
Cisco 1721 w/4esw module... VLANS????

Status
Not open for further replies.

jeffk

MIS
Oct 11, 1999
14
US
Hi,

I am trying to set up 2 vlans between a 1721 router (using the 4esw 4 port switch module) and a HP 2524 switch. I am getting confused on whether or not I need trunking, spanning tree, etc. The way I have it set up now I can ping from the switch side to the router side, but not from router to switch.

Any ideas? If you need more details, it will have to wait until I can get to that site to confirm the exact setup.

Thanks,

Jeff
 
As soon as you need to carry frames from more than one VLAN across a single link you need to set up trunking. On a Cisco router you then divide the physical Ethernet interface into subinterfaces - one subinterface per VLAN, e.g.:

int fa0/0
no shut
no ip address

int fa0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0

int fa0/0.20
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0

The other solution is to do it the old-fashioned way. Since you need only two VLANs and you have a 4-port switch module, plug one router port into the first VLAN on the HP switch and the second router port into the second VLAN on the HP switch.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
OK, forgive me but I am still a little confused. I have networks A (vlan1) and B (vlan2), a 1721 router with a 4esw switch module, and an HP 2524 switch. Some people on B need full access to network A, while others need just internet. Network B is coming from a hub located in a neighboring building. Should I plug B into the switch (all of A is in switch) and then send everything to the router by making the router the default gateway of the switch? If so, do I make the internet the default gateway of the router and then add the static route commands in the router pointing back at the switch?

This sounds like it will work, correct me if I am wrong.

Thanks,

Jeff
 
If I understand right, you want to connect VLAN1 and VLAN2 this way:

1721 --- HP Switch --- Hub --- Network B (VLAN2)
            |
         Network A (VLAN1)

What you need is a trunk connection between your router and HP switch. Sample config:

Router 1721:
VLAN1 subnet is 192.168.1.0/24 with default gateway 192.168.1.1
VLAN2 subnet is 192.168.2.0/24 with default gateway 192.168.2.1
HP switch is connected to port 1/0

1721(config)# interface e1/0
1721(config-if)# no ip address
1721(config-if)# no shutdown
1721(config-if)# interface e1/0.1
1721(config-subif)# encapsulation dot1q 1
1721(config-subif)# ip address 192.168.1.1 255.255.255.0
1721(config-subif)# interface e1/0.2
1721(config-subif)# encapsulation dot1q 2
1721(config-subif)# ip address 192.168.2.1 255.255.255.0

On HP switch:
Put all ports for network A users into VLAN 1, put the port connected to the hub for users of network B into VLAN 2, and configure the port connected to the 1721 as a trunk port with the 802.1q tagging protocol.

Hope this helps:)

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
Do I assume correctly that the 1.1 gateway is the switch and the 2.1 gateway is the hub?

Thanks for your help so far,

Jeff
 
No, your assumptions about default gateways are incorrect. Default gateways are always devices with routing ability. If you look more into my sample config, you will see that both addresses, 1.1 & 2.1, are assigned to router 1721.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
Thanks for your help so far. I am trying what you said and when I put the default gateways in it says something about the next hop being the same device???
 
Another thing I am not sure about is the tagged and untagged. My e0.1 is showing "native" on the end of the encapsulation command line. Do I set my ports on the HP switch to tagged or untagged and is the "native" setting OK on the e0.1 port of the router?

Thanks again,

Jeff
 
Native means that frames on this VLAN are traversing the trunk links without being tagged. Why concern yourself with the e1 interface, why don't you create subinterfaces as I showed you? Can you configure your topology using my instructions and my example config?

And what device do you mean by
"when I put the default gateways in it says something about the next hop being the same device"
the switch or router? I haven't seen such message on Cisco routers so far, so I assume it is the HP switch, but then for routing packets from user VLANs you don't need to setup default gateways on the switch.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
Sorry for the confusion. I did set up FastEthernet 0 with subinterfaces 0.1 and 0.2 how you suggested. I get the error message when I add the routes on the router, which I assumed (again, wrong probably!!) was what was needed to do the following from your directions:

Router 1721:
VLAN1 subnet is 192.168.1.0/24 with default gateway 192.168.1.1
VLAN2 subnet is 192.168.2.0/24 with default gateway 192.168.2.1

I was trying to add the below to the router to accomplish the above:
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 192.168.2.1

So, is VLAN1 on the router subinterfaces supposed to be native and therefore all VLAN1 ports on the switch should be untagged?

VLAN2 is not native and therefore VLAN2 ports on the switch should be tagged?

The port going from the switch to the router is trunked, so it doesn't concern itself with tagged and untagged?

Thanks for your time and patience. If you were getting an hourly wage you could take a vacation after this project!!

Jeff
 
Your static routes are all wrong. You don't need to create any routes, because your subinterfaces are directly connected and therefore the router will automatically add them to its routing table. I didn't put any commands regarding route configuration, did I? If there will be any further need of configuring static routes, I would give example commands:)

The point about VLANs, I see it is now clear to you. Now that you understand, one more point - from the security standpoint, you never want user traffic to go via native VLAN, because it is untagged. And because of this fact, rather configure eg. VLAN3 instead of VLAN1 and put your original VLAN1 hosts into VLAN3.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
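
As an added example that is not part of the original thread: a small Python check for the two problems discussed above, routed user traffic on the native (untagged) VLAN and static routes whose next hop is the router's own interface address. The configuration text is constructed from the thread's description; the interface names and finding labels are assumptions.

```python
import ipaddress
import re

# Constructed input: the subinterfaces and routes as described in the thread,
# before the fixes. Interface names are assumptions, not a captured config.
SAMPLE_CONFIG = """\
interface FastEthernet0
 no ip address
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 192.168.2.1
"""

def audit(config):
    """Return (finding, subject) tuples for the two mistakes discussed above."""
    ifaces, routes, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"encapsulation dot1q (\d+)( native)?$", line, re.I)):
            cur.update(vlan=int(m.group(1)), native=bool(m.group(2)))
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route (\S+) (\S+) (\d+(?:\.\d+){3})$", line):
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                           ipaddress.ip_address(m.group(3))))
    findings = []
    # A native subinterface with an IP address carries routed user traffic untagged.
    for name, i in ifaces.items():
        if i.get("native") and "addr" in i:
            findings.append(("native-vlan-user-traffic", name))
    # A next hop must be a neighbouring device, never one of this router's own addresses.
    own = {i["addr"].ip for i in ifaces.values() if "addr" in i}
    for net, hop in routes:
        if hop in own:
            findings.append(("static-route-to-self", str(net)))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```
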
 
Yes, I am starting to understand VLANS, much too slow for your liking probably!!

What commands are necessary, and where do I put them, to do what you posted here:

Router 1721:
VLAN1 subnet is 192.168.1.0/24 with default gateway 192.168.1.1
VLAN2 subnet is 192.168.2.0/24 with default gateway 192.168.2.1

Right now, I can ping from the router to the 1 network but not the 2. Is this because the 1 network is in native mode?

I will change the VLAN1 ports to VLAN3 next time I am there. Once I do this, will I want all switch ports to be tagged??

Thanks again,

Jeff
 
Well, you might think you are slower, but the important thing is you understand them now. Also you have tons of other things to do. However, because one of my hobbies and jobs is instructor in the Cisco Networking Academy program, I am trained by my students to be as patient as possible:)

Let's go back to your problem.
VLAN3 (not VLAN1) subnet is 192.168.1.0/24 with default gateway 192.168.1.1
VLAN2 subnet is 192.168.2.0/24 with default gateway 192.168.2.1

On router 1721 go to the interface where the link connects you to the HP switch (I assume interface e1):
1721(config)# interface e1
1721(config-if)# no ip address
1721(config-if)# no shutdown
1721(config-if)# interface e1.3
1721(config-subif)# encapsulation dot1q 3
1721(config-subif)# ip address 192.168.1.1 255.255.255.0
1721(config-subif)# interface e1.2
1721(config-subif)# encapsulation dot1q 2
1721(config-subif)# ip address 192.168.2.1 255.255.255.0

Now go to the HP switch. The port connected to the router needs to be set up as a dot1q trunk, switchports for computers from subnet 192.168.1.0/24 need to be assigned to VLAN3, switchports for computers from subnet 192.168.2.0/24 need to be assigned to VLAN2.

When you do this (don't set up any static routes or dynamic routing), your network starts working.

The reason for your pings not working is the untagged frames from the native VLAN, so you are right on this one:)

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
I'm back!!!

OK, I tried what you said and still had some difficulties. I added a 3rd VLAN, and once I did this I had the trunk port on the HP switch show up so I can tag or untag it for all 3 vlans. When it was just the 2 VLANS, the trunk port wasn't showing up in the VLAN port configuration screen so I could choose tag or untag. So, do I untag on VLAN1, and tag on the other 2 VLANS for the trunk port?

Also, for all the other switch ports, do you tag for the VLAN they are on and untag for the other VLAN?

Another item. On the 1721 router the serial port goes outside to another local agency. Do I need to set up some routing for that? When I am in the router I can ping the other end of this serial port but when I am on a PC I can only hit our side of the serial port. Only VLAN3 will need to hit the serial port.

Thanks again for all your help,

Jeff
 
The question about tagging - only port that should say "Tagged" is your trunk port. I looked at the HP2524 user guide and I think you will configure the switch this way, with assumption your trunk port (the port connected to router) is port 12:

HP2524(config)# vlan 2 tagged 12
HP2524(config)# vlan 3 tagged 12

Then let's say ports 1-11 are for hosts in VLAN2, ports 13-24 are for hosts in VLAN3. Ports should be configured this way:
Port     VLAN2      VLAN3
1-11     Untagged   No*
13-24    No*        Untagged

*No means the port does not belong to that VLAN

If you can't ping from PC to other side of serial connection, you need to set up routing. The problem is that the router on the other side has no way of knowing how to return the traffic to your PC if your 1721 will not tell him. Let's say your network is like this:

Agency LAN --- e0 RTA s0 --- s0 1721 e0.2 --- VLAN2 subnet
                                     e0.3 --- VLAN3 subnet

serial link is in 192.168.15.0/24 subnet
Cisco router config will look like:

RTA(config)# router rip
RTA(config-router)# network 192.168.15.0
RTA(config-router)# network <AGENCY LAN SUBNET>

1721(config)# router rip
1721(config-router)# network 192.168.15.0
1721(config-router)# network <VLAN3 SUBNET>

When setting up the routing, the command "network" tells the router which of its directly connected networks to advertise to the other routers on which interfaces.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
OK, I haven't gotten the above to work so I am going another route (no pun intended), hopefully. I will keep all PC's on the 192.168 network along with the Win2k server. All are attached to the HP 2524 Switch. I just want to be able to get to the other agency (10.200).

I went there tonight and from the router I can ping the destination IP, which is off the Serial 0. I can also ping another address (192.9) that goes through the 10.200 when I do a trace. But, this is all with IP routing turned off. As soon as I turn IP routing on I can't hit the 192.9 address but I can the 10.200. Does this make sense?

So, if you don't mind another round of help, here goes?

a) Do I hang the router (FA0) off the switch with a 192.168 addy?

b) Does IP routing need to be turned on? If so, what do I do about the above (192.9) not working when it's turned on?

c) I have a second NIC in the server and the 4 port switch on the 1721. Can I do something using these with routing on the server?

I actually did a combination of A/B tonight and could ping my side of the serial from my network but not the other side. Does this have to do with the router rip that you mentioned in your last post?

All for now, thanks again for your help.

Jeff
 
I am sorry, but I just can't understand a word from your last post. Please define what you need to do in clear words - don't use English short words like "addy", I am not a native English speaker. A sketch or logical diagram of the network with IP addressing + subnet masks would help, but don't use shorts like 192.168, 192.9, 10.200, that is of no use for me.

For C - you have "switch"ing module, you can't route on Layer2 switch, but I still can't quite understand what you want to do... you want to have server on its own subnet or what?

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 
Sorry about the previous post and assuming you could understand my words. Let's start over.

I went back to the site today and decided to give the VLANS one more shot. All ports on my switch are set to VLAN3 (192.168.1.0) except for one which is set to VLAN2 (192.168.220.0). From the PC on VLAN2 I can ping the necessary addresses at the other agency. I can also ping the Win2k server(on VLAN3) from the VLAN2 PC.

My only problem left is I can't get out to the internet from the VLAN2 PC. The cable modem is on VLAN3. From the 1721 router I can ping the modem, just not from VLAN2 PC.

Any ideas?

Thanks again,

Jeff
 
You are saying all ports on a switch are in VLAN3 except one that is in VLAN2... however I don't see you talking about trunked port, but since you can get from VLAN2 to VLAN3 I assume you have this set up correctly. Only thing I can see the problem in is your cable modem. Is this router+cable modem? If yes, probably it has no route in its routing table to get back to your VLAN2 or there is some misconfiguration in the device config. If this will not work, to further troubleshoot I would need configs of both your cable modem and 1721 router.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.
 