11-05-2013 10:31 PM - edited 03-07-2019 04:27 PM
Hi, I am working on my CCNA. I am trying to do some basic VLAN configuration and running into an issue. I have the following:
Cisco 2600 Router
Cisco 2950 Switch
Configured the router with sub interfaces and dot1Q for the trunking protocol. I am able to ping the sub interfaces with no problem on my router (for VLAN 1 and VLAN 2).
On my 2950 switch, I configured VLAN 1 as the native with IP address 192.168.1.99/24. VLAN 2 as 192.168.35.99/24. I also configured a port on the switch as a trunk port going to my router.
The problem I am running into is when I enable VLAN 2, that interface comes up and my PC in that VLAN can ping the switch and through to the sub interface on the router with no problem. However, I cannot ping anything from the PC in VLAN 1 anymore. I noticed, as soon as I issue the "no shut" command for VLAN 2, VLAN 2 comes up, but immediately VLAN 1 goes "administratively down". If I go back and issue the "no shut" command in VLAN 1 interface, it comes right back up, but then VLAN 2 goes back down. Any ideas why I can't have both VLANs running? Thanks!
Ted
11-06-2013 12:43 AM
Hi Ted,
The interface Vlan is not the VLAN itself; rather, it is a virtual network interface that connects the CPU of your switch to the particular VLAN so that it can have an IP address, netmask and default gateway from that VLAN just like any other PC. A VLAN in which you have a configured and activated interface VLAN is also called a management VLAN.
The Catalyst 2950 is limited to at most one management VLAN. This is exactly what you are experiencing - as soon as you activate one interface VLAN, other VLAN interfaces are automatically shut down. This is normal. In fact, you do not need multiple management VLANs - because either the PC that wants to access the switch remotely is in the management VLAN, or - if it is not - it can reach the management VLAN simply via inter-VLAN routing, although a router is needed in that case to perform the inter-VLAN routing.
The bottom line is: both your VLANs are active and running. However, at any time, the CPU of your switch (think of the switch simply as an end host for management purposes) can be a member of at most one VLAN, and that is the VLAN for which the interface VLAN is up and running.
Best regards,
Peter
11-06-2013 05:40 AM
Ted
Peter has correctly identified and explained the issue, which is the difference between a VLAN (which is a layer 2 construct and operates at layer 2) and interface vlan (which is a layer 3 construct and operates at layer 3). I would add one comment about your description of the problem, that the PC in VLAN 1 can no longer ping. This suggests that you are configuring the PCs with the default gateway being the IP address of the switch interface. It would work much better if the PC default gateway was the IP configured on the router subinterface. When you do this, all the PCs will be able to ping anything, no matter what the active vlan interface of the switch is.
HTH
Rick
11-06-2013 06:31 AM
Right, as everyone says, you can only have a single layer 3 interface active and this is to manage the switch only. The 2950 can do no routing so it doesn't need more than a single interface and gateway to get to it to manage it. All device gateways should be pointed at the router as Richard indicated. Also, whenever possible you should avoid using vlan 1 for anything as best practice.
11-06-2013 02:20 PM
Hi, thank you all for chiming in and helping me out....I am starting to understand the world of VLANs a little better!
So I made some changes and got it partially working, except I cannot ping from a PC in VLAN 2 to a PC that is on VLAN 3, or vice versa. Also cannot ping VLAN 1 interface of the switch (192.168.1.99) anymore from either PC. However, either PC can ping through to the router sub interfaces of all VLANs (1/Native, 2 or 3). Both the PCs have the Windows firewall disabled. From the router I can also ping both of the PCs as well as ping the VLAN 1 interface on the switch. I think I’m missing something but can’t seem to figure out what…??? Below are my configs, appreciate any input…Thanks!
PC1 192.168.35.10/24 DG 192.168.35.100 VLAN 3 Plugged in to FastEthernet 0/17 on 2950 Switch.
PC2 192.168.45.10/24 DG 192.168.45.100 VLAN 2 Plugged in to FastEthernet 0/18 on 2950 Switch.
Partial output from 2950 Switch:
interface FastEthernet0/16
switchport mode trunk
!
interface FastEthernet0/17
switchport access vlan 3
!
interface FastEthernet0/18
switchport access vlan 2
!
interface Vlan1
ip address 192.168.1.99 255.255.255.0
no ip route-cache
!
interface Vlan2
no ip address
no ip route-cache
shutdown
!
interface Vlan3
no ip address
no ip route-cache
shutdown
!
ip default-gateway 192.168.1.100
ip http server
!
Cisco 2600 Router:
TedsRTR1>sh ip int brief
Interface        IP-Address      OK? Method Status                Protocol
Ethernet0/0      192.168.1.100   YES manual up                    up
Ethernet0/0.1    unassigned      YES NVRAM  deleted               down
Ethernet0/0.2    192.168.45.100  YES manual up                    up
Ethernet0/0.3    192.168.35.100  YES manual up                    up
Serial0/0        unassigned      YES NVRAM  administratively down down
TedsRTR1#sh run
Building configuration...
Current configuration : 1017 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TedsRTR1
!
enable secret 5 $1$mYXS$Nk7l6sz2hOyFlEPc0BZmJ/
enable password cisco1
!
ip subnet-zero
no ip routing
!
!
ip ftp username user
ip ftp password 12345
no ip domain-lookup
!
!
!
!
interface Ethernet0/0
ip address 192.168.1.100 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
no mop enabled
!
interface Ethernet0/0.2
encapsulation dot1Q 2
ip address 192.168.45.100 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Ethernet0/0.3
encapsulation dot1Q 3
ip address 192.168.35.100 255.255.255.0
no ip route-cache
!
interface Serial0/0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
11-06-2013 02:26 PM
Here is the source of your problem - from the router config
no ip routing
Enable ip routing on the router and things will work much better.
HTH
Rick
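Added example, not part of the thread and not posted by any participant: a small Python check that reads a router-on-a-stick config and reports the two conditions raised in the replies above (routing disabled on the router, and a host gateway that is not the router subinterface for its VLAN). The config text is a constructed sample trimmed from the one posted; the function names `parse_router` and `audit` are hypothetical.

```python
import ipaddress
import re

# Constructed sample, trimmed from the router config posted in the thread.
ROUTER_CONFIG = """\
no ip routing
!
interface Ethernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.45.100 255.255.255.0
!
interface Ethernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.35.100 255.255.255.0
"""

# (name, ip/prefix, default gateway, access VLAN) as listed in the post
HOSTS = [("PC1", "192.168.35.10/24", "192.168.35.100", 3),
         ("PC2", "192.168.45.10/24", "192.168.45.100", 2)]

def parse_router(config):
    """Return (routing_enabled, {vlan_id: IPv4Interface}) from IOS config text."""
    routing = True  # IOS routers route by default unless 'no ip routing' is set
    gateways, vlan = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line == "no ip routing":
            routing = False
        elif line.startswith("interface "):
            vlan = None  # new interface stanza: forget the previous dot1Q tag
        elif m := re.match(r"encapsulation dot1Q (\d+)", line):
            vlan = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and vlan is not None:
            gateways[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return routing, gateways

def audit(config, hosts):
    """List reasons inter-VLAN pings would fail for the given hosts."""
    routing, gateways = parse_router(config)
    findings = []
    if not routing:
        findings.append("router: 'no ip routing' set, no forwarding between subinterfaces")
    for name, ip, gw, vlan in hosts:
        sub = gateways.get(vlan)
        if sub is None:
            findings.append(f"{name}: no dot1Q subinterface for VLAN {vlan}")
        elif ipaddress.ip_address(gw) != sub.ip:
            findings.append(f"{name}: gateway {gw} is not the VLAN {vlan} subinterface {sub.ip}")
    return findings
```
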
11-06-2013 02:39 PM
Thanks Rick, that was it! I forgot that one simple command! lol
Ted
11-06-2013 04:22 PM
Ted
I am glad that I could help you find the solution to the problem. It is quite simple and easy to forget (and I recognize the symptom because I have done the same thing myself).
HTH
Rick