
3560 & 2 VLANs (DHCP issue)


devdevil85
I have (1) Cisco 3560 and I am wanting to create (2) port-based VLANs. IP addresses will be obtained via an external Windows 2003 DHCP Server. Port 22 is the only port in VLAN10 at the moment, while the others are in VLAN1.

DHCP Server = 192.168.1.1
Kentrox Router = 192.168.1.15

Here is my configuration thus far:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco_POE
!
enable secret 5
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.7 255.255.254.0
ip helper-address 192.168.1.1
!
interface Vlan10
ip address 192.168.10.1 255.255.254.0
ip helper-address 192.168.1.1
!
router rip
version 2
network 192.168.10.0
!
ip classless
ip default-network 192.168.1.0
ip route 0.0.0.0 0.0.0.0 192.168.1.15
ip http server
!
!
control-plane
!
!
!
end

Devices on VLAN1 are being issued IP addresses correctly, yet when I connect my laptop to port 22 (VLAN10) it is not obtaining an address and I am given an error.

I have created an address range (scope) for VLAN10 on the DHCP server, yet the laptop is unable to obtain an IP address via DHCP on port 22 (VLAN10). I am left unable to test whether I can get communication between the VLANs.

I am able to ping VLAN1 but not VLAN10 (if that helps).

Is there something that I am missing/doing wrong?
    robo_dev

    you do not need the helper on vlan 1.

    does your new scope in your server have the giaddr field?

    do 'debug ip dhcp server packets' to see if dhcp requests are getting to the helper ip.

    CG IT

    VLAN 1 is also on the same subnet as all other devices connected to the switch [such as your DHCP server. I assume your DHCP server is connected to that switch.]

    When you create another VLAN, you're separating those ports assigned to the new VLAN from the default VLAN. They need an access line and a helper address to get to VLAN1.

    devdevil85

    interface FastEthernet0/22
    switchport access vlan 10
    switchport mode access

    interface Vlan10
    ip address 192.168.10.1 255.255.254.0
    ip helper-address 192.168.1.1

    There is only 1 port (#22) in VLAN10 so far. I put the access line on the port (22) and I put the ip helper-address on VLAN10 as shown above. The external DHCP server is (like you said) connected to the 3560. Is there something that I'm missing? Because it sounds like what you have said is something that I have already done...

    Thanks for your help

    robo_dev

    The dhcp server does not know which subnet to use. DHCP relay is enabled by default in most Cisco devices.

    The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (option82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing option 82.

    Also, you don't need a helper address on your vlan1, but I'm not sure that this is making things fail.

    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804412bf.html#wp1085170

    devdevil85

    I removed ip helper from VLAN1, but I don't know if what you are saying is that I'm missing something on my DHCP Server or if I'm missing a command on the 3560....

    robo_dev

    the cisco DHCP relay agent appends the helper address to the dhcp request packet on dhcp option 82 (GIADDRESS = Gateway interface address) only if DHCP snooping is enabled.

    AND

    Microsoft DHCP Server does not have default support for option 82, you have to enable it.

    While Cisco has DHCP relay enabled by default, option 82 is not enabled without dhcp snooping. It's a security feature for preventing dhcp interactions from 'untrusted' interfaces.

    Using Windows DHCP Server Management console (dhcpmgmt.msc) -> <DHCP Server> -> Right Click -> Set Predefined Options..., you can add option 82 as a customized option for DHCP Server.

    In order for Cisco to do the option 82 stuff, you need to enable DHCP snooping globally

    ip dhcp snooping

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdhcp82.html#wp1138479
    http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB0088R0_ODVA_DHCP_Option_82v2.pdf
    https://blogs.technet.com/teamdhcp/archive/2005/09/16/411032.aspx

    So the short answer is: enable DHCP snooping globally in the Cisco and enable option 82 support in Microsoft DHCP server.
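The relay step described in robo_dev's two posts above (giaddr set by the SVI, option 82 appended when snooping's insertion is on, scope chosen by the server, option 82 echoed back and stripped by the relay) as an added Python walkthrough; this is example code, not from the thread, Cisco or Microsoft. The addresses are the thread's, while the DHCP frames, the client MAC, the circuit-id "Fa0/22", the server interface SERVER_IF and the scope names in SCOPES are constructed assumptions.

```python
import ipaddress
import struct

# Addresses from the thread; every DHCP frame below is constructed for this example.
VLAN10_SVI = "192.168.10.1"           # interface Vlan10 = the relay agent
SERVER_IF = "192.168.1.225/23"        # DHCP server's own interface (assumed)
SCOPES = {                            # scopes assumed to exist on the Windows server
    ipaddress.ip_network("192.168.0.0/23"): "VLAN1 scope",
    ipaddress.ip_network("192.168.10.0/23"): "VLAN10 scope",
}
MAGIC = b"\x63\x82\x53\x63"
HOPS_OFF, YIADDR_OFF, GIADDR_OFF, OPTS_OFF = 3, 16, 24, 240   # BOOTP fixed-header offsets


def build_discover(client_mac, xid=0x1234ABCD):
    """DHCPDISCOVER as the laptop on port 22 broadcasts it: hops and giaddr are zero."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,                 # BOOTREQUEST, Ethernet, hlen 6
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + b"\x35\x01\x01" + b"\xff"                 # option 53 = DISCOVER, END


def parse_options(pkt):
    """Return [(code, value)] from the options field, stopping at END (255)."""
    i, out = OPTS_OFF, []
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                             # PAD
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        out.append((code, pkt[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out


def encode_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"


def giaddr_of(pkt):
    return ipaddress.ip_address(pkt[GIADDR_OFF:GIADDR_OFF + 4])


def relay_to_server(pkt, relay_ip, circuit_id=None):
    """What 'ip helper-address' makes the SVI do: fill giaddr with the SVI address if it is
    still 0.0.0.0, bump hops and, when option 82 insertion is on, append sub-option 1
    (circuit-id). The result is unicast to the helper address."""
    giaddr = pkt[GIADDR_OFF:GIADDR_OFF + 4]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.ip_address(relay_ip).packed
    opts = parse_options(pkt)
    if circuit_id is not None:
        opts.append((82, bytes([1, len(circuit_id)]) + circuit_id))
    head = (pkt[:HOPS_OFF] + bytes([min(pkt[HOPS_OFF] + 1, 255)]) + pkt[HOPS_OFF + 1:GIADDR_OFF]
            + giaddr + pkt[GIADDR_OFF + 4:OPTS_OFF])
    return head + encode_options(opts)


def select_scope(pkt, server_if=SERVER_IF):
    """Server side: the scope is chosen by giaddr; an unrelayed request (giaddr 0) is matched
    against the subnet of the interface it arrived on. None = no scope for that subnet."""
    g = giaddr_of(pkt)
    key = g if int(g) else ipaddress.ip_interface(server_if).ip
    return next((name for net, name in SCOPES.items() if key in net), None)


def build_offer(req, yiaddr):
    """Server's DHCPOFFER: giaddr is kept so the reply goes back to the relay, and option 82,
    if present, is echoed unchanged."""
    opts = [(53, b"\x02")] + [(c, v) for c, v in parse_options(req) if c == 82]
    head = (b"\x02" + req[1:YIADDR_OFF] + ipaddress.ip_address(yiaddr).packed
            + req[YIADDR_OFF + 4:OPTS_OFF])
    return head + encode_options(opts)


def relay_to_client(reply):
    """Relay strips option 82 before forwarding the reply onto the client VLAN."""
    kept = [(c, v) for c, v in parse_options(reply) if c != 82]
    return reply[:OPTS_OFF] + encode_options(kept)


def walk_through():
    """Follow one DISCOVER from port 22 through the Vlan10 SVI to the server and back."""
    disc = build_discover(b"\x00\x11\x22\x33\x44\x55")
    relayed = relay_to_server(disc, VLAN10_SVI, circuit_id=b"Fa0/22")
    offer = build_offer(relayed, "192.168.10.15")
    return {
        "scope_if_unrelayed": select_scope(disc),      # looks like a VLAN1 client
        "scope_after_relay": select_scope(relayed),    # giaddr 192.168.10.1 -> VLAN10 scope
        "option82_in_offer": any(c == 82 for c, _ in parse_options(offer)),
        "option82_to_client": any(c == 82 for c, _ in parse_options(relay_to_client(offer))),
    }


if __name__ == "__main__":
    print(walk_through())
```

If no scope contains the giaddr subnet, select_scope returns None, which is the "does your new scope have the giaddr field" question from the first reply.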

    devdevil85

    Yeah, we aren't using the 3560 for DHCP and I don't think we enabled option 82 on the server, and I know we didn't enable DHCP snooping on the 3560 either so....I will see if that helps/fixes the problem. If not I will be sure to get back w/ you ASAP.

    Thank you for all your help robo!

    devdevil85

    Option 82 is missing on the Win2003 DHCP Server

    Do you know how to manually add it? I read the link you sent me and I didn't find anything on the values needed...such as the Data Type and the Value....that I need to insert in the boxes

    Thanks!

    CG IT

    In Cisco devices, all ports belong to VLAN 1 until you create another VLAN and assign ports to it. That's why VLAN 1 DHCP works. It will work each and every time because the default settings in IOS allow it to work, just like dumb switches always work; a Cisco switch doesn't need an address to work when you first boot it up and load IOS.


    When you create a new VLAN, you are in essence creating a new subnet. Devices in VLAN 1 cannot talk to devices on VLAN 2 unless you have some method of routing packets between VLANs ["router on a stick" method].

    So for VLAN 10, you must tell clients on it to go to a particular place to obtain IP addresses which is enabling DHCP relay agent on VLAN 10. Then you must have a way for that traffic to get to the server. Something must "route" the packets there. VLAN 1 will not "route" packets from VLAN 10 to the DHCP server.

    You ought to diagram it out to get a visual representation of how packets travel using subnets and routing, because that's really what you're doing when creating VLANs.

    devdevil85

    Do you see any mistakes or commands that I missed or used incorrectly that could be causing my problem?

    You said, "VLAN 1 will not "route" packets from VLAN 10 to the DHCP server." What will "route" the packets then?

    What should the Default Gateway be for devices on VLAN10? Because I have the ip helper-address on VLAN10 pointing to the DHCP server. Is this correct? Am I pointing devices to the correct gateway?

    Thanks!

    devdevil85

    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    1,10
    Insertion of option 82 is enabled
    Verification of hwaddr field is enabled
    Interface Trusted Rate limit (pps)
    ------------------------ ------- ----------------
    FastEthernet0/22 yes unlimited

    This is what I have. Is this correct?

    Dumphrey

    what to do with the vlan info? And is the trunk set correctly between your switch and router? I saw no switchport mode trunk in your config.

    EDIT: OOPS, integrated service router/layer 3 switch... still, is there a static route between VLAN 1 and VLAN 10?
    Edit2: Saw you added RIP.

    devdevil85

    Well,

    VLAN1 = 192.168.1.7
    VLAN10 = 192.168.10.1

    Where would I place this static route(s)? Would I need to use the "ip route" command? I thought the L3 Interface/Port on the 3560 knew everything that was locally connected? For example when I have something connected into the port for VLAN10 then in the Routing Table it shows both VLAN1 & 10 directly connected.....so would I still need to issue these commands. If so, what would they look like?

    robo_dev

    Using DHCP Server Management console (dhcpmgmt.msc) -> <DHCP Server> -> Right Click -> Set Predefined Options..., you can add option 82 as a customized option for DHCP Server. Thereon, on the DHCP Client you can use DhcpRequestParams API to retrieve the options for your further use.

    "Jaycee" wrote:

    > Does anyone have instructions on how to add scope option 82 to a Windows
    > DHCP server?
    >
    > Thanks.

    Jaycee (6 Oct 2005 12:19 PM):
    Thanks. I was missing the part of how to enter it on the DHCP server. Here is the configuration info:

    Name: Relay Agent Information <OPTIONAL>
    Code: 82
    Description: Custom option 82 <OPTIONAL>
    DataType: Byte
    Array: <CHECKED>

    Another post said:

    > In the DHCP console expand the scope, there should be a "Scope Options"
    > icon. Right click and select Configure Options
    > The options show up in a dialog box. When you actually select an option you
    > will be able to fill in the parameters

    devdevil85

    Well I guess I will just have to do my best on this one and see if the values I put in are correct.

    Is this what you have on yours? I mean, so I guess Code = 82 and then DataType = Byte are the two necessary values I need to have right?

    Thanks

    robo_dev

    Name: Relay Agent Information <OPTIONAL>
    Code: 82
    Description: Custom option 82 <OPTIONAL>
    DataType: Byte
    Array: <CHECKED>

    devdevil85

    Once I am able to get back into the server and put those values in I will be sure to let you know what happens. Thanks robo!

    devdevil85

    Is the value 0x0 supposed/ok to be in the Value box? I didn't think I was supposed to insert anything in there. I'll see if it works.

    devdevil85

    Is there anything missing that would cause there to be a problem or issue w/ DHCP or communication between VLANs that you can see?


    User Access Verification

    Building configuration...

    Current configuration : 1675 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    ip subnet-zero
    ip routing
    !
    ip dhcp snooping vlan 1-10
    ip dhcp snooping
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    !
    !
    !
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    description port on VLAN10
    switchport access vlan 10
    switchport mode access
    ip dhcp snooping trust
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.1.7 255.255.254.0
    !
    interface Vlan10
    ip address 192.168.10.1 255.255.254.0
    ip helper-address 192.168.1.1
    !
    router rip
    version 2
    network 192.168.1.0
    network 192.168.10.0
    !
    ip classless
    ip default-network 192.168.1.0
    ip route 0.0.0.0 0.0.0.0 192.168.1.15
    ip http server
    !
    !
    control-plane
    !
    !
    !
    end

    Cisco_POE#

    robo_dev

    now if it does not work issue:

    debug ip dhcp server packets

    to see if dhcp requests are making it all the way to the helper address and dhcp server.

    If you set a static IP address on VLAN 10, does inter-vlan routing work properly???

    devdevil85

    I just added every port on the 3560 as a trusted port for snooping.

    I am now going to see if my laptop gets an address. If not then I will statically set one and see if inter-vlan routing works or not.

    Thanks robo; the movie's not over yet!

    devdevil85

    FYI: We changed DHCP servers and the address is now 192.168.1.225 instead of the old one.

    Ok here's the scenario:

    1) DHCP is NOT working. I debugged the switch and we watched DHCP traffic on the server and didn't see anything happening on either one.

    but

    2) I statically assigned my Laptop (connected to port #22) like you said to (192.168.10.15) and it could ping my PC (192.168.1.64), but my PC could not ping the Laptop.

    3) I kept my PC's addressing the same, but changed its gateway to VLAN1 as 192.168.1.7 (previously it was our router 192.168.1.15), and the PC can now ping the Laptop and the Laptop can ping the PC. The PC can get to the Internet (after I manually enter DNS), but the Laptop cannot (after I manually enter DNS as well). The PC (192.168.1.64) is able to ping our Router (192.168.1.15), but the Laptop (192.168.10.15) cannot. When I did a traceroute from the Laptop to 134.84.84.84 (Outside Time Server) it got to VLAN10 (192.168.10.1) and then just timed out as if it didn't know where else to go. My default route on the switch is to our Router (192.168.1.15).

    Any suggestions?

    At least inter-VLAN routing works between devices, but I don't know what to do about getting outside of the network on VLAN10 (since I can't get the Laptop to the Internet)

    Here's my config file so far:

    User Access Verification

    Building configuration...

    Current configuration : 2229 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    !
    ip subnet-zero
    ip routing
    !
    ip dhcp snooping vlan 1-10
    ip dhcp snooping
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    !
    !
    interface FastEthernet0/1
    ip dhcp snooping trust
    !
    interface FastEthernet0/2
    ip dhcp snooping trust
    !
    interface FastEthernet0/3
    ip dhcp snooping trust
    !
    interface FastEthernet0/4
    ip dhcp snooping trust
    !
    interface FastEthernet0/5
    ip dhcp snooping trust
    !
    interface FastEthernet0/6
    ip dhcp snooping trust
    !
    interface FastEthernet0/7
    ip dhcp snooping trust
    !
    interface FastEthernet0/8
    ip dhcp snooping trust
    !
    interface FastEthernet0/9
    ip dhcp snooping trust
    !
    interface FastEthernet0/10
    ip dhcp snooping trust
    !
    interface FastEthernet0/11
    ip dhcp snooping trust
    !
    interface FastEthernet0/12
    ip dhcp snooping trust
    !
    interface FastEthernet0/13
    ip dhcp snooping trust
    !
    interface FastEthernet0/14
    ip dhcp snooping trust
    !
    interface FastEthernet0/15
    ip dhcp snooping trust
    !
    interface FastEthernet0/16
    ip dhcp snooping trust
    !
    interface FastEthernet0/17
    ip dhcp snooping trust
    !
    interface FastEthernet0/18
    ip dhcp snooping trust
    !
    interface FastEthernet0/19
    ip dhcp snooping trust
    !
    interface FastEthernet0/20
    ip dhcp snooping trust
    !
    interface FastEthernet0/21
    ip dhcp snooping trust
    !
    interface FastEthernet0/22
    description port on VLAN10
    switchport access vlan 10
    switchport mode access
    ip dhcp snooping trust
    !
    interface FastEthernet0/23
    ip dhcp snooping trust
    !
    interface FastEthernet0/24
    ip dhcp snooping trust
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.1.7 255.255.254.0
    !
    interface Vlan10
    ip address 192.168.10.1 255.255.254.0
    ip helper-address 192.168.1.225
    !
    router rip
    version 2
    network 192.168.1.0
    network 192.168.10.0
    !
    ip classless
    ip default-network 192.168.1.0
    ip route 0.0.0.0 0.0.0.0 192.168.1.15
    ip http server
    !
    !
    control-plane
    !
    !
    end

    Cisco_POE#
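An added config audit in Python (example code, not from the thread or from Cisco) for the two snooping-trust situations the configs above went through: the first snooping config trusted only Fa0/22, leaving the DHCP server's own port untrusted on a snooped VLAN (snooping drops OFFER/ACK arriving on untrusted ports), and the config just posted trusts every port, which keeps option 82 insertion but gives up the rogue-DHCP-server protection snooping exists for. It also flags SVIs whose helper address is unneeded or missing. The sample config is constructed from the ones posted here, and the server hanging off Fa0/1 is an assumption; the thread never says which port it is on.

```python
import ipaddress
import re

# Constructed running-config, cut down from the ones posted in this thread. The DHCP server
# port (Fa0/1) is an assumption: the thread never says which port the server is on.
SAMPLE_CONFIG = """\
ip routing
!
ip dhcp snooping vlan 1-10
ip dhcp snooping
!
interface FastEthernet0/1
 description Windows DHCP server (assumed port)
!
interface FastEthernet0/2
 ip dhcp snooping trust
!
interface FastEthernet0/22
 description port on VLAN10
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
!
interface Vlan1
 ip address 192.168.1.7 255.255.254.0
 ip helper-address 192.168.1.225
!
interface Vlan10
 ip address 192.168.10.1 255.255.254.0
 ip helper-address 192.168.1.225
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
"""


def parse_ios(config):
    """Split a running-config into (global_lines, {interface: [stanza lines]}); '!' ends a stanza."""
    global_lines, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur = None
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur is not None:
            ifaces[cur].append(line)
        else:
            global_lines.append(line)
    return global_lines, ifaces


def snooping_vlans(global_lines):
    """VLANs on which snooping is active: the 'ip dhcp snooping vlan 1-10,20' list only counts
    once the global 'ip dhcp snooping' is present too."""
    if "ip dhcp snooping" not in global_lines:
        return set()
    vlans = set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if m:
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def access_vlan(lines):
    """VLAN of an access port; an unconfigured port sits in VLAN 1, as the thread notes."""
    for line in lines:
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    return 1


def audit(config, dhcp_server_ip, server_port):
    """Return [(severity, interface, message)] for DHCP relay and snooping-trust problems."""
    global_lines, ifaces = parse_ios(config)
    snoop = snooping_vlans(global_lines)
    server = ipaddress.ip_address(dhcp_server_ip)
    findings = []
    for name, lines in ifaces.items():
        if name.startswith("Vlan"):
            addr = next((l.split()[2:4] for l in lines if l.startswith("ip address ")), None)
            helpers = [l.split()[-1] for l in lines if l.startswith("ip helper-address ")]
            if addr is None:
                continue
            net = ipaddress.ip_interface("%s/%s" % tuple(addr)).network
            if server in net and helpers:
                findings.append(("info", name, "helper-address not needed: DHCP server is in this subnet"))
            elif server not in net and not helpers:
                findings.append(("error", name, "no ip helper-address: clients here never reach the DHCP server"))
            for h in helpers:
                if ipaddress.ip_address(h) != server:
                    findings.append(("warn", name, "helper-address %s is not the DHCP server" % h))
            continue
        trusted = "ip dhcp snooping trust" in lines
        vlan = access_vlan(lines)
        if name == server_port and vlan in snoop and not trusted:
            findings.append(("error", name, "DHCP server port untrusted: snooping on VLAN %d drops its OFFER/ACK" % vlan))
        elif trusted and name != server_port:
            findings.append(("warn", name, "trusted but not the DHCP server port: a rogue DHCP server here is not blocked"))
    return findings


if __name__ == "__main__":
    for sev, iface, msg in audit(SAMPLE_CONFIG, "192.168.1.225", "FastEthernet0/1"):
        print("%-5s %-18s %s" % (sev, iface, msg))
```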

    robo_dev

    The helper address on VLAN1 is not needed since the DHCP server is on the same VLAN

    Should the 'network' lines be:

    network 192.168.1.0
    network 192.168.10.0

    devdevil85

    I removed the helper address on VLAN1 and left it on VLAN10 as (ip helper-address 192.168.1.225), which is our new DHCP server address.

    I also have RIP V2 running advertising the 192.168.1.0 & 192.168.10.0 networks.

    Is there something wrong that I'm missing?

    CG IT

    Note: you don't mention anything about your routing tables, which is what I was trying to prod you into providing by referring to "router on a stick".

    So for routing packets between VLANs, Here's the Cisco article on inter-vlan routing.

    Network devices in different VLANs cannot communicate with one another without a router to route traffic between the VLANs. In most network environments, VLANs are associated with individual networks or subnetworks.

    For example, in an IP network, each subnetwork is mapped to an individual VLAN. In a Novell IPX network, each VLAN is mapped to an IPX network number. In an AppleTalk network, each VLAN is associated with a cable range and AppleTalk zone name.

    Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. However, when an end station in one VLAN needs to communicate with an end station in another VLAN, interVLAN communication is required. This communication is supported by interVLAN routing. You configure one or more routers to route traffic to the appropriate destination VLAN.

    Figure 3-1 shows a basic interVLAN routing topology. Switch A is in VLAN 10 and Switch B is in VLAN 20. The router has an interface in each VLAN.

    Figure 3-1 Basic InterVLAN Routing Topology


    When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to that host. Switch A forwards the packet directly to Host B, without sending it to the router.

    When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which receives the traffic on the VLAN 10 interface. The router checks the routing table, determines the correct outgoing interface, and forwards the packet out the VLAN 20 interface to Switch B. Switch B receives the packet and forwards it to Host C.

    Figure 3-2 shows another common scenario, interVLAN routing over a single trunk connection to the router. The switch has ports in multiple VLANs. InterVLAN routing is performed by a Cisco 7505 router connected to the switch through a full-duplex Fast Ethernet trunk link.

    Figure 3-2 InterVLAN Routing Over a Single Trunk Link

    your 3500 is a layer 3 switch which means it can route packets [depending upon the IOS version and feature packs you have ]. So make sure your routing table has all the information to "route" packets between VLANs.

    here's a link to the article:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/hybrid/routing.html#wp13354

    devdevil85

    Well I am able to communicate between VLANs 1 & 10 and devices on VLAN1 can get to the net, but my device on VLAN10 cannot. I posted my configuration (so far), so if you could just take a quick look at it and see if everything looks good I would greatly appreciate it. Thanks!

    devdevil85

    Gateway of last resort is 192.168.1.15 to network 0.0.0.0

    S* 0.0.0.0/0 [1/0] via 192.168.1.15
    C 192.168.0.0/23 is directly connected, Vlan1
    Cisco_POE#


    I'm not seeing VLAN10. Is this a problem?

    CG IT

    how are packets from VLAN10 going to get to the router interface which will forward packets to the internet?

    The router already knows packets from 1 to 10 and 10 to 1 are routed on the LAN interface [intervlan routing]. Packets from 1 not destined for 1 or 10 are sent to the gateway. But the router doesn't know to send packets from 10 not destined for 1 to the gateway.

    So for VLAN 10 what's the gateway address? The next question is if clients obtain addressing and DNS server information from DHCP, how are they going to get gateway/router information? [which I believe was part of this problem as you were trying to setup clients in VLAN 10 to get addresses from a DHCP server on VLAN1].

    VLAN10 >>>>> ???? >>>> internet
    VLAN10 >>> router >>>VLAN1
    VLAN1 >>>>> router either VLAN10 or[LAN interface/gateway] >>> internet

    can't do the diagram using Cisco symbols but if you diagram out what you want to achieve, it makes figuring out what's needed easier.

    note: unlike Windows operating system, there's no Internet connection sharing in Cisco equipment. You can't tell packets to go to VLAN1 then expect VLAN1 to forward packets to the Internet. Packets have to go to a router and the router has to know what to do with the packets. The router uses the routing table to determine what to do with packets. So it needs information on what to do with packets from VLAN10.

    Should be apparent now what you need to configure.

    Note: I don't want to tell you what to do, because what if you want to create another VLAN on your switch, OR you have to add another switch and you set up VLANs on that? How do you trunk VLAN1 on switch 2 to VLAN1 on switch 1 and also provide internet access on VLAN1 switch 2 through router 1? What if you have 2 routers on the network before the internet?

    Cisco CCNA/CCNP Prep Center has a CCTV video series which I highly recommend. The instructors are CCNP or CCIE and they go through the process of VLANs and inter-connect routing.

    http://forums.cisco.com/eforum/servlet/PrepCenter?page=ccna_tv2007

    devdevil85

    When you refer to

    VLAN10 --> router --> VLAN1

    is "router" the routed interface/SVI on the 3560 or are you talking about our physical L3 Kentrox Router/Firewall that we have connected to it? We want to eliminate the Kentrox btw and just use the 3560 for routing traffic other than traffic meant for the internet (which I figured the 3560 would just forward to the Kentrox which it would then forward to our Nuvox Box).

    Dumphrey

    turn on vlan 10 in conf t
    int vlan10 enable
    ?

    devdevil85

    as directly connected in the routing table if I didn't, right? Again, I'm not 100% on anything right now re: VLANs being sandboxed to only a 3560 & no external L3 Router.....

    Basically I don't see the point of a L3 Switch if you don't use it for what it was meant to be used for.....if that makes sense....I know it's something that a lot of people brag about, but if it's this hard to get things working then I have to disagree w/ them.....

    Dumphrey

    I prefer a layer 2 switch and a router... I know how to set that up....
    Recap:
    Vlan1 and Vlan10 both have ip addresses.
    Vlan1 (default) works fine
    Vlan10 does not work? Works partly?
    Both Vlans are in the routing table, and are they showing when you do a show RIP? (This is now our "trunk" or, more accurately, vlan 10 is now a new interface on our router, and port 22 is its only member.) The problem is getting dhcp to vlan10 from vlan1. The ip helper dhcp command (pointing to your dhcp server) should have fixed this. Now is there a dhcp port range for the vlan10 subnet?

    CG IT

    whether you call it a switch or L3 it's still a router because it routes traffic.

    VLANs can't talk to each other unless a Layer 3 device is used to route traffic between them because VLANs are different subnets.

    Layer 2 devices, switches, can't route packets.

    So VLAN10 --> router --> VLAN1


    Also the layer 3 device has to know what to do with packets not destined for VLAN10 or VLAN1. That would be to send them to the gateway.


    So your 3560 has a routing table which it uses to determine what to do with packets. You need an entry in the routing table that says packets from VLAN10 not destined for VLAN1 are sent to the gateway.

    The LAN interface [routed interface] on your 3500 is the gateway out for all traffic behind it.

    devdevil85

    So the "Layer 3 Device" you refer to in:

    VLAN10 >>>Layer 3 device to route to VLAN1.

    is a port on the 3560 that I have configured to be a L3 (routed) port, right?

    If so, don't I have to assign an IP address to that port and also the cmd "no switchport"? because I don't remember doing that.

    Which VLAN would I assign that port to be its GW?

    Last question: What would the route statement look like that says "packets from VLAN10 not destined for VLAN1 are sent to the gateway"? What is VLAN10's GW?

    ip route (Destination prefix) (Sub Mask) (Forwarding Router's address)

    Thanks CG

    CG IT

    are you using SVI on that switch port for L3 routing functions?

    How are you getting traffic from VLAN1 to your non L3 switch firewall router?

    The basics of VLANs are that you need a router to have interVLAN communications. Now, Cisco has a couple of different ways of accomplishing this. One is the "router on a stick" method where you set up an access line both VLANs use to get to the router. In your case the SVI interface. Your SVI interface allows VLANs to talk to each other.

    So here's the question, how does VLAN1 traffic get to your firewall router to have internet services? your VLAN10 must also have a route.


    The route for IP traffic from VLAN10 to the internet is what? VLAN10 to ??? to ???


    do a show IP route command and then post

    devdevil85

    I did configure an SVI interface, but tbh I really don't remember issuing the "no switchport" cmd along w/ an ip address. I don't ever remember pointing any devices to that IP address, but somehow when I changed the GW on my PC on VLAN1 I was able to get to communicate w/ my PC in VLAN10.

    There is only 1 switch at the moment (3560) and it is connected to a L3 Kentrox Router/Firewall (which we want to only use to get to the internet for devices connected to the switch). Essentially we want to use the "Router on a stick" configuration w/ the 3560.

    In regard to your question on how VLAN10 gets to the internet these are the step by step hops:

    PC on VLAN10 --> 3560 --> Kentrox Router/Firewall --> Nuvox Box

    That's the physical route. Now how it's supposed to work logically (and from what I know) I think it should work like this:

    PC on VLAN10 --> L2 port on 3560 --> SVI on 3560 --> Kentrox --> Nuvox Box

    Now how I am supposed to do that idk, meaning like I don't know what the GW's should be on the VLANs and also if I point devices &/or VLANs to the SVI interface.

    We actually reset the settings on the 3560 because DHCP was messed up on VLAN1, so.....I can't get you the Route information

    CG IT

    Think "Router on a stick"


    VLAN10 >>> router LAN interface >>> VLAN1

    where the router routes traffic from 10 to 1 and vice versa. the router LAN interface is also the gateway where the router has a LAN and WAN interface.


    commands to create an access port for VLAN10

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# interface fastethernet 5/6
    Router(config-if)# shutdown
    Router(config-if)# switchport
    Router(config-if)# switchport mode access
    Router(config-if)# switchport access vlan 10
    Router(config-if)# no shutdown
    Router(config-if)# end
    Router# exit

    verify config =


    Router# show running-config interface fastethernet 5/6
    Building configuration...
    !
    Current configuration:
    interface FastEthernet5/6
    no ip address
    switchport access vlan 10
    switchport mode access
    end
    Router# show interfaces fastethernet 5/6 switchport
    Name: Fa5/6
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Enabled
    Access Mode VLAN: 200 (VLAN0200)
    Trunking Native Mode VLAN: 1 (default)
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: ALL
    Router#


    are you tagging on the VLANs?

    and what are the static routes you created?

    devdevil85

    to tell the router interface that any traffic coming from VLAN10 not intended for VLAN1 to go to the Kentrox?

    VLAN1 = 192.168.1.7
    VLAN10 = 192.168.10.1
    Kentrox = 192.168.1.15

    Where does the SVI (routed port) on the 3560 play into all of this? Do I point any VLAN to this?

    devdevil85

    "VLAN10 >>> router LAN interface >>> VLAN1"

    Question: is the "router LAN interface" the SVI (routed port) on the 3560 or a fastethernet port on our Kentrox?


    "the router LAN interface is also the gateway where the router has a LAN and WAN interface."

    I'm confused on what device you are referring to. The only box I can think of that has a WAN connection & a LAN is our Nuvox Box. Maybe that's the Gateway that you are referring to.

    The Kentrox (which of course connects to the Nuvox and then to the 3560) sits behind it and acts as a Firewall and then the 3560 sits behind it.

    So what is the gateway supposed to be for VLAN10? I never setup a GW for it. For devices on VLAN10 I had their GW's set as VLAN10.

    devdevil85

    We are not tagging. The only Static routes that we had was the Gateway of Last Resort which we configured to be the Kentrox (192.168.1.15).

    So whose GW is supposed to be the Kentrox? Of course, the 3560's GW is the Kentrox, but I'm confused on what the GW's are supposed to be on VLAN1 & VLAN10. I figured if I created a L3 routed port on the 3560, something's GW would have to be set to it.

    CG IT

    do you use Access Ports?

    you have 1 port on VLAN10, so what does it use to get to VLAN1? You have 23 ports on VLAN1; what port do you use for access to your Kentrox router?

    If it was me, I'd create static routes all to the Kentrox router.

    devdevil85

    My coworker's laptop was plugged into port 22 (VLAN10) and it was configured as an access port. All other 23 ports were unconfigured, sitting in VLAN1. I know the Kentrox connects to the 3560, so I would guess that one of the ports could have been trunked, right?

    CG, what would the route entry be for "VLAN10 traffic not destined to VLAN1 go to the Kentrox (for the internet/an outside network)" that you said previously you think I should enter?

    You said, "If it was me, I'd create static routes all to the Kentrix router."

    Do I create them for VLAN1 & 10?

    Thanks

    +
    0 Votes
    CG IT

    You use 802.1Q trunking to route between VLANs using "router on a stick". You need to divide the L3 device's interface into multiple addressable interfaces, 1 for each VLAN.

    here's the command for the default route:

    ip route 0.0.0.0 0.0.0.0 192.168.X.X where 192.168.X.X is the ip address of the next hop router.

    If you use IP Classless, a packet with a destination on an unknown subnet or not on the directly connected subnet is sent to the default route to the next hop router. You already do ip classless [on by default]. Without going through all posts, what is your 192.168.1.15 address? The L3 switch or your router?

    Given that, your L3 device needs subinterfaces with addresses for both VLANs 1 and 10. The L3 device then can route packets between VLANs. Your L3 device also needs ip classless and the default route to the next hop.

    Do you need the commands for that?

    +
    0 Votes
    devdevil85

    192.168.1.15

    The 3560 is 192.168.1.7

    Hmm....so I need to use 802.1Q trunking on a Routed Port on the 3560, right?

    And then I need to divide the "Routed Port" into multiple subinterfaces, right?

    I remember how to do it on the Router itself, but as you already know we want this to be a "router on a stick" and to eliminate any Kentrox activity except for getting us to the net.

    +
    0 Votes
    CG IT

    You should be able to configure subinterfaces on the 3500 for VLANs if it's a layer 3 device [Cisco layer 3 device].

    You should also be able to configure the default route on the 3500, which says: send all traffic not destined for VLAN1 or VLAN10 hosts to the Kentrox. That's the ip classless / ip route commands.

    Typically, I don't design infrastructure with a layer 3 switch doing routing functions but I'm old school where we used layer 2 devices for all switching and layer 3 for routing. I know Cisco created layer 3 switches to cut down on infrastructure hardware but.... if it was me, I'd have a 1800 in there doing routing between VLANs on the 3500 and leave the 3500 to just do switching. Waste of the 3500 capabilities but it does make configuration simpler.

    +
    0 Votes
    devdevil85

    is disappointed that we aren't utilizing the extra horsepower and really wants to see if we can get the 3560 to be used as both a L2 switch AND a layer 3 router (for the inter-vlan routing). That way if we implement this solution to other parts of the company or for other clients we will have something to go by.

    CG, what would the default route look like that says "send all traffic not destined for VLAN1 or VLAN10 hosts to the Kentrox"? I'm kind of new to writing statements like that, but I know how to write direct statements that say specific traffic needs to go to something from something...but not as general as this....

    +
    0 Votes
    Dumphrey

    ip route 0.0.0.0 0.0.0.0 (IP address of the Kentrox interface connected to the 3560)

    The 3560 and Kentrox need to be on a separate subnet (/30) from either vlan1 or vlan10.

    to simplify, vlan1 is 192.168.1.0/24
    vlan10 is 192.168.10.0/24

    +
    0 Votes
    Dumphrey

    we have a catalyst 4008 with 3 10/100 banks and 8 fiber ports (7 unused) doing nothing but passive switching...

    +
    0 Votes
    Dumphrey

    needs to be on a separate subnet from vlan1 or vlan10; you have 2 networks on your device and you need 3: 1 for vlan1, 1 for vlan10, and 1 to connect to your router/firewall.

    +
    0 Votes
    devdevil85

    Why would I need to create a 3rd subnet? I figured that it had to be bad configuration for VLAN10 as the reason for why it can't reach the internet/receive DHCP information, and that I just need to change the GW on VLAN1 devices to the 3560 itself and not the Kentrox and that I need to create an SVI/L3 port on the 3560 and then have to point the L3 SVI port on the 3560 to the Kentrox....I feel like I just need to point the correct devices to their next respective hops w/o pointing them to devices that are 1 hop too far.....

    but I honestly am new to this just like you (read your bio) so maybe I'm totally wrong....but I just don't see why I'd need to create a 3rd sub-network.....

    +
    0 Votes
    Dumphrey

    and a "logical" or virtual interface on a router. The switchports are just that, layer 2 ports. It's the VLAN interfaces that take care of the routing. So, you have 2 VLANs on 2 subnets; they should both be able to ping back and forth if configured correctly.

    Now, for both to reach the internet, they need a gateway. Each host on the VLAN is going to use the VLAN address as its gateway. The VLANs, on the other hand, need an address they can use as a gateway, usually the next hop router.

    Now let's say the Kentrox LAN interface connected to your 3500 is in the same subnet as VLAN1. VLAN10 would have no access to the internet except by going through VLAN1, which does not work so well, if at all, because VLAN10 now has no gateway for traffic other than for VLAN1. By creating a separate subnet between the router and the Kentrox (you should test this with a subinterface really, as well as create VLAN20, so as to use VLAN20 and VLAN10 for testing and leave the current setup in place unaffected until you know it will work) you create a default network for BOTH VLANs to use. Until you do this, VLAN10 will not really be able to get to VLAN1 well or to the internet.

    +
    0 Votes
    devdevil85

    or do I need to leave it "open" w/o a device connected to it?

    Also, the way I understood your explanation I have written down:

    switchports = L2 ports
    ? = L3 ports/interfaces
    GW for Vlan1 Devices = 192.168.1.7 (Vlan1 Net ID)
    GW for Vlan10 Devices = 192.168.10.1 (Vlan 10 Net ID)
    GW for Vlan1 = 192.168.1.15 (Kentrox LAN intf)

    are these correct and is there anything else that I am missing/need to know?

    +
    0 Votes
    CG IT

    Router(config)#interface FastEthernet 0/0
    Router(config-if)#no ip address
    Router(config-if)#exit
    Router(config)#interface FastEthernet 0/0.1
    Router(config-subif)#encapsulation ISL 1
    Router(config-subif)#ip address {VLAN1 with mask}
    Router(config-subif)#exit
    Router(config)#interface FastEthernet 0/0.2
    Router(config-subif)#encapsulation ISL 2
    Router(config-subif)#ip address {VLAN10 with mask}


    Router(config)#ip classless
    Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.15


    RIP for dynamic routing
    Router(config)#router rip
    Router(config-router)#network {network#}

    +
    0 Votes
    devdevil85

    the Kentrox as the L3 Device to Inter-Vlan Route and not a L3 Port/SVI on the 3560, right? I mean, wouldn't I essentially be doing the same kind of thing to the L3 port on the 3560?

    For example: (ping VLAN10 from VLAN1) VLAN1 --> L3 port/SVI on 3560 --> VLAN10

    (ping yahoo.com from VLAN10) VLAN10 --> L3 port/SVI --> Kentrox --> Nuvox Box --> (Internet)

    Are these diagrams even correct in terms of how it should/could work?

    So the route entry (0.0.0.0 0.0.0.0 192.168.1.15) translates to "Any traffic not destined for a known internal network go to the Kentrox", right?

    If that's so then where does this L3 Routed Port (on the 3560) come into play? I figured the Kentrox would be the GW for the L3 Port on the 3560 (if traffic wasn't intended for known networks on the switch)....

    +
    0 Votes
    CG IT

    You're configuring your 3560 with subinterfaces so that it can "route" traffic between VLANs.

    you can create a static route from the 3560 interface to the Kentrox or you can enable RIP or IGRP on both so they can learn about each other.

    I'm not telling you to use these commands and it should work, but the commands I gave you are the commands for setting up routing between VLANs using your L3 device.

    you can also use your L3 device to route traffic not destined for VLANs 1 or 10 by using the ip classless and static route OR you could just turn on RIP or IGRP and let the routers work it out.
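
    A small model of the route lookups being described, added here as an example and not code from the thread: the 3560's table is the one from the original post (two connected /23s plus the default to 192.168.1.15), while the Kentrox table, the "isp" pseudo next hop and the two hosts 192.168.10.15 and 192.168.1.64 are constructed assumptions. It shows that a VLAN10 host's packets leave via the default route, but nothing comes back until the Kentrox also has a route to 192.168.10.0/23 (static, or RIP-learned as suggested above).

```python
"""Longest-prefix-match model of the two routing tables in this thread: the 3560
(connected /23s for VLAN1 and VLAN10 plus the default to the Kentrox) and the
Kentrox LAN side.  Added example, not code from the thread; the Kentrox table,
the "isp" pseudo next hop and the two host addresses are constructed assumptions."""
from __future__ import annotations

import ipaddress

Net = ipaddress.IPv4Network
INTERNET = "134.84.84.84"      # an outside host; its replies come back via the Kentrox


class Router:
    def __init__(self, name: str, routes: list[tuple[str, str | None]]):
        self.name = name
        self.routes = [(Net(p), nh) for p, nh in routes]   # next hop None = connected

    def add_route(self, prefix: str, next_hop: str | None) -> None:
        self.routes.append((Net(prefix), next_hop))

    def lookup(self, dst: str) -> tuple[Net, str | None] | None:
        """Most specific matching prefix wins; 0.0.0.0/0 only when nothing else does."""
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


# The thread's 3560: two SVIs with 255.255.254.0 masks and a gateway of last resort.
SWITCH = Router("Cisco_POE", [("192.168.0.0/23", None), ("192.168.10.0/23", None),
                              ("0.0.0.0/0", "192.168.1.15")])
# Assumed Kentrox LAN table: it knows only its own LAN subnet and its upstream default.
KENTROX = Router("Kentrox", [("192.168.0.0/23", None), ("0.0.0.0/0", "isp")])
GATEWAYS = {"192.168.1.7": SWITCH, "192.168.10.1": SWITCH, "192.168.1.15": KENTROX}


def forward(router: Router, dst: str, path: list[str]) -> bool:
    """Walk the tables hop by hop; True when dst is on a connected network."""
    for _ in range(8):                        # TTL-style guard against route loops
        path.append(router.name)
        route = router.lookup(dst)
        if route is None:
            return False
        nh = route[1]
        if nh is None:
            return True
        if nh == "isp":                       # leaves the Kentrox WAN side
            return dst == INTERNET            # anything else is sent upstream and lost
        router = GATEWAYS[nh]
    return False


def subnet_of(ip: str) -> Net:
    for net, nh in SWITCH.routes:
        if nh is None and ipaddress.IPv4Address(ip) in net:
            return net
    raise ValueError(f"{ip} is not on a switch VLAN")


def send(src: str, src_gw: str | None, dst: str) -> tuple[bool, list[str]]:
    """One direction: local delivery inside a VLAN, otherwise via src's default gateway."""
    path = [src]
    if src == INTERNET:                       # a reply from outside lands on the Kentrox
        return forward(KENTROX, dst, path), path
    if dst != INTERNET and ipaddress.IPv4Address(dst) in subnet_of(src):
        return True, path
    return forward(GATEWAYS[src_gw], dst, path), path


def ping(a: str, a_gw: str | None, b: str, b_gw: str | None = None) -> tuple[bool, bool]:
    """An echo only succeeds when both the request and the reply route."""
    return send(a, a_gw, b)[0], send(b, b_gw, a)[0]


if __name__ == "__main__":
    laptop, pc = "192.168.10.15", "192.168.1.64"            # constructed hosts
    print("laptop -> PC (PC gateway = Kentrox):", ping(laptop, "192.168.10.1", pc, "192.168.1.15"))
    print("laptop -> PC (PC gateway = 3560):   ", ping(laptop, "192.168.10.1", pc, "192.168.1.7"))
    print("laptop -> internet:", ping(laptop, "192.168.10.1", INTERNET), send(INTERNET, None, laptop)[1])
    KENTROX.add_route("192.168.10.0/23", "192.168.1.7")   # static return route (or RIP-learned)
    print("laptop -> internet with return route:", ping(laptop, "192.168.10.1", INTERNET))
```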

    +
    0 Votes
    devdevil85

    but if there are L3 Interfaces/Ports on the 3560 would it then start noticing RIP advertisements?

    +
    0 Votes
    CG IT

    L2 devices are "just switches".

    The 3500 series allows a lot of flexibility depending upon what modules and IOS features you have [I don't know what you have].

    If you're playing around with it trying to get it to work, then try making subinterfaces on it to get inter-VLAN communications going, then try a static route from the 3560 interface [not sub] to your actual L3 router. See if that works.

    Try a show ip protocols command and see what's up. RIP should be there if you run the router ip command and the associated directly connected network. Enable RIP on your Kentrox.

    +
    0 Votes
    devdevil85

    you're saying.

    The IOS version we have on it is:

    12.2(20)SE4 w/ no added modules (there are 2 Gig/Ethernets)

    So on the 3560 L3 Interface, itself, you are saying to put a:

    0.0.0.0 0.0.0.0 192.168.1.15 static route on it, right?

    RIP should be running on the Kentrox. If that's true then shouldn't I receive/see a RIP route in the 3560's routing table?

    +
    0 Votes
    devdevil85

    it's configured? Basically what I mean is: Can I still plug a device into the L3 Port or do I have to leave it open and without a device plugged into it?

    +
    0 Votes
    CG IT

    has 2 fast ethernet ports

    1 you use for inter-VLAN routing by creating subinterfaces ??? and one you use as an "uplink" to your Kentrox "router" ?

    +
    0 Votes
    CG IT

    the default route is a static route when you don't let routers "discover" and exchange routing information by using RIP or IGRP

    so if your 3560 has the RIP or IGRP protocol you can turn it on, turn on RIP/IGRP at the Kentrox and let the 2 exchange routing information.

    OR you can just specify a static route if you don't want the overhead RIP/IGRP has on the network.

    +
    0 Votes
    CG IT

    router(config)#interface fastethernet 0/0
    router(config-if)#ip address {address & mask}
    router(config-if)#exit
    router(config)#interface fastethernet 0/0.1
    router(config-subif)#encapsulation dot1q 1
    router(config-subif)#ip address {address & mask}

    repeat for subinterface 2 using dot1q 2

    +
    0 Votes
    devdevil85

    thanks....I'll be anxiously waiting a response....

    +
    0 Votes
    devdevil85

    because the static routes are a little intimidating to me at the moment...

    but do you know if I can still plug a device into the L3 Interface/Routed Port on the 3560 after I configure it or will the device/interface get confused?

    +
    0 Votes
    CG IT

    Doesn't that thing come with Cisco Network Assistant? it should.

    Using that would really simplify your configuration process.


    Another note: is all this just an academic exercise?

    +
    0 Votes
    devdevil85

    Honestly Idk if it comes w/ that or not. I will have to check into that.

    As for academic exercise: Yes & No. It's something that my boss wanted to try and implement since it IS L3-capable; why go the lazy route (yes it's easier, but he spent more money on it for this reason) and use an external router that he wants to get rid of, and implement this same sort of thing in other parts of the business or w/ clients.

    I know I keep asking this, but after I configure the port on the 3560 to be Layer 3 can I still plug in a PC and use it as L2 as well? Can they both live in harmony or do I have to leave it "open" w/o a device on it?

    +
    0 Votes
    CG IT

    You have 2 SFP ports and I assumed you're using GBICs on them. You use 1 to uplink to your Kentrox router and the other one is bare?

    The switch ports are the 24 ports. Normally the uplink port goes to the router. The router interface is subed to allow inter-vlan communications which utilize the uplink port.

    +
    0 Votes
    Dumphrey

    I assume that 192.168.1.5 is the Kentrox?

    +
    0 Votes
    devdevil85

    Sorry for the confusion, but 192.168.1.15 is the Kentrox's LAN FastEthernet Interface

    +
    0 Votes
    devdevil85

    Sorry for the confusion, but we didn't buy the adapters to run Gigabit Eth or Fibre on the Switch. We're just using a FastEthernet port to connect to the Kentrox.

    Hope this helps....

    Can I plug a device into a L3 Port and get the device to work on it? or do I need to leave the L3 port open? I really need to know this...

    +
    0 Votes
    CG IT

    as your "quasi trunk" line to your Kentrox router, then I'm not sure. Never configured a switch port as an interface port with subinterfaces on a 3560.

    if you looped a switch port to use as an access port for VLANs that would be very bad.

    what about creating subinterfaces on the one switch port you use as an uplink port? you configured it with an address, then you might be able to do subinterfaces and achieve inter-vlan communications AND then the route would be the switchport interface to the Kentrox router.

    Best I can offer with what limited knowledge I have.

    Dave Davis or George Ou here are both the Cisco Gurus. Might find them and send em a PM.

    +
    0 Votes
    devdevil85

    on the 3560 Routed Port/SVI and then point their GW's to the Kentrox's LAN Interface....

    As for using the same L3 port as an L2 port that a device could connect into, I will stray away from that, as from what I got out of what you said it's probably very bad, right?

    You said, "Never configured a switch port as an interface port with subinterfaces on a 3560."

    >My teacher said the same thing to me. That he's never done it and if he did (which he couldn't remember) he used different commands and was using a different version switch w/ a different IOS version....

    Honestly, I don't really want to repeat the scenario to those guys, but if I don't get this running I will be sure to PM them....but CG you have been a huge confidence booster and have taught me quite a few things and I really want to thank you for that. With L3 becoming a big part of network infrastructures people are going to have to know how to do this sometime or another. Of course I would rather just use the Kentrox's LAN interface and trunk the switch to it and create sub-interfaces for each VLAN, but I really want to show my boss that it is possible to do this and that his investment was worthwhile....

    +
    0 Votes
    CG IT

    well try to create subinterfaces on your routed port. see if it works. That's all I can suggest.

    +
    0 Votes

    Ok

    devdevil85

    What would the GW be for these interfaces? The next hop? If so, that would mean the Kentrox LAN Interface would need to be it, right?

    Should I do what Dumphrey said and put the Switch and Kentrox LAN Interface on their own subnet? I really don't see why that matters....

    +
    0 Votes
    CG IT

    the switch from the kentrox router?

    You're creating VLANs to separate out a computer from others rather than buying a router to do it.

    +
    0 Votes
    devdevil85

    in other parts of the business and possibly w/ other clients, so we are trying to get away from using the Kentrox.

    Is it possible to use this scenario:

    PC --> L3 3560 Switch --> Nuvox Box --> Internet!

    or does there have to be a Kentrox between the 3560 & Nuvox Box?

    +
    0 Votes
    Dumphrey

    all the routing, but you will need a firewall, unless your Nuvox box has one built in.

    +
    0 Votes
    anil.beharry

    Hello All,

    Reading through this thread I have not seen a definite solution to DevDevil's issue. Was a solution eventually reached? Mind sharing it?

    My issue is a bit similar. I have a Cisco 3560 that is configured on all ports for VLAN 5 (192.168.63.x) with Port 1 being a Trunk port interface to a 3com Layer 3 switch that is interfacing to another VLAN (10.100.x.x)

    The solution was working fine, and then on Friday morning VLAN 5 users, whilst getting a 192.168.63 IP, were unable to access resources on the 10.100.x.x network.

    No changes were made on switches or DHCP servers or anything.

    Full PING and traceroute between hosts, switches, VLANs and servers is possible. Yet access to resources was nil, i.e. email, internet, application.

    See attached config; comments would be most welcome.

    thanks...Anil

    ***
    sh runn
    Building configuration...

    Current configuration : 2636 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    !
    no aaa new-model
    system mtu routing 1500
    ip subnet-zero
    ip routing
    !
    !
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/2
    switchport mode access
    !
    interface FastEthernet0/3
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/4
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/5
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/6
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/7
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/8
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/9
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/10
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/11
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/12
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/13
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/14
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/15
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/16
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/17
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/18
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/19
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/20
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/21
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/22
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/23
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/24
    switchport access vlan 5
    switchport mode access
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 10.100.0.45 255.255.0.0
    !
    interface Vlan5
    ip address 192.168.63.1 255.255.255.0
    ip helper-address 10.100.0.6
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.100.0.3
    ip route 10.100.0.0 255.255.0.0 10.100.5.36
    ip http server
    !
    snmp-server community sectt RW
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    !
    end

    Switch#

    +
    0 Votes
    robo_dev

    you do not need the helper on vlan 1.

    does your new scope in your server have the giaddr field?

    do 'debug ip dhcp server packets' to see if dhcp requests are getting to the helper ip.

    +
    0 Votes
    CG IT

    VLAN 1 is also on the same subnet as all other devices connected to the switch [such as your DHCP server; I assume your DHCP server is connected to that switch].

    When you create another VLAN, you're separating those ports assigned to the new VLAN from the default VLAN. They need an access line and a helper address to get to VLAN1.

    +
    0 Votes
    devdevil85

    interface FastEthernet0/22
    switchport access vlan 10
    switchport mode access

    interface Vlan10
    ip address 192.168.10.1 255.255.254.0
    ip helper-address 192.168.1.1

    There is only 1 port (#22) in VLAN10 so far. I put the access line on the port (22) and I put the ip helper-address on VLAN10 as shown above. The external DHCP server is (like you said) connected to the 3560. Is there something that I'm missing? because it sounds like what you have said is something that I have already done...

    Thanks for your help

    +
    0 Votes
    robo_dev

    The dhcp server does not know which subnet to use. DHCP relay is enabled by default in most Cisco devices.

    The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (option82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing option 82.

    Also, you don't need a helper address on your vlan1, but I'm not sure that this is making things fail.

    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804412bf.html#wp1085170

    +
    0 Votes
    devdevil85

    I removed ip helper from VLAN1, but I don't know if what you are saying is that I'm missing something on my DHCP Server or if I'm missing a command on the 3560....

    +
    0 Votes
    robo_dev

    the cisco DHCP relay agent appends the helper address to the dhcp request packet on dhcp option 82 (GIADDRESS = Gateway interface address) only if DHCP snooping is enabled.

    AND

    Microsoft DHCP Server does not have default support for option 82, you have to enable it.

    While Cisco has DHCP relay enabled by default, option 82 is not enabled without dhcp snooping. It's a security feature for preventing dhcp interactions from 'untrusted' interfaces.

    Using Windows DHCP Server Management console (dhcpmgmt.msc) -> <DHCP Server> -> Right Click -> Set Predefined Options..., you can add option 82 as a customized option for DHCP Server.

    In order for Cisco to do the option 82 stuff, you need to enable DHCP snooping globally

    ip dhcp snooping

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdhcp82.html#wp1138479
    http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB0088R0_ODVA_DHCP_Option_82v2.pdf
    https://blogs.technet.com/teamdhcp/archive/2005/09/16/411032.aspx

    So the short answer is: enable DHCP snooping globally in the Cisco and enable option 82 support in Microsoft DHCP server.
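
    What the relay agent and the server do with the packet, as an added example (not code from the thread or from Cisco or Microsoft): a DHCPDISCOVER is built, the VLAN10 helper sets giaddr to 192.168.10.1 and, with option 82 insertion on, appends circuit-id/remote-id, the server picks a scope from giaddr (and picks the wrong one when giaddr is 0.0.0.0), and the relay strips option 82 from the offer on its way back to the client. The packet bytes, the circuit-id "Fa0/22" and remote-id "Cisco_POE" strings and the scope table are constructed.

```python
"""Model of what a Cisco ip helper-address (DHCP relay agent) does to a client's
DHCPDISCOVER and to the server's reply.  Added example, not code from the thread;
packet bytes, circuit-id/remote-id strings and the scope table are constructed,
the addresses are the thread's (VLAN10 SVI 192.168.10.1, DHCP server 192.168.1.1)."""
from __future__ import annotations

import ipaddress
import struct

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_LEN = 236                      # fixed BOOTP header; giaddr is bytes 24..27

# Constructed scope table: a DHCP server matches giaddr against its scopes' subnets.
SCOPES = [ipaddress.IPv4Network("192.168.0.0/23"),     # VLAN1  (255.255.254.0)
          ipaddress.IPv4Network("192.168.10.0/23")]    # VLAN10 (255.255.254.0)


def build_discover(xid: int, chaddr: bytes) -> bytes:
    """Constructed DHCPDISCOVER: a client always sends giaddr = 0.0.0.0."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4,          # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,          # siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])


def parse_options(pkt: bytes) -> list[tuple[int, bytes]]:
    """Decode the TLV option area that follows the magic cookie."""
    if pkt[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = [], BOOTP_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts.append((pkt[i], pkt[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def serialize(header: bytes, opts: list[tuple[int, bytes]]) -> bytes:
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def giaddr_of(pkt: bytes) -> str:
    return str(ipaddress.IPv4Address(pkt[24:28]))


def relay_to_server(pkt: bytes, svi_ip: str, circuit_id: str, remote_id: str,
                    option82: bool) -> bytes:
    """The helper on an SVI, before unicasting the request to the server: set giaddr
    to its own address (only if still 0.0.0.0, so an earlier relay's value survives),
    count the hop and, when DHCP snooping has option 82 insertion on, append the
    relay agent information option (RFC 3046) with circuit-id and remote-id."""
    header = bytearray(pkt[:BOOTP_LEN])
    header[3] += 1                                        # hops
    if giaddr_of(pkt) == "0.0.0.0":
        header[24:28] = ipaddress.IPv4Address(svi_ip).packed
    opts = parse_options(pkt)
    if option82:
        cid, rid = circuit_id.encode(), remote_id.encode()
        opts.append((OPT_RELAY_AGENT, bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
                     + bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid))
    return serialize(bytes(header), opts)


def select_scope(pkt: bytes, server_ip: str) -> str | None:
    """Server side: the scope is chosen from giaddr; with giaddr 0.0.0.0 the server
    can only assume the request came from its own subnet (VLAN1 here)."""
    giaddr = giaddr_of(pkt)
    key = ipaddress.IPv4Address(server_ip if giaddr == "0.0.0.0" else giaddr)
    return next((str(net) for net in SCOPES if key in net), None)


def build_offer(request: bytes, yiaddr: str) -> bytes:
    """Constructed DHCPOFFER: BOOTREPLY with yiaddr set, giaddr kept so the reply is
    unicast to the relay, and option 82 echoed back as RFC 3046 requires."""
    header = bytearray(request[:BOOTP_LEN])
    header[0] = 2
    header[16:20] = ipaddress.IPv4Address(yiaddr).packed
    echoed = [(c, v) for c, v in parse_options(request) if c == OPT_RELAY_AGENT]
    return serialize(bytes(header), [(OPT_MSG_TYPE, b"\x02")] + echoed)


def relay_to_client(reply: bytes, svi_ips: set[str]) -> bytes | None:
    """Reply side: only replies whose giaddr is one of this switch's SVIs are ours;
    option 82 is stripped before the offer goes out on the giaddr VLAN."""
    if giaddr_of(reply) not in svi_ips:
        return None
    opts = [(c, v) for c, v in parse_options(reply) if c != OPT_RELAY_AGENT]
    return serialize(reply[:BOOTP_LEN], opts)
```

With option82=False the relay still sets giaddr, which is what lets the server answer from the VLAN10 scope; option 82 only adds the port/switch identity the server can use for policy.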

    +
    0 Votes

    Ok

    devdevil85

    Yeah, we aren't using the 3560 for DHCP, and I don't think we enabled option 82 on the server, and I know we didn't enable DHCP snooping on the 3560 either, so....I will see if that helps/fixes the problem. If not I will be sure to get back w/ you ASAP.

    Thank you for all your help robo!

    +
    0 Votes
    devdevil85

    Option 82 is missing on the Win2003 DHCP Server

    Do you know how to manually add it? I read the link you sent me and I didn't find anything on the values needed...such as the Data Type and the Value....that I need to insert in the boxes

    Thanks!

    +
    0 Votes
    CG IT

    in Cisco devices, meaning all ports belong to VLAN 1 until you create another VLAN and assign ports to it. That's why VLAN 1 DHCP works. It will work each and every time because the default settings in IOS allow it to work. Just like dumb switches always work, a Cisco switch doesn't need an address to work when you first boot it up and load IOS.


    When you create a new VLAN, you are in essence creating a new subnet. Devices in VLAN 1 cannot talk to devices on VLAN 2 unless you have some method of routing packets between VLANs ["router on a stick" method].

    So for VLAN 10, you must tell clients on it to go to a particular place to obtain IP addresses which is enabling DHCP relay agent on VLAN 10. Then you must have a way for that traffic to get to the server. Something must "route" the packets there. VLAN 1 will not "route" packets from VLAN 10 to the DHCP server.

    ought to diagram it out to get a visual representation of how packets travel using subnets and routing, because that's really what you're doing when creating VLANs.

    +
    0 Votes
    devdevil85

    Do you see any mistakes or commands that I missed or used incorrectly that could be causing my problem?

    You said, "VLAN 1 will not "route" packets from VLAN 10 to the DHCP server." What will "route" the packets then?

    What should the Default Gateway be for devices on VLAN10? Because I have the ip helper-address on VLAN10 pointing to the DHCP server. Is this correct? Am I pointing devices to the correct gateway?

    Thanks!

    +
    0 Votes
    devdevil85

    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    1,10
    Insertion of option 82 is enabled
    Verification of hwaddr field is enabled
    Interface Trusted Rate limit (pps)
    ------------------------ ------- ----------------
    FastEthernet0/22 yes unlimited

    This is what I have. Is this correct?

    +
    0 Votes
    Dumphrey

    what to do with the VLAN info? And is the trunk set correctly between your switch and router? I saw no switchport mode trunk in your config.

    EDIT: OOPS, integrated service router/layer 3 switch... still, is there a static route between VLAN 1 and VLAN 10?
    Edit2: Saw you added RIP.

    +
    0 Votes
    devdevil85

    Well,

    VLAN1 = 192.168.1.7
    VLAN10 = 192.168.10.1

    Where would I place this static route(s)? Would I need to use the "ip route" command? I thought the L3 Interface/Port on the 3560 knew everything that was locally connected? For example, when I have something connected into the port for VLAN10, the Routing Table shows both VLAN1 & 10 directly connected.....so would I still need to issue these commands? If so, what would they look like?

    +
    0 Votes
    robo_dev

    sing DHCP Server Management console (dhcpmgmt.msc) -> <DHCP Server> ->
    Right Click -> Set Predefined Options..., you can add option 82 as a
    customized option for DHCP Server. Thereon, on the DHCP Client you can use
    DhcpRequestParams API to retrieve the options for your further use.


    "Jaycee" wrote:

    > Does anyone have instructions on how to add scope option 82 to a Windows
    > DHCP server?
    >
    > Thanks.
    >
    >
    >
    Author
    6 Oct 2005 12:19 PM
    Jaycee
    Thanks. I was missing the part of how to enter it on the DCHP server. Here
    is the configuration info:

    Name: Relay Agent Information <OPTIONAL>
    Code: 82
    Description: Custom option 82 <OPTIONAL>
    DataType: Byte
    Array: <CHECKED>

    Another post said:

    n the DHCP console expand the scope, there should be a "Scope Options"
    > icon. Right click and select Configure Options
    > The options show up in a dialog box. When you actually select an option you
    > will be able to fill in the parameters

    +
    0 Votes
    devdevil85

    Well I guess I will just have to do my best on this one and see if the values I put in are correct.

    Is this what you have on yours? I mean, so I guess Code = 82 and then DataType = Byte are the two necessary values I need to have right?

    Thanks

    +
    0 Votes
    robo_dev

    Name: Relay Agent Information <OPTIONAL>
    Code: 82
    Description: Custom option 82 <OPTIONAL>
    DataType: Byte
    Array: <CHECKED>

    +
    0 Votes

    Ok

    devdevil85

    Once I am able to get back into the server and put those values in I will be sure to let you know what happens. Thanks robo!

    +
    0 Votes
    devdevil85

    Is the value, 0x0, supposed/ok to be in the Value box? I didn't think I was supposed to insert anything in there. I'll see if it works.

    +
    0 Votes
    devdevil85

    Is there anything missing that would cause there to be a problem or issue w/ DHCP or communication between VLANs that you can see?


    User Access Verification

    Building configuration...

    Current configuration : 1675 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    ip subnet-zero
    ip routing
    !
    ip dhcp snooping vlan 1-10
    ip dhcp snooping
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    !
    !
    !
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    description port on VLAN10
    switchport access vlan 10
    switchport mode access
    ip dhcp snooping trust
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.1.7 255.255.254.0
    !
    interface Vlan10
    ip address 192.168.10.1 255.255.254.0
    ip helper-address 192.168.1.1
    !
    router rip
    version 2
    network 192.168.1.0
    network 192.168.10.0
    !
    ip classless
    ip default-network 192.168.1.0
    ip route 0.0.0.0 0.0.0.0 192.168.1.15
    ip http server
    !
    !
    control-plane
    !
    !
    !
    end

    Cisco_POE#

    +
    0 Votes
    robo_dev

    now if it does not work issue:

    debug ip dhcp server packets

    to see if dhcp requests are making it all the way to the helper address and dhcp server.

    If you set a static IP address on VLAN 10, does inter-vlan routing work properly???

    +
    0 Votes
    devdevil85

    I just added every port on the 3560 as a trusted port for snooping.

    I am now going to see if my laptop gets an address. If not then I will statically set one and see if inter-vlan routing works or not.

    Thanks robo; the movie's not over yet!

    +
    0 Votes
    devdevil85

    FYI: We changed DHCP servers and the address is now 192.168.1.225 instead of the old one.

    Ok here's the scenario:

    1) DHCP is NOT working. I debugged the switch and we watched DHCP traffic on the server and didn't see anything happening on either one.

    but

    2) I statically assigned my Laptop (connected to port #22) like you said to (192.168.10.15) and it could ping my PC (192.168.1.64), but my PC could not ping the Laptop.

    3) I kept my PC's addressing the same, but changed its gateway to VLAN1 as 192.168.1.7 (previously it was our router 192.168.1.15), and the PC can now ping the Laptop and the Laptop can ping the PC. The PC can get to the Internet (after I manually enter DNS), but the Laptop cannot (after I manually enter DNS as well). The PC (192.168.1.64) is able to ping our Router (192.168.1.15), but the Laptop (192.168.10.15) cannot. When I did a traceroute from the Laptop to 134.84.84.84 (Outside Time Server) it got to VLAN10 (192.168.10.1) and then just timed out as if it didn't know where else to go. My default route on the switch is to our Router (192.168.1.15).

    Any suggestions?

    At least inter-VLAN routing works between devices, but I don't know what to do about getting outside of the network on VLAN10 (since I can't get the Laptop to the Internet).

    Here's my config file so far:

    User Access Verification

    Building configuration...

    Current configuration : 2229 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    !
    ip subnet-zero
    ip routing
    !
    ip dhcp snooping vlan 1-10
    ip dhcp snooping
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    !
    !
    interface FastEthernet0/1
    ip dhcp snooping trust
    !
    interface FastEthernet0/2
    ip dhcp snooping trust
    !
    interface FastEthernet0/3
    ip dhcp snooping trust
    !
    interface FastEthernet0/4
    ip dhcp snooping trust
    !
    interface FastEthernet0/5
    ip dhcp snooping trust
    !
    interface FastEthernet0/6
    ip dhcp snooping trust
    !
    interface FastEthernet0/7
    ip dhcp snooping trust
    !
    interface FastEthernet0/8
    ip dhcp snooping trust
    !
    interface FastEthernet0/9
    ip dhcp snooping trust
    !
    interface FastEthernet0/10
    ip dhcp snooping trust
    !
    interface FastEthernet0/11
    ip dhcp snooping trust
    !
    interface FastEthernet0/12
    ip dhcp snooping trust
    !
    interface FastEthernet0/13
    ip dhcp snooping trust
    !
    interface FastEthernet0/14
    ip dhcp snooping trust
    !
    interface FastEthernet0/15
    ip dhcp snooping trust
    !
    interface FastEthernet0/16
    ip dhcp snooping trust
    !
    interface FastEthernet0/17
    ip dhcp snooping trust
    !
    interface FastEthernet0/18
    ip dhcp snooping trust
    !
    interface FastEthernet0/19
    ip dhcp snooping trust
    !
    interface FastEthernet0/20
    ip dhcp snooping trust
    !
    interface FastEthernet0/21
    ip dhcp snooping trust
    !
    interface FastEthernet0/22
    description port on VLAN10
    switchport access vlan 10
    switchport mode access
    ip dhcp snooping trust
    !
    interface FastEthernet0/23
    ip dhcp snooping trust
    !
    interface FastEthernet0/24
    ip dhcp snooping trust
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.1.7 255.255.254.0
    !
    interface Vlan10
    ip address 192.168.10.1 255.255.254.0
    ip helper-address 192.168.1.225
    !
    router rip
    version 2
    network 192.168.1.0
    network 192.168.10.0
    !
    ip classless
    ip default-network 192.168.1.0
    ip route 0.0.0.0 0.0.0.0 192.168.1.15
    ip http server
    !
    !
    control-plane
    !
    !
    end

    Cisco_POE#
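
The config above enables DHCP snooping and then trusts every port, which is the part a reviewer would stop at. The following Python script is an added illustration, not the poster's own tooling and not from Cisco: it parses a running-config in the plain-text format posted here and reports the snooping and relay settings that matter for this thread. DHCP snooping only filters server messages (OFFER/ACK) that arrive on untrusted ports, so trusting every switchport switches the protection off in effect; a client-facing access port should never be trusted; an SVI whose subnet does not contain the DHCP server needs an ip helper-address (and one whose subnet does contain it needs none, as robo_dev notes below); and the 255.255.254.0 mask places 192.168.1.7 in 192.168.0.0/23, which is what the later "show ip route" output reports. The embedded config is a trimmed, constructed excerpt of the one posted above; the DHCP server address 192.168.1.225 is the one given in this post.

```python
"""Audit a Cisco IOS running-config for DHCP snooping and relay pitfalls.

Added example for this thread, not the poster's tooling. Findings reported:
  ALL-PORTS-TRUSTED     snooping is on but every switchport is trusted
  ACCESS-PORT-TRUSTED   a client-facing access port is trusted
  NO-HELPER             SVI subnet lacks the DHCP server and has no helper
  HELPER-ON-LOCAL-VLAN  helper configured although the server is local
  WIDE-MASK             SVI mask shorter than /24; check scopes and routes
"""
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (three ports kept).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1-10
ip dhcp snooping
!
interface FastEthernet0/1
 ip dhcp snooping trust
!
interface FastEthernet0/22
 description port on VLAN10
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/23
 ip dhcp snooping trust
!
interface Vlan1
 ip address 192.168.1.7 255.255.254.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.254.0
 ip helper-address 192.168.1.225
!
"""


def parse_config(text):
    """Split a running-config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes an interface block
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def snooped_vlans(global_lines):
    """Expand 'ip dhcp snooping vlan 1-10,20' into a set of VLAN ids."""
    vlans = set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if m:
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def svi_address(lines):
    """(ip, network) from an 'ip address A M' line, or None."""
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            return iface.ip, iface.network
    return None


def audit(text, dhcp_server):
    """Return the list of finding strings for one config text."""
    server = ipaddress.ip_address(dhcp_server)
    global_lines, interfaces = parse_config(text)
    snooped = snooped_vlans(global_lines)
    findings = []

    ports = {n: l for n, l in interfaces.items() if not n.lower().startswith("vlan")}
    trusted = {n for n, l in ports.items() if "ip dhcp snooping trust" in l}
    if "ip dhcp snooping" in global_lines and ports and trusted == set(ports):
        findings.append("ALL-PORTS-TRUSTED")
    for name in sorted(trusted):
        vlan = next((int(l.split()[-1]) for l in ports[name]
                     if l.startswith("switchport access vlan ")), 1)
        if "switchport mode access" in ports[name] and vlan in snooped:
            findings.append(f"ACCESS-PORT-TRUSTED {name}")

    for name, lines in interfaces.items():
        if not name.lower().startswith("vlan") or svi_address(lines) is None:
            continue
        ip, net = svi_address(lines)
        has_helper = any(l.startswith("ip helper-address ") for l in lines)
        if server not in net and not has_helper:
            findings.append(f"NO-HELPER {name}")
        if server in net and has_helper:
            findings.append(f"HELPER-ON-LOCAL-VLAN {name}")
        if net.prefixlen < 24:
            findings.append(f"WIDE-MASK {name} {ip}/{net.prefixlen} lies in {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "192.168.1.225"):
        print(finding)
```

Run against the excerpt it reports ALL-PORTS-TRUSTED, the trusted access port Fa0/22, and the two /23 SVIs. The usual shape is to trust only the port facing the DHCP server (or the uplink toward it) and leave client ports untrusted; a helper address is then the only thing a client VLAN without a local server needs.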

    +
    0 Votes
    robo_dev

    The helper address on VLAN1 is not needed since the DHCP server is on the same VLAN

    should the 'network' line be?

    network 192.168.1.0
    network 192.168.10.0

    +
    0 Votes
    devdevil85

    I removed the helper address on VLAN1 and left it on VLAN10 as (ip helper-address 192.168.1.225), which is our new DHCP server address.

    I also have RIP V2 running advertising the 192.168.1.0 & 192.168.10.0 networks.

    Is there something wrong that I'm missing?

    +
    0 Votes
    CG IT

    Note: you don't mention anything about your routing tables, which is what I was trying to prod you into providing by referring to "router on a stick".

    So for routing packets between VLANs, here's the Cisco article on inter-VLAN routing.

    Network devices in different VLANs cannot communicate with one another without a router to route traffic between the VLANs. In most network environments, VLANs are associated with individual networks or subnetworks.

    For example, in an IP network, each subnetwork is mapped to an individual VLAN. In a Novell IPX network, each VLAN is mapped to an IPX network number. In an AppleTalk network, each VLAN is associated with a cable range and AppleTalk zone name.

    Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. However, when an end station in one VLAN needs to communicate with an end station in another VLAN, interVLAN communication is required. This communication is supported by interVLAN routing. You configure one or more routers to route traffic to the appropriate destination VLAN.

    Figure 3-1 shows a basic interVLAN routing topology. Switch A is in VLAN 10 and Switch B is in VLAN 20. The router has an interface in each VLAN.

    Figure 3-1 Basic InterVLAN Routing Topology


    When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to that host. Switch A forwards the packet directly to Host B, without sending it to the router.

    When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which receives the traffic on the VLAN 10 interface. The router checks the routing table, determines the correct outgoing interface, and forwards the packet out the VLAN 20 interface to Switch B. Switch B receives the packet and forwards it to Host C.

    Figure 3-2 shows another common scenario, interVLAN routing over a single trunk connection to the router. The switch has ports in multiple VLANs. InterVLAN routing is performed by a Cisco 7505 router connected to the switch through a full-duplex Fast Ethernet trunk link.

    Figure 3-2 InterVLAN Routing Over a Single Trunk Link

    your 3500 is a layer 3 switch which means it can route packets [depending upon the IOS version and feature packs you have]. So make sure your routing table has all the information to "route" packets between VLANs.

    here's a link to the article:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/hybrid/routing.html#wp13354

    +
    0 Votes
    devdevil85

    Well I am able to communicate between VLANs 1 & 10 and devices on VLAN1 can get to the net, but my device on VLAN10 cannot. I posted my configuration (so far), so if you could just take a quick look at it and see if everything looks good I would greatly appreciate it. Thanks!

    +
    0 Votes
    devdevil85

    Gateway of last resort is 192.168.1.15 to network 0.0.0.0

    S* 0.0.0.0/0 [1/0] via 192.168.1.15
    C 192.168.0.0/23 is directly connected, Vlan1
    Cisco_POE#


    I'm not seeing VLAN10. Is this a problem?

    +
    0 Votes
    CG IT

    how are packets from VLAN10 going to get to the router interface which will forward packets to the internet?

    The router already knows packets from 1 to 10 and 10 to 1 are routed on the LAN interface [intervlan routing]. Packets from 1 not destined for 1 or 10 are sent to the gateway. But the router doesn't know to send packets from 10 not destined for 1 to the gateway.

    So for VLAN 10 what's the gateway address? The next question is if clients obtain addressing and DNS server information from DHCP, how are they going to get gateway/router information? [which I believe was part of this problem as you were trying to setup clients in VLAN 10 to get addresses from a DHCP server on VLAN1].

    VLAN10 >>>>> ???? >>>> internet
    VLAN10 >>> router >>>VLAN1
    VLAN1 >>>>> router either VLAN10 or[LAN interface/gateway] >>> internet

    can't do the diagram using Cisco symbols but if you diagram out what you want to achieve, it makes figuring out what's needed easier.

    note: unlike Windows operating system, there's no Internet connection sharing in Cisco equipment. You can't tell packets to go to VLAN1 then expect VLAN1 to forward packets to the Internet. Packets have to go to a router and the router has to know what to do with the packets. The router uses the routing table to determine what to do with packets. So it needs information on what to do with packets from VLAN10.

    Should be apparent now what you need to configure.

    Note: I don't want to tell you what to do, because what if you want to create another VLAN on your switch, OR you have to add another switch and you set up VLANs on that? How do you trunk VLAN1 on switch 2 to VLAN1 on switch 1 and also provide internet access on VLAN1 switch 2 through router 1? What if you have 2 routers on the network before the internet?

    Cisco CCNA/CCNP Prep Center has a CCTV video series which I highly recommend. The instructors are CCNP or CCIE and they go through the process of VLANs and inter-connect routing.

    http://forums.cisco.com/eforum/servlet/PrepCenter?page=ccna_tv2007

    +
    0 Votes
    devdevil85

    When you refer to

    VLAN10 --> router --> VLAN1

    is "router" the routed interface/SVI on the 3560 or are you talking about our physical L3 Kentrox Router/Firewall that we have connected to it? We want to eliminate the Kentrox btw and just use the 3560 for routing traffic other than traffic meant for the internet (which I figured the 3560 would just forward to the Kentrox which it would then forward to our Nuvox Box).

    +
    0 Votes
    Dumphrey

    Turn on VLAN 10 in conf t:
    interface vlan 10
    no shutdown
    ?

    +
    0 Votes
    devdevil85

    as directly connected in the routing table if I didn't, right? Again, I'm not 100% on anything right now re: VLANs being sandboxed to only a 3560 & no external L3 Router.....

    Basically I don't see the point of a L3 Switch if you don't use it for what it was meant to be used for.....if that makes sense....I know it's something that a lot of people brag about, but if it's this hard to get things working then I have to disagree w/ them.....

    +
    0 Votes
    Dumphrey

    I prefer a layer 2 switch and a router... I know how to set that up....
    Recap:
    Vlan1 and Vlan10 both have IP addresses.
    Vlan1 (default) works fine.
    Vlan10 does not work? Works partly?
    Both VLANs are in the routing table, and are they showing when you do a show RIP? (This is now our "trunk", or more accurately, VLAN 10 is now a new interface on our router, and port 22 is its only member.) The problem is getting DHCP to VLAN10 from VLAN1. The ip helper-address command (pointing to your DHCP server) should have fixed this. Now, is there a DHCP port range for the VLAN10 subnet?
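
Dumphrey's closing question (is there a DHCP range for the VLAN10 subnet?) is exactly what the relay mechanics turn on. The following Python block is an added example, not part of any post here and not Cisco's code: it builds a DHCPDISCOVER the way the laptop broadcasts it, applies what ip helper-address on the SVI does to it (fills giaddr with the SVI address, bumps hops, unicasts it to the server), and shows the server choosing a scope by giaddr. With no scope covering 192.168.10.0/23 the relayed request matches nothing and the client never gets an OFFER, which is the VLAN10 symptom in this thread. The SVI (192.168.10.1) and server (192.168.1.225) addresses are the ones quoted above; the scope ranges, the client MAC and the transaction id are constructed.

```python
"""DHCP relay through an SVI: what ip helper-address does to a DISCOVER and
how the server picks a scope for it.

Added example for this thread, not from the posters or from Cisco. The
messages are RFC 2131 BOOTP-format frames carrying only option 53. SVI and
server addresses are the ones quoted in the thread; the scope ranges, the
client MAC and the transaction id are constructed.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPTIONS_AT = 236 + len(MAGIC_COOKIE)   # fixed header, then cookie, then options


def build_discover(chaddr, xid=0x3903F326):
    """DHCPDISCOVER as a client broadcasts it: op=1 (BOOTREQUEST), hops=0,
    giaddr=0, broadcast flag set, option 53 = 1."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def message_type(packet):
    """Return option 53 (1 = DISCOVER, 2 = OFFER) from the options field."""
    i = OPTIONS_AT
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        if code == 53:
            return packet[i + 2]
        i += 2 + length
    return None


def relay(packet, svi_address):
    """The relay-agent step on the SVI that heard the broadcast: set giaddr
    to the SVI address if it is still zero, bump hops, unicast to the helper."""
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.ip_address(svi_address).packed
    return packet[:3] + bytes([packet[3] + 1]) + packet[4:24] + giaddr + packet[28:]


def make_scopes(pairs):
    """Build {IPv4Network: first address it would offer} from ('net/len', 'ip') pairs."""
    return {ipaddress.ip_network(net): first for net, first in pairs}


def serve(packet, scopes, server_iface):
    """Server side. A relayed request is matched by giaddr; an unrelayed one
    by the subnet of the server's own receiving interface. Returns
    (network, OFFER) or (None, None) when no scope covers the request."""
    giaddr = ipaddress.ip_address(packet[24:28])
    key = giaddr if int(giaddr) else ipaddress.ip_address(server_iface)
    for net, first_free in scopes.items():
        if key in net:
            yiaddr = ipaddress.ip_address(first_free).packed
            offer = (bytes([2]) + packet[1:16] + yiaddr + packet[20:OPTIONS_AT]
                     + bytes([53, 1, 2, 255]))   # op=2 (BOOTREPLY), option 53 = OFFER
            return net, offer
    return None, None


def relay_reply(offer, svis):
    """The OFFER is unicast to giaddr; the switch delivers it on the SVI
    that owns that address. Returns the SVI name or None."""
    giaddr = ipaddress.ip_address(offer[24:28])
    return next((n for n, a in svis.items() if ipaddress.ip_address(a) == giaddr), None)


if __name__ == "__main__":
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55")
    relayed = relay(discover, "192.168.10.1")          # VLAN10 SVI with the helper
    scopes = make_scopes([("192.168.0.0/23", "192.168.1.100")])
    print("VLAN10 scope missing:", serve(relayed, scopes, "192.168.1.225")[0])
    scopes = make_scopes([("192.168.0.0/23", "192.168.1.100"),
                          ("192.168.10.0/23", "192.168.10.50")])
    net, offer = serve(relayed, scopes, "192.168.1.225")
    svis = {"Vlan1": "192.168.1.7", "Vlan10": "192.168.10.1"}
    print("with VLAN10 scope:", net, "->", ipaddress.ip_address(offer[16:20]),
          "delivered on", relay_reply(offer, svis))
```

The giaddr check is also what "debug ip dhcp server packet" on the switch and a capture on the server let you confirm: a relayed DISCOVER arriving at 192.168.1.225 with giaddr 192.168.10.1 means the helper works and the remaining question is purely the server's scope; no packet at all means the problem is before the relay.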

    +
    0 Votes
    CG IT

    whether you call it a switch or L3 it's still a router because it routes traffic.

    VLANs can't talk to each other unless a Layer 3 device is used to route traffic between them because VLANs are different subnets.

    Layer 2 devices, switches, can't route packets.

    So VLAN10 --> router --> VLAN1


    Also the layer 3 device has to know what to do with packets not destined for VLAN10 or VLAN1. That would be to send them to the gateway.


    So your 3560 has a routing table which it uses to determine what to do with packets. You need an entry in the routing table that says packets from VLAN10 not destined for VLAN1 are sent to the gateway.

    The LAN interface [routed interface] on your 3500 is the gateway out for all traffic behind it.

    +
    0 Votes

    Ok

    devdevil85

    So the "Layer 3 Device" you refer to in:

    VLAN10 >>>Layer 3 device to route to VLAN1.

    is a port on the 3560 that I have configured to be a L3 (routed) port, right?

    If so, don't I have to assign an IP address to that port and also the cmd "no switchport"? because I don't remember doing that.

    Which VLAN would I assign that port to be its GW?

    Last question: What would the route statement look like that says "packets from VLAN10 not destined for VLAN1 are sent to the gateway"? What is VLAN10's GW?

    ip route (Destination prefix) (Sub Mask) (Forwarding Router's address)

    Thanks CG

    +
    0 Votes
    CG IT

    are you using SVI on that switch port for L3 routing functions?

    How are you getting traffic from VLAN1 to your non L3 switch firewall router?

    The basics of VLANs are that you need a router to have interVLAN communications. Now, Cisco has a couple of different ways of accomplishing this. One is the "router on a stick" method where you set up an access line both VLANs use to get to the router. In your case the SVI interface. Your SVI interface allows VLANs to talk to each other.

    So here's the question, how does VLAN1 traffic get to your firewall router to have internet services? your VLAN10 must also have a route.


    The route for IP traffic from VLAN10 to the internet is what? VLAN10 to ??? to ???


    do a show IP route command and then post

    +
    0 Votes
    devdevil85

    I did configure an SVI interface, but tbh I really don't remember issuing the "no switchport" cmd along w/ an ip address. I don't ever remember pointing any devices to that IP address, but somehow when I changed the GW on my PC on VLAN1 I was able to get to communicate w/ my PC in VLAN10.

    There is only 1 switch at the moment (3560) and it is connected to a L3 Kentrox Router/Firewall (which we want to only use to get to the internet for devices connected to the switch). Essentially we want to use the "Router on a stick" configuration w/ the 3560.

    In regard to your question on how VLAN10 gets to the internet these are the step by step hops:

    PC on VLAN10 --> 3560 --> Kentrox Router/Firewall --> Nuvox Box

    That's the physical route. Now how it's supposed to work logically (and from what I know) I think it should work like this:

    PC on VLAN10 --> L2 port on 3560 --> SVI on 3560 --> Kentrox --> Nuvox Box

    Now how I am supposed to do that idk, meaning like I don't know what the GW's should be on the VLANs and also if I point devices &/or VLANs to the SVI interface.

    We actually reset the settings on the 3560 because DHCP was messed up on VLAN1, so.....I can't get you the Route information

    +
    0 Votes
    CG IT

    Think "Router on a stick"


    VLAN10 >>> router LAN interface >>> VLAN1

    where the router routes traffic from 10 to 1 and vice versa. the router LAN interface is also the gateway where the router has a LAN and WAN interface.


    commands to create an access port for VLAN10

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# interface fastethernet 5/6
    Router(config-if)# shutdown
    Router(config-if)# switchport
    Router(config-if)# switchport mode access
    Router(config-if)# switchport access vlan 10
    Router(config-if)# no shutdown
    Router(config-if)# end
    Router# exit

    verify config =


    Router# show running-config interface fastethernet 5/6
    Building configuration...
    !
    Current configuration:
    interface FastEthernet5/6
    no ip address
    switchport access vlan 10
    switchport mode access
    end
    Router# show interfaces fastethernet 5/6 switchport
    Name: Fa5/6
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Enabled
    Access Mode VLAN: 200 (VLAN0200)
    Trunking Native Mode VLAN: 1 (default)
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: ALL
    Router#


    are you tagging on the VLANs?

    and what are the static routes you created?

    +
    0 Votes
    devdevil85

    to tell the router interface that any traffic coming from VLAN10 not intended for VLAN1 to go to the Kentrox?

    VLAN1 = 192.168.1.7
    VLAN10 = 192.168.10.1
    Kentrox = 192.168.1.15

    Where does the SVI (routed port) on the 3560 play into all of this? Do I point any VLAN to this?

    +
    0 Votes
    devdevil85

    "VLAN10 >>> router LAN interface >>> VLAN1"

    Question: is the "router LAN interface" the SVI (routed port) on the 3560 or a fastethernet port on our Kentrox?


    "the router LAN interface is also the gateway where the router has a LAN and WAN interface."

    I'm confused on what device you are referring to. The only box I can think of that has a WAN connection & a LAN is our Nuvox Box. Maybe that's the Gateway that you are referring to.

    The Kentrox (which of course connects to the Nuvox and then to the 3560) sits behind it and acts as a Firewall and then the 3560 sits behind it.

    So what is the gateway supposed to be for VLAN10? I never setup a GW for it. For devices on VLAN10 I had their GW's set as VLAN10.

    +
    0 Votes
    devdevil85

    We are not tagging. The only Static routes that we had was the Gateway of Last Resort which we configured to be the Kentrox (192.168.1.15).

    So whose GW is supposed to be the Kentrox? Of course, the 3560's GW is the Kentrox, but I'm confused on what the GW's are supposed to be on VLAN1 & VLAN10. I figured if I created a L3 routed port on the 3560, something's GW would have to be set to it.

    +
    0 Votes
    CG IT

    do you use Access Ports?

    you have 1 port on VLAN10, so what does it use to get to VLAN1? You have 23 ports on VLAN1; what port do you use for access to your Kentrox router?

    If it was me, I'd create static routes all to the Kentrox router.

    +
    0 Votes
    devdevil85

    My coworker's laptop was plugged into port 22 (VLAN10) and it was configured as an access port. All other 23 ports were nonconfigured, sitting in VLAN1. I know the Kentrox connects to the 3560, so I would guess that one of the ports could have been trunked, right?

    CG, what would the route entry be for "VLAN10 traffic not destined to VLAN1 go to the Kentrox (for the internet/an outside network)"? that you said previously that you think I should enter...

    You said, "If it was me, I'd create static routes all to the Kentrix router."

    Do I create them for VLAN1 & 10?

    Thanks

    +
    0 Votes
    CG IT

    You use 802.1Q trunking to route between VLANs using "router on a stick". you need to divide the L3 device's interface into multiple addressable interfaces, 1 for each VLAN.

    here's the command for the default route:

    ip route 0.0.0.0 0.0.0.0 192.168.X.X where 192.168.X.X is the ip address of the next hop router.

    if you use ip classless, a packet with a destination on an unknown subnet or not on the directly connected subnet is sent to the default route to the next hop router. you already do ip classless [on by default]. without going through all posts, what is your 192.168.1.15 address? the L3 switch or your router?

    Given that, your L3 device needs subinterfaces with addresses for both VLANs 1 and 10. the L3 device then can route packets between VLANs. your L3 device also needs ip classless and the default route to the next hop.

    Do you need the commands for that?

    +
    0 Votes
    devdevil85

    192.168.1.15

    The 3560 is 192.168.1.7

    Hmm....so I need to use 802.1Q trunking on a Routed Port on the 3560, right?

    And then I need to divide the "Routed Port" into multiple subinterfaces, right?

    I remember how to do it on the Router itself, but as you already know we want this to be a "router on a stick" and to eliminate any Kentrox activity except for getting us to the net.

    +
    0 Votes
    CG IT

    you should be able to configure sub interfaces on the 3500 for VLANs if it's a layer 3 device [Cisco layer 3 device]

    you should also be able to configure the default route on the 3500 which says, send all traffic not destined for VLAN1 or VLAN10 hosts to the Kentrox. that's the ip classless / ip route commands

    Typically, I don't design infrastructure with a layer 3 switch doing routing functions but I'm old school where we used layer 2 devices for all switching and layer 3 for routing. I know Cisco created layer 3 switches to cut down on infrastructure hardware but.... if it was me, I'd have a 1800 in there doing routing between VLANs on the 3500 and leave the 3500 to just do switching. Waste of the 3500 capabilities but it does make configuration simpler.

    +
    0 Votes
    devdevil85

    is disappointed that we aren't utilizing the extra horsepower and really wants to see if we can get the 3560 to be used as both a L2 switch AND a layer 3 router (for the inter-vlan routing). That way if we implement this solution to other parts of the company or for other clients we will have something to go by.

    CG, what would the default route look like that says "send all traffic not destined for VLAN1 or VLAN10 hosts to the Kentrox". I'm kind of new to writing statements like that so...., but I know how to write direct statements that says specific traffic needs to go To something From something...but not as general as this....

    +
    0 Votes
    Dumphrey

    ip route 0.0.0.0 0.0.0.0 (ip address of the Kentrox interface connected to the 3560)

    The 3560 and Kentrox need to be on a separate subnet (/30) from either vlan1 or vlan10.

    to simplify, vlan1 is 192.168.1.0/24
    vlan10 is 192.168.10.0/24

    +
    0 Votes
    Dumphrey

    we have a catalyst 4008 with 3 10/100 banks and 8 fiber ports (7 unused) doing nothing but passive switching...

    +
    0 Votes
    Dumphrey

    needs to be on a separate subnet from vlan1 or vlan10; you have 2 networks on your device and you need 3: 1 for vlan1, 1 for vlan10, and 1 to connect to your router/firewall.

    +
    0 Votes
    devdevil85

    Why would I need to create a 3rd subnet? I figured that it had to be bad configuration for VLAN10 as the reason for why it can't reach the internet/receive DHCP information, and that I just need to change the GW on VLAN1 devices to the 3560 itself and not the Kentrox and that I need to create an SVI/L3 port on the 3560 and then have to point the L3 SVI port on the 3560 to the Kentrox....I feel like I just need to point the correct devices to their next respective hops w/o pointing them to devices that are 1 hop too far.....

    but I honestly am new to this just like you (read your bio), so maybe I'm totally wrong....but I just don't see why I'd need to create a 3rd sub-network.....

    +
    0 Votes
    Dumphrey

    and a "logical" or virtual interface on a router. The switchports are just that, layer 2 ports. It's the VLAN interfaces that take care of the routing. So, you have 2 VLANs on 2 subnets; they should both be able to ping back and forth if configured correctly. Now, for both to reach the internet, they need a gateway. Each host on the VLAN is going to use the VLAN address as its gateway. The VLANs, on the other hand, need an address they can use as a gateway, usually the next hop router. Now let's say the Kentrox LAN interface connected to your 3500 is in the same subnet as vlan1. Vlan10 would have no access to the internet except by going through vlan1, which does not work so well, if at all, because vlan10 now has no gateway for traffic other than for vlan1. By creating a separate subnet between the router and the Kentrox (should test this with a subinterface really, as well as create vlan20, so as to use vlan20 and vlan10 for testing and leave the current setup in place unaffected until you know it will work) you create a default network for BOTH VLANs to use. Until you do this, vlan10 will not really be able to get to vlan1 well or to the internet.

    +
    0 Votes
    devdevil85

    or do I need to leave it "open" w/o a device connected to it?

    Also, the way I understood your explanation I have written down:

    switchports = L2 ports
    ? = L3 ports/interfaces
    GW for Vlan1 Devices = 192.168.1.7 (Vlan1 Net ID)
    GW for Vlan10 Devices = 192.168.10.1 (Vlan 10 Net ID)
    GW for Vlan1 = 192.168.1.15 (Kentrox LAN intf)

    are these correct and is there anything else that I am missing/need to know?

    +
    0 Votes
    CG IT

    Router(config)#interface FastEthernet 0/0
    Router(config-if)#no ip address
    Router(config-if)#exit
    Router(config)#interface FastEthernet 0/0.1
    Router(config-subif)#encapsulation isl 1
    Router(config-subif)#ip address {VLAN1 address with mask}
    Router(config-subif)#exit
    Router(config)#interface FastEthernet 0/0.10
    Router(config-subif)#! the ISL VLAN id must match the VLAN the subinterface carries
    Router(config-subif)#encapsulation isl 10
    Router(config-subif)#ip address {VLAN10 address with mask}
    Router(config-subif)#exit


    Router(config)#ip classless
    Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.15


    RIP for dynamic routing
    Router(config)#router rip
    Router(config-router)#network {network#}

    +
    0 Votes
    devdevil85

    the Kentrox as the L3 Device to Inter-Vlan Route and not a L3 Port/SVI on the 3560, right? I mean, wouldn't I essentially be doing the same kind of thing to the L3 port on the 3560?

    For example: (ping VLAN10 from VLAN1) VLAN1 --> L3 port/SVI on 3560 --> VLAN10

    (ping yahoo.com from VLAN10) VLAN10 --> L3 port/SVI --> Kentrox --> Nuvox Box --> (Internet)

    Are these diagrams even correct in terms of how it should/could work?

    So the route entry (0.0.0.0 0.0.0.0 192.168.1.15) translates to "Any traffic not destined for a known internal network go to the Kentrox", right?

    If that's so then where does this L3 Routed Port (on the 3560) come into play? I figured the Kentrox would be the GW for the L3 Port on the 3560 (if traffic wasn't intended for known networks on the switch)....

    +
    0 Votes
    CG IT

    you're configuring your 3560 with subinterfaces so that it can "route" traffic between VLANs.

    you can create a static route from the 3560 interface to the Kentrox or you can enable RIP or IGRP on both so they can learn about each other.

    I'm not telling you use these commands and it should work. but the commands I gave you are the commands for setting up routing between VLANs using your L3 device.

    you can also use your L3 device to route traffic not destined for VLANs 1 or 10 by using the ip classless and static route OR you could just turn on RIP or IGRP and let the routers work it out.

    +
    0 Votes
    devdevil85

    but if there are L3 Interfaces/Ports on the 3560 would it then start noticing RIP advertisements?

    +
    0 Votes
    CG IT

    L2 devices are "just switches".

    the 3500 series allows a lot of flexibility depending upon what modules and IOS features you have [which I don't know what you have].

    If you're playing around with it trying to get it to work, then try making subinterfaces on it to get inter-vlan communications going, then try a static route from the 3560 interface [not sub] to your actual L3 router. see if that works.

    try a show ip protocols command and see what's up. RIP should be there if you run the router rip command and the associated directly connected network. enable RIP on your Kentrox.
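
CG IT's point that the routing table has to cover both directions, and the suggestion to run RIP on the Kentrox as well so the two learn about each other, can be checked on paper. The Python model below is an added example and not from any poster: each router is a table of (prefix, action) entries resolved by longest-prefix match, and a packet is walked from the laptop on VLAN10 to 134.84.84.84 and its reply walked back, first with a Kentrox that knows only 192.168.0.0/23 and a default route upstream (an assumption built from how the thread describes it, with the Kentrox treated as the point where Internet replies re-enter the LAN), then after the Kentrox has a route for 192.168.10.0/23 via 192.168.1.7, whether static or learned through RIP. The 3560's table is the posted "show ip route" plus the Vlan10 connected route once that SVI is up. It reproduces two observations from the thread: the reply toward VLAN10 has nowhere to go until that route exists, and the PC on VLAN1 could only reach the laptop once its gateway was moved from the Kentrox to the 3560.

```python
"""Forward and return path check for the VLAN10 -> Internet case.

Added example, not from the thread's posters. Each router is a table of
(prefix, action) entries resolved by longest-prefix match; a packet is
walked hop by hop from the laptop on VLAN10 out to an outside address and
the reply walked back in. Addresses are the ones quoted in the thread; the
Kentrox's table is an assumption (its LAN side sits in VLAN1's subnet and it
has a default route upstream), and Internet replies are taken to re-enter
the LAN at the Kentrox.
"""
import ipaddress

Net = ipaddress.ip_network
Addr = ipaddress.ip_address

# Actions: ("connected", iface) deliver locally; ("nexthop", router) hand to
# another modelled router; ("upstream", iface) hand off to the provider.
SWITCH = [  # the 3560: the posted 'show ip route' plus the Vlan10 SVI once it is up
    (Net("192.168.0.0/23"), ("connected", "Vlan1")),
    (Net("192.168.10.0/23"), ("connected", "Vlan10")),
    (Net("0.0.0.0/0"), ("nexthop", "kentrox")),      # ip route 0.0.0.0 0.0.0.0 192.168.1.15
]
KENTROX_BEFORE = [  # assumed: knows only its own LAN and the way out
    (Net("192.168.0.0/23"), ("connected", "lan")),
    (Net("0.0.0.0/0"), ("upstream", "wan")),
]
# After a static route (or a RIP-learned one) for VLAN10 pointing at 192.168.1.7:
KENTROX_AFTER = KENTROX_BEFORE + [(Net("192.168.10.0/23"), ("nexthop", "switch"))]


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, action) or None."""
    best = None
    for prefix, action in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, action)
    return best


def walk(routers, first_hop, dst, max_hops=8):
    """Follow a packet for dst starting at router first_hop. Returns a status:
    'delivered via R:I', 'upstream via R:I', 'no route at R' or 'loop'."""
    here = first_hop
    for _ in range(max_hops):
        entry = lookup(routers[here], Addr(dst))
        if entry is None:
            return f"no route at {here}"
        kind, target = entry[1]
        if kind == "connected":
            return f"delivered via {here}:{target}"
        if kind == "upstream":
            return f"upstream via {here}:{target}"
        here = target
    return "loop"


def delivered_to(routers, status, addr):
    """True when the status names a connected interface whose prefix holds addr."""
    if not status.startswith("delivered via "):
        return False
    router, iface = status[len("delivered via "):].split(":")
    return any(kind == "connected" and target == iface and Addr(addr) in prefix
               for prefix, (kind, target) in routers[router])


def round_trip(routers, src, src_gateway, dst, reply_enters_at):
    """Walk src->dst from the sender's gateway, then the reply from the router
    it re-enters the LAN at (the Kentrox for Internet replies, the target
    host's own gateway for LAN replies). reply_ok says whether it got home."""
    forward = walk(routers, src_gateway, dst)
    reply = walk(routers, reply_enters_at, src)
    return {"forward": forward, "reply": reply,
            "reply_ok": delivered_to(routers, reply, src)}


if __name__ == "__main__":
    laptop, pc, outside = "192.168.10.15", "192.168.1.64", "134.84.84.84"
    for label, kentrox in (("before", KENTROX_BEFORE), ("after", KENTROX_AFTER)):
        routers = {"switch": SWITCH, "kentrox": kentrox}
        print(label, "internet:", round_trip(routers, laptop, "switch", outside, "kentrox"))
        print(label, "pc via kentrox:", round_trip(routers, laptop, "switch", pc, "kentrox"))
```

Before the route exists, the Kentrox sends the reply for 192.168.10.15 back out its default route, which is also why the laptop's traceroute shows nothing after 192.168.10.1: the time-exceeded replies from the Kentrox onward cannot reach it either. Once the Kentrox has the 192.168.10.0/23 route, both the Internet reply and the PC's ping (even with the Kentrox as the PC's gateway) come home.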

    +
    0 Votes
    devdevil85

    you're saying.

    The IOS version we have on it is:

    12.2(20)SE4 w/ no added modules (there are 2 Gig/Ethernets)

    So on the 3560 L3 Interface, itself, you are saying to put a:

    0.0.0.0 0.0.0.0 192.168.1.15 static route on it, right?

    RIP should be running on the Kentrox. If that's true then shouldn't I receive/see a RIP route in the 3560's routing table?

    +
    0 Votes
    devdevil85

    it's configured? Basically what I mean is: Can I still plug a device into the L3 Port or do I have to leave it open and without a device plugged into it?

    +
    0 Votes
    CG IT

    has 2 fast ethernet ports

    1 you use for inter-vlan routing by creating subinterfaces? and one you use as an "uplink" to your Kentrox "router"?

    +
    0 Votes
    CG IT

    the default route is a static route when you don't let routers "discover" and exchange routing information by using RIP or IGRP

    so if your 3560 has the RIP or IGRP protocol you can turn it on, turn on RIP/IGRP at the Kentrox and let the 2 exchange routing information.

    OR you can just specify a static route if you don't want the overhead RIP/IGRP has on the network.

    +
    0 Votes
    CG IT

    router(config)#interface fastethernet 0/0
    router(config-if)#ip address {address & mask}
    router(config-if)#exit
    router(config)#interface fastethernet 0/0.1
    router(config-subif)#encapsulation dot1q 1
    router(config-subif)#ip address {address & mask}

    repeat for the VLAN10 subinterface (fastethernet 0/0.10) using encapsulation dot1q 10

    +
    0 Votes
    devdevil85

    thanks....I'll be anxiously waiting a response....

    +
    0 Votes
    devdevil85

    because the static routes are a little intimidating to me at the moment...

    but do you know if I can still plug a device into the L3 Interface/Routed Port on the 3560 after I configure it or will the device/interface get confused?

    +
    0 Votes
    CG IT

    Doesn't that thing come with Cisco Network Assistant? It should.

    Using that would really simplify your configuration process.


    another note: is all this just an academic exercise?

    +
    0 Votes
    devdevil85

    Honestly Idk if it comes w/ that or not. I will have to check into that.

    As for academic exercise: Yes & No. It's something that my boss wanted to try and implement since it IS L3-capable, why go the lazy route (yes it's easier, but he spent more money on it for this reason) and use an external router that he wants to get rid of and implement this same sort of thing in other parts of the business or w/ clients.

    I know I keep asking this, but after I configure the port on the 3560 to be Layer 3 can I still plug in a PC and use it as L2 as well? Can they both live in harmony or do I have to leave it "open" w/o a device on it?

    +
    0 Votes
    CG IT

    you have 2 SFP ports and I assumed you're using GBICs on em. you use 1 to uplink to your Kentrox router and the other one is bare?

    The switch ports are the 24 ports. Normally the uplink port goes to the router. The router interface is subed to allow inter-vlan communications which utilize the uplink port.

    +
    0 Votes
    Dumphrey

    I assume that 192.168.1.5 is the Kentrox?

    +
    0 Votes
    devdevil85

    Sorry for the confusion, but 192.168.1.15 is the Kentrox's LAN FastEthernet Interface

    +
    0 Votes
    devdevil85

    Sorry for the confusion, but we didn't buy the adapters to run Gigabit Eth or Fibre on the Switch. We're just using a FastEthernet port to connect to the Kentrox.

    Hope this helps....

    Can I plug a device into a L3 Port and get the device to work on it? or do I need to leave the L3 port open? I really need to know this...

    +
    0 Votes
    CG IT

    as your "quasi trunk" line to your Kentrox router, then I'm not sure. Never configured a switch port as an interface port with subinterfaces on a 3560.

    if you looped a switch port to use as an access port for VLANs that would be very bad.

    what about creating subinterfaces on the one switch port you use as an uplink port? you configured it with an address, then you might be able to do subinterfaces and achieve inter-vlan communications AND then the route would be the switchport interface to the Kentrox router.

    Best I can offer with what limited knowledge I have.

    Dave Davis or George Ou here are both the Cisco Gurus. Might find them and send em a PM.

    +
    0 Votes
    devdevil85

    on the 3560 Routed Port/SVI and then point their GW's to the Kentrox's LAN Interface....

    As for using the same L3 port as a L2 port that a device could connect into, I will stray away from that as what I got out of what you said, probably very bad, right?

    You said, "Never configured a switch port as an interface port with subinterfaces on a 3560."

    >My teacher said the same thing to me. That he's never done it and if he did (which he couldn't remember) he used different commands and was using a different version switch w/ a different IOS version....

    Honestly, I don't really want to repeat the scenario to those guys, but if I don't get this running I will be sure to PM them....but CG you have been a huge confidence booster and have taught me a great many things and I really want to thank you for that. With L3 becoming a big part of network infrastructures people are going to have to know how to do this sometime or another. Of course I would rather just use the Kentrox's LAN interface and trunk the switch to it and create sub-interfaces for each VLAN, but I really want to show my boss that it is possible to do this and that his investment was worthwhile....

    +
    0 Votes
    CG IT

    Well, try to create subinterfaces on your routed port. See if it works. That's all I can suggest.

    +
    0 Votes

    devdevil85

    Ok

    What would the GW be for these interfaces? The next hop? If so, that would mean the Kentrox LAN interface would need to be it, right?

    Should I do what Dumphrey said and put the switch and Kentrox LAN interface on their own subnet? I really don't see why that matters....

    +
    0 Votes
    CG IT

    the switch from the Kentrox router?

    You're creating VLANs to separate out a computer from others rather than buying a router to do it.
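Editor's note: the following is an added example, not a post from this thread and not devdevil85's or anyone else's running config. It answers the two questions left hanging above (whether a host can sit on the L3 port, and what the gateway/next hop is when the switch does the routing) by showing the layout the replies are circling around: one routed port as the transit link to the Kentrox on a subnet of its own, an SVI per VLAN as the hosts' gateway, and a default route pointing at the router. Catalyst 3560 routed ports do not take dot1q subinterfaces; where a router would use subinterfaces, the 3560 uses an SVI per VLAN. Every address, VLAN ID and interface number below is an assumption.

```cisco
! Added example (not from the thread): 3560 doing inter-VLAN routing with a
! routed transit port to the Kentrox. All addresses/VLANs/ports are assumptions.
ip routing
!
! Transit link: the 3560 and the Kentrox LAN interface share a /30 of their own.
! This port is a router interface, not a switchport, so no host plugs into it.
interface GigabitEthernet0/1
 description Transit to Kentrox LAN interface (assumed 192.168.254.1)
 no switchport
 ip address 192.168.254.2 255.255.255.252
!
! Host VLANs: each SVI address is the default gateway the DHCP server hands
! out for that subnet; ip helper-address relays DHCP broadcasts to the server.
interface Vlan10
 description Staff (assumed subnet)
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.20.10
!
interface Vlan20
 description Servers (assumed DHCP server 192.168.20.10 lives here)
 ip address 192.168.20.1 255.255.255.0
!
! The switch's own next hop is the router's end of the transit link.
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
! End hosts go on plain access ports in their VLAN, never on the routed port.
interface FastEthernet0/22
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Needed on the other side (not shown here): the Kentrox must have routes for
! 192.168.10.0/24 and 192.168.20.0/24 via 192.168.254.2, or return traffic
! from the Internet never reaches the VLANs.
```

Two checks before calling this working. First, the DHCP server receives relayed requests with giaddr set to the SVI address of the client's VLAN, so it needs a scope for that subnet (router option = that SVI), and its own default gateway must be the SVI of its VLAN so the unicast offers it sends back to 192.168.10.1 reach the switch. Second, the switch can route between VLANs and out, but nothing in this layout filters traffic; as Dumphrey notes later in the thread, if the Kentrox is removed something still has to be the firewall.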

    +
    0 Votes
    devdevil85

    in other parts of the business and possibly w/ other clients, so we are trying to get away from using the Kentrox.

    Is it possible to use this scenario:

    PC --> L3 3560 Switch --> Nuvox Box --> Internet!

    or does there have to be a Kentrox between the 3560 & Nuvox Box?

    +
    0 Votes
    Dumphrey

    all the routing, but you will need a firewall, unless your Nuvox box has one built in.

    +
    0 Votes
    anil.beharry

    Hello All,

    Reading through this thread, I have not seen a definite solution to DevDevil's issue. Was a solution eventually reached? Mind sharing it?

    My issue is a bit similar. I have a Cisco 3560 that is configured on all ports for VLAN 5 (192.168.63.x), with port 1 being a trunk port to a 3Com Layer 3 switch that interfaces to another VLAN (10.100.x.x).

    The solution was working fine, and then on Friday morning VLAN 5 users, whilst getting a 192.168.63.x IP, were unable to access resources on the 10.100.x.x network.

    No changes were made on switches or DHCP servers or anything.

    Full ping and traceroute between hosts, switches, VLANs and servers is possible, yet access to resources was nil, i.e. email, internet, applications.

    See the attached config; comments would be most welcome.

    thanks...Anil

    ***
    sh runn
    Building configuration...

    Current configuration : 2636 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch
    !
    !
    no aaa new-model
    system mtu routing 1500
    ip subnet-zero
    ip routing
    !
    !
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/2
    switchport mode access
    !
    interface FastEthernet0/3
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/4
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/5
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/6
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/7
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/8
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/9
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/10
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/11
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/12
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/13
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/14
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/15
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/16
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/17
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/18
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/19
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/20
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/21
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/22
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/23
    switchport access vlan 5
    switchport mode access
    !
    interface FastEthernet0/24
    switchport access vlan 5
    switchport mode access
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 10.100.0.45 255.255.0.0
    !
    interface Vlan5
    ip address 192.168.63.1 255.255.255.0
    ip helper-address 10.100.0.6
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.100.0.3
    ip route 10.100.0.0 255.255.0.0 10.100.5.36
    ip http server
    !
    snmp-server community sectt RW
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    !
    end

    Switch#
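Editor's note: the following is an added example, not part of Anil's post and not his running config. It does not diagnose the Friday outage (nothing in the posted config shows the cause; note only that the static `ip route 10.100.0.0 255.255.0.0 10.100.5.36` never takes effect, because the connected route for Vlan1 covers the same prefix at a lower administrative distance). What the posted config does show is a management plane worth fixing before anything else: a read-write SNMP community in clear text in a publicly posted config, the clear-text web server enabled, no `service password-encryption`, and vty lines with `login` but no password set (IOS answers remote logins with "Password required, but none set", so remote access is currently broken rather than protected). The community string, ACL number, domain name, username and password below are assumptions; SSH requires a crypto (k9) IOS image.

```cisco
! Added example (not from the thread): hardening the management plane of the
! posted 3560 config. Community string, ACL 10, domain, user and password are
! assumptions; the RW community exposed in the post should be retired anyway.
service password-encryption
!
! Replace the read-write community with a read-only one, allowed only from the
! management host (assumed to be the 10.100.0.6 server already in the config),
! and log anything else that tries.
no snmp-server community sectt RW
access-list 10 permit 10.100.0.6
access-list 10 deny any log
snmp-server community Mgmt-ReadOnly-Assumed RO 10
!
! Turn off the clear-text web server.
no ip http server
!
! Remote CLI over SSH only; the current vty lines say "login" with no password.
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret Use-A-Long-Passphrase-Here
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
!
line con 0
 exec-timeout 10 0
```

After applying this, `show snmp community` should list only the RO string with ACL 10 attached, and a Telnet attempt to 10.100.0.45 should be refused while `ssh netadmin@10.100.0.45` from 10.100.0.6 succeeds. Because the old RW string has already been published with the running config, rotate it on every device that shared it, not just this switch.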