Cisco VLAN addition

Is the IP on the SVI of the 3560 the gateway address of the devices

eg
for vlan 1300 default gateway on clients = 10.13.0.254
for vlan 1301 default gateway on clients = 10.13.1.1
for vlan 1302 default gateway on clients = 10.13.2.1
for vlan 1303 default gateway on clients = 10.13.3.1

Also, post the result of "show ip route"

Hello,
Thank you for your reply.
You have listed the vlans and gateways correctly.

--------------------------------------
User Access Verification

Username:
Password:
#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.13.0.1 to network 0.0.0.0

S    192.168.77.0/24 [1/0] via 10.13.0.3
     10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
C       10.13.3.0/24 is directly connected, Vlan1303
C       10.13.2.0/24 is directly connected, Vlan1302
C       10.13.1.0/24 is directly connected, Vlan1301
C       10.13.0.0/24 is directly connected, Vlan1300
S       10.3.0.0/22 [1/0] via 10.13.0.3
S       10.0.0.0/8 [1/0] via 10.13.0.2
S       10.29.0.0/22 [1/0] via 10.13.0.3
S       10.60.0.0/22 [1/0] via 10.13.0.1
S       10.66.0.0/22 [1/0] via 10.13.0.1
S       10.89.0.0/22 [1/0] via 10.13.0.3
S*   0.0.0.0/0 [1/0] via 10.13.0.1
S    192.168.0.0/16 [1/0] via 10.13.0.4

The issue seems to be in your routes.

IP Helper address are normally used for UDP.

Do you have any firewalls in place? Also you may have to add in a static route.

ip route 0.0.0.0 0.0.0.0 10.13.0.1
ip route 10.0.0.0 255.0.0.0 10.13.0.2
ip route 10.3.0.0 255.255.252.0 10.13.0.3 <------------You may have to pull this one.

I need the IP helpers, as that 10.13.1.2 is my DHCP server.
I think it works because items can get the 10.13.3.x addresses.

ip route 10.3.0.0...why would this be an issue?

10.13.0.1, 10.13.0.2, 10.13.0.3, 10.13.0.4 are all firewalls.

Is it something as simple as not giving the clients on the new VLAN the correct gateway address?

It could be that your DHCP server is using 10.13.0.1 as its default gateway, and has static routes configured, but that's unlikely if the clients are actually getting IP addresses.

craigbeck, I re-checked and the gateway is listed at 10.13.3.1
I can even put in a static IP and get the same results.

Here is a test. Add a static route on one of your client's route tables and make sure you have the gateway set.

Working from a static IP, plugged into port 8

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\>route print
===========================================================================
Interface List
 12...f0 4d a2......Broadcom
 11...00 ff 72 ......TAP-Win32 Adapter V9
  1...........................Software Loopback Interface 1
 35...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask   Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.13.3.1       10.13.3.20    266
        10.13.3.0    255.255.255.0         On-link        10.13.3.20    266
       10.13.3.20  255.255.255.255         On-link        10.13.3.20    266
      10.13.3.255  255.255.255.255         On-link        10.13.3.20    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.13.3.20    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.13.3.20    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.13.3.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\

did
route add 10.13.1.0 mask 255.255.255.0 10.13.3.1

route added successfully.
Made no change to my problem.

OK can you confirm what the gateway of a client on VLAN 1301 is?

VLAN 1301 gateway is 10.13.1.1

Can hosts on the new VLAN ping each other?

Run the following commands on the 3560 and post only the 1st one
- show interface status

You don't have to post the results of the following, just identify whether pass or fail

- ping 10.13.0.254 source 10.13.0.254
- ping 10.13.1.1 source 10.13.0.254
- ping 10.13.2.1 source 10.13.0.254
- ping 10.13.3.1source 10.13.0.254

