VLANs on Cisco switches

dajohnso
Level 1

Maybe this is a silly question, but I want to verify before I make any changes. I have several VLANs configured in a domain on a bunch of 2960 switches. We had a device that was routing between a few VLANs that is no longer operational. I am introducing a 4948 configured with the VLANs that need to route between. I believe the core switch has 3 VLANs configured with IP addresses as follows:

 

int Vlan2
 ip address 10.1.2.1 255.255.255.0
int Vlan3
 ip address 10.1.3.1 255.255.255.0
int Vlan4
 ip address 10.1.4.1 255.255.255.0

 

I suspect this is only on the core switch? I added the 4948 configured with the same IPs and added the "ip routing" command. I tested locally, standalone, that I can route between all the VLANs without issue. I don't control the 2960 switches, but they did configure VLAN 2, 3, and 4 on a few ports so I could plug my switch in and route for them (yes, I know a trunk is better, but they wanted it this way). Here are my questions:

 

1) They suggested they would just shut down their vlan 2, 3, and 4 interface with int vlan and shut commands for each vlan. If they do that will those vlans still route packets over the vlans on their switches to get to my 4948 switch for routing? Does a vlan that was admin down still pass packets?

2) Can only one interface in a VLAN have an IP address on it (i.e. the domain master, and all others just have int vlan without an ip address command)?

3) If I am not a member of the domain, and I create my own domain and VLAN list, but we both configure our ports for the respective subnets on a VLAN and connect them together, they should pass traffic between them, right? I did disable CDP on these ports hoping they wouldn't report VLAN IDs (VLAN mismatch issues?).

 

Thoughts?

 

Accepted Solution

Glad that you have found a solution that should work. Sorry that you did not understand the suggested answers to your questions. Your questions do deal with important concepts and I would like to propose some different answers in hope that you might understand them better.

1)  "Does a vlan that was admin down still pass packets?"

I believe that first we need to clarify the relationship (and the differences) between a vlan and a vlan interface. A vlan is a layer 2 entity which comprises a broadcast domain. Any device in a particular vlan should be able to arp for another device in that vlan, receive a response, and the 2 devices can communicate. Forwarding within the vlan is based on mac address. A vlan interface is a layer 3 entity. As a layer 3 entity it can have an IP address and can forward traffic based on IP address rather than based on mac address. 

If we understand that point then we can understand that while it is possible to shut down a vlan interface it is not possible to shut down a vlan.

So if they shut down the vlan interfaces on their switches they will not do any layer 3 forwarding, but they will still be doing layer 2 forwarding. The layer 2 forwarding from their switches would still forward traffic to your 4948 and it would be able to do IP forwarding for the entire vlan (no matter whether the other switch vlan interfaces are shut or not).

I would also make the point that generally there is a one to one relationship between a vlan and a subnet. A vlan generally contains a single subnet. And a single subnet should belong in only one vlan.

2) "can only one interface in a vlan have an ip address on it?"

I would start by emphasizing the difference between layer 2 interfaces (switch ports that are members of the vlan and do not have IP addresses) and layer 3 interfaces (the vlan interface for the vlan, which does have an IP address). If you want to be able to route for the subnet associated with the vlan there must be at least one layer 3 vlan interface for the vlan with an IP address that belongs to that subnet. If a vlan is present on several switches it is quite possible that multiple switches might each have a vlan interface in that vlan. That would enable multiple switches to do routing for the subnet in that vlan. (Whether that is a good thing or not depends on the architecture of a particular network.)

3) "if I am not a member of the domain, and I create my own domain and vlan list"

I agree with Jon that the context of this question is not clear. When you talk about domain are you talking about VTP domain, or some other type of domain (Administrative Domain, or some type of routing domain, or policy enforcement domain). I would think that the answer would be that your new 4948 should have the same domain membership as the device did that you are replacing.

 

I would make another point, which is that if your 4948 is to do routing for the subnets in those vlans then the hosts connected in those vlans/subnets need to have their default gateway be the IP address of the vlan interface of your 4948. We do not know anything about the device that was doing routing but is no longer operational. If you configure the vlan interfaces of the new 4948 with the same IP addresses that were used on the old device then I would expect routing to work. If you use addresses on the 4948 different from the old device then routing for those vlans would not work until they make changes on the hosts in those vlans.

HTH

Rick


7 Replies

balaji.bandi
Hall of Fame
1) They suggested they would just shut down their vlan 2, 3, and 4 interface with int vlan and shut commands for each vlan. If they do that will those vlans still route packets over the vlans on their switches to get to my 4948 switch for routing? Does a vlan that was admin down still pass packets?

Are you using the same IP addresses as the other device, or are these new IP addresses?

My guess is that you have an OLD switch which is connected to the Cat 2900 switch, and your OLD switch is connected to the new Cat4K trunk with the VLANs allowed.

 

There is no conflict of VLAN IP addresses, and if the end devices point to the same VLAN IP address as their gateway it should work as expected.

 

To confirm all is in a good state, make a small network diagram for reference; it will clear up all the doubts you have. Share it here so we can look for any other concerns.

 

Does this make sense?

BB


Jon Marshall
Hall of Fame

 

1) if a switch does not have a L3 interface for a vlan then it does not route traffic for that vlan but that does not mean traffic in those vlans cannot be sent to your 4948 as long as there is a L2 path for the vlans between the switches and your 4948 (access ports or trunks). 

 

2) No. You can have multiple interfaces in a vlan on different switches, each with an IP from the subnet assigned to that vlan, but what you don't usually do is have every switch with an IP for client vlans, only the switch(es) that are responsible for routing between vlans.

 

Note every switch will usually have at least one interface with an IP but for most switches this is used for management and not to pass client traffic. 

 

3) Do you mean VTP domain ? 

 

Jon

dajohnso
Level 1

I couldn't understand either of these answers, but good news: I found a device on the network that was a layer 3 switch, so I am adding IP routing to that switch. It already has all the VLANs, so everything should work.

balaji.bandi
Hall of Fame

Glad you were able to find your own solution; let us know if any assistance is required.

BB


This answer is much clearer. I was mostly having a problem following the gist of the previous answer, since the English was difficult to decipher and IMO could be interpreted in several ways, and I was already a little confused. I have been working with Cisco equipment since it was 2 cards in a PC, long before it was rack-mounted switch equipment with dedicated processors, but I was having a mental block on the VLAN the other day. My specific question was, if you do a

int vlan4
 shut

would that stop the rest of the physical interfaces from passing traffic? I see the answer is no, but it will stop the "ip routing" from routing between the VLANs. That was my real question. The other question was, to be more clear, can I have

int vlan4
 ip address 192.168.1.1 255.255.255.0

on more than one switch? If several switches are trunked together, what happens if you add that to several switches? The other question on domain was VTP domain. If a dozen switches have VTP domain X but no routing, and I add a new switch with VTP domain Y, the same list of VLANs and IPs as X, and I have port gi/1 on both switches configured as a trunk, do the VLANs clash, or will it correctly route traffic for the VLAN? I don't do as many configurations as I used to and I think I am starting to forget stuff.

I certainly sympathize about getting older and forgetting things that I used to know well. I am glad that we were able to help you with your questions. I have a few more comments:

 

About vtp domain - I believe that there can be problems when switches attempt to communicate but are in different vtp domains. I am not clear what the impact would be in your particular situation. The best thing is to be sure that your new switch does use the same domain name as the other switches.

 

About multiple switches having vlan interfaces for the same vlan. You certainly can configure interface vlan 4 with an IP address on multiple switches. You would want a unique IP address on each switch. Having more than one switch with a vlan interface and IP address for a vlan can provide some redundancy and protect you from having a problem if the switch with the vlan interface and IP address that is routing for the vlan develops an issue. If more than one switch will have a vlan interface and IP address for a vlan then you probably would want to run HSRP on those interfaces to make the redundancy more effective.

 

To emphasize the point about shut on a vlan interface - this will impact layer 3 processing for that vlan interface. It has no impact at all on the layer 2 forwarding that the switch is doing for that vlan.

 

Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
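The two points Rick makes in this thread (a shut SVI stops layer 3 for that vlan but leaves layer 2 forwarding alone; several switches may each have an SVI in one vlan, but with unique addresses, ideally under HSRP) can be checked mechanically from running-configs. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads IOS-style configs and reports, per switch, which VLANs it carries at layer 2 (access or trunk ports) versus which it actually routes (ip routing enabled, SVI with an address and not shut), and, across switches, whether two SVIs in one VLAN share an address or a VLAN is routed by several switches with no common HSRP virtual IP. The three configs are constructed for the example (the hostnames c4948, sw3750 and sw2960-a, the 10.1.x.0/24 addresses taken from the original post, and the HSRP group are all assumptions), and the parser understands only the handful of IOS commands they contain.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample running-configs (assumptions for this example, not from the thread).
CONFIGS = {
    "c4948": """
ip routing
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 2-4
interface Vlan2
 ip address 10.1.2.2 255.255.255.0
 standby 1 ip 10.1.2.1
interface Vlan3
 ip address 10.1.3.1 255.255.255.0
interface Vlan4
 ip address 10.1.4.1 255.255.255.0
""",
    "sw3750": """
ip routing
interface Vlan2
 ip address 10.1.2.3 255.255.255.0
 standby 1 ip 10.1.2.1
interface Vlan3
 ip address 10.1.3.3 255.255.255.0
interface Vlan4
 ip address 10.1.4.1 255.255.255.0
""",
    "sw2960-a": """
no ip routing
interface GigabitEthernet0/1
 switchport access vlan 4
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 2-4
interface Vlan4
 ip address 10.1.4.2 255.255.255.0
 shutdown
""",
}


def expand_vlan_list(spec):
    """Expand an IOS allowed-vlan list such as '2-4,10' into sorted VLAN IDs."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vids)


def vlan_report(text):
    """Per VLAN: L2 ports carrying it, SVI address/admin state/HSRP VIP, and whether this
    switch routes for it. A shut SVI changes only 'routes'; 'l2_ports' is untouched."""
    ip_routing = re.search(r"^ip routing\s*$", text, re.M) is not None   # 'no ip routing' does not match
    report = defaultdict(lambda: {"l2_ports": [], "svi_ip": None, "svi_shut": False, "hsrp_vip": None, "routes": False})
    # Each 'interface X' line followed by its indented sub-commands.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", text, re.M):
        name, lines = m.group(1), [l.strip() for l in m.group(2).splitlines()]
        svi = re.fullmatch(r"[Vv]lan(\d+)", name)
        if svi:                                   # layer 3 vlan interface
            e = report[int(svi.group(1))]
            for l in lines:
                if l.startswith("ip address "):
                    e["svi_ip"] = ipaddress.ip_interface("/".join(l.split()[2:4]))
                elif l == "shutdown":
                    e["svi_shut"] = True
                elif re.fullmatch(r"standby \d+ ip \S+", l):
                    e["hsrp_vip"] = l.split()[3]
            continue
        trunk = "switchport mode trunk" in lines  # layer 2 port: access vlan or trunk allowed list
        for l in lines:
            acc = re.fullmatch(r"switchport access vlan (\d+)", l)
            allowed = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", l)
            if acc and not trunk:
                report[int(acc.group(1))]["l2_ports"].append(name)
            elif allowed and trunk:
                for vid in expand_vlan_list(allowed.group(1)):
                    report[vid]["l2_ports"].append(name)
    for e in report.values():
        e["routes"] = ip_routing and e["svi_ip"] is not None and not e["svi_shut"]
    return dict(report)


def gateway_conflicts(configs):
    """Across switches: one SVI address on two switches in the same VLAN (a real conflict),
    and a VLAN routed by more than one switch without a shared HSRP virtual IP."""
    by_vlan = defaultdict(list)
    for sw, text in configs.items():
        for vid, e in vlan_report(text).items():
            if e["svi_ip"] is not None:
                by_vlan[vid].append((sw, e))
    findings = []
    for vid, entries in sorted(by_vlan.items()):
        owners = defaultdict(list)
        for sw, e in entries:
            owners[str(e["svi_ip"].ip)].append(sw)
        findings += [f"vlan {vid}: {ip} configured on {', '.join(s)} (duplicate)"
                     for ip, s in owners.items() if len(s) > 1]
        routers = [(sw, e) for sw, e in entries if e["routes"]]
        if len(routers) > 1 and not all(e["hsrp_vip"] for _, e in routers):
            findings.append(f"vlan {vid}: routed by {', '.join(s for s, _ in routers)} without HSRP")
    return findings


if __name__ == "__main__":
    for sw, text in CONFIGS.items():
        for vid, e in sorted(vlan_report(text).items()):
            print(f"{sw:9} vlan {vid}: ports={e['l2_ports']} svi={e['svi_ip']} shut={e['svi_shut']} routes={e['routes']}")
    print(*gateway_conflicts(CONFIGS), sep="\n")
```

In the sample, sw2960-a's shut Vlan4 still leaves GigabitEthernet0/1 and 0/2 carrying VLAN 4 at layer 2, which is the answer to the original question 1; the duplicate 10.1.4.1 on c4948 and sw3750 is the case Rick warns against, since hosts will resolve their gateway to whichever switch answered ARP last; and VLAN 2, where both routing switches share the HSRP virtual IP 10.1.2.1, passes. The 'routes' column is also the one to audit for segmentation: any switch with ip routing and an up SVI in a VLAN is a path between that VLAN and every other VLAN it has an SVI in, whether or not it was meant to be the gateway.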