10-25-2007 06:38 AM - edited 03-03-2019 07:20 PM
I have recently purchased a Catalyst 6503 switch with Supervisor engine 32 and two 49 GigE blades. I have configured L3 switches before, but I am having an extremely hard time routing my VLAN interfaces. I am even beginning to question if I did actually get an L3 switch. Can someone help me identify if I have an L3 switch and how do I configure my switch so I can route my VLANs? Thanks...
Current modules:
Mod Slot Ports Module-Type Model Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1 1 9 1000BaseX Supervisor WS-SUP32-GE-3B yes ok
15 1 1 Multilayer Switch Feature WS-F6K-MSFC2A no ok
2 2 48 10/100/1000BaseT Ethernet WS-X6148-GE-TX no ok
3 3 48 10/100/1000BaseT Ethernet WS-X6148-GE-TX no ok
Mod Sub-Type Sub-Model Sub-Serial Sub-Hw Sub-Sw
--- ----------------------- ------------------- ----------- ------ ------
1 L3 Switching Engine III WS-F6K-PFC3B SAD091903MB 2.2
10-25-2007 07:06 AM
John
These lines do indicate that you have a layer 3 switch:
15 1 1 Multilayer Switch Feature WS-F6K-MSFC2A no ok
1 L3 Switching Engine III WS-F6K-PFC3B SAD091903MB 2.2
I am not sure why you are having issues routing your VLAN interfaces. Perhaps you can post the output of show version and the config. If we have some details to work with perhaps we can help you resolve this difficulty.
HTH
Rick
10-25-2007 08:22 AM
Rick, thanks for your help.
RICSWC6503 (enable) sh ver
WS-C6503-E Software, Version NmpSW: 8.5(1)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Oct 22 2005, 10:32:14
System Bootstrap Version: 12.2
System Boot Image File is 'bootdisk:cat6000-sup32pfc3k8.8-5-1.bin'
System Configuration register is 0x2102
Hardware Version: 1.3 Model: WS-C6503-E Serial #: FOX11070F7D
PS1 Module: PWR-1400-AC Serial #: DTH1052J197
Mod Port Model Serial # Versions
1 9 WS-SUP32-GE-3B SAD0920018W Hw : 4.5 Fw : 12.2
Fw1: 8.5(1)
Sw : 8.5(1)
Sw1: 8.5(1)
WS-F6K-PFC3B SAD091903MB Hw : 2.2
Sw :
2 48 WS-X6148-GE-TX SAL1116M0PG Hw : 7.1
Fw : 7.2(1)
Sw : 8.5(1)
3 48 WS-X6148-GE-TX SAL1116M0PW Hw : 7.1
Fw : 7.2(1)
Sw : 8.5(1)
15 1 WS-F6K-MSFC2A SAD094503XW Hw : 3.0
Fw : 12.2(17d)SXB9
Sw : 12.2(17d)SXB9
DRAM FLASH NVRAM
Module Total Used Free Total Used Free Total Used Free
1 524288K 135665K 388623K 249772K 9772K 240000K 2048K 339K 1709K
Uptime is 34 days, 23 hours, 51 minutes
RICSWC6503 (enable)
switch run-config
begin
set prompt RICSWC6503
set logout 60
!
#mac address reduction
set spantree macreduction disable
!
#vtp
set vtp domain rixixad.com
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm
set vlan 1,34
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#ip
set interface sc0 1 10.10.10.23/255.255.255.0 10.10.10.255
set interface sl0 down
set interface sc1 down
set ip route 0.0.0.0/0.0.0.0 10.10.10.1
!
#dns
set ip dns server X.X.X.X primary
set ip dns server X.X.X.X
set ip dns enable
set ip dns domain rixixad.com
!
#ntp
set ntp client enable
set ntp server 10.10.10.15
set timezone est -5 0
set summertime enable
set summertime recurring second Sunday March 02:00 first Sunday November 02:00 60
!
#set boot command
set boot config-register 0x2102
set boot system flash bootdisk:cat6000-sup32pfc3k8.8-5-1.bin
!
#permit list
set ip permit 10.10.10.0 255.255.255.0 telnet
set ip permit 10.10.10.0 255.255.255.0 ssh
set ip permit 10.10.11.0 255.255.255.0 telnet
set ip permit 10.10.11.0 255.255.255.0 ssh
!
#mls
set mls verify length ip minimum disable
!
#acl
!
# default port status is enable
!
#module 1 : 9-port 1000BaseX Supervisor
set port name 1/9 UPLINK to C4500
!
#module 2 : 48-port 10/100/1000BaseT Ethernet
set port name 2/7 riakvm02
set port name 2/8 riakvm01
!
#module 3 : 48-port 10/100/1000BaseT Ethernet
set vlan 34 3/46-48
set trunk 3/48 on dot1q 1-4094
!
#module 15 : 1-port Multilayer Switch Feature Card
!
#module 16 empty
end
router module run-config
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
ip subnet-zero
!
redundancy
high-availability
single-router-mode
mode none
!
boot system flash c6msfc2a-jsv-mz.122-17d.SXB9.bin
!
interface Vlan34
ip address 10.10.12.42 255.255.255.252
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.10.12.40 mask 255.255.255.252
no auto-summary
!
ip classless
no ip http server
!
dial-peer cor custom
!
end
Thanks for your help.
10-25-2007 09:32 AM
John
Thanks for posting the additional information which is helpful. I see in the switch config that there are 2 VLANs with user ports. Most user ports are in VLAN 1 and a few ports are in VLAN 34. In the router config I see that VLAN 34 is configured with an IP address. This should provide routing for VLAN 34. But I do not see any VLAN interface for VLAN 1. So it will not route for VLAN 1. Is there a reason why there is not a VLAN interface for VLAN 1? I believe that this is the essence of your problem - that you have not provided routing logic for the VLAN with most of the user ports.
HTH
Rick
10-25-2007 09:49 AM
What's the need for configuring BGP without having any neighbors?
If you want to route between VLANs, having an IP address under the SVI (switch virtual interface) should be sufficient if 'ip routing' is enabled.
Inter-VLAN routing does not need a dynamic routing protocol.
10-25-2007 11:14 AM
Rick and Edison,
Thanks for the input. I should have put a little more information. This switch currently has 2 VLANs. However, I do not want these VLANs to talk to each other at all. What I have done is assign 3 ports to VLAN 34, and I want one of those ports to connect to a TLS circuit, acting as the router for that circuit. The other two ports will have a PIX 515E FW w/FO connected to it. I have been able to do this before with other L3 switches, but am having an issue with this one. Any help would be appreciated. Thanks -- John
10-25-2007 11:38 AM
John
I am still not sure that I understand your issue. The original post talked about problems routing between VLANs - or at least that is what I thought it was about. Now you say that you do not want the VLANs to talk to each other.
What you have configured will allow the ports in VLAN 34 to participate in the configured subnet. But who will they talk to? There is no configured default route, no configured route to other networks or subnets, and as Edison has pointed out the BGP with no neighbors will not learn any routes. So who will they talk to?
HTH
Rick
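The cross-check that the replies above perform by eye on the two posted configs (VLANs on the CatOS side versus SVIs on the MSFC, BGP with no neighbors, no static or default route), as an added Python example that is not part of any post in this thread. The function names and the trimmed sample configs are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the two configs posted in this thread.
CATOS = """\
set vlan 1,34
set vlan 34 3/46-48
set trunk 3/48 on dot1q 1-4094
"""
MSFC = """\
interface Vlan34
 ip address 10.10.12.42 255.255.255.252
!
router bgp 1
 network 10.10.12.40 mask 255.255.255.252
!
ip classless
"""

def l2_vlans(catos):
    """VLAN IDs from 'set vlan <list>' and 'set vlan <id> <mod/ports>' lines."""
    vlans = set()
    pat = r"^set vlan ([\d,\-]+)(?:[ \t]+\d+/\S+)?[ \t]*$"
    for m in re.finditer(pat, catos, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def svis(msfc):
    """VLAN IDs with an 'interface Vlan<N>' stanza that carries an IP address."""
    found = set()
    for stanza in re.split(r"^![ \t]*$", msfc, flags=re.M):
        m = re.search(r"^interface Vlan(\d+)", stanza, re.M)
        if m and re.search(r"^\s*ip address \d", stanza, re.M):
            found.add(int(m.group(1)))
    return found

def audit(catos, msfc):
    l2, l3 = l2_vlans(catos), svis(msfc)
    out = [f"VLAN {v}: on the switch side, no SVI on the MSFC" for v in sorted(l2 - l3)]
    out += [f"VLAN {v}: SVI on the MSFC, VLAN missing on the switch side" for v in sorted(l3 - l2)]
    if re.search(r"^router bgp", msfc, re.M) and not re.search(r"^\s*neighbor ", msfc, re.M):
        out.append("BGP: configured without neighbors")
    if not re.search(r"^ip route ", msfc, re.M):
        out.append("MSFC: no static or default route")
    return out

if __name__ == "__main__":
    print("\n".join(audit(CATOS, MSFC)))
```

A VLAN reported as having no SVI is simply not routed by the MSFC, which is the intended state when that VLAN is meant to stay isolated at Layer 3.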
10-25-2007 11:46 AM
Rick,
On the other end of one of those ports will be another router, the other half of a /30 subnet. Within the router module of my switch I created a VLAN 34 with my half of the /30 subnet. The other two ports will connect to a PIX 515E FW w/FO. I am just trying to have one of the 3 ports on VLAN 34 talk to the router at the other end of the circuit. Hope this explains it more. I have been able to create this with other L3 switches. With this one, however, it seems that instead of the switch and router options working together they are separated. For example, I created VLAN 34 on the switch side and assigned the ports, then I had to go into the router module, create VLAN 34 again and assign it an IP address.
Thanks,
John
10-25-2007 11:55 AM
What's the provider transit VLAN? You must have this VLAN created in your switch's VTP database and configured on the switchport facing the TLS handoff.
Same configuration must be done at the remote location.
Once you do that, the devices should be able to see each other via CDP.
There isn't any routing involved on what you are trying to accomplish. It's pure Layer2.
10-25-2007 12:18 PM
I agree. I should be able to do this all at layer 2, however, even with VTP configured and the VLAN configured, I have not been able to just have the two ends talk to each other. The other Network administrator is using a Layer 3 switch with VLAN34 configured on this ports.
Anyway, I will continue to troubleshoot it. Thanks for your help.
10-25-2007 12:21 PM
You need to contact your TLS provider and ask them for the transit VLAN. This information is vital and without this, they won't be able to see each other.
10-25-2007 12:29 PM
I will contact them to get this information. However, when I connect the circuit directly to my PIX firewall, everything works. The only reason I cannot do this is because of the failover appliance. This is why I was trying to use the router features of the L3 switch.
10-25-2007 12:43 PM
The PIX would be a routed port therefore it sounds like your TLS was provisioned as Layer3 TLS, not Layer2.
What IP subnet was the PIX using when it worked vs the one being used in your 6500 now?
10-26-2007 03:45 AM
I have two subnets. Currently I am using a /30 on the switch. This is the configuration on the other side. When I plugged it directly into the firewall, I was using a /28 with the gateway being the switch/router on the other end of the TLS. I think that you were correct to begin with, I think that the TLS is provisioned as a L2 TLS. This is why I am pulling my hair out, because I should be able to take a few ports on my switch, configure the VLAN and all should work. I mean I have that working right now with other circuits and other VLANs from my corporate network, but it does not seem to work with this circuit. Also for some other reason, when I connected to the firewall, I had the interface hardcoded as full/100, which works, but when I do auto/auto, it becomes half/10 and it stops working. Extremely frustrating. Now back on the switch, since I was able to make it work with the firewall working as the router for the circuit, I thought I could use the switch's router capabilities to accomplish the same action. But as I think about it, it seems that the firewall was just acting as a part of the extended LAN since the gateway was at the other end of the TLS circuit. I just need to get in touch with the SA on the other end and go over his configuration, maybe he is doing something flaky and I think that the problem is on my end. Thanks for your help.
10-26-2007 05:56 AM
The speed/duplex needs to match with the provisioned circuit. Remember, you have an inter-switch link with the provider's switch and that switch hard-codes its speed in order to limit your bandwidth.
What you are seeing is duplex mismatch behavior. Make sure to hard-code speed/duplex to match the provider's.