Cisco 3560 VLAN connecting to Linksys srw2048

I would also like to add. The default gatewayfor the 192.168.1.x network is set to 192.168.1.250 which is an ASA. I am not sure if this would be the cause of the VLAN 172.16.1.x not communicating with 192.168.1.x.

that1guy15:

c3560G#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.19    YES manual up                    up
Vlan2                  172.16.1.250    YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  down                  down
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/4     unassigned      YES unset  up                    up
GigabitEthernet0/5     unassigned      YES unset  up                    up
GigabitEthernet0/6     unassigned      YES unset  up                    up
GigabitEthernet0/7     unassigned      YES unset  up                    up
GigabitEthernet0/8     unassigned      YES unset  up                    up
GigabitEthernet0/9     unassigned      YES unset  up                    up
GigabitEthernet0/10    unassigned      YES unset  up                    up
GigabitEthernet0/11    unassigned      YES unset  up                    up
GigabitEthernet0/12    unassigned      YES unset  up                    up
GigabitEthernet0/13    unassigned      YES unset  up                    up
GigabitEthernet0/14    unassigned      YES unset  down                  down
GigabitEthernet0/15    unassigned      YES unset  down                  down
GigabitEthernet0/16    unassigned      YES unset  down                  down
GigabitEthernet0/17    unassigned      YES unset  down                  down
GigabitEthernet0/18    unassigned      YES unset  down                  down
GigabitEthernet0/19    unassigned      YES unset  down                  down
GigabitEthernet0/20    unassigned      YES unset  up                    up
GigabitEthernet0/21    unassigned      YES unset  down                  down
GigabitEthernet0/22    unassigned      YES unset  down                  down
GigabitEthernet0/23    unassigned      YES unset  up                    up
GigabitEthernet0/24    unassigned      YES unset  up                    up
GigabitEthernet0/25    unassigned      YES unset  down                  down
GigabitEthernet0/26    unassigned      YES unset  down                  down
GigabitEthernet0/27    unassigned      YES unset  down                  down
GigabitEthernet0/28    unassigned      YES unset  down                  down

from the 3560 can you ping devices on both vlans? Can the devices on each vlan ping the vlan address on the 3560.

Also make sure the devices on each vlan point their default gateway to the vlan address for that vlan on the 3560

From the 3560 can you ping devices on both vlans? Yes

Can the devices on each vlan ping the vlan address on the 3560?
I'm not qute sure i understand this question. If you mean can the devices on 192.168.1.x ping 172.16.1.250 then the answer is no. Can the devices on 172.16.1.x can ping 192.168.1.250 the answer is yes. But it cannot ping anything else on 192.168.1.x. Also the ip helper is not connecting to the dhcp server as it should.

Also from the 172.16.1.x devices i can ping 192.168.1.19 which is the 3560. And 192.168.1.250 which is the ASA.

But anything else cannot ping.

Can devices on 192.168.1.x ping 192.168.1.19 and can devices on 172.16.1.x ping 172.16.1.250?

Were do all devices point the default gateway too?

so im guessing the ASA is not allowing routing.

Can devices on 192.168.1.x ping 192.168.1.19? Yes

Can devices on 172.16.1.x ping 172.16.1.250? Yes

Were do all devices point the default gateway too?
The 172.16.1.x network is pointing to 172.16.1.250
The 192.168.1.x network is pointing to 192.168.1.250

Well from your config the switch should be providing the routing between the two subnets. The only way traffic would be going to the ASA is if the 3560 does not have a route for it.

If you run "sh ip route" you should see a route for each vlan. Could you post that as well?

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.250 to network 0.0.0.0

C    172.16.0.0/16 is directly connected, Vlan2
C    192.168.1.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.1.250

Were do all devices point the default gateway too?
The 172.16.1.x network is pointing to 172.16.1.250
The 192.168.1.x network is pointing to 192.168.1.250

What device is the 192.168.1.250 ip assigned to? All your devices are pointing to this device as a gateway and that device has no idea how to get to the 172.16.1.x network. So either change the gateway on those devices to 192.168.1.19 or add a route on the 192.168.1.250 device pointing to the 3560 for the 172.16.1.x vlan.

