Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Vlan Problem between cisco 1841, catalyst 2960g and linksys switches

Status
Not open for further replies.

gmanzo

Vendor
Jan 21, 2010
10
MX
Hello,



I would like you to please help me undestand what am I doing wrong with the following scenario.



I created a 3 VLAN network with a Cisco Router 1841, a Catalyst 2960G with PoE and linksys 48 port PoE switches, because the data traffic was dropping connection from the voice IP phones to the IP PBX.



Vlan 1 as native data network with 192.168.123.0 /24

Vlan 2 for notebooks, wireless AP, mobiles and desktop computers with no restrinction Internet access, 192.168.124.0 /24

Vlan 5 for IP phones only and the IP PBX giving and handling DHCP IP addresses to the phones, 192.168.127.0 /24.



The router has all three subinterfaces created, DHCP server for the Vlan 2 and access to Internet with a ADSL Pots WIC card for Vlan 2 users. The Catalyst is the Core Switch and it has trunk ports for connecting the Linksys switches and a Catalyst 2950. The linksys switches are connected to the SFP ports and their SFP ports has trunk configuration.



Now, every computer, wireless or mobile has an static IP from the Vlan 1 network and they access to internet not yet through the ADLS WIC or the FA 0/1 port, they ADLS routers are connected to Vlan 1 with static IP and they are the outbound gateways for internet. This is what I need to change right away.



Everything works fine at Vlan 1 and Vlan5, no problems there, at the cisco or linksys switches, but when I try to start using the Vlan2 at any linksys switch port, I can't access to it, I tried all port configurations available, accesss, general or trunk, and neither gives me access to Vlan2 network and without this, I can't enable the internet access through the ADLS WIC.



At the catalyst, if I configure the switchport as access vlan2, It sends me right away to the Vlan2, but if I configure it as a trunk port, I need to change my NIC configuration to vlan2, in order to be able to connect, and of course I can't do that, because not all the computers has the option to move their NICs to a certain Vlan.



Router configuration:

ipepac#sh run
Building configuration...

Current configuration : 5921 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ipepac
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$kSN4$zBuvxtplls9ruHPJtj7jb.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.124.1 192.168.124.50
!
ip dhcp pool 0
network 192.168.124.0 255.255.255.0
default-router 192.168.124.254
dns-server 200.33.146.249 200.33.146.241
!
!
no ip bootp server
ip domain name ipepac
ip name-server 200.33.146.249
ip name-server 200.33.146.241
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-289562205
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-289562205
revocation-check none
rsakeypair TP-self-signed-289562205
!
!
crypto pki certificate chain TP-self-signed-289562205
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383935 36323230 35301E17 0D303931 32313032 30353234
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3238 39353632
32303530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
AEE817C8 878C5DE6 E4780339 0180677B 3D394438 52FDB541 97E78C2B 6A82EB69
D7668EC5 EB4BBB49 D387D6C6 87379FDC 5CEFA0A0 E0C742D5 97E6143B 97EB7947
3DA38F73 249F53BE 33E1000B 3DC44589 24C5355C 62E67E5E 814F60F3 81876CB8
12258E84 C253F60C 5BCE0FCC 1CB0F0C9 524F1C8C 89135C73 4D8BB024 677CD3C7
02030100 01A36D30 6B300F06 03551D13 0101FF04 05300301 01FF3018 0603551D
11041130 0F820D69 70657061 632E6970 65706163 301F0603 551D2304 18301680
141EEBCC F28051FE 5D4CB337 7B9A6807 FCF844C0 22301D06 03551D0E 04160414
1EEBCCF2 8051FE5D 4CB3377B 9A6807FC F844C022 300D0609 2A864886 F70D0101
04050003 8181005F 165AC17D EC95DA1E 19BEE12B 35EACEFF 065793EE C6C560FA
552318E8 4105BB9F 7A2B9619 50372E8D 75F4A280 8C221896 17081B8C 763F160D
AA6FD4CF 77DE5224 E9D0269E CF944395 E10D2C81 48671FA1 F0AEDB3C 0B449D43
B976B5FB 3F5F9A05 6A187490 F9D248C7 8E7ABAC4 42EE985B 9FB183D0 E0DD1C99
5E5B0CBC 98A1EC
quit
!
!
username admin privilege 15 secret 5 $1$jJmL$Ysv3pMrJT8HaTk0Lu2u5N/
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.123.254 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0.2
description $ETH-LAN$
encapsulation dot1Q 2
ip address 192.168.124.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.127.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.9 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer9
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ieey1
ppp chap password 7 05080901354D4C00150C13130F
ppp pap sent-username ieey1 password 7 03075405120E234542001D0413
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer9
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer9 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0.2
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.124.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the

"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 4000 1000
end

ipepac#


Switch configuration:




ipepac_core_switch#sh run
Building configuration...

