Hi,

im playing around with a WS-C2950-24 running IOS 12.1(22)EA13

i would like to separate guest clients from domain clients on the network (for a start) so that guest clients only get access to internet and i have created three vlans for this purpose. Vlan 10 - internet, vlan 20 - internal, vlan 40 - guest. I have also set up a trunk link on the internal network.

since the 2950 does not offer routing capabilities i assume i need to to the routing between these networks on another box. I am planing to do this on a linux machine. I have set up the same vlans on the linux box.

my question is how do i configure the cisco correctly so i can reach all the networks on the linux box. The cable that runs between the cisco and the linux box is connected to vlan 20 - internal and is defined as a trunk port allowing all vlans ( switchport trunk allowed vlan all ) with vlan 20 as native.

it looks like only vlan 20 is using the cable that reaches the linux machine does anyone have any tips or see anything wrong in my setup?

2950 ----- unmanaged switch (not replaced yet) ---servers

subinterfaces on the linux server nic connecting to the switch?

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

the linux server has one interface the ip on this interface is in the VLAN20 range... ive also added a subinterface and configured with vconfig for vlan 40 but i am not able to reach any machines on vlan 40. I can reach everything in vlan20.

linux won't route until you tell it to do so

_________________
www.mellowd.co.uk/ccie/

So it seems you do not need help with your 2900 series switch rather you need help with Linux config. I am not a Linux guru.

You are not going to be able to intervlan route on your 2950 unforuntely which you can most assuredly do on a 2960 with SDM Routing activated. You can have 8 static SVI based routes.

You are definitely going to have to setup a l3 device to get all your VLAN's out to the Internet. You can use vlan ACL's to block traffic between VLANs when you get to that point. Effectively making a guest network segregated from your trusted VLANs. However I would much rather have a firewall do the guest network segregation, i.e. ASA, Juniper, IOS Zone, etc... than simple ACL's which a really good hackmaster will break past in seconds.

_________________
Awesomesauce!!!!

tango, read the last few posts again...

The OP has already said that he knows the 2950 doesn't do routing and therefore he is wanting to do a 'router on a stick' kind of setup using the Linux box as the router.

_________________
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera

You say you did a "switchport trunk allowed vlan all", but did you actually put it in trunk mode (switchport mode trunk)?

Sounds like you're still in access mode in vlan 20.

Sorry missed that haha. I do not know how to do that in Linux. God luck OP!

_________________
Awesomesauce!!!!

Conf t
interface fa0/0 - or whatever it is
switchport trunk encapsulation dot1q
switchport native vlan -- whatever you want or dont use it all and it will default to 1
switchport trunk allowed all --- or switchport trunk allowed vlan 20,30,40,1050 -- etc...
switchport mode trunk
no shut
end
wr

Check your "show run interface fa0/0: --- or whatever your interface is and see if the settings are comparible.

Atleast that will help you get your trunk working on your switch.

the syntax might be different on the 2950. Havent worked with one in a loooong time. Been doing all my work on 2960 and 3700 series etc... newer stuff.

_________________
Awesomesauce!!!!

I've never actually used linux as a router yet, but it looks like this post describes pretty much exactly what you're trying to do:

http://inmynet.wordpress.com/2011/10/27 ... ntu-linux/


I would not set the native vlan to 20 for the linux box. Make it a normal trunk and tag all vlans

_________________
www.mellowd.co.uk/ccie/