03-25-2008 09:22 AM - edited 03-05-2019 09:57 PM
Hello,
I must configure 2960 switches for a lab (NAP platform). It's the same as NAC.
My Windows server is configured with fixed address: 192.168.0.1.
On the switch I have several VLANs.
VLAN2: non-compliant users: 192.168.2.x
VLAN3: compliant users: 192.168.3.x
VLAN4: Management (all servers): 192.168.0.x my server (DC+DHCP) is in this vlan.
The enforcement works fine, but I cannot access my domain because the server is in VLAN4.
How can I (without a ROUTER) access my server, which is on VLAN4?
Thank you
03-25-2008 09:28 AM
What VLAN are you on when trying to access VLAN 4?
All of the interface vlans are configured and will route between them. I do notice you have ACLs configured and you may want to verify that you are not being blocked by any of them.
03-25-2008 09:43 AM
Hi,
When the computer is compliant, it is assigned to VLAN3, and when it is non-compliant, it is assigned to VLAN2.
Now, for example, I'm compliant, so I'm on VLAN 3 with IP address 192.168.3.x.
I want to access the domain. My server (DC) is configured with a fixed IP, 192.168.0.1, so it is on VLAN4. I cannot access it because the switch cannot route.
What can I do?
I removed the ACL. In any case, the ACLs are not a problem because I did not prohibit access to the 192.168.0.x networks.
Thanks for your help
03-25-2008 10:18 AM
Yes, you do have a 2960 and cannot do L3 switching with it. So being able to talk to another VLAN on this switch without the use of a router is not possible. You need a router to be able to identify different VLANs and forward them properly.
M
03-25-2008 10:24 AM
I don't have a router, but I have a 3750 switch.
Can I trunk 16 2960 switches to the 3750 switch to route between VLANs?
I know that the 3750 is not a router, but it has routing functionality, so my question is whether it is possible to do a trunk in this case, and how exactly I can do it.
Thank you very much for your help
03-25-2008 10:49 AM
Yes, a 3750 can do your routing. What you will need to do is enable routing (ip routing) and then trunk all of your access 2960 switches back to the 3750. The 3750 will be able to route not using physical interfaces but using the Switched Virtual Interface (SVI). These SVIs are your interface VLANs. Ensure that the default gateways for your hosts are the interface VLAN IPs on the 3750. If you need to route outside of this scenario, ensure that you put a gateway of last resort on the 3750 to your next hop.
MC
Hope this helps!
03-25-2008 11:06 AM
I would be grateful if you could clarify your answer with an example.
- How do I configure the SVI?
- How do I specify that the default gateway for my hosts is the interface VLAN IP on the 3750?
- On the 2960 switch, when I want to configure the trunk, I enter:
switch# int fast 0/1
switch# switchport mode trunk
switch# switchport trunk "I don't find ENCAPSULATION here" ... I have "allowed", "native" or "pruning", so what should I enter?
Thanks so much
03-25-2008 11:23 AM
The SVI is just your interface vlan that you create on your router
interface vlan 111
ip add x.x.x.x x.x.x.x <----The int vlan is an SVI
Your default gateway can either be statically set or be placed in your dhcp scope as the default gateway
--encapsulation is dot1q by default on a 2960
03-25-2008 12:17 PM
I tried to configure routing on the 3750, but it is still not working.
Can you help me and show me how I must configure the 3750 switch (router) in my case?
Thank you very much
03-25-2008 12:42 PM
What is the config on your 3750?
03-26-2008 04:16 AM
Hello,
I am sending you my config on the 2960 and 3750 switches.
On the SWITCH 2960:
switch2960# int fastethernet 0/1
switchport mode trunk
switchport trunk native vlan 2
switchport trunk native vlan 3
switchport trunk native vlan 4
and I also entered:
switch2960# default gateway 192.168.100.1
switch3750# switchport mode trunk
switchport trunk encapsulation dot1q
I also configured:
switch3750# interface VLAN1
ip address 192.168.100.1 255.255.255.0
Normally, I should put the IP on the interface
switch3750#interface gigabitethernet 1/0/13
ip "address" ... but the command "address" doesn't exist here. That's the reason why I put the address on the VLAN1 interface.
With this configuration, routing doesn't work.
Thank you very much
03-26-2008 04:32 AM
Hi
1) You need to move all the interface vlan config from the 2960 to the 3750, so as an example
interface Vlan2
ip address 192.168.2.254 255.255.255.0
ip helper-address 192.168.0.1
Delete this from the 2960 and put it on the 3750. Do this for all the VLANs.
2) On the 2960 you need to give the vlan 1 interface an ip address from the vlan 1 subnet range ie.
int vlan 1
ip address 192.168.100.x
Your default-gateway on the 2960 is fine
3) Your trunk connection - you need to have the same native VLAN on both ends of the link, i.e. on the 2960 and the 3750.
Jon
03-26-2008 05:08 AM
Jon is exactly correct. Really, it almost looks like you need to swap the configs between your 3750 and your 2960. Your interface VLANs on the 3750 are what do your "routing". Once those interface VLANs are taken off of the 2960 and applied to the 3750, you should be good to go. Like Jon said above about your trunking connection: just trunk your 2960 and your 3750 together and have the same native VLAN (by default it's VLAN 1).
03-26-2008 11:48 AM
It's the 2960 switch that does the authentication, so why must I delete all the interface VLANs from the 2960 and put them on the 3750?
Thank you
03-26-2008 05:12 AM
Hi Amirovic13,
Your network is simple, and it will be great if you follow the Cisco guidelines, as it will help you in future expansion.
I recommend the following implementation in your network:
1) Configure trunking between the 3750 and the 2960 (use GigabitEthernet for good results)
For trunking on the 3750 and 2960, use the following commands in interface mode:
switchport trunk encapsulation dot1q
switchport mode trunk
For details, check www.cisco.com
2) Configure the 3750 as VTP server and the 2960 as VTP client
When the 3750 becomes a VTP server, all VLANs will be configured on the 3750 only and the same will be reflected on the 2960. Ports can be configured for any of them on both switches.
Commands
On the 3750, in configuration mode:
vtp mode server
vtp domain "any name"
vtp password "any password"
On the 2960:
vtp mode client
vtp domain "any name"
vtp password "any password"
Note:
1) Trunking should be enabled before VTP is configured.
2) Only the VLANs on the server will remain after the implementation. You can re-create the VLANs on the 3750. All the ports on the 2960 will stop forwarding during the implementation.
All ports on the 2960 will start to function after the VLAN database is replicated from the 3750 to the 2960.
3) The VLAN interface should have the default gateway IP address for the respective IP addresses. This is where inter-VLAN routing happens.
For details, check www.cisco.com
3) Apply all your access lists on the 3750 switch (the commands remain the same)
4) Make the 3750 switch the STP root (this is optional).
For details, check www.cisco.com
General Precautions
1) IP routing should be enabled on the 3750
2) A default route should be set on the 2960 pointing towards the 3750.
You can use the 3750 for external connectivity, as any port of the 3750 can be used as an L3 port with the no switchport command.
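The layout described in the replies above (SVIs and `ip routing` on the 3750, a trunk with the same native VLAN on both ends, the 2960 left at layer 2, access lists applied on the 3750), written out as an added example that is not from any poster in the thread. The .254 SVI addresses for VLAN 3 and VLAN 4, the 2960's 192.168.100.2 address, the VLAN names and the QUARANTINE-IN access list are assumptions; the access list shows one way to keep the non-compliant VLAN from reaching VLAN 3 once routing is switched on.

```cisco
! ===== 3750: routes between the VLANs (constructed example) =====
ip routing
vlan 2
 name NONCOMPLIANT
vlan 3
 name COMPLIANT
vlan 4
 name MGMT
!
interface GigabitEthernet1/0/13
 description Trunk to 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4
!
interface Vlan1
 ip address 192.168.100.1 255.255.255.0
 no shutdown
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip helper-address 192.168.0.1
 ip access-group QUARANTINE-IN in
 no shutdown
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip helper-address 192.168.0.1
 no shutdown
interface Vlan4
 ip address 192.168.0.254 255.255.255.0
 no shutdown
!
! Assumed policy: non-compliant hosts get DHCP and the DC/DHCP server only
ip access-list extended QUARANTINE-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.2.0 0.0.0.255 host 192.168.0.1
 deny ip any any
!
! ===== 2960: layer 2 only, interface Vlan2-4 removed, one native VLAN =====
vlan 2-4
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4
interface Vlan1
 ip address 192.168.100.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.100.1
```

Hosts in each VLAN, including the server at 192.168.0.1, need the matching SVI address as their default gateway. Running `show interfaces trunk` on both switches confirms that the native VLAN and allowed list agree on each end.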