12-26-2007 11:20 PM - edited 03-05-2019 08:10 PM
hello
suppose:
- I'm using L3 switches (such as 3560) as an access switch, and I need to use only L2 features, so I consider it an L2 switch.
- my management vlan is not vlan1 but vlan50 for example
- uplinks to distribution layer are configured as 802.1q trunks.
what should i do for vlan1? put it in shutdown mode and give IP to vlan 50?
is there any command to change management vlan?
12-26-2007 11:41 PM
yes - here is an example from my Lab on a 3750
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 10.129.28.35 255.255.255.0
so I manage that over vlan 2
on an L2 switch the
interface vlan x
ip address a.b.c.d
is enough to make vlan x the management VLAN
also the command
no ip routing
will switch off its L3 capabilities so all of the processor will be doing only L2 work.
12-27-2007 12:21 AM
Hi Friend,
You can configure any vlan with an ip address and shut default vlan 1. For management purposes that vlan will be active and you can manage your switch with that ip address.
But all layer 2 management traffic like CDP, STP, VTP etc. will still flow via vlan 1 to other switches in the network and you should not be concerned with the same.
Make sure you disable "ip routing" in global config mode so this switch can work only as a layer 2 switch, and add a default gateway to this switch so it can also be managed from some remote network.
HTH
Ankur
*Pls rate all helpful posts
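The checks from the two replies above, as an added example that is not part of the original thread: a small Python audit of a saved running-config against that advice (Vlan1 SVI shut with no address, an addressed management SVI, `no ip routing`, a default gateway). The sample config, its addresses and the function names are constructed; the script assumes the usual one-space indentation of interface sub-commands and that `no ip routing` is listed explicitly in the saved config.

```python
import re

# Constructed sample running-config (addresses are made up, not from the thread).
SAMPLE = """\
no ip routing
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 ip address 10.0.50.21 255.255.255.0
!
ip default-gateway 10.0.50.1
"""

def parse_svis(config):
    """Map VLAN id -> {'ip', 'shutdown'} for every 'interface VlanN' block."""
    svis, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # a top-level line closes the block
            m = re.match(r"interface Vlan(\d+)\s*$", line)
            current = int(m.group(1)) if m else None
            if m:
                svis[current] = {"ip": None, "shutdown": False}
        elif current is not None:
            text = line.strip()
            m = re.match(r"ip address (\S+) \S+", text)
            if m:
                svis[current]["ip"] = m.group(1)
            elif text == "shutdown":
                svis[current]["shutdown"] = True
    return svis

def audit_management(config, mgmt_vlan):
    """Return deviations from the advice above for an L2-only access switch."""
    svis, findings = parse_svis(config), []
    top = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    v1 = svis.get(1)
    if mgmt_vlan != 1 and v1 and (v1["ip"] or not v1["shutdown"]):
        findings.append("interface Vlan1 is not shut down with no ip address")
    mgmt = svis.get(mgmt_vlan)
    if not mgmt or not mgmt["ip"] or mgmt["shutdown"]:
        findings.append(f"interface Vlan{mgmt_vlan} has no active ip address")
    if "no ip routing" not in top:              # assumption: listed explicitly
        findings.append("'no ip routing' is missing")
    if not any(re.match(r"ip default-gateway \S+", l) for l in top):
        findings.append("'ip default-gateway' is missing")
    return findings
```

`audit_management(SAMPLE, 50)` returns an empty list; each string in a non-empty result names one setting to correct.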
12-27-2007 12:51 AM
ok i did like you said, but i'm not able to ping devices in vlan1 (connected to access sw) from distr/core sw.
in dist/core the trunk is ok:
C4507-CORE-SW01#sho int gigabitEthernet 4/2 switchport
Name: Gi4/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
in access sw trunk is also ok:
C3560-ACC-SW21#sho int gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
what could be the reason? can't even find mac address in ARP table in dist/core.
12-27-2007 12:57 AM
Hi Friend,
Can you please confirm when you initiate ping you are doing it from the core switch itself? or from some machine which is in vlan 1? Or from some machine which is in another vlan?
If you are initiating ping from core switch itself do you have any layer 3 interface created for vlan 1 on your core switch?
Regards,
Ankur
12-27-2007 01:36 AM
yes i'm pinging from dist/core. of course it contains an ip address in vlan 1 in the same subnet as the pinged device.
in sho ip route the route exists as connected. i'm afraid the ARP request is not going via the uplinks.
dist/core--.1q--sw1--.1q--sw2--device.
vtp is ok. :-(
12-28-2007 06:01 AM
if you have SHUTDOWN VLAN 1 on the Switch you are trying to ping from then of course it will not work.......
12-28-2007 06:29 AM
that's why my question was should i shutdown vlan1 or no?
if this is really the reason, so in my scenario vlan1 can't spread in many switches?
but note i shutdown interface vlan1 (L3) and not vlan1(L2).
so i am not sure this is the reason of my problem.
any comment?
12-28-2007 06:59 AM
Hi Friend,
You mentioned you are not able to ping devices in vlan 1, so even if your interface vlan 1 is shut on that switch it does not make any difference.
I am sure some very basic thing is missing in your config? Just check the trunk connections again between all the switches? Also check the "sh interface vlan 1" on your dist switch and make sure it is up and up?
Also can you try pinging vlan 1 interface ip address from devices which are in vlan 1 on this switch? Can you check for any firewall installed on your devices in vlan 1?
Regards,
Ankur
12-29-2007 02:12 PM
To ping a Device (another switch) in VLAN 1 you need to have a L3 address assigned to it
interface vlan 1
no shut
ip address a.b.c.d
I think I am missing your point here :-/
12-29-2007 08:21 PM
the device i want to ping is a computer in vlan 1 and not a switch.
all switches have ip address in vlan 50 (management vlan) and they have shutdown on interface vlan1.
12-30-2007 09:47 AM
Hi
What is the default-gateway set to on the client computer? Presumably it is the vlan 1 interface on the core switch - is that correct?
Is the core switch responsible for inter-vlan routing. So can you ping the vlan 1 interface on the core switch from the vlan 50 interface (or whatever management vlan you used) on your access-layer switch ?
Jon
12-30-2007 11:06 PM
A trunk port configured with IEEE 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default.
The native VLAN can be assigned any VLAN ID.
Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an IEEE 802.1Q trunk:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | interface interface-id | Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode.
Step 3 | switchport trunk native vlan vlan-id | Configure the VLAN that is sending and receiving untagged traffic on the trunk port. For vlan-id, the range is 1 to 4094.
Step 4 | end | Return to privileged EXEC mode.
Step 5 | show interfaces interface-id switchport | Verify your entries in the Trunking Native Mode VLAN field.
To return to the default native VLAN, VLAN 1, use the no switchport trunk native vlan interface configuration command.
If a packet has a VLAN ID that is the same as the outgoing port native VLAN ID, the packet is sent untagged; otherwise, the switch sends the packet with a tag.
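Step 5's verification applied to both ends of a link, as an added example that is not part of the original post: a Python comparison of two `show interfaces ... switchport` outputs that reports a native VLAN mismatch, where each end would place untagged frames in a different VLAN. The two excerpts are constructed and shortened, and the function names are hypothetical.

```python
import re

# Constructed, shortened 'show interfaces ... switchport' excerpts for two trunk ends.
CORE = """\
Name: Gi4/2
Administrative Mode: trunk
Operational Mode: trunk
Operational Trunking Encapsulation: dot1q
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Capture Mode Disabled
"""
# Same output with a different native VLAN on the far end (constructed mismatch).
ACCESS = CORE.replace("Gi4/2", "Gi0/1").replace("VLAN: 1 (default)", "VLAN: 50 (VLAN0050)")

def parse_switchport(output):
    """Turn 'Field: value' lines into a dict; lines without ':' are skipped."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def native_vlan(fields):
    """VLAN id from 'Trunking Native Mode VLAN', e.g. '1 (default)' -> 1."""
    m = re.match(r"(\d+)", fields.get("Trunking Native Mode VLAN", ""))
    return int(m.group(1)) if m else None

def compare_trunk_ends(a_out, b_out):
    """Return mismatches that keep a VLAN from crossing the link as intended."""
    a, b = parse_switchport(a_out), parse_switchport(b_out)
    problems = []
    for f in (a, b):
        if f.get("Operational Mode") != "trunk":
            problems.append(f"{f.get('Name')}: not operating as a trunk")
    encap = "Operational Trunking Encapsulation"
    if a.get(encap) != b.get(encap):
        problems.append("encapsulation differs between the two ends")
    if native_vlan(a) != native_vlan(b):
        problems.append(f"native VLAN mismatch: {native_vlan(a)} vs {native_vlan(b)}")
    return problems
```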
12-31-2007 12:12 AM
hi,
In my opinion, as you have shut down VLAN 1 you are not able to ping any device, which is very obvious. You have to give the no shut command.
CDP, STP and VTP use vlan 1 to transfer the info even though you have created another management VLAN. Also you can not prune VLAN 1 for the same reason. Please do not shut the vlan 1 interface, and check the ping.
Hope this helps.
Regards,
shri :)
12-31-2007 11:22 PM
i am sorry, i think the problem is in computers, because in other computers this problem does not occur.
but one thing is sure if we put shutdown or we don't put shutdown under interface vlan1 (that has no ip address) in access switch, computers in vlan1 can reach their gateway that is in core switch.