Matthew Cioffi
asked on
Programming a Cisco Catalyst 2960 for VLANS
Hi Folks,
I have inherited a situation where I'm somewhat out of my element. I have to check, and reprogram if necessary, 2 Cisco Catalyst 2960 switches. I have very little experience with these and need some guidance on setting them up properly.
Things I need:
1. How to back up the current config for restore if everything gets messed up.
2. How to restore the backup if needed.
3. How to check and see if the VLANs configured already are done correctly.
a. is the trunking port set up properly
b. are the VLANs getting tagged correctly
4. How to program the switch for VLANs with a trunk port and VLAN tagging
thanks very much.
Here is a link to the Cisco configuration for your switch.
To help, you can log into your switch and do a Show Tech command. This will create a clean copy of your config (no passwords). HOWEVER, you must be able to capture the logging of the output, as it will be long. So make sure you're able to capture it. PuTTY will do this when you configure it properly.
1. run the following on the command line "copy running-config flash:/backup.cfg". I would also recommend running the command "copy running-config startup-config" before doing anything. This will allow you to perform number 2 as follows.
2. If your configuration gets messed up, *AND* you have not written the config, just power cycle and it will revert to the current startup config. If that is not an option for you, you can simply run "copy flash:/backup.cfg running-config".
3. Run the command "show int trunk". This will display all currently active trunk interfaces and what VLANs are allowed on them. You can also run the command "sh vlan" to see a list of all VLANs configured on the switch.
4. To configure additional trunk interfaces, just follow what Spartan_1337 wrote for his number 4.
ASKER
So I have the output from the show int trunk and the sh vlan. Can you tell me if this is set up properly? Can I fix the VLANs and tag them properly?
CSW-LNX-2960-1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-4094

Port        Vlans allowed and active in management domain
Po1         1,36-37,39,42,255

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1,36-37,39,42,255
CSW-LNX-2960-1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/45
36   User_Vlan                        active    Gi0/2, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/19
37   Wireless_Vlan                    active    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34
39   Phone_Vlan                       active    Gi0/20, Gi0/21, Gi0/22, Gi0/23
                                                Gi0/24
42   Video_Vlan                       active    Gi0/35, Gi0/36, Gi0/37, Gi0/38
                                                Gi0/39, Gi0/40, Gi0/41, Gi0/42
                                                Gi0/43, Gi0/44
255  Firewall_Vlan                    active    Gi0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
36   enet  100036     1500  -      -      -        -    -        0      0
37   enet  100037     1500  -      -      -        -    -        0      0
39   enet  100039     1500  -      -      -        -    -        0      0
42   enet  100042     1500  -      -      -        -    -        0      0
255  enet  100255     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
The full config is below.
CSW-LNX-2960-1#sh run
Building configuration...
Current configuration : 20156 bytes
!
! Last configuration change at 17:48:23 SUMMER Sun Mar 28 1993 by !admin!
!
version 15.0
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname CSW-LNX-2960-1
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 $1$L80Z$Ba1iCwlBSBme.NlVC9Tpd0
!
username !support! privilege 15 password 7 100F05100B0F532B4F
username !admin! privilege 15 password 7 030852051E1A324D0F295A41
no aaa new-model
clock timezone EST -5 0
clock summer-time SUMMER recurring
system mtu routing 1500
vtp mode transparent
udld aggressive
no ip source-route
ip routing
no ip gratuitous-arps
ip dhcp excluded-address 192.168.36.1 192.168.36.20
ip dhcp excluded-address 192.168.39.1 192.168.39.20
ip dhcp excluded-address 192.168.42.1 192.168.42.20
ip dhcp excluded-address 192.168.37.1 192.168.37.20
!
ip dhcp pool User_Vlan
network 192.168.36.0 255.255.255.0
default-router 192.168.36.1
dns-server 192.168.36.1
!
ip dhcp pool Wireless_Vlan
network 192.168.37.0 255.255.255.0
default-router 192.168.37.1
dns-server 192.168.36.1
!
ip dhcp pool Video_Vlan
network 192.168.42.0 255.255.255.0
default-router 192.168.42.1
dns-server 192.168.36.1
!
ip dhcp pool Phone_Vlan
network 192.168.39.0 255.255.255.0
default-router 192.168.39.1
dns-server 192.168.36.1
!
ip dhcp pool test
!
!
no ip domain-lookup
ip domain-name linx-usa.com
login block-for 10 attempts 3 within 30
login delay 1
login on-failure log
!
mls qos map policed-dscp 0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint TP-self-signed-1229112064
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1229112064
revocation-check none
rsakeypair TP-self-signed-1229112064
!
!
crypto pki certificate chain TP-self-signed-1229112064
certificate self-signed 01
quit
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery interval 90
auto qos srnd4
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 36
name User_Vlan
!
vlan 37
name Wireless_Vlan
!
vlan 39
name Phone_Vlan
!
vlan 42
name Video_Vlan
!
vlan 255
name Firewall_Vlan
!
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
police 128000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
police 32000 8000 exceed-action policed-dscp-transmit
class AUTOQOS_DEFAULT_CLASS
set dscp default
police 10000000 8000 exceed-action policed-dscp-transmit
!
!
!
!
!
!
interface Port-channel1
description ***Port-Channel to CSW-LNX-2960-2***
switchport mode trunk
!
interface GigabitEthernet0/1
description *** To Firewall Port 0/2 ***
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet0/2
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/3
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/4
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/5
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/6
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/7
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/8
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/9
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/10
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/11
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/12
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/13
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/14
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/15
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/16
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/17
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/18
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/19
description ***Data Port***
switchport access vlan 36
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/20
description ***Phone Port***
switchport access vlan 39
switchport mode access
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
storm-control broadcast level 10.50
storm-control action trap
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface GigabitEthernet0/21
description ***Phone Port***
switchport access vlan 39
switchport mode access
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
storm-control broadcast level 10.50
storm-control action trap
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface GigabitEthernet0/22
description ***Phone Port***
switchport access vlan 39
switchport mode access
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
storm-control broadcast level 10.50
storm-control action trap
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface GigabitEthernet0/23
description ***Phone Port***
switchport access vlan 39
switchport mode access
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
storm-control broadcast level 10.50
storm-control action trap
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface GigabitEthernet0/24
description ***Phone Port***
switchport access vlan 39
switchport mode access
srr-queue bandwidth share 1 30 35 5
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
storm-control broadcast level 10.50
storm-control action trap
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface GigabitEthernet0/25
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/26
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/27
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/28
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/29
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/30
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/31
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/32
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/33
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/34
description ***Wireless Port***
switchport access vlan 37
switchport mode access
mls qos trust dscp
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/35
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/36
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/37
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/38
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/39
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/40
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/41
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/42
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/43
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/44
description ***Video Port***
switchport access vlan 42
switchport mode access
storm-control broadcast level 10.50
storm-control action trap
spanning-tree portfast
!
interface GigabitEthernet0/45
description *** To CSW-LNX-2960-2 G0/45 ***
switchport mode trunk
mls qos trust dscp
channel-group 1 mode desirable
!
interface GigabitEthernet0/46
description *** To CSW-LNX-2960-2 G0/46 ***
switchport mode trunk
mls qos trust dscp
channel-group 1 mode desirable
!
interface GigabitEthernet0/47
description *** To CSW-LNX-2960-2 G0/47 ***
switchport mode trunk
mls qos trust dscp
channel-group 1 mode desirable
!
interface GigabitEthernet0/48
description *** To CSW-LNX-2960-2 G0/48 ***
switchport mode trunk
mls qos trust dscp
channel-group 1 mode desirable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan36
description *** User_Vlan ***
ip address 192.168.36.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan37
description *** Wireless_Vlan ***
ip address 192.168.37.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan39
description *** Phone_Vlan ***
ip address 192.168.39.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan42
description *** Wireless_Vlan ***
ip address 192.168.42.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan255
description *** Firewall_Vlan ***
ip address 192.168.255.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip default-gateway 192.168.255.1
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.36.1
!
ip access-list extended AUTOQOS-ACL-DEFAULT
permit ip any any
logging esm config
logging facility local6
banner exec ^CCCC
Device Name: CSW-LNX-2960-1
Company: Linx
Site: Wellesley
Address: 141 Linden Street
City: Wellesley, MA 02482
Switch: WS-C2960G-48TC-L
Serial Number: FOC1144Z784
^C
banner motd ^CCCC
* * * AUTHORIZED ACCESS ONLY * * *
Individuals using this system with or without proper authority
are subject to having all of their activities on this system
monitored and recorded. Anyone using this system expressly
consents to such monitoring and to all appropriate disclosure
of any evidence of violation of the Firm's rules including,
but not limited to, criminal activity.
* * * AUTHORIZED ACCESS ONLY * * *
^C
!
line con 0
login local
line vty 0 4
login local
length 0
transport input ssh
transport output ssh
line vty 5 15
login local
transport input ssh
transport output ssh
!
end
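As an added example that is not part of the thread, here is a small Python script that parses the "show int trunk" and "sh vlan" output posted above and reports, per trunk, which VLANs cross it tagged, which cross untagged because they are the native VLAN, and which are not carried at all (items 3a and 3b of the original question). The embedded strings are copied from that output, with the VLAN table trimmed to a few ports per VLAN.

```python
import re

# Sample strings copied from the `show int trunk` and `sh vlan` output posted above
# (the VLAN table is trimmed to a few ports per VLAN; IDs, names and states are the posted ones).
SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1-4094

Port        Vlans allowed and active in management domain
Po1         1,36-37,39,42,255

Port        Vlans in spanning tree forwarding state and not pruned
Po1         1,36-37,39,42,255
"""

SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/45
36   User_Vlan                        active    Gi0/2, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
37   Wireless_Vlan                    active    Gi0/25, Gi0/26, Gi0/27, Gi0/28
39   Phone_Vlan                       active    Gi0/20, Gi0/21, Gi0/22, Gi0/23
42   Video_Vlan                       active    Gi0/35, Gi0/36, Gi0/37, Gi0/38
255  Firewall_Vlan                    active    Gi0/1
1002 fddi-default                     act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,36-37,39,42,255' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if part in ("", "none"):
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_int_trunk(text):
    """Return {port: {...}} from 'show int trunk'; the VLAN lists are expanded to sets."""
    trunks, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # each 'Port ...' heading selects the section that follows
            head = " ".join(fields[1:])
            section = ("header" if "Mode" in head else
                       "active" if "allowed and active" in head else
                       "allowed" if "allowed on trunk" in head else "forwarding")
            continue
        entry = trunks.setdefault(fields[0], {})
        if section == "header":
            entry.update(mode=fields[1], encap=fields[2], status=fields[3], native=int(fields[4]))
        else:
            entry[section] = expand_vlan_list(fields[1])
    return trunks

def parse_show_vlan(text):
    """Return {vlan_id: (name, status)} from the first table of 'show vlan'."""
    vlans = {}
    for line in text.splitlines():
        if line.startswith("VLAN Type"):
            break  # the second table (Type/SAID/MTU) repeats the IDs with other columns
        m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            vlans[int(m.group(1))] = (m.group(2), m.group(3))
    return vlans

def trunk_report(trunk_text, vlan_text):
    """Per trunk: which active VLANs cross it tagged, which untagged (native), which not at all."""
    vlans = parse_show_vlan(vlan_text)
    report = {}
    for port, t in parse_show_int_trunk(trunk_text).items():
        tagged, untagged, missing = [], [], []
        for vid, (_name, status) in sorted(vlans.items()):
            if status != "active":
                continue  # act/unsup legacy VLANs (1002-1005) never carry traffic
            if vid not in t.get("forwarding", set()):
                missing.append(vid)
            elif vid == t["native"]:
                untagged.append(vid)  # native VLAN frames leave the trunk with no 802.1Q tag
            else:
                tagged.append(vid)
        report[port] = {"tagged": tagged, "untagged": untagged, "not_carried": missing,
                        # 1-4094 allowed means nothing is pruned: every VLAN on the switch,
                        # present or future, rides this trunk
                        "allowed_unrestricted": len(t.get("allowed", ())) == 4094}
    return report
```

trunk_report(SHOW_INT_TRUNK, SHOW_VLAN) reports Po1 carrying 36, 37, 39, 42 and 255 tagged and only VLAN 1 untagged, with the allowed list unrestricted; a firewall sub-interface per VLAN would see each of the tagged ones.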
Everything appears to be in good order; however, I do not know the current status of your network, as in whether everything is currently working. Are the two VLANs that you are looking to add among the VLANs listed in the output above? As for tagging VLANs, all current VLANs look to have a path of some sort, whether in access mode or trunk mode.
Can you tell me if you still need to add VLANs or if they're there currently?
Also, your trunk ports are all part of an etherchannel (Port-channel interface), where they're "bonded" to be seen as 1 logical path, and frames are load-balanced in some method across 4 different interfaces. According to the configuration, these ports, Gi0/45-48, are all connecting to a CSW-LNX-2960-2, which I assume is the other switch in your network.
ASKER
Hello Jordan,
Yes there is a second switch in the network.
What I need to do is ensure that the switches are passing the traffic properly so that my SonicWall firewall can see the traffic from the VLANs.
The only VLANs we have are the ones that are already built, but the problem I was having is that when I connected the firewall to the switch nothing worked properly. It looked like the traffic was not getting tagged properly for the firewall to see it coming out of the switch.
I set up sub-interfaces on the firewall for each VLAN according to the proper practices for VLANs, but only one VLAN worked. The 36.x seemed to be OK, but none of the others seemed to work properly.
So what I need to figure out is:
Do we have a proper trunk port set up? If so, which one is it? Could I remove port 2 from the 36.x VLAN and set that up as the trunk port passing the traffic, and have the VLANs properly tagged so that the SonicWall will see them? Right now I have to do most of this remotely. I can connect remotely and change the switches and the firewall. If I can change the trunk port then I do not need to be onsite.
Does that make sense?
Thanks very much.
I would make port 2 a trunk port with the following configuration...
interface GigabitEthernet0/1
description *** To Firewall Port 0/2 ***
switchport mode trunk
...then I would make sure that the devices on your network are using the firewall as their gateways. Trying to make this 2960 switch perform inter-VLAN routing, I just don't see the need for it when you have a device that will provide that functionality, as well as a point of access control.
ASKER
Thank you. I will see about trying that.
Can you tell me if the switch is set to tag the VLANs properly?
Also, if I change port 2 to the trunking port, will I need to alter IP settings for the firewall? Right now port 2 from the switch is connected to the LAN port on the firewall, which is 192.168.36.1 on the firewall side. Would this need to be different?
The VLANs are all allowed across the trunk links, as is default. There should be no need to do anything past configuring port 2 as a trunk port.
As for the firewall, you'll need to configure an IP address on each VLAN sub-interface on the SonicWall device.
Alternatively, based on your current configuration, you can leave the switch alone entirely, change the firewall to have IP address 192.168.255.1/24 on the LAN interface, with no sub-interfaces or VLAN configurations, and connect it to port 2 on the switch. You will need to add routes for the rest of your LAN subnets on the firewall, though, so that it knows how to get to each. You may also need to modify your NAT configurations on the SonicWall to allow the rest of the subnets to be NAT'd.
ASKER
Hi Jordan,
I have routes right now and it is causing issues. We have to reboot the firewall every day to "clear" it out. Performance suffers greatly in about 18 - 24 hours. A reboot clears it up and it works fine for a short time.
Can you tell from the details I sent that I have the proper VLAN IDs? To me it looks like they should be 37, 39 and 42. The SonicWall only allows 4 characters in the VLAN TAG window.
Are these the proper details I should be looking at, where VLAN 1,36,37,39,42 are the IDs that are tagged?
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/45
36   User_Vlan                        active    Gi0/2, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/19
37   Wireless_Vlan                    active    Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34
39   Phone_Vlan                       active    Gi0/20, Gi0/21, Gi0/22, Gi0/23
                                                Gi0/24
42   Video_Vlan                       active    Gi0/35, Gi0/36, Gi0/37, Gi0/38
                                                Gi0/39, Gi0/40, Gi0/41, Gi0/42
                                                Gi0/43, Gi0/44
That seems to be right. Why do you have to reboot your FW to "clear it out"? Are you running in DEBUG mode or have logging turned all the way up? You might want to check that as well.
That does look accurate. You should have VLANs 1,36-37,39,42 configured on your firewall, with IP addresses as the gateways, and just configure port 2 as a trunk port, as posted above. Make sure to remove the IP addresses from the SVI interfaces ("interface vlan xx") so that there is no conflict, and that the switch is no longer acting as the gateway.
ASKER
Interesting idea about debugging mode and logging. I don't think so, but I will check.
It was pretty much a default build that we had to change very little on.
I Don't know yet why we need to reboot it. But that solves the problem and restores performance.
ASKER
Hi Jordan,
I want to be sure, where do I remove IP addresses from the SVI? Sorry if this is a basic question, I just need to resolve this.
Thanks Again.
You would remove as such...
Just make sure to do this during off hours, as well ensure that those IP addresses get configured on your firewall, and allow traffic on those segments to pass to others unimpeded if necessary, on your firewall as well. This is not something to do during production hours.
interface vlan 36
no ip address
interface vlan 37
no ip address
interface vlan 39
no ip address
interface vlan 42
no ip address
ASKER
Thank you very much.
We are doing this during a "maintenance" window today.
So to sum up here for the switch:
copy running-config flash:/backup.cfg
interface vlan 36
no ip address
interface vlan 37
no ip address
interface vlan 39
no ip address
interface vlan 42
no ip address
interface GigabitEthernet0/1
description *** To Firewall Port 0/2 ***
switchport mode trunk
In looking at the trunk port setting, should that be GigabitEthernet0/2 and not 0/1?
Does that look right?
The VLANs look correct, however I am confused. I was under the impression that Gi0/2 was connecting to your firewall. However, the trunk configuration is correct for whichever port is to connect to your firewall.
ASKER CERTIFIED SOLUTION
Take the number of people who contributed and divide by 500 :)
a. Set terminal 0 (this will prevent breaks for the following command)
b. Show run - this will output the entire config of the switch.
exit and you have a backup of your switch.
2. To restore, just cut and paste the backup (previous step) into the switch.
3. Tricky question, for that you will have to post config and see if there is anything odd.
4. Commands required:
conf t
Interface (fa/gi) (1/1 or 1/0/1) ex: int gi1/0/1
switchport trunk encapsulation dot1q ** This allows the port to become a trunk
switchport mode trunk *** sets the port to trunk
switchport trunk allowed vlan (whatever VLAN's you have or want to pass, put here)
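Pulling the thread's steps together, here is an added end-to-end example for the switch side of the cut-over (this is not config posted by any participant above): back up, hand the VLAN gateway addresses to the firewall, trunk the firewall-facing port, and verify. It assumes the firewall hangs off Gi0/2 (the port Jordan expected), that VLANs 36, 37, 39 and 42 already exist as shown in the show vlan brief output, and that the switch keeps a management address of 192.168.255.2/24 in VLAN 1 with the firewall's 192.168.255.1 as its gateway; that management address and the backup.cfg filename are hypothetical. Two caveats a practitioner would want: a Catalyst 2960 supports only 802.1Q, so the switchport trunk encapsulation dot1q line from the earlier answer is not accepted on this platform and is left out, and if you strip the address from every SVI you lose remote management of the switch, so one management SVI stays.

```cisco
! Added example, not the thread's own config. Hypothetical: Gi0/2 faces the
! firewall, management stays on VLAN 1 at 192.168.255.2/24, gateway 192.168.255.1.
!
! 1. Capture and save a backup. "terminal length 0" turns off paging so the
!    whole "show running-config" lands in the terminal emulator's log file.
terminal length 0
show running-config
copy running-config flash:/backup.cfg
copy running-config startup-config
!
! 2. Hand the VLAN gateways to the firewall. Remove the addresses from the
!    SVIs and shut them so the switch no longer answers for those subnets.
configure terminal
 interface vlan 36
  no ip address
  shutdown
 interface vlan 37
  no ip address
  shutdown
 interface vlan 39
  no ip address
  shutdown
 interface vlan 42
  no ip address
  shutdown
!
! 3. Keep one management SVI so the switch stays reachable after the change.
!    "ip default-gateway" applies when ip routing is off; if "show running-config
!    | include ip routing" shows routing enabled on this switch, use
!    "ip route 0.0.0.0 0.0.0.0 192.168.255.1" instead.
 interface vlan 1
  ip address 192.168.255.2 255.255.255.0
  no shutdown
 ip default-gateway 192.168.255.1
!
! 4. Trunk the firewall-facing port. The 2960 is 802.1Q-only, so there is no
!    "switchport trunk encapsulation" command here. Restrict the trunk to the
!    VLANs the firewall terminates, and disable DTP so the port is a trunk by
!    configuration rather than by negotiation with whatever gets plugged in.
!    VLAN 1 stays native (untagged) to match the firewall's untagged LAN
!    address; the SonicWall sub-interfaces carry tags 36, 37, 39 and 42.
 interface GigabitEthernet0/2
  description *** To Firewall ***
  switchport mode trunk
  switchport nonegotiate
  switchport trunk native vlan 1
  switchport trunk allowed vlan 1,36,37,39,42
  no shutdown
 end
!
! 5. Verify before saving. "show interfaces trunk" should list Gi0/2 with
!    Mode "on", Encapsulation "802.1q", Native vlan 1, and 1,36,37,39,42 under
!    "Vlans allowed and active in management domain". Gi0/2 should no longer
!    appear as an access port under VLAN 36 in "show vlan brief", and
!    "show ip interface brief" should show an address on Vlan1 only.
show interfaces trunk
show interfaces GigabitEthernet0/2 switchport
show vlan brief
show ip interface brief
write memory
```

Do the firewall side first (VLAN sub-interfaces with the old SVI addresses as gateways, plus the inter-VLAN rules), then the switch, within the maintenance window as already agreed above, and keep a console cable handy in case the management SVI change cuts you off. Once the cut-over is stable, the usual hardening step is to move the native VLAN on this trunk to a dedicated unused VLAN and change the firewall's untagged LAN interface to match; it is left on VLAN 1 here only to keep the example consistent with the addressing already discussed in the thread.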