Inter VLAN routing problem

kuzack2004 · ‎12-28-2006

Hi!

In our company we have small campus LAN cosisting of two building which are connected with one optical link. In the main building (building 1 on picture) is situated main router (Cisco 3825 for communication with branch offices), Cisco 3560 24T L3 switch and 2 stacks of 2950 switches (one with 2 and the other with 4 switches). In the second building is one stack of 2950s with 3 switches.

In the main building stacks are connected with L3 switch via uplink ports and on the L3 switch are defined two routed interfaces. Stack in building 2 is connected with gigabit optical link on L3 routed port (SX - GBIC).

Problem is that in recent reorganisation new department in building 2 is created which must be separated from the rest of the building and there is only one link between buildings. I tried to create two vlans on 2950 stack and configured uplink port as trunk port (802.1q), changed port on L3 switch from routed to trunk port (switchport mode trunk) and used same 802.1q encapsulation.

I created same two vlans on L3 switch as on 2950 stack (vlan 10 & 11), created virtual interfaces for both vlans and added ip addresses.

Problem is that SVIs (virtual interfaces) are not active until there are ports which are associated with vlans...

As far as I know trunk port can't have IP address (like on routers, where you can crete subinterface and change encapsulation to dot1q)...

Please help...

glen.grant · ‎12-28-2006

If those vlans are in a active trunk and allowed across the trunk I believe the SVI should be up/up whether or not there are any active users on the other side . What exactly is the problem though ??? I would check to make sure the trunk is working correctly . check to see if the vlans are active on both sides with the "show vlan" command . Also do a sho int trunk command to make sure both vlans are allowed across trunk unless you specifically pruned them off with the switchport trunk allowed " command all vlans are allowed . You may have to post configs for the 3560 and 2950 build. 2 switches . On the 2 connecting links try using the "switchport mode dynamic desirable" command on both sides , this will negotiate a trunk link without forcing on a trunk .

kuzack2004 · ‎12-28-2006

Problem is that show interfaces gives me that vlan interfaces are up but protocol is down and I can't even ping them from L3 switch. I have done that before but with router and that worked withoyt any problem (as I mentioned create two or more subinterfaces and than change encapsulation to dot1q). As I can see in Configuration manual for 3560 Cisco claims that 3560 doesn't support that (L3 trunking) but combination of L2 trunking and L3 VLAN interface is subtitute for above... But that is not explained anywhere...

I also found in config guide that VLAN interfaces (SVIs) are not working unless there are ports associated with them. Is that meaning that I must "spent" at least one physical port for each SVI?

Problem is that there is one link to L2 stack (or switched network) with multiple VLANs and that link MUST be trunk and how to route between them with trunk port on L3 and VLAN L3 interfaces.

fmshea · ‎12-28-2006

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12235se/scg1/3560scg.pdf

PAGE 3-10 (88 per the pdf)

It shows how to set up the SVI for the 3560.

mine:

from config t

!

interface vlan10

ip address 130.227.13.254 255.255.255.255.0

!

Ctrl+z

#wr

#show run(check out the changes)

then on the on both ends of the trunk page 12-22 (310 per the pdf) show how to configure the trunk.

mine:

config t

interface GigabitEthernet4/1

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 10,11

Ctrl+z

#wr

#show run(check out the changes)

Then pick your ports on the 2950s'

page 12-11 (299 in the same pdf)

mine:

interface FastEthernet 0/16

switchport access vlan 10

switchport mode access

!

interface FastEthernet 0/17

switchport access vlan 11

switchport mode access

!

Ctrl+z

#wr

#show run(check out the changes)

Anything else is extra!

kuzack2004 · ‎12-28-2006

That's OK with me I have done the same. Strictly by the book, but I can't ping damn SVIs from L3 switch. Interface is up but protocol is down. Do you have assigned any port on L3 switch to VLANs which are in trunk port?

Excerpt from Catalyst 3560 Switch Configuration Guide - 12.2:

Page 10.5 - note on the top of the page (Switch Virtual Interfaces):

"When you create an SVI, it does not become active until it is associated with a physical port."

Page 12-18 - note on the bottom of the page (Encapsulation Types):

"The switch does not support Layer 3 trunks; you cannot configure subinterfaces or use the encapsulation

keyword on Layer 3 interfaces. The switch does support Layer 2 trunks and Layer 3 VLAN interfaces,

which provide equivalent capabilities."

fmshea · ‎12-28-2006

I could be reading this wrong "I created same two vlans on L3 switch as on 2950 stack (vlan 10 & 11), created virtual interfaces for both vlans and added ip addresses. "

but is this what you are saying:

3560:

interface vlan 10

ip address A.B.C.D. a.b.c.d.

!

interface vlan 11

ip address A.B.C.D. a.b.c.d.

2950:

interface vlan 10

ip address A.B.C.D. a.b.c.d.

!

interface vlan 11

ip address A.B.C.D. a.b.c.d.

You don't need or want and SVI on the 2950

You only want the layer 2 entry.

when you type config t

int vlan 10 it will create the only other vlan entry you need beside assigning a switch port to a vlan.

kuzack2004 · ‎12-28-2006

Sorry my mistake, I didn't write correct. I created VLANs 10 & 11 on 3560 L3 and configured SVIs and on 2950 created only VLANs 10 & 11 not SVIs 'cause 2950 is L2 switch and doesn't support SVIs :). Between switches is one trunk link.

kuzack2004 · ‎12-28-2006

"cause 2950 is L2 switch and doesn't support SVIs :)"

P.S. Except for management purposes...

glen.grant · ‎12-28-2006

Please post the show vlans, show ip int brief, and show int trunk,show vtp status commands for both sides . Make sure the vtp domain names match on both sides and that both sides are transparent if that is the way you prefer over the client server method .

kuzack2004 · ‎12-29-2006

I am not using VTP because there is 8 non-Cisco switches connected to L3 switch in the main building (they are not shown on picture). I have manually added vlans on 3560 and 2950...

Here are outputs from:

Cisco3560#sho vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- ------------------------------

1 default active Fa0/3, Fa0/4, Fa0/6, Fa0/7

Fa0/8, Fa0/9, Fa0/10, Fa0/11

Fa0/12, Fa0/19, Fa0/20, Fa0/21

Fa0/22, Fa0/23, Fa0/24, Gi0/1

Gi0/2

10 VLAN0010 active

11 VLAN0011 active

200 VLAN0200 active Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18

. . . .

Cisco3560#sho vlan id 10

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

10 VLAN0010 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

10 enet 100010 1500 - - - - - 0 0

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

Same output is for vlan 11 (status active, no assigned ports)

And sho interfaces brief gives all interfaces up but protocol for both vlan 10 and 11 interfaces are down and I can't ping them not even from L3 switch......

But what really worries me is that:

Cisco3560#sho interfaces trunk

Cisco3560#

gives no output. Is that normal? Maybe is problem that Gi0/1 was previously configured as routed port and that configuring it as trunk port wasn't successful (sho run gives output that port is working as trunk)

It seems to me that something went wrong during changing role of Gi0/1 from routed to trunk port...

Here are excerpts from configuration of 3560:

glen.grant · ‎12-30-2006

No its not correct means the trunk is not up and active . Also why SVI's are not up , if the trunk was active the SVI would be up . Do following on both switches , encapsulation command not needed on the 2950. Verify trunk on both sides with the "show int trunk" command .

switchport (not needed on the 2950)

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

switchport mode access vlan 10

switchport trunk native vlan 10

switchport trunk allowed 10,11