Configure an IP address for that VLAN interface

tie
Level 1

Hello everyone,

I am hoping that someone can point me in the right direction. I just got my geeky hands on two 3750G switches and went, "Yuppie no more router on a stick for me, inter vlan routing here I come!!!"

I happily started to move my VLAN's off my good and trusty 2950 on to the 3750G. Now I know that the default gateway for my VLAN's are the SVI interfaces that I built on the 3750. This is where I come into the problem.

According to this URL http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

Everything is good to go up to Step 6. This is where I got stuck until I saw this note at the end....

"Note:  This step can be omitted if the  switch reaches the default router through a VLAN. In its place,  configure an IP address for that VLAN interface."

The statement of "...default router through a VLAN." is true in my case. Which brings me to my question: Can someone please give me an example of what Cisco means by this. I thought SVI was the "IP address for that VLAN interface."

One thing I should add is everything works like a champ if I go back to router on a stick, trying to get this inter vlan routing is proving to be a bit tougher.

If it helps here is my network layout, switch, and router configs.

VLAN 10 management

VLAN 70 is a /28 that is framed to me by my ISP. Port-channel1.70 has to 70.57.155.254

VLAN 192 is a /24 that is all things DHCP and WiFi

VLAN 193 is a /24 that is all things static IP's like servers, WiFi access points, basically anything that supports VLAN 192

-- Switch config --

!

version 12.2

service nagle

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

no service dhcp

!

hostname Stack

!

enable secret 5 <PASSWORD>

enable password 7 <PASSWORD>

!

no aaa new-model

switch 1 provision ws-c3750g-24t

switch 2 provision ws-c3750g-24t

system mtu routing 1500

ip subnet-zero

ip routing

no ip gratuitous-arps

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

!

interface Loopback0

ip address 10.0.1.1 255.255.255.0

!

interface Port-channel1

description To 2901

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface Port-channel2

switchport access vlan 70

switchport mode access

!

interface Port-channel3

switchport access vlan 70

switchport mode access

!

interface Port-channel4

switchport access vlan 70

switchport mode access

!

interface Port-channel5

switchport access vlan 70

switchport mode access

!

interface Port-channel6

switchport access vlan 192

switchport mode access

!

interface Port-channel7

switchport access vlan 193

switchport mode access

!

interface GigabitEthernet1/0/1

switchport access vlan 70

switchport mode access

channel-protocol lacp

channel-group 2 mode active

!

interface GigabitEthernet1/0/2

switchport access vlan 70

switchport mode access

!

interface GigabitEthernet1/0/3

switchport access vlan 70

switchport mode access

channel-protocol lacp

channel-group 4 mode active

!

interface GigabitEthernet1/0/4

switchport access vlan 70

switchport mode access

channel-protocol lacp

channel-group 5 mode active

!

interface GigabitEthernet1/0/5

no switchport

no ip address

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

!

interface GigabitEthernet1/0/12

description To 2901

switchport trunk encapsulation dot1q

switchport mode trunk

channel-group 1 mode on

!

interface GigabitEthernet1/0/13

!

interface GigabitEthernet1/0/14

switchport access vlan 192

switchport mode access

!

interface GigabitEthernet1/0/15

!

interface GigabitEthernet1/0/16

!

interface GigabitEthernet1/0/17

!

interface GigabitEthernet1/0/18

!

interface GigabitEthernet1/0/19

!

interface GigabitEthernet1/0/20

!

interface GigabitEthernet1/0/21

switchport access vlan 193

switchport mode access

!

interface GigabitEthernet1/0/22

switchport access vlan 193

switchport mode access

!

interface GigabitEthernet1/0/23

switchport access vlan 193

switchport mode access

channel-protocol lacp

channel-group 7 mode active

!

interface GigabitEthernet1/0/24

switchport access vlan 192

switchport mode access

channel-protocol lacp

channel-group 6 mode active

!

interface GigabitEthernet2/0/1

switchport access vlan 70

switchport mode access

channel-protocol lacp

channel-group 2 mode active

!

interface GigabitEthernet2/0/2

switchport access vlan 70

switchport mode access

!

interface GigabitEthernet2/0/3

switchport access vlan 70

switchport mode access

channel-protocol lacp

channel-group 4 mode active

!

interface GigabitEthernet2/0/4

switchport access vlan 70

switchport mode access

channel-protocol lacp

channel-group 5 mode active

!

interface GigabitEthernet2/0/5

!

interface GigabitEthernet2/0/6

!

interface GigabitEthernet2/0/7

!

interface GigabitEthernet2/0/8

!

interface GigabitEthernet2/0/9

!

interface GigabitEthernet2/0/10

!

interface GigabitEthernet2/0/11

!

interface GigabitEthernet2/0/12

switchport trunk encapsulation dot1q

switchport mode trunk

channel-group 1 mode on

!

interface GigabitEthernet2/0/13

!

interface GigabitEthernet2/0/14

switchport access vlan 192

switchport mode access

!

interface GigabitEthernet2/0/15

!

interface GigabitEthernet2/0/16

!

interface GigabitEthernet2/0/17

!

interface GigabitEthernet2/0/18

!

interface GigabitEthernet2/0/19

!

interface GigabitEthernet2/0/20

!

interface GigabitEthernet2/0/21

switchport access vlan 193

switchport mode access

!

interface GigabitEthernet2/0/22

switchport access vlan 193

switchport mode access

!

interface GigabitEthernet2/0/23

switchport access vlan 193

switchport mode access

channel-protocol lacp

channel-group 7 mode active

!

interface GigabitEthernet2/0/24

switchport access vlan 192

switchport mode access

channel-protocol lacp

channel-group 6 mode active

!

interface Vlan1

no ip address

shutdown

!

interface Vlan10

ip address 10.0.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface Vlan70

ip address 70.57.155.241 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface Vlan192

ip address 192.168.3.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface Vlan193

ip address 192.168.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

ip default-gateway 10.0.0.254

ip classless

no ip http server

no ip http secure-server

!

!

no cdp run

!

control-plane

!

!   

line con 0

line vty 0 4

password 7 <PASSWORD>

login

line vty 5 15

password 7 <PASSWORD>

login

!

scheduler process-watchdog reload

end

-- Router Config --

version 15.3

service nagle

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

no service dhcp

!

hostname 2901

!

boot-start-marker

boot system flash1 c2900-universalk9-mz.SPA.153-1.T.bin

boot-end-marker

!

!

enable secret 4 <PASSWORD>

enable password 7 <PASSWORD>

!

no aaa new-model

clock timezone CST -6 0

clock summer-time CST recurring

!

no ip gratuitous-arps

ip cef

!

!

!

!

!

!

ipv6 spd queue min-threshold 62

ipv6 spd queue max-threshold 63

ipv6 multicast rpf use-bgp

no ipv6 cef

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group 1

!

!

!

!

license udi pid CISCO2901/K9 sn FTX1539817B

!

!

!

!

controller VDSL 0/0/0

!

csdb tcp synwait-time 30

csdb tcp idle-time 3600

csdb tcp finwait-time 5

csdb tcp reassembly max-memory 1024

csdb tcp reassembly max-queue-length 16

csdb udp idle-time 30

csdb icmp idle-time 10

csdb session max-session 65535

!

!

!

!

interface Loopback0

ip address 10.0.1.254 255.255.255.0

!

interface Null0

no ip unreachables

!

interface Port-channel1

ip address 172.31.1.254 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip tcp adjust-mss 1452

hold-queue 150 in

!

interface Port-channel1.10

encapsulation dot1Q 10 native

ip address 10.0.0.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface Port-channel1.70

encapsulation dot1Q 70

ip address 70.57.155.254 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip tcp adjust-mss 1452

!

interface Port-channel1.192

encapsulation dot1Q 192

ip address 192.168.3.254 255.255.255.0

ip helper-address 192.168.5.5

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Port-channel1.193

encapsulation dot1Q 193

ip address 192.168.5.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip tcp adjust-mss 1452

duplex auto

speed auto

channel-group 1

no cdp enable

no mop enabled

!

interface GigabitEthernet0/1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip tcp adjust-mss 1452

duplex auto

speed auto

channel-group 1

no cdp enable

no mop enabled

!

interface ATM0/0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

load-interval 30

shutdown

no atm ilmi-keepalive

ntp disable

no snmp trap link-status

hold-queue 224 in

!

interface Ethernet0/0/0

no ip address

!

interface Ethernet0/0/0.201

encapsulation dot1Q 201

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface Dialer0

mtu 1492

ip unnumbered Port-channel1.70

ip access-group from_internet in

ip access-group to_internet out

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ntp disable

no snmp trap link-status

ppp authentication chap pap callin

ppp chap hostname <USERNAME>

ppp chap password 7 <PASSWORD>

ppp pap sent-username <USERNAME> password 7 <PASSWORD>

ppp ipcp route default

no cdp enable

!

no ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list NAT interface Port-channel1.70 overload

!

ip access-list extended NAT

permit ip 192.168.3.0 0.0.0.255 any

permit ip 192.168.5.0 0.0.0.255 any

deny   ip any any

ip access-list extended from_internet

evaluate reflexive-temporary-list

deny   tcp any any fragments

deny   udp any any fragments

deny   icmp any any fragments

deny   ip any any fragments

deny   udp any any eq netbios-ns

deny   udp any any eq netbios-dgm

deny   udp any any eq netbios-ss

deny   ip 0.0.0.0 0.255.255.255 any

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 127.0.0.0 0.255.255.255 any

deny   ip 169.254.0.0 0.0.255.255 any

deny   ip 172.16.0.0 0.15.255.255 any

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 224.0.0.0 15.255.255.255 any

deny   ip any 0.0.0.0 0.255.255.255

deny   ip any 10.0.0.0 0.255.255.255

deny   ip any 127.0.0.0 0.255.255.255

deny   ip any 169.254.0.0 0.0.255.255

deny   ip any 172.16.0.0 0.15.255.255

deny   ip any 192.168.0.0 0.0.255.255

deny   ip any 224.0.0.0 15.255.255.255

deny   ip host 0.0.0.0 any

permit tcp any host 70.57.155.242 eq 22

permit udp any host 70.57.155.242 eq domain

permit udp any host 70.57.155.242 eq ntp

permit tcp any host 70.57.155.242 eq smtp

permit tcp any host 70.57.155.242 eq 3128

permit tcp any host 70.57.155.234 gt 1024

permit udp any host 70.57.155.234 gt 1024

permit tcp any host 70.57.155.245 eq www

permit tcp any host 70.57.155.245 eq 443

permit udp any host 70.57.155.243 eq domain

permit udp any host 70.57.155.243 eq ntp

permit tcp any host 70.57.155.243 eq www

permit tcp any host 70.57.155.243 eq smtp

permit tcp any host 70.57.155.243 eq 995

permit tcp any host 70.57.155.243 eq 443

permit tcp any host 70.57.155.243 eq 7071

permit tcp any host 70.57.155.243 eq pop3

permit tcp any host 70.57.155.243 eq 143

permit tcp any host 70.57.155.243 eq 465

permit tcp any host 70.57.155.243 eq 993

permit icmp any any administratively-prohibited

permit icmp any any echo-reply

permit icmp any any echo

permit icmp any any packet-too-big

permit icmp any any time-exceeded

permit icmp any any traceroute

permit icmp any any unreachable

deny   ip any any

ip access-list extended to_internet

deny   udp any any eq netbios-ns

deny   udp any any eq netbios-dgm

deny   udp any any eq netbios-ss

deny   ip 0.0.0.0 0.255.255.255 any

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 127.0.0.0 0.255.255.255 any

deny   ip 169.254.0.0 0.0.255.255 any

deny   ip 172.16.0.0 0.15.255.255 any

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 224.0.0.0 15.255.255.255 any

deny   ip any 0.0.0.0 0.255.255.255

deny   ip any 10.0.0.0 0.255.255.255

deny   ip any 127.0.0.0 0.255.255.255

deny   ip any 169.254.0.0 0.0.255.255

deny   ip any 172.16.0.0 0.15.255.255

deny   ip any 192.168.0.0 0.0.255.255

deny   ip any 224.0.0.0 15.255.255.255

permit ip 70.57.155.240 0.0.0.15 any reflect reflexive-temporary-list timeout 300

deny   ip any any

!

dialer-list 1 protocol ip permit

no cdp run

!

!

access-list 1 permit any

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

password 7 <PASSWORD>

login

transport input all

!

scheduler allocate 20000 1000

ntp server 70.57.xxx.yyy

ntp server 70.57.xxx,yyy

!

end

5 Replies 5

John Blakley
VIP Alumni

I believe what they're stating is that you don't need to configure a L3 interface if you're going to be using a L3 svi in its place. In other words, if your router had an address of 192.168.1.1/30 and it was connected to port 1 on the switch, you could configure port 1 on the switch like:

int fa0/1
 no switchport
 ip address 192.168.1.2 255.255.255.252

That would be sufficient to get routing working between the switch and router. But since you're using L3 svi's, you can skip that step.

A L3 svi is the:

int vlan10
 ip address 10.10.10.1 255.255.255.0

The gateway for the host would be vlan 10's IP. If your router was also in vlan 10, then your default route would point to the router's interface that connects to the switch.

HTH,
John

*** Please rate all useful posts ***


glen.grant
VIP Alumni

What's not working, unclear from your posting.

I agree with John that the assumption in the article is that the connection from switch to router was in a subnet that was different from any of the VLANs on the switch. So they did no switchport and treated the switch interface as a layer 3 interface. In the case of the original poster the VLANs on the switch do have corresponding subnets on the router. And so there is no need to configure no switchport.

One thing I notice is that the original poster did not do step 7 in the article which is to configure a default route. If you are going to do the routing on the switch then a default route is important.

It is not clear in the original post whether the end stations are being configured to have their default gateway point to an address on the switch (which is step 8 in the article) or whether the end stations still have their default gateway pointing to the router. If the end stations do have their default gateway pointing to the switch then the default route is important and inter vlan routing is really being done. If the end stations still point to the router as their default gateway then the default route on the switch is not important - and inter vlan routing is really not being done on the switch.

HTH

Rick


tie
Level 1

Thanks everyone.

But in the end I gave up, for now.

Mr. Blakley, thank you sir. Your post was very helpful, however I don't think I have all the hardware I need to make this happen. I clearly don't have the "know how".  Time to order a book me thinks.

glen.grant, my fault, sorry if I was not clear. It was a question of understanding and looking for an example of the "NOTE: ...." in step 6 in the URL in my first post. Not a matter of what is not working. Mr. Blakley's example helped in that regard.

Mr. Burts, you are right. I never did make it to step 7, as step 6 was talking about "configure an IP address for that VLAN interface", that is what I could not get my head around.

Let me explain (or try to) what is/was going on in my old man head.

History:

I have 3 VLANs, and 1 Management VLAN. My ISP "upgraded" the area I live in from ADSL to VDSL. This obsoleted my Cisco 2811. So I jumped to a Cisco 2901. I also chose to upgrade my 2950 switch to two 3750G's with Stackwise and build LACP port-channels into each server, one server NIC in to one switch, the other server NIC in to the second switch.

Problem:

In the "old" setup the Cisco 2811 was trunked to a 2950, router on a stick. Now I know that SVI interfaces become the new default gateway for any device that is assigned to that VLAN via switchport access vlan . Easy and it worked great. If I was on a host in any VLAN, and ping'ed, SSH, https, whatever to a host in the other two all worked great. This is where things fell apart, the problem was getting traffic to and from the 3750G stack to the 2901 and keeping their VLAN IDs (I hope I said that right) as the router is the default gateway to the internet for all three VLANs.

VLAN 70 is /28 of internet routed IP.

VLAN192 and VLAN193 are both nat'ed.

It was at that point I found in the URL above

"Note: This step can be omitted if the switch reaches the default router through a VLAN." I thought Hey that's me, I think....Ok how do I do it? No example of this is listed. I will ask.

Things that I have tried:

Static routes on the 3750 based on what Mr. Blakley said, if I understood it.

On the 3750G (Yes, ip routing is on)

!
ip route 70.57.155.240 255.255.255.240 70.57.155.254
ip route 192.168.3.0 255.255.255.0 192.168.3.254
ip route 192.168.5.0 255.255.255.0 192.168.5.254
!

Where all of the .254 addresses are IP addresses on the Cisco 2901 however they are dot1q encapsulated.

No go...

OSPF/EIGRP (Both router and switch)

!
router 111
  network 70.57.155.240 255.255.255.240 area 0
  network 192.168.0.0 255.255.0.0 area 0
!

No dice. And it was right over my head. Learned a good amount but did not help.

Oddly in a last act of desperation...this kinda worked...

!
ip route 0.0.0.0 0.0.0.0 70.57.155.254
ip route 0.0.0.0 0.0.0.0 192.168.3.254
ip route 0.0.0.0 0.0.0.0 192.168.5.254
!

The problem with it was it was unreliable and painfully slow. To be point blank I don't think it was working right.

So as Mom and Dad always put it "If it ain't broke don't fix it". Router on a stick it is. Yeah, I never listened to Mom and Dad aways. 

As I attempted to explain in my previous post, the major issue in your config of the 3750 was the lack of default route for the switch.  As long as the end stations continue to have their default gateway using the addresses on the router then the network worked. And your 3750 would operate mostly as a layer 2 switch. You may have deployed a layer 3 switch (and enabled routing on it) but it was operating mostly as a layer 2 switch and forwarding traffic to the router for routing.

If you really want to get into inter vlan routing then the hosts on the vlans need to have their default gateway as addresses on the 3750. And if you are going to do this then I would suggest that you change the connectivity between the 3750 and the router from a trunk (where the vlans have subinterfaces on the router that are dot1q encapsulated) to a routed subnet. And the 3750 must have a default route pointing to the router.

HTH

Rick
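
Added example (not part of the thread and not Cisco's tooling): a small Python audit of the routing-relevant lines from the posted 3750G config and the two static-route attempts, showing why each behaves as the replies describe. The config lines are copied from the posts above; the function names and finding codes are made up for illustration, and on IOS `ip default-gateway` is only consulted when `ip routing` is disabled.

```python
import ipaddress
import re

# Routing-relevant lines copied from the 3750G config posted in the thread.
POSTED = """\
ip routing
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
interface Vlan70
 ip address 70.57.155.241 255.255.255.240
interface Vlan192
 ip address 192.168.3.1 255.255.255.0
interface Vlan193
 ip address 192.168.5.1 255.255.255.0
ip default-gateway 10.0.0.254
"""
# The two static-route attempts described later in the thread.
SUBNET_ROUTES = """\
ip route 70.57.155.240 255.255.255.240 70.57.155.254
ip route 192.168.3.0 255.255.255.0 192.168.3.254
ip route 192.168.5.0 255.255.255.0 192.168.5.254
"""
THREE_DEFAULTS = """\
ip route 0.0.0.0 0.0.0.0 70.57.155.254
ip route 0.0.0.0 0.0.0.0 192.168.3.254
ip route 0.0.0.0 0.0.0.0 192.168.5.254
"""

def parse(config):
    """Extract ip routing state, interface subnets, default-gateway and static routes."""
    facts = {"ip_routing": False, "default_gateway": None, "connected": [], "static": []}
    for line in map(str.strip, config.splitlines()):
        if line == "ip routing":
            facts["ip_routing"] = True
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            facts["connected"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.fullmatch(r"ip default-gateway (\S+)", line):
            facts["default_gateway"] = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\d+(?:\.\d+){3})", line):
            facts["static"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_address(m[3])))
    return facts

def audit(config):
    """Return (code, detail) findings about how the switch routes off-net traffic."""
    f = parse(config)
    findings = []
    defaults = [nh for net, nh in f["static"] if net.prefixlen == 0]
    if f["ip_routing"] and not defaults:
        gw = f["default_gateway"]
        note = f"; ip default-gateway {gw} is only used when ip routing is off" if gw else ""
        findings.append(("NO_DEFAULT_ROUTE", "ip routing is on with no 0.0.0.0/0 route" + note))
    if len(defaults) > 1:
        findings.append(("MULTIPLE_DEFAULTS", "load-shared across " + ", ".join(map(str, defaults))))
    for net, nh in f["static"]:
        if net in f["connected"]:  # connected route (distance 0) beats the static (distance 1)
            findings.append(("SHADOWED_BY_CONNECTED", f"{net} via {nh} is never installed"))
    for nh in defaults:
        if not any(nh in net for net in f["connected"]):
            findings.append(("NEXT_HOP_UNREACHABLE", f"{nh} is not on any connected subnet"))
    return findings

if __name__ == "__main__":
    for extra in ("", SUBNET_ROUTES, THREE_DEFAULTS):
        print(audit(POSTED + extra))
```

The audit only models the switch's own routing table; it does not check that the router applies NAT or has return routes for whichever next hop is chosen.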
