Setting up Multiple VLANs
Hi,
I am in need of a little help. I am currently re-installing a network with all new equipment and need some guidance in configuring multiple VLANs on a switched network. I will be utilizing 4 Cisco 2960 switches (user switches), a Cisco 3750-X switch (core switch), and a Cisco 2921 router as the backbone devices. I already configured them with the basic information in order to test them out for connectivity; however, I am still unsuccessful/unsure in properly configuring them utilizing separate/multiple VLANs between all the devices. I want to use the 10.17.0.0 network information, utilizing NAT of course, and then use the 10.17.1.0 network on one switch utilizing VLANs, x.x.2.0 on another, and the x.x.3.0, x.x.4.0, etc. networks on the other switches. Can anyone assist me in the right direction? Here is the example of basic configs (minus sensitive information) that I installed for testing purposes, and everything is working fine; however, now I want to separate the devices and put them on their own networks, and then eventually segment the switches on separate sub-VLANs. I will also attach a basic diagram as a reference of the equipment. Thanks for the help.
Router:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
service sequence-numbers
no service dhcp
!
hostname rtr
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
logging buffered critical
logging rate-limit 10
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authorization console
aaa authorization exec default if-authenticated
!
!
!
!
!
aaa session-id common
clock timezone **omitted**
clock calendar-valid
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name **omitted**
multilink bundle-name authenticated
!
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint **omitted**
!
!
crypto pki certificate chain **omitted**
!
!
username **omitted**
username **omitted**
username **omitted**
!
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description THE NEW ISP INFO LIVE! $OUTSIDE$
no ip address
ip flow egress
ip nat outside
no ip virtual-reassembly in
ip virtual-reassembly out max-reassemblies 128
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description Link to CoreSW
ip address 10.17.1.1 255.255.0.0
ip flow ingress
ip nat inside
ip virtual-reassembly in max-reassemblies 128
duplex full
speed auto
!
interface GigabitEthernet0/2
description **NOT USED**
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export destination 10.17.3.250 2055
!
ip nat inside source list 117 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.17.0.0 name **omitted**
!
ip access-list extended netbios
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 136
deny udp any any eq 136
deny tcp any any eq 137
deny udp any any eq netbios-ns
deny tcp any any eq 139
deny udp any any eq netbios-ss
deny tcp any any eq 445
deny udp any any eq 445
deny tcp any any eq 138
deny udp any any eq netbios-dgm
permit ip any any
!
logging trap warnings
logging 10.17.3.250
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 remark **omitted** Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 117 permit ip any any
!
!
snmp-server community **omitted**
snmp-server enable traps tty
!
!
!
control-plane
!
!
banner login ^C
LOG OFF IMMEDIATELY IF YOU DO NOT AGREE TO THE CONDITIONS STATED IN THIS WARNING
^C
banner motd ^C
NOTICE TO USERS
THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may
be intercepted, monitored, recorded, copied, audited, inspected,
and disclosed to authorized site and law enforcement personnel,
as well as authorized officials of other agencies, both domestic
and foreign. By using this system, the user consents to such
interception, monitoring, recording, copying, auditing, inspection,
and disclosure at the discretion of authorized site personnel.
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and
consent to these terms and conditions of use.
^C
!
line con 0
exec-timeout 5 0
line aux 0
no exec
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class **omitted** in
privilege level 15
transport input ssh
line vty 5 15
access-class **omitted** in
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 196.43.1.9
end
Core switch:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname **omitted**
!
boot-start-marker
boot-end-marker
!
enable secret 5 **omitted**
enable password **omitted**
!
username **omitted**
username **omitted**
username **Omitted**
no aaa new-model
clock timezone **omitted**
switch 1 provision ws-c3750x-24s
system mtu routing 1500
no ip sticky-arp
ip dhcp excluded-address 10.17.3.250
ip dhcp excluded-address 10.17.2.249 10.17.2.255
ip dhcp excluded-address 10.17.0.1
ip dhcp excluded-address 10.17.1.0 10.17.1.15
!
ip dhcp pool 1
network 10.17.0.0 255.255.0.0
default-router 10.17.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool jv1
host 10.17.2.250 255.255.0.0
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool jv2
host 10.17.2.249 255.255.0.0
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool console
host 10.17.3.250 255.255.0.0
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool user_bad_wifi_card
host 10.17.3.80 255.255.0.0
!
ip dhcp pool Slim
host 10.17.3.50 255.255.0.0
dns-server 8.8.8.8 8.8.4.4
!
!
ip domain-name **omitted**
!
!
crypto pki trustpoint **omitted**
!
!
crypto pki certificate chain **omitted**
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
description Link to Router
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
description Link to For
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/3
description Link to Class1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/4
description Link to ELibrary
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/5
description Link to Class2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/6
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/7
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/8
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/9
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/10
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/11
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/12
description **NOT USED**
switchport mode access
spanning-tree portfast
shutdown
!
interface GigabitEthernet1/0/13
switchport mode access
spanning-tree portfast
shutdown
!
interface GigabitEthernet1/0/14
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/15
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/16
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/17
description **NOT USED**
switchport mode access
shutdown
!
interface GigabitEthernet1/0/18
description **NOT USED*
switchport mode access
shutdown
!
interface GigabitEthernet1/0/19
description **NOT USED*
switchport mode access
shutdown
!
interface GigabitEthernet1/0/20
description **NOT USED*
switchport mode access
shutdown
!
interface GigabitEthernet1/0/21
description **NOT USED*
switchport mode access
!
interface GigabitEthernet1/0/22
description **NOT USED*
switchport mode access
shutdown
!
interface GigabitEthernet1/0/23
description **NOT USED*
switchport mode access
shutdown
!
interface GigabitEthernet1/0/24
description **NOT USED*
switchport mode access
shutdown
!
interface GigabitEthernet1/1/1
description **NOT USED*
shutdown
!
interface GigabitEthernet1/1/2
description **NOT USED*
shutdown
!
interface GigabitEthernet1/1/3
description **NOT USED*
shutdown
!
interface GigabitEthernet1/1/4
description **NOT USED*
shutdown
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
ip address 10.17.1.2 255.255.0.0
no ip route-cache cef
no ip route-cache
!
ip http server
ip http secure-server
!
!
logging esm config
logging trap warnings
logging 10.17.3.250
access-list 1 permit 10.17.1.1
access-list 1 permit 10.17.1.2
access-list 1 permit 10.17.1.3
access-list 1 permit 10.17.1.4
access-list 1 permit 10.17.1.5
access-list 1 permit 10.17.1.6
access-list 1 permit 10.17.2.249
access-list 1 permit 10.17.2.251
access-list 1 permit 10.17.3.250
access-list 1 permit 10.17.2.250
snmp-server community **omitted**
snmp-server enable traps tty
!
!
line con 0
login local
line vty 0 4
access-class 1 in
password **omitted**
login local
line vty 5 15
access-class 1 in
password **omitted**
login local
!
end
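
The addressing plan described in the post, expressed as a router-on-a-stick configuration; this is an added example, not part of the original post. The VLAN IDs 11-14, the .1 gateway addresses, the mapping of core ports to VLANs and the 2960 port names are assumptions.

```ios
! ADDED EXAMPLE, not the poster's configuration.
! Assumed: VLAN IDs 11-14, .1 as the gateway in each /24.
!
! ---- Router (2921): one 802.1Q subinterface per VLAN ----
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.11
 encapsulation dot1Q 11
 ip address 10.17.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.12
 encapsulation dot1Q 12
 ip address 10.17.2.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.13
 encapsulation dot1Q 13
 ip address 10.17.3.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.14
 encapsulation dot1Q 14
 ip address 10.17.4.1 255.255.255.0
 ip nat inside
!
! ---- Core switch (3750-X): create the VLANs, prune every trunk ----
vlan 11-14
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 11-14
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 11
interface GigabitEthernet1/0/3
 switchport trunk allowed vlan 12
! Gi1/0/4 and Gi1/0/5 follow the same pattern with VLANs 13 and 14.
! The management address moves off VLAN 1 into VLAN 11 with a /24 mask.
interface Vlan1
 no ip address
interface Vlan11
 ip address 10.17.1.2 255.255.255.0
ip default-gateway 10.17.1.1
!
! ---- 2960 behind Gi1/0/3 (port names assumed; they vary by model) ----
vlan 12
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 12
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 12
```

The 2921 still routes between the four subnets, so isolating them from one another requires an ACL on each subinterface. The core switch's single `10.17.0.0 255.255.0.0` DHCP pool would also have to be split into one pool per /24.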