appears that I cannot look at the familiar IOS settings and have to use the GUI, which is fine except I cannot upload the config file for you to see. I've included the files for the two routers and the main switch. As I'm not concerned with the 3750s at this time, I didn't include them.
The one thing I didn't include on the network drawing is that I'm also trying to use DHCP on these VLANs, and the DHCP server is on VLAN 1.

I've modified the configurations for brevity (i.e. removing extra switch ports).
vlan.jpg
w2811.txt
vlan2600.txt
sw2960.txt
Soulja
First off, I surely wouldn't use the 2621 router for VLAN routing. Bad idea. I would put a 3750 in place of the main 2960 and let that be the Layer 3 VLAN routing switch. Then for DHCP all you have to do is create IP helpers on the VLAN interfaces on the 3750.
On the 2800 router you will have to add routes on it so that it can access the new VLANs. Its next hop would be the VLAN interface of VLAN 1.
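The two pieces of advice above (a per-VLAN gateway with an IP helper for the DHCP server on VLAN 1, and return routes on the 2800 pointing at the VLAN router's VLAN 1 address) look like this on the router-on-a-stick design the thread ends up with. This is an added example and not any of the configs attached to the thread; it assumes the 2600's trunk-facing interface and the 2811's LAN interface are both FastEthernet0/0, reuses the addresses quoted later in the thread (2600 VLAN 1 at 192.168.6.34, VLAN 7 gateway 192.168.7.27, 2811 at 192.168.6.27), invents the VLAN 8-11 subnets by continuing the same pattern, and uses a placeholder for the DHCP server address. The thread's own setup used EIGRP between the routers; static routes are shown here because they make the next-hop relationship explicit.

```cisco
! Added example: router-on-a-stick on the 2600 "VLAN router" plus the routes
! the 2811 needs. Interface names, VLAN 8-11 subnets and the DHCP server
! address are assumptions (see lead-in), not values from the thread.
!
! ---- 2600 (VLAN router) ----
interface FastEthernet0/0
 description Trunk to 2960 Gi1/0/17
 no ip address
 no shutdown
!
! VLAN 1 rides the trunk untagged (native), so the subinterface is marked native
interface FastEthernet0/0.1
 description VLAN 1 - servers, existing workstations, DHCP server
 encapsulation dot1Q 1 native
 ip address 192.168.6.34 255.255.255.0
!
! One tagged subinterface per VLAN; its address is the gateway hosts on that
! VLAN must use. ip helper-address relays DHCP broadcasts to the server on VLAN 1.
interface FastEthernet0/0.7
 description VLAN 7 - VDI workstations
 encapsulation dot1Q 7
 ip address 192.168.7.27 255.255.255.0
 ip helper-address 192.168.6.250   ! PLACEHOLDER: real DHCP server address
!
interface FastEthernet0/0.8
 encapsulation dot1Q 8
 ip address 192.168.8.27 255.255.255.0   ! assumed subnet, same pattern
 ip helper-address 192.168.6.250         ! PLACEHOLDER
!
! (VLANs 9, 10 and 11 follow the same pattern)
!
! Everything that is not a directly connected VLAN goes to the 2811
ip route 0.0.0.0 0.0.0.0 192.168.6.27
!
! ---- 2811 (branch / WAN router) ----
interface FastEthernet0/0
 description LAN - VLAN 1 only
 ip address 192.168.6.27 255.255.255.0
!
! Return routes: the new VLAN subnets are reached via the 2600's VLAN 1 address
ip route 192.168.7.0 255.255.255.0 192.168.6.34
ip route 192.168.8.0 255.255.255.0 192.168.6.34
ip route 192.168.9.0 255.255.255.0 192.168.6.34
ip route 192.168.10.0 255.255.255.0 192.168.6.34
ip route 192.168.11.0 255.255.255.0 192.168.6.34
!
! Verification from either router
show ip route
show ip interface brief
```

Two things this layout makes visible that the thread spends a while on: a host on VLAN 7 must use 192.168.7.27 (the 2600's VLAN 7 subinterface) as its gateway, not the VLAN 1 address of the 2811, and hosts on VLAN 1 that still point at the 2811 only reach the new VLANs because the 2811 has the return routes above. Without the helper address, DHCP discover broadcasts never leave VLAN 7.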
RichardPWolf (ASKER)
Soulja, I can't put the 3750 as the primary switch (wish I could), primarily because of the number of ports. Now as far as putting the routes in the 2800, I assume you're talking about under EIGRP. While thinking about this I did add EIGRP to the 2600, and then I could at least ping the VLANs from the switch but not anywhere else. And lastly, could you elaborate on why the 2600 is a bad idea for VLAN routing?

Thanks.
Also need to add that the 2960s are PoE and they also drive our IP phones.
OK, placed the routing on the 2800 under EIGRP with the same results. I can ping the VLAN IPs but not out to a workstation on VLAN 7.

If the 2600 isn't a good candidate, then could I move the VLAN definitions to the 2800?

Thanks.
The router-on-a-stick model is not efficient if you are expecting a lot of inter-VLAN traffic, especially using an old 2600 to push that traffic. Seriously, there is no way a Layer 2 switch should be your main switch. The only routing you really want the routers to perform is in/out of your internal network or to the WAN.
Post your 2800 config.
I would do the inter-VLAN routing on the 2960.
@ Don

What secret are you keeping about the 2960? Isn't it Layer 2?
Thanks, the 2811 config is listed as w2811.txt.
2960s are Layer 2, 3750s are Layer 3, SG300s Layer 3.

Also, I do agree that the 3750 (if I had the ports) would make a better main switch, but I don't make the purchasing decisions. Just a bit of history: the 2960s were recently purchased to replace some ancient BayStack 450s. The first 3750 was installed to support our SAN installation and the second 3750 (different rack) was installed to upgrade the last remaining servers to Gb speed. Unfortunately our CFO will not permit purchasing any more switches in the near future, especially since we just got the SGs a couple of weeks ago.
I was referring to the config when you stated you moved the VLAN routing to the 2800 router.
Oh, ok.
Here's the new config.
w2811.txt
After re-reading I should have said moving the routing to the 2811.
Here's what's happening so far.
1. From the 2960 switch I can ping all VLANs, which tells me that it's making it to the 2600.
2. I can ping any address OK on VLAN 1, which is as it should be; it's the production network.
3. I cannot ping any device on any other VLAN (7, 8, 9, 10, 11).
How are the SG300s configured?
Also, do the devices have their respective gateways set to the VLAN subinterfaces on the 2600?
On the SG300 I've included some screenshots. This is the first of 4 or 5 total switches.
SG300.pdf
Gateways? I believe so. They all point to 192.168.6.27, except the 2960 switch, which points to 6.34. The workstation that I'm testing is pointing to 192.168.7.27.
The 2960 and the workstation should point to .34.
OK, but I have a question on the workstations. If they're on VLAN 7, how can their gateway be pointed to a VLAN 1 address? This also seems to defy all the sample configs I see from Cisco. Did I miss something?
You stated that the workstation was pointed to .27, so I assumed it was on VLAN 1 since the 2800 sits on VLAN 1. If it is on VLAN 7 then its gateway should be the VLAN 7 subinterface on the 2600 router.
> What secret are you keeping about the 2960? Isn't it Layer 2?

No secret. Everybody knows about the routing capability of the 2960. ;-)

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swipstatrout.html

See, you learn something new every day. I didn't know that. That being said, the 2960 should do the VLAN routing for your network. Move it off of the 2600.
OK, after reading the article here's my problem. I cannot issue the "sdm prefer lanbase-routing global configuration command and reload the switch" (the sdm command doesn't exist), and the follow-on is that there isn't any "ip route" or "ip routing" command. I believe it's because my version of IOS is "C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)" and the documentation says it's for 12.2(55)SE, so it looks like I'm not out of the woods yet.
Will you be able to upgrade to that version?
Not in the time frame that I have. Although these switches are new (within the last year), I don't know if I can upgrade the firmware as a "warranty" type issue. I'm working on getting all of our Cisco products under a contract. Up until the last couple of months we operated our network in a very basic mode and didn't require a more advanced look. With the implementation of our VDIs, that's when we stretched our IP range to the breaking point.

I did have a thought: as you believe the 2600 isn't up to the task of VLAN routing (and we don't have a large network), would it be advisable to move the routing to the 2800? I'd prefer to keep it on the 2600, only because "IF" the 2800 required a reboot or something caused the routing to break, then it would drop our entire organization. We have a total of 4 locations and the main site is where we're starting the VDI project. The 2800 is also going to be where I'll be implementing our backup circuits.
I'm also open to moving our IP to, say, the 172 net, but that "could" cause issues with our vendors, particularly our hosted service, as they have a router on premise and I don't have any control over that box. Getting that one to change its IP takes a bit of coordination.
What do you mean by not in the time frame, in order to upgrade? Is this because of change control processes, approvals, and such, or do you not have access to the updated version of software?
Both. When I asked for a service contract it only came back with one of many routers and no switches. In talking to the powers that be, they're dragging their feet, most likely due to the hardware purchases that we've made to implement the VDIs (yeh, I know, a bit short-sighted). Anyway, I've got to get this going by the 16th. That's the VLANs and VDIs. Just about all is done except for the VLANs. And I really don't understand why it's being such a pain. It appears that I'm missing just a small piece of the puzzle to get this going.

So given what I've got, where do we start? Can we use the existing physical setup to accomplish these VLANs? It may not be perfect, but if we can get this working then I can work on management to get the appropriate upgrades. Keep in mind I have about 80 users and about 20 servers with an assortment of vendors thrown in. Very modest compared to others.

Also, like I mentioned, if the 2811 would handle the VLAN job easier and faster we can go that route.
What's currently not working on the 2600 now? Did you make the changes I stated regarding the gateways?
OK, so we're both on the same sheet: I've posted the latest configs from the 2600, 2800 and the 2960. As a refresher, I can ping the default gateways for all VLANs from the 2960 only. I can only see a workstation if it's on VLAN 1 (default). From the workstation, if I place it on any VLAN other than 1 I cannot ping the gateway or any other device on the network. This happens with the workstation directly connected to the 2960 or on the SG-300s.
2960.txt
w2811.txt
vlan-router.txt
On your SG300, the only ports that should be tagging are the trunk ports connecting to other switches. All other ports should be set to untagged. Just assign those ports to the appropriate VLAN. On the 2960, I don't see any ports assigned to any particular VLAN except the default.

Can you post the output of sho int trunk from your 2960?
OK, on the 2960 Gi1/0/17 is assigned as the trunk for the 2600. And Gi3/0/1 is assigned as a trunk for VLANs 1 and 7.
Tried to use the command "switchport trunk allowed vlan all" on Gi1/0/17, and although it didn't give me an error it does not display the results. However, when I use CNA it shows that it's trunking all VLANs.
I'll change the tagging on the SG300. It appears that I misunderstood the documentation and have those reversed.
Also, just for reference, I've posted the versions of IOS.
version.txt
What about the other ports on the 2960 connecting to the other SG300s? Why haven't you set those up as trunks?
Because they're not deployed yet, as we're still cabling and I need to set up the initial configs.

Reset the ports as you mentioned, but I think I messed up because now I cannot access the switch from http, telnet or console, so I have to reset to factory.
If you can't even access them from console, it surely wasn't the port configs.
OK, was able to get back into the SG300. Set the workstation ports (1-24) to untagged and VLAN 1, 7. Ports 25-28 are set to trunk and admit both untagged and tagged.

Also, as a quick side note, why, when I connect the 300 to the network, does the entire network stop for a moment? This happens with both the SG300 and, the other day, with some 3750s on which I was identifying some cables. It started when I started configuring VLANs.
Sounds like spanning tree convergence. Do you have that set up properly? You want to make sure your 2960 is the root for all of your VLANs.
OK, I think I see a problem with the trunk. I've got my cable plugged into g28 and it's set to trunk, but I also see that VLAN 7 is excluded.
SG300.pdf
I probably don't have spanning tree right. Most likely it happened at the onset when I was trying to use VTP. At some point, if you could look and see what I need to change, I'd appreciate it.
For reference, this is what I've pulled from the 2960 referencing spanning tree. Which begs the question: could that be a factor in my problems?
spanning-tree.txt
Configure all ports that will be plugged into hosts (workstations) as access ports and set them to untagged. Then assign them to only one VLAN. So if VLAN 7, exclude VLAN 1 for that port. For port g28, it needs to be set as tagged for VLAN 7.
Yeah, looks like one of the SG300s is the root for your VLAN 1.
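The switch side of the same advice (trunks only towards other switches and the router, single-VLAN access ports towards hosts, and the main 2960 forced to be the spanning-tree root) is shown here for the 2960. This is an added example, not the 2960.txt or spanning-tree.txt attached to the thread; the port numbers Gi1/0/17 (trunk to the 2600) and Gi3/0/1 (trunk to the SG300) and the management address 192.168.6.30 with gateway 192.168.6.34 come from the thread, while the access port Gi2/0/5 and the VLAN names are assumptions. The SG300 is configured through its GUI in the thread, so only the 2960 is shown.

```cisco
! Added example: 2960 (Layer 2 main switch) trunk, access and STP settings.
! Gi2/0/5 and the VLAN names are assumed; the trunk ports and addresses are
! the ones quoted in the thread. A 2960 trunks 802.1Q only, so no
! "switchport trunk encapsulation" command is needed.
!
vlan 7
 name VDI
vlan 8
 name VLAN8
! (VLANs 9, 10, 11 likewise)
!
! Uplink to the VLAN router: carry every VLAN the router has a subinterface for.
! VLAN 1 stays the native (untagged) VLAN, matching the router's "native" subinterface.
interface GigabitEthernet1/0/17
 description Trunk to 2600 VLAN router
 switchport mode trunk
 switchport trunk allowed vlan 1,7-11
!
! Downlink to the SG300: tagged for VLAN 7, untagged (native) VLAN 1. On the
! SG300 side port g28 is a trunk with VLAN 7 tagged, ports 1-24 are access
! ports with PVID 7 (set via the GUI as described in the thread).
interface GigabitEthernet3/0/1
 description Trunk to SG300 g28
 switchport mode trunk
 switchport trunk allowed vlan 1,7
!
! Host-facing port: one VLAN, untagged, no trunk negotiation, PortFast so a
! plugged-in workstation does not wait for STP before it can get DHCP.
interface GigabitEthernet2/0/5
 description VDI workstation on VLAN 7
 switchport mode access
 switchport access vlan 7
 switchport nonegotiate
 spanning-tree portfast
!
! Management address of the switch itself; the gateway is the 2600's VLAN 1
! address, which is the change that let the 2960 ping the VLAN gateways.
interface Vlan1
 ip address 192.168.6.30 255.255.255.0
ip default-gateway 192.168.6.34
!
! Make the main switch the root for every VLAN so a newly connected SG300
! or 3750 cannot take over the root role and trigger a topology change.
spanning-tree mode rapid-pvst
spanning-tree vlan 1,7-11 root primary
!
! Verification
show interfaces trunk          ! Gi1/0/17 and Gi3/0/1 listed with the expected allowed VLANs
show spanning-tree vlan 1      ! "This bridge is the root" should appear on the 2960
show vlan brief                ! Gi2/0/5 should be listed under VLAN 7
```

"show interfaces trunk" is the output Soulja asked for above; it shows, per trunk port, the allowed VLANs, the VLANs that are actually active, and the VLANs in forwarding state, which is where a VLAN excluded on one end (like VLAN 7 on g28 later in the thread) shows up. If the root for VLAN 1 is still an SG300 after this, "show spanning-tree vlan 1" will name the root bridge's MAC address rather than the 2960's.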
Added tagged for VLAN 7 to port 28. Cannot set port 1 to access. error.pdf
Also cannot remove VLAN 1 from any port.
OK, got it. Had to configure in two steps: change PVID first (save), then change to access.
Still can't ping the default gateway for VLAN 7.
Is that from the workstation, the SG300 or from the 2960? What port is the workstation plugged into now? Which switch?

You need to be as detailed as possible since I can't see what you are doing.
OK, Workstation (VLAN 7) -> SG300 port 1 -> SG300 port 28 -> 2960 Gi3/0/1 -> 2960 Gi1/0/17 -> 2600
       Ping from Wks 192.168.7.100 -> 2600 192.168.7.27: no-go.
I used to be able to ping from the 2960 switch to the VLAN gateway but now I can't.
OK, fixed that. I can now ping from the 2960 to the VLAN gateways on the 2600. I changed the default gateway on the 2960 to 192.168.6.34 (the 2600).
Attached is the EIGRP route table.
eigrp-2600.pdf
Now I feel like a complete idiot. I had the trunk cable for SG300 port 28 plugged into port 27. I can now ping the VLAN 7 gateway, the 2960 management IP 192.168.6.30 and the 2600 management port, but can't get past that to the 2800 management or to any servers on VLAN 1.
The workstation... what gateway is configured?
Workstation gateway is 192.168.7.27.

I can now ping all VLAN gateways except VLAN 1 192.168.6.27, but I think I know why. I have that IP set up on the interface of the branch router, which is the current gateway for all my servers and current workstations, but I think I need to define it on the VLAN router and change the IP on the 2811 interface. Does that sound right?
I thought the .27 was the 2811? You need to point all VLAN devices to the respective VLAN subinterfaces on the 2600 router. The only thing that needs to point to the 2800 is the 2600 router.
ASKER CERTIFIED SOLUTION
Soulja
Originally the 6.27 was on the 2811. This was the original configuration, and I thought I might be able to get away with it staying there, but it looks like I need to move it, and that's what I'm doing this morning.
Good news, it's working. That's what I get for trying to take a shortcut with Cisco. Now to get DHCP working and to fix STP, but that's for a new ticket.

Soulja, my hat's off to you for your expertise and patience. I'll probably be submitting a new question on STP here shortly, and I hope you or the other experts here on EE will be able to help me resolve that. Again, thanks.
Great help, great site; without it the time to resolve issues would be much greater. Thanks.
Anytime Richard!