 altu
join:2005-12-18 Beverly Hills, CA
| [Config] Secondary VLAN issue
Hello,
I would like to know how to setup a secondary VLAN on a 3560.
My setup is as follows:
Internet
   |
Cisco 501 PIX
   |
Cisco 3560 ------ Cisco 2950
                     |
                 Application
The 3560 is trunked with the 2950, the latter being the server and the former the client.
In order to setup the secondary VLAN on the port that is connected with the PIX, I need to set both of the switches to transparent. Then, what is it that I need to do?
Clients connected to the 3560 are able to browse the internet, all of them on VLAN1. Clients on the 2950 which are on VLAN1 are also able to browse. The clients on the other VLAN, VLAN20, are not.
PIX Internal IP: 192.168.0.254
App. PC IPs: 192.168.0.100 & 10.27.22.100
3560:
Current configuration : 4627 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXXXXX
!
no logging console
enable secret 5 XXXXXXX
!
no aaa new-model
ip subnet-zero
ip routing
!
no ip igmp snooping vlan 1
ip igmp snooping vlan 20 immediate-leave
!
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
...
interface FastEthernet0/38
 description Interface to PIX
 switchport mode access
 spanning-tree portfast
!
...
interface FastEthernet0/48
 description Trunk with 2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 192.168.0.250 255.255.255.0
!
interface Vlan20
 ip address 10.27.22.250 255.255.0.0
!
ip classless
ip http server
!
control-plane
!
line con 0
line vty 0 4
 password XXXXXX
 login
line vty 5 15
 no login
!
end
2950:
Current configuration : 3141 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXX
!
no logging console
enable secret 5 XXXXXXX
!
ip subnet-zero
no ip igmp snooping vlan 1
ip igmp snooping vlan 20 mrouter interface Gi0/2
ip igmp snooping vlan 20 immediate-leave
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
...
interface FastEthernet0/16
 description Trunk to 3560
 switchport trunk allowed vlan 1,20
 switchport mode trunk
 no ip address
!
...
interface GigabitEthernet0/1
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface Vlan1
 ip address 192.168.0.252 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan10
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan20
 ip address 10.27.22.252 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.27.22.100
ip http server
!
line con 0
line vty 0 4
 password 7 XXXXXXXXX
 login
line vty 5 15
 password 7 XXXXXXXXX
 login
!
end
Any and all help would be appreciated. |
|
 aryoba Premium,MVM join:2002-08-22 | Can you post both "show vlan" and "show vtp status" of both switches? |
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu 3560#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47, Gi0/1
                                                Gi0/2, Gi0/3, Gi0/4
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

3560#sh vtp stat
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : XXXXX
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xE9 0x96 0xBF 0x95 0xF4 0x09 0xBC 0x1E
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
2950#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
20   VLAN0020                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Gi0/1
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

2950#sh vtp stat
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 250
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : XXXXX
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x29 0x1E 0xE0 0x06 0x3A 0xB4 0x16 0x2E
Configuration last modified by 10.27.22.252 at 0-0-00 00:00:00
Local updater ID is 10.27.22.252 on interface Vl20 (lowest numbered VLAN interface found) |
|
 vipergg
join:2003-12-17
| reply to altu First of all, you can only have 1 SVI on the 2950 active at a time; this address is to manage the switch only, so you need to determine which VLAN you want the 2950 managed in, VLAN 1 or VLAN 20. If you use VLAN 20 like you currently have on the 2950, then the default gateway would point to the 3560 interface for VLAN 20 (10.27.22.250). Then I think the only other thing you would need is to put in a default static route on the 3560 pointing towards the PIX address (ip route 0.0.0.0 0.0.0.0 192.168.0.254). The other recommendation would be to let the 3560 be the VTP server and the 2950 the client. |
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu VLAN1 is being used for management.
The default gateway for the 2950 is the application server on 10.27.22.100. The application server has also another network card 192.168.0.100 and does routing in between the two networks.
I wanted the secondary vlan on the port that connects to the PIX. Is that possible?
Thanks again. |
|
 aryoba Premium,MVM join:2002-08-22
edit: December 19th, @09:26AM
| 1. Comment on "I need to set both of the switches to transparent"
In a switch environment (read: VTP Domain), there MUST be one AND only one switch acting as VTP Server to handle the switch management (i.e. VLAN and trunking info). Other switches must be in either VTP client or transparent mode. If your network only consists of two switches, one of them must be the VTP Server. You CANNOT set both switches as transparent.
2. VTP Server, Client, and Transparent assignment
If I were you, I would set the 3560 to be the VTP Server and the 2950 to be the VTP client or transparent. Since the 3560 is handling the inter-VLAN routing, it makes sense at the same time to be the VTP Server.
3. VLAN Management
DO NOT use VLAN 1 for user data since VLAN 1 is reserved for switch management. Set up a new VLAN for users on the 3560 switch (i.e. VLAN 10) and a new VLAN for the PIX Firewall (i.e. VLAN 2).
4. VTP Domain name
Since both switches are to be in the same VTP Domain, both switches must have the same VTP Domain name. Otherwise VLAN and trunking info (among other things) are not known on both switches.
5. Subnet separations
The PIX inside (internal) interface subnet should be different from the subnet of the 3560 users. As illustrated previously, VLAN 2 could belong to the PIX and VLAN 10 could belong to the 3560 users.
6. 2950 Default Gateway
The 2950 default gateway should be the 3560 interface VLAN 20 IP address since (again) the 3560 is handling the inter-VLAN routing.
7. The "spanning-tree portfast" command usage
The "spanning-tree portfast" command should be applied on ports only when those ports go to COMPUTERS ONLY. When such ports go to a different device other than computers (i.e. firewall or router), there should be no "spanning-tree portfast" command applied.
8. The Application Box that acts as a router
Since basically there are at least two routers in your network (the 3560 and the application box), there should be some kind of routing protocol mechanism between the two. You might want to run dynamic routing protocol or just static routing.
CLARIFICATION: I believe your network has two Internet gateways. One goes through the PIX and another goes through the application box. Is this true?
Or maybe the application box goes to an internal network?
Can you redraw your network setup? This time please include the 2nd network and everything.
Tips: You can use the HTML code "PRE" and "/PRE" when drawing the network. Therefore you don't have to add the ***  |
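A quick way to check a running-config against points 3 and 7 above (no user ports in VLAN 1, "spanning-tree portfast" only on host ports), plus whether a trunk restricts the VLANs it carries, is a small config lint. This is an added example, not code from the thread; the description keywords it treats as "not a host" (pix, firewall, router, trunk, ...) are an assumed naming convention, and the two config excerpts are constructed from the 3560 running-config posted at the top of the thread.

```python
"""Constructed lint for Cisco IOS-style switch configs (added example, not thread code)."""
import re
from typing import Dict, List

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command closes the block
    return interfaces

# Words in a port description that mean "not an end host" (assumed naming convention).
NON_HOST = re.compile(r"\b(pix|asa|firewall|router|trunk|uplink|switch)\b", re.I)

def lint(config: str) -> List[str]:
    """Findings for: portfast only on host ports, trunks limited to the VLANs they
    need, no access ports left in VLAN 1, and no live VLAN 1 SVI."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        desc = next((c[len("description "):] for c in cmds if c.startswith("description ")), "")
        portfast = "spanning-tree portfast" in cmds
        trunk = "switchport mode trunk" in cmds
        access_vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")), None)
        if portfast and (trunk or NON_HOST.search(desc)):
            findings.append(f"{name}: portfast on non-host port ({desc or 'trunk'})")
        if trunk and not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            findings.append(f"{name}: trunk carries all VLANs (no 'switchport trunk allowed vlan')")
        if "switchport mode access" in cmds and access_vlan in (None, "1"):
            findings.append(f"{name}: access port in VLAN 1")
        if name.lower() == "vlan1" and any(c.startswith("ip address ") for c in cmds) and "shutdown" not in cmds:
            findings.append(f"{name}: VLAN 1 SVI is up with an IP address")
    return findings

# Constructed excerpt modelled on the 3560 running-config posted in the thread.
AS_POSTED = """\
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/38
 description Interface to PIX
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/48
 description Trunk with 2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.0.250 255.255.255.0
!
"""

# The same ports after the advice above: hosts in VLAN 10, PIX port in VLAN 2 without
# portfast, trunk limited to the VLANs it carries, VLAN 1 SVI shut down.
HARDENED = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/38
 description Interface to PIX
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/48
 description Trunk with 2950
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,20
 switchport mode trunk
!
interface Vlan1
 description Switch Management - DO NOT USE
 shutdown
!
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, lint(cfg) or ["no findings"])
```

Run it against a full `show running-config` saved to a file; the parser only cares about `interface` blocks, so the global section is ignored.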
|
 vipergg
join:2003-12-17
| reply to altu I guess I'm a little confused on the setup; don't understand why you have the application server doing routing also along with the 3750. Also a little confused on other posters' comments about trunking. You can certainly run both sides as transparent as long as you don't want to run the client/server setup where the server controls the adding of VLANs to the domain. If both sides are transparent you just have to manually create the VLANs on both sides; we do it all the time. Maybe I misunderstood what he was saying. |
|
 aryoba Premium,MVM join:2002-08-22
| It is always good practice for a VTP Domain to have a VTP Server. Aside from avoiding manual creation of VLANs, you might have a growing Spanning Tree problem without the presence of a VTP Server. The following is detail on VTP and Spanning Tree Protocol (STP): www.cisco.com/en/US/tech/tk389/t···52.shtml |
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu I apologize for the delay in getting back to you.
I do understand the importance of having a VTP domain and only one VTP server. I set this up when I needed to trunk both the 3560 and the 2950.
Now that the trunking is done, I can set them both to transparent. Will the trunk still work, passing all VLAN information ?
My original switch was the 2950 and all VLAN information was stored on it. The 3560 is a recent addition. I set it to be a client so that my 2950 server could propagate the VLAN information to it. Now that the switches are in sync, I could set both to transparent to configure the secondary VLAN on the port in question. The port is on the 3560.
How do I go about configuring inter-vlan routing on the 3560?
I'll set up a VLAN 10 as suggested and move all users on it.
Why do you stress on subnet separation PIX vs. 3560 users? Security?
The 2950's default gateway is the application machine which is a UNIX variant. The 2950 has 5 clients that access the application machine. I cannot set anything on those clients (proprietary). The clients are fed IP Addresses of their subnet from this application machine, and they are also natted across to the other subnet for internet access.
Thanks for the heads up on the spanning-tree portfast.
I'll draw up the diagram and post it soon. |
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu This is the diagram. |
|
 aryoba Premium,MVM join:2002-08-22
edit: December 20th, @06:05AM
| reply to altu Q1: "Now that the trunking is done, I can set them both to transparent. Will the trunk still work, passing all VLAN information?"
A: The trunk will still work. However, it is not reliable when none of the switches in your VTP Domain works as VTP server. Set the 3560 as the server and the 2950 as client, then the VLAN and trunk info will be more reliable. Check out the link I provided for more info.
Q2: "Why do you stress on subnet separation PIX vs. 3560 users? Security?"
A: I believe there should (or would) be a need for users behind the 3560 and behind the 2950 to go to the Internet through the PIX or to go to the 2nd network through the application box. I also believe that there should (or would) be a need for the two groups of users to reach each other.
In short, there is traffic going from one network segment to another. This is called inter-VLAN routing. To make inter-VLAN routing run well, you need to break up each network segment into its own subnet.
Q3: "How do I go about configuring inter-vlan routing on the 3560?"
A: As mentioned, there should be a routing protocol to handle traffic between all subnets. However, before going further, you need to answer the following questions.
QUESTIONS:
1) What are the things you can configure on the application box? Can you configure it for a specific gateway, IP address, subnet, DNS server?
2) Which routing protocols is this application machine capable of running? Is it capable of running RIP, OSPF, or BGP?
3) Can you also post the application box configuration? The info I would like to see is IP address, subnet, gateway (both primary and secondary). |
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu Primarily, RIP (both version 1 and version 2) and IRDP. Support for BGP v4, OSPF v2, and other routing protocols is also available. |
|
 aryoba Premium,MVM join:2002-08-22
edit: December 20th, @06:15AM
| Questions:
1) Why are there two network segments on the application box; the primary and secondary? Why can't you just use one network segment on the box? Just the 192.x.x.x or just the 10.x.x.x?
2) Which is the primary subnet on the application box; the 192.x.x.x or the 10.x.x.x? |
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu Services.
The application box streams services to the 10.x.x.x range and not to the 192.x.x.x range. But, it still needs the 192.x.x.x range for the internet service. |
|
 aryoba Premium,MVM join:2002-08-22
edit: December 20th, @07:05AM
| Assuming the application box acts as a "full router", then you don't have to set up two subnets on it. Having two subnets in one box is a messy business and you really don't want to be in it. You can just use the 10.x.x.x, remove the 192.x.x.x, and still be able to go to the Internet.
Here are the steps:
1. Set the 3560 as VTP server and 2950 as VTP client
2. Create separate subnets for the PIX inside interface, hosts of the 3560, and hosts of the 2950
As for the routing, static routes should be sufficient:
3. On the PIX, point the 10.x.x.x and 192.x.x.x traffic to the 3560 IP address.
4. I assume you can leave the PIX default gateway as it is since it is working, correct?
5. On the 3560, point the 10.x.x.x traffic to the application box IP address. Set the default gateway to the PIX inside interface IP address
6. On the application box, set the default gateway to the 3560 IP address.
Here is an illustration:
1) Let's say the subnets and VLANs are:
172.16.0.0/30 for PIX inside interface (VLAN 2)
10.26.0.0/30 for 2950 switch management (VLAN 3)
192.168.0.0/24 for 3560 hosts (VLAN 10)
10.27.22.0/16 for 2950 hosts (VLAN 20)
2) Set 3560 as VTP server and 2950 as VTP client
3560: Switch(conf)# vtp mode server
2950: Switch(conf)# vtp mode client
3) Assume the following IP addresses:
172.16.0.1 for PIX inside interface
10.27.22.250, 10.26.0.1, 172.16.0.2, and 192.168.0.250 for 3560
10.27.22.100 for the application box
10.26.0.2 for the 2950
4) PIX configuration
ip address inside 172.16.0.1 255.255.255.252
route inside 10.0.0.0 255.0.0.0 172.16.0.2
route inside 192.168.0.0 255.255.0.0 172.16.0.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
5) 3560 configuration
interface VLAN1
 description Switch Management - DO NOT USE
 shutdown
!
interface VLAN2
 description PIX Inside Subnet
 ip address 172.16.0.2 255.255.255.252
!
interface VLAN3
 description 2950 Management
 ip address 10.26.0.1 255.255.255.252
!
interface VLAN10
 description 3560 Hosts
 ip address 192.168.0.250 255.255.255.0
!
interface VLAN20
 description 2950 Hosts
 ip address 10.27.22.250 255.255.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
6) 2950 configuration
interface VLAN1
 description Switch Management - DO NOT USE
 shutdown
!
interface VLAN3
 description 2950 Management
 ip address 10.26.0.2 255.255.255.252
!
ip default-gateway 10.26.0.1
7) Application Box
IP Address: 10.27.22.100
Subnet: 255.255.0.0
Gateway: 10.27.22.250 |
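To see where the static routes of the illustration above actually send a packet, here is an added hop-by-hop forwarding simulation; it is my code, not from the thread. Device addresses follow the illustration; the two host addresses (192.168.0.50 and 10.27.22.50) and the 2950 hosts using the application box as their gateway are assumptions. It goes one step beyond the illustration by checking whether a path is symmetric, which matters when a device that keeps state (the application box doing NAT) sits on only one direction of the flow.

```python
"""Constructed forwarding simulation of the static-route plan (added example, not thread code)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Per device: (prefix, next hop). next hop None means directly connected;
# "INTERNET" stands for the PIX outside default route.
Route = Tuple[str, Optional[str]]
ROUTES: Dict[str, List[Route]] = {
    "pix":      [("172.16.0.0/30", None), ("10.0.0.0/8", "172.16.0.2"),
                 ("192.168.0.0/16", "172.16.0.2"), ("0.0.0.0/0", "INTERNET")],
    "3560":     [("172.16.0.0/30", None), ("10.26.0.0/30", None),
                 ("192.168.0.0/24", None), ("10.27.0.0/16", None),
                 ("0.0.0.0/0", "172.16.0.1")],
    "appbox":   [("10.27.0.0/16", None), ("0.0.0.0/0", "10.27.22.250")],
    "host3560": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.250")],
    # Assumption: 2950 hosts are handed the application box as gateway.
    "host2950": [("10.27.0.0/16", None), ("0.0.0.0/0", "10.27.22.100")],
}
# Which device answers for which address (host addresses are constructed).
OWNER: Dict[str, str] = {
    "172.16.0.1": "pix", "172.16.0.2": "3560", "10.26.0.1": "3560",
    "192.168.0.250": "3560", "10.27.22.250": "3560", "10.27.22.100": "appbox",
    "192.168.0.50": "host3560", "10.27.22.50": "host2950",
}

def lookup(device: str, dst: str) -> Optional[Route]:
    """Longest-prefix match of dst in the device's static table."""
    dst_ip = ip_address(dst)
    matches = [r for r in ROUTES[device] if dst_ip in ip_network(r[0])]
    if not matches:
        return None
    return max(matches, key=lambda r: ip_network(r[0]).prefixlen)

def trace(src_device: str, dst: str, max_hops: int = 10) -> List[str]:
    """Devices a packet from src_device to dst passes through, in order."""
    path = [src_device]
    device = src_device
    for _ in range(max_hops):
        route = lookup(device, dst)
        if route is None:
            path.append("DROP(no route)")
            return path
        _, next_hop = route
        if next_hop is None:                   # dst is on a connected subnet
            path.append(OWNER.get(dst, f"on-link:{dst}"))
            return path
        if next_hop == "INTERNET":
            path.append("INTERNET")
            return path
        device = OWNER[next_hop]
        if device in path:
            path.append("LOOP")
            return path
        path.append(device)
    path.append("TTL-EXCEEDED")
    return path

def is_symmetric(a_ip: str, b_ip: str) -> bool:
    """True when the return path is the exact reverse of the forward path."""
    forward = trace(OWNER[a_ip], b_ip)
    back = trace(OWNER[b_ip], a_ip)
    return forward == list(reversed(back))

if __name__ == "__main__":
    print("2950 host -> Internet:", trace("host2950", "198.51.100.10"))
    print("3560 host -> 2950 host:", trace("host3560", "10.27.22.50"))
    print("2950 host -> 3560 host:", trace("host2950", "192.168.0.50"))
    print("symmetric 2950<->3560 hosts:", is_symmetric("10.27.22.50", "192.168.0.50"))
```

The last line is the one worth looking at: with the 2950 hosts pointing at the application box but the 3560 reaching VLAN 20 directly, traffic from a 2950 host to a 3560 host goes through the application box while the reply does not, so any NAT or state on the application box only ever sees one direction.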
|
 altu
join:2005-12-18 Beverly Hills, CA
edit: December 20th, @06:59AM
| reply to altu The application box is out of bounds.
The leasing company would throw more than a fit, it would cancel our contract.
>3. On the PIX, point the 10.x.x.x and 192.x.x.x traffic to the 3560 IP address
How do I go about doing that? Is this OK?
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 2 10.27.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
global (outside) 2 interface
I can do the "Set the default gateway to the PIX inside interface IP address"
How do I go about doing "On the 3560, point the 10.x.x.x traffic to the application box IP address."?
Forgive my ignorance. |
|
 aryoba Premium,MVM join:2002-08-22 | If you cannot change the application box configuration, then you can leave it as it is. Since its primary subnet is the 10.x.x.x; you can just go along with it. My previous illustration should show you sufficiently. |
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu Thank you for all the information. Please allow me some time to incorporate the suggestions that you have brought up, and I'll get back to you. |
|
 aryoba Premium,MVM join:2002-08-22
| Just a reminder. Here are the steps of the layer-2 configuration:
3560:
1) Set VTP Mode
Switch(config)#vtp mode server
2) Configure and Name VLANs
Switch(config)#vlan 2
Switch(config-vlan)#name PIX_Inside
Switch(config-vlan)#exit
Switch(config)#vlan 3
Switch(config-vlan)#name 2950_Management
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#name 3560_Hosts
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name 2950_Hosts
Switch(config-vlan)#exit
3) Set VTP Domain Name
Switch(config)#vtp domain [ENTER VTP DOMAIN NAME HERE]
4) Configure PIX Port
Let's say it is port 38. Then:
Switch(config)#interface fastethernet 0/38
Switch(config-if)#description PIX Inside
Switch(config-if)#switchport mode access
Switch(config-if)#no spanning-tree portfast
Switch(config-if)#switchport access vlan 2
Switch(config-if)#end
5) Configure Hosts' Ports
Let's say 3560 hosts are using ports 1 to 37. Then:
Switch(config)#interface range fastethernet 0/1 - 37
Switch(config-if-range)#description Hosts
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#spanning-tree portfast
Switch(config-if-range)#exit
6) Configure Trunk Port
Let's say you use port 48 to trunk to the 2950. Then:
Switch(config)#interface fastethernet 0/48
Switch(config-if)#description Trunk To 2950
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode dynamic desirable
Switch(config-if)#switchport trunk allowed vlan 1,3,20
Switch(config-if)#end
2950: The same approach applies to the 2950
Switch(config)#vtp mode server
Switch(config)#vlan 3
Switch(config-vlan)#name 2950_Management
Switch(config)#vlan 20
Switch(config-vlan)#name 2950_Hosts
Switch(config-vlan)#exit
Switch(config)#vtp domain [ENTER VTP DOMAIN NAME HERE]
Switch(config)#vtp mode client
Switch(config)#interface range fastethernet 0/1 - 15
Switch(config-if-range)#description 2950 Hosts
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#spanning-tree portfast
Switch(config-if-range)#exit
Switch(config)#interface fastethernet 0/16
Switch(config-if)#description Trunk To 3560
! The 2950 trunks 802.1Q only, so it has no "switchport trunk encapsulation" command
Switch(config-if)#switchport mode dynamic desirable
Switch(config-if)#switchport trunk allowed vlan 1,3,20
Switch(config-if)#end
To make sure that the VTP Server-Client relationship is established, issue "show vlan" and "show vtp status" on both switches. |
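The "show vlan" and "show vtp status" check at the end of that post can be automated: collect both outputs from each switch and verify that exactly one switch is the server, that domain name, V2 mode and configuration revision agree, that server and client members report the same MD5 digest, and that no switch is missing a VLAN the others have. This is an added example, not code from the thread; the status and VLAN texts below are constructed samples in the format the thread posted, with the "before" set mirroring the mismatch visible in the posted outputs (2950 as server, 3560 as client, V2 mode and digests disagreeing).

```python
"""Constructed VTP consistency check for a set of Catalyst switches (added example, not thread code)."""
import re
from typing import Dict, List, Set, Tuple

def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines of 'show vtp status' into a dict (keys lower-cased)."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            status[key.strip().lower()] = value.strip()
    return status

# Rows of the first 'show vlan' table: id, name, status (ports may follow).
VLAN_ROW = re.compile(r"^\s*(\d{1,4})\s+\S+\s+(?:active|act/unsup|suspended)\b", re.M)

def parse_vlan_ids(show_vlan: str) -> Set[int]:
    """Normal-range VLAN ids (1-1001) present in 'show vlan' output."""
    return {int(m.group(1)) for m in VLAN_ROW.finditer(show_vlan) if int(m.group(1)) < 1002}

def check_vtp_domain(switches: Dict[str, Tuple[str, str]]) -> List[str]:
    """switches maps a switch name to (show vtp status text, show vlan text).
    Returns the problems found; an empty list means the domain looks consistent."""
    status = {name: parse_vtp_status(s) for name, (s, _) in switches.items()}
    vlans = {name: parse_vlan_ids(v) for name, (_, v) in switches.items()}
    problems: List[str] = []
    servers = sorted(n for n, st in status.items() if st.get("vtp operating mode") == "Server")
    if len(servers) != 1:
        problems.append(f"expected exactly one VTP server, found {servers}")
    for field in ("vtp domain name", "vtp v2 mode", "configuration revision"):
        values = sorted({st.get(field, "<missing>") for st in status.values()})
        if len(values) != 1:
            problems.append(f"{field} differs across switches: {values}")
    # Server and client members share one VLAN database, so their digests must agree.
    synced = [n for n, st in status.items() if st.get("vtp operating mode") in ("Server", "Client")]
    if len({status[n].get("md5 digest") for n in synced}) > 1:
        problems.append("MD5 digest differs between server/client members")
    all_ids: Set[int] = set().union(*vlans.values())
    for name, ids in vlans.items():
        missing = all_ids - ids
        if missing:
            problems.append(f"{name} is missing VLANs {sorted(missing)}")
    return problems

def _status(mode: str, v2: str, revision: int, digest: str) -> str:
    """Build a constructed 'show vtp status' text in the thread's format."""
    return (f"VTP Version                     : 2\n"
            f"Configuration Revision          : {revision}\n"
            f"VTP Operating Mode              : {mode}\n"
            f"VTP Domain Name                 : EXAMPLE\n"
            f"VTP Pruning Mode                : Disabled\n"
            f"VTP V2 Mode                     : {v2}\n"
            f"MD5 digest                      : {digest}\n")

VLAN_ORIG = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2
20   VLAN0020                         active    Fa0/3
1002 fddi-default                     act/unsup
"""
VLAN_NEW = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    PIX_Inside                       active    Fa0/38
3    2950_Management                  active
10   3560_Hosts                       active    Fa0/1, Fa0/2
20   2950_Hosts                       active
1002 fddi-default                     act/unsup
"""
# Mirrors the posted state: 2950 server, 3560 client, V2 mode and digests disagree.
BEFORE = {
    "3560": (_status("Client", "Disabled", 0, "0x11 0x11"), VLAN_ORIG),
    "2950": (_status("Server", "Enabled", 0, "0x22 0x22"), VLAN_ORIG),
}
# After following the steps: 3560 server, 2950 client, one shared VLAN database.
AFTER = {
    "3560": (_status("Server", "Disabled", 4, "0x33 0x33"), VLAN_NEW),
    "2950": (_status("Client", "Disabled", 4, "0x33 0x33"), VLAN_NEW),
}

if __name__ == "__main__":
    for label, domain in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vtp_domain(domain) or "OK")
```

Feed it the real "show vtp status" and "show vlan" captures in place of the constructed strings; the parser keys on the "Key : Value" layout and the VLAN table rows, which is what both switches in the thread print.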
|
 altu
join:2005-12-18 Beverly Hills, CA
| reply to altu Thank you for being patient.
I have just one issue which needs to be resolved.
The 2950's original configuration has: ip default-gateway 10.27.22.100
That IP belongs to the application server.
If I plug in the proprietary clients to this switch with the default gateway set to the application server, my services work fine.
If I plug in the same devices to the 3560, which is trunked with the 2950, into a port with the correct VLAN, the services don't work.
Should I change the default gateway for the 3560 also to the application server? |
|