VLAN Basics

I am new to VLAN concepts. I would like to configure my 8 2950 series switches, with the latest IOS version installed, to incorporate multiple VLANs to isolate different departments. I am coming to the conclusion that internet traffic generated from each VLAN will require separate trunk ports connected to !!their own interface on the router!!. Is there a way around this using only C2950C24 series switches and a C2811 series router? I've seen posts referring to PBR but don't believe this is supported on the C2950, being a layer 2 device. How is this typically configured? Currently running 130+ on native VLAN 1.

Thanks

Reply to
Mark St Laurent

In article , Mark St Laurent wrote:
:I am new to VLAN concepts. I would like to configure my 8 2950 series
:switches with the latest IOS version installed, to incorporate multiple
:VLANS to isolate different departments.

OK.

:I am coming to the conclusion that
:internet traffic generated from each VLAN will require separate trunk ports
:connected to !!their own interface on the router!!.

No, that's not the case at all. When you designate a port as a trunk port, you can add multiple VLANs to it, and all the VLAN traffic will be multiplexed over the one interface. The method for adding multiple VLANs to a port varies a bit, but typically in IOS it involves creating "subinterfaces" and telling the subinterface that it is part of the VLAN.

Reply to
Walter Roberson

You could home 7 of the 2950s to a "master" 2950 and then connect the master 2950 to the 2811 router. To have more than one VLAN on a particular 2950, you would need to enable trunking between the 2950 and the master 2950. The master 2950 would also have trunking enabled between it and the 2811 router. Do not use VLAN 1 when and if you move to multiple VLANs.

Reply to
Merv

I have created, for instance, on a C2950C24 running 12.1(22)EA4 a VLAN 5 and enabled 802.1q trunking on fa 0/1, which is the port for the 2811 router. On the same switch, fa 0/17 is configured for VLAN 5; when I plug my laptop into this port and manually configure the IP address to 192.168.1.212 I cannot ping the gateway at 192.168.1.253. I realize that once working I should configure VLAN 5 to 192.168.2.xxx and then create another NAT overload on the external router interface, but I can't get anything from VLAN 5 fa 0/17 to forward to the router. Note: if I do (no shut) on INT VLAN5 I can then at least access the switch (telnet).

Any help greatly appreciated

spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
macro global description cisco-global
!
interface FastEthernet0/1
 description C2811
 switchport trunk pruning vlan none
 switchport mode trunk
 switchport nonegotiate
 mls qos trust dscp
 auto qos voip trust
 macro description cisco-router
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/17
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/26
 switchport mode trunk
 switchport nonegotiate
 mls qos trust cos
 auto qos voip trust
 macro description cisco-switch
 spanning-tree link-type point-to-point
!
interface Vlan1
 ip address 192.168.1.249 255.255.255.0
 no ip route-cache
!
interface Vlan5
 no ip address
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.1.253

C2950Cs1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 250
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Enabled
MD5 digest                      : 0x0C 0x12 0xEB 0x17 0xC7 0xF6 0x63 0x87
Configuration last modified by 192.224.60.249 at 10-6-05 20:53:29
Local updater ID is 192.168.1.249 on interface Vl1 (lowest numbered VLAN interface found)

C2950Cs1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21
5    VLAN0005                         active    Fa0/17
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Reply to
Mark St Laurent

As you can see from above ("RE Walter"), I believe I have done this but it does not work. Maybe I am missing something quite simple? Don't know, please advise.

Thanks

Reply to
Mark St Laurent

post your router config also

Reply to
Merv

You want to trunk VLAN 5 over fa 0/1 but you haven't enabled VLAN 5 on fa 0/1.

Reply to
Walter Roberson

My Router Config

Current configuration : 12404 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *************
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-3.bin
boot system flash c2800nm-advsecurityk9-mz.123-8.T6.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 ***************************
!
no aaa new-model
!
resource policy
!
memory-size iomem 20
clock timezone Pacific -8
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule_102 list 102
no ip bootp server
ip domain name ***************.COM
ip name-server 206.13.29.12
ip name-server 206.13.30.12
ip sla monitor 1
 type echo protocol ipIcmpEcho ***.***.***.***
ip sla monitor schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
!
class-map match-any p2p
 match protocol fasttrack
 match protocol gnutella
 match protocol napster
 match protocol http url "\\.hash=*"
 match protocol http url "/.hash=*"
 match protocol kazaa2
!
policy-map p2p
 class p2p
  police cir 8000 bc 1500 be 1500
   conform-action drop
   exceed-action drop
!
bridge irb
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$FW_INSIDE$
 ip address 192.168.1.251 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map FAILOVER
 duplex auto
 speed auto
 vrrp 1 ip 192.168.1.253
 vrrp 1 priority 254
 vrrp 1 authentication md5 key-string 7 ***************** timeout 30
 no mop enabled
 service-policy input p2p
 service-policy output p2p
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 172.18.0.1 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface ATM0/2/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
!
interface BVI1
 description $FW_OUTSIDE$
 mac-address 0000.****.****
 ip address ***.***.***.177 255.255.255.248
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule_102 in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 ***.***.***.182
ip route 0.0.0.0 0.0.0.0 192.168.1.252 20
ip route ***.***.***.125 255.255.255.255 192.168.1.252 permanent
ip flow-export version 5
ip flow-export destination 192.168.1.14 2055
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 2000
!
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface BVI1 overload
ip nat inside source static 172.18.0.2 ***.***.***.178
!
logging trap debugging
logging 192.168.1.7
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.1.14 log
access-list 2 remark SDM_ACL Category=1
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.1.6 log
access-list 2 remark HTTP Access-class list
access-list 2 permit 192.168.1.7 log
access-list 2 deny   any
access-list 10 permit 192.168.1.14
access-list 10 permit 192.168.1.6
access-list 10 permit 192.168.1.7
access-list 10 deny   any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark ISPrime (Porn)
access-list 100 deny   ip any 66.230.128.0 0.0.63.255
access-list 100 deny   ip ***.***.***.176 0.0.0.7 any
access-list 100 deny   ip 172.18.0.0 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip ***.***.***.176 0.0.0.7 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit icmp any host ***.***.***.177 echo
access-list 102 remark Auto generated by SDM for NTP (123) time-a.timefreq.bldrdoc.gov
access-list 102 permit udp host 132.163.4.101 eq ntp host ***.***.***.177 eq ntp
access-list 102 remark SBCGlobal DNS
access-list 102 permit udp host 206.13.30.12 eq domain host ***.***.***.177
access-list 102 permit udp host 206.13.29.12 eq domain host ***.***.***.177
access-list 102 deny   ip 172.18.0.0 0.0.0.3 any
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host ***.***.***.177 time-exceeded
access-list 102 permit icmp any host ***.***.***.177 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 remark VTY Access-class list
access-list 103 permit tcp host 192.168.1.6 any eq 22 log
access-list 103 remark VTY Access-class list
access-list 103 permit tcp host 192.168.1.6 any eq 22 log
access-list 103 remark VTY Access-class list
access-list 103 permit tcp host 192.168.1.14 any range 22 telnet log
access-list 103 deny   ip any any log
access-list 199 permit ip 192.168.1.0 0.0.0.255 host 206.13.29.12
access-list 199 permit ip 192.168.1.0 0.0.0.255 host 206.13.30.12
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.31.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.15
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.31
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.0.15
access-list 199 permit ip 192.168.1.0 0.0.0.255 ***.***.***.*** 0.0.15.255
access-list 199 permit ip host 192.168.1.1 any
access-list 199 permit ip host 192.168.1.2 any
access-list 199 permit ip host 192.168.1.145 any
access-list 199 permit ip host 192.168.1.146 any
access-list compiled
snmp-server community ******** RO 10
snmp-server enable traps tty
snmp-server host 192.168.1.7 *******
route-map FAILOVER permit 10
 match ip address 199
 set ip next-hop verify-availability 192.168.1.252 10 track 123
!
route-map FAILOVER permit 20
 match ip address 199
 set ip next-hop ***.***.***.182
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner exec ^C
-----------------------------------------------------------------------
UNAUTHORIZED access is a Federal Offense Punishable by fines and/or
imprisonment. UNAUTHORIZED users must disconnect immediately. Network
traffic may be logged or monitored without further notice, the resulting
logs may be used as evidence in court.
-----------------------------------------------------------------------
                    c i s c o   S y s t e m s
-----------------------------------------------------------------------
^C
banner login ^C
Property of ****************
Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 103 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 103 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179685
ntp update-calendar
ntp server 192.168.1.252 source FastEthernet0/0
ntp server 132.163.4.101 source BVI1 prefer
!
end


Reply to
Mark St Laurent

You would need to enable trunking on the router fast ethernet interface that faces the 2950. Given this router is in production you would want to save the current config and do this out of hours.

int fa 0/0.1
 description trunk VLAN 1
 encap dot1q 1 native
 ip address 192.168.1.251 255.255.255.0
 exit

int fa 0/0.5
 description trunk VLAN 5
 encap dot1q 5
 ip address 192.168.5.251 255.255.255.0
 exit

You might also want to renumber the BVI interface from 1 to something else (i.e. not any of the VLAN numbers you plan to use, including VLAN 1).

Reply to
Merv

When I go into CNA (Cisco Network Assistant) it says that FA0/1 is configured for ALL VLAN access. I also found the sh vlan output strange.

CNA Interface List

FA0/1 802.1Q Trunk - Nonnegotiate VLAN ALL

If there is a way via CLI to add VLAN 5 implicitly to FA0/1, what is the syntax, and is this not redundant? The literature implies that creating an 802.1Q trunk allows ALL by definition; you can, however, exclude via CLI entries.

Does this apply to what I am doing? It wouldn't be the first time I found info that looked right but wasn't applicable to my case. FYI, the enhanced image is installed.

Defining the Allowed VLANs on a Trunk

By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094 when the EI is installed, and 1 to 1005 when the SI is installed, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk. To restrict the traffic a trunk carries, use the switchport trunk allowed vlan remove vlan-list interface configuration command to remove specific VLANs from the allowed list.

Reply to
Mark St Laurent

I only use CLI so could not comment on any GUI configuration tool.

Reply to
Merv

Thank you. I was wondering why a link in the literature did not point to the corresponding config on the router, if there was one, as obviously there is. I searched for 2 days for something like this; will try this tomorrow.

I am seeing this kind of hardware available for VLAN configs:

VLAN Interface Support · Support for VLAN interface configuration for Cisco EtherSwitch® ports

Is the above method superior to creating sub-interfaces on one interface as below, and if not, would it be safe to create 6 or more sub-interfaces as detailed below?

Reply to
Mark St Laurent

Thanks Merv, this was precisely the problem. Modified the BVI bridge group to 9, then created sub-ifs for fa0/0 and moved route-maps and other config lines accordingly; worked like a charm. Ethereal packet scans (VLAN 5) showed CDP (easily remedied), STP and LOOP replies; I'm not certain if the latter 2 are a problem or not. Angry PingScan hit the entire LAN, remedied with an ACL denying VLAN 5 network to LAN network. I remember in an earlier post you spoke of PBR to Internet only (not this topic, in WEP Best Practices); that is what I am using port 17 VLAN 5 for. Hung a wireless "router", WAN to int fa0/17, also PAT'd to a different wireless client range. Ethereal scan from the wireless adapter: no Corp LAN traffic. Still would like your thoughts on the advantages of PBR vs ACL to prevent wireless access to the Corp LAN.

Once again thanks for your help.

Reply to
stormrunner

If you can accomplish what you want with ACLs that is fine; otherwise use PBR

Reply to
Merv
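As an added example (not configuration posted by anyone in this thread), here is the combined router-on-a-stick and switch configuration the thread converges on: Walter's and Merv's dot1Q subinterfaces on the 2811, the trunk pruned to the VLANs actually in use per the "allowed VLANs" excerpt, and an inbound ACL doing the VLAN 5-to-LAN isolation Mark describes. It assumes Merv's 192.168.5.0/24 for VLAN 5, the BVI renumbered to 9 as Mark did, ACL number 105 as a free number, and that the firewall ACL, NAT and VRRP lines move from fa0/0 to the VLAN 1 subinterface; the PAT list extension is the part that is easy to forget.

```cisco
! --- C2811 (router on a stick): one 802.1Q subinterface per VLAN ---
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description trunk VLAN 1 - corporate LAN (native, untagged)
 encapsulation dot1Q 1 native
 ip address 192.168.1.251 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip policy route-map FAILOVER
 vrrp 1 ip 192.168.1.253
!
interface FastEthernet0/0.5
 description trunk VLAN 5 - wireless segment
 encapsulation dot1Q 5
 ip address 192.168.5.251 255.255.255.0
 ip access-group 105 in
 ip nat inside
!
! VLAN 5 may reach the Internet but not the corporate subnets (assumed ACL number 105).
access-list 105 remark VLAN5 inbound: block corporate LAN, permit the rest
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny   ip 192.168.5.0 0.0.0.255 172.18.0.0 0.0.0.3
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 105 deny   ip any any log
!
! The PAT source list must include the new subnet, or VLAN 5 routes but never leaves.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
ip nat inside source list 1 interface BVI9 overload
!
! --- C2950: prune the trunk to the VLANs in use, access port for VLAN 5 ---
interface FastEthernet0/1
 description C2811
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,5
!
interface FastEthernet0/17
 description wireless router WAN port
 switchport access vlan 5
 switchport mode access
```

ACL 105 only governs traffic initiated from VLAN 5; if hosts on the corporate LAN must also be kept out of VLAN 5, a matching deny belongs in the inbound ACL on fa0/0.1.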

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.