Current configuration : 4820 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ipepac_core_switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$1SB5$DgCKYQcxGQU6U8xJUT2MR1
enable password ipepac1
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
mls qos
!
crypto pki trustpoint TP-self-signed-515095296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-515095296
revocation-check none
rsakeypair TP-self-signed-515095296
!
!
crypto pki certificate chain TP-self-signed-515095296
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35313530 39353239 36301E17 0D393330 33303130 30303131
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3531 35303935
32393630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B4B4C4AD BD416317 09D31775 5F15A843 9EADE486 5032394B CAF37FD5 CD539304
70044FCC FC8718C3 9C3F250C 37E25110 CA6DE91E 00375D86 54263BCD B0F81AC0
D119C62B 0E9DE257 F4749714 69E3553B 5611904F 07F0FB83 154FD10B 7CC91C65
EBF4D9CC 7D230B26 F100451D A7636245 0B7871D2 B992E43E 5F914158 E36C4D8D
02030100 01A37330 71300F06 03551D13 0101FF04 05300301 01FF301E 0603551D
11041730 15821369 70657061 635F636F 72655F73 77697463 682E301F 0603551D
23041830 168014B3 48BD9958 12E9E3F5 34E11866 01E053FA EB270830 1D060355
1D0E0416 0414B348 BD995812 E9E3F534 E1186601 E053FAEB 2708300D 06092A86
4886F70D 01010405 00038181 0046F947 B7E7FC8D 4C3A81E2 F7D44993 8CB6AA42
A1A4AFA4 22438364 07A24C67 B770872A 4C7FE50A 53CE8B91 68976088 A0F21220
1D08213F 811910E2 5680C613 482066FD 74492F88 211BB34E 828291AE FA3699A8
8087480D D007E6D1 61F9CDCC EC85D1D7 8A319D56 8C1A2F14 54607722 0E50766F
A790BB1C 4CF210BE B9C59B50 CA
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
switchport mode trunk
switchport voice vlan 5
switchport priority extend cos 3
spanning-tree portfast
!
interface GigabitEthernet0/2
switchport mode access
switchport voice vlan 5
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport mode trunk
switchport voice vlan 5
switchport priority extend cos 3
spanning-tree portfast
!
interface GigabitEthernet0/4
switchport access vlan 5
switchport mode access
switchport voice vlan 5
spanning-tree portfast
!
interface GigabitEthernet0/5
switchport mode access
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/6
switchport access vlan 2
switchport mode access
switchport voice vlan 5
switchport priority extend cos 3
spanning-tree portfast
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
switchport mode access
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 2
switchport mode trunk
switchport voice vlan 5
spanning-tree portfast
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
switchport mode trunk
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/17
switchport mode access
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/18
switchport mode access
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
switchport mode trunk
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/22
switchport mode trunk
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/23
switchport mode trunk
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/24
switchport mode trunk
switchport voice vlan 5
priority-queue out
mls qos trust cos
spanning-tree portfast
!
interface Vlan1
ip address 192.168.123.2 255.255.255.0
!
interface Vlan2
ip address 192.168.124.2 255.255.255.0
no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 0 4
password ipepac2
login
line vty 5 15
password ipepac2
login
!
end

ipepac_core_switch#



Please help me to undestand what's wrong so I can serve right my customer.



Thanks,



Guillermo Manzo

 
Which port goes to the linksys? Also you should change the vtp mode to transparent so you can see the layer 2 vlans in the config itself . If you set the port going to the linksys as access and then set the port into vlan 2 then you set the linksys port as vlan 2 untagged you should have connectivity. I really can't help with the linksys much ,never have dealt with those , strictly a cisco guy.
 
The ports going to the linksys are the 21, 23 and 24. Where should I need to change the vtp to transparent? at the Catalyst 2960G? I need to send the three vlans to the linksys, because there will be users connected to the linksys using vlan1 as untagged. I'll try tomorrow and let you know.

Thanks
 
I'm confused why is there 3 links going to the linksys ? Is the linksys a manageable switch that can do trunking and vlans ? It would have to be manageable and be able to trunk and set individual ports in to specific vlans in order to work . Can't imagine why there is 3 links to the linksys . I would go to the linksys site and look for config info for that model linksys switch and see how to config trunking for the port that goes to the 2960 . When trunking make sure the native (untagged vlan ) matches on each side of the link in your config.
 
Yes the linksys are managable. Each linksys switch port connecting to the catalyst is trunk mode. Vlan 1 is for later access to a firewalled internet conection and all the computers are at vlan1 with static ip, the vlan 2 was created to give access in dhcp mode with manual binding to certain computers which will access to internet with non restricted access and vlan 5 is for voIP only. At the linksys there will be connected vlan1 and vlan2 computers so, that's why I need to know if there is something I'm doing wrong at the router and catalyst or if the problem I have is at the linksys port configuration.

What do you think?

Thanks for all your support.
 
I haven't played with one for a long time, but I'm pretty sure the Cisco 2960 is a Layer-2 switch. So why does yours have two IP interfaces configured on it?

When you talk about configuring interfaces as Access/Trunk on your catalyst, you seem to not understand what you should be doing. If you want a device in VLAN 2, then you configure its switchport either as:

With a Cisco phone:
- sw mode access
- sw access vlan 2
- voice vlan 5
- spanning-tree portfast

For non-Cisco phones, it should look like:
- sw tr encap dot1q
- sw mo tr
- sw nat vlan 2
- spanning-tree portfast trunk

With no phone at all, either as above or simply:
- sw mo acc
- sw acc vlan 2

And in either case, a trunk to the router or to another switch should look like:
- sw tr encap dot1q
- sw mo tr
- sw nat vlan 1
- no spanning-tree

You should put "Description ..." on your switch interfaces so we can see which ones link to what.
 
Ok you shouldn't need 3 links . If the 2960 has all vlan1 and 2 defined then all you need is a single trunk link going to the linksys carrying those 2 vlans . Then on the linksys you assign the ports to whatever vlan you want them in .
 
Viper, he has 3 Linksys switches, with one connection to each, not 3 connections to one Linksys switch!
 
Thanks a lot,the misconfiguration was at the linksys switchces not the cisco router or catalyst. At linksys all the ports belong to VLAN1 as untagged, I needed to change the port into VLAN2 as untagged and exclude the VLAN1 for the port. With this, everything works fine.

Thanks a lot for all your help.

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top