03-02-2015 05:04 PM - edited 03-07-2019 10:55 PM
Vlan questions... I'm still having a little trouble figuring out how they work. I have a 3750. I added a new vlan 11 with ip 10.10.11.1. It already has a vlan 2 with ip 10.10.2.3 and a vlan 5 with 10.10.5.129.
I have a 2960. All Fa ports are on vlan 5 or 11 with the Ge ports on vlan 2. I can ping from the 2960 to vlan 2 and 5 on the 3750 but not vlan 11. What did I do wrong?
p.s. if anyone wants to link to a VLANs for dummies page, that would be awesome. :)
3750
interface GigabitEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3,5-4094
 switchport mode trunk
interface Vlan2
 ip address 10.10.2.3 255.255.255.192
interface Vlan6
 ip address 10.10.5.129 255.255.255.128
interface Vlan11
 ip address 10.10.11.1 255.255.255.224
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi2/1/1, Gi2/1/2, Gi2/1/3, Gi2/1/4, Te2/1/1, Te2/1/2, Gi3/1/1, Gi3/1/2
                                                Gi3/1/3, Gi3/1/4, Te3/1/1, Te3/1/2
2    VLAN0002                         active    Gi1/0/1, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi2/0/1
                                                Gi2/0/2, Gi2/0/3, Gi2/0/4, Gi2/0/5, Gi2/0/6, Gi2/0/7, Gi2/0/8, Gi3/0/1
                                                Gi3/0/2, Gi3/0/3, Gi3/0/4, Gi3/0/5, Gi3/0/6, Gi3/0/7, Gi3/0/8, Gi3/0/9
3    VLAN0003                         active    Gi1/0/12, Gi2/0/10, Gi2/0/12, Gi3/0/10, Gi3/0/12, Po2
6    VLAN0006                         active
7    VLAN0007                         active    Gi2/0/9
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active
11   VLAN0011                         active
2960
interface GigabitEthernet0/1
 switchport trunk native vlan 2
 switchport mode trunk
interface Vlan2
 ip address 10.10.2.5 255.255.255.192
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    VLAN0002                         active    Gi0/2
3    VLAN0003                         active
6    VLAN0006                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
7    VLAN0007                         active
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active
11   VLAN0011                         active    Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20
03-02-2015 06:39 PM
checking
03-02-2015 09:00 PM
on 3750 run the command:
Your SVI may be down as you don't have a port in VLAN 11. Assign a layer 2 port to vlan 11 and this SVI should be up and try again.
Run - Sh ip int brief to confirm the SVI status.
-Terry
03-03-2015 08:57 AM
I checked and it's showing up up.
Vlan11 10.10.11.1 YES manual up up
03-03-2015 03:49 AM
Jessica
Your vlan 11 interface (SVI) on the 3750 should be up because vlan 11 is allowed on the trunk port.
Are you pinging from the actual 2960 or a client connected to the 2960?
When you created vlan 11 did you do a "no shut" under the vlan interface?
In terms of confusion, is there anything in particular you are struggling with, as we may be able to help clarify the concepts for you?
Jon
03-03-2015 08:53 AM
Hi Jon,
Thanks for the response. I'm pinging from the 2960. I can ping the other vlan ip addresses just not the one I created. I can ping it from the 3750. I did a shut/no shut just to be safe.
As to confusion, I don't have any formal training just what I've learned along the way. I guess I'm trying to figure out the vlan basics so I can do my job a little better. :) I'm not really sure how stuff from one vlan talks to another. I think I remember reading that it's layer 2. I'd also like to know a little more about how the tagging works. I really don't know anything about it other than it's basically like making a fake separate network inside a physical network.
03-03-2015 12:41 PM
Hi Jessica
Okay firstly with your current issue can you do a "sh ip int brief | include Vlan" on your 3750 and see if the vlan 11 interface is up.
So just for reference when I refer to an SVI (Switched Virtual Interface) I am talking about the "interface vlan <x>" in your configuration.
A vlan is a L2 concept and you can extend vlans across switches. It is a broadcast domain meaning if a broadcast is sent from one device every other device in that vlan sees it.
If you have multiple vlans on multiple switches as you do then you need to be able to pass vlan traffic between the switches so you create a trunk link. A trunk link carries multiple vlan traffic and the sending switch adds tags to the frames. These tags identify to the receiving switch which vlan the frame is in so it can be delivered properly.
When you do a "sh vlan brief" you are looking at the L2 vlans on your switch.
A device in a vlan can communicate with any other device in the same vlan at L2 ie. there is no need to route traffic.
So if a device on the 2960 sends a frame to a device on the 3750 in the same vlan the 2960 will add a tag to the frame and send it on the trunk link to the 3750. The 3750 receives the frame, removes the tag to work out which vlan the device is in, and sends it to that device on the 3750.
The tag by the way has a few things in it but the key one is the vlan ID.
All that happens at L2.
However if a device in one vlan wants to talk to a device in another vlan then you need to route between vlans. This won't happen until you create the SVIs for those vlans. So if a device in vlan 5 on the 2960 wants to talk to a device in vlan 2 on the 3750 the device in vlan 5 needs to send the packet to its default gateway which is the SVI for vlan 5 on the 3750.
Again the 2960 would send the frame across the trunk link tagged with vlan 5 to the 3750, the frame would be untagged and then sent to the SVI for vlan 5 which would route it via the SVI for vlan 2 to the device in vlan 2.
So vlans exist at L2 but for communication between vlans you need L3 interfaces for those vlans and these are your SVIs on the 3750.
Note I have used the terms packet and frames somewhat interchangeably. Strictly speaking frames are L2 and packets are L3.
Hope some of that has helped and if you want clarification or have more queries then please feel free as that's what these forums are for.
As to your issue, can you check the SVI for vlan 11 is up and can you also post a "sh ip route" from the 2960.
Jon
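The tagging behaviour described in the post above, as an added example that is not part of the original thread: a simplified Python model of the two trunk ports using the native VLAN and allowed list from the posted configs. The names `TrunkPort`, `parse_allowed` and `send` and the sample frame are hypothetical, and the priority bits of the tag are left at zero.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_allowed(spec):
    """Expand a 'switchport trunk allowed vlan' list such as '2,3,5-4094'."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

class TrunkPort:
    def __init__(self, native_vlan, allowed="1-4094"):
        self.native = native_vlan
        self.allowed = parse_allowed(allowed)

    def egress(self, vlan, frame):
        """Return the bytes put on the wire, or None if the VLAN is not carried."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native:
            return frame  # native VLAN travels untagged
        tci = vlan & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID; tag follows both MACs
        return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

    def ingress(self, wire):
        """Return (vlan, untagged_frame), or None if the frame is dropped."""
        (ethertype,) = struct.unpack("!H", wire[12:14])
        if ethertype == TPID_8021Q:
            (tci,) = struct.unpack("!H", wire[14:16])
            vlan, frame = tci & 0x0FFF, wire[:12] + wire[16:]
        else:
            vlan, frame = self.native, wire  # untagged means native VLAN
        return (vlan, frame) if vlan in self.allowed else None

# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload
FRAME = bytes.fromhex("0011223344550066778899aa0800") + b"payload"
# Trunk settings copied from the thread's two switches
sw2960 = TrunkPort(native_vlan=2)                        # no allowed list: all VLANs
sw3750 = TrunkPort(native_vlan=2, allowed="2,3,5-4094")

def send(vlan):
    """Carry FRAME from the 2960 to the 3750 in the given VLAN."""
    wire = sw2960.egress(vlan, FRAME)
    return sw3750.ingress(wire) if wire is not None else None

if __name__ == "__main__":
    print({v: send(v) for v in (2, 4, 11)})
```

In this model VLAN 11 crosses the trunk with a tag, VLAN 2 crosses untagged as the native VLAN, and VLAN 4 is dropped on the 3750 because it is missing from that port's allowed list.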
03-03-2015 12:41 PM
Wow. That is possibly the best answer anyone could have given. I can't even begin to thank you enough for taking the time to write that. It helped IMMENSELY and cleared up most of my questions. (My only ones left are for the way tags are treated over a l2l VPN but I'll post that in another sub forum. :) ) Thanks so much for your help!
03-03-2015 12:52 PM
Jessica
No problem, glad it helped.
In terms of L2L with a standard IPSEC L2L there would be no tags because vlan tags are a L2 concept not L3 ie. in the previous example the SVI on the 3750 never sees the vlan tag because it was removed by the receiving switch when it arrived on the trunk link.
There are ways of extending a L2 vlan across a L3 network and whether this could include a trunk link with an IPSEC tunnel I have never really considered to be honest and don't know if it is possible.
By all means though post into a different forum to see if you can get a definitive answer.
Jon
03-03-2015 09:04 AM
So I got tired of messing with it last night and went home. I come back in this morning and... IT'S WORKING. WHAT HAPPENED?
03-03-2015 09:39 AM
No idea but at least it is working :-)
So no need to carry out those commands I posted.
Jon