
I have been provided a single copper Cat6 cable from my ISP with a /28 subnet. So they provided me 12 public IPs for usage, and now I have a new layer 3 Cisco switch. So now I want to set up this switch such that when I insert this ISP copper cable into one of the ports I can use all of the remaining 23 ports in a way such that if I connect any of those ports to my computer it can be set to use any of those 12 public IPs.

 

However, when I set this cable up in a layer 2 switch this scenario worked perfectly OK. But not in the layer 3 switch.

 

So can anyone tell me how I can configure this layer 3 Cisco switch so that all ports work as a bridge to the incoming port.

Just put them in the same layer 2.. Just because you have a layer 3 switch doesn't mean it can't do just layer 2.

 

What switch do you have - and do you have need of layer 3 at the switching level? Don't you have a normal router/firewall?

A layer 3 switch can do both layer 3 and layer 2 at the same time. Just configure your ports to be in the layer 2 you want them to be in, just like you would if it were only a layer 2 switch. All the commands would be the same.

 

You mentioned that you had this working via your layer 2 switch before, so I have to assume you know how to set up VLANs on a layer 2. Was it not Cisco and you need the Cisco commands?

 

To be honest, unless your ISP is doing tagging of this traffic, any dumb switch would work for what you're asking, since you're only using 1 layer 2. Default VLAN 1, which pretty much every switch I have ever seen defaults all ports to be in, is all you need. Dumb switches are like that: they just have all ports in the same layer 2 without any way to carve out other layer 2s. A smart or managed switch just allows you to carve out other layer 2 networks. With a layer 3 you just have the added ability to assign specific layer 3 networks to these layer 2s and then route between them, etc.

 

In your scenario, plugging your ISP into 1 port and then plugging a device into any other port should put them in the same layer 2, and the device should get an IP from the DHCP server running on your ISP's side. If they are not running DHCP for you then you could either assign your IPs statically in the layer 3 network they gave you, or run your own DHCP either on some other device connected or on the switch itself, etc.

 

If you're using a /28 you really should have 13 IPs to work with. I assume they are using one of those IPs as the gateway, i.e. their IP. Let's say they gave you 192.168.0.0/28 - most likely this is some public range, but for this example the actual network numbers in the IP don't really matter. So .0 is the wire, and .15 would be broadcast. Their IP in this, your gateway to the rest of the internet, is prob .1, then you would have .2 to .14 to use for your IPs..

 

Sometimes they do carve out a subnet to give to multiple users, so maybe they gave you 12 IPs and some other customer has the last IP in that /28, or maybe they are using more than just the 1 IP they need? You would think if they were doing HSRP or some sort of failover they would need 3 IPs out of this range. But anyhoo.. Do they provide you with DHCP? If a client just connects to this cable do you get an IP via DHCP? If so then yeah, any dumb switch would work, or just make sure the ports you want to use on your switch are all in the same layer 2. This could be just the default VLAN 1, or any other VLAN you create and then assign ports to. All your ports in this VLAN could just be access. Unless they are tagging - which, not sure why they would unless they provide you some other services over this connection like voice or IPTV or something? If that is the case then you would need to trunk the port connected to the ISP cable, allow the VLANs they are using or you want, and then put your other ports in the VLAN you want them to be in.
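As an added example (not from any poster in this thread), here is what the "all ports in one layer 2" answer above looks like as a Catalyst 3650 configuration, with the untagged and the 802.1Q-tagged hand-off side by side. The port assignment (ISP on Gi1/0/1, hosts on Gi1/0/2-24), VLAN number 10, VLAN 999 as a throwaway native VLAN and the placeholder <isp-vlan> are assumptions for illustration; the ISP's real VLAN ID, if they tag at all, has to come from the ISP.

```cisco
! Added example, not from the thread. Assumed layout: ISP hand-off on Gi1/0/1,
! hosts on Gi1/0/2-24, and VLAN 10 chosen arbitrarily as the single layer 2.
conf t
!
vlan 10
 name ISP-HANDOFF
!
! ISP-facing port. Plain access port, DTP off so nothing can talk it into a
! trunk. No PortFast/BPDU Guard here: the upstream is a switch, not a host.
interface GigabitEthernet1/0/1
 description ISP hand-off (untagged)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no shutdown
!
! Host ports: same VLAN. PortFast so they come up at once, BPDU Guard so a
! switch plugged in by mistake err-disables the port instead of joining STP.
interface range GigabitEthernet1/0/2 - 24
 description host port, ISP VLAN
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! No "interface Vlan10" is created: the switch needs no address in the public
! range just to bridge frames. "interface Vlan1" can stay shut down; that is
! only the layer 3 SVI, not the VLAN itself.
end
write memory
!
! --- Variant: the ISP delivers the service tagged on VLAN <isp-vlan> ---
! Replace the Gi1/0/1 stanza with the one below and put the host ports in
! <isp-vlan> instead of 10. Pruning the trunk to that one VLAN keeps every
! other VLAN on this switch off the ISP wire.
! interface GigabitEthernet1/0/1
!  description ISP hand-off (802.1Q tagged)
!  switchport mode trunk
!  switchport trunk allowed vlan <isp-vlan>
!  switchport trunk native vlan 999      ! unused VLAN, never the service VLAN
!  switchport nonegotiate
!
! --- Checks ---
! show vlan brief                        ! Gi1/0/1-24 all listed under VLAN 10
! show interfaces Gi1/0/1 switchport     ! Operational Mode: static access (or trunk)
! show spanning-tree inconsistentports   ! must be empty; a "Port Type Inconsistent"
!                                        ! entry means tagged BPDUs are arriving on
!                                        ! an access port, i.e. the two ends disagree
! show interfaces status                 ! connected, not err-disabled
```

The last check is the one to run first when a port stays amber: an access port that receives 802.1Q-tagged BPDUs from the far end is blocked by PVST+ as "inconsistent port type", and the link light will look wrong even though "show interfaces" reports the port as up.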

Hi,

What they are providing me in this scenario: they provided me, say, 192.168.0.1/28 with 16 IPs, so 192.168.0.0, .1 and .15 are used as the network, gateway and broadcast IDs. Now they are using 192.168.0.2 as the IP of a switch they provided, and so made the 12 remaining IPs available to get out from one of its ports in static mode. So, now when I connect that single port directly to a PC and assign one of those 12 IPs to my machine statically, the internet works. Now what I did is connect the output port to a non-configurable layer 2 D-Link switch, so now if I connect my PC to the other ports the internet still works.

Now I connected that same out port from the ISP switch to one of the ports on my Cisco 3650, which is on the default VLAN 1 as configured by default, so when I connect my PC to any other port with a static IP on my PC the internet does not work, as the state of the in port on the Cisco 3650 connected from the ISP switch does not go up, i.e. it does not go green. So the internet does not work on my PC.

So now I tried putting the in port into trunk mode, so the state went up, but the internet was still not working on the PC.

So, please let me know the exact commands for configuring the Cisco 3650 switch so it will act the same as that layer 2 switch. :|

Can you post the config of this switch so we have something to work with, so I know what ports are set to what.

 

"id does not goes green"

 

Does it go to a different color, meaning.. What are the lights on the port doing?

 

Seeing your config would be most helpful.. Do a show run on the switch and post that up or PM it to me.

I am curious too as to what in the world you are doing. You should have a firewall doing that, or multiple firewalls attached to a switch. While a layer 3 switch could do it, it just doesn't have what is needed to secure the environment as a firewall would.

Hi,

this is the show run content:

 

Current configuration : 4127 bytes
!
! Last configuration change at 04:42:53 UTC Fri Oct 28
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
switch 1 provision ws-c3650-24ts
!
ip device tracking
!
!
!
       quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
  match non-client-nrt
!
policy-map port_child_policy
 class non-client-nrt-class
    bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport mode access
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
 no ip address
 shutdown
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
ap group default-group
end

So it looks like your 4 ports there would be in VLAN 1; any of those ports should work.

 

Looks like you have VLAN 1 shut down, but that should only be for the SVI, which you have none set up anyway.

 

interface Vlan1
 no ip address
 shutdown

 

You not getting a light on the port is what interface? Your 4 ports are just like any dumb switch.. Connecting things to those ports would put them all in the same layer 2. So if a device is on port 1 and another device is on port 2 they would be able to talk to each other. You not getting a light on the port points to a bad cable, bad port, or bad NIC on the device. So you get NO lights? What happens with the lights. What does the device connected to it say. Does it say it's up at 100M, Gig, 10Mbit, what? What exactly do the lights on the interface say.

 

Now you do not have portfast on - so ports could take a bit to come up, sure.

 

When connecting port 1 to port 4, one ISP cable for in and the other for out to the PC, even then the internet does not work. BUT IT WORKS IN THE NON-MANAGEABLE DLINK layer 2 switch. Normally, if the light is orange it is: "port in error disable, spanning-tree negotiation, trunk to access port mismatch or switch may have a faulty port. Port is shutdown." - any of these, and flashing green shows the port is working fine. So the light goes solid orange when connected to the ISP cable on any port presently, while the one connected to the PC turns green. And also the conf t shows the port with the orange light still up.

I tried putting the port in trunk mode and the light on the port went green, but still no internet on the PC :|

2 questions: why hasn't this switch been defaulted... and why do you have the switch in a controller mode when you probably don't have a second switch to manage?

 

Here is the config that you should use.

At an enable prompt:

conf t
int vlan 2
 description vlan for everything
exit
int range gi1/0/1-24
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
exit
exit
wr

Your stuff will work now, regardless of what port you plug it into.

VLAN 1 is shut down... leave it shut down.

 

 

 

At an enable prompt, if he ran the following it would show you if it were shut down or not.

sh int vlan1

For what it is worth, on all of my switches VLAN 1 is shut down just like his. No comm is going to happen on that VLAN. Administratively down and line protocol down = not going to work, no matter how hard you want it to. I don't know what you mean by being shut down doesn't mean it is shut down... but shutdown means no comm, so not sure exactly what you mean by that. But if you mean shutdown /= deleted or removed, you are correct: it isn't deleted or removed, and the default VLAN is still VLAN 1 even though it is in a shutdown state.

 

#sh int vlan 1
Vlan1 is administratively down, line protocol is down
  Hardware is EtherSVI, address is 64e9.50e8.c540 (bia 64e9.50e8.c540)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out


VLAN 1 would have to be in an up state to function, correct? Line protocol would also have to be in an up state to be able to pass traffic, correct? That has been my experience anyway.

 

That is the SVI interface, not layer 2. I am like 98% sure that just shutting down VLAN 1 only shuts down layer 3, i.e. the SVI. It will still pass layer 2. This is why you move all ports out of VLAN 1 if you're not going to use VLAN 1, and change the management VLAN from the default 1.

 

Simple enough to validate. Let me console into my switch and shut VLAN 1, and see if interfaces in VLAN 1 still pass traffic.

let me know how that works out for you.

 

Layer 2 doesn't route, so this should be a layer 2 function, so administratively down should be a layer 2 function (I believe)... line protocol is a layer 1 function if I am not mistaken (physical link or association to a physical port).

I will check. But from security practice you don't just shut down VLAN 1; you move all ports out of it and make sure you change the management VLAN.. Trying to change the headlight in my car currently, so I'll have to play with this after. Freaking hood is stuck.. arrghhh.

Well, I don't use the management port to manage my switches even though I have a management VLAN. It is all virtual; VLAN 1 is the default VLAN... but everything is defined, and there is no port that is part of that VLAN.

 

I do have a test switch on my desk I could play with and see if they pass between those ports. I have a couple of Flukes that I could IP real quick and dirty to see if they will ping or do anything to each other. Take me about 15 min to set up.

Ok, VLAN 1 is the default VLAN by default.

Anything you plug in, unless you specify otherwise, will be on VLAN 1. If you use VLAN 1 for anything and you plug in a device you don't want, or that shouldn't have access to that VLAN, you have just put a desktop on the server VLAN or the switch management VLAN or whatever. You have given that device access to something it shouldn't touch.

It is a security thing.

Tried this conf:

conf t
int vlan 2
 description vlan for everything
exit
int range gi1/0/1-24
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
exit
exit
wr

It shows this message when running spanning-tree portfast:

%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast will be configured in 24 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
Switch(config-if-range)#
*Nov 1 11:28:25.796: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/1 on VLAN0002. Port consistency restored.
*Nov 1 11:28:26.131: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk GigabitEthernet1/0/1 VLAN2.
*Nov 1 11:28:26.132: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking GigabitEthernet1/0/1 on VLAN0002. Inconsistent port type.

GigabitEthernet1/0/1 is the port connected to the ISP switch.

 

 

 

 

 

Yeah, I was pretty sure shutting VLAN 1 doesn't really do anything at layer 2. Which is why you are supposed to move all the ports out of it, etc. And change your management, etc. etc..

Thanks for the validation.. Got the headlight replaced, but then it was time to head down to go trick-or-treating with my grandkids.. Now I have to get on a plane in a few hours; freaking travel for work has been killing me lately..

Keep in mind if you are talking about a home network, there really is little reason to do this.. It's just common practice in production work/commercial networks to move everything out of VLAN 1 so there are no mistakes and something gets on a network it's not supposed to, etc. But I use VLAN 1 here at my house; it is my normal LAN network. While I do have multiple other VLANs, I just didn't really see the need to remove VLAN 1 from use. Now I do keep meaning to get around to doing it.. But I am not worried about someone plugging into the wrong port here and being on the wrong network ;)

edit: yeah, the portfast warning is normal... You've got something wrong on gi1/0/1.. What is this connected into?? A modem, another switch.. What did your ISP tell you this port should be configured as? Did you set it as trunk? What does the config look like? Move your ISP port to another port.. Didn't you say you changed a port to trunk? If what you're connected to is not trunk then yeah, you're going to get such errors. Or if they are both trunk and one side is doing 802.1Q and the other is doing ISL, etc..
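The "move everything out of VLAN 1 and put management somewhere else" practice from the last few posts, written out as an added example rather than anything a poster supplied. It starts from the config posted earlier in the thread (a 3650 with only Gi1/0/1-4 in use, ip http server on, no service password-encryption, VTY lines with "login" but no password, and an idle Gi0/0 in Mgmt-vrf). VLAN 20/99/999, the 10.99.0.0/24 addresses, the domain name and the username are made up for illustration; <strong-secret> stands for a real credential.

```cisco
! Added example, not from the thread. Assumed: VLAN 20 is the only data VLAN,
! used on Gi1/0/1-4; VLAN 99 is management; VLAN 999 is a dead-end "parking"
! VLAN. 10.99.0.0/24, example.internal and "admin" are placeholders.
conf t
!
! 1. VLAN 1 stays configured (it cannot be deleted) but nothing lives in it:
!    no SVI, no ports, and not the native VLAN of any trunk.
interface Vlan1
 no ip address
 shutdown
!
vlan 20
 name DATA
vlan 99
 name MGMT
vlan 999
 name PARKING
!
! 2. In-use ports in their own VLAN. Host ports only: PortFast + BPDU Guard.
interface range GigabitEthernet1/0/1 - 4
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3. Every unused port parked and shut. Someone plugging into a spare port gets
!    a dead VLAN, not VLAN 1 and not whatever VLAN 1 happens to carry.
interface range GigabitEthernet1/0/5 - 24 , GigabitEthernet1/1/1 - 4
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! 4. Management on its own VLAN, or on the out-of-band Gi0/0 port the posted
!    config already has in Mgmt-vrf. Pick one; the in-band SVI is shown live,
!    the out-of-band alternative is commented.
interface Vlan99
 description management
 ip address 10.99.0.2 255.255.255.0
 no shutdown
ip default-gateway 10.99.0.1
! interface GigabitEthernet0/0
!  vrf forwarding Mgmt-vrf
!  ip address 10.99.0.2 255.255.255.0
! ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.99.0.1
!
! 5. Close what the posted config leaves open: HTTP(S) server on, clear-text
!    passwords, VTY lines that ask for a password none is set for.
no ip http server
no ip http secure-server
service password-encryption
enable secret <strong-secret>
username admin privilege 15 secret <strong-secret>
ip domain-name example.internal
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
!
! 6. If a trunk is ever added, its native VLAN must not be 1 either: untagged
!    frames would land in VLAN 1 and invite the classic double-tag hop.
! interface GigabitEthernet1/0/24
!  switchport mode trunk
!  switchport trunk native vlan 999
!  switchport trunk allowed vlan 20,99
!  switchport nonegotiate
end
write memory
!
! Checks: "show vlan brief" should list no ports under VLAN 1; "show ip ssh"
! should report SSH Enabled - version 2.0; "show interfaces trunk" should show
! native VLAN 999 on every trunk; "show interfaces status" should show the
! parked ports as disabled.
```

The order matters in one place: "crypto key generate rsa" needs a hostname other than the default and "ip domain-name" set first, and "transport input ssh" should only go on the VTY lines once "show ip ssh" confirms SSH is enabled, otherwise the only remaining way in is the console.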

With the following config:

conf t
int vlan 2
 description vlan for everything
exit
int range gi1/0/1-24
 switchport mode access
 switchport access vlan 2
exit
exit
wr

I am able to ping the gateway IP but not able to access the internet.

This topic is now closed to further replies.