Tim_Jr
asked on
Inter Vlan routing Cisco 3550
This is embarrassing because I've been studying Cisco for a few years now, but we need some desperate help. We installed a new Catalyst 3550 switch split into 3 Vlans.
vlan 101 - office
vlan 102 - test lab
vlan 103 - it dept
The problem is that I can't seem to communicate properly between the Vlans. I have very sporadic problems that are difficult to explain.
For example, I am on Vlan103. I cannot ping my firewall on Vlan101. Also, when I log into the switch I can ping my workstation, but I cannot trace route my workstation. When I try I just get continuous * . I don't know. Here's my config, I thought maybe someone could point out a mistake.
In my day, I'm used to doing the router on a stick config, using a router to route between Vlans, with a trunk, and encapsulation. Here, I just have a L3 switch and I'm just trying to route between the Vlans through the one device. Thanks.
Building-configuration.doc
Do the workstations have their default-gateway set to the IP address of the corresponding VLAN interface IP address?
As for the firewall, if it's not running EIGRP, you'll need a route on it to the non-connected networks.
ASKER
Yes. All pcs get DHCP info from the DHCP server. I verified that the info was correct. Vlan 101 gateway is 1.232, Vlan 102 is 2.254, and Vlan 103 gateway is 3.1
Have all VLANs been created on layer 2? And are all VLANs up/up in 'show ip int brie' ?
ASKER
I'm not sure what you mean by "have they all been created on Layer 2", but they all have been created. I use the same routine to create them:
config t
interface vlan#
ip address . . . .
I don't use Vlan database mode, I heard that wasn't the best way to create Vlans anymore.
All Vlans are up/up.
no, but you need to create these vlans also on L2.
In an L3 switch, you need to have the VLANs created on both L2 and L3
The L3 part is correctly done in your config, but I cannot see the L2 part. That's why I asked you to perform a show VLAN. With that command you can see the VLANs that are created on L2.
To create VLANs on L2 you can either use the VLAN database, or go into config mode and type:
vlan 2
name <name of VLAN2>
exit
vlan 3
name <name of VLAN3>
exit
etc...
ASKER
Wow. I didn't know that it had to be on both layers. I'll check to see what it shows now and display the output, but that def. could be an issue.
ASKER
ASKER CERTIFIED SOLUTION
Sorry I meant :
Also, from that same PC, can you ping 172.16.2.254 and 172.16.1.232 ?
Vlans have always been tricky for me also. I know from your workstation you should not be able to ping your firewall on a different Vlan. The L3 switch/router should be able to, but Vlans were set up to segment a network and keep them from seeing each other. I would find the interface you have your computer on and do this.
interface GigabitEthernet0/46
switchport access vlan 101, 103
switchport mode access
This will give it access to Vlan 101 and 103 which should be able to get you to the firewall.
Also if you are just doing regular pings and traceroutes, I would suggest doing extended from the Vlan interfaces. If not it just sends it out the default route/interface.
@outlaw87: How exactly would you put an access port in multiple VLANs?
interface GigabitEthernet0/46
switchport access vlan 101, 103
switchport mode access
@Tim_Jr: The above would definitely not be the solution to your problem. I'm pretty sure this will not even be possible on the switch.
Please check first if you can ping each VLAN interface from a PC in VLAN 103. If that is possible, your switch setup is correct. Once this is confirmed, check if your FW has a route back to the VLAN interface on the switch where it has its connection. If this is a Cisco FW, and the switch is connected to the inside interface, and you don't block ICMP, it will respond if it has the correct routing in place.
ASKER
I'll check today guys and post my answers, thank you for continuing support...
ASKER
Yes I can ping from Vlan103 to the interfaces of the other Vlan. So I can or cannot put my interface into multiple Vlans?
Ok, so that proves that your switch config is fine. Normally you should be able to connect anywhere as long as you make sure the other devices have correct gateways, and that ip routes have been added to the devices connecting to this L3 switch.
You cannot put an access port in multiple VLANs. Also, there is no need to do so, because the routing process on the L3 switch will take care of connectivity between the VLANs.
Can you send the ipconfig or routing table of a device that you have difficulties with reaching from VLAN 103.
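As an added example (not code from anyone in this thread), a small Python lint that applies two of the checks raised above to a saved running-config: every `interface VlanN` SVI must have a matching `vlan N` created at layer 2 (the `show vlan` point), and no access port may list more than one VLAN. The sample config is constructed, reusing the gateway addresses quoted in the thread.

```python
import re

# Constructed sample (not the asker's real config): SVIs for VLANs 101-103 exist
# at layer 3, but only 101 and 102 were defined at layer 2, and one access port
# carries the impossible "101, 103" assignment debated in the thread.
SAMPLE_CONFIG = """\
vlan 101
 name office
vlan 102
 name test-lab
interface Vlan101
 ip address 172.16.1.232 255.255.255.0
interface Vlan102
 ip address 172.16.2.254 255.255.255.0
interface Vlan103
 ip address 172.16.3.1 255.255.255.0
interface GigabitEthernet0/46
 switchport access vlan 101, 103
 switchport mode access
"""

def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def lint_vlans(config):
    """Report SVIs lacking an L2 VLAN and access ports that list several VLANs."""
    l2_vlans, svis, findings = set(), set(), []
    for header, children in parse_blocks(config):
        if m := re.fullmatch(r"vlan (\d+)", header):
            l2_vlans.add(int(m.group(1)))      # 'vlan N' in config mode: L2 creation
        elif m := re.fullmatch(r"interface Vlan(\d+)", header):
            svis.add(int(m.group(1)))          # 'interface vlan N': L3 SVI only
        elif header.startswith("interface "):
            for child in children:
                if m := re.fullmatch(r"switchport access vlan (.+)", child):
                    ids = [v.strip() for v in m.group(1).split(",")]
                    if len(ids) > 1:
                        findings.append(f"{header}: access port lists VLANs {ids}; an access port carries one VLAN")
    for vid in sorted(svis - l2_vlans):
        findings.append(f"interface Vlan{vid}: SVI exists but VLAN {vid} is missing at layer 2 (check 'show vlan')")
    return findings
```

Run `lint_vlans(open("running-config.txt").read())` against a saved `show running-config` to get the same two classes of finding on a real switch.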
Yes you can put an interface into more than one Vlan. ck459 was right that I couldn't do it the way I first said, however.
Here is a config to one of my switches. I was a little off on the code, but I guess that is what happens with a 12 day old son who keeps you up all night. Sorry about that.
My understanding of Vlans could be off, but to have access to more than one Vlan on a port you have to trunk it. I would set the native Vlan to 103, but if I want to get to 101 I would put in a switchport trunk allowed vlan and the vlans that I want to let through. However, if you trunk it and put in the Vlans you want to allow, it will only allow those certain ones through on that port, so it is not opened to all the Vlans. This will provide connectivity between the Vlans.
*example from one of my L2 in the field that is directly connected to my L3.*
interface FastEthernet0/4
switchport access vlan 32
switchport trunk native vlan 32
switchport trunk allowed vlan 1,32,64,1002-1005
switchport mode trunk
no ip address
I would do this for your switch
interface GigabitEthernet0/46
switchport access vlan 103
switchport trunk native vlan 103
switchport trunk allowed vlan 101, 103
switchport mode trunk
no ip address
See if that helps. I am better at explaining in person.
ASKER
Do I need to be doing any type of trunking if I'm only using Vlans on the one device?
I did not say you could not put an interface in multiple VLANs ! I said you cannot put an ACCESS PORT in multiple VLANs.
What you are saying about trunking is correct, but that is not what Tim_Jr is trying to achieve here. He just wants to route between VLANs on the same switch (Catalyst 3550). Trunks are out of the question here! Where would he trunk to? Certainly not to his PC, because a PC cannot deal with tagged packets.
The config you are proposing is correct when using a router on a stick, but that's not what is asked here.
If you are trying to allow that port to more than one vlan you have to trunk it. Try the following on the port you want to have access to vlan 101.
interface GigabitEthernet0/**
switchport access vlan 103
switchport trunk native vlan 103
switchport trunk allowed vlan 101, 103
switchport mode trunk
no ip address
Tim, Can you send me the output of the routes on your FW? I would like to know if the returning path to the L3 switch is correct.
Also, can you tell me on which port your firewall is connected ?
Look, I will abandon this thread.
apparently OUTLAW87 knows things better than a CCIE
good luck
ASKER
Seems like the firewall was the issue. I had to install some routes into it to recognize the new networks of 2.0 and 3.0.
;-) You can see. Config was all right.
Kurt