- ping 10.13.2.1 source 10.13.1.1
- ping 10.13.3.1 source 10.13.1.1

- ping 10.13.3.1 source 10.13.2.1

#show interface status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     *** Vestibule (VLA connected    1300       a-full  a-100 10/100/1000BaseTX
Gi0/2     *** Vestibule (VLA connected    1300       a-full  a-100 10/100/1000BaseTX
Gi0/3     *** Vestibule (VLA connected    1300       a-full  a-100 10/100/1000BaseTX
Gi0/4     *** Vestibule (VLA connected    1300         full    100 10/100/1000BaseTX
Gi0/5     *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/6     *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/7     *** Data (VLAN 130 connected    trunk      a-full  a-100 10/100/1000BaseTX
Gi0/8     *** Data (VLAN 130 notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/9     *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/10    *** Data (VLAN 130 notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/11    *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/12    *** Data (VLAN 130 connected    trunk      a-full  a-100 10/100/1000BaseTX
Gi0/13    *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/14    *** Data (VLAN 130 notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/15    *** Data (VLAN 130 connected    trunk      a-full  a-100 10/100/1000BaseTX
Gi0/16    *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/17    *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/18    *** Data (VLAN 130 connected    trunk      a-full a-1000 10/100/1000BaseTX
Gi0/19    *** To Voice (VLAN notconnect   1302         auto   auto 10/100/1000BaseTX
Gi0/20    *** Vestibule (VLA connected    1300       a-full a-1000 10/100/1000BaseTX
Gi0/21    *** To Data (VLAN  connected    1301       a-full a-1000 10/100/1000BaseTX
Gi0/22    *** To Data (VLAN  connected    1301       a-full a-1000 10/100/1000BaseTX
Gi0/23    *** To Data (VLAN  connected    1301       a-full a-1000 10/100/1000BaseTX
Gi0/24    *** To Data (VLAN  notconnect   1300         auto   auto 10/100/1000BaseTX
Gi0/25    *** Trunk (VLANs 1 connected    trunk      a-full a-1000 1000BaseCX SFP Cable
Gi0/26    *** Trunk (VLANs 1 connected    trunk      a-full a-1000 1000BaseCX SFP Cable
Gi0/27    *** Trunk (VLANs 1 connected    trunk      a-full a-1000 1000BaseCX SFP Cable
Gi0/28    *** Trunk (VLANs 1 notconnect   1            auto   auto Not Present
swCoquitlam-01#

- ping 10.13.0.254 source 10.13.0.254 - PASS
- ping 10.13.1.1 source 10.13.0.254 - PASS
- ping 10.13.2.1 source 10.13.0.254 - PASS
- ping 10.13.3.1source 10.13.0.254 - PASS
- ping 10.13.2.1 source 10.13.1.1 - PASS
- ping 10.13.3.1 source 10.13.1.1 - PASS
- ping 10.13.3.1 source 10.13.2.1  - PASS

Can hosts on the new VLAN ping each other?
- Good question, I don't know. I don't think I tried that.

I'll have to put two host on and make the attempt.
I'm out of the office today, will attempt tomorrow.

Hosts on the new 1303 VLAN can ping each other.
(10.13.3.5 can ping and be pinged by 10.13.3.6...and so on.)

Other possibly useful information.....

#show ip route
Gateway of last resort is 10.13.0.1 to network 0.0.0.0

S    192.168.77.0/24 [1/0] via 10.13.0.3
     10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
C       10.13.3.0/24 is directly connected, Vlan1303
C       10.13.2.0/24 is directly connected, Vlan1302
C       10.13.1.0/24 is directly connected, Vlan1301
C       10.13.0.0/24 is directly connected, Vlan1300
S       10.3.0.0/22 [1/0] via 10.13.0.3
S       10.0.0.0/8 [1/0] via 10.13.0.2
S       10.29.0.0/22 [1/0] via 10.13.0.3
S       10.60.0.0/22 [1/0] via 10.13.0.2
S       10.66.0.0/22 [1/0] via 10.13.0.1
S       10.89.0.0/22 [1/0] via 10.13.0.3
S*   0.0.0.0/0 [1/0] via 10.13.0.1
S    192.168.0.0/16 [1/0] via 10.13.0.4


#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/8, Gi0/10, Gi0/28
1000 Vestibule                        active
1001 Data                             active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
1300 VLAN1300                         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/20, Gi0/24
1301 VLAN1301                         active    Gi0/21, Gi0/22, Gi0/23
1302 VLAN1302                         active    Gi0/19
1303 VLAN1303                         active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1000 enet  101000     1500  -      -      -        -    -        0      0
1001 enet  101001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
1300 enet  101300     1500  -      -      -        -    -        0      0
1301 enet  101301     1500  -      -      -        -    -        0      0
1302 enet  101302     1500  -      -      -        -    -        0      0
1303 enet  101303     1500  -      -      -        -    -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Your routes are good. The networks are talking to each other based on the results of the source pings.

There's no switchport assigned to vlan 1303. That's the problem

Do that 1st

@Akinsd - VLAN1303 may be assigned to a trunk.  Something must be in that VLAN or the route wouldn't appear in the routing table.

Just a thought?

Ok. I think I see what you are seeing...

1300 VLAN1300                         active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/20, Gi0/24
1301 VLAN1301                         active    Gi0/21, Gi0/22, Gi0/23
1302 VLAN1302                         active    Gi0/19
1303 VLAN1303                         active

So I'd want to copy the port settings of 1301?

Can you point me in the right direction with some commands?

conf t
int gi0/8
switchport mode access
switchport access vlan 1303
no shut
wr me

This is assuming you want to plug the device that belongs to vlan 1303 to port gi0/8

Apply the command to the appropriate port.


Just FYI
you have a lot of ports configured as trunk. You should hardcode unused ports as access ports and assign them to an inactive vlan. You should also shut those ports down and only enable them as needed.  Configuring switchport security and/or authentication are other additional or advanced security measures. This prevents someone just connecting a switch to your network and cause really bad damage or issues.

you have a lot of ports configured as trunk. You should hardcode unused ports as access ports and assign them to an inactive vlan. You should also shut those ports down and only enable them as needed.  Configuring switchport security and/or authentication are other additional or advanced security measures. This prevents someone just connecting a switch to your network and cause really bad damage or issues.

