Enabling a VLAN Disables the other

Answered Question
Feb 1st, 2007

Hi,

We have a 2950 Switch connected to a Cisco router, and a Mitel server.

The switch has VLAN 1 and 100 configured on it - all ports being in both. We have voice traffic on VLAN100.

When I try to enable VLAN100, VLAN1 shuts off.

All ports are configured as access-ports.

My goal is to have the switch forward packets to the router to a branch site, if needed, and vice versa.

Am I going to have to enable trunking and interVLAN routing on both the switch and the router?

Thanks,

Al

Richard Burts Thu, 02/01/2007 - 09:50

Al

If you have 2 active VLANs on your 2950 switch then yes I believe that you will need to configure trunking and to configure inter VLAN routing on the router. The 2950 is a layer 2 switch and you will not be able to configure routing on the layer 2 switch.

The 2950 can have multiple VLANs configured and active. But it can have only 1 VLAN interface active. The primary purpose of the VLAN interface is to provide management access to the switch. You can put an IP address on the VLAN interface and that is how you access the switch. But you can not have an active IP address in both VLAN 1 and VLAN 100. Whichever one you activate will shut down the other one.

This is normal behavior.

I guess if you do not want to configure trunking there might be an alternative. If you have two available Ethernet interfaces on the router you could connect an access port from the switch VLAN 1 into one interface and connect an access port from the switch VLAN 100 into the other router interface. In that situation the router does inter VLAN routing and there is no trunking (but it occupies 2 router interfaces).

HTH

Rick

amiralisetoudeh Thu, 02/01/2007 - 14:16

Thanks for the articulate reply Rick.

There actually is a free interface on the router. I was wondering how would I go about connecting the switchports to the router - with the intention of the router performing the routing without trunking.

To clarify, since all the ports on the switch are members of VLAN1 and VLAN100, which port would I want to connect to each port on the router?

Thanks Rick!

Al

glen.grant Thu, 02/01/2007 - 15:08

Just connect a port off the switch that is in the vlan you want to route back to the router and you put your gateway address on that router port. Say vlan 100 ports on the switch, run a single cable to the router interface, put your gateway address on the router such as 172.68.100.254, then put a description field on that router interface so you know which vlan that feeds on your switch. No shut the interface, do the same for vlan 1 and away you go.

Richard Burts Thu, 02/01/2007 - 19:48

Al

I do not understand the statement in your reply which says that all ports are members of VLAN1 and VLAN100. To my understanding the only way for a switch port to be a member of more than 1 VLAN is for the port to be a trunk. Are you saying that individual switch ports are members of both VLANs?

If individual switch ports are members of one VLAN or the other, then you take an access port in VLAN1 and connect it to one router interface and you take an access port in VLAN100 and connect it to the other router interface.

If my understanding is different from what you are saying, then perhaps you can clarify the environment on your switch.

HTH

Rick

amiralisetoudeh Fri, 02/02/2007 - 07:18

I want to thank you guys again for the replies.

Rick, here is the sh vlan output on the 2950 Switch (I hope it's readable):

    1    default     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                               Fa0/5, Fa0/6, Fa0/7, Fa0/8
                               Fa0/9, Fa0/10, Fa0/11, Fa0/12
                               Fa0/13, Fa0/14, Fa0/15, Fa0/16
                               Fa0/17, Fa0/18, Fa0/19, Fa0/20
                               Fa0/21, Fa0/22, Fa0/23, Fa0/24
    100  VLAN0100    active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                               Fa0/5, Fa0/6, Fa0/7, Fa0/8
                               Fa0/9, Fa0/10, Fa0/11, Fa0/12
                               Fa0/13, Fa0/14, Fa0/15, Fa0/16
                               Fa0/17, Fa0/18, Fa0/19, Fa0/20
                               Fa0/23, Fa0/24

Basically, ports 1 through 24 are members of VLANs 1 and 100...

Here is the configuration of one of the access ports that is identical to all the other ports on the switch:

    interface FastEthernet0/24
     switchport mode access
     switchport voice vlan 100
     mls qos trust cos
     spanning-tree portfast

Again, this switch has a Mitel 3300 and a Cisco router connected to it, but since VLAN100 is shut off, the router can't see it and won't forward packets to the branch site. In an attempt to no shut on VLAN100, VLAN1 shuts off which prevents data traffic from passing through... which you said is normal behavior I guess for it to shut it down...

Based on the above output, would you suggest changing anything in regards to the VLAN configuration?

Thanks!!

Al

Richard Burts Fri, 02/02/2007 - 09:03

Al

The additional information in your post is helpful - especially seeing that VLAN 100 is a VOICE VLAN. Configuring the VOICE VLAN introduces tagged frames and is the situation where an access port does legitimately belong to 2 VLANs.

I suspect that the issue is that the router is connected to an access port of the switch and is not looking for tagged frames. My suggestion is that you configure the router interface as if it were connected to a trunk with VLAN 1 as the native (untagged) VLAN and VLAN 100 as the tagged VLAN.

And on layer 2 switches like the 2950 it is normal behavior that if you configure interface VLAN 100 and do no shut on it that it will shut down interface VLAN 1. It is quite possible for VLAN 100 to exist on the 2950 without having interface VLAN 100. Configuring the interface VLAN X is a layer 3 activity and is a way to establish a management interface on the switch and is not necessary to operate the VLAN on the switch (at layer 2).

HTH

Rick
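The point in the post above, that an access port with a voice VLAN carries one untagged and one tagged VLAN, and that only one VLAN interface stays active on a layer 2 switch, can be checked against a saved configuration. This is an added example and not part of the thread; the sample configuration is constructed (only the Vlan100 address and the Fa0/24 lines come from the posts), the function names are hypothetical, and it assumes ports without `switchport mode trunk` are access ports and that allowed-VLAN lists are comma-separated without ranges.

```python
import re

# Constructed sample in the shape of the thread's 2950 config (not the poster's full config).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,100
!
interface FastEthernet0/24
 switchport mode access
 switchport voice vlan 100
!
interface Vlan1
 ip address 10.0.144.2 255.255.240.0
!
interface Vlan100
 ip address 10.0.208.1 255.255.240.0
 shutdown
"""

def parse_interfaces(config):
    """Return {interface name: [config lines under it]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def port_vlans(lines):
    """Return (untagged/native VLAN, tagged VLANs) for one switch port."""
    def value(prefix, default=None):
        return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), default)
    if "switchport mode trunk" in lines:
        native = int(value("switchport trunk native vlan", "1"))
        allowed = value("switchport trunk allowed vlan")
        if allowed is None:
            return native, "all"  # unrestricted trunk carries every VLAN
        return native, sorted({int(v) for v in allowed.split(",")} - {native})
    voice = value("switchport voice vlan", "")  # may also be dot1p/none/untagged
    tagged = [int(voice)] if voice.isdigit() else []
    return int(value("switchport access vlan", "1")), tagged

def active_svis(blocks):
    """VLAN interfaces that are not administratively shut down."""
    return sorted(n for n, l in blocks.items() if n.lower().startswith("vlan") and "shutdown" not in l)
```

For the sample, Fa0/24 reports VLAN 1 untagged and VLAN 100 tagged even though it is an access port, which is why whatever is attached to such a port has to handle both untagged and tagged frames.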

amiralisetoudeh Fri, 02/02/2007 - 09:35

Rick - awesome explanation... appreciated.

So basically what I'm going to do is:

Create subinterfaces on the router, say 0.1 and 0.2, and assign an IP to the subinterfaces from their respective VLANs' subnet.

    Fa0/0.1
     ip address 10.0.144.1 < ip subnet of Data VLAN

    Fa0/0.2
     ip address 10.0.208.1 < ip subnet of Voice VLAN

and for VLAN 1:

encapsulation dot1Q 1 native

And on the switch, I would have to convert the access port that's connected to the router, to a trunk port...

I guess my question now would be, will the router see the subnet on VLAN100 after we make the changes? (I'm still feeling weird about VLAN100 being shut off...)

Thanks again Rick!!

Al

Richard Burts Fri, 02/02/2007 - 10:18

Al

Thanks for the kind words.

I have not actually done what we are talking about, so I can not speak from experience. But from my understanding the subinterfaces and dot1Q native should work fine. I am not sure that you necessarily need to configure a trunk port on the switch (unless there were to be a third VLAN introduced). I did find one reference talking about trunking when sending the VOICE VLAN so I believe it would work. I believe that as long as the router is connected to a switch port configured as shown in your previous post with a VOICE VLAN configured that the router should see untagged frames from VLAN 1 and should see tagged frames from VLAN 100. The key thing is that the router will see some tagged frames and some untagged frames which is typically a trunk environment, so the router needs to be configured to process that way.

HTH

Rick

Ahmede Fri, 02/02/2007 - 12:23

You will need this configuration

    Fa0/0.1
     encapsulation dot1q 1
     ip address 10.0.144.1 < ip subnet of Data VLAN

    Fa0/0.2
     encapsulation dot1q 100
     ip address 10.0.208.1 < ip subnet of Voice VLAN

On the switch just configure a trunk with native VLAN 1

amiralisetoudeh Fri, 02/02/2007 - 15:08

Thanks for the reply -

I'll give an update on what I've done:

On the router, I've configured

    Fa0/0.1
     encapsulation dot1q 1
     ip address 10.0.144.1 < ip subnet of Data VLAN

    Fa0/0.2
     encapsulation dot1q 100
     ip address 10.0.208.1 < ip subnet of Voice VLAN

and I set the port on the switch as a trunk, enabling VLANs 1 and 100.

As I had mentioned, VLAN100 is shut down so I can't ping anything in that VLAN (10.0.208.X, 208.2 is the Mitel server).

So after configuring as stated above, I attempted to no shut the VLAN100 interface, which caused me to lose my connection... (someone has to reboot the switch I guess - or if I remember correctly the switches write mem automatically and we have to console to it?)

I just want the VLAN100 turned on so the router can see it... and I just don't know why I can't get it to do so...

Thanks,

Al

Richard Burts Fri, 02/02/2007 - 15:30

Al

I am trying to understand your comment about VLAN 100 being shut down.

Maybe we need to clarify a bit. From one of your previous posts:

    1    default     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                               Fa0/5, Fa0/6, Fa0/7, Fa0/8
                               Fa0/9, Fa0/10, Fa0/11, Fa0/12
                               Fa0/13, Fa0/14, Fa0/15, Fa0/16
                               Fa0/17, Fa0/18, Fa0/19, Fa0/20
                               Fa0/21, Fa0/22, Fa0/23, Fa0/24
    100  VLAN0100    active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                               Fa0/5, Fa0/6, Fa0/7, Fa0/8
                               Fa0/9, Fa0/10, Fa0/11, Fa0/12
                               Fa0/13, Fa0/14, Fa0/15, Fa0/16
                               Fa0/17, Fa0/18, Fa0/19, Fa0/20
                               Fa0/23, Fa0/24

I believe that this means that VLAN 100 is active.

I think that we also need to clarify the layer 2 aspects and layer 3 aspects of VLANs. As long as VLAN 100 is in the VLAN database and as long as there are ports that are active and are members of VLAN 100 then it should be functional at layer 2. Note that you do not need to configure interface vlan 100 on a layer 2 switch to get the VLAN to work at layer 2. You only need to configure interface vlan 100 if you want the switch to do something at layer 3 in the VLAN. And I think that you do not need the switch to do anything at layer 3 for VLAN 100.

I believe that interface vlan 100 on the switch is a distraction and suggest that you remove interface vlan 100 on the switch and let interface vlan 1 be the only vlan interface on the switch.

If you do that and can still not access the server then we need to investigate some more. Perhaps you could explain a bit more about what is going on.

HTH

Rick

amiralisetoudeh Mon, 02/05/2007 - 10:27

Hey Rick,

Sorry for the late reply... I had to wait for the switch to be rebooted today.

About the VLAN being shutdown, this is what I have when I initiate a show int vlan 100

    sh int vlan 100
    Vlan100 is administratively down, line protocol is down
      Hardware is CPU Interface, address is 0014.f2b8.d700 (bia 0014.f2b8.d700)
      Description: Voice VLAN
      Internet address is 10.0.208.1/20
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set

and in any attempt to 'no shut' the interface, the VLAN1 will administratively shut down, causing loss of connectivity.

From your explanation, I understand that I really don't need interface VLAN100, simply because there will be no layer 3 processing on the switch for the VLAN.

I will disable the VLAN and notify you of what happens.

If you need any additional information from me, I will be glad to provide it.

Thanks Rick!

Al

Correct Answer
Richard Burts Mon, 02/05/2007 - 10:44

Al

Thanks for the response. Yes you have it right: you do not need interface vlan 100 on the switch and attempting to no shut it will result in interface vlan 1 going into shutdown.

Whether interface vlan 100 exists or not (is up or down) does not really have anything to do with the switch forwarding frames at layer 2. From what you have posted it looks like VLAN 100 is active at layer 2 and the switch should be forwarding frames in VLAN 100 just fine. Assuming that the trunking is configured correctly and the subinterfaces on the router are right, then the router should be able to access the server in VLAN 100.

HTH

Rick

amiralisetoudeh Tue, 02/06/2007 - 07:16

Hi again,

I just wanted to give an update -

I've configured the subinterfaces on the router, assigning the right ip addresses to the subinterfaces.

I've removed interface VLAN100 from the switch, and configured the port that's attached to the router as a trunk, allowing VLAN1 & 100 to pass through.

I can ping the subinterfaces on the router from the switch, and even from branch offices.

I just can't see the Mitel (ping)... I've checked spanning tree and VLAN config... all look fine. I'm not physically at the location so I emailed the guys over there to take a look at the server and see if they can log into it and initiate pings and what not...

I'll let you guys know what I find out.

You're awesome!!

Al

Correct Answer
Richard Burts Tue, 02/06/2007 - 07:37

Al

It sounds to me like you are doing the right things. If you can not access the Mitel, then I suspect that it is some issue on the Mitel. If they are going to check the Mitel server I believe the obvious things to check include that its configured IP address and netmask are as you expect them to be and that they match what you configured on the router subinterface. Also check to verify that the default gateway configured is the address configured on the router subinterface.

I also wonder if it could be an issue with ping. Some servers are configured in a "hardened" mode and may not respond to ping as a policy. While tracert from a Windows PC uses ping (and is not useful for the immediate purpose) traceroute from the Cisco router uses UDP packets. So it might be useful to traceroute from the router to the Mitel and see if there is any response. Or have the folks at the site see if they can access anything from the Mitel.

HTH

Rick

amiralisetoudeh Tue, 02/06/2007 - 14:56

Great information, as always...

Things are looking good here...

I had the guys at the branch convert the port connected to Mitel to a trunk, and now both Mitels at each site can see each other. (Yes!)

The only thing is that the voice traffic is not traversing the link between the branch and main site... I think once the routers have routes to the voice subnets they should be able to forward voice data back and forth... the admins on site said it's most likely a signalling configuration on the line with the telco - I'm not quite sure about that though.

They're having the telco personnel go check that because they don't have logon access to the Mitels. So I'm basically waiting to hear back from them.

Wonderful help Rick... you rock!

Al

Richard Burts Tue, 02/06/2007 - 15:09

Al

Thanks for the kind words (and for the ratings). And thanks for using the ratings to indicate that the problem has been solved. It makes the forum more useful when people can read about a problem and know that a solution was found and to be able to read the solution along with the problem.

I am not clear about the topology. In general if the VLANs are correctly configured, if trunking is correctly configured, and if the routers have the correct routes I would expect the voice traffic to flow.

I notice that you say that the port connected to Mitel is now a trunk (at least I think that is what you are saying). I wonder if Mitel might be doing something with tagging or not tagging frames that is confusing things.

HTH

Rick