Changing the gateway on a PC on the 192.168.1.x network to 192.168.1.19 made no difference.

But i see your point about 192.168.1.250 not even having any idea how to get to 172.16.1.x. I suppose adding a route on the 192.168.1.250 ASA may be the solution. I will try ot out.

Thanks

I have tried everything. and its still a no go :(

Lets step back for a second.

Could you give details on how your network is layed out for these two vlans?

-were do your PCs point for a gateway?

-what all network devices are involved and how are they connected to each other.

a description of your network layout will be helpful.

I will definately try to describe everything the best i can, and i truly appreciate your help. This is a learning experience for me and its proven to be very challenging so far.

Here are the 3 routers/switches

ASA 5520 (192.168.1.250)
Cisco 3560 (192.168.1.19)
Netgear (cisco)srw2048 (172.16.1.254)

Currently only one subnet is working (192.168.1.x)
This subnet's default gateway it to 192.168.1.250

On Cisco 3560 (192.168.1.19) console, i am able to ping/telnet to 172.16.1.254. From any device plugged into Netgear (cisco)srw2048 (172.16.1.254) i am able to ping 192.168.1.19 and 192.168.1.250.

Nothing else pings or is connectable betweek subnets.


I have tried just about everything to get 172.16.1.x to work, with no luck. I must be missing something.

Could you give a layout of how your devices connect to these switches and ASA? Im wanting to know what path a device takes from one vlan to get to another vlan.

"Currently only one subnet is working "

when you say working what does that mean? able to connect to other network resources, able to surf the internet or what?

Thanks

I mean able to connect to other network resources and able to surf the net.


The ASA and the 3560 are directly connected.
The Netgear srw2048 is directly connected to the 3560.
There is also a 48port Cisco 2950 directly connected to the 3560.

Some network devices are currently on the 2950 and some are on the 3560.

i will get more detailed port info and post it as soon as possible.. again thanks

dont worry about getting port info. that shouldnt be needed yet.

What switches have what vlans on them? Do both the netgear and 2950 have all vlans?

I have not added any vlans on either the 2950 or the netgear switch.

Actually on the 2950 config i have

interface Vlan1
 ip address 192.168.1.16 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.250
ip http server

The netgear has no vlan config

Ok, What ports on the 3560 do those two switches connect to?

Sorry for the late response. I have been out of the poffice until now.

So what i am going to do now is get a complete inventory of what switches/routers we have in the network room. And i will need to trace how each is connected to each. Once i get a more accurate diagram i will post it. Again thanks for your help.

Ok so its sorta a mess in there.
I got the inventory of switches and i traced how they are hooked up to eachother.

Here goes the inventory

ASA5520
Cisco 3560G
Netgear GSM7324
Cisco2960g1
Cisco2960g2
Netgear? (couldnt see model)
Linksys srw2048

Now here is how things are connected:

ASA 5520 connected directly to cisco2960g2
asa port 0 and port 2 connected to 2960g2 on ports 43 and 44

Cisco 2960g2 is directly connected to 2960g1 port 48 to port 48

Cisco 3560G is directly connected to Cisco 2960g1, 3560g port 23 to 2960g1 port 47
Cisco 3560G is directly connected to GSM7324, 3560g port 24 to gsm port 1
Cisco 3560G is directly connected to Linksys srw2048, 3560g port 13 to srw2048 port 48

2960g1 is directly connected to netgear (unkown model) 2960 port 5 to netgear port 39
 
I may have possibly missed something but i think its all listed and connected.
 

Cool, thanks for getting that info. Unless you have specific reason for setting up your switches this way I would highly recommend cleaning this setup up. Changing to a hierarchy setup would allow for easier management. But that would most likely be a large project.

If you need to get this up and running now, this might get a little messy..

