Unable to have multiple VLANs up on the same Cisco switch and wanting to telnet via 2 ports not all of them

Hello,

I am new to configuring Cisco switches.  Here is the config I have created:

en
config t
hostname GEMSWI0000
en secret testing
!
line con 0
password testing
login
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
no shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
no shut
!
int fa0/1
switch access vlan 217
!
int fa0/2
switch access vlan 217
!
int fa0/3
switch access vlan 217
!
int fa0/4
switch access vlan 217
!
int fa0/5
switch access vlan 217
!
int fa0/6
switch access vlan 217
!
int fa0/7
switch access vlan 217
!
int fa0/8
switch access vlan 217
!
int fa0/9
switch access vlan 217
!
int fa0/10
switch access vlan 217
!
int fa0/11
switch access vlan 217
!
int fa0/12
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
switch access vlan 217
no shut
!
int fa0/13
switch access vlan 128
!
int fa0/14
switch access vlan 128
!
int fa0/15
switch access vlan 128
!
int fa0/16
switch access vlan 128
!
int fa0/17
switch access vlan 128
!
int fa0/18
switch access vlan 128
!
int fa0/19
switch access vlan 128
!
int fa0/20
switch access vlan 128
!
int fa0/21
switch access vlan 128
!
int fa0/22
switch access vlan 128
!
int fa0/23
switch access vlan 128
!
int fa0/24
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
switch access vlan 128
no shut
exit
!
line vty 0 15
password testing
login


As soon as I input this config, both VLAN 1 and VLAN 128 are administratively shut down.  If I enable VLAN 128, then VLAN 217 is listed as administratively shut down.

Also, I want to be able to telnet via port 12 and 24 only.  Currently, I am able to telnet via any port of a VLAN that is up.

Please advise.

Have a great weekend,

Don
GEMCCAsked:
corey_jonesCommented:
your ports are in access mode and vlan1 needs to be labeled as the native vlan
markc56Commented:
Restrict telnet with an access list.
GEMCCAuthor Commented:
Hello,

I understand VLAN1 is the default VLAN.  I need to name it "native"?
I understand the ports are in access mode, but I cannot figure out how to get the ports assigned to the VLANs otherwise.

Why are any of the VLANs being shutdown?

Please advise.

Don
corey_jonesCommented:
OK, now I see. VLAN 1 is shut down because all your ports are in access mode and are assigned a VLAN.
Don JohnstonInstructorCommented:
I'm guessing that this is a layer-2 switch?

On Layer-2 switches, only one SVI (VLAN interface) can be up.  When you "no shut" an SVI that is shutdown, whatever SVI that is up will automatically shut down.
GEMCCAuthor Commented:
Yes this is a layer-2 switch, Cisco 2950.  If I were to create 1 VLAN and then leave the other ports on VLAN1, would both the VLAN I created plus VLAN1 be up at the same time?
corey_jonesCommented:
Also, what is the switch model #?
corey_jonesCommented:
OK, I concur with Don's comment.
GEMCCAuthor Commented:
It is a WS-2950-24.  If that is the case, then what is the point in having the ability to create multiple VLANs on a Layer-2 switch?
Don JohnstonInstructorCommented:
I think you're confusing VLANs with SVIs.

VLANs are layer-2 and allow segregating traffic.
SVIs are layer-3 and are used for management of the switch only.

If you need to manage the switch from a different network (VLAN), then the traffic will have to be routed through a router or layer-3 switch.
GEMCCAuthor Commented:
OK, so what I think you are saying is that I can have multiple VLANs on this switch, just one of them will be able to manage the switch, correct?

Is someone able to edit my config so it fits what I am attempting to do so I can learn from it?

Have a great weekend,

Don
Bryant SchaperCommented:
Let me weigh in on this. If I understand correctly, you want a switch (a 2950) that has multiple VLANs, and you want to manage it from those VLANs directly, i.e. by connecting to the IP on VLAN 1 or VLAN 2.

This is totally possible; take a look below.  You need to assign IP addresses on each VLAN, then set your access and trunk ports.  You will not be able to access a device from VLAN 1 on VLAN 2 without a router or layer-3 switch.

As far as limiting access, you would use an ACL, better yet a 3rd vlan for management.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PHXSW01
!
boot-start-marker
boot-end-marker
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Cubicle1
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description side cashier
 switchport mode trunk
 switchport nonegotiate
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 description Server Room Printer
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 description Receipt Printer 1
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport mode access
 switchport voice vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 description Uplink Router
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description Uplink PHXSW02
 switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 10.100.1.5 255.255.255.0
!
interface Vlan2
 ip address 10.100.2.5 255.255.255.0
!
interface Vlan3
 ip address 10.100.3.5 255.255.255.0
!
interface Vlan4
 ip address 10.100.4.5 255.255.255.0
!
ip default-gateway 10.100.1.1
ip http server
ip http secure-server
!
line con 0
line vty 0 4
 privilege level 15
 login local
 length 0
 transport input all
line vty 5 15
 privilege level 15
 login local
 transport input all
!
end
Don JohnstonInstructorCommented:
OK, so what I think you are saying is that I can have multiple VLANs on this switch, just one of them will be able to manage the switch, correct?
Correct.
Is someone able to edit my config so it fits what I am attempting to do so I can learn from it?
No. Telnet access to the switch can't be limited by physical port number.  Only IP address.  Although you could configure the switch to be managed from a VLAN that is only assigned to one port. Not sure if that would meet your requirements.
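The two controls mentioned in this thread (an ACL on the vty lines, and a management VLAN that exists on only a couple of physical ports), written out for the OP's switch as an added example. This is not configuration from the thread; it takes the VLAN 999 management network from the OP's second post, widens it from a /30 to a /29 so that two management laptops fit (192.168.255.248/29, switch .254, laptops .249 and .250 are all assumptions), and moves fa0/12 and fa0/24, the two ports the OP wanted to manage from, into VLAN 999, which means those ports no longer carry VLAN 217 or VLAN 128 user traffic. Two caveats a practitioner would want: the 2950 keeps only one SVI up, so VLAN 999 must be that SVI and the other SVIs are left shut down on purpose; and `switchport port-security maximum` / `sticky` / `violation` have no effect until `switchport port-security` itself is enabled on the port, which the OP's posted configs never do.

```cisco
! Added example, not the thread's config. Assumes VLAN 999 = 192.168.255.248/29
! (switch .254, management laptops .249 and .250) and that fa0/12 and fa0/24
! are the only two ports that should ever reach the management plane.
service password-encryption
enable secret Pa55w0rd
no ip http server
no ip http secure-server
!
vlan 999
 name GEM-Admin
!
! Only one SVI can be up on a 2950, so it is the management one. The others are
! shut deliberately; VLANs 128 and 217 still switch traffic with their SVIs down.
interface Vlan1
 shutdown
interface Vlan128
 shutdown
interface Vlan217
 shutdown
interface Vlan999
 ip address 192.168.255.254 255.255.255.248
 no shutdown
!
! First layer: only hosts plugged into these two ports land in VLAN 999, and
! port security pins each port to the first MAC it learns. Every other port
! stays in VLAN 128/217 and has no layer-3 path to the switch at all.
interface range FastEthernet0/12 , FastEthernet0/24
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Second layer: even inside VLAN 999, only the two named addresses may open a vty.
access-list 10 remark management hosts only
access-list 10 permit 192.168.255.249
access-list 10 permit 192.168.255.250
access-list 10 deny any log
!
line vty 0 15
 access-class 10 in
 password Pa55w0rd
 login
 exec-timeout 10 0
 transport input ssh
```

`transport input ssh` only works on a 2950 running a cryptographic (k9) image, and only after `ip domain-name` has been set and `crypto key generate rsa` has been run; on a non-crypto image use `transport input telnet` and accept that the `access-class` is the only control on who can reach the vty. Apply the vty section from the console, not over telnet, so a mistake in the ACL cannot lock you out. No `ip default-gateway` is needed while the management hosts sit on the same /29 as the SVI; if they are ever moved behind a router, add it and extend the ACL to the routed source addresses.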
Don JohnstonInstructorCommented:
Hey guys... Please use the "code" feature when posting configs.
Don JohnstonInstructorCommented:
This is totally possible, take a look below.  You need to assign IP addresses on each vlan,
No, it's not.  A 2950 will only have one SVI (VLAN interface) active at any time. So while you can assign IP addresses to as many VLAN interfaces you want, only one of those interfaces will be up at any time.
Bryant SchaperCommented:
It is possible. I do it all the time, and have been doing this for the past 15 years on 2950s.  This same thing has been told to me many times, but trust me, it works.

All my switches have VLAN interfaces on 4 to 5 VLANs, and I can SSH to any of those 4 or 5 IP addresses.

I can SSH to 10.100.1.5, 10.100.2.5, 10.100.3.5 and 10.100.4.5, for example, on this switch.
Don JohnstonInstructorCommented:
On a 2950, when you "no shut" an SVI, any other SVIs will automatically shut down.

If you've got a 2950 with multiple SVIs in the UP/UP state, I'd love to see the output of a "show ip int brief" for that switch.
GEMCCAuthor Commented:
Hi Guys,

OK, I made a few (very few) changes per the discussion.  Please see the attached code.

I see there is a debate as to whether I can have a port on each VLAN for telnetting.  What is the final decision?  If it is possible, I would like to have this feature.

Also, when I run sh run, all of the VLAN are shutdown with exception of the last one (999).  I have to do a no shut to enable a VLAN, but then the one that was up becomes down.  While VLAN999 is up, I can move over to VLAN217 for example with one laptop and ping 192.168.217.254, but another laptop will not ping the address.  The laptop that can ping is a year old while the one that is not able to ping either the VLAN IP address or the other laptop's IP address is 6-8 years old.

en
!
config t
hostname GEMSWI0000
en secret Pa55w0rd
!
line con 0
password Pa55w0rd
login
!
line vty 0 15
password Pa55w0rd
login
!
!
vlan 128
name Office
int vlan128
ip address 192.168.128.254 255.255.255.0
no shut
!
vlan 217
name GEM
int vlan217
ip address 192.168.217.254 255.255.255.0
no shut
!
vlan 999
name GEM-Admin
int vlan999
ip address 192.168.255.254 255.255.255.252
no shut
!
!
int fa0/1
switch access vlan 217
!
int fa0/2
switch access vlan 217
!
int fa0/3
switch access vlan 217
!
int fa0/4
switch access vlan 217
!
int fa0/5
switch access vlan 217
!
int fa0/6
switch access vlan 217
!
int fa0/7
switch access vlan 217
!
int fa0/8
switch access vlan 217
!
int fa0/9
switch access vlan 217
!
int fa0/10
switch access vlan 217
!
int fa0/11
switch access vlan 217
!
int fa0/12
switch access vlan 217
!
!
int fa0/13
switch access vlan 128
!
int fa0/14
switch access vlan 128
!
int fa0/15
switch access vlan 128
!
int fa0/16
switch access vlan 128
!
int fa0/17
switch access vlan 128
!
int fa0/18
switch access vlan 128
!
int fa0/19
switch access vlan 128
!
int fa0/20
switch access vlan 128
!
int fa0/21
switch access vlan 128
!
int fa0/22
switch access vlan 128
!
int fa0/23
switch access vlan 128
!
int fa0/24
switchport mode access
switchport port-security max 4
switchport port-security mac-address sticky
switchport port-security violation shutdown
switch access vlan 999
no shut
!
!
exit

Please advise.  I feel like I am real close to get this done.

Thanks for your help,

Don
Don JohnstonInstructorCommented:
I see there is a debate as to whether I can have a port on each VLAN for telnetting.
I don't think there is any debate on that.  I believe the debate is on whether you can have multiple SVIs active simultaneously.

If you want to be able to telnet from multiple VLANs to the switch, you just need a router or multi-layer switch to route the traffic from the non-management VLAN.

While VLAN999 is up, I can move over to VLAN217 for example with one laptop and ping 192.168.217.254, but another laptop will not ping the address.
You're saying that you can ping the IP address assigned to the VLAN interface which is down?  Are there any other devices that could also have that address?
GEMCCAuthor Commented:
OK, put the SVI issue to the side.  It is merely a "bonus" if I/we can get it working.  My biggest issue is getting all of the VLANs up at the same time.

Please drop the SVI issue for now.

Please advise.

Thanks,

Don
Don JohnstonInstructorCommented:
Please drop the SVI issue for now.
My biggest issue is getting all of the VLANs up at the same time.
Sorry.  Your prior post mentioned "shut" and "shutdown" with respect to VLANs.  VLANs can't be shut down.  Only SVIs can.  So I assumed you were referring to SVIs.

Why do you think all the VLANs are not "up"? If you issue a "show vlan", the third column should be "Status".  Do you not see "active" for each VLAN?
GEMCCAuthor Commented:
Yes I do , but when I run sh run, it shows all but one VLAN shutdown.

Please advise.
Don JohnstonInstructorCommented:
Once again.  You are referring to the SVIs (VLAN interfaces).  Which you said to drop.

So I really don't know what to do.
GEMCCAuthor Commented:
As mentioned in the first post, I am new to configuring Cisco switches.  The only thing I know anything about are VLANs.  I have not heard of SVIs so I do not know what they are and how they relate to VLANs.

Please advise.
Don JohnstonInstructorCommented:
As mentioned in the first post, I am new to configuring Cisco switches.  The only thing I know anything about are VLANs.  I have not heard of SVIs so I do not know what they are and how they relate to VLANs.

VLANs are layer-2 and allow segregating traffic.
SVIs are layer-3 and are used for management of the switch only.
On a 2950, only one SVI can be up at any one time.
You can have about 4,000 VLANs active, though.

If you need to manage the switch from a different network (VLAN), then the traffic will have to be routed through a router or layer-3 switch.

What is the question (or problem)?
Don JohnstonInstructorCommented:
Let me try this.

Below is a snippet of the config of a 2950.  

 1  hostname P1SW
 2  !
 3  vtp domain Pod1
 4  vtp mode transparent
 5  !
 6  spanning-tree mode rapid-pvst
 7  !
 8  spanning-tree vlan 2 priority 24576
 9  !
10  vlan 2
11   name Test2
12  vlan 3
13   name Test3
14  !
15  interface FastEthernet0/1
16   description To PC1
17   switchport access vlan 2
18   switchport mode access
19  !
20  interface FastEthernet0/2
21   description To PC2
22   switchport access vlan 2
23   switchport mode access
24  !
25  interface Vlan1
26   ip address 10.1.1.113 255.255.255.0
27  !
28  interface Vlan2
29   ip address 10.2.1.113 255.255.255.0
30   shutdown
31  !
32  interface Vlan3
33   ip address 10.3.1.113 255.255.255.0
34   shutdown
35  !
36  ip default-gateway 10.1.1.112
37  !
38  end

Lines 10-13 are the actual VLANs.  If your switch is in VTP Server mode, you won't see these lines.  The only way to see what VLANs have been defined in that case is with the "show vlan" command.  

But these two VLANs (three if you count VLAN 1) can have physical ports that are members of those VLANs.  This membership can be seen on lines 17 and 22.  Here, ports F0/1 and F0/2 are both members of VLAN 2.  This means that if you're a PC connected to F0/1 (Let's call it PC1), you can talk to a PC connected to F0/2 (PC2).

Farther down on lines 25-34 are the Switch Virtual Interfaces (SVIs). We have to create these three (interface VLAN 1, interface VLAN 2 and interface VLAN 3) SVIs separately (in addition to) creating the VLANs. Creating the VLANs does not create the SVIs.  The SVIs are only used to manage the switch. As in telnet to the switch so you can look at statistics, configure the switch, etc.

You'll notice that the VLAN 2 SVI is currently "shutdown".  This has no effect on the PCs connected to F0/1 and F0/2.  PC1 and PC2 can talk to each other all day long.  VLAN 2 is active and completely functional.  But you will not be able to ping or telnet to the switch.  Because the VLAN 2 interface is shutdown.

Now we can do a "no shutdown" to the VLAN 2 interface.  The only change in the config will be:

interface Vlan1
 ip address 10.1.1.113 255.255.255.0
 shutdown
!
interface Vlan2
 ip address 10.2.1.113 255.255.255.0

Notice how doing a "no shutdown" on interface VLAN 2 automatically shuts down the VLAN 1 SVI.
Now PC1 and PC2 can both ping and telnet to the switch (once again, this would be so they could manage the switch).  And, of course, PC1 and PC2 can still talk to each other.

If we have devices connected to ports that are members of VLAN 3, they will be able to talk to each other (as they were always able to do).  But they will not be able to manage the switch because the VLAN 3 SVI is shutdown.

GEMCCAuthor Commented:
Thank you