Srinivas, 

As you know that 2960 is a Layer 2 switch so routing through intervlan communication would not be possible, To perform routing in such cases requires a layer 3 router like 3750 which has the capability to perform intervlan routing using the concept of "Router on a stick"  where you can configure ip to the sub interface instead of physical interface with trunking encapsulation enabled for those respective vlan's. Ensuring the port that is connected to the router on the other end is set to switchport mode trunk. 

Once done the traffic between different vlan's can pass through the single physical interface and the communication to the respective vlan's happen accordingly over the sub-interfaces which would be gateway for the hosts over the lan end. 

Hi Srinivas,

Your current setup with a cross cable connecting two ports, one in VLAN 1, the other in VLAN 2, is not a proper solution and should be corrected as soon as possible. By having these ports connected together, you have basically removed the isolation between VLAN 1 and VLAN 2 and merged them together. With such a setup, you would be better off using a single VLAN for all hosts.

I am, however, surprised that you say that this setup actually works for you. Are you perhaps using the same IP network in both VLANs? If not, is there a router that connects to both VLANs? What default gateway IP address is configured on hosts in VLAN 1 and VLAN 2? Are the hosts in VLAN 1 truly able to talk to hosts in VLAN 2, and vice versa?

Before I can provide you with an example configuration of the 2960 for basic inter-VLAN routing, I will need to know at least the addresses of IP networks used in VLAN 1 and VLAN 2, respectively. Can you please provide this info along with the answers to my questions above? Thanks!

Best regards,
Peter

Hi Peter Paluch

The following are the IP Ranges:

172.16.0.xxx,172.16.1.xxx,172.16.2.xxx----> Vlan-1(Servers and Clients)

172.16.4.xxx----> Vlan-2 (DCS Controllers)

Subnet:255.255.248.0

Default Gateway:  0.0.0.0.

No default gateway configured in Hosts(servers and clients).

If we remove the cross cable between Vlan-1 interface and Vlan-2 interface,communication between Vlan-1 and Vlan-2 is not taking place.

Have u gone through the attached config file?

Recently we have purchased 2 nos of 24 port and 1 no of 48 port CISCO Catalyst 2960 Plus series SI switches,but we could not configure the switches exactly similar to the switches which are running at present .

It is not accepting some commands like:"mls qos","policy-map",srr-queue bandwidth share" etc

I had gone through the internet but could not able to configure the switch.

Kindly suggest which model switch will suit for the attached running configuration. 

Also Kindly  let me know how the packets are routed between the Vlan-1&2 in catalyst 2960 series switch.

Hope you understand my concerns.

Thanks and Regards

B Srinivas

Hello,

The following are the IP Ranges:

172.16.0.xxx,172.16.1.xxx,172.16.2.xxx----> Vlan-1(Servers and Clients)

172.16.4.xxx----> Vlan-2 (DCS Controllers)

Subnet:255.255.248.0

Hmmm, you have a serious problem here. All these ranges belong to the same network 172.16.0.0/21 that covers the entire range of addresses starting with 172.16.0.0 and ending at 172.16.7.255, inclusive. In other words, you have used the same IP network in two different VLANs. The communication works because and only because you have cross-connected these two VLANs together (and thereby rendering the use of two separate VLANs entirely useless). There is no inter-VLAN routing involved here because the hosts in both these VLANs consider themselves to be in the same IP network and so they attempt to talk to each other directly, without a gateway inbetween.

Proper design requires a 1:1 mapping between a VLAN and the IP subnet assigned for that VLAN - each VLAN should be assigned its own unique IP subnet. Any other design (multiple IP subnets in a single VLAN; one IP subnet across multiple VLANs) is beyond normal use and has to be extremely well justified.

There is no easy solution for your current setup. As far as I can see, you have only two alternatives, each of them requiring potentially extensive configuration changes:

• If you want to keep your hosts divided in two separate VLANs and use inter-VLAN routing, you will need to reconfigure the addressing so that each VLAN uses a distinct, non-overlapping address space. This would mean reconfiguring the IP settings on all hosts in at least one of these VLANs. Inter-VLAN routing is not possible if two or more VLANs use overlapping IP spaces.
• If you cannot change the addressing plan then the only solution is to migrate all hosts to a single VLAN, ideally VLAN 2. This would mean reconfiguring your switches.

I suppose that the first question you should be asking is: "Do I need two separate VLANs?"

Under these circumstances, I am still not going to provide a configuration example for inter-VLAN routing as it is not clear whether it is going to be applicable at all. In the current situation with the same IP subnet in two VLANs, it is definitely inapplicable.

It is not accepting some commands like:"mls qos","policy-map",srr-queue bandwidth share" etc

What exact IOS version are you running on those switches please? Ideally, please post the entire output of the show version command.

