gopher_49 asked on

assign port to multiple VLANs Catalyst 2950

I have a Catalyst 2950 and I'm trying to assign a series of ports to multiple VLANs...  With HP switches the default VLAN ID 1 is untagged... Then.. I simply tag a port to a specific VLAN or a series of VLANs.  What's the command to accomplish this with the Catalyst 2950?  I tried using the 'multi' mode command and it didn't work..  I assume my syntax was wrong.
Switches / Hubs

Last Comment
gopher_49

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
naderz

ASKER
gopher_49

Okay.  That's the syntax I used last night when remotely accessing the switch...  I'll test my lab later today.

Thanks
Craig Beck

In Cisco talk, the native VLAN is the equivalent of the HP untagged VLAN.

So, to allow VLANs 10-20 on a port with VLAN10 as the default (or untagged)...

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10-20
 switchport trunk native vlan 10


Notice that you do it the other way round in Cisco: as opposed to allowing ports in VLANs on HP kit, you allow VLANs per port on Cisco kit.

To break it down...

switchport trunk encapsulation dot1q - This is important as the 2950 also supports ISL (Cisco proprietary) trunking.  If you don't set this to 802.1q you'll not pass proper VLAN-tagged frames.

switchport trunk native vlan 10 - This sets the untagged VLAN

switchport trunk allowed vlan 10-20 - This determines which VLANs are allowed to pass through the port if you want to restrict it, otherwise all VLANs pass.
ASKER
gopher_49

The 'encapsulation' command doesn't take in the below command line you sent.

switchport trunk encapsulation dot1q

It says invalid input detected.
ASKER
gopher_49

It seems the 2950 doesn't require the switchport trunk encapsulation dot1q command, for it only supports 802.1q.

https://supportforums.cisco.com/docs/DOC-3686

Note: The steps to configure trunking on the Catalyst 2950 or 3550 series are almost the same. The 2950/2955 series switches do not require step 4, as they only support 802.1q and do not support ISL trunk encapsulation. Cisco Catalyst 3550 Series switches support both ISL and 802.1Q trunks. A recommended migration to the ISL trunking standard while using the Cisco Catalyst 2950 is to place an ISL/dot1Q-capable device between the ISL-supported device and the Cisco Catalyst 2950 Series switch. The following URL outlines some FAQ about the 2950:

http://www.cisco.com/cpropart/salestools/cc/pd/si/casi/ca2950/prodlit/2950p_qp.htm

Refer to Configuring VLANs for more information on the Catalyst series, specifically the Catalyst 2950 or 3550 series.
Craig Beck

It depends on the version of IOS, but earlier 2950s did support ISL.  Anyway, if the command isn't supported the trunk will be 802.1q.
ASKER
gopher_49

I performed the commands and I'm unable to access anything in the vlan.  I set 251 as my vlan ID on my VMware ESXi server and once doing that it's not accessible.  I also set vlan 251 on my DRAC board and it's not accessible either.  I tried setting the switch port to trunk and tried manually assigning it
Craig Beck

You need to configure VLAN251 on the switch, and allow it on the trunk...

vlan 251
exit
interface FastEthernet0/1
 switchport trunk allowed vlan add 251
ASKER
gopher_49

I did that... doesn't work.  When setting VLAN ID 251 on the NIC of the ESXi VMWare server and Dell DRAC board they both drop off the network.  The workstations that are trying to access them also are allowed to 251.  They have the same config on their switch port as the ESXi server and DRAC board.
naderz

vmware esxi only supports 802.1(q).

Please make sure you have trunking setup correctly on the VMWare. See below:

Follow these steps:

1. Define ESXi/ESX VLANs on the physical switch.
2. Allow the proper range to the ESXi/ESX host.
3. Set the physical port connection between the ESXi/ESX host and the physical switch to TRUNK mode. ESXi/ESX only supports IEEE 802.1Q (dot1q) trunking.

    - Physical switch is set to TRUNK mode
    - dot1q encapsulation is enabled
    - Spanning-tree is set to portfast trunk (for example, port forwarding, skips other modes)
    - Define VLAN interface
    - Assign IP Range to VLAN interface
    - VLAN Routing and VLAN Isolation

        Caution: Native VLAN ID on ESXi/ESX VST Mode is not supported. Do not assign a VLAN to a port group that is same as the native VLAN ID of the physical switch. Native VLAN packets are not tagged with the VLAN ID on the outgoing traffic toward the ESXi/ESX host. Therefore, if the ESXi/ESX host is set to VST mode, it drops the packets that are lacking a VLAN tag.


Complete instructions:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004074


All VLANs that are on the VMWare have to be also defined and existing on the Cisco switch as well. Each vlan has to be created individually. To create them just run "vlan vlan-number" (e.g. vlan 251) on the Cisco switch. And, of course, make sure that the created vlans exist on the trunk port by the command I posted earlier:

switchport mode trunk
switchport trunk allowed vlan "list of vlans separated by comma"


Also, add this command to the Cisco interface configuration:

interface Gig 0/1
spanning-tree portfast trunk
ASKER
gopher_49

I have not added spanning-tree nor an IP address to the vlan itself.  My switch only supports 802.1q as I understand...  I'll try again here shortly.
Craig Beck

Can you post the switch config, and show the output from show vlan brief?
ASKER
gopher_49

Below is the show vlan brief of my 2950 and following it is my entire config.

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/19
251  management                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


Entire config is below.

Current configuration : 2011 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/18
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/19
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/20
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/21
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/22
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/23
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/24
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan1
 ip address 192.168.254.101 255.255.255.0
 no ip route-cache
!
interface Vlan251
 ip address 192.168.251.102 255.255.255.0
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.251.1
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end
Craig Beck

Which port does the ESXi and DRAC connect to?
ASKER
gopher_49

port 17 and 19
Craig Beck

If you don't set a VLAN ID on the DRAC, which VLAN does it work on?
ASKER
gopher_49

When it's blank it works.. This seems to default to VLAN ID 1
ASKER
gopher_49

I think it's working now.. The IP I was testing (I'm currently remote) was not set like it should have been..  I'll update the ticket shortly.
ASKER
gopher_49

Okay..  I'm now able to ping from my desktop to the ESXi server via the syntax below.  My desktop is plugged into 0/21.  How do I make it where my desktop can also access hosts on the default VLAN ID 1?

interface FastEthernet0/21
 switchport access vlan 251
 spanning-tree portfast
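
The tagging rules worked out in this thread (trunk vs. access port, and the VMware caution about the native VLAN) can be checked against a config offline. This is an added example, not part of any post; `parse_ports`, `check_host` and `SAMPLE_CONFIG` are names made up here, and a port without `switchport mode trunk` is assumed to behave as an access port.

```python
# Constructed excerpt: the Fa0/17 trunk and Fa0/21 access stanzas from this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/17
 switchport trunk allowed vlan 1,251
 switchport mode trunk
!
interface FastEthernet0/21
 switchport access vlan 251
"""
def expand_vlans(spec):
    """Turn an IOS VLAN list such as '1,10-20' into a set of ints."""
    pairs = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def parse_ports(config):
    """Map each interface to its mode, access VLAN, native VLAN and allowed set."""
    ports, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            # IOS defaults: access VLAN 1, native VLAN 1, all VLANs allowed.
            cur = ports[words[1]] = {"mode": "access", "access": 1, "native": 1,
                                     "allowed": set(range(1, 4095))}
        elif not line.startswith(" "):
            cur = None  # left the interface stanza
        elif cur and words[:3] == ["switchport", "mode", "trunk"]:
            cur["mode"] = "trunk"
        elif cur and words[:3] == ["switchport", "access", "vlan"]:
            cur["access"] = int(words[3])
        elif cur and words[:4] == ["switchport", "trunk", "native", "vlan"]:
            cur["native"] = int(words[4])
        elif cur and words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            cur["allowed"] = expand_vlans(words[4])  # plain lists only, no add/remove
    return ports

def check_host(port, host_vlan):
    """host_vlan is the VLAN ID set on the NIC or port group; None means untagged."""
    trunk = port["mode"] == "trunk"
    untagged = port["native"] if trunk else port["access"]
    if host_vlan is None:
        return f"ok: untagged host lands in VLAN {untagged}"
    if host_vlan == untagged:
        return f"mismatch: host tags VLAN {host_vlan}, switch sends it untagged"
    if not trunk or host_vlan not in port["allowed"]:
        return f"mismatch: VLAN {host_vlan} is not carried on this port"
    return f"ok: VLAN {host_vlan} is tagged on both sides"

if __name__ == "__main__":
    for name, port in parse_ports(SAMPLE_CONFIG).items():
        print(name, [check_host(port, v) for v in (None, 1, 251)])
```
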
naderz

If your desktop is configured with the correct default-gateway, then the switch will route the traffic between VLANs.

From what you have above the default-gateway for devices on Vlan 1 should be 192.168.254.101 and devices on Vlan 251 should have 192.168.251.102 as default-gateway.

I also see that interface vlan 251 is shutdown. You need to unshut that.

Also, what IP address is 192.168.251.1? Your switch's default-gateway is pointing to that IP. This setting is for switch's own use.
ASKER
gopher_49

I'll be onsite tomorrow and will adjust further.  I have a firewall that I plan to introduce to route traffic between vlans.  Should I just use that?  See.  The Catalyst will be replaced once I ship the cluster I'm configuring.  Everything will end up on a layer 2 gigabit switch...  So, assuming I'll be using my firewall to route between VLAN's.   Should I remove the gateway statements I currently have to test the firewall routing?  I plan to test it tomorrow.
naderz

You could use the firewall to route internal VLANs, but I wouldn't. I would let the internal traffic stay within the internal routers and switches and let the firewall worry about inside/outside ACLs and NAT and VPN and other things it is designed to do. But, it is of course doable.

If you do use the firewall then yes, the default-gateways for each device would have to point to the interface on the firewall. Depending on your firewall configuration and type you would also need to setup another trunk between the L2 switch and the firewall if there are multiple VLANs.

Any particular reason for not using a L3 switch before the firewall?
Craig Beck

If you're using a layer-2 only switch you can't do inter-VLAN routing with it.
ASKER
gopher_49

Very rarely do my hosts need to talk to each other through the vlans.  I only need VLAN's in this instance for an isolated wifi, isolate ESXi management, and to assign DHCP servers to each vlan via my firewall.  And..  For extra IP's... So, using the router/firewall in a stick methodology seems to be an okay method.
naderz

Fair enough. What kind of firewall/router are you using and have you had it setup for routing internal traffic before, or is this a new installation?
ASKER
gopher_49

I use trunk mode on NICs/appliances that are trunked and on my windows boxes I simply added them to a VLAN but not in trunk mode.  I wasn't being patient enough when waiting for the port to detect a host... spantree fastport will help but I need to be more patient.