Cisco 3548 XL Vlan

Unanswered Question

I'm trying to set up two simple VLANs on the Cisco 3548 XL. They both will connect to a Cisco 2600. At this moment, I have been successful in creating the two VLANs on the Cisco 3548 XL and created two entries on the Cisco 2600, fa0/0.1 and fa0/0.2.

However, the client computers are not able to ping the gateway. And, on the switch, it is showing the two vlan status down protocol down.

Can you help?

Thanks

iyde Tue, 06/16/2009 - 11:56

You have to configure encapsulation on the Fa0/0.1 and Fa0/0.2 interfaces using ISL trunking, as the 3548XL only (as far as I remember) supports ISL. The 'encapsulation isl' command will include a VLAN number. These two VLAN numbers will have to be the VLANs you configure on the 3548XL.

The IP addresses on those two sub-interfaces will be the default gateway for their respective VLAN.

On the 3548XL the interface that connects to the 2600 will have to be configured as a trunk port.

Example:

2600:

interface FastEthernet 0/0
 no ip address
interface FastEthernet 0/0.1
 encapsulation isl 1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet 0/0.2
 encapsulation isl 2
 ip address 10.1.2.1 255.255.255.0
!

[Note that the sub-interface number and the encapsulation isl number do not have to be the same, but it is easier to remember when you make them the same]

3548XL:

interface FastEthernet0/1
 description Trunk to Cisco2600 router
 switchport mode trunk
!

That should be it - if my memory does not fail me :-)

HTH

I have included two configurations cisco 3548 xl and cisco 2600.

Thanks

CISCO 3548 XL

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
ip subnet-zero
ip domain-name lv.psu.edu
interface FastEthernet0/1
 description Administrative
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
!
interface FastEthernet0/47
 description Administrative
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/48
 description Administrative
 switchport access vlan 100
!
interface GigabitEthernet0/1
 description Room 147A East Wing Administrative/ Academic Networks
 no flowcontrol
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,200,1002-1005
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Room 147A - East Side Administrative/ Academic Networks
 keepalive 10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,200,1002-1005
 switchport mode trunk
!
interface VLAN1
 ip address 172.31.181.133 255.255.255.192
 no ip directed-broadcast
 no ip route-cache
!
interface VLAN100
 ip address 146.186.50.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
interface VLAN200
 ip address 146.186.27.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 shutdown
!
ip default-gateway 146.186.50.1
banner motd ^C
*****************************************************
*****************************************************
** **
** WARNING: Unauthorized access to this system **
** is forbidden and will be prosecuted by law. **
** By accessing this system, you agree that your **
** actions may be monitored if unauthorized usage **
** is suspected. Only authorized Penn State **
** Lehigh Valley Campus **
*****************************************************
*****************************************************
^C
!
line con 0
 exec-timeout 0 0
 transport input none
 stopbits 1
line vty 0 4
 password 7 1511085D5C7F7E283E
 login local
line vty 5 15
 password 7 094F4D584150421E1D
 no login
!
end

CISCO 2600

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname psu-lv
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST -5
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip routing
no ip cef
interface FastEthernet0/0
 no ip address
 no ip route-cache
 speed auto
 half-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 146.186.50.1 255.255.255.0
 no ip redirects
 no ip route-cache
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 146.186.27.1 255.255.255.0
 no ip redirects
 no ip route-cache
!
interface Serial0/0
 no ip address
 no ip route-cache
 shutdown
!
ip http server
ip classless

iyde Tue, 06/16/2009 - 13:15

Okay; 3548XL actually does support dot1Q, then - my bad memory :-)

You actually don't show which interface of the switch is connecting to the 2600; I will assume that it is FastEthernet 0/1.

Looking at your router config you have:

interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 146.186.50.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 146.186.27.1 255.255.255.0

On the switch you have:

interface FastEthernet0/1
 description Administrative
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005

So on the router you have in effect made VLAN 1 and VLAN 2 (encapsulation dot1Q x, where x equals the VLAN number) while the switch operates with VLAN 100 and 200 on the access ports.

Change the router encapsulation to 'encapsulation dot1Q 100 native' and 'encapsulation dot1Q 200', respectively.

Also note that a 3548XL is a Layer 2 switch. This means that the only thing it needs an IP address for is for management. Notice that even though you have (and have been allowed to) configured IP addresses on interface VLAN 100/200, both those interfaces are in shutdown. Only one VLAN interface with an IP address can be active at any given time, and by default it is VLAN 1 on a Cat3548XL.

So to test your setup, you will first have to change the config on the router and secondly put a PC onto a switch access port (like your FastEthernet0/47 or 0/48), give the PC an IP address in the right IP subnet and the IP address of the 2600 router subinterface as the gateway and then you should achieve a positive result.

Edit: I missed some details:

1. On the router, have both speed and duplex of FastEthernet0/0 set to auto. Alternatively, set speed to 100 and duplex to full at both ends of the connection (router and switch).

2. If you go with my suggestion of keeping VLAN 100 and VLAN 200 on the switch, the 2600 FastEthernet0/0.1 should have 'encapsulation dot1Q 100' (notice the missing native keyword).

With that the physical interface FastEthernet0/0 will determine the native VLAN, and as you do not have anything here you actually improve the security of the setup. This is because the recommendation for avoiding VLAN hopping is to not have anything running in the native VLAN.

3. On switch FastEthernet0/1 you need to allow VLAN 200 as well:

switchport trunk allowed vlan 1,100,200

HTH.
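Added example, not part of the original thread or written by any poster: the router/switch VLAN mismatch discussed above can be checked mechanically before testing with a PC. The sketch below parses constructed excerpts of the two posted configurations; the `expand` and `audit` helper names are hypothetical, and FastEthernet0/1 is assumed to be the switch port facing the router, as in the post above.

```python
import re

# Constructed excerpts of the two configurations posted in this thread.
ROUTER = """\
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
interface FastEthernet0/0.2
 encapsulation dot1Q 2
"""
SWITCH = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
interface FastEthernet0/47
 switchport access vlan 200
interface FastEthernet0/48
 switchport access vlan 100
"""

def expand(spec):
    """Expand an IOS VLAN list such as '1,100,1002-1005' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(router_cfg, switch_cfg, trunk_port):
    """Return findings for a router-on-a-stick link (hypothetical helper)."""
    tagged = {int(v): bool(n) for v, n in
              re.findall(r"encapsulation dot1Q (\d+)( native)?", router_cfg)}
    access = {int(v) for v in re.findall(r"switchport access vlan (\d+)", switch_cfg)}
    # Isolate the trunk port's stanza, then read its allowed-VLAN list.
    stanza = re.search(rf"interface {re.escape(trunk_port)}\n((?: .*\n?)*)", switch_cfg)
    m = re.search(r"trunk allowed vlan ([\d,\-]+)", stanza.group(1) if stanza else "")
    allowed = expand(m.group(1)) if m else set()
    findings = []
    for v in sorted(access - set(tagged)):
        findings.append(f"VLAN {v}: access ports exist but no router subinterface")
    for v in sorted(set(tagged) - access):
        findings.append(f"VLAN {v}: router subinterface but no access port")
    for v in sorted(access - allowed):
        findings.append(f"VLAN {v}: not allowed on trunk {trunk_port}")
    for v in sorted(v for v, native in tagged.items() if native and v in access):
        findings.append(f"VLAN {v}: user VLAN is the native (untagged) VLAN")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ROUTER, SWITCH, "FastEthernet0/1")))
```

Run against the posted excerpts it reports five findings; with the router retagged to VLANs 100 and 200 (no native keyword) and VLAN 200 added to the trunk's allowed list, it reports none.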

Leo Laohoo Tue, 06/16/2009 - 16:44

In addition to Glenn's post, go to the VLAN database and remove VLANs 100 & 200:

no vlan 100
no vlan 200
exit

As for the Cisco 2600, how can I make sure the two subnets do not see each other? I noticed that after configuring the information on the router, the two subnets can now ping each other, or computers see each other.

If I go into production, this could create a security threat.

I have two goals:

1) I have a firewall before the router. Whether port traffic is allowed or not will be handled at the firewall. The router should not permit the two subnets to interact.

2) I'd like to be able to direct the two individual subnets going out from the router to the firewall in two separate interfaces.

Can you provide an example of how to accomplish these two goals?

Thanks
