Velocity Reviews - Computer Hardware Reviews
VLAN Basics

 
 
Mark St Laurent
      10-06-2005
I am new to VLAN concepts. I would like to configure my 8 2950 series
switches, with the latest IOS version installed, to incorporate multiple
VLANs to isolate different departments. I am coming to the conclusion that
internet traffic generated from each VLAN will require separate trunk ports
connected to !!their own interface on the router!!. Is there a way around
this using only C2950C24 series switches and a C2811 series router? I've seen
posts referring to PBR but don't believe this is supported on the C2950, being a
layer 2 device. How is this typically configured? Currently running 130+ on
native VLAN 1.

Thanks


 
Reply With Quote
 
 
 
 
Walter Roberson
      10-06-2005
In article <sIf1f.9443$(E-Mail Removed)> ,
Mark St Laurent <stormrunner'_removethis'@comcast.net> wrote:
:I am new to VLAN concepts. I would like to configure my 8 2950 series
:switches with the latest IOS version installed, to incorperate multiple
:VLANS to isolate different departments.

OK.

:I am comming to the conclusion that
:internet traffic generated from each VLAN will require separate trunk ports
:connected to !!their own interface on the router!!.

No, that's not the case at all. When you designate a port as a trunk
port, you can add multiple VLANs to it, and all the VLAN traffic will
be multiplexed over the one interface. The method for adding multiple
VLANs to a port varies a bit, but typically in IOS it involves
creating "subinterfaces" and telling the subinterface that it is part
of the VLAN.

--
These .signatures are sold by volume, and not by weight.
 
Reply With Quote
 
 
 
 
Merv
      10-06-2005
You could home 7 of the 2950s to a "master" 2950 and then connect the
master 2950 to the 2811 router. To have more than one VLAN on a
particular 2950, you would need to enable trunking between the 2950 and
the master 2950. The master 2950 would also have trunking enabled
between it and the 2811 router. Do not use VLAN 1 when and if you
move to multiple VLANs.

 
Mark St Laurent
      10-06-2005
I have created, for instance, on a C2950C24 running 12.1(22)EA4 a VLAN 5 and
enabled 802.1Q trunking on fa 0/1, which is the port for the 2811 router. On the
same switch, fa 0/17 is configured for VLAN 5; when I plug my laptop
into this port and manually configure the IP address to 192.168.1.212, I cannot
ping the gateway at 192.168.1.253. I realize that once working I should
configure VLAN 5 as 192.168.2.xxx and then create another NAT overload on the
external router interface, but I can't get anything from VLAN 5 fa 0/17 to
forward to the router. Note: if I do (no shut) on int VLAN5 I can then at least
access the switch (telnet).

Any help greatly appreciated

C2811 (192.168.1.253)
  |
Fa0/1 (trunk, VLAN ALL) ---- C2950Cs1 ---- Fa0/26 (trunk) ---- next switch
                                |
                             Fa0/17 (VLAN 5)
                                |
                       Laptop (192.168.1.212)


spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
macro global description cisco-global
!
interface FastEthernet0/1
description C2811
switchport trunk pruning vlan none
switchport mode trunk
switchport nonegotiate
mls qos trust dscp
auto qos voip trust
macro description cisco-router
spanning-tree portfast
spanning-tree bpduguard enable

interface FastEthernet0/17
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/26
switchport mode trunk
switchport nonegotiate
mls qos trust cos
auto qos voip trust
macro description cisco-switch
spanning-tree link-type point-to-point

!
interface Vlan1
ip address 192.168.1.249 255.255.255.0
no ip route-cache
!
interface Vlan5
no ip address
no ip route-cache
shutdown
!
ip default-gateway 192.168.1.253

C2950Cs1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 250
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Enabled
MD5 digest                      : 0x0C 0x12 0xEB 0x17 0xC7 0xF6 0x63 0x87
Configuration last modified by 192.224.60.249 at 10-6-05 20:53:29
Local updater ID is 192.168.1.249 on interface Vl1 (lowest numbered VLAN interface found)

C2950Cs1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21
5    VLAN0005                         active    Fa0/17
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Mark St Laurent
      10-06-2005
As you can see from above ("RE Walter"), I believe I have done this, but it does
not work. Maybe I am missing something quite simple? Don't know; please
advise.

Thanks
Merv
      10-06-2005
post your router config also
Walter Roberson
      10-06-2005
In article <EFg1f.1555$(E-Mail Removed)>,
Mark St Laurent <stormrunner'_removethis'@comcast.net> wrote:
>I have created for instance on C2950C24 running 12.1(22)EA4 a VLAN 5 and
>enabled 802.1q trunking on fa 0/1 which is the port for 2811 router. On the
>same switch in fa 0/17 which is configured for VLAN 5

>C2950Cs1#sh vlan

>5 VLAN0005 active Fa0/17

You want to trunk VLAN 5 over fa 0/1 but you haven't enabled vlan 5 on
fa 0/1.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
Mark St Laurent
      10-06-2005
My Router Config


Current configuration : 12404 bytes
!

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *************
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-3.bin
boot system flash c2800nm-advsecurityk9-mz.123-8.T6.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 ***************************
!
no aaa new-model
!
resource policy
!
memory-size iomem 20
clock timezone Pacific -8
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule_102 list 102
no ip bootp server
ip domain name ***************.COM
ip name-server 206.13.29.12
ip name-server 206.13.30.12
ip sla monitor 1
type echo protocol ipIcmpEcho ***.***.***.***
ip sla monitor schedule 1 life forever start-time now
!
!
!

!
!
track 123 rtr 1 reachability
!
class-map match-any p2p
match protocol fasttrack
match protocol gnutella
match protocol napster
match protocol http url "\.hash=*"
match protocol http url "/.hash=*"
match protocol kazaa2
!
!
policy-map p2p
class p2p
police cir 8000 bc 1500 be 1500
conform-action drop
exceed-action drop
!
!
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$FW_INSIDE$
ip address 192.168.1.251 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map FAILOVER
duplex auto
speed auto
vrrp 1 ip 192.168.1.253
vrrp 1 priority 254
vrrp 1 authentication md5 key-string 7 ***************** timeout 30
no mop enabled
service-policy input p2p
service-policy output p2p
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 172.18.0.1 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
!
interface ATM0/2/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface BVI1
description $FW_OUTSIDE$
mac-address 0000.****.****
ip address ***.***.***.177 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip ips sdm_ips_rule_102 in
ip nat outside
ip virtual-reassembly
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 ***.***.***.182
ip route 0.0.0.0 0.0.0.0 192.168.1.252 20
ip route ***.***.***.125 255.255.255.255 192.168.1.252 permanent
ip flow-export version 5
ip flow-export destination 192.168.1.14 2055
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 2000
!
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface BVI1 overload
ip nat inside source static 172.18.0.2 ***.***.***.178
!
logging trap debugging
logging 192.168.1.7
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.1.14 log
access-list 2 remark SDM_ACL Category=1
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.1.6 log
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.1.7 log
access-list 2 deny any
access-list 10 permit 192.168.1.14
access-list 10 permit 192.168.1.6
access-list 10 permit 192.168.1.7
access-list 10 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark ISPrime (Porn)
access-list 100 deny ip any 66.230.128.0 0.0.63.255
access-list 100 deny ip ***.***.***.176 0.0.0.7 any
access-list 100 deny ip 172.18.0.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip ***.***.***.176 0.0.0.7 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit icmp any host ***.***.***.177 echo
access-list 102 remark Auto generated by SDM for NTP (123) time-a.timefreq.bldrdoc.gov
access-list 102 permit udp host 132.163.4.101 eq ntp host ***.***.***.177 eq ntp
access-list 102 remark SBCGlobal DNS
access-list 102 permit udp host 206.13.30.12 eq domain host ***.***.***.177
access-list 102 permit udp host 206.13.29.12 eq domain host ***.***.***.177
access-list 102 deny ip 172.18.0.0 0.0.0.3 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host ***.***.***.177 time-exceeded
access-list 102 permit icmp any host ***.***.***.177 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 remark VTY Access-class list
access-list 103 permit tcp host 192.168.1.6 any eq 22 log
access-list 103 remark VTY Access-class list
access-list 103 permit tcp host 192.168.1.6 any eq 22 log
access-list 103 remark VTY Access-class list
access-list 103 permit tcp host 192.168.1.14 any range 22 telnet log
access-list 103 deny ip any any log
access-list 199 permit ip 192.168.1.0 0.0.0.255 host 206.13.29.12
access-list 199 permit ip 192.168.1.0 0.0.0.255 host 206.13.30.12
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.31.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.15
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.31
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.15
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.15.255
access-list 199 permit ip host 192.168.1.1 any
access-list 199 permit ip host 192.168.1.2 any
access-list 199 permit ip host 192.168.1.145 any
access-list 199 permit ip host 192.168.1.146 any
access-list compiled
snmp-server community ******** RO 10
snmp-server enable traps tty
snmp-server host 192.168.1.7 *******
route-map FAILOVER permit 10
match ip address 199
set ip next-hop verify-availability 192.168.1.252 10 track 123
!
route-map FAILOVER permit 20
match ip address 199
set ip next-hop ***.***.***.182
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner exec ^C
-----------------------------------------------------------------------
UNAUTHORIZED access is a Federal Offense Punishable by fines and/or
imprisonment. UNAUTHORIZED users must disconnect immediately. Network
traffic may be logged or monitored without further notice, the
resulting logs may be used as evidence in court.
-----------------------------------------------------------------------

-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..|||||:..|||||:..
c i s c o S y s t e m s

-----------------------------------------------------------------------
^C
banner login ^C
Property of **************** Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179685
ntp update-calendar
ntp server 192.168.1.252 source FastEthernet0/0
ntp server 132.163.4.101 source BVI1 prefer
!
end
Merv
      10-06-2005

You would need to enable trunking on the router fast ethernet interface
that faces the 2950. Given this router is in production you would want
to save the current config and do this out of hours.


int fa 0/0.1
description trunk VLAN 1
encap dot1q 1 native
ip address 192.168.1.251 255.255.255.0
exit

int fa 0/0.5
description trunk VLAN 5
encap dot1q 5
ip address 192.168.5.251 255.255.255.0
exit


You might also want to renumber the BVI interface from 1 to something
else (i.e. not any of the VLAN numbers you plan to use, including VLAN 1).

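Merv's two subinterfaces, carried through into a complete router-on-a-stick configuration for the 2811. This is an added example, not the poster's running config and not Merv's text: the VLAN 5 subnet (192.168.5.0/24, following Merv's numbering), the ACL number 105 and the interface descriptions are assumptions. It also accounts for why the laptop test in the earlier post could not work: the posted Fa0/0 holds one untagged address and has no "encapsulation dot1Q 5" subinterface, so tagged VLAN 5 frames arriving over the trunk have no IP interface to terminate on, and 192.168.1.253 is the VRRP address on the untagged VLAN 1 side, so a host on VLAN 5 numbered 192.168.1.212 is in a different broadcast domain from its "gateway" regardless. The things the posted config also needs once the router terminates both VLANs are included: NAT access-list 1 only covers 192.168.1.0/24, the "ntp server ... source FastEthernet0/0" line loses its source address when the physical port gives its address up, and because a router forwards between its own subinterfaces freely, the department isolation the thread is after has to be enforced with an ACL on the VLAN 5 subinterface rather than assumed from the VLAN split.

```cisco
! --- C2811 (12.4): router-on-a-stick for VLAN 1 + VLAN 5 toward C2950Cs1 Fa0/1 ---
! Added example, not the poster's running config.  Assumed: VLAN 5 = 192.168.5.0/24,
! ACL number 105, descriptions.  VLAN 1 stays the untagged/native VLAN here because the
! 130+ existing hosts, the device at 192.168.1.252 (floating default route, NTP) and the
! VRRP group all live on it.  If the switch trunks are later given a different native
! VLAN, drop the "native" keyword on Fa0/0.1 so that VLAN 1 is tagged on both ends.
!
interface FastEthernet0/0
 description 802.1Q trunk to C2950Cs1 Fa0/1
 ! the address and everything bound to it move to the VLAN 1 subinterface;
 ! nbar protocol-discovery, route-cache flow and the p2p service-policy stay here
 no vrrp 1 ip 192.168.1.253
 no ip policy route-map FAILOVER
 no ip nat inside
 no ip access-group 100 in
 no ip address
!
interface FastEthernet0/0.1
 description VLAN 1 (native, untagged) - existing 192.168.1.0/24
 encapsulation dot1Q 1 native
 ip address 192.168.1.251 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map FAILOVER
 vrrp 1 ip 192.168.1.253
 vrrp 1 priority 254
 ! re-enter the posted "vrrp 1 authentication md5 key-string ..." line here (key omitted)
!
interface FastEthernet0/0.5
 description VLAN 5 (tagged) - department subnet, assumed 192.168.5.0/24
 encapsulation dot1Q 5
 ip address 192.168.5.251 255.255.255.0
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
! NAT: the posted access-list 1 matches only 192.168.1.0/24, so VLAN 5 would leave untranslated.
access-list 1 permit 192.168.5.0 0.0.0.255
!
! NTP: the physical interface no longer has an address to source from.
no ntp server 192.168.1.252
ntp server 192.168.1.252 source FastEthernet0/0.1
!
! Isolation: the 2950 keeps VLAN 1 and VLAN 5 apart at Layer 2, but this router will route
! between Fa0/0.1 and Fa0/0.5 unless told otherwise.  ACL 105 lets VLAN 5 reach its own
! gateway, the ISP DNS servers and the Internet, and logs attempts at the internal ranges.
access-list 105 remark VLAN 5 -> Internet only, no access to other departments
access-list 105 permit icmp 192.168.5.0 0.0.0.255 host 192.168.5.251
access-list 105 permit udp  192.168.5.0 0.0.0.255 host 206.13.29.12 eq domain
access-list 105 permit udp  192.168.5.0 0.0.0.255 host 206.13.30.12 eq domain
access-list 105 deny   ip   192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny   ip   192.168.5.0 0.0.0.255 172.18.0.0 0.0.0.3 log
access-list 105 deny   ip   192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255 log
access-list 105 deny   ip   192.168.5.0 0.0.0.255 172.16.0.0 0.15.255.255 log
access-list 105 deny   ip   192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255 log
access-list 105 permit ip   192.168.5.0 0.0.0.255 any
access-list 105 deny   ip   any any log
```

Apply the physical-interface block first, during the maintenance window Merv mentions: the moment "no ip address" is entered on Fa0/0 the existing hosts lose their gateway until Fa0/0.1 is up, and the VRRP group has to be re-created on the subinterface with its key. After the change, "show vlans" on the 2811 lists VLAN 1 and VLAN 5 against Fa0/0, and a VLAN 5 host numbered in 192.168.5.0/24 should ping 192.168.5.251 (its new gateway) but, by design, get an ACL drop logged when it tries 192.168.1.0/24.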
Mark St Laurent
      10-06-2005
When I go into CNA (Cisco Network Assistant) it says that FA0/1 is configured
for ALL VLAN access. "I also found the sh vlan output strange."

CNA Interface List

FA0/1 802.1Q Trunk - Nonnegotiate VLAN ALL

If there is a way via CLI to add VLAN 5 implicitly to FA0/1, what is the
syntax, and is this not redundant? The literature implies that creating an 802.1Q
trunk allows ALL by definition; you can however exclude via CLI entries.

Does this apply to what I am doing? It wouldn't be the first time I found
info that looked right but wasn't applicable to my case.
FYI, the enhanced image is installed.

Defining the Allowed VLANs on a Trunk
By default, a trunk port sends traffic to and receives traffic from all
VLANs. All VLAN IDs, 1 to 4094 when the EI is installed, and 1 to 1005 when
the SI is installed, are allowed on each trunk. However, you can remove
VLANs from the allowed list, preventing traffic from those VLANs from
passing over the trunk. To restrict the traffic a trunk carries, use the
switchport trunk allowed vlan remove vlan-list interface configuration
command to remove specific VLANs from the allowed list.
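The switch side of the same change, as an added example that is not the poster's running config. The quoted Cisco text and the CNA "VLAN ALL" line agree: the posted Fa0/1 has no "switchport trunk allowed vlan" statement, so VLAN 5 is already carried, and the explicit form asked for is "switchport trunk allowed vlan add 5". A practitioner would not leave the default in place, though. Two things in the posted output matter for isolation: the trunks carry every VLAN with VLAN 1 as the untagged native VLAN, which is the VLAN the 130+ hosts sit in (an attacker on the native VLAN can push a double-tagged frame into another VLAN across such a trunk), and "sh vtp status" shows VTP Server with an empty domain name, so a switch cabled to Fa0/26 that advertises a domain and a higher revision can rewrite the VLAN database. The example prunes the allowed list, moves the native VLAN to an unused one and switches VTP to transparent; VLAN 999 and the names are assumptions, and with VTP transparent each 2950 needs its VLANs created by hand.

```cisco
! --- C2950Cs1 (12.1(22)EA4): explicit trunk allowed-lists, native VLAN off VLAN 1, VTP transparent ---
! Added example, not the poster's running config.  VLAN 999 is an assumed, otherwise unused
! VLAN that exists only to be the trunk native VLAN; no access port is ever placed in it.
!
vtp mode transparent
! Transparent mode keeps the VLAN database local: advertisements from a switch on Fa0/26
! are forwarded but never applied, so a higher revision number cannot overwrite it.
!
vlan 5
 name DEPT-A
vlan 999
 name TRUNK-NATIVE-UNUSED
!
interface FastEthernet0/1
 description C2811 Fa0/0 (802.1Q trunk)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,5
 ! "allowed vlan 1,5" replaces the default ALL that CNA reports.  To widen it later use
 ! "switchport trunk allowed vlan add <n>"; a bare "allowed vlan <n>" overwrites the list.
 ! Untagged frames would land in VLAN 999, which is not allowed, so they are dropped.
 ! Router side: Fa0/0.1 must then use "encapsulation dot1Q 1" without the native keyword,
 ! so that VLAN 1 is tagged on both ends of this link.
!
interface FastEthernet0/26
 description uplink to next 2950 (802.1Q trunk, same settings on the far end)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,5
!
interface FastEthernet0/17
 description DEPT-A user port
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Checks (on the 2950):
!   show interfaces trunk             Fa0/1 and Fa0/26 listed with Native vlan 999 and
!                                     "Vlans allowed on trunk" 1,5
!   show interfaces fa0/1 switchport  Operational Mode: trunk, Negotiation of Trunking: Off
!   show vtp status                   VTP Operating Mode : Transparent
```

"show interfaces trunk" is the command that settles the question in the thread: it prints the allowed list per trunk, so there is no need to infer it from "sh vlan" (which only lists access ports) or from CNA. Change the native VLAN on both ends of Fa0/26 in the same window; until the far switch matches, CDP logs a native VLAN mismatch and VLAN 1 traffic across that link is broken.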