VLAN setup with c3750

Answered Question
Nov 1st, 2008

Hi All,

I am new to VLANs and need help. I have read previous posts but cannot solve all my needs, so here is the question. The network diagram is attached. VLAN 1 will hold the Windows 2003 DC, DHCP, and DNS.

VLANs 2 and 3 are workstations.

All workstations in VLAN 2 and 3 can get an IP address, DNS service, and file service from the DC in VLAN1, and access the Internet through the Firewall Proxy in VLAN1.

TIA

Correct Answer
Jon Marshall Sat, 11/01/2008 - 08:19

3750(config)# ip routing

3750(config)# vlan 2

3750(config-vlan)# name vlan2

3750(config)# vlan 3

3750(config-vlan)# name vlan3

3750(config)# int vlan 1

3750(config-if)# ip address 192.168.16.1 255.255.240.0

3750(config)# int vlan 2

3750(config-if)# ip address 192.168.32.1 255.255.240.0

3750(config-if)# ip helper-address

3750(config-if)# no shut

3750(config)# int vlan 3

3750(config-if)# ip address 192.168.48.1 255.255.240.0

3750(config-if)# ip helper-address

3750(config-if)# no shut

Then you need to assign ports into VLANs, so for example, if you want the PC on port gi1/0 in vlan 2:

int gi1/0

switchport access vlan 2

Each server/PC's default-gateway will be its respective IP address on the L3 vlan interface you configured above.

Jon

markxgzhang Sat, 11/01/2008 - 16:19

Jon, the configuration is done, but I tried to connect a client on VLAN2, and it cannot get an IP from DHCP. Also, I cannot ping 192.168.32.1 when the client is physically attached to VLAN1. Attached is a DHCP snapshot. Is a trunk needed here for a single switch? Here is the running config:

Current configuration : 1700 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Switch

!

!

no aaa new-model

switch 2 provision ws-c3750-24ts

system mtu routing 1500

vtp domain zad

vtp mode transparent

ip subnet-zero

ip routing

!

!

!

! no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 2

name vlan2

!

vlan 3

name vlan3

!

vlan 10

name servers

!

vlan 20

name workstations

!

interface FastEthernet2/0/1

!

interface FastEthernet2/0/2

!

interface FastEthernet2/0/3

!

interface FastEthernet2/0/12

!

interface FastEthernet2/0/13

switchport access vlan 2

switchport mode access

!

!

interface FastEthernet2/0/24

!

interface GigabitEthernet2/0/1

!

interface GigabitEthernet2/0/2

!

interface Vlan1

ip address 192.168.16.1 255.255.240.0

!

interface Vlan2

ip address 192.168.32.1 255.255.240.0

ip helper-address 192.168.16.2

!

interface Vlan3

ip address 192.168.48.1 255.255.240.0

ip helper-address 192.168.16.2

!

ip classless

ip http server

!

!

control-plane

!

!

line con 0

line vty 0 4

login

line vty 5 15

login

!

End

Try to ping

Switch#ping 192.168.32.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.32.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Jon Marshall Sun, 11/02/2008 - 04:04

Mark

Can you

1) Leave the DHCP/DNS server in vlan 1

2) Attach your client to a port allocated into vlan 2

3) Hardcode an IP address from the vlan 2 range on your client and then try

i) ping 192.168.32.1

ii) ping 192.168.16.2

Let me know results.

Edit - after doing the above could you also post the output of

"sh vlan"

"sh ip int brief"

Note that your L3 vlan interfaces will only show up/up if you have an active port in that vlan so you will not be able to ping 192.168.32.1 if you don't have a client up and running allocated into that vlan.

Jon

markxgzhang Sun, 11/02/2008 - 13:08

Hi Jon,

Actually I found where the problem is. It all comes back to basics. The DHCP box's default gateway was pointing to somewhere else instead of the default gateway of the vlan. After I changed it to the gateway of the vlan, DHCP is working. Devices from different VLANs can get an IP address, and access things across VLANs.

Thank you very much.
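Added example (not part of the original posts): a small Python model of why the server's default gateway decided whether relayed DHCP worked, and why a server that hears the broadcast directly hands out its own subnet's range. It assumes a single-homed server with only a default route; the addressing is the thread's, and the wrong gateway 192.168.16.254 is a constructed value.

```python
import ipaddress

# Addressing from the thread. The "wrong" gateway used below is constructed.
SVIS = {
    "Vlan1": ipaddress.ip_interface("192.168.16.1/20"),
    "Vlan2": ipaddress.ip_interface("192.168.32.1/20"),
    "Vlan3": ipaddress.ip_interface("192.168.48.1/20"),
}
DHCP_SERVER = ipaddress.ip_interface("192.168.16.2/20")
SCOPES = [svi.network for svi in SVIS.values()]


def select_scope(giaddr, server=DHCP_SERVER, scopes=SCOPES):
    """Pick the address pool: by giaddr if relayed, else by the server's own IP."""
    giaddr = ipaddress.ip_address(giaddr)
    key = server.ip if giaddr.is_unspecified else giaddr
    return next((s for s in scopes if key in s), None)


def reply_next_hop(giaddr, gateway, server=DHCP_SERVER):
    """Next hop the server uses for its unicast reply to the relay (giaddr)."""
    giaddr = ipaddress.ip_address(giaddr)
    if giaddr in server.network:
        return giaddr                      # on-link: delivered directly
    return ipaddress.ip_address(gateway)   # off-link: handed to default gateway


def relay_check(gateway, server=DHCP_SERVER, svis=SVIS):
    """Per relayed VLAN: does the server's reply get back to the switch?"""
    switch_addrs = {svi.ip for svi in svis.values()}
    result = {}
    for name, svi in svis.items():
        if server.ip in svi.network:
            continue  # server's own VLAN: plain broadcast, no relay involved
        # ip helper-address makes the switch stamp giaddr with this SVI's IP
        result[name] = reply_next_hop(svi.ip, gateway, server) in switch_addrs
    return result


if __name__ == "__main__":
    for gw in ("192.168.16.254", "192.168.16.1"):
        print(gw, relay_check(gw))
    print(select_scope("0.0.0.0"), select_scope("192.168.32.1"))
```
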

markxgzhang Sun, 11/02/2008 - 20:56

Thanks Jon.

There is another question from this dummy guy. If I want to route traffic out of VLANs to access the Internet through a firewall, do I need a routed-port on the switch as a representative of the VLANs? How do I establish this relationship between the routed-port and VLANs? What should I do to achieve this?

Thanks

Jon Marshall Mon, 11/03/2008 - 00:36

Mark

Glad you got it working and no problem with further questions, that's what NetPro is for :-)

Is the firewall connected to the 3750 switch?

You don't necessarily need a routed port, you could just use another vlan. It really depends on where the firewall is in relation to your addressing.

What you would need is a default-route on your 3750 pointing to the internal interface of your firewall, i.e.

ip route 0.0.0.0 0.0.0.0

then on the firewall you would need to add routes for the vlans on the 3750 switch. The next-hop would either be a vlan interface on the 3750 or as you say it could be a routed port.

If you could let me know whether the firewall is in one of your existing vlans and where it is connected to, I can be more specific.

Jon

markxgzhang Sun, 11/02/2008 - 00:22

Hi Jon,

Here is the command list

Switch(config)# int vlan 1

Switch(config-if)# ip address 192.168.16.1 255.255.240.0

Switch(config-if)# no shut

Switch(config)# int vlan 2

Switch(config-if)# ip address 192.168.32.1 255.255.240.0

Switch(config-if)# ip helper-address 192.168.16.2

Switch(config-if)# no shut

Switch(config)# int vlan 3

Switch(config-if)# ip address 192.168.48.1 255.255.240.0

Switch(config-if)# ip helper-address 192.168.16.2

Switch(config-if)# no shut

Switch(config)#int range fa1/0/7 - 12

Switch(config-if-range)#switchport access vlan 2

Switch(config-if-range)#switchport mode access

Switch(config)#int range fa1/0/13 - 18

Switch(config-if-range)#switchport access vlan 3

Switch(config-if-range)#switchport mode access

Test results are as follows:

When I plug the Windows 2003 DC and DHCP server into one of the VLAN1 ports, and plug one WinXP into another VLAN1 port, the WinXP can get an IP address from the DHCP server, which is an address within the VLAN1 range.

When I plug the Windows 2003 DC and DHCP server into one of the VLAN1 ports, and plug one WinXP into one of the VLAN2 ports, the WinXP CANNOT get an IP address from the DHCP server.

When I plug the Windows 2003 DC and DHCP server into one of the VLAN2 ports, and plug one WinXP into one of the VLAN2 ports, the WinXP CAN get an IP address, but it is an address from the VLAN1 range. Other than that, everything is fine. But the VLAN here really does not have any meaning, does it?

Can anyone tell me how to fix this problem please?

ohassairi Sun, 11/02/2008 - 01:40

Try adding this command under interface vlan 2, 3, ...

ip directed-broadcast

markxgzhang Sun, 11/02/2008 - 20:59

Thanks guys,

There is another question from this dummy guy. If I want to route traffic out of VLANs to access the Internet through a firewall, do I need a routed-port on the switch as a representative of the VLANs? How do I establish this relationship between the routed-port and VLANs? What should I do to achieve this?

Thanks
