VLANS

gregworcester

IS-IT--Management
Mar 11, 2009
43
US
Hi Guys,

I have a bit of a problem with VLANs. Experimenting with them
here at home to see how they work. I am working with Cisco
equipment: a 2621 router, a 2950 switch, a 2900 switch. I have
created 4 VLANs as subs on the 2621 on the fa0/1 interface.
I put one of my printers in the .10 VLAN; it is on port 4
of the 2900. Put the port in the VLAN with the appropriate
switchport commands and I am able to print. This is OK. I then
put one of my PCs in VLAN 20. Put its port in VLAN 20. Rebooted the
PC and it picked up a 192.168.20.2 address from the scopes I added
on the 2621. From the PC I can ping anywhere and from all the Cisco
stuff I can ping the PC. On the PC I can't ping outside to the internet
and do not have any connectivity at all.
The FA0/1 on the router is trunked to port 12 on the 2950.
The 2950 is the VTP server, the 2900 is a client.
The VLANs are propagating.
All seems to work OK, except the no connectivity when I put a
machine in a VLAN.
IP routing is enabled on the 2621.
On the sub-interfaces I do have an IP helper statement.

Cisco configs are as follows.

2621 router

Current configuration : 7939 bytes
!
! Last configuration change at 22:24:00 EST Wed Dec 9 2009 by gregw
! NVRAM config last updated at 11:18:56 EST Wed Dec 9 2009 by gregw
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname WP2621
!
boot-start-marker
boot-end-marker
!
logging rate-limit all 10
no logging console
enable secret 5 $1$kuy8$ed/RH1eDfnUjeUeVNX3be.
enable password 7 105D0C170216
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no ip source-route
ip cef
!
!
ip inspect name email pop3
ip inspect name smtp smtp
ip inspect name ip inspect name cu cuseeme
ip inspect name ftp ftp
ip inspect name dns dns
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.2 192.168.0.101
ip dhcp excluded-address 192.168.0.249 192.168.0.254
!
ip dhcp pool whitepine
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
!
ip dhcp pool Vlan10
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
ip dhcp pool Vlan20
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
ip dhcp pool Vlan30
import all
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
!
ip dhcp pool Vlan40
import all
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
!
!
no ip bootp server
ip domain name whitepine.local
ip name-server 69.24.0.2
ip name-server 69.24.8.2
ip ssh rsa keypair-name WP2621.whitepine.local
ip ssh version 2
!

interface ATM0/0
mac-address 0007.eb78.10c0
bandwidth 3000
no ip address
no ip redirects
no ip unreachables
no atm ilmi-keepalive
atm ilmi-pvc-discovery
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0/0.35 point-to-point
ip address dhcp client-id FastEthernet0/0
no ip redirects
no ip unreachables
ip accounting output-packets
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
!
!
interface FastEthernet0/0
ip address dhcp
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
ntp disable
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.0.101 255.255.255.0
ip access-group 105 in
ip access-group 101 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/1.10
description Printers
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
no cdp enable
!
interface FastEthernet0/1.20
description PC
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
ip helper-address 192.168.20.1
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1.30
description Mac
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
no cdp enable
!
interface FastEthernet0/1.40
description Observatory
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip access-group 105 in
ip access-group 101 out
no cdp enable
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface ATM0/0.35 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any any eq pop3 log-input
access-list 101 permit tcp any any eq smtp log-input
access-list 101 permit tcp any any eq access-list 101 permit tcp any any eq ftp log-input
access-list 101 permit udp any any eq tftp log-input
access-list 101 permit udp any eq domain any log-input
access-list 101 permit tcp any any established log-input
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.20.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.30.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.40.0 0.0.0.255 any log-input
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any log-input
access-list 105 deny ip host 216.92.217.52 any log-input
access-list 105 deny ip host 207.251.97.35 any log-input
access-list 105 deny ip host 174.132.93.148 any log-input
access-list 105 permit ip any any
no cdp run

privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show
!
line con 0
access-class 1 in
exec-timeout 5 0
password 7 060B0639584719150C0F
line aux 0
exec-timeout 0 1
password 7 00091A1E10521B0A0639
no exec
line vty 0 3
access-class 1 in
exec-timeout 5 0
password 7 00091A1E10521B0A0639
transport input ssh
line vty 4
access-class 1 in
exec-timeout 5 0
password 7 03095213120631404711
transport input ssh
line vty 5 15
password 7 12140C0F06021C082333
!
ntp clock-period 17180484
ntp source FastEthernet0/0
ntp master
ntp max-associations 20
ntp server 64.247.17.253
ntp server 67.106.77.184
ntp server 198.200.182.10
ntp server 66.70.29.130



2950 switch

Current configuration : 4552 bytes
!
! No configuration change since last restart
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname WP2950
!
aaa new-model
aaa authentication login default local
enable secret 5 $1$W3s4$y7rUzYTg5Q/IzfdgFkN2S0
enable password 7 141615050917
!
ip subnet-zero
no ip source-route
!
vtp interface fa0/1
cluster enable Whitepine 0
cluster member 1 mac-address 00b0.642c.d880
!
cluster order 0,1
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
switchport mode trunk
duplex full
!
interface FastEthernet0/2
duplex full
!
interface FastEthernet0/3
duplex full
!
interface FastEthernet0/4
duplex full
!
interface FastEthernet0/5
duplex full
!
interface FastEthernet0/6
duplex full
!
interface FastEthernet0/7
duplex full
!
interface FastEthernet0/8
duplex full
!
interface FastEthernet0/9
duplex full
!
interface FastEthernet0/10
duplex full
!
interface FastEthernet0/11
duplex full
!
interface FastEthernet0/12
switchport mode trunk
duplex full
!
interface Vlan1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
no ip route-cache
shutdown
!
ip default-gateway 192.168.0.101
no ip http server
!
ip access-list extended CMP-NAT-ACL
dynamic Cluster-HSRP deny ip any any
dynamic Cluster-NAT permit ip any any
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run

!
line con 0
access-class 1 in
exec-timeout 5 0
password 7 060B0639584719150C0F
line vty 0 4
access-class 1 in
exec-timeout 5 0
password 7 03095213120631404711
transport input telnet
line vty 5 15
password 7 060B0639584719150C0F
!
ntp clock-period 17179904
ntp peer 192.168.0.10



2900 switch

Current configuration:

!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname WP2900
!
aaa new-model
aaa authentication login default local
enable secret 5 $1$W3s4$y7rUzYTg5Q/IzfdgFkN2S0

ip subnet-zero
no ip source-route
no ip finger
ip domain-name whitepine
!
cluster commander-address 000a.4136.3600 member 1 name Whitepine
!
!
interface FastEthernet0/1
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk
no cdp enable
!
interface FastEthernet0/2
duplex full
no cdp enable
!
interface FastEthernet0/3
duplex full
no cdp enable
!
interface FastEthernet0/4
duplex full
switchport access vlan 10
no cdp enable
!
interface FastEthernet0/5
duplex full
no cdp enable
!
interface FastEthernet0/6
duplex full
no cdp enable
!
interface FastEthernet0/7
duplex full
no cdp enable
!
interface FastEthernet0/8
duplex full
no cdp enable
!
interface FastEthernet0/9
duplex full
no cdp enable
!
interface FastEthernet0/10
duplex full
switchport access vlan 20
no cdp enable
!
interface FastEthernet0/11
duplex full
no cdp enable
!
interface FastEthernet0/12
duplex full
no cdp enable
!
interface FastEthernet0/13
duplex full
no cdp enable
!
interface FastEthernet0/14
duplex full
no cdp enable
!
interface FastEthernet0/15
duplex full
no cdp enable
!
interface FastEthernet0/16
duplex full
no cdp enable
!
interface FastEthernet0/17
duplex full
no cdp enable
!
interface FastEthernet0/18
duplex full
no cdp enable
!
interface FastEthernet0/19
duplex full
no cdp enable
!
interface FastEthernet0/20
duplex full
no cdp enable
!
interface FastEthernet0/21
duplex full
no cdp enable
!
interface FastEthernet0/22
duplex full
no cdp enable
!
interface FastEthernet0/23
duplex full
no cdp enable
!
interface FastEthernet0/24
duplex full
no cdp enable
!
interface VLAN1
ip address 192.168.0.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 192.168.0.101
no ip http server
access-list 1 permit 192.168.0.0 0.0.0.255
no cdp run

!
line con 0
access-class 1 in
exec-timeout 5 0
password 7 082C45561D10151B1B13
transport input none
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 5 0
password 7 13081E0A1F051426223C
transport input telnet
line vty 5 15
password 7 060B0639584719150C0F
!
ntp clock-period 22518162
ntp peer 192.168.0.101
end
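
Added example, not part of the original post or the poster's own tooling: a Python audit of a router-on-a-stick config for inside subnets that the PAT rule will not translate, either because the sub-interface lacks `ip nat inside` or because the subnet is not permitted by the ACL named in `ip nat inside source list`. The sample is a constructed excerpt of the 2621 lines quoted above, and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed excerpt: NAT-relevant lines of the 2621 config quoted in the post.
CONFIG = """\
interface FastEthernet0/1
 ip address 192.168.0.101 255.255.255.0
 ip nat inside
interface FastEthernet0/1.10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/1.20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface ATM0/0.35 overload
access-list 1 permit 192.168.0.0 0.0.0.255
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]}; a '!' or blank line ends a stanza."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def nat_source_networks(text):
    """Networks permitted by the standard ACL used in 'ip nat inside source list N'."""
    rule = re.search(r"^ip nat inside source list (\d+) ", text, re.M)
    if not rule:
        return []
    pat = rf"^access-list {rule.group(1)} permit (\S+) (\S+)$"
    return [ipaddress.ip_network(f"{a}/{w}") for a, w in re.findall(pat, text, re.M)]

def nat_gaps(text):
    """List (interface, subnet, reason) for addressed interfaces that PAT will skip."""
    permitted, gaps = nat_source_networks(text), []
    for name, cmds in parse_interfaces(text).items():
        addr = next((c.split()[2:4] for c in cmds if re.match(r"ip address \d", c)), None)
        if addr is None or "ip nat outside" in cmds:
            continue
        subnet = ipaddress.ip_interface("/".join(addr)).network
        if "ip nat inside" not in cmds:
            gaps.append((name, str(subnet), "no 'ip nat inside'"))
        elif not any(subnet.subnet_of(n) for n in permitted):
            gaps.append((name, str(subnet), "not matched by NAT source list"))
    return gaps
```

`nat_gaps(CONFIG)` reports the VLAN 10 sub-interface for the missing `ip nat inside` and the VLAN 20 sub-interface because ACL 1 only permits 192.168.0.0/24.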
 
Greg, have a look on your switch which connects to the router on f0/1.
- check the int config "show run int f?/?"
- do a "show logg" (you may need to actually enable logging "info" first).

Switch config to match your router config for this port would be something like

interface 0/1
switchport mode trunk
switchport trunk encap dot1q
switchport trunk native vlan 101

interface range f0/2 -24
switchport mode access
switchport access vlan 101

So my hypothesis is this:
If you say you have connectivity with "encapsulation dot1Q 101 native" on your router, and no connectivity without it, that means you have either a misconfigured trunk on the switch (not seeing dot1q), OR, all the Access ports on your switch are misconfigured (not access vlan 101).

The reason it's working now should be visible in your switch logs: your router's VLAN101 is being bridged to VLAN 1 on your switch.
 
Hi vince.

I have not made any changes as of yet. I think I understand what you are driving at.
I wanted to supply complete info before I proceed.
As follows:

from router fa0/0 to port fa0/1 on 2950, nothing configured on switchport.
from router fa0/1 to port fa0/12 on 2950, configured as trunk.

Ports 0/1 on both switches connected with a crossover cable and configured as trunks
to link switches together.

no ip on router 0/1, has sub of .101

Perhaps I am over-thinking this whole deal.

Did a show log on the 2950; it is at the bottom.
I appreciate your help.



Router interfaces

interface FastEthernet0/0
ip address dhcp
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
ntp disable
no cdp enable
!
interface FastEthernet0/1
no ip address
ip access-group 105 in
ip access-group 101 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
interface FastEthernet0/1.101
description Gateway
encapsulation dot1Q 101 native
ip address 192.168.0.101 255.255.255.0
ip nat inside
ip virtual-reassembly



2950 switch

interface FastEthernet0/1
description Crossover trunk to 2900 fa0/1
switchport mode trunk
duplex full

interface FastEthernet0/12
description Internal trunk to fa0/1 on 2621
switchport mode trunk
duplex full



2900 switch

interface FastEthernet0/1
description Crossover trunk to 2950 fa0/1
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk


sh log on 2950

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: level debugging, 26 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 26 messages logged
Exception Logging: size (4096 bytes)
File logging: disabled
Trap logging: level informational, 30 message lines logged

Log Buffer (4096 bytes):

00:00:15: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:17: %SYS-5-CONFIG_I: Configured from memory by console
00:00:17: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 01:59 by yenanh
00:00:17: %SNMP-5-COLDSTART: SNMP agent on host WP2950 is undergoing a cold start
00:00:19: %LINK-5-CHANGED: Interface Vlan170, changed state to administratively down
00:00:21: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
00:00:21: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
00:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
00:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
00:00:27: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:00:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:00:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
00:00:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:01:51: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
00:01:51: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
00:02:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
00:02:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
00:02:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
00:02:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
00:02:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
00:02:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
00:02:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
00:02:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
00:02:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
00:02:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to up
WP2950#
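
Added example, not part of the thread: the native-VLAN hypothesis above expressed as a Python check that compares the VLAN the router sends untagged with the switch trunk's native VLAN, then lists the access ports that end up in that same VLAN. The sample stanzas are constructed from the configs quoted in the thread; the function names are hypothetical, and ports without `switchport mode trunk` are assumed to be access ports.

```python
import re

# Constructed from the stanzas quoted in the thread (indentation restored).
ROUTER = """\
interface FastEthernet0/1
 no ip address
interface FastEthernet0/1.101
 encapsulation dot1Q 101 native
 ip address 192.168.0.101 255.255.255.0
"""
SWITCH = """\
interface FastEthernet0/2
 duplex full
interface FastEthernet0/12
 switchport mode trunk
 duplex full
"""

def stanzas(cfg):
    """Return [(interface name, stanza body), ...] in config order."""
    parts = re.split(r"^interface (\S+)[ \t]*$", cfg, flags=re.M)
    return list(zip(parts[1::2], parts[2::2]))

def router_untagged_vlan(cfg):
    """VLAN of the sub-interface marked 'native', or None if there is none."""
    m = re.search(r"encapsulation dot1Q (\d+) native", cfg, re.I)
    return int(m.group(1)) if m else None

def switch_port_vlans(cfg):
    """Map port -> (mode, VLAN for untagged frames).
    IOS defaults to VLAN 1 for both the trunk native VLAN and the access VLAN."""
    ports = {}
    for name, body in stanzas(cfg):
        trunk = "switchport mode trunk" in body
        key = "trunk native" if trunk else "access"
        m = re.search(rf"switchport {key} vlan (\d+)", body)
        ports[name] = ("trunk" if trunk else "access", int(m.group(1)) if m else 1)
    return ports

def audit(router_cfg, switch_cfg, trunk_port):
    """Return ((router VLAN, switch VLAN) or None, access ports bridged to the router)."""
    rv = router_untagged_vlan(router_cfg)
    ports = switch_port_vlans(switch_cfg)
    sv = ports[trunk_port][1]
    mismatch = (rv, sv) if rv is not None and rv != sv else None
    reach = sorted(p for p, (mode, v) in ports.items() if mode == "access" and v == sv)
    return mismatch, reach
```

With the sample, `audit(ROUTER, SWITCH, "FastEthernet0/12")` returns the mismatch `(101, 1)` and shows the VLAN 1 access port sharing a broadcast domain with the router's 101 sub-interface; after adding `switchport trunk native vlan 101` to the trunk, the mismatch clears and access ports left in VLAN 1 no longer reach it.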
 