Adding VLAN to 3560 (Help Configuring)


devdevil85

Technical User
Feb 11, 2008

I am trying to add an extra VLAN (VLAN10, .10 subnet) to my 3560 and to get devices on the VLAN to acquire network information via an external DHCP Server and to also be able to get to the internet like devices on VLAN1.

Here is my problem with my current configuration:

1) DHCP on VLAN10 does not work meaning a device plugged into a port associated w/ VLAN10 will not get an address via DHCP. I have tried DHCP relay agent and I have configured the DHCP server w/ scope options for the VLAN10, .10 subnet. I have also configured option 82 and enabled dhcp snooping on the VLANs.

2) Devices on VLAN10 are unable to get to the internet while devices on VLAN1 can.

3) In order for my VLANs to communicate I have to change my GW (for devices on VLAN1) from the Router to the 3560. If not, then inter-vlan routing does not work. (Confused on why)

Anyways, with the GW changed to the 3560 for devices on VLAN1, they are able to ping devices on VLAN10 and vice versa. Devices on VLAN10 cannot ping the Router, but can ping the 3560.

Right now w/ the config that I have I don't know what else to do. Hopefully somebody can tell me what I am doing wrong.

No devices are connected to ports on VLAN10 at the moment, so VLAN10 isn't showing up in the routing table.

Here's my config:


User Access Verification

Current configuration : 1705 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco_POE
!
ip subnet-zero
ip routing
!
ip dhcp snooping vlan 1,10
ip dhcp snooping
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
 description port on VLAN10
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.7 255.255.254.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.254.0
 ip helper-address 192.168.1.1
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.10.0
!
ip classless
ip default-network 192.168.1.0
ip route 0.0.0.0 0.0.0.0 192.168.1.15
ip http server
!
!
control-plane
!
!
end

Cisco_POE#
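
Added example (not part of the thread and not any poster's code): DHCP snooping drops DHCP server messages that arrive on untrusted ports, so the port facing the DHCP server has to be the trusted one. This Python check reports `ip helper-address` targets that sit in a snooped VLAN with no trusted port; the function names are hypothetical, the sample is a constructed excerpt of the config posted above, and a port without `switchport access vlan` is assumed to be in VLAN 1.

```python
import ipaddress
import re

# Constructed excerpt: the lines of the posted config that matter for this check.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1,10
ip dhcp snooping
interface FastEthernet0/22
 switchport access vlan 10
 ip dhcp snooping trust
interface Vlan1
 ip address 192.168.1.7 255.255.254.0
interface Vlan10
 ip address 192.168.10.1 255.255.254.0
 ip helper-address 192.168.1.1
"""

def parse(config):
    """Return (snooped VLAN ids, {interface name: [sub-commands]})."""
    snooped, ifaces, current = set(), {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", line)
        if m:
            for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", m.group(1)):
                snooped.update(range(int(lo), int(hi or lo) + 1))
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            current = None  # "!" closes the interface block
        elif current is not None:
            current.append(line)
    return snooped, ifaces

def untrusted_helper_paths(config):
    """List (SVI, helper target, VLAN) where the target's VLAN is snooped but has no trusted port."""
    snooped, ifaces = parse(config)
    nets, trusted = {}, set()
    for name, cmds in ifaces.items():
        m = re.search(r"^ip address (\S+) (\S+)$", "\n".join(cmds), re.M)
        if m and name.lower().startswith("vlan"):
            nets[int(name[4:])] = ipaddress.ip_network("/".join(m.groups()), strict=False)
        if "ip dhcp snooping trust" in cmds:
            vlans = [int(c.split()[-1]) for c in cmds if c.startswith("switchport access vlan ")]
            trusted.update(vlans or [1])  # assumption: no access VLAN set means VLAN 1
    return [(name, cmd.split()[-1], vlan)
            for name, cmds in ifaces.items() for cmd in cmds
            if cmd.startswith("ip helper-address ")
            for vlan, net in nets.items()
            if vlan in snooped - trusted and ipaddress.ip_address(cmd.split()[-1]) in net]
```

On the excerpt this returns `[("Vlan10", "192.168.1.1", 1)]`: the only trusted port is the VLAN 10 access port, while the helper target lies in snooped VLAN 1.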
 
Do a "show vlan" command and make sure vlan 10 is in there and shows active.
 
Also on your user interfaces add spanning-tree portfast.
 
You have to have the 3560 as the gateway because it is doing the routing. All devices' gateway for vlan 10 must be 192.168.10.1. They should be able to talk to each other if the gateways are correct for each subnet because they are directly connected subnets to the 3560, you don't even need a routing protocol to get that far. And any traffic that is not known on the 3560's routing table would then follow your default static, which I assume is the connection to the internet router or firewall at 192.168.1.15.
 
Yeah, our default static route is to our Kentrox L3 Router/Firewall (which we are only wanting to use if devices need to get to the internet; any other L3 traffic we want the 3560 to route) which is then connected to our Nuvox Box that gets us to the internet.

So you are saying that the GW for VLAN1 devices is the 3560 and the GW for VLAN10 devices is VLAN10 itself?

Do I need to give VLAN10, itself, a GW?

Thanks
 
Here's my layout:

My PC --> 3560 --> Kentrox Router/Firewall --> Nuvox Box

An external DHCP Server is also connected to 3560.

What I want to happen:

VLAN1 & VLAN10 can communicate
My PC (VLAN1) --> 3560 --> Other PC (VLAN10) & vice versa

DHCP addresses get to VLAN10 from the external server (I have already setup the scope for the .10 subnet on server)
Other PC --> 3560 --> DHCP Server --> 3560 --> Other PC

I also want the Other PC to be able to get to the internet just like My PC can on VLAN1. Right now it cannot.
 
Question: If I configure a L3 interface on the 3560 (no switchport cmd, IP address command, etc.), does it have to be left unused w/ nothing plugged into it or can I still use it as a L2 port like the rest of the ports?

Also, once I give the L3 interface an IP address, does VLAN1's GW change to that IP address, while VLAN10's stays the same (VLAN10's IP)?

Thanks
 
On the L3 switch, if you plan to connect the switch to a node in a vlan, it must have switchport mode access on it.

Burt
 
You would only put an address on the interface itself if you were going to connect it to another routing device. Otherwise you do as you did in your original config and use a SVI and then put a port in that vlan, "switchport access vlan 10". On your firewall do you have a route back to the .10 subnet? Check to see how the firewall is routing the current vlan 1 connections and if need be add a static route for the .10 subnet, probably pointing to the vlan 1 address on the 3560 if that is the connection between the 3560 and the firewall. If your dhcp server is not on the .10 subnet you will need an ip helper address on the SVI for vlan 10 so it knows where to send the dhcp request. If it doesn't pull an address I would suspect the dhcp server setup, can't really help you there. Clients' default gateway address for each vlan will be the 3560 address for each vlan. For vlan 1 it is 192.168.1.7, for vlan 10 it is 192.168.10.1.


 
Thanks viper for the help. Just so you know, the Kentrox isn't the one routing between the vlans, or at least it shouldn't be. The 3560 should actually be doing the inter-vlan routing.

Is an SVI basically a vlan?

 
An SVI (switch virtual interface) is where you define your layer 3 information for a vlan. People seem to get this and a layer 2 vlan mixed up.

interface vlan XX
ip address xx.xx.xx.xx <mask>
 