Good advice!


I've had another read through everything and noticed this...

Working from a static IP, plugged into port 8

That won't work with the port's current config...

interface GigabitEthernet0/8
 description *** Data (VLAN 1301, 1303) and Voice (VLAN 1302) port
 switchport trunk encapsulation dot1q
switchport trunk native vlan 1301
 switchport trunk allowed vlan 1301-1303
 switchport mode trunk
 priority-queue out
 service-policy input plmDataPolicies

...the port is untagging traffic in VLAN 1301, not 1303.

Do as Akinsd suggests and put a port into access mode in VLAN 1303 and try again.

thank you for the input.

Akinsd
I'd like VLAN 1303 viable on ports 5-18, 25-28.   Same as VLAN 1301.
So I believe I should do the command you listed for all the ports in the sentence above, correct?

Craigbeck...Do I need to remove that line "switch port trunk native vlan 1301"
again, for 5-18, 25-28?

If you're only connecting one device to a switchport, unless that device does 802.1Q you should configure the port as an access port (so remove all trunk config).

So all ports where PCs/Servers/Printers/Phones/etc will connect should look like...

interface GigabitEthernet0/8
 description *** Data VLAN 1303
 switchport access vlan 1303
 switchport mode access
 switchport voice vlan 1302
 priority-queue out
 service-policy input plmDataPolicies
 spanning-tree portfast

Select allOpen in new window

I think you're confusing the issue a little by configuring the ports as trunks (I'm guessing for phones?).  You don't need to do this if the phones do CDP or LLDP (see the switchport voice vlan command), although you will if the phones are configured to get their VLAN info via DHCP.

Phones rely on DCHP to get their VLAN info.

conf t
int range gi05 - 18
switchport mode access
switchport access vlan 1303
no shut
exit

int range gi0/25 - 28
switchport mode access
switchport access vlan 1303
no shut
wr me

Ok, you do need trunk ports then.

interface GigabitEthernet0/8
 description *** Data (VLAN 1303) and Voice (VLAN 1302) port
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1303
 switchport trunk allowed vlan 1302-1303
 switchport mode trunk
 priority-queue out
 service-policy input plmDataPolicies

Select allOpen in new window

(Notice the native VLAN is 1303)

Will changing the native vlan from  1301   to   1303   mess with the 10.13.1.1 network, and all the towers that pull ip address on the 10.13.1.1 network?

Native Vlan just means any traffic that is not tagged is treated to be in that vlan. Computers don't tag their traffic but the switchport is.

So to answer your question, it depends on what you currently have on the network. The computers will not be affected really as their switchports are tagged, the issue will be on devices attached to trunk ports. You can also change the native vlan on the trunk ports, but be aware to make necessary changes on devices connected to them.

Items on my network are pretty standard.
Windows tower/laptops
Printers (static ip)
Avaya IP phones
smart phones/tablets

I will implement craigbeck's recommendations (3 post up) tonight and report back in the morning.

Craigbeck -
why does line 5 read:
switchport trunk allowed vlan 1302-1303
and not
switchport trunk allowed vlan 1301-1303


and
is a different configuration needed for ports 25-28?

You dont need VLAN 1301 on the port.  1302 is voice and 1303 is the new data subnet.  Yiu can only allow either 1301 or 1303 on the port if its an access port.

Hello,
Taking longer than expected.
The config below works....but only for address 10.13.2.x and 10.13.3.x
So if you have a static IP (10.13.1.x) and are in one of the configured jacks, you cannot communicate.
It would be ideal if the config worked for all 3 subnets.

interface GigabitEthernet0/X
 description *** Data (VLAN 1303) and Voice (VLAN 1302) port
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1303
 switchport trunk allowed vlan 1302-1303
 switchport mode trunk
 priority-queue out
 service-policy input plmDataPolicies

Let's recap.

You're not adding a subnet to an existing VLAN; you're adding a new VLAN and subnet.  Therefore you can't expect a client on VLAN 1301 to be able to connect to a port which is configured in VLAN 1303.  That's just not possible.

Here we're setting some ports in VLAN 1301 and some ports in VLAN 1303.  Unfortunately we can't have the ports in both VLANs unless the clients can do 802.1Q.  What's confusing the situation (I think) is the fact that the phones work at the same time as a client.  This is due to the phone supporting CDP and 802.1Q.

Ok. I see the error of my thought process.
What I was trying to create, does not deliver what I want.

^^
Ok, that sounds more like what I want to do.
Please provide more details on "Adding a secondary IP address to existing VLAN."

Hello,

The Adding a Secondary IP address worked!

ip address x.x.x.x  y.y.y.y secondary

Glad it worked - sorry for not replying to your earlier question I didn't see a notification that you'd responded!?