Best regards,
Peter

Hi Peter Paluch

Existing switch Model and IOS Version:

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 06-Mar-08 21:11 by weiliu
Image text-base: 0x00003000, data-base: 0x01000000

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)

CS2_ES1(Y) uptime is 1 year, 28 weeks, 10 hours, 51 minutes
System returned to ROM by power-on
System image file is "flash:/c2960-lanbase-mz.122-44.SE1.bin"

cisco WS-C2960-24TC-L (PowerPC405) processor (revision E0) with 61440K/4088K bytes of memory.
Processor board ID FOC1204Z20J
Last reset from power-on
2 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:1F:6D:61:52:80
Motherboard assembly number     : 73-9832-07
Power supply part number        : 341-0097-02
Motherboard serial number       : FOC12023LN2
Power supply serial number      : AZS120219UK
Model revision number           : E0
Motherboard revision number     : A0
Model number                    : WS-C2960-24TC-L
System serial number            : FOC1204Z20J
Top Assembly Part Number        : 800-26671-03
Top Assembly Revision Number    : B0
Version ID                      : V03
CLEI Code Number                : COM3K00BRB
Hardware Board Revision Number  : 0x01


Switch Ports Model              SW Version            SW Image                 
------ ----- -----              ----------            ----------               
*    1 26    WS-C2960-24TC-L    12.2(44)SE1           C2960-LANBASE-M          

New Switch Model and IOS Version:

Switch#SHOW VERSION
Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 09-Apr-14 03:40 by prod_rel_team

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc2)

Switch uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:/c2960-lanlitek9-mz.150-2.SE6/c2960-lanlitek9-mz.150-2.SE6.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
 --More--         to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960+24TC-S (PowerPC405) processor (revision B0) with 131072K bytes of memory.
Processor board ID FOC1929W309
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 80:E8:6F:CE:FF:80
Motherboard assembly number     : 73-15624-01
Power supply part number        : 341-0097-03
Motherboard serial number       : FOC192944X2
Power supply serial number      : DCA192683BU
 --More--         Model revision number           : B0
Motherboard revision number     : B0
Model number                    : WS-C2960+24TC-S
System serial number            : FOC1929W309
Top Assembly Part Number        : 800-40265-01
Top Assembly Revision Number    : C0
Version ID                      : V01
CLEI Code Number                : CMMKY00ARA
Hardware Board Revision Number  : 0x0B


Switch Ports Model              SW Version            SW Image                 
------ ----- -----              ----------            ----------               
*    1 26    WS-C2960+24TC-S    15.0(2)SE6            C2960-LANLITEK9-M        

Kindly support  to make the new switch compatible for old switch config..

Best Regards

B Sriinivas

Hi Joe,

he's also assuming hosts are configured with a gateway IP (as they often are).  If not, host will ARP for destination IP, even when its destination IP is not on host's network.

This would be the behavior observed with Cisco Catalyst switches running with IP routing disabled. However, host operating systems appear to work differently. Even without a default gateway configured, neither Windows nor Linux operating systems are going to ARP for the destination IP address (I do not know about MacOS). This is most probably given by the fact that the network stack of these operating systems is operating as a router with a fully functional routing table, with the possibility of having multiple interfaces toward different destinations, etc. Packet routing is done in the usual manner of finding the longest prefix match in the routing table, and if no match is found, the packet is dropped. This is the case with unconfigured default gateway, as configuring the default gateway in these operating systems is equivalent to configuring a default route 0.0.0.0/0 with the default gateway as its next hop address. If no default gateway is configured, the routing table simply lacks the default route.

So I find it unlikely that without configuring the default gateway, hosts in different networks (even though on the same wire) would be able to communicate. Neither Windows nor Linux seem to resort to ProxyARP.

Best regards,
Peter

Peter, that's interesting!  So then a gateway with proxy ARP wouldn't work for a Windows or Linux host, w/o a gateway configured, as either would just drop the packet, correct?

Hi Joe,

So then a gateway with proxy ARP wouldn't work for a Windows or Linux host, w/o a gateway configured, as either would just drop the packet, correct?

Correct. Pinging a remote IP address from a Windows host produces "General failure" errors on the command line; trying to access it by the telnet command produces "Connection failed" errors. GUI-based programs produce their own set of error messages. No ARP Request for the remote IP address is ever generated.

Linux is more coherent in the error messages: Pinging, telnetting, FTP-ing, etc. into a remote IP address without a default gateway will consistently produce a "Network is unreachable" message.

In both these cases, these operating systems behave perfectly according to the logic of using a routing table: If the destination network can be found there, send the packet along the proper route, otherwise drop it.

In my opinion, the fallback to ProxyARP operation is a mechanism from times long past when the TCP/IP stack in host operating systems was fairly simplified when it came to routing operations. However, with today's operating systems that implement a fully-fledged routing table, ProxyARP does not even make sense: In case of two or more interfaces, which one should be sending out the ARP Requests?

The bottom line is: Modern host operating systems do not fall back to ARP-ing for the destination IP address if the default gateway is unconfigured. Instead, they drop the packet right away.

Best regards,
Peter

Thank you, Peter!