What switches are you wanting each VLAN on?

Are devices (servers, workstations etc..) connected to all switches?

Yea currently its a mess and all devices are connected to basically everything.

For now all i would like to get done is to have 2 vlans. one vlan which is in use now throughout the network 192.168.1.x and a new one which would be the 172.16.1.x.

Basically the new vlan would only be on the Linksys srw2048. So anything we plug into there we would like to get 172.16.1.x.

Eventually we will clean it all up and do a hierarchy system. But yea thats a whole different project :)

Edit: Yea currently its a mess and all devices are connected to basically everything except the Linksys srw2048.

(option 1)

Ok so you have port 13 on the 3560 as an access port for VLAN 2 so that will allow anything connecting to the SRW switch to be a member of VLAN 2. You will want to check the SRW switch to make sure your configuration is not set up to conflict with the 3560. I would suggest setting all ports on this switch to VLAN 2 (just like on the 3560) and make that your management VLAN as well. Sorry im not familar with the Linksys Gui or I would help more.

All devices connected to the SRW must point their default gateway to the 3560 VLAN 2 interface ip (172.16.1.250).

All devices connected to the GSM switch must point their default gateway to the 3560 VLAN 1 interface ip (192.168.1.19).  This will allow any device connected to the SRW to communicate with devices on the GSM (between vlans).

The 3560 already points its gateway to the F/W but it will only pass traffic for one vlan since your port 23 is an access port. The best way to get all devices to pass traffic between vlans is to create VLAN 2 on each switch and then set each port that connects to another switch to a trunk port. You then must point all devices to the 3560 for a gateway.

VLAN 2 traffic will now make it all the way to the f/w but the f/w will not know what to do with it since it only has a connection from vlan 1. You will need to create a trunk between 2960g2 and the asa. The 2960g2 will be configured the same as all other trunk ports but the firewall is going to get a little tricky.

For the ASA you will need to create sub-interfaces for each vlan (192 and 172 networks). Then configure each subinterface for its associated vlan. You will then remove the ip configuration from the interface. This will allow the asa to handle both vlans. next you will need to adjust any routes, firewall rules or nat statements to allow the vlan 2 traffic to pass through the asa. Google "router on a stick" for the basics on configuring the sub-interfaces

(option 2)

This option is going to be a little easier to setup but its going to complicate your network even more.

Run a new connection from your 3560 to an available  asa port. Setup the asa port up with an ip address in the 172 network. Create a route in the 3560 to point all vlan 2 traffic to the asa port you just setup. On your firewall you will still need to create routes for the new interface/network and adjust nat and firewall rules to allow traffic between the networks.

This setup will allow you to still have all devices point to the ASA for their gateway. the asa will then be able to route traffic going to vlan 2 down to the 3560. VLAN2 traffic will then use its new connection to the ASA to get to the internet.

Both of these setups are going to take some time to get them up and running. And in all honesty I would just spend the additional time to get your network setup correctly. It might take just as much time to do this.

wow i think your right.

So what i am going to do is draw out a network plan to do a hierarchy. Basically everything directly connecting to the 3560 including the asa. Then i supppose it will be cleaner and a bit simpler to set this vlan up.

Thanks so much for your help. I now know what needs to be done.

So i rewired everything to plug drectly to the 3560. Still no luck with the Vlan working as it should.

What is your network layout now?

Also post your sh run

asa5520 plugged from port 2 to 3560 port 1
srw2048 plugged from port 48 to 3560 port 13
2650g1 plugged from port 48 to 3560 port 20
2560g2 plugged from port 48 to 3560 port 21
gsm7324 plugged from port 24 to 3560 port 22
netgear plugged from port 48 to 3560 port 23

sh run from 3560:

c3560G#sh run
Building configuration...

