Network Setup with Cisco Router and Switch

goosed

MIS
Jan 5, 2007
44
US
Hey all, I was hoping someone could point me in the right direction as to what I may be doing wrong here. I have a hardware Firewall, Cisco 3640 Router, and Cisco 2924 Switch.

Here is my setup:

Firewall:
LAN: 10.199.199.1/29

Router:
Fa0/0: 10.199.199.2/29
Fa0/1: no IP address
Fa0/1.1: 192.168.10.1/24 encapsulation dot1q 2
Fa0/1.2: 192.168.100.1/24 encapsulation dot1q 3
Default Gateway: 10.199.199.1

IP Routes:
C 192.168.10.0/24 directly connected, Fa0/1.1
10.0.0.0/29 subnetted, 1 subnet
C 10.199.199.0 directly connected, Fa0/0
C 192.168.100.0/24 directly connected, Fa0/1.2
S 0.0.0.0 [0/1] via 10.199.199.1

Switch:
VLAN1: 10.199.199.3/29
VLAN2: 192.168.10.2/24
VLAN3: 192.168.100.2/24
Fa0/1: switchport mode trunk, switchport trunk encapsulation dot1q
Default Gateway: 10.199.199.2

When I do a “Show Interface Fa0/1” I see that it is trunking:
Switchport: Enabled
Administrative Mode: Trunk
Operational Mode: Trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Trunking Native Mode VLAN: 1
Trunking VLANs Enabled: All

Physical Connections:
LAN on Firewall connected to Fa0/0 on Router
Fa0/1 on Switch connected to Fa0/1 on Router
Fa0/2 on Switch connected to Laptop

And my problems:
1. When I do a “show run” on the Switch, all the VLANs show as being down.
2. If I do a “no shutdown” on all three VLANs and then do a “show run” they still all show as “shutdown”.
3. I set Fa0/2 to “switchport access vlan 2”. I cannot do a “no shutdown” for VLAN 2 or any other VLAN. I cannot ping anything.
4. I set Fa0/2 to “switchport access vlan 3”. It does allow me to do a “no shutdown” for VLAN 3 only. I am then able to ping 192.168.100.1 (Router Fa0/1.2) and 192.168.100.2 (Switch VLAN3). However I cannot ping anything else.
5. I am able to ping the Firewall from the Router without any problems.

Any help would be appreciated. Thanks.
 
Here is the config off of the Switch:


!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname C2924-01
!
!
!
!
spanning-tree uplinkfast
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet0/2
duplex full
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/3
duplex full
spanning-tree portfast
!
interface FastEthernet0/4
duplex full
spanning-tree portfast
!
interface FastEthernet0/5
duplex full
spanning-tree portfast
!
interface FastEthernet0/6
duplex full
spanning-tree portfast
!
interface FastEthernet0/7
duplex full
spanning-tree portfast
!
interface FastEthernet0/8
duplex full
spanning-tree portfast
!
interface FastEthernet0/9
duplex full
spanning-tree portfast
!
interface FastEthernet0/10
duplex full
spanning-tree portfast
!
interface FastEthernet0/11
duplex full
spanning-tree portfast
!
interface FastEthernet0/12
duplex full
spanning-tree portfast
!
interface FastEthernet0/13
duplex full
spanning-tree portfast
!
interface FastEthernet0/14
duplex full
spanning-tree portfast
!
interface FastEthernet0/15
duplex full
spanning-tree portfast
!
interface FastEthernet0/16
duplex full
spanning-tree portfast
!
interface FastEthernet0/17
duplex full
spanning-tree portfast
!
interface FastEthernet0/18
duplex full
spanning-tree portfast
!
interface FastEthernet0/19
duplex full
spanning-tree portfast
!
interface FastEthernet0/20
duplex full
spanning-tree portfast
!
interface FastEthernet0/21
duplex full
spanning-tree portfast
!
interface FastEthernet0/22
duplex full
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
spanning-tree portfast
!
interface VLAN1
description Firewall
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN2
description Servers
ip address 192.168.10.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN3
description Workstations
ip address 192.168.100.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 10.199.199.2
banner motd 
Access to this Device is for Authorized Users Only! 
!
line con 0
login
transport input none
stopbits 1
line vty 0 4
login local
transport input telnet
line vty 5 15
no login
!
end
 
Try taking out the ip default-gateway, and bring vlan1 up, and set the switchports to auto-negotiate duplex.

Burt
 
Thanks Burt, I'll give it a shot tonight.
 
Also, does everything look alright in the config? Here is the Router config as well:

!
version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C3640-01
!
logging buffered 51200 warnings
!
!
!
!
!
ip subnet-zero
no ip source-route
no ip domain-lookup
!
ip cef
cns event-service server
!
!
interface FastEthernet0/0
description Connection to m0n0wall LAN
ip address 10.199.199.2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
clockrate 2000000
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1.1
description Connection to VLAN2
encapsulation dot1Q 2
ip address 192.168.10.3 255.255.255.0
!
interface FastEthernet0/1.2
description Connection to VLAN3
encapsulation dot1Q 3
ip address 192.168.100.1 255.255.255.0
!
ip default-gateway 10.199.199.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.199.199.1
no ip http server
!
banner motd 
Device Access is Restricted to Authorized Users Only!
!
line con 0
login
transport input none
line aux 0
line vty 0 4
password 7 082A4542050D04144341
login local
transport input telnet
!
end
 
Did you create the vlans on the switch using the vlan database command since your IOS version on the switch is a 12.1?


#vlan database

(vlan)#vlan 2 active
(vlan)#vlan 3 active
(vlan)#exit

See if that will help.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Well unfortunately nothing has worked thus far. I even tried wiping the config and starting from scratch. I didn't know you had to create the VLAN first in the VLAN database, so I did it in global configuration. So when I wiped the config I tried it first by creating it in the database and then in global config. No dice.

I know it's not the trunk port. I changed the encapsulation to ISL and could no longer ping the subinterfaces on the router. Changed it back to Dot1Q and I could resume pings.

The thing is I cannot seem to have more than 1 VLAN active at a time! My laptop is plugged into a port on VLAN 2, and I cannot activate VLAN 1 or 3. If I shut down VLAN 2, I can then activate 1 or 3. What is up?

Thanks again for the replies guys.
 
hehe I guess I'm not the only lucky one!

Here's a strange update...

After some researching, I enabled "ip routing" on the Router. From there I could then ping laptop to laptop (VLAN 2 to VLAN 3). I could also then ping both subinterfaces on the Router. Seemingly, inter-VLAN routing is working.

Oh, and the strange part: if I do a "show run" on the Switch, VLAN3 is still "shutdown".

One laptop is set to "switchport access vlan 2" and the other is set to "switchport access vlan 3". They can both ping each other. Why is my Switch saying VLAN 3 is down?
 
How did you enable ip routing? When it's disabled, it would show "no ip routing" in the show run...

Try and power cycle or shut the interfaces in the router down and then bring them back up, and power cycle the switch.

Burt
 
I just typed "ip routing" on the Router and it shows "ip routing" when I do a show run.

I'll try your tips tomorrow and post results.

Thanks for the help Burt.
 
Try just putting an IP address on one VLAN for management, and no shut all of the vlans to see if that might fix the problem. Because if you are routing between the VLANs you really only need 1 IP address for management.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
If you are talking about the SVIs on the switch going down, you can only have 1 active SVI on a layer 2 switch. This is to manage the switch only, so there is no need to have more than 1 active. The routing is done by the router. I think you are getting confused between the layer 2 VLAN and the layer 3 SVI that is used to manage the switch only. You only need one address to manage the switch; get rid of the other 2 addresses on the switch. Assign your ports to the VLANs you want the users in with "switchport access vlan X". The users' default gateway will be the router subinterface address for that VLAN.
 
Crap---I was thinking that was the router! lol
Viper is right---get rid of the VLAN2 and VLAN3 IP addresses and all will be fine.

Burt
 
It is basically the same problem: he is trying to create layer 3 SVIs, "interface vlan X". He doesn't need to do that. The layer 2 VLANs are already created because they show up with the show vlan command. If he is creating a layer 3 SVI it will go up and down even without an IP address on it, but it is basically doing nothing, because the only reason to have an address on any layer 2 switch is to manage it, so you only need one single SVI created with an address assigned to it to manage it.
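
[Added example, not written by any poster in this thread] A small Python check for the condition described in the two replies above: it reads a switch config, lists the "interface VLANn" stanzas, and reports when more than one SVI carries an IP address. It goes one step beyond the thread by also checking that "ip default-gateway" falls inside an active SVI subnet. The function names are hypothetical, and the sample is constructed from the SVI stanzas of the switch config posted earlier.

```python
import ipaddress
import re
# Constructed sample: SVI stanzas and gateway line from the switch config posted above.
SAMPLE_CONFIG = """\
interface VLAN1
no ip address
shutdown
!
interface VLAN2
ip address 192.168.10.2 255.255.255.0
!
interface VLAN3
ip address 192.168.100.2 255.255.255.0
shutdown
!
ip default-gateway 10.199.199.2
"""

def parse_svis(config):
    """Map VLAN id -> {"net": IPv4Network or None, "shutdown": bool} per 'interface VLANn' stanza."""
    svis, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"interface\s+vlan\s*(\d+)$", line, re.IGNORECASE)
        addr = re.match(r"ip address (\S+) (\S+)$", line)
        if head:
            current = svis.setdefault(int(head.group(1)), {"net": None, "shutdown": False})
        elif line == "!" or line.lower().startswith("interface "):
            current = None  # stanza ended, or a non-SVI interface began
        elif current is not None and addr:
            current["net"] = ipaddress.ip_interface("/".join(addr.groups())).network
        elif current is not None and line == "shutdown":
            current["shutdown"] = True
    return svis

def audit_l2_switch(config):
    """Return findings for a Layer 2 switch that should have one addressed management SVI."""
    svis = parse_svis(config)
    findings = []
    addressed = sorted(v for v, s in svis.items() if s["net"])
    if len(addressed) > 1:
        findings.append("more than one SVI has an IP address: VLANs %s" % addressed)
    gw = re.search(r"^\s*ip default-gateway (\S+)", config, re.MULTILINE)
    live = [s["net"] for s in svis.values() if s["net"] and not s["shutdown"]]
    if gw and not any(ipaddress.ip_address(gw.group(1)) in n for n in live):
        findings.append("default gateway %s is outside every active SVI subnet" % gw.group(1))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_l2_switch(SAMPLE_CONFIG)))
```

On the sample it reports both conditions: VLAN2 and VLAN3 are both addressed, and the gateway 10.199.199.2 is not in the only active SVI subnet.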
 
Hey fellas, thanks for the great tips. That turned out to be the problem. With Layer 2 switches (like the 2924) you can only have 1 active VLAN at a time. I configured a new VLAN for management purposes, and removed the IP addresses from the other VLANs. This resolved the issue, and inter-VLAN routing is possible!

Thanks again for all the help.
 