Vlans question

said07

IS-IT--Management
May 3, 2004
168
US
I have about 20 switches scattered around 3 plants. Connected in a circle kind of.

--One 3750
--Six Ce500-12 Ports (No Cli-Just web access)
--Twelve Ce500-24 Ports(No Cli-Just web access)
--One Dell Powerconnect 5324.
--Windows 2008 r2 acting as Dhcp server.

I am running out of Ips on my one and only subnet.
I would like to set up Vlans to separate traffic and also solve my ip issue.

How can this be done?

Thank you
 
easily.
1) make sure your 3750 has at least ip services image installed. enter the command ip routing
2) on the 3750, create another vlan and establish a SVI. add ip helper-address under the new SVI config.
Code:
3750(config)# vlan 2
3750(config)# int vlan 2
3750(config-if)# ip add x.x.x.x y.y.y.y
3750(config-if)# ip helper-address <ip_of_dhcp_server>
3) on the uplinks between each switch, be sure to convert them to trunks in order to pass multiple vlan traffic (you'll of course need to use the web interface for those that don't have a CLI. the dell will use different syntax)
Code:
3750(config)# int g0/24
3750(config-if)# desc link to a downlevel switch
3750(config-if)# switchport mode trunk
3750(config-if)# switchport nonegotiate
4) on every other switch be sure to create this new vlan. establish vlan membership for each switch port that will have a host attached that should be communicating on this new vlan.
5) if the hosts on this new vlan should be able to get to the internet, be sure your perimeter device has a route back to the 3750 for this new subnet

this should be pretty much it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, I am not very savvy at switches and routers. I will review your input, for which I thank you by the way, and get back to you for more clarifications.
Thanks again
 
I am not sure about what you meant by:
1- "ip services image installed"
2- "and establish a SVI"
 
The first part is the feature set on the IOS image. That is, the operating system of the switch. It has to support IP routing as a feature.

For the second part, an "SVI" is a virtual interface on a switch for a virtual LAN. The first part of the code he posted first creates the vlan, then it creates an "interface vlan" or "SVI", gives it an IP address on that subnet and creates an "IP Helper address", which will redirect DHCP discovers and requests to the IP address in that command (so, the DHCP server).

CCNP, CCDP
 
Ok, I see.
I checked the 3750 switch and from the Sh run I got "Version 12.2"
From the web interface I got: Software: 12.2(35)SE5 (IPBASE).

How do I find out if it supports IP routing?
 
Thanks, Ip routing is among the supported commands.
I have done some reading about Intervlans. It is mostly clear to me dealing with a router rather than a switch when it comes to fa 0/0 sub interfaces configuration.
When I think about the 3750 I have 6 ports configured as trunks (23,24,25,26,27,28). And only 2 of them are connected right now to other switches (24 and 27).

Port 24 is copper connected to Dell switch.
Port 27 is Fiber connected to another Ce 500 series switch.

which port should I configure my subinterfaces on?

This is from my Sh run.
--------------------------------------------------
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/24
description Dell Switch
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/26
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/27
description Fiber
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/28
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface Vlan1
ip address X.X.X.X X.X.X.X
!
ip default-gateway X.X.X.X
ip classless
ip http server
---------------------------------------

Thanks for your time.
 
unclerico:
I did the following:
3750(config)# int vlan 10
3750(config-if)# ip add x.x.x.x y.y.y.y
3750(config-if)# ip helper-address <ip_of_dhcp_server>
3750(config)# int vlan 11
3750(config-if)# ip add x.x.x.x y.y.y.y
3750(config-if)# ip helper-address <ip_of_dhcp_server>
I created 2 new scopes on my dhcp server for these vlans.
The ports on the 3750 were set as trunks from the web interface.
On the switch to which the test workstation is connected:
1- I created a vlan 10
2- I made the port to which the workstation connected a member of vlan 10

But I got no connectivity yet.
I cannot get an ip and cannot ping the gateway even if I plug in a static ip.

Any ideas to why I have no connectivity?

Here is a screenshot showing vlans active on the 3750.
3750#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/25
                                                Gi1/0/26, Gi1/0/28
10   VLAN0010                         active
11   VLAN0011                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

And also a sh ip route:
3750#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C x.x.x.x/24 is directly connected, Vlan10
C x.x.x.x/24 is directly connected, Vlan11
C x.x.x.x/24 is directly connected, Vlan1
 
For the port connected to the test machine, you said you put it on vlan 10, but the port isn't showing up in your "sh vlan brief". Can you post the config of the access port facing the test machine? Usually when you see a vlan active with no ports, it's because it's been created in the vlan database but not added to any switchports.

Also, to answer your question about subinterfaces, you don't make them anywhere. With multi-layer switching, router-on-a-stick is pretty much a thing of the past. That "SVI" is like the subinterface of the future. :)

CCNP, CCDP
 
How do I get the config of the access port facing the test machine?
 
Should support "show run interface Gi1/0/23" for example, to pull config from that interface. Some cases where you might just have to "show run" and scroll through.

Also, what I want to confirm is whether or not the port is indeed an access port for vlan 10. If it's not, then the test machine won't be able to reach the switch's SVI for that vlan.

"switchport mode access" and "switchport access vlan 10" would be the required commands from interface config mode on the port facing the test machine.

CCNP, CCDP
 
Here is a result from Sh run:

Dc1#sh run
Building configuration...

Current configuration : 3230 bytes
!
! Last configuration change at 17:40:40 UTC Tue Oct 19 2010
! NVRAM config last updated at 17:02:09 UTC Tue Oct 19 2010 by assalihin
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Dc1
!
enable secret
!
no aaa new-model
clock timezone UTC -6
clock summer-time UTC recurring
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip routing
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
description Esx Server
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
description Ibm Eblade center
!
interface GigabitEthernet1/0/8
description Ibm Eblade center
!
interface GigabitEthernet1/0/9
description Ibm Eblade center
!
interface GigabitEthernet1/0/10
description Ibm Eblade center
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
description Link-Surf
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/24
description Dell Switch
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/26
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/27
description Fiber
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/28
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface Vlan1
ip address x.x.x.x x.x.x.x
!
interface Vlan10
ip address x.x.x.x x.x.x.x
ip helper-address x.x.x.x
!
interface Vlan11
ip address x.x.x.x x.x.x.x
!
ip default-gateway x.x.x.x
ip classless
ip http server
!
control-plane
!
end
 
Dc1#sh run interface g1/0/27
Building configuration...

Current configuration : 213 bytes
!
interface GigabitEthernet1/0/27
description Fiber
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
end
 
I did add this command to that interface:
Dc1(config)#interface Gigabit1/0/27
Dc1(config-if)#switchport trunk allowed vlan 1,10,11

And this is now the result of the sh run on that interface:

Dc1#sh run interface g1/0/27
Building configuration...
Current configuration : 252 bytes
!
interface GigabitEthernet1/0/27
description Fiber
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,11
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
end
 
You can't just connect the PC directly to a trunk port. On the switch port directly connecting to that test PC, you need to configure the port as an access port, and assign it to vlan 10. If it's on the same switch as that "interface vlan" config, then that should work. If it's on another switch then you'll have to add vlan 10 to the trunk(s) leading to the switch with the "interface vlan" config.

So, on the access port facing the PC, do "switchport mode access" and "switchport access vlan 10". That would make it an access port for vlan 10. Otherwise the switch will tag all the frames it sends to the PC, and it will expect the PC to return tagged frames, so it won't work. There's another workaround if you want to change native vlan status and get cute with it, but making it an access port for that vlan is the simplest way to test this.

CCNP, CCDP
 
Quadratic,
My client is connected to a switch port configured as an access port assigned to vlan 10, not to a trunk port :)
Since the switch is ce 500, no cli, I was told to create a vlan 10 on all the switches I have (ce 500) to make them aware of it.
Right now after I plug in a static ip, I am able to ping from the client (on vlan 10) the 3750's vlan10 and vlan 1 interfaces but not vice-versa.
Also, the client cannot ping anything beyond those two interfaces on the 3750. I tried to ping the dhcp on vlan 1 but no luck. So my client is still without dhcp. The client is connected to a switch which is connected to another switch...to another switch.., then the 3750..and the company's firewall is the default gateway for everything.
I was told to add a route on the firewall to vlan10, I have not done it yet.
 
since you have ip routing enabled on the 3750 I would designate it as the default gateway on the LAN so that it will perform inter-vlan routing. from the 3750 you would have a default route to the firewall in order to get to the internet. double and triple check that each uplink between switches is set as a trunk.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
will test it on the vlan 10 client and another pc on vlan 1 and see what it does.
Thanks
 
we finally got it to work.
we replaced: ip default-gateway x.x.x.x (x being the firewall)
to: ip route 0.0.0.0 0.0.0.0 x.x.x.x (x being the firewall)

we also added in the sonicwall 2 routes for the new vlans.

Thanks to everyone who contributed.
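
Added example, not part of the thread and not any poster's code: a short Python check over running-config text for the faults that came up above (ip default-gateway left in place while ip routing is on, an SVI with no ip helper-address, trunks with no allowed-VLAN list or without switchport nonegotiate). The sample config, its addresses and the dhcp_vlan parameter are constructed assumptions.

```python
# Constructed sample shaped like the Dc1 config in the thread; addresses are placeholders.
SAMPLE = """ip routing
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/0/27
switchport trunk allowed vlan 1,10,11
switchport mode trunk
!
interface Vlan1
!
interface Vlan10
ip helper-address 192.0.2.10
!
interface Vlan11
ip address 203.0.113.1 255.255.255.0
!
ip default-gateway 192.0.2.254
"""

def parse(config):
    """Return (global lines, {interface: [commands]}) from running-config text."""
    glob, ifaces, cur = [], {}, None
    for line in map(str.strip, config.splitlines()):
        if line in ("", "!", "end"):
            cur = None                      # separator closes the interface block
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        else:
            (glob if cur is None else cur).append(line)
    return glob, ifaces

def audit(config, dhcp_vlan="1"):
    """dhcp_vlan (assumed) is the VLAN the DHCP server sits in; its SVI needs no helper."""
    glob, ifaces = parse(config)
    out = []
    if ("ip routing" in glob and any(g.startswith("ip default-gateway") for g in glob)
            and not any(g.startswith("ip route 0.0.0.0 0.0.0.0 ") for g in glob)):
        out.append("global: ip default-gateway is unused while ip routing is on")
    for name, cmds in ifaces.items():
        has = lambda prefix: any(c.startswith(prefix) for c in cmds)
        if name.startswith("Vlan") and name[4:] != dhcp_vlan and not has("ip helper-address"):
            out.append(f"{name}: no ip helper-address")
        if has("switchport mode trunk"):
            if not has("switchport trunk allowed vlan"):
                out.append(f"{name}: trunk carries every VLAN")
            if not has("switchport nonegotiate"):
                out.append(f"{name}: DTP still enabled")
    return out
```

audit() accepts the text of "show run" with or without the usual one-space indentation, so the unindented form pasted in this thread parses the same way.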
 