Configuring a Cisco switch for IP division



I have been provided a single copper Cat6 cable from my ISP with a /28 subnet, so they provided me 12 public IPs for usage. Now I have a new layer 3 Cisco switch. So now I want to set up this switch such that when I insert this ISP copper cable into one of the ports, I can use all of the remaining 23 ports in a way that if I connect any of the ports to my computer, it can be set to use any of those 12 public IPs.

However, when I used this cable with a layer 2 switch, this scenario worked perfectly OK. But not with the layer 3 switch.

So can anyone tell me how I can configure this layer 3 Cisco switch so that all ports work as a bridge to the incoming port?


Just put them in the same layer 2.. Just because you have a layer 3 switch doesn't mean it can't do just layer 2.

What switch do you have, and do you have a need for layer 3 at the switching level? Don't you have a normal router/firewall?


I have a Cisco 3650 switch. And no, I don't have a need for layer 3 at the switching level presently. So please let me know how I can configure it to do layer 2.


A layer 3 switch can do both layer 3 and layer 2 at the same time. Just configure your ports to be in the layer 2 you want them to be in, just like you would if it were only a layer 2 switch. All the commands would be the same.

You mentioned that you had this working via your layer 2 switch before, so I have to assume you know how to set up VLANs on a layer 2 switch. Was it not Cisco and you need the Cisco commands?

To be honest, unless your ISP is doing tagging of this traffic, any dumb switch would work for what you're asking, since you're only using 1 layer 2. Default VLAN 1, which pretty much every switch I have ever seen defaults all ports to be in, is all you need. Dumb switches are like that: they just have all ports in the same layer 2 without any way to carve out other layer 2s. A smart or managed switch just allows you to carve out other layer 2 networks. With a layer 3 switch you just have the added ability to assign specific layer 3 networks to these layer 2s and then route between them, etc.

In your scenario, plugging your ISP into 1 port and then plugging a device into any other port should put them in the same layer 2, and the device should get an IP from the DHCP server running on your ISP's side. If they are not running DHCP for you, then you could either assign your IPs statically in the layer 3 network they gave you, or run your own DHCP, either on some other connected device or on the switch itself, etc.

If you're using a /28 you really should have 13 IPs to work with. I assume they are using one of those IPs as the gateway, i.e. their IP. Let's say they gave you 192.168.0.0/28 (most likely this is some public range, but for this example the network numbers in the IP don't really matter). So .0 is the wire, and .15 would be broadcast. Their IP in this, your gateway to the rest of the internet, is probably .1; then you would have .2 to .14 to use for your IPs..

Sometimes they do carve out a subnet to give to multiple users, so maybe they gave you 12 IPs and some other customer has the last IP in that /28, or maybe they are using more than just the 1 IP they need? You would think if they were doing HSRP or some sort of failover they would need 3 IPs out of this range. But anyhoo.. Do they provide you with DHCP? If a client just connects to this cable, do you get an IP via DHCP? If so then yeah, any dumb switch would work, or just make sure the ports you want to use on your switch are all in the same layer 2. This could be just the default VLAN 1, or any other VLAN you create and then assign ports to. All your ports in this VLAN could just be access. Unless they are tagging, which I'm not sure why they would unless they provide you some other services over this connection like voice or IPTV or something? If that is the case then you would need to trunk the port connected to the ISP cable, allow the VLANs they are using or you want, and then put your other ports in the VLAN you want them to be in.


Hi,

What they are providing me in this scenario is, say, 192.169.0.1/28 with 16 IPs, so 192.168.0.0, .1 and .15 are used as the network, gateway and broadcast IDs. Now they are using 192.168.0.2 as the IP of a switch they provided, and so made the 12 remaining IPs available from one of its ports in static mode. So now when I connect that single port directly to a PC and assign one of those 12 IPs to my machine statically, the internet works. Now what I did is connect the output port to a non-configurable layer 2 D-Link switch, so now if I connect my PC to other ports the internet still works.

Now I connected that same out port from the ISP switch to one of the ports on my Cisco 3650, on default VLAN 1 which is configured by default. When I connect my PC to any other port, with a static IP on my PC, the internet does not work, as the state of the in port on the Cisco 3650 connected from the ISP switch does not go up, i.e. it does not go green. So the internet does not work on my PC.

So then I tried putting the in port in trunk mode; the state went up, but the internet was still not working on the PC.

So, please let me know the exact commands for configuring the Cisco 3650 switch so it will act the same as that layer 2 switch. :|


Can you post the config of this switch so we have something to work with, and I know what ports are set to what.

"id does not goes green"

 

Does it go to a different color, meaning.. What are the lights on the port doing?

 

Seeing your config would be most helpful.. Do a show run on the switch and post that up, or PM it to me.


I am curious too as to what in the world you are doing. You should have a firewall doing that, or multiple firewalls attached to a switch. While a layer 3 switch could do it, it just doesn't have what is needed to secure the environment as a firewall would.


Hi,

This is the show run content:

Current configuration : 4127 bytes
!
! Last configuration change at 04:42:53 UTC Fri Oct 28 e pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
switch 1 provision ws-c3650-24ts
!
ip device tracking
!
!
!
       quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
  match non-client-nrt
!
policy-map port_child_policy
 class non-client-nrt-class
    bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
ap group default-group
end


So it looks like your 4 ports there would be in VLAN 1; any of those ports should work.

Looks like you have VLAN 1 shut down, but that should only be for the SVI, which you have none set up anyway:

interface Vlan1
 no ip address
 shutdown

 

The port you're not getting a light on is what interface? Your 4 ports are just like any dumb switch.. Connecting things to those ports would put them all in the same layer 2. So if a device is on port 1 and another device is on port 2, they would be able to talk to each other. Not getting a light on the port points to a bad cable, bad port, or bad NIC on the device. So you get NO lights? What happens with the lights? What does the device connected to it say? Does it say it's up at 100M, Gig, 10Mbit, what? What exactly do the lights on the interface say?

Now you do not have portfast on, so ports could take a bit to come up, sure.


When connecting to ports 1 to 4, one ISP cable for in and the other for out to the PC, then even the internet does not work. BUT IT WORKS IN THE NON-MANAGEABLE D-LINK LAYER 2 SWITCH. Normally with the lights, if the light is orange it is "port in error disable, spanning-tree negotiation, trunk to access port mismatch, or the switch may have a faulty port. Port is shutdown." (any of these), and flashing green shows the port is working fine. So the light goes solid orange when connected to the ISP cable on any port presently, while the one connected to the PC turns green. And also conf t shows the port with the orange light still up.

I tried putting the port in trunk mode and the light of the port went green, but still no internet on the PC :|


Well then use the D-Link switch..

Let's take the internet out of the scenario.. If you connect a PC to one of the first 4 ports, do you get a green light??


2 questions: why hasn't this switch been defaulted? Why do you have the switch in a controller mode when you probably don't have a second switch to manage?

Here is the config that you should use.

At an enable prompt:

conf t
int vlan 2
description vlan for everything
exit
int range gi1/0/1-24
switchport mode access
switchport access vlan 2
spanning-tree portfast
exit
exit
wr

Your stuff will work now, regardless of what port you plug it into.

 

VLAN 1 is shut down... leave it shut down.

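Pulling the advice in this thread into one layer-2-only configuration for the 3650, here is an added example from the editor, not something any poster wrote: the ISP-facing port and the host ports share one access VLAN, every port is moved off VLAN 1, portfast (with BPDU guard) goes only on the single-host ports and not on the port facing the ISP's switch, and management gets its own VLAN. The VLAN numbers, the port assignments and the management address are assumptions, not anything the OP or the ISP specified.

```cisco
! Added example, not posted by anyone in this thread. Assumptions:
! ISP cable on Gi1/0/1, hosts on Gi1/0/2-12, Gi1/0/24 for management,
! VLAN 20 = the public /28, VLAN 99 = management, VLAN 999 = parking.
configure terminal
vlan 20
 name PUBLIC-28
vlan 99
 name MGMT
vlan 999
 name UNUSED-PARKING
!
! ISP-facing port: access port in the public VLAN, no portfast, since
! the far end is the ISP's switch (the case the portfast warning in the
! thread describes). If the ISP tags traffic this becomes a trunk that
! allows only the VLANs they use.
interface GigabitEthernet1/0/1
 description ISP uplink, untagged /28
 switchport mode access
 switchport access vlan 20
 no spanning-tree portfast
!
! Host ports: same VLAN as the uplink so they share the /28. portfast
! suits a single end host; bpduguard err-disables the port if another
! switch is plugged in by mistake.
interface range GigabitEthernet1/0/2 - 12
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! One access port in the management VLAN, so the Vlan99 SVI below has
! an active port and can come up.
interface GigabitEthernet1/0/24
 description management host only
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
!
! Unused ports: parked in a dead VLAN and shut, so a stray cable does
! not land in VLAN 1 (the point made later in the thread).
interface range GigabitEthernet1/0/13 - 23 , GigabitEthernet1/1/1 - 4
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Vlan1 SVI stays shut; that only removes layer 3 on VLAN 1.
interface Vlan1
 no ip address
 shutdown
interface Vlan99
 ip address 192.168.99.2 255.255.255.0
 no shutdown
end
write memory
```

Afterwards, show vlan brief and show interfaces status at the enable prompt confirm which ports landed in which VLAN and which are up.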

Yeah, that would do it for sure..

But VLAN 1 being shut down does not actually shut it down; it just shuts down any SVI on that VLAN, is all.


At an enable prompt, if he ran the following it would show you if it were shut down or not:

sh int vlan1


For what it is worth, on all of my switches VLAN 1 is shut down just like his. No comm is going to happen on that VLAN. Administratively down and line protocol down = not going to work, no matter how hard you want it to. I don't know what you mean by "being shut down doesn't mean it is shut down"... but shut down means no comm, so I'm not sure exactly what you mean by that. But if you mean shutdown /= deleted or removed, you are correct: it isn't deleted or removed, and the default VLAN is still VLAN 1 even though it is in a shutdown state.

 


#sh int vlan 1
Vlan1 is administratively down, line protocol is down
  Hardware is EtherSVI, address is 64e9.50e8.c540 (bia 64e9.50e8.c540)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

VLAN 1 would have to be in an up state to function, correct? The line protocol would also have to be in an up state to be able to pass traffic, correct? That has been my experience anyway.

 


That is the SVI interface, not layer 2. I am like 98% sure that just shutting down VLAN 1 only shuts down the layer 3, i.e. the SVI. It will still pass layer 2. This is why you move all ports out of VLAN 1 if you're not going to use VLAN 1, and change the management VLAN from the default 1.

Simple enough to validate. Let me console into my switch and shut VLAN 1, and see if interfaces in VLAN 1 still pass traffic.


Let me know how that works out for you.

Layer 2 doesn't route, so this should be a layer 2 function, so administratively down should be a layer 2 function (I believe)... line protocol is a layer 1 function if I am not mistaken (physical link or association to a physical port).


I will check. But as a security practice you don't just shut down VLAN 1; you move all ports out of it and make sure you change the management VLAN.. Trying to change the headlight in my car currently, so I'll have to play with this after. Freaking hood is stuck.. arrghhh.


Well, I don't use the management port to manage my switches even though I have a management VLAN. It is all virtual; VLAN 1 is the default VLAN... but everything is defined, there is no port that is part of that VLAN.

I do have a test switch on my desk I could play with and see if they pass between those ports. I have a couple of Flukes that I could IP real quick and dirty to see if they will ping or do anything to each other. It would take me about 15 min to set up.


Slightly off topic: why disable VLAN 1 and move all ports off to a new VLAN?


OK, VLAN 1 is the default VLAN by default.

Anything you plug in, unless you specify otherwise, will be on VLAN 1. If you use VLAN 1 for anything and you plug in a device you don't want on, or that shouldn't have access to, that VLAN, you have just put a desktop on the server VLAN or the switch management VLAN or whatever. You have given that device access to something it shouldn't touch.

It is a security thing.


Tried this config:

conf t
int vlan 2
description vlan for everything
exit
int range gi1/0/1-24
switchport mode access
switchport access vlan 2
spanning-tree portfast
exit
exit
wr

It shows this message when running spanning-tree portfast:

%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 24 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
Switch(config-if-range)#
*Nov 1 11:28:25.796: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/1 on VLAN0002. Port consistency restored.
*Nov 1 11:28:26.131: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk GigabitEthernet1/0/1 VLAN2.
*Nov 1 11:28:26.132: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking GigabitEthernet1/0/1 on VLAN0002. Inconsistent port type.

GigabitEthernet1/0/1 is the port connected to the ISP switch.



Yeah, I was pretty sure shutting VLAN 1 doesn't really do anything at layer 2. Which is why you are supposed to move all the ports out of it, etc. And change your management, etc. etc..

Thanks for the validation.. Got the headlight replaced, but then it was time to head down to go trick-or-treating with my grandkids.. Now I have to get on a plane in a few hours; freaking travel for work has been killing me lately..

Keep in mind, if you are talking about a home network, there really is little reason to do this.. It's just common practice in production work/commercial networks to move everything out of VLAN 1 so there are no mistakes and something gets on a network it's not supposed to, etc. But I use VLAN 1 here at my house; it is my normal LAN network, while I do have multiple other VLANs. I just didn't really see the need to remove VLAN 1 from use. Now I do keep meaning to get around to doing it.. But I am not worried about someone plugging into the wrong port here and being on the wrong network ;)

edit: yeah, the portfast warning is normal... You've got something wrong on gi1/0/1.. What is this connected into?? A modem, another switch.. What did your ISP tell you this port should be configured as? Did you set it as trunk? What does the config look like? Move your ISP port to another port.. Didn't you say you changed a port to trunk? If what you're connected to is not trunk then yeah, you're going to get such errors. Or if they are both trunk and one side is doing 802.1q and the other is doing ISL, etc..


With the following config:

conf t
int vlan 2
description vlan for everything
exit
int range gi1/0/1-24
switchport mode access
switchport access vlan 2
exit
exit
wr

I am able to ping the gateway IP but not able to access the internet.

