Cisco Router/Switch Configuration Trouble

shinnemanc

Prominent
Nov 23, 2017
17
0
510
Hi guys,

I am new to Cisco. I took a few Cisco Classes, but for the most part, they went over my head. I am more of a Server guy.

Anyways, I have a Cisco Router and two Cisco Switches. I am needing help configuring them correctly. I have tried to configure Inter-Vlan Routing, Router-On-A-Stick, and a few other things to help split my network up and boost performance. Both of my switches are Layer 2/3 capable, however, I have no clue how to use Layer 3 or if that will help boost performance of my Network.

Now, I cannot figure out HOW to attach a darn photo to this, but I can at least copy and paste the document that describes my network (or how I want it to be). I just need help programming the devices because I have been fighting this for a month and a half and whenever I get one thing working, another thing fails, I get that working and something else fails. I do not know what is going on. I just cannot get this to work properly.

So, I would greatly appreciate any and all help with the Configuration of the Router and Switches so I can get this scheme set up and secured.

Thanks guys and gals!


Here is the Network Design/Details as copied from the document:

NETWORK DESIGN

Cisco 2911 Gigabit Router
Cisco WS-3750E Gigabit Layer 2/3 Switch (S1)
Cisco ws-c3560 8-port Layer 2/3 Switch (S2)
Cisco WAP371 Access Point

IP Range 10.0.0.1-10.0.0.4 are reserved for Router and Switches/WAP (Network Hardware)
IP Range 10.0.0.5-10.0.0.20 are reserved for Static Device Assignment
IP Range 10.0.0.100-10.0.0.135 are DHCP Address available to all devices that are DHCP

Cable Modem: DHCP IP Assigned by Comcast
Router (R1): IP 10.0.0.1 on G0/1 Port
G0/0 set to DHCP from Cable Modem
Switch (S1): IP 10.0.0.2 Port 23 to R1 G0/1
Switch (S2): IP 10.0.0.3 Port 21 to S2 G0/1
WAP (WAP1): IP 10.0.0.4 S1 Port 22 to WAP G0/0


VLAN1 (Admin)
Aramis Server: Static IP 10.0.0.5 (S1 port 1)
Elisia Server: Static IP 10.0.0.6 (S1 Port 2)
Arwin-Laptop: Static IP 10.0.0.10 (S1 Port 12)
S1 Ports 20-24 are all Network Devices such as switches, router connection, WAP Connection, Etc.
Sapphira-Laptop: DHCP IP (Wireless VLAN1 connection to WIFI SSID Admin)

VLAN2 (Entertainment)
S1 Ports 13-15 are Entertainment DHCP Devices
S2 Ports 1-3 to S1 Port 21 are Entertainment DHCP VLAN2
WIFI SSID: Aramis-Ent is VLAN2 Entertainment Devices that do not allow Ethernet Connections

VLAN 3 (Apple Media Network)
S1 Port 16 to AppleTV is VLAN3 DHCP
S2 Port 4 to AppleTV is VLAN3 DHCP

VLAN4 (Printers)
S1 Ports 4-8 to Printers is VLAN4 DHCP

VLAN5 (General Use)
No Hardwire Ports are assigned to VLAN5. Only WIFI Traffic is Assigned to VLAN5

VLAN6 (Guest)
No Hardwire Ports are assigned to VLAN6. Only WIFI Traffic is Assigned to VLAN6

Switchports NOT in use:
S1 Ports 3, 9-11, 17-19
S2 Ports 5-8
VLAN DESCRIPTIONS

VLAN1 (Admin): This VLAN is reserved for the two servers and my two laptops. No other device should be assigned to this VLAN, however, any computer on VLAN 3, VLAN4 and VLAN5 can communicate with the Servers and laptops. Only 4 devices assigned to this VLAN.

VLAN2 (Entertainment): This VLAN is for Entertainment Devices such as TVs, HD Devices, Streaming Devices, BluRay Players, etc. No Computers or phones should access this VLAN and this VLAN does NOT have access to internal network resources such as servers or printers. Only internet access is allowed.

VLAN3 (Apple Media Network) - This is reserved for AppleTVs and any other Apple device requiring the Apple Network. This VLAN should have access to other VLANs on the network (Excluding VLAN2 and VLAN6) so that iPhones and computers can stream to AppleTVs and AppleTV can access the Apple Network and iTunes Server on VLAN1.

VLAN4 (Printers)-This is a DHCP VLAN for the 4 Printers. The printers are Hardwired and any device on the network, whether wireless or hardwired, should be able to communicate to this VLAN and print to the Printers when needed. This excludes VLAN2 as Entertainment Devices do NOT need access to printers. This also excludes VLAN6 as no guests will be allowed to Print on the Network.

VLAN5 (WIFI-General Access)-This VLAN is for all other network traffic. VLAN5 should be able to access network resources such as printers and servers. All Wifi SSID’s and Devices are DHCP.

VLAN6 (Guest)-Internet Access ONLY. No Access to Network Resources or any device on the network. Cannot see other devices connected to WiFi. Completely restricted to Internet Only. LOCKED DOWN. All Devices are DHCP

WIFI SSIDs AND VLAN ASSIGNMENT

“Aramis-Admin”: 2.4GHz Radio assigned to VLAN1 (Network Resources)
“Aramis-Ent”: 2.4GHz Radio assigned to VLAN2 (Internet ONLY-No Resources)
“Aramis-Ent5G”: 5GHz Radio assigned to VLAN2 (Internet ONLY-No Resources)
“Aramis-AC”: 5Ghz Radio Assigned to VLAN5 (Network Resources)
“Aramis-N”: 2.4GHz Radio Assigned to VLAN5 (Network Resources)
“Aramis-Guest”: 2.4GHz Radio Assigned to VLAN6 (Internet ONLY-No Resources)

 
Solution
There are a couple of options, but they are subnets. The syntax I used is just for explanation; the actual commands have lots of options. I was just trying to point out the "established" option. Same with /8: I don't think you can use that notation; you must use 0.255.255.255.


It would be something like
permit tcp 10.0.2.0 0.0.0.255 10.0.7.0 0.0.0.255 established

You might get away with

permit tcp any any established

The nasty thing about access lists is that you must invert the subnet mask, so 255.255.255.0 becomes 0.0.0.255.

I have no clue how you even partially got this to work. Even though you have assigned lots of VLANs, you only have a single IP block. It will be close to impossible to place restrictions between the machines even if you somehow get the DHCP to work.

Your first step is to use your 3750E as your main router; I forget if it has routing enabled by default or not. It will do everything except the NAT, which you will do on your 2911 when the traffic goes to the internet. For simplicity, define another VLAN whose purpose is to connect to your 2911.

You want to define VLAN interfaces and assign subnets to each VLAN. You then need to define a DHCP server for each VLAN. By default the switch will route traffic between the VLANs. You need to place access lists on the VLAN interfaces to restrict the traffic.

You will also have to add static routes on your 2911 for all the subnets you are using on your 3750 so it knows to send those IP blocks to the switch. You also need to correctly define the NAT so it does NAT on all the different subnets.
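The two points above (wildcard masks and `established`) are what the access lists for the poster's later design come down to. The following is an added worked example, not configuration from anyone in the thread: router ACLs on the 3750E that make VLAN22 (10.0.2.0/24) and VLAN26 (10.0.6.0/24) internet-only while still letting hosts on VLAN20 (10.0.7.0/24), VLAN21 (10.0.1.0/24) and VLAN25 (10.0.5.0/24) open TCP sessions to them and ping them. The subnets are the ones from the poster's second design; the ACL names are made up here.

```cisco
! Added example, not the thread's own config. Subnets follow the poster's
! second design: VLAN20 10.0.7.0/24, VLAN21 10.0.1.0/24, VLAN22 10.0.2.0/24,
! VLAN25 10.0.5.0/24, VLAN26 10.0.6.0/24. Wildcard 0.0.0.255 == mask 255.255.255.0,
! wildcard 0.0.255.255 == mask 255.255.0.0.
!
! Applied "in" on the Vlan22 SVI, so it filters traffic *sent by* entertainment
! devices. Order matters: first match wins, and there is an implicit deny at the end.
ip access-list extended VLAN22-ENT-IN
 remark DHCP from clients (port 68) to the switch's own pool (port 67)
 permit udp any eq bootpc any eq bootps
 remark replies to TCP sessions that LAN/Admin/WiFi hosts opened toward VLAN22
 permit tcp 10.0.2.0 0.0.0.255 10.0.7.0 0.0.0.255 established
 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 established
 permit tcp 10.0.2.0 0.0.0.255 10.0.5.0 0.0.0.255 established
 remark "established" only matches TCP; allow ping replies explicitly
 permit icmp 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 echo-reply
 remark block everything else aimed at the internal 10.0.0.0/16
 deny   ip any 10.0.0.0 0.0.255.255 log
 remark whatever is left is destined for the internet via the 2911
 permit ip any any
!
ip access-list extended VLAN26-GUEST-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.0.6.0 0.0.0.255 10.0.7.0 0.0.0.255 established
 permit tcp 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255 established
 permit tcp 10.0.6.0 0.0.0.255 10.0.5.0 0.0.0.255 established
 permit icmp 10.0.6.0 0.0.0.255 10.0.0.0 0.0.255.255 echo-reply
 deny   ip any 10.0.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan22
 ip access-group VLAN22-ENT-IN in
interface Vlan26
 ip access-group VLAN26-GUEST-IN in
```

Three things to check before relying on this. The `established` keyword matches only TCP packets with the ACK or RST bit set, so any UDP service that Admin hosts initiate toward VLAN22 (nothing in the thread's design needs one) would need its own permit line. The DHCP pools for these two VLANs should hand out only a public DNS server: the `dns-server 8.8.8.8 10.0.1.5` line the poster uses in every pool points isolated clients at a server in VLAN21 that this ACL blocks. And the guest requirement that wireless clients cannot see each other is an intra-VLAN problem an SVI ACL never sees; that is a client-isolation setting on the access point, not a switch ACL. On the 3750 the `log` keyword sends matching packets to the CPU, so drop it once the rules are proven; `show access-lists VLAN22-ENT-IN` shows per-line hit counters and is the quickest way to confirm which entry a test packet matched.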
 

shinnemanc
Nov 23, 2017
That’s exactly why I am looking to others for help with the configs. I haven’t a clue how to do anything you mentioned.

Subnetting is difficult for me, but I can do it if each VLAN needs to have its own subnet. That shouldn’t be a big deal. But everything else you mentioned, I am clueless on.



 
Time to get out the books and learn then, I guess. This is actually really basic stuff on commercial equipment like that. You could actually run routing protocols if you wanted to get fancy.

I gave you the basic design; trying to teach you how subnets work and then how to configure Cisco equipment that has massive amounts of options is not something you will get on a forum.

Cisco has lots and lots of examples on their site. You need to start very simple, using only a single layer 3 switch with 2 subnets, and then expand.
 

shinnemanc
Nov 23, 2017
Here is my new design with subnets and different VLANs that do not use VLAN1.

Now all I gotta do is figure out how to correctly program this and enable the Layer 3 to ease the load off the actual router.

Cisco 2911 Gigabit Router
Cisco WS-3750E Gigabit Layer 2/3 Switch (S1)
Cisco ws-c3560 8-port Layer 2/3 Switch (S2)
Cisco WAP371 Access Point

IP Range 10.0.0.1-10.0.0.4 are reserved for Router and Switches/WAP (Network Hardware)
VLAN21: 10.0.1.1/24
VLAN22: 10.0.2.1/24
VLAN23: 10.0.3.1/24
VLAN24: 10.0.4.1/24
VLAN25: 10.0.5.1/24
VLAN26: 10.0.6.1/24

Cable Modem: DHCP IP Assigned by Comcast
Router (R1): G0/1 10.0.0.1/24
Switch (S1): IP 10.0.0.2/24
Switch (S2): IP 10.0.0.3/24
WAP (WAP1): IP 10.0.0.4/24


VLAN21 (Admin) 10.0.1.1/24
Aramis Server: Static IP 10.0.0.5 (S1 port 1)
Elisia Server: Static IP 10.0.0.6 (S1 Port 2)
Arwin-Laptop: Static IP 10.0.0.10 (S1 Port 12)
S1 Ports 20-24 are all Network Devices such as switches, router connection, WAP Connection, Etc.
Sapphira-Laptop: DHCP IP (Wireless VLAN1 connection to WIFI SSID Admin)
VLAN22 (Entertainment) 10.0.2.1/24
S1 Ports 13-15 are Entertainment DHCP Devices
S2 Ports 1-3 to S1 Port 21 are Entertainment DHCP VLAN2
WIFI SSID: Aramis-Ent is VLAN2 Entertainment Devices that do not allow Ethernet Connections
VLAN23 (Apple Media Network) 10.0.3.1/24
S1 Port 16 to AppleTV is VLAN3 DHCP
S2 Port 4 to AppleTV is VLAN3 DHCP
VLAN24 (Printers) 10.0.4.1/24
S1 Ports 4-8 to Printers is VLAN4 DHCP
VLAN25 (General Use) 10.0.5.1/24
No Hardwire Ports are assigned to VLAN5. Only WIFI Traffic is Assigned to VLAN5
VLAN26 (Guest) 10.0.6.1/24
No Hardwire Ports are assigned to VLAN6. Only WIFI Traffic is Assigned to VLAN6

Switchports NOT in use:
S1 Ports 3, 9-11, 17-19
S2 Ports 5-8
VLAN DESCRIPTIONS

VLAN21 (Admin): This VLAN is reserved for the two servers and my two laptops. No other device should be assigned to this VLAN, however, any computer on VLAN 3, VLAN4 and VLAN5 can communicate with the Servers and laptops. Only 4 devices assigned to this VLAN.

VLAN22 (Entertainment): This VLAN is for Entertainment Devices such as TVs, HD Devices, Streaming Devices, BluRay Players, etc. No Computers or phones should access this VLAN and this VLAN does NOT have access to internal network resources such as servers or printers. Only internet access is allowed.

VLAN23 (Apple Media Network) - This is reserved for AppleTVs and any other Apple device requiring the Apple Network. This VLAN should have access to other VLANs on the network (Excluding VLAN2 and VLAN6) so that iPhones and computers can stream to AppleTVs and AppleTV can access the Apple Network and iTunes Server on VLAN1.

VLAN24 (Printers) - This is a DHCP VLAN for the 4 Printers. The printers are Hardwired and any device on the network, whether wireless or hardwired, should be able to communicate to this VLAN and print to the Printers when needed. This excludes VLAN2 as Entertainment Devices do NOT need access to printers. This also excludes VLAN6 as no guests will be allowed to Print on the Network.

VLAN25 (WIFI-General Access) - This VLAN is for all other network traffic. VLAN5 should be able to access network resources such as printers and servers. All Wifi SSIDs and Devices are DHCP.

VLAN26 (Guest) - Internet Access ONLY. No Access to Network Resources or any device on the network. Cannot see other devices connected to WiFi. Completely restricted to Internet Only. LOCKED DOWN. All Devices are DHCP.
 

shinnemanc
Nov 23, 2017
I’m trying. Problem is, the entire time I’m “experimenting”, trying to get this right and working, my entire network is down. So, down time is waaaay too much.

I’ll try to write up the config commands and post. Hopefully it actually freaking works.
 
You are extremely brave to mess with this on a live network. You can only really learn this by doing, and what you want is not really a first project.

Maybe leave everything on 1 big flat VLAN. Then add all the new ones, which should not impact the one you are using until you start making changes to things like the trunk ports between the switches and your connection to the router.
 

shinnemanc
Nov 23, 2017
This is my current configuration of my router. Would it be easier to reset to default and start fresh and new?

R1#show config
Using 11154 out of 262136 bytes
!
! Last configuration change at 00:14:59 UTC Fri Mar 24 2017 by administrator
! NVRAM config last updated at 00:15:03 UTC Fri Mar 24 2017 by administrator
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M4.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$aaoO$tBn4OvFzUeOsDMPJrbc.n0
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
clock timezone UTC -8 0
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.211 10.0.255.254
!
ip dhcp pool ARAMISDOMAIN
network 10.0.0.0 255.255.0.0
default-router 10.0.0.1
dns-server 8.8.8.8 10.0.0.5
domain-name Aramis.Local
option 150 ip 10.0.0.6
lease 0 4
!
!
!
no ip bootp server
ip domain name Aramis.local
ip name-server 10.0.0.5
ip name-server 8.8.8.8
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name CCP_LOW appfw CCP_LOW
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip cef
login block-for 240 attempts 2 within 60
no ipv6 cef
!
appfw policy-name CCP_LOW
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application http
strict-http action allow alarm
port-misuse p2p action reset alarm
port-misuse im action reset alarm
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-924340807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-924340807
revocation-check none
rsakeypair TP-self-signed-924340807
!
!
crypto pki certificate chain TP-self-signed-924340807
license udi pid CISCO2911/K9 sn FTX1443AHBX
!
!
username administrator privilege 15 secret 5 $1$vnvs$ZDKnAu4VgsIzZOK7FI6eB/
username CCP privilege 15 secret 5 $1$KUo1$d3p8mEqXtBtjrWWptPc14/
!
redundancy
!
!
!
!
no cdp run
!
ip tcp synwait-time 10
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
policy-map sdmappfwp2p_CCP_LOW
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description WAN$FW_OUTSIDE$
ip address dhcp
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 102
duplex auto
speed auto
no mop enabled
service-policy input sdmappfwp2p_CCP_LOW
service-policy output sdmappfwp2p_CCP_LOW
!
interface GigabitEthernet0/1
description LAN$FW_INSIDE$
ip address 10.0.0.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 99 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.0.5 443 interface GigabitEthernet0/0 443
ip ssh time-out 60
ip ssh authentication-retries 2
!
ip access-list extended OUTSIDE-IN
remark CCP_ACL Category=16
deny ip 23.32.0.0 0.31.255.255 any
deny ip 23.64.0.0 0.3.255.255 any
deny ip 104.0.0.0 0.0.0.255 any
permit ip any any
ip access-list extended autosec_firewall_acl
remark CCP_ACL Category=17
deny ip 10.0.0.0 0.0.255.255 any log
permit udp any eq bootps any eq bootpc log
permit icmp any any log unreachable
permit tcp any any eq 443 log
remark Auto generated by CCP for NTP (123) 10.0.0.5
permit udp host 10.0.0.5 eq ntp any eq ntp log
permit udp any any eq bootpc log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip any any log
!
logging trap notifications
logging facility local2
logging host 10.0.0.5
!
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.255.255 log
access-list 2 deny 23.32.0.0 0.31.255.255 log
access-list 2 deny 23.64.0.0 0.3.255.255 log
access-list 99 permit 10.0.0.0 0.0.255.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=0
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.0.0.0 0.0.255.255 any log
access-list 102 permit udp any any eq bootpc
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip 10.0.0.0 0.0.255.255 any log
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host 8.8.8.8 eq domain any
access-list 104 permit tcp any any eq 443
access-list 104 deny ip 10.0.0.0 0.0.255.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
access-list 105 remark auto generated by CCP firewall configuration
access-list 105 remark CCP_ACL Category=1
access-list 105 permit udp host 8.8.8.8 eq domain any
access-list 105 permit tcp any any eq 443
access-list 105 deny ip 10.0.0.0 0.0.255.255 any
access-list 105 permit udp any eq bootps any eq bootpc
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip any any log
!
!
!
control-plane
!
!
banner exec ^C
^[[36;1m
HOSTNAME: R1.AramisDomain
Administrator: Chris Shinneman ^[[37;1m
+----------------------------------------------------------------------+
| |
| ^[[34;1m| |^[[37;1m |
| ^[[34;1m||| |||^[[37;1m |
| ^[[34;1m.|||||. .|||||.^[[37;1m |
| ^[[34;1m.:|||||||||:..:|||||||||:.^[[37;1m |
| ^[[31;1mC i s c o S y s t e m s^[[37;1m |
| |
| |
| ^[[31;1mSite:^[[37;1m Aramis Domain |
| ^[[31;1mModel:^[[37;1m Cisco 2911 2900 Series |
| ^[[31;1mInstalled:^[[37;1m 01/09/2016 |
| |
+----------------------------------------------------------------------+
^[[37;1m
^C
banner login ^C
!
^[[31;1m
+----------------------------------------------------------------------+
| |
| ^[[32;1mTHIS DEVICE IS MONITORED!^[[31;1m |
| |
| ^[[36;1mThis Device is managed by Aramis Domain^[[31;1m |
| |
| ** Access to this system is PROHIBITED unless AUTHORIZED ** |
| All activities are monitored and recorded. |
| Unauthorized Users will be prosecuted to the fullest |
| extent of the Law. |
| |
+----------------------------------------------------------------------+
^[[37;1m
^C
banner motd ^C
^C
 

shinnemanc
Nov 23, 2017
Here is the configuration of Switch2 so far. It's NOT complete. I just want to make sure I am on the right track with configuring Switch2 to access Switch1 and have Ports 1-4 access the correct VLANs.



Any insight, advice?



S2#show config
Using 1708 out of 524288 bytes
!
! Last configuration change at 00:31:16 UTC Mon Mar 1 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$XMcE$eD.hXyE4zaThN63JybKif0
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description Entertainment VLAN
 no switchport
 no ip address
!
interface FastEthernet0/2
 description Entertainment VLAN
 no switchport
 no ip address
!
interface FastEthernet0/3
 description Entertainment VLAN
 no switchport
 no ip address
!
interface FastEthernet0/4
 description Apple Network VLAN
 switchport access vlan 23
 switchport mode access
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
 switchport access vlan 21
 switchport mode access
!
interface Vlan1
 no ip address
!
interface Vlan21
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan22
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan23
 ip address 10.0.3.1 255.255.255.0
!
interface Vlan24
 ip address 10.0.4.1 255.255.255.0
!
interface Vlan25
 ip address 10.0.5.1 255.255.255.0
!
interface Vlan26
 ip address 10.0.6.1 255.255.255.0
!
ip default-gateway 10.0.0.1
ip http server
ip http secure-server
!
line con 0
 password 7 1511030325297E723D706470
 login
line vty 0 4
 password 7 1511030325297E723D706470
 login
line vty 5 15
 password 7 1511030325297E723D706470
 login
!
end
 
That is the basic config on the switch. You need to add the DHCP servers, and you likely will need trunk ports, i.e. what most other switches call tagged, on the connection between your switches and your AP.

I would leave the router until you are ready to really try your config, but then I would wipe it. It is pretty simple though. It will have the WAN interface and the LAN interface, some static routes pointing to the switch on the LAN interface for all the subnets, and the NAT configuration. Not sure why you have the access lists, but it should be fairly simple since the switch will be doing most of the restrictions. Those may have been generated by a script when the router was configured.
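What that looks like in practice, as an added example (not the configuration of anyone in the thread): the routing and NAT pieces that sit between the 3750E and the 2911 once the switch owns every VLAN gateway. It assumes the poster's addressing: the link between R1 G0/1 (10.0.0.1) and S1 Gi2/0/23 (10.0.0.2) becomes a routed /24, the user VLANs are 10.0.1.0/24 through 10.0.7.0/24, and the NAT overload on G0/0 stays exactly as the posted router config already has it.

```cisco
! Added example, not the thread's own config.
! ===== On the 2911 (R1) =====
! The LAN interface shrinks from /16 to /24: 10.0.0.0/24 is now only the
! transit link to S1, and the router's DHCP pool for 10.0.0.0/16 goes away
! because S1 serves DHCP per VLAN.
no ip dhcp pool ARAMISDOMAIN
interface GigabitEthernet0/1
 description LAN - routed link to S1 Gi2/0/23
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Static routes: every user subnet lives behind S1, so send it to 10.0.0.2.
ip route 10.0.1.0 255.255.255.0 10.0.0.2
ip route 10.0.2.0 255.255.255.0 10.0.0.2
ip route 10.0.3.0 255.255.255.0 10.0.0.2
ip route 10.0.4.0 255.255.255.0 10.0.0.2
ip route 10.0.5.0 255.255.255.0 10.0.0.2
ip route 10.0.6.0 255.255.255.0 10.0.0.2
ip route 10.0.7.0 255.255.255.0 10.0.0.2
!
! NAT source list: the existing "access-list 99 permit 10.0.0.0 0.0.255.255"
! already matches all of 10.0.x.0/24, so the overload rule is unchanged.
access-list 99 permit 10.0.0.0 0.0.255.255
ip nat inside source list 99 interface GigabitEthernet0/0 overload
!
! ===== On the 3750E (S1) =====
ip routing
interface GigabitEthernet2/0/23
 description To Router G0/1
 no switchport
 ip address 10.0.0.2 255.255.255.0
! Everything S1 has no route for (i.e. the internet) goes to the 2911.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

Make the G0/1 mask change from the console, not over an SSH session that rides that interface. Verify with `show ip route` on both boxes and, from S1, `ping 8.8.8.8 source 10.0.1.1`: a reply proves the 2911 has a route for the VLAN21 subnet back toward S1 and NATs it. If the Aramis server is renumbered into VLAN21 (the switch's DHCP pools already point DNS at 10.0.1.5), the `ip nat inside source static tcp 10.0.0.5 443 ...` entry in the posted router config must follow it, and the router's old `ip dhcp excluded-address` lines for 10.0.0.0/16 can go with the pool.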
 

shinnemanc
Nov 23, 2017
My router config that I posted is the current configuration with Firewall ACLs. Now that I am redoing my entire network with VLANs and maybe Inter-VLAN Routing, the Router Config will most likely change. I still need to have DHCP Servers/Pools for each VLAN/Subnet. Would I do the DHCP Pools on the Switches or on the router?

Also, Intervlan routing has me turning off Switchport access on the ports. So, how would I assign a specific port or ports to a specific VLAN if Switchport access is disabled?

Would I have Intervlan Routing enabled on both switches or just the Main S1 Switch?
 
It will be simpler on the switch, but you could technically put them even on a server if you use IP helpers on the VLAN interfaces.

You may have to force the port into switchport mode. You can actually put IP addresses on the port. I thought the default was switchport, but Cisco likes to be inconsistent between switches.

I would leave the routing only on the main switch just to make things simple.
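As an added example (not the configuration of anyone in the thread), here is what "forcing the port into switchport mode" and "trunk ports between the switches and the AP" look like for the posted S2 config and the matching ports on S1. Two things in the posted S2 config are worth noting: `no switchport` on Fa0/1-3 turned them into routed ports, which is why a VLAN could not be assigned to them, and the Vlan21 to Vlan26 SVIs on S2 carry the same addresses (10.0.1.1, 10.0.2.1, ...) as S1's, which would collide with the gateways once both switches are up. The VLAN numbers follow the poster's second design; the S2 management address (10.0.7.3 in VLAN20, since 10.0.0.0/24 becomes the routed link between S1 and the router), the parking VLAN 999, and the assumption that the WAP371 is managed untagged in VLAN20 are mine.

```cisco
! Added example, not the thread's own config.
! ===== S2 (3560 8-port): plain layer 2, one management address, no routing =====
no ip routing
! Remove the SVIs copied from S1 so S2 does not answer for S1's gateway addresses.
no interface Vlan21
no interface Vlan22
no interface Vlan23
no interface Vlan24
no interface Vlan25
no interface Vlan26
!
vlan 20
 name Aramis-LAN
vlan 22
 name Entertainment
vlan 23
 name Apple-Media
vlan 999
 name UNUSED
!
interface Vlan20
 description management (assumed address)
 ip address 10.0.7.3 255.255.255.0
 no shutdown
ip default-gateway 10.0.7.1
!
! Ports 1-3: back into switchport mode, pinned to VLAN22 as access ports.
interface range FastEthernet0/1 - 3
 description Entertainment VLAN
 switchport
 switchport mode access
 switchport access vlan 22
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 description Apple Network VLAN
 switchport mode access
 switchport access vlan 23
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: park them in a VLAN nothing routes and shut them down.
interface range FastEthernet0/5 - 8
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink to S1: 802.1Q trunk carrying only the VLANs S2 uses. Native VLAN is
! the parking VLAN so untagged frames never land in a real VLAN; DTP is off.
interface GigabitEthernet0/1
 description Trunk to S1 Gi2/0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,22,23
 switchport mode trunk
 switchport nonegotiate
!
! ===== S1 (3750E) side of the same links =====
vlan 999
 name UNUSED
interface GigabitEthernet2/0/21
 description Trunk to S2 Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,22,23
 switchport mode trunk
 switchport nonegotiate
!
! WAP371: one trunk, AP management untagged in VLAN20 (assumption), every
! SSID's VLAN tagged: Admin=21, Entertainment=22, General=25, Guest=26.
interface GigabitEthernet2/0/22
 description Trunk to WAP371
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,21,22,25,26
 switchport mode trunk
 switchport nonegotiate
```

`show interfaces trunk` on both switches should list Gi0/1 and Gi2/0/21 with VLANs 20, 22 and 23 allowed and active, and `show vlan brief` on S2 should show Fa0/1-3 in VLAN22 and Fa0/4 in VLAN23. The same two fixes apply to the S1 config posted later in the thread: the printer ports Gi2/0/4-8 are `switchport mode trunk` although they are meant to be access ports in VLAN24, and `switchport port-security mac-address sticky` does nothing until `switchport port-security` itself is enabled on the port.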
 

shinnemanc
Nov 23, 2017
I would rather the router or the S1 (Main Switch) assign all IP Addresses to the end devices. My servers have enough to do as it is. LOL. So would I use the Switch to do the IP Assignments (DHCP Server) or continue using the router? Which would be easier on the network itself and help increase performance?
 

shinnemanc
Nov 23, 2017
If I am understanding correctly,

The router would be the WAN Access (Gateway), S1 would be set to Layer 3 Routing between VLANs, and S2 would just be trunked to S1 with each port assigned its specific VLAN access (remaining Layer 2)?
 

shinnemanc
Nov 23, 2017
I am still confused though. Once I enable IP Routing on the S1, how would I assign ports on S1 to specific VLANs?





 

shinnemanc
Nov 23, 2017
It’s “interface range f0/1-3” to select a range. Lol.

Now, if I do switchport access and assign the VLAN, will that disable the inter-VLAN routing that was just enabled, since enabling and configuring it has me turn it off?

That’s why I’m confused on how this is gonna work.

I’m gonna try it tonight when my spouse leaves for work. That way the network can be down and not many people will complain.



 

shinnemanc
Nov 23, 2017
I’m in deep doodoo. I am trying to implement the inter VLAN routing on the L3 switch and completely crashed my entire network. Nothing is communicating and I have no internet. Switch can ping the router still. But nothing else can work.
 

shinnemanc
Nov 23, 2017
Okay, after hours and hours and hours of fighting, I got network connectivity back with internet. I think I finally got inter-VLAN routing up and running with DHCP coming from the switch and not the router.

However, I have noticed that when host devices connect to the network, the network description no longer says "Aramis.com Domain". It just lists "Network 4". That makes me wonder if all the host devices are able to communicate with the Active Directory Domain Server properly....or is it a setting in the switch that I need to configure? It used to be that whenever a computer connected to the network, when you hover the mouse over the network connection (whether wired or wireless), it would say the Domain Name of my network, which is "Aramis.com Domain". It no longer does that.

Also, I will need help creating ACLs so that VLAN 22 and VLAN 26 CANNOT access any other VLAN or Network Resource....BUT.....VLANs 20, 21 and 25 can access VLANs 22 and 26 so that the hosts on those VLANs can be seen and managed (via servers).

Any help with the ACLs would be awesome. I have never done ACLs before.

Attached is my configuration of my switch. Hopefully I did everything right....

S1#show config
Using 7282 out of 524288 bytes
!
! Last configuration change at 04:44:03 UTC Mon Jan 2 2006
!
version 15.0
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fXM5$QeXpmeXipHpYaExFlLOU/.
!
username administrator privilege 15 secret 5 $1$CpEQ$OvKGorrxJdg2WeT0psild/
no aaa new-model
switch 2 provision ws-c3750e-24td
system mtu routing 1500
ip routing
no ip cef optimize neighbor resolution
ip dhcp excluded-address 10.0.1.1 10.0.1.100
ip dhcp excluded-address 10.0.2.1 10.0.2.100
ip dhcp excluded-address 10.0.3.1 10.0.3.100
ip dhcp excluded-address 10.0.4.1 10.0.4.100
ip dhcp excluded-address 10.0.5.1 10.0.5.100
ip dhcp excluded-address 10.0.6.1 10.0.6.100
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.7.1 10.0.7.100
!
ip dhcp pool VLAN21
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 10.0.1.5
!
ip dhcp pool VLAN22
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 10.0.1.5
!
ip dhcp pool VLAN23
network 10.0.3.0 255.255.255.0
default-router 10.0.3.1
dns-server 8.8.8.8 10.0.1.5
!
ip dhcp pool VLAN24
network 10.0.4.0 255.255.255.0
default-router 10.0.4.1
dns-server 8.8.8.8 10.0.1.5
!
ip dhcp pool VLAN25
network 10.0.5.0 255.255.255.0
default-router 10.0.5.1
dns-server 8.8.8.8 10.0.1.5
!
ip dhcp pool VLAN26
network 10.0.6.0 255.255.255.0
default-router 10.0.6.1
dns-server 8.8.8.8 10.0.1.5
!
ip dhcp pool VLAN20
network 10.0.7.0 255.255.255.0
default-router 10.0.7.1
dns-server 8.8.8.8 10.0.1.5
!
!
no ip domain-lookup
ip domain-name Aramis.Local
!
!
crypto pki trustpoint TP-self-signed-1337076096
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1337076096
revocation-check none
rsakeypair TP-self-signed-1337076096
!
!
crypto pki certificate chain TP-self-signed-1337076096
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
!
errdisable recovery cause bpduguard
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet2/0/1
switchport access vlan 21
switchport trunk encapsulation dot1q
switchport mode access
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/2
switchport access vlan 21
switchport trunk encapsulation dot1q
switchport mode access
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/3
switchport access vlan 80
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/4
switchport access vlan 24
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/5
switchport access vlan 24
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/6
switchport access vlan 24
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/7
switchport access vlan 24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/8
switchport access vlan 24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/9
switchport access vlan 80
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/10
switchport access vlan 80
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/11
switchport access vlan 80
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/12
switchport access vlan 80
switchport mode access
switchport port-security mac-address sticky
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/13
switchport access vlan 22
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/14
switchport access vlan 22
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/15
switchport access vlan 22
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/16
switchport access vlan 23
switchport trunk encapsulation dot1q
switchport mode access
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/17
switchport access vlan 80
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/18
switchport access vlan 80
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/19
switchport access vlan 80
shutdown
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/20
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/21
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/22
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet2/0/23
description To Router g0/1
no switchport
ip address 10.0.0.2 255.255.255.0
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/24
switchport access vlan 20
switchport mode access
switchport port-security mac-address sticky
spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/25
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/26
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/27
switchport access vlan 80
shutdown
!
interface GigabitEthernet2/0/28
switchport access vlan 80
shutdown
!
interface TenGigabitEthernet2/0/1
shutdown
spanning-tree portfast trunk
!
interface TenGigabitEthernet2/0/2
shutdown
spanning-tree portfast trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
description Aramis-LAN
ip address 10.0.7.1 255.255.255.0
!
interface Vlan21
ip address 10.0.1.1 255.255.255.0
!
interface Vlan22
ip address 10.0.2.1 255.255.255.0
!
interface Vlan23
ip address 10.0.3.1 255.255.255.0
!
interface Vlan24
ip address 10.0.4.1 255.255.255.0
!
interface Vlan25
ip address 10.0.5.1 255.255.255.0
!
interface Vlan26
ip address 10.0.6.1 255.255.255.0
!
interface Vlan99
no ip address
shutdown
!
ip default-gateway 10.0.0.1
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
logging trap notifications
logging host 10.0.0.5
!
!
banner motd ^C
UNAUTHORIZED ACCESS IS PROHIBITED!^C
!
line con 0
password 7 02050C542A055A77590D584B
logging synchronous
login
speed 115200
line vty 0 4
privilege level 15
password 7 104D01162414475D19477B79
logging synchronous
login local
transport input telnet ssh
line vty 5 15
password 7 104D01162414475D19477B79
logging synchronous
login local
transport input ssh
!
ntp server 10.0.0.5
end
 
You have a lot of ports set to trunk mode. This is actually correct if you have an AP or another switch connected to those ports. If you have a PC connected it might work, but the traffic will run on the untagged VLAN, which is VLAN 1 by default on Cisco.

I also think that you need to add an IP to the VLAN 1 interface in the 10.0.0.0 range so your default routes work. This should be your connection back to your router.

You can of course assign a different VLAN for the connection between the router and the switch, but it must have the proper IP.

On Cisco, VLAN 1 will always exist unless you go to a lot of trouble to change it. It is used both for the management of the switch and is the default untagged VLAN on any trunk ports.

You should be able to check your connectivity with simple ping and tracert commands.

The access lists are actually the easy part. You just apply inbound and maybe outbound access lists to the "interface vlan".
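As an added example that is not part of either post in this thread (my code, not the responder's and not the original poster's switch): a small Python checker that splits a pasted IOS config into its interface and line stanzas and reports the points made above, plus two things visible in the posted config that a reviewer would flag. It reports ports left in trunk mode (noting that `switchport access vlan N` has no effect while a port is a trunk, so an untagged host lands in native VLAN 1), `switchport port-security mac-address sticky` lines with no `switchport port-security` line to actually turn port security on, whether the default route's next hop is on-link through any up interface (the point the two posts differ on: VLAN 1 SVI versus the routed port 23), Telnet on the vty lines, and type 7 passwords. The sample config is a constructed subset I copied from the running-config above, and `hardened_access_port` is my suggested replacement stanza for a host-facing port, not something the thread proposes.

```python
"""Audit a pasted Cisco IOS switch config for the points raised in this thread: ports
left in trunk mode, sticky MACs without port security actually enabled, a default route
whose next hop is not on any up interface, and Telnet or type-7 passwords on the lines."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the running-config posted above, not the full dump.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/0/2
 switchport access vlan 21
 switchport mode access
 switchport port-security mac-address sticky
!
interface GigabitEthernet2/0/7
 switchport access vlan 24
 switchport mode trunk
 switchport port-security mac-address sticky
!
interface GigabitEthernet2/0/23
 no switchport
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
line vty 0 4
 password 7 104D01162414475D19477B79
 login local
 transport input telnet ssh
"""


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Group sub-commands under their 'interface ...' / 'line ...' header; a bare
    '!' ends a stanza.  Lines are stripped because forum pastes lose indentation."""
    stanzas: Dict[str, List[str]] = {"global": []}
    current = "global"
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!":
            current = "global"
        elif line.startswith(("interface ", "line ")):
            current = line
            stanzas[current] = []
        elif line:
            stanzas[current].append(line)
    return stanzas


def audit(config: str) -> List[Tuple[str, str, str]]:
    """Return (subject, code, detail) findings for the config text."""
    stanzas = parse_stanzas(config)
    findings = []
    on_link = []  # (interface, connected subnet) for interfaces that are up with an IP
    for header, body in stanzas.items():
        if header.startswith("interface "):
            iface = header[len("interface "):]
            if "switchport mode trunk" in body:
                detail = "trunk port: untagged frames ride the native VLAN (1 by default)"
                avlan = next((l.split()[-1] for l in body if l.startswith("switchport access vlan ")), None)
                if avlan:
                    detail += f"; 'switchport access vlan {avlan}' is ignored while the port is a trunk"
                findings.append((iface, "TRUNK", detail))
            # On IOS the sticky command alone does not enable port security.
            if "switchport port-security mac-address sticky" in body and "switchport port-security" not in body:
                findings.append((iface, "NO_PORT_SECURITY", "sticky MACs set but 'switchport port-security' is missing"))
            for l in body:
                m = re.match(r"ip address (\S+) (\S+)$", l)
                if m and "shutdown" not in body:
                    on_link.append((iface, ipaddress.ip_interface(f"{m[1]}/{m[2]}").network))
        elif header.startswith("line "):
            if any(l.startswith("password 7 ") for l in body):
                findings.append((header, "TYPE7_PASSWORD", "type 7 is reversible; use 'secret' and local users"))
            transport = next((l for l in body if l.startswith("transport input ")), "")
            if "telnet" in transport.split():
                findings.append((header, "TELNET", f"'{transport}' allows cleartext logins"))
    for l in stanzas["global"]:
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", l)
        if m:
            via = [i for i, net in on_link if ipaddress.ip_address(m[1]) in net]
            code = "DEFAULT_ROUTE_OK" if via else "DEFAULT_ROUTE_UNREACHABLE"
            findings.append(("ip route", code, f"next hop {m[1]} via {', '.join(via) or 'no up interface'}"))
    return findings


def hardened_access_port(iface: str, vlan: int) -> List[str]:
    """Suggested (assumed, not from the thread) stanza for a host-facing port:
    access mode, port security actually enabled with a limit, edge-port STP guard."""
    return [f"interface {iface}", f" switchport access vlan {vlan}",
            " switchport mode access", " switchport port-security",
            " switchport port-security maximum 1", " switchport port-security violation restrict",
            " switchport port-security mac-address sticky",
            " spanning-tree portfast", " spanning-tree bpduguard enable"]


if __name__ == "__main__":
    for subject, code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:26}{subject:22}{detail}")
    print("\n".join(hardened_access_port("GigabitEthernet2/0/7", 24)))
```

On the sample the route check reports the routed port GigabitEthernet2/0/23 as the on-link path to 10.0.0.1, so the default route works without an address on VLAN 1. The finding worth acting on first is NO_PORT_SECURITY: every `mac-address sticky` line in the visible part of the posted config lacks the `switchport port-security` line that turns the feature on, so those ports are not actually limiting MAC addresses, and the ports that carry sticky plus `switchport mode trunk` are trunks with an ignored access VLAN.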

shinnemanc

Port 23 has the IP address in the 10.0.0.0 range, it sees the router with the routes configured, and all hosts on all VLANs have Internet access and are pulling IPs from the DHCP servers on the switch.