assign port to multiple VLANs Catalyst 2950

I have a Catalyst 2950 and I'm trying to assign a series of power to multiple VLANs...  With HP switches the default VLAN ID 1 is untagged... Then.. I simply tag a port to a specific VLAN or a series of VLANs.  What's the command to accomplish this with the Catalyst 2950?  I tried using the 'multi' mode command and it didn't work..  I assume my syntax was wrong.
gopher_49Asked:
naderzCommented:
What do you mean by " I'm trying to assign a series of power to multiple VLANs"?

When multiple VLANs travel on the same port Cisco calls it "trunking". Is that what you are asking? Multiple VLANs on one port? If yes, then see below:

To place an interface into trunking mode (on HP you do this by "tagged" command) run this on Cisco switch:

Example:

Interface Gig 0/1
switchport mode trunk
switchport trunk allowed vlan "list of vlans separated by comma"

The above is necessary if you need to control and limit which VLANs travel on the trunk. If you don't specify, all VLANs will be allowed once you set the interface to "switchport mode trunk".
0
gopher_49Author Commented:
Okay.  That's the syntax I used last night when remotely accessing the switch...  I'll test my lab later today.

Thanks
0
Craig BeckCommented:
In Cisco talk, the native VLAN is the equivalent of the HP untagged VLAN.

So, to allow VLANs 10-20 on a port with VLAN10 as the default (or untagged)...

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10-20
 switchport trunk native vlan 10


Notice that you do it the other way round in Cisco: as opposed to allowing ports in VLANs on HP kit, you allow VLANs per port on Cisco kit.

To break it down...

switchport trunk encapsulation dot1q - This is important as the 2950 also supports ISL (Cisco proprietary) trunking.  If you don't set this to 802.1q you'll not pass proper VLAN-tagged frames.

switchport trunk native vlan 10 - This sets the untagged VLAN

switchport trunk allowed vlan 10-20 - This determines which VLANs are allowed to pass through the port if you want to restrict it, otherwise all VLANs pass.
0
gopher_49Author Commented:
The 'encapsulation' command doesn't take in the below command line you sent.

switchport trunk encapsulation dot1q

It says invalid input detected.
0
gopher_49Author Commented:
It seems the 2950 doesn't require the switchport trunk encapsulation dot1q command, for it only supports 802.1q.

https://supportforums.cisco.com/docs/DOC-3686

Note: The steps to configure trunking on the Catalyst 2950 or 3550 series are almost the same. The 2950/2955 series switches do not require step 4, as they only support 802.1q and do not support ISL trunk encapsulation. Cisco Catalyst 3550 Series switches support both ISL and 802.1Q trunks. A recommended migration to the ISL trunking standard while using the Cisco Catalyst 2950 is to place an ISL/dot1Q-capable device between the ISL-supported device and the Cisco Catalyst 2950 Series switch. The following URL outlines some FAQ about the 2950:

http://www.cisco.com/cpropart/salestools/cc/pd/si/casi/ca2950/prodlit/2950p_qp.htm

Refer to Configuring VLANs for more information on the Catalyst series, specifically the Catalyst 2950 or 3550 series.
0
Craig BeckCommented:
It depends on the version of IOS, but earlier 2950s did support ISL.  Anyway, if the command isn't supported the trunk will be 802.1q.
0
gopher_49Author Commented:
I performed the commands and I'm unable to access anything in the vlan.  I set 251 as my vlan ID on my VMware ESXi server and once doing that it's not accessible.  I also set vlan 251 on my DRAC board and it's not accessible either.  I tried setting the switch port to trunk and tried manually assigning it
0
Craig BeckCommented:
You need to configure VLAN251 on the switch, and allow it on the trunk...

vlan 251
exit
interface FastEthernet0/1
 switchport trunk allowed vlan add 251
0
gopher_49Author Commented:
I did that... doesn't work.  When setting VLAN ID 251 on the NIC of the ESXi VMWare server and Dell DRAC board they both drop off the network.  The workstations that are trying to access them also are allowed to 251.  They have the same config on their switch port as the ESXi server and DRAC board.
0
naderzCommented:
VMware ESXi only supports 802.1(q).

Please make sure you have trunking setup correctly on the VMWare. See below:

Follow these steps:

1. Define ESXi/ESX VLANs on the physical switch.
2. Allow the proper range to the ESXi/ESX host.
3. Set the physical port connection between the ESXi/ESX host and the physical switch to TRUNK mode. ESXi/ESX only supports IEEE 802.1Q (dot1q) trunking.

        - Physical switch is set to TRUNK mode
        - dot1q encapsulation is enabled
        - Spanning-tree is set to portfast trunk (for example, port forwarding, skips other modes)
        - Define VLAN interface
        - Assign IP Range to VLAN interface
        - VLAN Routing – and VLAN Isolation

        Caution: Native VLAN ID on ESXi/ESX VST Mode is not supported. Do not assign a VLAN to a port group that is same as the native VLAN ID of the physical switch. Native VLAN packets are not tagged with the VLAN ID on the outgoing traffic toward the ESXi/ESX host. Therefore, if the ESXi/ESX host is set to VST mode, it drops the packets that are lacking a VLAN tag.


Complete instructions:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004074


All VLANs that are on the VMWare have to be also defined and existing on the Cisco switch as well. Each vlan has to be created individually. To create them just run "vlan vlan-number" (e.g. vlan 251) on the Cisco switch. And, of course, make sure that the created vlans exist on the trunk port by the command I posted earlier:

switchport mode trunk
switchport trunk allowed vlan "list of vlans separated by comma"


Also, add this command to the Cisco interface configuration:

interface Gig 0/1
spanning-tree portfast trunk
0
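The switch-side conditions listed in the comment above (VLAN defined, port in trunk mode, VLAN allowed on the trunk, VLAN not equal to the native VLAN) can be checked offline against a saved running-config. This is an added example, not code from the thread; the function names and the sample excerpt are constructed, and it assumes allowed lists are numeric as the running-config prints them.

```python
# Constructed IOS-style excerpt modelled on the thread's ports (sample data).
SAMPLE_CONFIG = """\
interface FastEthernet0/17
 switchport trunk allowed vlan 1,251
 switchport mode trunk
!
interface FastEthernet0/18
 switchport trunk native vlan 251
 switchport trunk allowed vlan 1,250-252
 switchport mode trunk
!
interface FastEthernet0/21
 switchport access vlan 251
"""

def expand(vlan_list):
    """Expand an IOS VLAN list such as '1,250-252' into a set of ints."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ports(config):
    """Map interface -> mode (None = no mode line), native VLAN, allowed set (None = all)."""
    ports, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            cur = ports[words[1]] = {"mode": None, "native": 1, "allowed": None}
        elif cur and words[:2] == ["switchport", "mode"]:
            cur["mode"] = words[2]
        elif cur and words[:4] == ["switchport", "trunk", "native", "vlan"]:
            cur["native"] = int(words[4])
        elif cur and words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            vl = expand(words[-1])  # "add" marks a continuation of a long list
            cur["allowed"] = (cur["allowed"] or set()) | vl if "add" in words else vl
    return ports

def check_tagged(ports, defined, port, vlan):
    """Reasons a host tagging `vlan` on `port` would lose connectivity."""
    p = ports[port]
    checks = [
        (vlan not in defined, "VLAN not defined on switch"),
        (p["mode"] != "trunk", "port is not in trunk mode"),
        (p["allowed"] is not None and vlan not in p["allowed"], "VLAN not allowed on trunk"),
        (vlan == p["native"], "VLAN is the native VLAN, sent untagged"),
    ]
    return [msg for failed, msg in checks if failed]
```

Pass the VLAN IDs listed by show vlan brief as `defined`; an empty result means the switch side is consistent for a host that tags that VLAN on that port.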
gopher_49Author Commented:
I have not added spanning-tree nor an IP address to the vlan itself.  My switch only supports 802.1q as I understand...  I'll try again here shortly.
0
Craig BeckCommented:
Can you post the switch config, and show the output from show vlan brief?
0
gopher_49Author Commented:
Below is the show vlan brief of my 2950 and following it is my entire config.

Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/19
251  management                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


Entire config is below.

Current configuration : 2011 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/18
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/19
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/20
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/21
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/22
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/23
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/24
 switchport trunk allowed vlan 1,251
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan1
 ip address 192.168.254.101 255.255.255.0
 no ip route-cache
!
interface Vlan251
 ip address 192.168.251.102 255.255.255.0
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.251.1
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end
0
Craig BeckCommented:
Which port does the ESXi and DRAC connect to?
0
gopher_49Author Commented:
port 17 and 19
0
Craig BeckCommented:
If you don't set a VLAN ID on the DRAC, which VLAN does it work on?
0
gopher_49Author Commented:
When it's blank it works.. This seems to default to VLAN ID 1
0
gopher_49Author Commented:
I think it's working now.. The IP I was testing (I'm currently remote) was not set like it should have been..  I'll update the ticket shortly.
0
gopher_49Author Commented:
okay..  I'm now able to ping from my desktop to the ESXi server via the syntax below.  My desktop is plugged into 0/21.  How do I make it where my desktop can also access host on the default VLAN ID 1?

interface FastEthernet0/21
 switchport access vlan 251
 spanning-tree portfast
0
naderzCommented:
If your desktop is configured with the correct default-gateway, then the switch will route the traffic between VLANs.

From what you have above the default-gateway for devices on Vlan 1 should be 192.168.254.101 and devices on Vlan 251 should have 192.168.251.102 as default-gateway.

I also see that interface vlan 251 is shutdown. You need to unshut that.

Also, what IP address is 192.168.251.1? Your switch's default-gateway is pointing to that IP. This setting is for switch's own use.
0
gopher_49Author Commented:
I'll be onsite tomorrow and will adjust further.  I have a firewall that I plan to introduce to route traffic between vlans.  Should I just use that?  See.  The Catalyst will be replaced once I ship the cluster I'm configuring.  Everything will end up on a layer 2 gigabit switch...  So, assuming I'll be using my firewall to route between VLAN's.   Should I remove the gateway statements I currently have to test the firewall routing?  I plan to test it tomorrow.
0
naderzCommented:
You could use the firewall to route internal VLANs, but I wouldn't. I would let the internal traffic stay within the internal routers and switches and let the firewall worry about inside/outside ACLs and NAT and VPN and other things it is designed to do. But, it is of course doable.

If you do use the firewall then yes, the default-gateways for each device would have to point to the interface on the firewall. Depending on your firewall configuration and type you would also need to setup another trunk between the L2 switch and the firewall if there are multiple VLANs.

Any particular reason for not using a L3 switch before the firewall?
0
Craig BeckCommented:
If you're using a layer-2 only switch you can't do inter-VLAN routing with it.
0
gopher_49Author Commented:
Very rarely do my hosts need to talk to each other through the vlans.  I only need VLAN's in this instance for an isolated wifi, isolate ESXi management, and to assign DHCP servers to each vlan via my firewall.  And..  For extra IP's... So, using the router/firewall in a stick methodology seems to be an okay method.
0
naderzCommented:
Fair enough. What kind of firewall/router are you using and have you had it setup for routing internal traffic before, or is this a new installation?
0
gopher_49Author Commented:
I use trunk mode on NICs/appliances that are trunked and on my windows boxes I simply added them to a VLAN but not in trunk mode.  I wasn't being patient enough when waiting for the port to detect a host... spantree fastport will help but I need to be more patient.
0