Help me figure out this vlan config?

Microsoft Windows server 2008 standard
February 3, 2010 at 07:52:52
Specs: Windows XP
Okay, as of the first of the year, I've taken over
IT operations at this small office. They
cancelled an IT contract that they've had for
several years, so not much help from them.

Here's the basic setup: Small office
environment, about 20 PCs and a bunch of
network printers. Domain controller, Exchange
server, backup DC, web filter. All of that is
working just fine. All connected with Cisco
2960s, all configured for vlan 102.

They also have this big computer lab they use
for trainings. The lab is on its own domain, has
its own DC. When I first fired up the DC (it had
been powered off for some time), it took over
DHCP and started assigning 192.168.101
addresses, which didn't work in the 102 vlan.
So I reassigned that DC's port to vlan 101. I
fired up one of the lab computers and was able
to log in just fine. But the lab computers can't
see the internet.

As far as I can see, there is no routing being
done between vlans, which I'm guessing is
why they can't get out. The main DC (on vlan
102) has its NIC configured with IPs in both
ranges, but of course, its port is set to vlan

Do you think the DC may be configured to
route between vlans? What happens if I
change its port to a trunk?

Also, the switches are configured strangely.
For each port, it's:

switchport access vlan 102
switchport trunk native vlan 102
and that's it.


February 3, 2010 at 08:13:08
No need for vlan routing. You would just assign both vlans to the port connecting to the internet.

Your issue is gateway ip. You have to have a router that converts your training room ip to that of the internet gateway ip.

Student lab on internet? Not a good plan.


February 3, 2010 at 09:12:51
Hey, wanderer. You must be a pretty prolific guy on these
forums. Or maybe your area of expertise is just where mine
lacks. =)

Anyway, what's with people continually telling me to disable
web access to machines? Most big software packages these
days have either moved to the web, have a web version, or
have one forthcoming. How can you use or train on these on
machines with no web access? How are people supposed to
do research? Surely you're not telling people to use the
library's 1984 edition of World Book? Disabling web access is
just really not a feasible solution in most cases.

So I have to assign both vlans to the port??? You can assign
multiple vlans to a port?


February 3, 2010 at 10:44:26
Anyway, what's with people continually telling me to disable web access to machines?

Most important are security related issues. Viruses, worms, trojans etc on your network. However, if you're using Deep Freeze for the OS on the lab computers, or something like it, it's a moot issue as once you reboot, any changes made since boot up are gone.

Then there's the time wasted issue. Instead of paying attention or doing their course work, they'll be on facebook wasting time surfing unrelated things.

Those are the reasons, since you asked. If however, it's integral that you have internet access, I highly recommend something like Deep Freeze on the lab computers.

So I have to assign both vlans to the port??? You can assign multiple vlans to a port?

Since the two VLANs are on different subnets, you will still need a router to route between the two networks to allow internet access to the lab.

For instance, if your gateway is: any/all traffic coming from the 101 network will not get out until it has a route.

Yes, you can assign multiple VLANs to a single port. This is normally only done in the case of trunk ports, and I have some trunks that have up to 20 different VLANs on them. We however have a large environment and many VLANs/subnets.

Essentially, this port of yours is a trunk port since it's the trunk between your switch and your gateway.


February 3, 2010 at 11:43:27
I take it you haven't worked with students before :-) They are a bunch of sneaking devils, as you will learn. You will be getting a crash course on internal security.


February 4, 2010 at 07:27:34
Actually, I've worked in IT in education for seven years. I'm
intimately familiar with Deep Freeze. =) But this lab isn't for
students, it's for staff trainings and things.


February 4, 2010 at 08:01:38
Put in a gateway router and you should be just fine bringing internet into the training room.


February 4, 2010 at 08:13:45
But this lab isn't for students, it's for staff trainings and things.

Regardless, I would still use Deep Freeze or one of the other products that does the same job. Staff are as bad as students for messing around and wasting me I know. We have our own in-house training facility for staff and we keep all the desktops in there locked down tight.


February 4, 2010 at 09:01:33
Surely I can make this work without purchasing hardware, right?


February 4, 2010 at 09:10:55
Only if you put the lab in the same subnet/gateway as the rest.

You would not want that lab server doing DHCP.


February 4, 2010 at 10:15:48
But it was working at some point in the past, and I'm pretty sure
no hardware has gone missing in the interim.


February 4, 2010 at 10:28:19
You have to have something between two separate subnets that is capable of routing or the two can never communicate with each other.

If you have a layer 3 managed switch which is also VLAN capable then it could do the routing for you.

Is your switch an L3 switch and do you have it configured to do the routing between subnets?


February 4, 2010 at 13:18:45
No, they're 2960 switches. These are not L3, correct? I realize
there has to be routing done. I was trying to figure out how it was
being done before, with no router or L3 switch, and I was thinking
it may be the DC. But hell, maybe there used to be another
router or L3 switch I'm not aware of. I'll play with it some more
and see what I can come up with.


February 4, 2010 at 16:43:42
If the DC has no RRAS/ICS installed, it was never the router.


February 8, 2010 at 22:27:48
To jump into your conversation, are you sure that there is no router used to connect to the internet? Maybe a Cisco 1841 router or something? If you do have such a router which connects back to the 2960 switch, then you can configure the router interface with subinterfaces which will be tagged with the VLAN IDs, 101 and 102. This will enable you to route between your 2 VLANs.

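The router-on-a-stick setup described in the reply above, written out as an added example that is not part of this thread: the 2960 port facing the router becomes a trunk carrying 101 and 102 (with 102 native, matching the existing switch config), the router gets one tagged subinterface per VLAN, and an access list lets the lab VLAN reach the internet without reaching the office subnet. Interface names, the .1 gateway addresses and the ISP next-hop 192.0.2.1 are assumptions.

```cisco
! --- 2960 switch: port toward the router (assumed Gi0/1) ---
interface GigabitEthernet0/1
 description uplink to router-on-a-stick
 switchport mode trunk
 switchport trunk native vlan 102
 switchport trunk allowed vlan 101,102
!
! --- router: one physical interface, one subinterface per VLAN ---
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.101
 description lab VLAN (tagged)
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
 ip access-group LAB-OUT in
!
interface FastEthernet0/0.102
 description office VLAN (native on the trunk, so untagged)
 encapsulation dot1Q 102 native
 ip address 192.168.102.1 255.255.255.0
!
! Lab hosts may talk to their gateway and to the internet,
! but not to the office subnet (DC, Exchange, printers).
ip access-list extended LAB-OUT
 permit ip 192.168.101.0 0.0.0.255 host 192.168.101.1
 deny   ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
!
! Default route to the ISP router (assumed address 192.0.2.1)
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

Lab machines keep 192.168.101.1 as their default gateway (handed out by the lab DC's DHCP), and "show interfaces trunk" on the 2960 should list both VLANs on Gi0/1 once this is in place.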

February 9, 2010 at 08:37:27
Thanks for all the replies, guys. I figured it out, and I feel kinda
silly. Routing was being done by the ASA 5505. That thought
crossed my mind, but I couldn't log into it remotely and I never
got around to lugging a laptop to it. Finally did and saw that
port 2 was configured for vlan 101, connected that port to a
101 port on the switch and voila!

Like I said, wish I had tried that sooner. But setting up this lab
has not been at the forefront of my mind.

As for router, yes, there's a 1700 series router, but it's
provided by the ISP and I have no access to it.
