Cisco VLAN / Trunking

CraggyIslander

Hope somebody here can help me, I've been asked to set up a managed services offices and need to create VLANs on a cisco 3560 24 port switch (1 Trunk to a Juniper Firewall and up to 23 vlans to provide customers with their own separate networks. Each VLAN will connect to a smaller switch providing the port capacity.

Following Cisco's documentation I have created the trunkport on port 1 and switch and firewall are accessible (both use default vlan id 1).

When I create a second VLAN and assign a port to it (again following cisco documentation) I lose all connectivity on that port, With a laptop connected the switch's main ip is inaccessible and the route to the firewall doesnt exist either.

I'm probably missing something simple, the running config of the switch is below:

Switch#show running-config
Building configuration...

Current configuration : 1833 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret <mysecret>
enable password <noneya>
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name vlan0002
!
vlan 3
name vlan0003
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address 192.168.23.251 255.255.255.0
!
interface Vlan2
no ip address
!
ip default-gateway 192.168.23.254
ip classless
ip http server
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
password <noneya>
login
line vty 5 15
password <noneya>
login
!
end

Switch#

FusionNet

My business partner is Cisco trained and may be able to help. Ill ask him to have a look at your post and see if he can give you a pointer. We're very busy at the minute so it may be Monday evening, that ok?

accensi0n

For each of the VLAN's to get off of their own network they will need to have a logical layer 3 interface.

You can configure Switch Virtual Interface's for each VLAN.
For each host in a VLAN, you would set their default gateway as the IP address of the VLAN's SVI.

This would then mean that each of the VLAN's could communicate with each other as well as getting out to the Internet etc. So, you would then have to create access lists to block traffic between the VLAN's.

With this setup, you would have a load of networks and a load of access lists.


I think using PVLAN's might be a good idea.

3560's support Private VLAN's (PVLAN's).

PVLAN's allow you to use a single IP network for multiple VLAN's so it makes management easier. You create a primary VLAN and then all the secondary VLAN's you require (23 in your case). No traffic will pass between the customer VLAN's and they can all reach the firewall IP for their default gateway.

CraggyIslander

thanks guys, any pointers you can give me are greatly appreciated. I wont be back on site until tomorrow morning and will have a crack at th PVLAN. Presume I can leave the default VLAN1 as the primary vlan and also leave port1 as the trunk.

NullZer0

Heres a basic tutorial on Inter-VLAN routing that I posted on the Cisco Website about 2 years ago (had forgotten about this):
https://learningnetwork.cisco.com/docs/DOC-2935

CraggyIslander

Thanks iRock, but I wanted to do opposite of inter VLAN routing as it's a hosted environment with multiple customers and providing each with their own private network, yet sharing the internet connection.

Took a while to get my head around the private VLANs, but that seems to be doing the trick so far trying to re-use VLAN1 was a BAD idea tho

Many thanks to accensi0n for pointing me in right direction

msg11

Here are some configs I have running for vlans and intervlan routing

Switch 1 wrote:

C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)
Compiled Mon 22-Jul-02 18:57 by miwang
Cisco WS-C2950-24 (RC32300) processor (revision C0) with 21039K bytes of memory.
2950-24 starting...
Base ethernet MAC Address: 000A.F3D0.51B8
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 1 files, 0 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 64016384
flashfs[0]: Bytes used: 3058048
flashfs[0]: Bytes available: 60958336
flashfs[0]: flashfs fsck took 1 seconds.
...done Initializing Flash.

Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4


Loading "flash:/c2950-i6q4l2-mz.121-22.EA4.bin"...
######################### [OK]
Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706



Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba

Cisco WS-C2950-24 (RC32300) processor (revision C0) with 21039K bytes of memory.
Processor board ID FHK0610Z0WC
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

63488K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 000A.F3D0.51B8
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC061004SZ
Power supply serial number: DAB0609127D
Model revision number: C0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FHK0610Z0WC

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba

Press RETURN to get started!


%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
%LINK-5-CHANGED: Interface Vlan99, changed state to up
%SYS-5-CONFIG_I: Configured from console by console
%LINK-5-CHANGED: Interface Vlan99, changed state to down
%LINK-5-CHANGED: Interface Vlan99, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/11, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/6, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/22, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up

User Access Verification

Password:
Password:

S2>en
Password:
S2#show run
Building configuration...

Current configuration : 1688 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S2
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
no ip domain-lookup
!
!
interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet0/2
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk native vlan 99
switchport mode trunk
!
interface FastEthernet0/5
switchport access vlan 50
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 40
switchport mode access
!
interface FastEthernet0/24
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 172.17.99.12 255.255.255.0
!
ip default-gateway 172.17.99.1
!
!
line con 0
password cisco
login
!
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end

Router 1 wrote:

R1#show run
Building configuration...

Current configuration : 1089 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 172.17.1.1 255.255.255.0
!
interface FastEthernet0/1.5
encapsulation dot1Q 50
ip address 172.17.50.1 255.255.255.0
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 172.17.10.1 255.255.255.0
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 172.17.20.1 255.255.255.0
!
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 172.17.30.1 255.255.255.0
!
interface FastEthernet0/1.40
encapsulation dot1Q 40
ip address 172.17.40.1 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
!
!
!
!
!
!
!
line con 0
password class
login
line vty 0 4
login
!
!
!
end

accensi0n

Looks like he's gone with PVLAN's msg11.

Also, he has a 3560 which is a multilayer switch so no need for the horrible bottleneck that is router on a stick.

msg11

accensi0n wrote: »

Looks like he's gone with PVLAN's msg11.

Also, he has a 3560 which is a multilayer switch so no need for the horrible bottleneck that is router on a stick.

I just quickly read over the question, sure it might be usefull for someone on the site.

On a side note, just looking over the Config for the Private Vlan(Cisco.Com). I don't think that topic is covered in the CCNA(at leased I cannot remember it), Suppose it is only Switching Basics.

accensi0n

msg11 wrote: »

I just quickly read over the question, sure it might be usefull for someone on the site.

On a side note, just looking over the Config for the Private Vlan(Cisco.Com). I don't think that topic is covered in the CCNA(at leased I cannot remember it), Suppose it is only Switching Basics.

Your right, it's not.

It's covered in the CCNP switching exam though.

Dardania

accensi0n wrote: »

Your right, it's not.

It's covered in the CCNP switching exam though.

I know I'm coming at the fromn the persepctive of someone that's only doing the CCNA at the moment, but is PVLANs not just VLANs, with some access control lists to keep everyone segregated away from each other?

doohan

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 2,3 (and however many more you want to add)
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode encapsulation dot1q-tunnel
!
interface GigabitEthernet0/3
switchport access vlan 3
switchport mode encapsulation dot1q-tunnel