Current configuration : 1891 bytes
!
! Last configuration change at 07:16:54 UTC Fri Sep 11 2009
! NVRAM config last updated at 07:16:54 UTC Fri Sep 11 2009
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname c3560G
!
enable secret
!
no aaa new-model
clock timezone UTC -6
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
 description test vlan
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 192.168.1.19 255.255.255.0
!
interface Vlan2
 ip address 172.16.1.250 255.255.0.0
 ip helper-address 192.168.1.44
!
ip default-gateway 192.168.1.250
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.250
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password
 login
 length 0
line vty 5 15
 password
 login
 length 0
!
end

Any switch that you want to have multiple vlans on you will need to create a trunk between that switch and the 3560. Right now you have those ports configured as access ports so only one vlan (the default) will be able to communicate across the network.

on the 3560 and all cisco devices you create a trunk by using:

int f0/1
 switchport mode trunk
                                              

1:
2:

You are also wanting to pass all VLANs to the ASA so you will either need to trunk to the ASA or setup a routed interface from the 3560 to the ASA.

Does this look right?

interface GigabitEthernet0/13
 description test vlan
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport mode trunk

The port cannot be both an access port and a trunk port. So when you issues the switchport mode trunk command it will transition from an access port to a trunk port.

interface GigabitEthernet0/13
 description test vlan
 switchport mode trunk
 switchport trunk encapsulation dot1q
 

                                              

1:
2:
3:
4:
5:

switchport access vlan 2 is what defines the vlan isnt it?

Now after adding the switchport mode trunk i cannot ping from the 3650 to the 2048 at all. Or vice versa

Here are a few configs that may be of use?

c3560G#sh int g0/13
GigabitEthernet0/13 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 001f.261a.0d0d (bia 001f.261a.0d0d)
  Description: test vlan
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:11, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 65000 bits/sec, 25 packets/sec
     177282 packets input, 31058209 bytes, 0 no buffer
     Received 174703 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 152596 multicast, 0 pause input
     0 input packets with dribble condition detected
     1858452 packets output, 160119739 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
_____

c3560G#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/19, Gi0/20, Gi0/21
                                                Gi0/22, Gi0/23, Gi0/24, Gi0/25
                                                Gi0/26, Gi0/27, Gi0/28
2    vlan-test                        active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

"switchport access vlan 2 is what defines the vlan isnt it?"

this specifies the port to use only vlan 2. by setting it to a trunk port you are saying all vlans can cross it.

"Now after adding the switchport mode trunk i cannot ping from the 3650 to the 2048 at all. Or vice versa"

A trunk must be configured on both ends of the connection. So you will need to configure the 2048 as a trunk port.

ok its done. So both sides are trunked.

On the 3560 port 13 config looks like:

interface GigabitEthernet0/13
 description test vlan
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk

I will connect another device to a spare port on the 3560 and set that port to trunk, then hopefully the device can ping 172.16.1.250. Crossing my fingers!

Still no luck :( Wow this is really frustrating.

So basically what i did was trunked from the 3560 to the 2048. The devices do communicate.

Then i trunked an empty port on the 3560 (port 17) and connected a laptop to it, it connected to VLAN1 DHCP but still cannot communicate with 172.16.1.x.

here is the updates sh run

no aaa new-model
clock timezone UTC -6
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
 description test vlan
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 192.168.1.19 255.255.255.0
!
interface Vlan2
 ip address 172.16.1.250 255.255.255.0
 ip helper-address 192.168.1.44
!
ip default-gateway 192.168.1.250
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.250
ip http server
!
!

                                              

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:

"Then i trunked an empty port on the 3560 (port 17) and connected a laptop to it, it connected to VLAN1 DHCP but still cannot communicate with 172.16.1.x."

Trunk ports are only for switch to switch communications or connections to router/firewalls in some situations.

When connecting a workstation or server they will connect via an access port. Most workstations and servers do not support trunk functionality. This is why that device is not working.

Thanks. I am indeed learning alot from this.

So what i did was trunked from 3560 to GSM7324. Then plugged a laptop into the GSM7324. The laptop connected to VLAN1 DHCP and still cannot communicate with VLAN2.