
Catalyst 2960 inter-VLAN routing

amirovic13
Level 1

Hello,

I must configure 2960 switches for a lab (NAP platform). It's the same as NAC.

My Windows server is configured with fixed address: 192.168.0.1.

On the switch I have several VLANs.

VLAN2: non-compliant users: 192.168.2.x

VLAN3: compliant users: 192.168.3.x

VLAN4: Management (all servers): 192.168.0.x my server (DC+DHCP) is in this vlan.

The enforcement works fine, but I cannot access my domain because the server is in VLAN4.

How can I (without a router) access my server, which is on VLAN4?

Thank you

23 Replies

mattcalderon
Level 4

What VLAN are you on when trying to access VLAN 4?

All of the interface vlans are configured and will route between them. I do notice you have ACLs configured and you may want to verify that you are not being blocked by any of them.

Hi,

When the computer is compliant, it is assigned to VLAN3, and when it is non-compliant, it is assigned to VLAN2.

Now, for example, I'm compliant, so I'm on VLAN 3 with IP address 192.168.3.x.

I want to access the domain. My server (DC) is configured with a fixed IP, 192.168.0.1, so it is on VLAN4. I cannot access it because the switch cannot route.

What can I do?

I removed the ACL. Even so, the ACLs are not the problem because I did not prohibit access to the 192.168.0.x networks.

Thanks for your help

Yes, you do have a 2960 and cannot do L3 switching with it. So for you to be able to talk to another VLAN on this switch without the use of a router is not possible. You need a router to be able to identify different VLANs and forward them properly.

M

I don't have a router, but I have a 3750 switch.

Can I trunk 16 2960 switches with the 3750 switch to route inter-VLAN?

I know that the 3750 is not a router but it has routing functionality, so my question is whether it is possible to do a trunk in this case, and how exactly can I do it?

Thank you very much for your help

Yes, a 3750 can do your routing. What you will need to do is enable routing (ip routing) and then trunk all of your access 2960 switches back to the 3750. The 3750 will be able to route not using physical interfaces but using the Switched Virtual Interface (SVI). These SVIs are your interface vlans. Ensure that the default gateways for your hosts are the interface vlan IPs on the 3750. If you need to route outside of this scenario, ensure that you put a gateway of last resort on the 3750 to your next hop.

MC

Hope this helps!

I would be grateful if you could clarify your answer with an example.

- How do I configure the SVI?

- How do I specify that the default gateways for my hosts are the interface vlan IPs on the 3750?

- On the 2960 switch, when I want to configure the trunk, I put:

switch# int fast 0/1

switch# switchport mode trunk

switch# switchport trunk "I can't find ENCAPSULATION here" ......... I have "allowed", "native" or "pruning", so what can I put?

Thanks so much

The SVI is just your interface vlan that you create on your router

interface vlan 111

ip add x.x.x.x x.x.x.x <----The int vlan is an SVI

Your default gateway can either be statically set or be placed in your dhcp scope as the default gateway

--encapsulation is dot1q by default on a 2960

I tried to configure routing on the 3750 but it is still not working.

Can you help me and show me how I must configure the 3750 switch (router) in my case?

Thank you very much

What is the config on your 3750?

Hello,

I am sending you my config on the 2960 and 3750 switches.

On the SWITCH 2960:

switch2960# int fastethernet 0/1

switchport mode trunk

switchport trunk native vlan 2

switchport trunk native vlan 3

switchport trunk native vlan 4

and I also put:

switch2960# default gateway 192.168.100.1

switch3750# switchport mode trunk

switchport trunk encapsulation dot1q

I also configured

switch3750# interface VLAN1

ip address 192.168.100.1 255.255.255.0

Normally, I must put the IP on the interface

switch3750#interface gigabitethernet 1/0/13

ip "address".........but the command "address" doesn't exist here. That's the reason why I put the address on the VLAN1 interface.

With this configuration, routing doesn't work.

Thank you very much

Hi

1) You need to move all the interface vlan config from the 2960 to the 3750, so as an example

interface Vlan2

ip address 192.168.2.254 255.255.255.0

ip helper-address 192.168.0.1

delete this from the 2960 and put it on the 3750. Do this for all the vlans.

2) On the 2960 you need to give the vlan 1 interface an ip address from the vlan 1 subnet range ie.

int vlan 1

ip address 192.168.100.x

Your default-gateway on the 2960 is fine

3) Your trunk connection - you need to have the same native vlan on both ends of the link, i.e. on the 2960 and the 3750.

Jon
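The three steps above, consolidated into one configuration for both switches. This is an added example, not part of the original posts: the .254 gateway addresses for VLAN 3 and VLAN 4, the 2960 management address 192.168.100.2 and the allowed-VLAN list are assumptions, while interface names and all other addresses are those quoted in the thread.

```cisco
! ----- 3750: does the inter-VLAN routing -----
ip routing
!
vlan 2
vlan 3
vlan 4
!
! Trunk towards the 2960 (port name taken from the thread).
! Assumption: only the VLANs in use are allowed on the trunk.
interface GigabitEthernet1/0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4
!
interface Vlan1
 ip address 192.168.100.1 255.255.255.0
 no shutdown
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip helper-address 192.168.0.1
!
! Assumption: .254 is used as the gateway in VLAN 3 and VLAN 4 too.
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip helper-address 192.168.0.1
!
interface Vlan4
 ip address 192.168.0.254 255.255.255.0
!
! ----- 2960: layer 2 only, management address in VLAN 1 -----
! The Vlan2/Vlan3/Vlan4 interfaces are removed from this switch.
! Same native VLAN as the 3750 end of the trunk.
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4
!
! Assumption: .2 is the 2960's management address.
interface Vlan1
 ip address 192.168.100.2 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.100.1
```

After applying, `show interfaces trunk` on both switches should report the same native VLAN, and `show ip route` on the 3750 should list the 192.168.0.0, 192.168.2.0 and 192.168.3.0 networks as connected. The server at 192.168.0.1 also needs the VLAN 4 SVI address (192.168.0.254 as assumed here) as its default gateway so that replies reach the other VLANs.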

Jon is exactly correct. Really it almost looks like you need to swap the configs between your 3750 and your 2960. Your interface vlans on the 3750 are what do your "routing". Once those interface vlans are taken off of the 2960 and applied to the 3750 you should be good to go. Like Jon said above about your trunking connection: just trunk your 2960 and your 3750 together and have the same native vlan ("by default it's vlan 1").

It's the 2960 switch that does the authentication, so why must I delete all the VLAN interfaces from the 2960 and put them on the 3750?

Thank you

Hi Amirovic13,

Your network is simple, and it will be great if you follow the Cisco guidelines as it will help you in future expansion.

I recommend the following implementation in your network

1) Configure trunking between the 3750 and the 2960 (use GigabitEthernet for good results)

For trunking on the 3750 and 2960, use the following commands in interface mode

switchport trunk encapsulation dot1q

switchport mode trunk

For details, check www.cisco.com

2) Configure the 3750 as VTP server and the 2960 as VTP client

When the 3750 becomes a VTP server, all VLANs will be configured on the 3750 only and the same will be reflected on the 2960. Ports can be configured for any VLAN on both switches.

Commands

On the 3750, in configuration mode

vtp mode server

vtp domain “any name”

vtp password “any password”

On the 2960

vtp mode client

vtp domain “any name”

vtp password “any password”

Note:

1) Trunking should be enabled before VTP is configured.

2) Only the VLANs on the server will remain after the implementation. You can re-create the VLANs on the 3750. All the ports on the 2960 will stop forwarding during the implementation.

All ports on the 2960 will start to function after the VLAN database is replicated from the 3750 to the 2960.

3) The VLAN interfaces should have the default gateway IP address of the respective IP address. This is where inter-VLAN routing happens.

For details, check www.cisco.com

3) Apply all your access lists on the 3750 switch (the commands remain the same)

4) Make the 3750 switch the STP root (this is optional).

For details, check www.cisco.com

General Precautions

1) IP routing should be enabled on the 3750

2) A default route should be on the 2960 pointing towards the 3750.

You can use the 3750 for external connectivity, as any port of the 3750 can be used as an L3 port with the no switchport command.
