Re: CISCO 6509 VLANS - Page 2

par13 · ‎07-08-2009

I have created three vlans

VLAN 100

VLAN 200

VLAN 300

The cisco 3550 are configure with each respective vlan 100, 200, and 300.

As soon as I plug the switch on the fiber module, I notices the switch been added to the proper VLAN. I have execute the command sh vlan 100, and it shows the switches configure for vlan 100. The same thing for vlan 200 and 300.

However, I notices some switches were added to the wrong vlans. Is there a command or configuration that I am doing that is causing this issue?

Thanks

par13 · ‎07-09-2009

I think my configuration match to this configuration. We are able to have two switches working with the cisco 6509. Howeve, other switches on difeferent vlans 100 and 200 will not talk to the router.

The switches complaint the vlan mistmatch configuration. Therefore, on the router, the native vlan is set to 1 when it should be set to either 100 or 200 or even 300.

I'm not sure how the router can work fine with two swtiches but not the other switches. It is the same configuration on the rest of the switches.

My thinking is that there is something in the router that will not allow the other switches to work correctly.

Can you explain?

Jerry Ye · ‎07-09-2009

Hi Pedro,

You have to fix the native vlan mismatch first. This is can cause spanning tree loop which can lead to a network outage.

I saw your configuration has HSRP configured, do you have a 2nd pair of 6500? Also, Can your 3550's ping the default gateway? If not, make sure you have the following commands if the 3550's will be doing L2 only:

no ip routing

ip default-gateway x.x.x.1

HTH,

jerry

par13 · ‎07-09-2009

Hi Jerry,

no, the switches having issues can not ping their default gateway, or the router can't ping the switches ip address.

I started changing the switches using

vtp transparent

Can I use vtp server, too?

thanks

par13 · ‎07-09-2009

Jerry,

the ip default-gateway is this for the switch management ip address or the host ip address.

thanks

Jerry Ye · ‎07-09-2009

Hi Pedro,

The ip default-gateway command is for the switch management.

I don't suggest you to put the 3550's into server mode. You can leave them on client. If you've decided to changed the VTP mode to client from transparent, please make sure revision number is lower than the server.

Regards,

jerry

par13 · ‎07-09-2009

Jerry,

the ip default-gateway is this for the switch management ip address or the host ip address.

thanks

Jerry Ye · ‎07-09-2009

Hi Pedro,

ip default-gateway is for the switch management. It has nothing to do with the host.

For example, when a host on VLAN100 is attached to the 3550, traffic will trunked to your 6500, if it wants to access anything outside VLAN100. It will use the ip address on the 6500's interface vlan 100 as its default router.

Regards,

jerry

par13 · ‎07-09-2009

ok, let's start with my basic switch configuration. Can you critic or say if this is correct?

en

vlan database

vtp transparent

apply

exit

Config t

hostname LV-126B-AC-181-194

!

enable secret 5 $1$27ar$DnvrYBhnNW5eyTF2JgHIe.

enable password 7 0307585A5E5A744058

!

username admin password 7 1414115A54517F2732

!no aaa new-model

!ip subnet-zero

!

ip domain-name lv.psu.edu

ip ssh version 2

!

int range f0/1 - 24

description academic

switchport access vlan 100

switchport mode access

!

interface GigabitEthernet0/1

description Trunk to Cisco6509 router

switchport trunk encapsulation dot1q

switchport mode trunk

no shut

!

interface GigabitEthernet0/2

switchport mode dynamic desirable

!

interface Vlan1

no shut

!

interface Vlan100

description Academic

ip address 172.31.181.194 255.255.255.192

ip default-gateway 172.31.181.193

no shut

ip classless

ip http server

ip http secure-server

!

banner motd #

*****************************************************

** **

** WARNING: Unauthorized access to this system **

** is forbidden and will be prosecuted by law. **

** By accessing this system, you agree that your **

** actions may be monitored if unauthorized usage **

** is suspected. Only authorized Penn State **

** Lehigh Valley Campus **

*****************************************************

#

!

line con 0

exec-timeout 0 0

line vty 0 4

password 7 1511085D5C7F7E283E

login local

transport input telnet ssh

line vty 5 15

password 7 094F4D584150421E1D

no login

!

end

wr

Jerry Ye · ‎07-09-2009

!

interface Vlan100

description Academic

ip address 172.31.181.194 255.255.255.192

no shut

!

ip default-gateway 172.31.181.193

no ip routing

par13 · ‎07-09-2009

As far the cisco router, the OS version use set commands and not the latest cisco IOS. what do I need to eliminated or add to this configuration?

SRVRM-6509-MSFC1#sh run

Building configuration...

Current configuration : 3547 bytes

!

! Last configuration change at 08:52:47 EDT Thu Jul 9 2009

! NVRAM config last updated at 17:08:29 EDT Wed Jul 8 2009

!

version 12.1

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname SRVRM-6509-MSFC1

!

boot system bootflash:c6msfc2-psv-mz.121-13.E3.bin

boot bootldr bootflash:c6msfc2-boot-mz.121-13.E3.bin

no logging console

enable secret 5 $1$k3j8$vSFg2vXjmUMrtU/pxlCTX/

enable password 7 08121C430B0B0005424A

!

clock timezone EST -5

clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

clock calendar-valid

ip subnet-zero

!

interface Loopback0

ip address 10.5.12.1 255.255.255.255

!

interface Vlan1

description Management VLAN

ip address 172.31.181.189 255.255.255.192

no ip redirects

standby 1 ip 172.31.181.129

standby 1 priority 120

standby 1 preempt

!

