
Cisco 2960 -s Vlan

I'm in the process of replacing Netgear L2 switches with Cisco 2960s. I have created a VLAN called VLAN 2 on port 24. This port is plugged into a Cisco PoE switch. The only configuration on the PoE switch is the switch address, and nothing else. With the Netgear switch all I did was tag and untag the various ports plus make port 24 VLAN 2 native. I want the non-PoE 2960 to have the same configuration as the Netgear switch.

service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SwitchSG1
enable secret 5 $1$xuzg$YDwG9xS8GV21X1lgyVv3j/
username admin privilege 15 secret 5 $1$WxfT$ku4VRcRc6.fzHPfKeznpY/
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 revocation-check none
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
 certificate self-signed 01
  30820262 308201CB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  41311330 11060355 0403130A 53776974 63685347 312E312A 300F0603 55040513
  08423034 38443538 30301706 092A8648 86F70D01 0902160A 53776974 63685347
  312E301E 170D3133 30343233 31383438 31315A17 0D323030 31303130 30303030
  305A3041 31133011 06035504 03130A53 77697463 68534731 2E312A30 0F060355
  04051308 42303438 44353830 30170609 2A864886 F70D0109 02160A53 77697463
  68534731 2E30819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009973 0FED1691 A264FD7E CA57620B B29CB92D 8E3D7E5B 427F8E5E ABC78068
  6B29EA8C 61D936ED EFACD737 6577EED8 05F45FE2 706E1C2B C5A7A682 3E8C49EA
  B3297D54 8235FEFF 32E5EEBB AF8CB849 37544D4A 7A0CA967 92622AFB A81D3B24
  083703AA 04F80859 2AE7CB0E 43EDE4F2 4FB507AF F469CE97 E37C5986 EA9BF203
  733B0203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A537769 74636853 47312E30 1F060355 1D230418 30168014
  C2D26791 3327D9EF 9BE63A6A 51240A79 70EDB431 301D0603 551D0E04 160414C2
  D2679133 27D9EF9B E63A6A51 240A7970 EDB43130 0D06092A 864886F7 0D010104
  05000381 81008635 5847206C DBFDFD46 FD15BDBA 8FD05F73 A55878E1 EBDAAF26
  BA9509AF BEC9FF22 66268A81 528A9543 541894E6 A456E8B8 7FEF0852 F8BE907A
  C12C2B53 8771BA0E C48A4E1D 057805C8 9924511C 72BB759F 3F8C3B8E 4F812738
  EA24499B 66B6AEE6 1AE627D8 15EB8585 24685D91 D4204458 5666A6D7 78DE7C00
  DA6B5680 DC76
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0
 no ip address
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface GigabitEthernet0/9
interface GigabitEthernet0/10
interface GigabitEthernet0/11
interface GigabitEthernet0/12
interface GigabitEthernet0/13
interface GigabitEthernet0/14
interface GigabitEthernet0/15
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
interface GigabitEthernet0/24
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface Vlan1
 ip address ..................
interface Vlan2
ip default-gateway
ip http server
ip http authentication local
ip http secure-server
line con 0
line vty 0 4
line vty 5 15

SwitchSG1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/25
2    VLAN0002                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Henk van Achterberg

you will need to issue these commands

interface range Gi0/1 - 23
 switchport mode trunk
interface Gi0/24
 switchport mode access
 switchport access vlan 2

if the switch complains about encapsulation use this:

switchport trunk encapsulation dot1q
Cyclops3590
sorry, but henkva's interpretation of the netgear switch config doesn't seem right to me.  There's no way that all of those ports are trunks.

Can you explain a little more on how your environment is connected?  So on ports 1-23 only hosts are plugged in?  Port 24 plugs into the POE switch.  What does the POE switch connect to (a router/firewall)?  Which port on the POE switch does the non-POE plug into?  On the POE switch can you give the output of the following two commands:

sh vlan
sh int trunk

that should give me a better idea of how it is connected to the netgear and how it should be configured on the new non-POE
Dear Cyclops3590,

If the PVID is set to VLAN 1 and VLAN 2 is configured as tagged on the ports, it means that traffic sent on such an interface in VLAN 1 is untagged and in VLAN 2 tagged. Tagged traffic implies the "trunk" on the Cisco switch.

So I am correct, the only difference is that you may need to restrict VLAN access with trunk ports at the cisco.
mgcomputer

One port on the non-PoE switch is plugged into a Cisco 1841 router and the remaining 22 ports have workstations connected to the switch. The only thing set up on the non-PoE switch is the basic switch setup; no VLANs were ever set up on the non-PoE switch.
mgcomputer: if you have a default 2960 config please add the commands I gave previously and it will work as requested.
On port 24 the PVID is set to 2.
PVID is the "Port VLAN ID". This means that traffic coming out of this interface that is in the same VLAN as the PVID will be untagged.

On port 1 to 23 the PVID is 1, which means that all untagged traffic is VLAN 1. Port 24 has VLAN 2 as PVID, that means that untagged traffic on port 24 is in VLAN 2.

Because VLAN 1 is NOT configured on port 24 this means that there is only 1 VLAN on port 24 and that is VLAN 2 untagged. If there is only one untagged VLAN on a port it is called an access port in Cisco terms.

On port 1 to 23 there are two VLANs configured, VLAN 1 untagged (hence the PVID) and VLAN 2 tagged. To allow more than one VLAN on an interface you need to configure the interfaces as trunk interfaces on Cisco.

Does this make sense?

sorry that is not entirely correct.  trunks should only be used when multiple vlans are needed.  so the port connected to the router should be trunk and the port to the poe switch should be trunk.  all others should be access.  while your config may work, you should never assign trunk mode to access ports.

also port 24 will be tagged vlan 2, not untagged vlan 2.  for that you must change the native vlan on the switch or assign port 24 as a trunk (which is what I would do as it connects to another switch) and assign the native vlan as 2.

this is why we need to know how everything is configured and which devices plugged into where.  because it looks like the netgear and your cisco config match but the netgear shouldn't have been configured that way to begin with despite "working".  host ports should ALWAYS be configured as access mode and NEVER as trunks.
btw, ports on the poe switch should be configured with vlan 2 then if they are not tagged at this time and the port between the switches set as a trunk.  the whole point of vlans is that you can make better use of your physical infrastructure so if you need to plug a vlan 1 host into the poe switch you can.

also, so are phones plugged into the poe and vlan 2 is your voice network?  if so you know you can run an access port with 2 vlans right on a cisco switch?  you just enable the voice vlan configuration then and make even better use of your switch environment
Dear Cyclops3590,

You are incorrect, please let me explain why.

At picture vlan5.JPG you see that port 0/24 is configured with PVID 2. At picture vlan4.JPG and vlan5.JPG you will see that the port range 0/1-0/23 is configured with PVID 1.

At picture vlan3.JPG you will see that VLAN 2 is TAGGED on port range 0/1-0/23 and UNTAGGED on port 0/24. At picture vlan2.JPG you will see that VLAN 1 is untagged on port range 0/1-0/23 and NOT present on port 24.

At the port range 0/1-0/23 we have VLAN 1 (untagged) and VLAN 2 (tagged), thus multiple VLAN's, thus Trunking ports.

Port 0/24 has only one VLAN, VLAN 2, which is untagged, thus an access port.

let me explain why I say you are not wrong, but rather the switch environment is misconfigured and we should help mgcomputer fix it.

first tagged doesn't necessarily mean a trunk, multiple vlans means trunk as you have stated.  Second, I agree that what you have described is true.  Finally, you NEVER have multiple vlans to client host.  As mgcomputer stated, one port has a router plugged in, one has a switch and all others are clients.  clients only operate in one vlan.  By configuring those as trunks you are opening yourself up to the vlan hopping attack not to mention you just should never do that.

I fully agree it will work as you have stated.  But as I stated, just because it "will" work doesn't mean we should do it that way.  We should do it the correct way.  Trunks between switches and switch/routers.  Access on all client ports and tag the ports for clients.  

By not tagging anything on the poe switch and tagging port 24, it is similar to configuring port 24 as a trunk and all ports on the poe switch as vlan 2 tagged.  It will work, but that is not the correct way of doing it.  By doing untagged vlan 1 and tagged vlan 2 on client ports on the non-poe switch (netgear) all clients are in vlan 1 as they don't speak 802.1q.  The router will do untagged as vlan 1 and explicitly tag vlan 2. This all works.  From the router if something is destined for vlan 2, the switch understands that it should move it out port 24 and move it as untagged.  Here comes the part that can become confusing.  The poe switch sees all frames as vlan 1.  Why?  because that is its native vlan so anything untagged is vlan 1.  The netgear overrode that and said untagged is seen as vlan 2 (it switched the native vlan).

This is why I say we need to redo the configs to make them the way they should, not just let the same misconfiguration of the switching environment persist.  But that's me.  

Mind you, yes, what you're saying WILL WORK.  I'm just saying that it shouldn't be done, it should be done the proper way instead.
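As an added example (not code from the thread or from either poster), the following Python models the mapping the two replies above are arguing over: it derives Cisco access/trunk roles from Netgear-style PVID/tagged/untagged membership, renders the corresponding IOS lines, and classifies ingress frames to show why a trunk on a workstation port lets a host's self-tagged VLAN 2 frame reach VLAN 2 while an access port in VLAN 1 drops it. All class and function names are this example's own; the port layout is constructed from the numbers quoted in the thread; the frame-handling rules are a simplified model of 802.1Q port behaviour, not vendor documentation.

```python
# Added example, not from the thread: Netgear PVID/tagged/untagged membership
# -> Cisco access/trunk role -> IOS lines, plus a simplified ingress-frame
# classifier that shows the access-vs-trunk difference on a host port.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class NetgearPort:
    """Netgear-style membership: PVID plus the VLANs that leave the port untagged / tagged."""
    name: str
    pvid: int
    untagged: Set[int] = field(default_factory=set)
    tagged: Set[int] = field(default_factory=set)


@dataclass
class CiscoPort:
    """Cisco-style role derived from that membership (field names are this example's own)."""
    name: str
    mode: str                      # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: Set[int] = field(default_factory=set)


def to_cisco(p: NetgearPort) -> CiscoPort:
    """Exactly one untagged VLAN and nothing tagged -> access port in that VLAN.
    More than one VLAN -> trunk, with the PVID carried as the native (untagged) VLAN."""
    if not p.tagged and len(p.untagged) == 1:
        return CiscoPort(p.name, "access", access_vlan=next(iter(p.untagged)))
    return CiscoPort(p.name, "trunk", native_vlan=p.pvid, allowed=p.untagged | p.tagged)


def ios_lines(c: CiscoPort) -> List[str]:
    """Render the interface stanza as IOS configuration lines."""
    lines = [f"interface {c.name}"]
    if c.mode == "access":
        lines += [" switchport mode access", f" switchport access vlan {c.access_vlan}"]
    else:
        allowed = ",".join(str(v) for v in sorted(c.allowed))
        lines += [" switchport mode trunk",
                  f" switchport trunk native vlan {c.native_vlan}",
                  f" switchport trunk allowed vlan {allowed}"]
    return lines


def classify_frame(c: CiscoPort, tag: Optional[int]) -> Optional[int]:
    """VLAN an ingress frame is placed in, or None if the port drops it.
    Simplified model (an assumption, not vendor documentation): an access port
    takes untagged frames, or frames tagged with its own access VLAN, and drops
    every other tag; a trunk maps untagged frames to the native VLAN and accepts
    any allowed tag."""
    if c.mode == "access":
        return c.access_vlan if tag in (None, c.access_vlan) else None
    if tag is None:
        return c.native_vlan
    return tag if tag in c.allowed else None


def netgear_layout() -> List[NetgearPort]:
    """Constructed from the thread: ports 1-23 PVID 1 with VLAN 1 untagged and
    VLAN 2 tagged; port 24 PVID 2 with VLAN 2 untagged and VLAN 1 absent."""
    ports = [NetgearPort(f"GigabitEthernet0/{i}", pvid=1, untagged={1}, tagged={2})
             for i in range(1, 24)]
    ports.append(NetgearPort("GigabitEthernet0/24", pvid=2, untagged={2}))
    return ports


def host_port_risk() -> tuple:
    """Gi0/5 is a workstation port.  Translated literally it becomes a trunk, so a
    frame the host tags with VLAN 2 is forwarded into VLAN 2; as an access port in
    VLAN 1 the same frame is dropped.  Returns (vlan_if_trunk, vlan_if_access)."""
    literal = to_cisco(netgear_layout()[4])
    hardened = CiscoPort("GigabitEthernet0/5", "access", access_vlan=1)
    return classify_frame(literal, 2), classify_frame(hardened, 2)


if __name__ == "__main__":
    for p in netgear_layout():
        print("\n".join(ios_lines(to_cisco(p))))
    print("host-tagged VLAN 2 frame lands in:", host_port_risk())   # (2, None)
```

Running it prints the derived stanza for each of the 24 ports (port 24 comes out as an access port in VLAN 2, ports 1-23 as trunks with native VLAN 1), and `host_port_risk()` returns `(2, None)`: the literal translation forwards a host-tagged VLAN 2 frame, the access-port form does not, which is the practical content of the VLAN-hopping point made above.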
Dear Cyclops3590,

I totally agree with your statement. From a responsible network engineer's perspective an answer alone is not enough.

Maybe the author can share a network diagram of his network and explain what kind of devices are attached to those switches.

If we are talking about VoIP and telephones, configuring the ports as access ports and using the auto voice VLAN as you stated earlier is the best thing to do.

Also, if you use multiple VLAN's and you have multiple switches it is best practice to have trunk ports between those switches to keep the VLAN's the same on those switches (and allow those VLAN's to be used at each switch).
Tried the commands; it did allow me to ping the PoE switch.
Correction: could not ping.
where did you ping from?
the switch and also from my workstation
which port on the non-poe is the router plugged into?  which port is the non-poe plugged into on the poe switch?  please post the config of the poe switch as well.  after that we'll just get you working with a proper config so we don't have possible issues from cisco treating things differently than the netgear.

we want to trunk the non-poe interfaces that connect to the router and on port 24.  we want to trunk the interface on the poe switch that connects to port 24 on the non-poe switch.  then we want to assign all other interfaces on poe switch to vlan 2.  also, post the interface and vlan configuration from the router for good measure so we can tell what is going on there.
Router is on port 23; the link to the non-PoE is on port 24.
I looked at the router configuration and it is very plain.
can you answer these questions:

1. for what purpose is VLAN 2 being used?
2. Why is VLAN 2 untagged on port 24? This means that all the devices in the non-PoE switch are in VLAN 2. If the router is on port 23 and has NO configuration for VLANs (dot1q) then you will not be able to ping the router from a device in the non-PoE switch, as the router is in VLAN 1 and your device is in VLAN 2.

Please make a network diagram (simple) with the devices and IP addresses you have so we can help you with that.
In each router in the network there is a primary and secondary IP address; one is the 192.xx.xx.xx subnet. 802.1Q encapsulation is installed on the router. If the workstation is on the primary address with the Netgear switch installed I can reach any 192 address in the ... I still have other Netgear switches that handle the data and hand off the VLAN to the PoE switch.
can you please make a network drawing as it is difficult to visualize with the information you gave us?
agree with henkva.  I'm not sure what you're trying to describe your network looking like.

I realize this is taking longer than you probably want it to take, but trust me, henkva and I WILL get you to a working state, as what you are trying to do isn't complicated; we just need to better understand what your environment looks like and what you are trying to accomplish.
here is the diagram
The VoIP phones work but I still cannot ping the PoE switch from anywhere in the network. But I can ping the phone server with an address of 192.168.xx.xx.
what do you mean by "anywhere in the network"?  do you mean from the router, from the non-poe switch, from a client in vlan 1?

Double check ip configuration.  is the ip assigned associated with the vlan1 interface correct? While you don't have to assign it to vlan1, in your case I would due to the way the network is designed.  also make sure you have the default-gateway assigned as well.
I cannot ping from any other workstation connected to the non-PoE switch (trying to ping the PoE switch). Also, in the ARP table it does show the gateway address.
what is the config for the vlan1 interface on the poe switch though.