Look at this L3 config of VLAN interfaces?

itdaddy Member Posts: 2,089
You guys see where it says interface vlan### and then shutdown?
Question: this is a layer 3 switch used as a gateway and LAN switch,
but I guess my question is, if someone created VLANs, is this one way to create a VLAN,
by using VLAN interfaces and then shutting them down? Because the shut-down VLANs
are actually used on our network, but why would someone create all these VLAN interfaces and then shut them down? Is that a way to create VLANs, vs. the other normal way?
(This is code from our L3 gateway, but the IPs have been changed to bogus IPs; the meaning is still here.) Thanks guys...
interface Vlan141
 description FourthAveData2
 ip address 192.168.61.1 255.255.255.0
!
interface Vlan151
 description FourthAveVPNClients - no ip address - shutdown
 no ip address
 shutdown
!
interface Vlan231
 description FourthAveCore1Firewall1InternetP2P
 ip address 192.168.231.1 255.255.255.252
!
interface Vlan232
 description FourthAveCore1Gateway1P2P
 ip address 192.168.231.5 255.255.255.252
!
interface Vlan233
 description FourthAveFirewall1FRBGatewayP2P - no ip address - shutdown
 no ip address
 shutdown
!
interface Vlan234
 description FourthAveFirewall1ORCCGatewayP2P - no ip address - shutdown
 no ip address
 shutdown
!
interface Vlan235
 description FourthAveFirewall1DebitATMGatewayP2P - no ip address - shutdown
 no ip address
 shutdown
!
interface Vlan236
 description FourthAveCore1Firewall1PrivateP2P
 ip address 192.168.231.33 255.255.255.252
!
interface Vlan237
 description FourthAveFirewall1VPNGateway1P2P - no ip address - shutdown
 no ip address
 shutdown
!
interface Vlan238
 description FourthAveFirewall1CavionGatewayP2P - no ip address - shutdown
 no ip address
 shutdown
!
interface Vlan239
 description FourthAveFirewallELANGatewayP2P
 ip address 192.168.239.1 255.255.255.0
!
interface Vlan900
 description FourthAveDMZ  ***** Do not activate this interface - outside access *****
 no ip address
 shutdown
!
interface Vlan950
 description WebSenseMonitor - no ip address - shutdown
 no ip address
 shutdown


Comments

  • pham0329 Member Posts: 556
    Not sure if I understood your question, but creating a VLAN interface does not create the VLAN.
  • itdaddy Member Posts: 2,089
    Thanks pham0329.
    That is what I thought, but why are there so many interface VLANs created and then shut down? What kind of method is that? Unless he created them and was then going to use them as gateways, and then didn't want to (changed his mind) and didn't remove them, because it is a bugger to remove them from what is it, the vlan.dat file? You think? We just have so many interface VLANs everywhere, and then he shuts them down. I wasn't sure if this was some CCNP method of creating VLANs in exchange for the normal method we all use... Thanks bud, that was the question I had.
  • shodown Member Posts: 2,271
    In my designs I usually create server farms, DMZ, PC, and possibly 2 others. I like to have them in my design in case they are needed.
  • Forsaken_GA Member Posts: 4,024
    itdaddy wrote: »
    Thanks pham0329.
    That is what I thought, but why are there so many interface VLANs created and then shut down? What kind of method is that? Unless he created them and was then going to use them as gateways, and then didn't want to (changed his mind) and didn't remove them, because it is a bugger to remove them from what is it, the vlan.dat file? You think? We just have so many interface VLANs everywhere, and then he shuts them down. I wasn't sure if this was some CCNP method of creating VLANs in exchange for the normal method we all use... Thanks bud, that was the question I had.

    If I had to guess, he did that so he could add the description field. It would allow him to get information about what each VLAN is for when he issues show interface description.

    Pretty good idea. I've never thought of actually setting up no shut VLAN interfaces to do that before, but I think I will now.
  • vinbuck Member Posts: 785
    Just curious, what kind of hardware is this? Kind of a shot in the dark, but I've seen some switches that will allow you to create multiple interface VLANs but only one can be active at a time, which keeps the others shut down. Can't remember what kind of switch it was though.
  • pham0329 Member Posts: 556
    Just curious, what kind of hardware is this? Kind of a shot in the dark, but I've seen some switches that will allow you to create multiple interface VLANs but only one can be active at a time, which keeps the others shut down. Can't remember what kind of switch it was though.

    You're referring to an L2 switch. On an L2 switch, you can create multiple VLAN interfaces, but when you try to activate the 2nd one, the first one will shut down.
  • itdaddy Member Posts: 2,089
    Could be, yep, could be for notes like you said. I see a lot, but it is an L3 3560 core switch.
    It is used as a gateway for many things, but I guess I have to get used to configs that may not do anything but
    be used for notes. Thanks guys.
  • DPG Member Posts: 780
    pham0329 wrote: »
    Not sure if I understood your question, but creating a vlan interface does not create the vlan.

    Actually, creating a VLAN interface will create the VLAN if it doesn't already exist.
  • pham0329 Member Posts: 556
    Not from what I've seen... what IOS are you using?
  • ColbyG Member Posts: 1,264
    DPG wrote: »
    Actually, creating a VLAN interface will create the VLAN if it doesn't already exist.

    No it won't. Adding a port to a non-existent VLAN will typically create the VLAN (depending on OS and platform).
  • DPG Member Posts: 780
    ColbyG wrote: »
    No it won't. Adding a port to a non-existent VLAN will typically create the VLAN (depending on OS and platform).

    Whoops, that is what I meant.
  • *BB* Member Posts: 95
    pham0329 wrote: »
    You're referring to an L2 switch. On an L2 switch, you can create multiple VLAN interfaces, but when you try to activate the 2nd one, the first one will shut down.

    I will disagree to an extent. My older 2950s will only allow a single VLAN to be up at any one time, but the 3750s I use at work are predominantly L2 and all have multiple VLANs active and in an up/up state.
  • Forsaken_GA Member Posts: 4,024
    *BB* wrote: »
    I will disagree to an extent. My older 2950s will only allow a single VLAN to be up at any one time, but the 3750s I use at work are predominantly L2 and all have multiple VLANs active and in an up/up state.

    3750s are layer 3 switches. Whether or not you use them as such is up to you, of course, but I don't believe there's such a thing as a 3750 that can't do layer 3, as layer 3 capability is a requirement in Cisco land for having multiple SVIs active.
  • pham0329 Member Posts: 556
    Mmm... aren't 3750s L3 switches?

    Edit: Looks like Forsaken beat me to it.
  • *BB* Member Posts: 95
    My bad, you guys are right. I read it in the wrong context.
  • ColbyG Member Posts: 1,264
    as layer 3 capability is a requirement in Cisco land for having multiple SVIs active.

    Not exactly true. The 2960s (before they could route) supported multiple active SVIs. I believe even the LANBase versions, which cannot route, support it. An odd feature, but it's there.
  • cisco_trooper Member Posts: 1,441
    itdaddy wrote: »
    You guys see where it says interface vlan### and then shutdown?
    Question: this is a layer 3 switch used as a gateway and LAN switch,
    but I guess my question is, if someone created VLANs, is this one way to create a VLAN,
    by using VLAN interfaces and then shutting them down? Because the shut-down VLANs
    are actually used on our network, but why would someone create all these VLAN interfaces and then shut them down? Is that a way to create VLANs, vs. the other normal way?
    (This is code from our L3 gateway, but the IPs have been changed to bogus IPs; the meaning is still here.) Thanks guys...

    The previous admin of the switches may have created these just for the sake of figuring out which interface is which in NetFlow exports. In some platforms you can export layer 3 stats that cross the SVIs, but you can also export L2 stats for traffic that stays within the VLAN. Those exports can be hard to line up if you don't have interfaces labeled. Just a guess, and I don't know if that applies to the 3560 as I don't actually have a 3560.
  • cisco_trooper Member Posts: 1,441
    They could also be leftovers from legacy configurations that were not completely cleaned up. The IP address was removed and the SVI shut, but the SVI was never removed. Always a possibility, as some people have a greater degree of OCD than others. Personally, this would drive me insane if it did not have a purpose.
  • Forsaken_GA Member Posts: 4,024
    They could also be leftovers from legacy configurations that were not completely cleaned up. The IP address was removed and the SVI shut, but the SVI was never removed. Always a possibility, as some people have a greater degree of OCD than others. Personally, this would drive me insane if it did not have a purpose.

    It's much more likely that it's there for reference. I do the same thing with my interface configurations; stopping what I'm doing to go reference documentation when I can just look at the router's configuration is much more efficient. I normally only tend to do that kind of thing on layer 3 interfaces, though. It had never occurred to me to stand up SVIs which are shut down just so I can use the description field to label the VLAN (the VLAN description field in the vlan commands is somewhat limited), but in retrospect, it seems obvious, and I'm kind of kicking myself for not thinking of it on my own.

    What makes me draw this conclusion is the description on the DMZ interface. It specifically says never to bring this interface up, which tells me that the interface exists for a reason and is never intended to be activated, and from there I can infer that the other shut-down SVIs are serving the same purpose.
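    A way to check a config like this mechanically, as an added example that is not the poster's code or anything from Cisco: the Python below parses running-config text into SVI records and buckets them. It covers two points made in this thread: Forsaken_GA's reading that the shut SVIs are labels (shut, no IP address, description only), and the ColbyG/DPG point that it is `switchport access vlan N` on a port, not `interface VlanN`, that brings a VLAN into existence, so the script also lists VLANs that access ports reference without a top-level `vlan N` entry. SAMPLE_CONFIG is a constructed sample trimmed from the redacted snippet in the original post, plus one constructed access port and one constructed `vlan 500` entry; the bucket names and the `Svi` record are my own.

```python
"""Audit 'interface VlanN' stanzas in a Cisco IOS-style running-config.

Added example, not the poster's or Cisco's code. SAMPLE_CONFIG is a
constructed sample loosely modelled on the thread's redacted snippet.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
vlan 141
 name FourthAveData2
!
vlan 500
 name constructed-declared-but-no-svi
!
vlan 900
 name FourthAveDMZ
!
interface GigabitEthernet0/1
 description constructed: access port in a VLAN with no 'vlan 260' entry
 switchport access vlan 260
!
interface Vlan141
 description FourthAveData2
 ip address 192.168.61.1 255.255.255.0
!
interface Vlan151
 description FourthAveVPNClients - no ip address - shutdown
 no ip address
 shutdown
!
interface Vlan900
 description FourthAveDMZ  ***** Do not activate this interface - outside access *****
 no ip address
 shutdown
"""


@dataclass
class Svi:
    vlan: int
    description: str = ""
    ip: Optional[str] = None
    shutdown: bool = False   # running-config shows 'shutdown' only when it is set


def parse_config(text: str):
    """Return (svis, vlan_db, access_vlans): SVI stanzas keyed by VLAN id,
    ids declared with a top-level 'vlan N', and ids referenced by access ports."""
    svis, vlan_db, access_vlans = {}, set(), set()
    cur: Optional[Svi] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):              # top-level line: stanza boundary
            cur = None
            if m := re.fullmatch(r"interface Vlan(\d+)", line):
                cur = Svi(int(m.group(1)))
                svis[cur.vlan] = cur
            elif m := re.fullmatch(r"vlan (\d+)", line):
                vlan_db.add(int(m.group(1)))
            continue
        stmt = line.strip()
        if m := re.fullmatch(r"switchport access vlan (\d+)", stmt):
            access_vlans.add(int(m.group(1)))     # any port stanza, SVI or not
        if cur is None:
            continue
        if stmt.startswith("description "):
            cur.description = stmt[len("description "):]
        elif stmt.startswith("ip address "):
            cur.ip = stmt[len("ip address "):]
        elif stmt == "no ip address":
            cur.ip = None
        elif stmt == "shutdown":
            cur.shutdown = True
        elif stmt == "no shutdown":
            cur.shutdown = False
    return svis, vlan_db, access_vlans


def classify(svis, vlan_db, access_vlans):
    """Bucket SVIs the way a reviewer of this config would want them listed."""
    report = {"gateways": [], "placeholders": [], "do_not_activate": []}
    for vid, s in sorted(svis.items()):
        if s.shutdown and s.ip is None:
            report["placeholders"].append(vid)    # label-only SVI; VLAN may still be live at L2
        elif not s.shutdown and s.ip is not None:
            report["gateways"].append(vid)        # this switch routes for that VLAN
        if "do not activate" in s.description.lower():
            report["do_not_activate"].append(vid)
    report["vlans_without_svi"] = sorted(vlan_db - set(svis))
    report["undeclared_access_vlans"] = sorted(access_vlans - vlan_db)
    return report


if __name__ == "__main__":
    for bucket, ids in classify(*parse_config(SAMPLE_CONFIG)).items():
        print(f"{bucket:24s} {ids}")
```

    The buckets worth alerting on in a config diff are `placeholders` and `do_not_activate` together. Shutting an SVI only removes this switch as a router for that VLAN; it does nothing to the VLAN itself, which (as itdaddy notes further down, everything is trunked) still carries traffic across the core at layer 2. A single `no shutdown` plus an `ip address` on Vlan900 would make the core switch a layer 3 path between the DMZ and the inside VLANs that does not pass through the ASA, which is the risk the "outside access" warning in that description points at.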
  • Panzer919 Member Posts: 462
    Just curious, what kind of hardware is this? Kind of a shot in the dark, but I've seen some switches that will allow you to create multiple interface VLANs but only one can be active at a time, which keeps the others shut down. Can't remember what kind of switch it was though.

    Cisco 2950 was the model
  • itdaddy Member Posts: 2,089
    Finally, I think I figured it out. These are old configs and I think he used them as notes. Everything is trunked together. We have a gateway to the ISP with bridging done for public internet to the firewall, an L3 core switch, and an ASA 5510 with 2 contexts, Internet and Private. The Private context is specifically used for VLAN interfaces called P2P gateways,
    and he allows on the DMZ the IPSEC tunnel to the public side of the VPN device, like permit esp, gre, etc., so the VPN tunnel can work. Then with the LAN side gateways he uses the Private context and creates ACL rules and gateway interfaces on the return, with ip route commands for return traffic. Kind of crazy, but I think I finally got it. I initially thought he had the IPSEC tunnels going through the firewall, but I was initially wrong. He does terminate them at the DMZ/outside interface and uses ACLs to permit IPSEC to the public side of the VPN interface, and creates P2P gateways to the LAN side of the VPN devices to further restrict what they can actually do if need be. I have had numerous CCVP and Cisco types look at it, and it has taken much study to see the flow... but very cool nonetheless.