interface Vlan100

description Lab 214 VLAN

ip address 146.186.50.253 255.255.255.0

no ip redirects

standby 1 ip 146.186.50.1

standby 1 priority 120

standby 1 preempt

!

interface Vlan200

description LAB 200 VLAN

ip address 146.186.27.253 255.255.255.0

ip helper-address 146.186.27.3

no ip redirects

standby 1 ip 146.186.27.1

standby 1 priority 120

standby 1 preempt

!

interface Vlan300

description Wireless Lan

ip address 172.31.13.254 255.255.255.0

no ip redirects

standby 1 ip 172.31.13.1

standby 1 priority 120

standby 1 preempt

!

ip classless

ip route 146.186.27.0 255.255.255.0 172.31.181.129

ip route 146.186.50.0 255.255.255.0 172.31.181.193

ip route 172.31.13.0 255.255.255.0 172.31.13.1

no ip http server

!

access-list 101 permit ip 146.186.27.0 0.0.0.255 0.0.0.0 255.255.255.0

access-list 102 permit ip 146.186.27.0 0.0.0.255 0.0.0.0 255.255.255.0

access-list 103 permit ip 146.186.27.0 0.0.0.255 0.0.0.0 255.255.255.0

access-list 105 permit ip 146.186.27.0 0.0.0.255 host 172.31.181.131

access-list 106 permit ip 146.186.27.0 0.0.0.255 host 172.31.13.10

access-list 107 permit ip 146.186.27.0 0.0.0.255 0.0.0.0 255.255.255.192

access-list 121 permit ip 172.31.181.0 0.0.0.255 172.31.13.0 0.0.0.255

snmp-server community BR0WSE RO

snmp-server community b0wl1ng RW

snmp-server community private RW

snmp-server community BROWSE RO

snmp-server enable traps snmp authentication warmstart

snmp-server enable traps slb real virtual csrp

snmp-server enable traps flash insertion removal

snmp-server enable traps hsrp

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps fru-ctrl

snmp-server enable traps bgp

snmp-server enable traps rsvp

snmp-server enable traps frame-relay

snmp-server enable traps rtr

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps dlsw

snmp-server host 10.5.1.163 2

!

tacacs-server host 10.0.13.110

tacacs-server timeout 10

tacacs-server key 1cecacseng1key1

ntp clock-period 17179855

ntp source Loopback0

ntp master 2

ntp update-calendar

end

Jerry Ye · ‎07-09-2009

Hi Pedro,

I finally see what is the problem. On your 3550 LV-126B-AC-181-194, you cannot assign Vlan100 with the IP address of 172.31.181.194. The reason is this Vlan100 is the same Vlan100 on your 6500, they cannot be o different IP subnet. Also, which is your default gateway for management Vlan? Which router is 172.31.181.193? I can only see your default to be 172.31.181.129.

To get the 3550 to work, this is what you can do:

no interface vlan100

!

interface Vlan1

description Academic

ip address 172.31.181.194 255.255.255.192

no shut

!

ip default-gateway 172.31.181.129

HTH,

jerry

par13 · ‎07-09-2009

Hi Jerry

I was assigned three subnets to manage the administrative switches, academic switches and the wireless switches.

Administrative switches 172.31.181.128/26

Academic Switches 172.31.181.128/26

Wireless Switches and APs 172.31.13.0/24

Do I use one address of the three subnets, or do I need to have a separate subnet for the router. And/or all network switches needs to be under one single subnet?

Thanks

Jerry Ye · ‎07-09-2009

Hi Pedro,

Okay, let's talk about design. Since your Administrative switches and your Acadamic switches are in the same subnet, 172.31.181.128/26, they need to be on the same VLAN.

Since Wireless Switches and AP's are in 172.31.13.0/24, this need to be on a different VLAN.

I am assuming this is for management devices.

HTH,

jerry

par13 · ‎07-09-2009

ok,

If I understood correctly, the two subnets

172.31.181.128/26 and 172.31.181.192/26 needs to be let's say VLAN 200.

And, wireless network 172.31.13.0/24 on VLAN 300.

Now, before I carry away, I'm not sure if you notice the router has three vlans, 100, 200 and 300 with the gateway of each respective subnet.

thanks

Jerry Ye · ‎07-09-2009

Hi Pedro,

"172.31.181.128/26 and 172.31.181.192/26 needs to be let's say VLAN 200", these are two (2) different networks and they need to be on two (2) different VLAN, let's say 200 VLAN 201 and VLAN 202.

On your current 6500 configuration -

!

interface Vlan100

description Lab 214 VLAN

ip address 146.186.50.253 255.255.255.0

no ip redirects

standby 1 ip 146.186.50.1

standby 1 priority 120

standby 1 preempt

!

interface Vlan200

description LAB 200 VLAN

ip address 146.186.27.253 255.255.255.0

ip helper-address 146.186.27.3

no ip redirects

standby 1 ip 146.186.27.1

standby 1 priority 120

standby 1 preempt

!

interface Vlan300

description Wireless Lan

ip address 172.31.13.254 255.255.255.0

no ip redirects

standby 1 ip 172.31.13.1

standby 1 priority 120

standby 1 preempt

!

You are using VLAN100 for Lab 214 and VLAN 200 for Lab 200. You cannot reuse this VLAN ID for other address, this is the reason why the two (2) 3550's (VLAN100 and VLAN200) cannot take the the default gateway. VLAN300 is correct by comparing from the information you gave me.

HTH,

jerry