Catalyst 2960 Inter-VLAN Routing

Unanswered Question
Mar 25th, 2008

Hello,

I must configure 2960 switches for a lab (NAP platform). It's the same as NAC.

My Windows server is configured with fixed address: 192.168.0.1.

On the switch I have several VLANs.

VLAN2: non-compliant users: 192.168.2.x

VLAN3: compliant users: 192.168.3.x

VLAN4: Management (all servers): 192.168.0.x my server (DC+DHCP) is in this vlan.

The enforcement works fine, but I cannot access my domain because the server is in VLAN4.

What can I do (without a router) to access my server, which is on VLAN4?

Thank you

mattcalderon Tue, 03/25/2008 - 09:28

What VLAN are you on when trying to access VLAN 4?

All of the interface vlans are configured and will route between them. I do notice you have ACLs configured and you may want to verify that you are not being blocked by any of them.

amirovic13 Tue, 03/25/2008 - 09:43

Hi,

When the computer is compliant, it is assigned to VLAN3, and when it is non-compliant, it is assigned to VLAN2.

Now, for example, I'm compliant, so I'm on VLAN 3 with IP address 192.168.3.x.

I want to access the domain. My server (DC) is configured with a fixed IP, 192.168.0.1, so it is on VLAN4. I cannot access it because the switch cannot route.

What can I do?

I removed the ACL. In any case, the ACLs are not a problem because I did not prohibit access to the 192.168.0.x networks.

Thanks for your help

mattcalderon Tue, 03/25/2008 - 10:18

Yes, you do have a 2960 and cannot do L3 switching with it. So for you to be able to talk to another VLAN on this switch without the use of a router is not possible. You need a router to be able to identify different VLANs and forward them properly.

M

amirovic13 Tue, 03/25/2008 - 10:24

I don't have a router, but I have a 3750 switch.

Can I trunk 16 2960 switches with the 3750 switch to route inter-VLAN?

I know that the 3750 is not a router, but it has routing functionality, so my question is whether it is possible to do a trunk in this case, and how exactly can I do it?

Thank you very much for your help

mattcalderon Tue, 03/25/2008 - 10:49

Yes, a 3750 can do your routing. What you will need to do is enable routing (ip routing) and then trunk all of your access 2960 switches back to the 3750. The 3750 will be able to route not using physical interfaces but using the Switched Virtual Interface (SVI). These SVIs are your interface VLANs. Ensure that the default gateways for your hosts are the interface VLAN IPs on the 3750. If you need to route outside of this scenario, ensure that you put a gateway of last resort on the 3750 to your next hop.

MC

Hope this helps!

amirovic13 Tue, 03/25/2008 - 11:06

I would be grateful if you could clarify your answer with an example.

- How do I configure the SVI?

- How do I specify that the default gateway for my hosts is the interface VLAN IP on the 3750?

- On the 2960 switch, when I want to configure the trunk, I put:

switch# int fast 0/1

switch# switchport mode trunk

switch# switchport trunk "I don't find ENCAPSULATION here" ... I have "allowed", "native" or "pruning", so what can I put?

Thanks so much

mattcalderon Tue, 03/25/2008 - 11:23

The SVI is just your interface vlan that you create on your router

interface vlan 111

ip add x.x.x.x x.x.x.x <----The int vlan is an SVI

Your default gateway can either be statically set or be placed in your dhcp scope as the default gateway

--encapsulation is dot1q by default on a 2960

amirovic13 Tue, 03/25/2008 - 12:17

I tried to configure routing on the 3750 but it is still not working.

Can you help me and show me how I must configure the 3750 switch (router) in my case?

Thank you very much

amirovic13 Wed, 03/26/2008 - 04:16

Hello,

I am sending you my config for the 2960 and 3750 switches.

On the SWITCH 2960:

switch2960# int fastethernet 0/1

switchport mode trunk

switchport trunk native vlan 2

switchport trunk native vlan 3

switchport trunk native vlan 4

and I also put:

switch2960# default gateway 192.168.100.1

switch3750# switchport mode trunk

switchport trunk encapsulation dot1q

I also configured

switch3750# interface VLAN1

ip address 192.168.100.1 255.255.255.0

Normally, I must put the IP on the interface

switch3750#interface gigabitethernet 1/0/13

ip "address" ... but the command "address" doesn't exist here. That's the reason why I put the address on the VLAN1 interface.

With this configuration, routing doesn't work.

Thank you very much

Jon Marshall Wed, 03/26/2008 - 04:32

Hi

1) You need to move all the interface VLAN config from the 2960 to the 3750, so as an example

interface Vlan2

ip address 192.168.2.254 255.255.255.0

ip helper-address 192.168.0.1

delete this from the 2960 and put it on the 3750. Do this for all the vlans.

2) On the 2960 you need to give the vlan 1 interface an ip address from the vlan 1 subnet range ie.

int vlan 1

ip address 192.168.100.x

Your default-gateway on the 2960 is fine

3) Your trunk connection - you need to have the same native VLAN on both ends of the link, i.e. on the 2960 and the 3750.

Jon

mattcalderon Wed, 03/26/2008 - 05:08

Jon is exactly correct. Really it almost looks like you need to swap the configs between your 3750 and your 2960. Your interface VLANs on the 3750 are what do your "routing". Once those interface VLANs are taken off of the 2960 and applied to the 3750 you should be good to go. Like Jon said above about your trunking connection, just trunk your 2960 and your 3750 together and have the same native VLAN "by default it's vlan 1".
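
Added example, not part of any post in this thread: one way the two switches could be configured along the lines Jon and mattcalderon describe, using the thread's subnets, the 192.168.2.254 gateway and the 3750 port GigabitEthernet1/0/13. The .254 gateways for VLANs 3 and 4, the 2960 address 192.168.100.2 and the 2960 interface names are assumptions.

```cisco_ios
! Added example; addresses marked "assumed" are not from the thread.
! ===== Catalyst 3750: routes between the VLANs =====
ip routing
vlan 2-4
!
interface Vlan1
 ip address 192.168.100.1 255.255.255.0
 no shutdown
! VLAN 2: non-compliant users
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip helper-address 192.168.0.1
 no shutdown
! VLAN 3: compliant users (gateway address assumed)
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip helper-address 192.168.0.1
 no shutdown
! VLAN 4: servers; 192.168.0.254 is assumed and must be the server's default gateway
interface Vlan4
 ip address 192.168.0.254 255.255.255.0
 no shutdown
! Trunk to the 2960. A trunk has one native VLAN; carried VLANs go in "allowed vlan".
interface GigabitEthernet1/0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4
!
! ===== Catalyst 2960: layer 2 only, no SVIs for VLANs 2-4 =====
vlan 2-4
! Management address (192.168.100.2 assumed) and gateway for the switch itself
interface Vlan1
 ip address 192.168.100.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.100.1
! Trunk to the 3750: native VLAN matches the far end
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4
! DC/DHCP server port stays in VLAN 4 (interface name assumed from "port 47")
interface FastEthernet0/47
 switchport mode access
 switchport access vlan 4
!
! Verify on both switches: show interfaces trunk
! Verify on the 3750:      show ip route, show ip interface brief
```

Repeating `switchport trunk native vlan` with different VLAN numbers, as in the 2960 config posted earlier, leaves only the last value in effect, so the native VLAN has to be checked on both ends with `show interfaces trunk`.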

amirovic13 Wed, 03/26/2008 - 11:48

It's the 2960 switch that does the authentication, so why must I delete all the VLAN interfaces from the 2960 and put them on the 3750?

Thank you

evsrajatgupta Wed, 03/26/2008 - 05:12

Hi Amirovic13,

Your network is simple, and it will be great if you follow the Cisco guidelines, as it will help you in future expansion.

I recommend the following implementation in your network

1) Configure trunking between the 3750 and 2960 (use GigabitEthernet for good results)

For trunking on the 3750 and 2960, use the following commands in interface mode

switchport trunk encapsulation dot1q

switchport mode trunk

For detail check on www.cisco.com

2) Configure the 3750 as VTP server and the 2960 as VTP client

When the 3750 becomes a VTP server, all VLANs will be configured on the 3750 only and the same will be reflected on the 2960. Ports can be configured for any on both switches.

Commands

On the 3750 in configuration mode

vtp mode server

vtp domain "any name"

vtp password "any password"

On the 2960

vtp mode client

vtp domain "any name"

vtp password "any password"

Note:

1) Trunking should be enabled before VTP is configured.

2) Only VLANs on the server will remain after the implementation. You can re-create the VLANs on the 3750. All the ports on the 2960 will stop forwarding during the implementation.

All ports on 2960 will start to function after the Vlan database is replicated from 3750 to 2960.

3) Vlan interface should have the default gateway IP address of the respective IP Address. This is where Inter-Vlan routing happens.

For detail check on www.cisco.com

3) Apply all your access lists on the 3750 switch (the commands remain the same)

4) Make the 3750 switch the STP root (this is optional).

For detail check on www.cisco.com

General Precaution

1) IP routing should be enabled on the 3750

2) A default route should be on the 2960 pointing towards the 3750.

You can use the 3750 for external connectivity, as any port of the 3750 can be used as an L3 port with the no switchport command.

evsrajatgupta Wed, 03/26/2008 - 05:16

I forgot one more important point

1) DHCP

On all VLAN interfaces of the 3750 you need to apply this command

ip helper-address "ip address of the dhcp server"

amirovic13 Wed, 03/26/2008 - 08:17

I need help and it's very very important.

I made the changes, but it still does not work.

I don't use vtp server.

I am sending you my config

Thank you for your help

amirovic13 Wed, 03/26/2008 - 08:29

Yes, I issued the command "ip routing" on the 3750 switch.

The client cannot obtain an IP address because it cannot reach my DHCP server (with IP address 192.168.0.1), but I don't think that is the main problem.

Thank you

mattcalderon Wed, 03/26/2008 - 08:32

What switchport on the 2960 are you plugging into to get to your DHCP server, and what port is your DHCP server plugged into? You need to verify that your DHCP server is plugged into a switchport that is in VLAN 4 with a default gateway of your interface VLAN 4.

amirovic13 Wed, 03/26/2008 - 08:41

On the 2960 switch, I plugged my server into port 47 and my client computer into port 11.

I put the trunk between the GigabitEthernet 2 port of the 2960 switch and port 13 of the 3750 switch.

mattcalderon Wed, 03/26/2008 - 08:49

On port 11 as a test, just put that port in access vlan 5 and see if you can pull a DHCP address. This will bypass your .1x config.

Also show the output of "sh int trunk" from both switches.

amirovic13 Wed, 03/26/2008 - 09:27

I don't understand your answer. Port 5 is in access VLAN 5.

Thank you
