Chuck Brown
asked on
Switch cannot ping device connected to another switch
We have the configurations that are at the end of this description. The 3750 is being used as the head end switch. There is a 3560 in a department in another building. The two are linked via a 3560 in between. I've listed the configs for the two end points.
Here is what we're trying to accomplish:
There is a WatchGuard firewall at 10.0.0.1 that is the default gateway for the majority of the network. On the 3560, port fa0/21, there is a SonicWall firewall at IP 192.168.215.1. For the users in the 192.168.215.x network, we want them to all be in VLAN 114, and we want their Internet access to go to the SonicWall. The rest of the network has 10.x addresses, and these 192.168.215.x users should be able to access this network. However, what is happening is that they are able to go out the SonicWall for a couple of VPN access sites they have, that are 167.198.204.x addresses, but all other Internet access fails, as does access to the 10.x.x.x addresses.
One thing that seems odd... from the 3750 (10.10.0.1) we can ping the SonicWall firewall, but we cannot from the 3560 (10.10.0.56), which is where it is actually plugged in.
Cisco 3750
==========================
hostname AdminFiberHost
!
switch 1 provision ws-c3750g-12s
ip subnet-zero
ip routing
ip dhcp excluded-address 10.100.0.1 10.100.0.20
ip dhcp excluded-address 10.100.0.225 10.100.0.255
ip dhcp excluded-address 10.114.0.225 10.114.0.255
ip dhcp excluded-address 10.214.0.1 10.214.0.20
ip dhcp excluded-address 192.168.215.1 192.168.215.99
ip dhcp excluded-address 192.168.215.200 192.168.215.255
!
ip dhcp pool Admin_Data
network 10.100.0.0 255.255.0.0
default-router 10.100.0.1
option 156 ascii "ftpservers=10.0.0.4, country=1, language=1, layer2tagging=1, vlanid=200"
domain-name xxxx.org
dns-server 10.0.0.11 10.0.0.9
option 4 ip 10.0.0.11
netbios-name-server 172.16.1.103
netbios-node-type h-node
!
ip dhcp pool Admin_Voice
network 10.200.0.0 255.255.0.0
default-router 10.200.0.1
option 156 ascii "ftpservers=10.0.0.4, country=1, language=1, layer2tagging=1, vlanid=200"
domain-name xxxx.org
dns-server 10.0.0.11 10.0.0.9
option 4 ip 10.0.0.11
netbios-name-server 172.16.1.103
netbios-node-type h-node
!
ip dhcp pool Health_Data
network 192.168.215.0 255.255.255.0
default-router 192.168.215.1
option 156 ascii "ftpservers=10.0.0.4, country=1, language=1, layer2tagging=1, vlanid=214"
dns-server 64.192.56.20 64.192.56.22
!
ip dhcp pool Health_Voice
network 10.214.0.0 255.255.0.0
default-router 10.214.0.1
option 156 ascii "ftpservers=10.0.0.4, country=1, language=1, layer2tagging=1, vlanid=214"
domain-name EffinghamCounty.org
dns-server 10.0.0.11 10.0.0.9
option 4 ip 10.0.0.11
netbios-name-server 172.16.1.103
netbios-node-type h-node
!
ip dhcp pool HD_wic1
host 192.168.215.9 255.255.255.0
client-identifier 0100.0802.52a8.f8
client-name echdwic1
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_wic2
host 192.168.215.11 255.255.255.0
client-identifier 0100.0802.52b2.0c
client-name echdwic2
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_wic3
host 192.168.215.12 255.255.255.0
client-identifier 0100.0802.50b9.06
client-name echdwic3
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_win1
host 192.168.215.5 255.255.255.0
client-identifier 0100.6097.1e23.ae
client-name echdwin1
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_win2
host 192.168.215.6 255.255.255.0
client-identifier 0100.a0cc.54e8.4f
client-name echdwin2
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_win3
host 192.168.215.7 255.255.255.0
client-identifier 0100.508b.623c.4e
client-name echdwin3
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_win4
host 192.168.215.8 255.255.255.0
client-identifier 0100.a0cc.54d5.4b
client-name echdwin4
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_echdbill
host 192.168.215.14 255.255.255.0
client-identifier 0100.16d4.06c9.af
client-name echdbill
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_japk
host 192.168.215.13 255.255.255.0
client-identifier 0100.0f20.fa57.ba
client-name echdjapk
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
netbios-node-type h-node
!
ip dhcp pool HD_echdscot
host 192.168.215.15 255.255.255.0
client-identifier 0100.a0cc.54e8.51
client-name echdscott
default-router 192.168.215.3
dns-server 10.0.0.11 10.0.0.9
netbios-node-type h-node
!
ip dhcp pool HD_ecdscot
default-router 192.168.215.1
dns-server 64.192.56.20 64.192.56.22
!
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls *** automatically generated qos statments omitted ***
mls qos
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface Vlan1
ip address 10.0.0.13 255.255.0.0
!
interface Vlan10
description MANAGEMENT VLAN
ip address 10.10.0.1 255.255.0.0
ip helper-address 10.0.0.11
no ip route-cache cef
no ip route-cache
!
interface Vlan114
description Health Data
ip address 192.168.215.3 255.255.255.0
!
!
interface Vlan214
description Health Voice
ip address 10.214.0.1 255.255.0.0
!
ip default-gateway 10.0.0.1
ip classless
ip default-network 10.0.0.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 167.198.204.0 255.255.255.0 192.168.215.1
ip http server
!
AdminFiberHost#
==========================
Cisco 3560
hostname Health_3560_01
!
ip subnet-zero
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
m*** Generated mls statements omitted ***
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 114
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface FastEthernet0/21
description Sonic Wall Soho3
switchport access vlan 114
switchport mode access
switchport nonegotiate
spanning-tree portfast
!
interface FastEthernet0/22
description Link to Health_3560_02
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust cos
macro description cisco-switch | cisco-switch
auto qos voip trust
!
interface FastEthernet0/23
description ShoreTel 60/12 Voice Switch
switchport access vlan 214
switchport mode access
switchport nonegotiate
spanning-tree portfast
!
interface FastEthernet0/24
description Linksys EF3124 Switch
switchport access vlan 114
switchport mode access
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
macro description cisco-switch | cisco-switch
auto qos voip trust
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.0.0.56 255.255.0.0
shutdown
!
interface Vlan10
ip address 10.10.0.56 255.255.0.0
!
ip classless
ip http server
!
!
control-plane
!
Health_3560_01#
Do you have a drawing?
ASKER
It's being worked on now; not one that would help much at the time...
ASKER CERTIFIED SOLUTION
ASKER
frabble,
Thanks. We thought this might be the problem. However, one thing we didn't understand... originally, we tried making the dg 192.168.215.3 for all of the workstations, so it would use our 3750 to route everything. This allowed them access to the internet and our network, but not to their VPN connections. We didn't understand this, since we have the routes set up in the 3750. However, I think the problem may have been that the SonicWall still didn't know about our network, even though our network knew about the SonicWall. The design goal, however, is to have all of the internet traffic from the 192.x addresses go through the SonicWall, not through our network. We had shied away from this, because the SonicWall is owned/managed by a state agency, and getting them to make changes has not been the easiest. It seems that this is simply a fact of life, though; we're going to have to get a static route added to that device in order for all of this to work...
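The return-path point in the last post (the 3750 has a route to the SonicWall, but the SonicWall has none back to the 10.x networks) can be checked with a longest-prefix-match lookup. This is an added example, not part of the original thread: the 3750 routes are copied from the posted config, while the SonicWall table and the 10.0.0.0/8 static route are assumptions, since the firewall's configuration is not shown.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the (network, target) route that wins for dst."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), t) for p, t in table
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

# 3750: SVI addresses and routes taken from the posted config.
SVI_3750 = {"Vlan1": "10.0.0.13", "Vlan10": "10.10.0.1",
            "Vlan114": "192.168.215.3", "Vlan214": "10.214.0.1"}
ROUTES_3750 = [("10.0.0.0/16", "Vlan1"), ("10.10.0.0/16", "Vlan10"),
               ("192.168.215.0/24", "Vlan114"), ("10.214.0.0/16", "Vlan214"),
               ("0.0.0.0/0", "10.0.0.1"),
               ("167.198.204.0/24", "192.168.215.1")]

# ASSUMPTION: the SonicWall's table is not on the page. Modelled here as its
# connected LAN plus a default route out of its own WAN side.
SONICWALL = [("192.168.215.0/24", "LAN"), ("0.0.0.0/0", "WAN")]
# Hypothetical fix: a static route for the 10.x networks via the 3750's
# VLAN 114 address (the exact prefix is an assumption).
SONICWALL_FIXED = SONICWALL + [("10.0.0.0/8", "192.168.215.3")]

def ping_source_3750(dst):
    """Address the 3750 uses as source for a locally generated ping to dst.

    IOS takes the address of the egress interface, so next hops are
    resolved until a connected SVI is reached.
    """
    _, target = lookup(ROUTES_3750, dst)
    while target not in SVI_3750:
        _, target = lookup(ROUTES_3750, target)
    return SVI_3750[target]

def reply_stays_inside(fw_table, src):
    """True when the firewall's route back to src does not leave via its WAN."""
    _, target = lookup(fw_table, src)
    return target != "WAN"

if __name__ == "__main__":
    cases = [("3750 ping", ping_source_3750("192.168.215.1")),
             ("3560 ping", "10.10.0.56")]
    for name, src in cases:
        for label, table in (("as-is", SONICWALL), ("with route", SONICWALL_FIXED)):
            ok = reply_stays_inside(table, src)
            print(f"{name:10} src={src:14} {label:10} reply inside: {ok}")
```

The 3750's ping works only because it is sourced from 192.168.215.3, an address on the firewall's own subnet; any 10.x source depends on the firewall having a route back.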