Configuring vlans with 871 and two 2950.

by Cyrus Lok on Thursday, April 1, 2010 at 3:30pm
871, 2950-1 and 2950-2 are set up. No redundant links yet; this setup will soon become more complicated.

Configure a DHCP server to ease management:

R871(config)#no ip dhcp pool Vlan10
R871(config)#ip dhcp pool vlan10
R871(dhcp-config)#lease 0 23 59
R871(dhcp-config)#network 10.10.10.8 255.255.255.248

Create vlan 10 in the vlan database:

R871(config)#vlan 10
R871(config-vlan)#name TestNet1
R871(config-vlan)#

R871(config)#int vlan 10
R871(config-if)#ip address pool vlan10
R871(config-if)#ip virtual-reassembly
R871(config-if)#ip nat inside

Exclude the network and broadcast address of each subnet:
ip dhcp excluded-address 10.10.10.0
ip dhcp excluded-address 10.10.10.7
ip dhcp excluded-address 10.10.10.8
ip dhcp excluded-address 10.10.10.15
ip dhcp excluded-address 10.10.10.16
ip dhcp excluded-address 10.10.10.31
ip dhcp excluded-address 10.10.10.3
ip dhcp excluded-address 10.10.10.4

10.10.10.3 and 10.10.10.4 are for switches.
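As an added example (not part of the original post), here is a small Python script that computes the network and broadcast address of each /29 from its prefix with the standard ipaddress module, adds the two reserved switch addresses, and emits the matching excluded-address lines. The subnets and reserved hosts are the ones used in this lab; everything else in the script is mine. Running it and diffing against a hand-typed list is a quick way to catch a wrong octet before a switch address ends up leased to a host.

```python
import ipaddress

# Constructed input: the three /29 subnets used in the lab and the two
# addresses reserved for the switches' management interfaces.
SUBNETS = ["10.10.10.0/29", "10.10.10.8/29", "10.10.10.16/29"]
RESERVED_HOSTS = ["10.10.10.3", "10.10.10.4"]


def excluded_addresses(subnet):
    """Network and broadcast address of one subnet, as a list of two strings."""
    net = ipaddress.ip_network(subnet, strict=True)
    return [str(net.network_address), str(net.broadcast_address)]


def check_reserved(reserved_hosts, subnets):
    """Return the reserved hosts that fall inside none of the given subnets.
    A typo here would leave a switch address unprotected in some other pool."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [h for h in reserved_hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]


def dhcp_exclusion_lines(subnets, reserved_hosts=()):
    """Emit 'ip dhcp excluded-address' lines for every subnet's network and
    broadcast address plus any statically assigned hosts, sorted numerically."""
    addrs = set()
    for s in subnets:
        addrs.update(excluded_addresses(s))
    addrs.update(reserved_hosts)
    ordered = sorted(addrs, key=lambda a: int(ipaddress.ip_address(a)))
    return [f"ip dhcp excluded-address {a}" for a in ordered]


if __name__ == "__main__":
    stray = check_reserved(RESERVED_HOSTS, SUBNETS)
    if stray:
        print("reserved hosts outside all pools: " + ", ".join(stray))
    print("\n".join(dhcp_exclusion_lines(SUBNETS, RESERVED_HOSTS)))
```

The script uses `strict=True` so a prefix whose host bits are not zero (for example a mistyped "10.10.10.9/29") raises an error instead of silently being rounded down.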

Create vlan 20:
R871(config)#vlan 20
R871(config-vlan)#name TestNet2
R871(config-vlan)#exit

R871(config)#ip dhcp pool vlan20
R871(dhcp-config)#network 10.10.10.16 255.255.255.248
R871(dhcp-config)#lease 0 23 59
R871(dhcp-config)#import all
R871(dhcp-config)#exit

R871(config)#int vlan 20
R871(config-if)#ip address pool vlan20
R871(config-if)#ip virtual-reassembly
R871(config-if)#ip nat inside
R871(config-if)#exit

Verify vlans created:
R871(config)#do sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0          unassigned      YES unset  up                    down
FastEthernet1          unassigned      YES unset  up                    down
FastEthernet2          unassigned      YES unset  up                    up
FastEthernet3          unassigned      YES unset  up                    up
FastEthernet4          unassigned      YES DHCP   administratively down down
Vlan1                  10.10.10.1      YES NVRAM  up                    up
NVI0                   unassigned      YES unset  administratively down down
Vlan10                 10.10.10.9      YES manual up                    up
Vlan20                 10.10.10.17     YES manual up                    up

Verify the vlan database (trunk ports are not shown):
R871#sh vlan-switch brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0, Fa1
10   TestNet1                         active
20   TestNet2                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Create an unused vlan for native vlan assignment:
R871(config)#vlan 100
R871(config-vlan)#exit

Assign the same native vlan to the 2 trunk ports:
R871(config)#int range fa2 - 3
R871(config-if-range)#switchport trunk native vlan 100

Verify the native vlan in vlan database:
R871(config-if-range)#do sh vlan-sw brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0, Fa1
10   TestNet1                         active
20   TestNet2                         active
100  VLAN0100                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

I am not sure whether it is necessary, but I have also created a vlan 100 interface without assigning it any ip address.
Trunk ports connected to each other must use the same duplex setting and the same native vlan, otherwise a severity 4 warning appears:
*Mar 5 16:40:40.835: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet3 (100), with 2950-1 FastEthernet0/1 (1).

A side track from vlans, these are the syslog severity levels:
R871(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
<cr>
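Added example, not from the original post: a Python parser for IOS system messages that picks out the %CDP-4-NATIVE_VLAN_MISMATCH warnings shown above and reports which local port and vlan disagree with which neighbour, so the mismatch can be spotted in a syslog feed instead of only on the console. The sample lines are the two from this lab plus one constructed %SYS-5-CONFIG_I line; the regexes are my own and only cover the message wording seen here.

```python
import re

# Constructed sample: the two CDP warnings printed in the lab (one seen from the
# router, one from 2950-1) plus an unrelated notification line for contrast.
SAMPLE_LOG = """\
*Mar 5 16:40:40.835: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet3 (100), with 2950-1 FastEthernet0/1 (1).
01:27:20: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with R871.cyruslab.com FastEthernet3 (100).
*Mar 5 16:41:02.113: %SYS-5-CONFIG_I: Configured from console by console
"""

# IOS system messages look like %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Text of the CDP mismatch message: local port (vlan), peer name, peer port (vlan)
MISMATCH_RE = re.compile(
    r"Native VLAN mismatch discovered on (?P<local_if>\S+) \((?P<local_vlan>\d+)\), "
    r"with (?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)

# Severity numbers as listed by 'logging trap ?'
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}


def parse_message(line):
    """Split one IOS log line into facility, severity (number and name), mnemonic
    and text. Returns None for lines that are not system messages."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    return rec


def native_vlan_mismatches(log_text):
    """Return one finding per NATIVE_VLAN_MISMATCH message: which local port and
    vlan disagree with which neighbour port and vlan."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_message(line)
        if rec is None or rec["mnemonic"] != "NATIVE_VLAN_MISMATCH":
            continue
        d = MISMATCH_RE.search(rec["text"])
        if d is None:
            continue  # a wording variant this parser does not know; skip rather than guess
        findings.append({
            "local_if": d["local_if"], "local_vlan": int(d["local_vlan"]),
            "peer": d["peer"], "peer_if": d["peer_if"], "peer_vlan": int(d["peer_vlan"]),
            "severity": rec["severity_name"],
        })
    return findings


if __name__ == "__main__":
    for f in native_vlan_mismatches(SAMPLE_LOG):
        print(f"{f['severity']}: {f['local_if']} native {f['local_vlan']} "
              f"vs {f['peer']} {f['peer_if']} native {f['peer_vlan']}")
```

Because the message is only generated by CDP, a trunk to a neighbour with CDP disabled will never raise it; the parser reports what the log contains and nothing more.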

R871 configuration is complete. Let's move on to the 2950-1 switch:
press ctrl+shift+6, then "x" to return to the terminal server.

Tserver#
Tserver#2950-1
Trying 2950-1 (1.1.1.1, 2001)… Open

2950-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
2950-1(config)#line con 0
2950-1(config-line)#exec-time
2950-1(config-line)#exec-timeout 0 0
2950-1(config-line)#loggin syn
2950-1(config-line)#priv
2950-1(config-line)#privilege level 15
2950-1(config-line)#
01:27:20: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (1), with R871.cyruslab.com FastEthernet3 (100).

So I will go to 2950-1 fa0/1 and configure the trunk port with native vlan 100.

2950-1(config-line)#int fa0/1
2950-1(config-if)#switchport mode trunk
2950-1(config-if)#switchport nonegotiate
2950-1(config-if)#switchport trunk native vlan 100

Well, I have only configured vlans on 871, so how come 2950-1 has vlans 10, 20 and 100 too? That's because of VTP. 871, 2950-1 and 2950-2 all belong to the same vtp domain and have the same vtp password, and only 871 has the latest revision number, hence the vtp servers 2950-1 and 2950-2 get their vtp updates from 871.
Checking the vtp status before creating vlans is very, very important. VTP can be really convenient, but because of that convenience it can be very destructive too: if 2950-1 had a vtp revision number higher than 871, then 2950-1 would not get updates from 871; instead 871 would get its vtp update from 2950-1, which would screw up the vlan database I created on 871.
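To make the revision-number point concrete, here is an added Python check (my code, not from the post) that parses `show vtp status` output and compares a switch against the intended master. It flags an empty or different domain, a different MD5 digest, and the dangerous case of a server with a higher configuration revision than the master. The R871 and 2950-2 outputs are the ones from this lab; the "stale" switch is constructed to show the destructive case the paragraph describes.

```python
import re

# Constructed samples: 'show vtp status' from R871 and from 2950-2 (before its
# domain and password were set), as seen in the lab, plus an invented "stale"
# switch that was once a server in the same domain and carries a higher revision.
R871_STATUS = """\
VTP Version : 2
Configuration Revision : 12
Maximum VLANs supported locally : 8
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : cyrus
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x14 0xC2 0xB7 0xAC 0xFA 0xAF 0xD3 0x96
Configuration last modified by 10.10.10.1 at 3-5-02 16:35:26
"""

SW2_STATUS = """\
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 128
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
"""

STALE_STATUS = """\
VTP Version : 2
Configuration Revision : 30
Maximum VLANs supported locally : 128
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : cyrus
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x00 0x11 0x22 0x33 0x44 0x55 0x66 0x77
Configuration last modified by 10.10.10.200 at 3-5-02 12:00:00
"""

# "Label : value" lines; the "last modified ... 16:35:26" line has no " :" and is skipped
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s+:\s*(?P<value>.*)$")


def parse_vtp_status(text):
    """Turn 'show vtp status' into a dict keyed by the label left of the colon."""
    info = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m["key"].strip()] = m["value"].strip()
    return info


def audit_vtp(master_text, member_text, master_name="master", member_name="member"):
    """Compare a switch against the intended VTP master and return a list of
    findings; an empty list means the two agree."""
    master = parse_vtp_status(master_text)
    member = parse_vtp_status(member_text)
    findings = []
    if not member.get("VTP Domain Name"):
        findings.append(f"{member_name}: no VTP domain set, it will not accept updates")
    elif member["VTP Domain Name"] != master["VTP Domain Name"]:
        findings.append(f"{member_name}: domain {member['VTP Domain Name']!r} differs from {master_name}")
    if member.get("MD5 digest") != master.get("MD5 digest"):
        findings.append(f"{member_name}: MD5 digest differs from {master_name} "
                        "(password or VLAN database mismatch)")
    m_rev = int(master["Configuration Revision"])
    s_rev = int(member["Configuration Revision"])
    if member["VTP Operating Mode"].lower() == "server" and s_rev > m_rev:
        findings.append(f"{member_name}: server mode with revision {s_rev} > {m_rev}, "
                        f"connecting it would OVERWRITE the VLAN database on {master_name}")
    return findings


if __name__ == "__main__":
    for name, text in (("2950-2", SW2_STATUS), ("stale", STALE_STATUS)):
        for finding in audit_vtp(R871_STATUS, text, "R871", name) or [f"{name}: consistent"]:
            print(finding)
```

Run this against every switch before it is cabled into the domain: the "OVERWRITE" finding is exactly the situation the paragraph above warns about, and the usual remedy (mode client, or a different temporary domain) zeroes the revision before the switch joins.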

VTP status of 2950-1 switch:
2950-1(config)#do sh vtp status
VTP Version : 2
Configuration Revision : 12
Maximum VLANs supported locally : 128
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : cyrus
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x14 0xC2 0xB7 0xAC 0xFA 0xAF 0xD3 0x96
Configuration last modified by 10.10.10.1 at 3-5-02 16:35:26
Local updater ID is 0.0.0.0 (no valid interface found)

Vlan database of 2950-1:
2950-1(config-if)#do sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
10   TestNet1                         active    Fa0/3
20   TestNet2                         active
100  VLAN0100                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Unassigned ports belong to vlan 1 by default. It is not a good idea to leave unused ports in vlan 1 and leave them all open. I will assign 10 ports to vlan 10 and another 7 ports to vlan 20, and shut down the remaining ports. The leftover ports are for redundant links.
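Added example, not from the original post: a Python parser for `show vlan brief` that handles the wrapped port lists IOS prints and lists which ports still sit in vlan 1, which is the set of ports that still need to be moved to their vlan or shut down. The sample is 2950-1's output from this lab in its original column layout; the parser, and its assumption that vlan names contain no spaces, are mine.

```python
import re

# Constructed sample: 2950-1's 'show vlan brief' from the lab, before its access
# ports were re-assigned. Fa0/1 is already a trunk and so does not appear.
SAMPLE_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
10   TestNet1                         active    Fa0/3
20   TestNet2                         active
100  VLAN0100                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# A vlan row starts with the vlan id; names with spaces are not handled (assumption)
VLAN_ROW = re.compile(r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<status>\S+)\s*(?P<ports>.*)$")
PORT_RE = re.compile(r"[A-Za-z]+\d+(?:/\d+)*")


def parse_vlan_brief(text):
    """Return {vlan_id: {"name", "status", "ports"}}; indented lines that follow
    a vlan row are the continuation of its port list."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            current = int(m["id"])
            vlans[current] = {"name": m["name"], "status": m["status"],
                              "ports": PORT_RE.findall(m["ports"])}
        elif current is not None and line.startswith(" "):
            vlans[current]["ports"].extend(PORT_RE.findall(line))
    return vlans


def port_key(port):
    """Sort key so that Fa0/10 comes after Fa0/9 rather than after Fa0/1."""
    prefix = re.match(r"[A-Za-z]+", port).group(0)
    numbers = [int(n) for n in re.findall(r"\d+", port)]
    return (prefix, numbers)


def ports_in_vlan(text, vlan_id=1):
    """Ports assigned to the given vlan, in natural port order."""
    vlans = parse_vlan_brief(text)
    return sorted(vlans.get(vlan_id, {"ports": []})["ports"], key=port_key)


if __name__ == "__main__":
    leftovers = ports_in_vlan(SAMPLE_VLAN_BRIEF, 1)
    print(f"{len(leftovers)} ports still in vlan 1: {', '.join(leftovers)}")
```

Feed it the output of each switch after the access-port configuration; anything still listed under vlan 1 is either a port you forgot or one that should be shut down.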

2950-1(config)#int range fa0/2 - 11
2950-1(config-if-range)#swit
2950-1(config-if-range)#switchport mode access
2950-1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 10 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.

Portfast is meant to take spanning tree out of the picture on these ports, hence they will not take part in the root bridge election. Access ports are connected to hosts and not switches, so no BPDUs should be sent out from these ports.

A side note: never enable portfast on a trunk, it will cause a loop.

2950-1(config-if-range)#spanning-tree bpduguard enable
2950-1(config-if-range)#switch access vlan 10

fa0/12 to 18 for vlan 20:
2950-1(config)#int range fa0/12 - 18
2950-1(config-if-range)#switchport mode access
2950-1(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 7 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.

2950-1(config-if-range)#spanning-tree bpduguard enable

Shut down remaining ports:
2950-1(config)#int range fa0/19 - 24
2950-1(config-if-range)#shut

2950-1(config)#int vlan 1
2950-1(config-if)#ip address 10.10.10.3 255.255.255.248

Go to 2950-2 to do the rest of the configuration.

This is great… Look at this output, 2950-2 did not receive vtp updates for the latest vlan database.

2950-2(config-if)#do sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Verify VTP status:
2950-2(config)#do sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 128
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

The real issue is that no vtp password was set on 2950-2, hence it is not authorized to share vtp updates.
I will set the vtp domain and password; the password cannot be set if there is no domain. The vtp domain name is case sensitive.

2950-2(config)#vtp domain cyrus
2950-2(config)#vtp password cyrus
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 128
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : cyrus
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xC8 0x07 0xE7 0xCA 0xAF 0x40 0x1A 0x8F
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Hmm.. still not receiving updates despite password, domain and revision is 0?

Tserver#1
[Resuming connection 1 to r871 … ]

R871#sh vtp stat
VTP Version : 2
Configuration Revision : 12
Maximum VLANs supported locally : 8
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : cyrus
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x14 0xC2 0xB7 0xAC 0xFA 0xAF 0xD3 0x96
Configuration last modified by 10.10.10.1 at 3-5-02 16:35:26
Local updater ID is 10.10.10.1 on interface Vl1 (lowest numbered VLAN interface found)

Authentication failed! Why? The MD5 digests of 871 and 2950-2 are different.
To solve this I changed the vtp mode from server to client, which in effect "resets" vtp. Look at the output now: it receives the latest vtp update.

2950-2(config)#vtp mode client
Setting device to VTP CLIENT mode.
2950-2(config)#do sh vtp stat
VTP Version : 2
Configuration Revision : 12
Maximum VLANs supported locally : 128
Number of existing VLANs : 8
VTP Operating Mode : Client
VTP Domain Name : cyrus
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x14 0xC2 0xB7 0xAC 0xFA 0xAF 0xD3 0x96
Configuration last modified by 10.10.10.1 at 3-5-02 16:35:26

Look at the MD5 hash, it’s the same as 871. Great. I will change vtp mode back to server.

2950-2(config)#vtp mode server
Setting device to VTP SERVER mode
2950-2(config)#do sh vtp stat
VTP Version : 2
Configuration Revision : 12
Maximum VLANs supported locally : 128
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : cyrus
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x14 0xC2 0xB7 0xAC 0xFA 0xAF 0xD3 0x96
Configuration last modified by 10.10.10.1 at 3-5-02 16:35:26
Local updater ID is 0.0.0.0 (no valid interface found)

For easier management I have assigned the same ports to the vlans as on 2950-1:
2950-2(config)#int range fa0/2 - 11
2950-2(config-if-range)#switchport mode access
2950-2(config-if-range)#switchport access vlan 10
2950-2(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 10 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
2950-2(config-if-range)#spanning-tree bpduguard enable

2950-2(config-if-range)#int range fa0/12 - 18
2950-2(config-if-range)#switch mode access
2950-2(config-if-range)#switch access vlan 20
2950-2(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc… to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 7 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
2950-2(config-if-range)#spann bpduguard en
2950-2(config)#int range fa0/19 - 24
2950-2(config-if-range)#shutdown
2950-2(config-if-range)#int vlan 1
2950-2(config-if)#ip address 10.10.10.4 255.255.255.248
2950-2(config-if)#no shut

Verify:
2950-2#ping 10.10.10.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1000 ms
2950-2#ping 10.10.10.17

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1000 ms

Great this means that inter-vlan routing is in action.. lol… I love routing and switching…

This entry was posted in Route.