How can I get 2 VLANs to communicate with each other

Sep 23rd, 2008

Hi,

I'm just setting up a lab. I have 2 VLANs on a Cisco 2950, one for servers and one for users. Both VLANs are on different subnets:

Users: 192.168.1.x/24

Servers: 192.168.2.x/24

Would I have to make the VLANs layer 3 and give each VLAN an IP and add some sort of static route?

Thanks

karim.benhabyles Tue, 09/23/2008 - 01:46

Cisco Catalyst 2950 is a layer 2 switch. In order to allow your VLANs to communicate you need to have either a router or a layer 3.

This will allow you to activate inter-VLAN routing.

Regards,

Karim

VictorAKur Tue, 09/23/2008 - 02:01

I agree with karim. In order to set this up you will need a so called "Router on a stick" - a router connected to the 2950 with a single link (a better option). You will need to configure the interface on the 2950 connected to the router as a trunk (switchport mode trunk blah blah), and configure two (per a VLAN) subinterfaces on the router. Make sure the IOS on the router supports dot1q. Then you will need to assign IP addresses to these subinterfaces in the same ranges as your VLANs. You will need to set default gateways on your PCs to the IPs of the subinterfaces, corresponding to the VLANs the PCs are in.

Job done.

The second option is to use a L3 switch instead of the router. You will need to connect it to the 2950 over a trunk, configure the same VLANs on the L3 switch AND configure VLAN interfaces with the IP addresses in the same ranges as your VLANs. The rest is the same as in the first option.

And option 3 - to use a L3 switch instead of 2950. Then you will skip the step with trunk ports and start from the VLAN interfaces.

whiteford Tue, 09/23/2008 - 02:13

Hi,

"Router on a stick" - a router connected to the 2950 with a single link (a better option) - can you explain this a bit better? I have a Cisco 2620 and a 1721, any good?

Would a Cisco 3550 switch help too? I have one.

It's for a CCNA lab so it would be good to learn all.

Thanks

VictorAKur Tue, 09/23/2008 - 02:29

Router on a stick

The idea is to have a L3 interface per a VLAN to be able to route between them. In your case (as 2950 does not provide this option) this can be achieved by either connecting as many physical interfaces from your router to the switch as the number of VLANs you have (which is normally not possible or wise), or by configuring the corresponding number of subinterfaces on the router on one of the interfaces and then connecting the physical interface to the switch. By configuring the port on the switch as a trunk you will allow it to pass traffic for all VLANs. Router's IOS must support dot1q encapsulation in order to understand what is going on.

So as a result each subinterface on the router will act as a virtual router for each corresponding VLAN on the switch. Traffic between VLANs will be sent up the trunk to the router, where the router will make a decision what to do with it and then it will send it down one of the subinterfaces to the destination VLAN.

2620 will do it, just check with cisco.com that the IOS supports dot1q, 1721 should be able to do it too, depending on whether it can run the required IOS level or not.

3550 switch is a layer 3 switch and will do all that itself without an external router. You will need to configure VLAN interfaces one per a VLAN and assign IP addresses to them.

shane.kearney Tue, 09/23/2008 - 02:22

Hi, this is how I would overcome this issue.

Inter VLAN Routing,

Set up the network like normal, connecting the servers to the ports that are contained in the wanted VLAN, servers in VLAN 10 and users in VLAN 20. OK, with that done our next step is to set the port on the switch that is connected to the router to a trunk port. Next move to the router and enter

interface fa 0/1.10, encapsulate it using ISL or (dot1q 10), assign the interface an IP address within the server subnet; this IP will act as the default gateway for the server subnet.

When finished in this interface, exit and then enter the interface fa 0/1.20 and do the same here: encapsulate it in (dot1q 20); this is the default gateway for the Users subnet.

Now "do not" assign an IP address to the interface fa0/1; instead make it a trunking interface.

This is a quick rundown of the commands for the router.

(config-if)#interface fastethernet 0/0.10
(config-subif)#encapsulation dot1q 10
(config-subif)#ip address 192.168.1.1 255.255.255.0
! fastethernet 0/0.20: the .20 is for the VLAN number created on the switch
(config-if)#interface fastethernet 0/0.20
(config-subif)#encapsulation dot1q 20
(config-subif)#ip address 192.168.2.1 255.255.255.0

whiteford Tue, 09/23/2008 - 02:30

Looks like my routers only have 1 FE port and the WIC-1T WAN port. I guess I need another router?

whiteford Tue, 09/23/2008 - 02:33

2 x 2620's with 1 x Ethernet and 2 x WIC-1T cards

1 x 1721 with 1 x FE and 1 x WIC-1T

shane.kearney Tue, 09/23/2008 - 02:37

I have two 2500 routers and two 2950 switches. I couldn't do inter-VLAN routing with these because it was not supported by the IOS and for some reason I cannot download an IOS, so I bought a 800 series router for England and got it this week. Now no probs, all works well.

VictorAKur Tue, 09/23/2008 - 05:04

2950 won't do it as it is a L2+ switch - you can have only one VLAN interface on it for management. If you try to configure, let's say, interface VLAN 10 on it, it will admin down the default VLAN 1 interface.

VictorAKur Tue, 09/23/2008 - 07:08

2950 can do as many VLANs as you need (up to the maximum of 4096) but it can only do one VLAN interface. In other words - you can use this one interface for managing the box (telnet to it for example), but the box will never be able to do inter VLAN routing without help of an external router.

VictorAKur Tue, 09/23/2008 - 02:34

1 port is all you need. Remember though - IOS must support encapsulation (ISL or DOT1Q).

hm... I am not sure 2950 does ISL by the way.

whiteford Tue, 09/23/2008 - 02:46

So from the 2950 I would just use the one port off this for the router and the router would work out the routing and trunk info and send it back down that port to the right VLAN?

In very simple terms

Thanks

glen.grant Tue, 09/23/2008 - 03:30

Yes, one port on the router set up with subinterfaces for each subnet and the 2950 side port set up to trunk with the trunk forced on "switchport mode trunk". This will route all VLANs between each other.

whiteford Tue, 09/23/2008 - 04:08

What a great idea, I'm studying for my CCNA and someone told me you don't need to learn scenarios like this but I think it helps. Am I getting ahead of myself? Trunking is part of the CCNA, I believe?

glen.grant Tue, 09/23/2008 - 06:43

Trunking is part of everyday life in networking and absolutely something you should know like the back of your hand. :-)

whiteford Tue, 09/23/2008 - 06:52

So the 2950 and the 1721 or 2620 will need to support dot1q trunking? How can I find this out as I will need to upload the correct IOS.

VictorAKur Tue, 09/23/2008 - 07:19

It's easy enough to find out - try to configure a subinterface as per one of the posts in this thread. If it accepts commands - it is supported. If not - go on cisco.com and look for the minimum version for your hardware with required support.

whiteford Tue, 09/23/2008 - 13:21

Here are my configs. I have the router's FE 0/0 port plugged into the switch's FE 0/1 port.

A laptop in the switch's FE 0/9 VLAN 10 - 192.168.2.50/24 gateway of 192.168.2.1

A laptop in the switch's FE 0/17 VLAN 20 - 192.168.3.50/24 gateway 192.168.3.1

They can't ping each other or their own gateways, have I missed something?

Switch#sh interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

VictorAKur Tue, 09/23/2008 - 14:30

Well... you do have the Native VLAN 1 on the switch and VLAN 10 in the same network range - 192.168.2.0/24. Change the IP range of one of the VLANs. In fact you can shut down the VLAN 1 interface completely, unless you are planning to use telnet to connect to the switch in the future.

Have a look here:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

All you need really... :)
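
An added example, not part of the original posts: a small Python check over the `show interfaces ... switchport` output posted above that flags trunk settings commonly tightened on production trunks (default native VLAN 1, all VLANs allowed, trunk negotiation left on) and detects the overlapping IP ranges described in the reply. The subinterface names and the VLAN 1 address are constructed assumptions, since the actual configs were attachments and are not on the page.

```python
import ipaddress
import re

# Constructed sample: key lines of the "show interfaces ... switchport" output above.
SAMPLE = """\
Name: Fa0/1
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

def parse_switchport(text):
    """Turn 'Key: value' lines into a dict (lines without a colon are skipped)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_trunk(fields):
    """Return hardening findings for a port that is operating as a trunk."""
    findings = []
    if fields.get("Operational Mode") != "trunk":
        return findings
    m = re.match(r"(\d+)", fields.get("Trunking Native Mode VLAN", ""))
    if m and m.group(1) == "1":
        findings.append("native VLAN is the default VLAN 1")
    if fields.get("Trunking VLANs Enabled", "").upper() == "ALL":
        findings.append("all VLANs allowed on trunk")
    if fields.get("Negotiation of Trunking", "").lower() == "on":
        findings.append("trunk negotiation (DTP) enabled")
    return findings

def overlapping(interfaces):
    """Return pairs of interface names whose IP networks overlap."""
    nets = [(n, ipaddress.ip_interface(a).network) for n, a in interfaces.items()]
    return [(a, b) for i, (a, x) in enumerate(nets)
            for b, y in nets[i + 1:] if x.overlaps(y)]

# Constructed addressing mirroring the thread: VLAN 1 interface and VLAN 10 share a range.
ADDRS = {"Vlan1": "192.168.2.2/24", "Fa0/0.10": "192.168.2.1/24", "Fa0/0.20": "192.168.3.1/24"}

if __name__ == "__main__":
    for finding in audit_trunk(parse_switchport(SAMPLE)):
        print("trunk:", finding)
    for a, b in overlapping(ADDRS):
        print("overlap:", a, b)
```
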

whiteford Tue, 09/23/2008 - 23:10

I will test with no VLAN1, however how would I set the switch up so I could telnet to it as well?

Also how did you find that link, I did a search and found nothing! :)

VictorAKur Wed, 09/24/2008 - 00:46

You cannot take the VLAN1 off the switch (not 2950 any way) all you can do is to either admin down the VLAN1 interface, or change the IP range.

To telnet onto it configure a third subinterface on the router with the IP range of the VLAN 1 interface (that is if you choose the VLAN 1 as your management VLAN, typically it is advisable to configure a VLAN with some random number to be your management VLAN, for security sake).

How did I find the link? :) It is easy enough - go to http://www.cisco.com and type something like "inter vlan routing" in the search field :)

I think cisco.com is a VERY good place to look for networking solutions.

whiteford Wed, 09/24/2008 - 01:03

I guess it's knowing what to look for like "inter vlan routing", it's difficult if you don't know the correct wording sometimes :)

I will configure a different VLAN and give it the same range as what WLAN 1 was or VLAN 10 for the users as that's where I will be.

whiteford Wed, 09/24/2008 - 12:07

A little progress, the trunk is nearly working I think.

I have a PC (PC A) with:

IP address - 192.168.2.50

Gateway - 192.168.2.1

In Port 9 of switch

I have a PC (PC B) with:

IP address - 192.168.3.10

Gateway - 192.168.3.1

In Port 17 of switch

PC A can ping 192.168.2.1 and 192.168.3.1

PC B can ping 192.168.3.1 but NOT 192.168.2.1

What could this be?

whiteford Tue, 09/23/2008 - 12:39

Hi,

I'm not sure my Cisco 2620 (45 or 48mb mem) can do trunking, would it be the same trunk commands as the switch?

Trying to look for an IOS with not much luck.

VictorAKur Tue, 09/23/2008 - 14:33

Check the IP addresses on your VLANs 1 and 10 - they are in the same range. If it couldn't do trunking it wouldn't have accepted the commands.