cwtang

InterVlan Routing

Hi,
I have a Cisco Catalyst 6509, and I have created 5 VLANs: VLAN 2, 10, 20, 30, 40. All the VLANs are able to communicate with each other. The problem I am facing is that VLANs 10, 20, 30, 40 are not able to access the Internet, as the uplink is connected to VLAN 1 on one of the ports. PCs in VLAN 2 are able to access the Internet and communicate with the other VLANs without any problem. I am not sure what is preventing VLANs 10, 20, 30, 40 from accessing the Internet, while a PC connected to VLAN 2 has no problem. The switch is using CatOS 6.4(21). The routing is done on the MSFC2 in the switch. Can anyone suggest what would be causing the problem? Thanks.
plemieux72

Can you post the MSFC config?
cwtang

ASKER

Hi,
I have attached the config below:

>>>>>>>>>>>>>>>>>>>

sh run
Building configuration...

Current configuration : 1405 bytes
!
! Last configuration change at 08:10:06 Sat Jan 1 2000
! NVRAM config last updated at 08:10:20 Sat Jan 1 2000
!
version 12.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot system bootflash:c6msfc2-pk2sv-mz.121-8a.E5.bin
boot system flash:c6msfc2-pk2sv-mz.121-8a.E5.bin
enable secret 5 $1$.Aht$VTOInOlQSEATBZ16BySWf.
!
clock calendar-valid
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface Vlan2
 ip address 172.16.50.217 255.255.255.0
!
interface Vlan10
 description ***Vlan 10 Network***
 ip address 10.0.0.1 255.255.255.240
!
interface Vlan20
 ip address 10.0.0.17 255.255.255.240
!
interface Vlan30
 ip address 10.0.0.33 255.255.255.240
!
interface Vlan40
 ip address 10.0.0.49 255.255.255.240
!
interface Vlan140
 description HSRP * Standby * Gateway for Vlan140
 ip address 172.16.140.3 255.255.255.0
 ip helper-address 172.16.110.11
 no ip redirects
 no ip route-cache
 no ip mroute-cache
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.50.1
no ip http server
!
!
!
line con 0
 password 7 14141B180F0B7B7977
line vty 0 4
 password 7 14141B180F0B
 login
!
end

<<<<<<<<<<<<<<<<<<<<

Thanks.
You are missing VLAN 1 in the MSFC...

That's why it's not routing.

conf t
int vlan1
 ip addr x.x.x.x y.y.y.y
 no shut
cwtang

ASKER

I made a mistake, the uplink is on vlan 2.
Your MSFC config is correct.
Can you now post the layer 2 config?
Like plemieux72 said, it's probably an L2 configuration error.
Is the 6509 facing directly to the Internet, or is any other router doing NAT?

In the first case, it can be the NAT configuration on the 6509; you have to allow hosts on VLANs 10, 20, etc. to be NATted out through VLAN 2.
In the second case, it's the same, but you have to configure NAT in the router at the border.

cwtang

ASKER

I have attached the switch config.

>>>>>>>>>>>>>>>>>>>>>>.

This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
...............
..................
..................

....................


...............




..

begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
!
#time: Wed Feb 28 2007, 17:19:00
!
#version 6.4(21)
!
set password $2$R52v$B/6tz1EFxF4yIt.8C327i0
set enablepass $2$VPiO$gEqeeaCNUmj7TLdKpUfWZ0
set config mode text nvram
!
#system
set system name  Rad
!
#!
#authentication
set authentication enable attempt 5 console
set authentication enable attempt 5 telnet
!
#stp mode
set spantree mode pvst+
!
#vtp
set vtp domain Rad
set vtp mode transparent
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm
set vlan 2-3,10,20,30,40,60,100
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off
set dot1q-all-tagged enable
!
#ip
set interface sc0 1 172.16.50.215/255.255.255.0 172.16.50.255

set ip route 0.0.0.0/0.0.0.0         172.16.50.1
set ip route 10.0.0.0/255.255.255.240 172.16.50.217
set ip route 10.0.0.0/255.255.255.240 172.16.50.216
set ip route 10.0.0.16/255.255.255.240 172.16.50.216
set ip route 10.0.0.16/255.255.255.240 172.16.50.217
set ip alias default         0.0.0.0
!
#dns
set ip dns server 190.10.20.11 primary
set ip dns enable
!
#ntp
set ntp server 207.46.130.100
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat6000-sup.6-4-21.bin
set boot system flash bootflash:cat6000-supk9.7-1-1.bin
!
#qos
set qos enable
!
# default port status is enable
!
!
#module 1 : 2-port 1000BaseX Supervisor
!
#module 2 : 2-port 1000BaseX Supervisor
!
#module 3 empty
!
#module 4 : 48-port 10/100BaseTX Ethernet
set vlan 2    4/1-6
set vlan 10   4/7-12
set vlan 20   4/13-24
set vlan 30   4/25-36
set vlan 40   4/41-48
set vlan 100  4/37-40
set port qos  4/41 cos-ext 3
set port qos  4/42 cos-ext 3
set port qos  4/43 cos-ext 3
set port qos  4/44 cos-ext 3
set port qos  4/45 cos-ext 3
set port qos  4/46 cos-ext 3
set port qos  4/47 cos-ext 3
set port qos  4/48 cos-ext 3
set trunk 4/6  auto dot1q 1-1005,1025-4094
set trunk 4/48 off negotiate 1-1005,1025-4094
set spantree portfast    4/41-48 enable
!
#module 5 empty
!
#module 6 empty
!
#module 7 : 8-port E1
set port voice interface  7/1 dhcp enable vlan 10
set port voice interface  7/2 dhcp enable vlan 20
set port voice interface  7/3 dhcp enable vlan 30
set port voice interface  7/4 dhcp enable vlan 40
set port voice interface  7/5 dhcp enable vlan 3
set port voice interface  7/6 dhcp enable vlan 3
set port voice interface  7/7 dhcp enable vlan 3
set port voice interface  7/8 dhcp enable vlan 60
!
#module 8 empty
!
#module 9 empty
!
#module 15 : 1-port Multilayer Switch Feature Card
!
#module 16 : 1-port Multilayer Switch Feature Card
end


<<<<<<<<<<<<<<<<<<<<<<<<<<<<


From my config, I have not implemented any NAT on the switch. Can you provide an example of performing NAT on the switch? Thanks.
I assume one of the ports in 4/1 through 6 has the Internet connection?  But that's set for VLAN 2 172.16.50.0/24... which is a private RFC 1918 range.  So, to have access to the Internet, the hosts on that VLAN must go through a NAT router of some kind since it works already.  Based on that, NAT would not be the problem since it's done by another device plugged into 4/1-6.

Based on your layer 2 config, I don't think the switch is the problem.  Do you have all the clients in VLANs 10,20,30,40 configured with the correct default gateway?  Their default gateway should be the IP address of the VLAN IP address on the MSFC.
ASKER CERTIFIED SOLUTION
plemieux72
cwtang

ASKER

Hi Plemieux72, Thanks for all the help! I got it fixed by performing a nat on the layer 3 msfc and all the vlans are able to access internet. As I do not have access to the NAT router, I can only assume that it only allows 172.16.50.0 subnet since it does not know how to route other networks in the lan.
Once again, thanks for the guide!
I already said that, you should split the points
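
The fix the asker describes (NAT on the MSFC so that hosts in VLANs 10, 20, 30 and 40 leave with a VLAN 2 source address), sketched as an added example that is not taken from the thread or from the hidden accepted answer. The interface names and addresses come from the posted MSFC config; the ACL number and the choice of port-overloaded NAT on the Vlan2 address are assumptions.

```cisco
! Added example, not from the thread.
! Assumptions: standard ACL number 1, PAT (overload) on the Vlan2 address.
!
! Inside: the SVIs whose subnets the upstream NAT router cannot route back to.
interface Vlan10
 ip nat inside
!
interface Vlan20
 ip nat inside
!
interface Vlan30
 ip nat inside
!
interface Vlan40
 ip nat inside
!
! Outside: the SVI on the uplink VLAN (172.16.50.217/24 in the posted config).
interface Vlan2
 ip nat outside
!
! 10.0.0.0/26 covers exactly the four /28s in use:
! 10.0.0.0, 10.0.0.16, 10.0.0.32 and 10.0.0.48.
access-list 1 permit 10.0.0.0 0.0.0.63
!
! Translate matching inside sources to the Vlan2 address, multiplexed by port.
ip nat inside source list 1 interface Vlan2 overload
!
! Check from exec mode after sending traffic from a host in VLAN 10:
!   show ip nat translations
!   show ip nat statistics
```

With this in place the upstream device sees every host in VLANs 10 through 40 as 172.16.50.217, so any per-host attribution has to come from the translation table or logging on the MSFC. Where the upstream router can be changed, a route for 10.0.0.0/26 via 172.16.50.217 (plus matching NAT rules there) avoids the second layer of NAT.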