Solved: setup a switch port for 2 vlans

huwyhuwy123 · ‎11-09-2011

hi there,

I'm trying to setup a port on a catalyst 3750 so it will pass traffic for 2 vlans. It connects to a (watchguard) firewall which I've configured with a primary IP (for vlan 27) and a secondary IP (for vlan 29).

However I can't seem to find the correct commands to enter on the cisco switch port (I've tried a variety). Can anyone help?

Cheers,

Al

FYI the current configuration is...

interface FastEthernet1/0/38

description ## Connection to WG vlan27 and vlan 29 ##

switchport trunk encapsulation dot1q

switchport trunk native vlan 27

switchport trunk allowed vlan 27,29

switchport mode trunk

switchport nonegotiate

no logging event link-status

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

priority-queue out

mls qos trust cos

auto qos voip trust

no mdix auto

spanning-tree portfast

spanning-tree bpduguard enable

Reza Sharifi · ‎11-09-2011

Hi Alain,

The suggestion I provided is for the 3750 side of the connection. I am not sure if the watchguard is capable to do dot.1q. According to this PDF it is, If not, then as you noted it is not going to work.

http://www.watchguard.com/help/docs/edge/10/v101edgeuserguide.pdf

Thanks,

Reza

View solution in original post

Latchum Naidu · ‎11-10-2011

Hi,

I looked at the watchguard document and it support 802.1Q
Why dont you use the same trunking method at both ends.

Please rate the helpfull posts.
Regards,
Naidu.

View solution in original post

huwyhuwy123 · ‎11-09-2011

I should add that the above works for vlan27 (i.e. I can ping the firewall) but not for vlan 29.

Marvin Rhoads · ‎11-09-2011

You need to have both the Layer 2 (VLAN) and Layer 3 (network) settings matching up on both the switch and firewall. I suspect you may not be negotiating a trunking protocol and are thus sending frames untagged to the firewall on Vlan 27 (as a result of the 'switchport trunk native vlan 27' line). Thus when you address a Layer 3 IP from the range served up on Vlan 29 you get no reply.

Hope this helps.

Reza Sharifi · ‎11-09-2011

To make a port a trunk port, these are the only commands you need:

interface FastEthernet1/0/38

description ## Connection to WG vlan27 and vlan 29 ##

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 27,29

switchport mode trunk

so, test with this config and provide the results.

HTH

cadet alain · ‎11-09-2011

Hi reza,

I don't think it will work if he doesn't do 802.1Q on the Watchguard which he isn't doing now.

Regards.

Alain

Don't forget to rate helpful posts.

Reza Sharifi · ‎11-09-2011

Hi Alain,

The suggestion I provided is for the 3750 side of the connection. I am not sure if the watchguard is capable to do dot.1q. According to this PDF it is, If not, then as you noted it is not going to work.

http://www.watchguard.com/help/docs/edge/10/v101edgeuserguide.pdf

Thanks,

Reza

huwyhuwy123 · ‎11-10-2011

Thanks for all the replies. I really appreciate your help.

Are you guys saying that if the watchguard doesn't support dot1q then it won't work? Is there a way to pass traffic from both vlans untagged?

The watchguard is an XTM505 btw.

Cheers again,

Al

Latchum Naidu · ‎11-10-2011

Hi,

I looked at the watchguard document and it support 802.1Q
Why dont you use the same trunking method at both ends.

Please rate the helpfull posts.
Regards,
Naidu.

huwyhuwy123 · ‎11-11-2011

Thanks guys. I setup vlan tagging on the watchguard and got this working.

Cheers again,

Al