MarkRace

Cisco 3560 not routing

I have a Cisco 3560 Layer 3 switch configured with 3 VLANs

From the switch you can ping any device on any VLAN, successfully.

From the switch you can surf the net.

From a switch (Cisco 2950 configured for VLAN20) connected to the 3560
you cannot surf the net. A trace rt shows it gets to VLAN 20 on the 3560 and no further.

HELP!!!
jjmartineziii

Please post the configs of both switches, indicating where the connection is.

Remove any passwords and public IPs.
MarkRace

ASKER

show run
Building configuration...

Current configuration : 1998 bytes
!
! Last configuration change at 16:16:48 UTC Fri Apr 10 2009
! NVRAM config last updated at 16:26:44 UTC Fri Apr 10 2009
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LAYER3
!
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring 1 Sun Apr 2:00 last Sun Oct 2:00
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!        
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 no switchport
 ip address 192.168.0.10 255.255.255.0
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!        
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport access vlan 10
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!        
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.20 255.255.255.0
!
router rip
 network 192.168.0.0
 network 192.168.10.0
 network 192.168.20.0
!
ip default-gateway 192.168.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
ip http secure-server
!
!
!        
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 no login
 length 0
line vty 5 15
 no login
!
end

LAYER3#
Here is the config off the layer 3.

What about the 2950?

The 3560 looks good.
This sounds like the VLAN 20 network is not a part of the inside NAT pool on your firewall/router, or the firewall/router doesn't know the route back to the VLAN 20 network.

Can you post configs from your 2950 and firewall/router also?
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
!

Well, if you are trunking between the 2 switches, don't you need a dedicated trunk port? Not a port that is encapsulated dot1q and is also an access port?

"Switchport mode trunk" would change it to trunk mode, but by default it is an access port and it's in VLAN 20, so if the configuration is similar on the other switch it just means that the switches are using the ports as access ports and only vlan 20 traffic can cross between them.

So that is a valid configuration, however a bit messy.

MarkRace, on the 3560, please send the results of the command:
show int FastEthernet0/14 trunk

And the same on the 2950 port that connects to the 3560.

Please try pinging 192.168.20.20
and 192.168.0.1
from a host on the 2950 and apprise as to the results.
Are all the 2950 ports (and the hosts that can't access the internet) designed as in VLAN20 on the 2950?
--

Re: f0/14
The default on most Cisco devices was not access port; the default was dynamic-desirable, and a trunk will eventually be negotiated if both sides can agree (which happens if certain conditions were met).

If they do agree, a trunk may form, they both speak 802.1q, and the 3560 switch sees native vlan as 20. If they don't agree, it stays an access port, and is in access vlan 20.

That's a great convenience, but is a security nightmare in too many ways to mention tonight.
*Best security practice is to explicitly set access or trunk mode on each port, and not place a user-accessible port in the same access VLAN number as you use for any trunk port's native VLAN number.

The first thing you should do on a device attached to the 2950 is try to ping the vlan20 interface

ping 192.168.20.20

to verify connectivity to vl20... where the traceroute stops is potentially an ambiguous indication.

Make sure vlan20 is actually in the 2950's VLAN database; with 'show run' there should be a vlan20.
And native VLANs match (i.e. native vlan for the port on the 2950 should match the setting on the 3560).

Your next step should be to ping the default gateway, 192.168.0.1,
from the device.
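
The port-hardening advice in the reply above (set access or trunk mode explicitly on every port, and keep user-facing access VLANs off any trunk's native VLAN) can be checked mechanically. This is an added example, not part of any post in the thread: the function names are hypothetical, the sample stanzas are shortened from the configs posted here, and a port with no `switchport mode` line is assumed able to negotiate a trunk, as that reply describes.

```python
# Constructed sample: stanzas shortened from the configs posted in this thread.
SAMPLE = """\
interface FastEthernet0/13
 switchport access vlan 10
!
interface FastEthernet0/14
 switchport access vlan 20
 switchport trunk native vlan 20
!
interface FastEthernet0/47
 switchport access vlan 20
 switchport trunk native vlan 20
 switchport mode trunk
"""

def parse_ports(config):
    """Map each interface name to the list of its sub-commands."""
    ports, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # '!' or a global command closes the stanza
    return ports

def setting(cmds, prefix, default):
    """Value of the last sub-command starting with prefix, else default."""
    vals = [c[len(prefix):].strip() for c in cmds if c.startswith(prefix)]
    return vals[-1] if vals else default

def audit(config):
    """Return {port: [findings]} for the two practices named in the post."""
    # Routed ports ("no switchport") and SVIs have no switchport mode to check.
    l2 = {n: c for n, c in parse_ports(config).items()
          if "no switchport" not in c and not n.lower().startswith("vlan")}
    mode = {n: setting(c, "switchport mode ", None) for n, c in l2.items()}
    # Trunks, and ports left able to negotiate one, contribute a native VLAN.
    natives = {setting(c, "switchport trunk native vlan ", "1")
               for n, c in l2.items() if mode[n] != "access"}
    findings = {}
    for n, c in l2.items():
        access = setting(c, "switchport access vlan ", "1")
        if mode[n] not in ("access", "trunk"):
            findings.setdefault(n, []).append("no explicit access/trunk mode")
        if mode[n] != "trunk" and access in natives:
            findings.setdefault(n, []).append(f"access VLAN {access} is also a trunk native VLAN")
    return findings
```

Calling `audit(SAMPLE)` flags Fa0/13 and Fa0/14 for the missing mode and Fa0/14 for sharing VLAN 20 with a trunk's native VLAN; the explicitly trunked Fa0/47 is not flagged.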
Here is the config off the 2950

BOTTOM#show start
Using 4216 out of 32768 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname BOTTOM
!
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport trunk native vlan 20
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/4
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/5
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/6
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/7
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/8
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/9
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/10
 switchport access vlan 20
 no ip address
!        
interface FastEthernet0/11
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/12
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/13
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/14
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/15
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/16
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/17
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/18
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/19
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/20
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/21
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/22
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/23
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/24
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/25
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/26
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/27
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/28
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/29
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/30
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/31
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/32
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/33
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/34
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/35
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/36
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/37
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/38
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/39
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/40
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/41
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/42
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/43
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/44
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/45
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/46
 switchport access vlan 20
 no ip address
!
interface FastEthernet0/47
 switchport access vlan 20
 switchport trunk native vlan 20
 switchport mode trunk
 no ip address
 shutdown
!
interface FastEthernet0/48
 switchport access vlan 20
 switchport trunk native vlan 20
 switchport mode trunk
 no ip address
 shutdown
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.20.20
ip http server
!
!        
line con 0
 exec-timeout 0 0
 logging synchronous
 length 60
line vty 0 4
 login
line vty 5 15
 login
!
end

BOTTOM#
Once again.
If you plug in to the 3560 and on the default vlan you can surf the net.
Vlan 20 is on the switch.

If you connected to the VLAN 2 on the 2950, when you trace to 4.2.2.2
the packets stop at 192.168.20.20 and go no further.

The 3560 can ping everything.
It can ping
Vlan 20 (192.168.20.1) on the 2950
192.168.0.10 on fa0/1 (on the 3560)
192.168.10.2 Vlan10 on 3560
192.168.20.20 Vlan 20 on 3560

192.168.0.1 Edge router
4.2.2.2 ( easy number to remember) :-)
Once again,
you plug a laptop into the layer 3 and give it an IP and
it can surf the net.
If you plug into the 2950 and give it an IP
it can't get past 192.168.20.20

thanks



More stuff.
I decided to take a step back.

Here is what I did:
I set the 2950 aside... (for now)

I took the 3560 and cut it in half.
Ports 2-12 are in VLAN 1
Ports 13-24 are in VLAN20

If I connect the edge router to any port (2-12) AND my test workstation, everything works.
My test workstation surfs just fine.

If I connected the edge router to FA0/1 (configured as a layer 3 port)
the test workstation cannot surf.
HOWEVER (comma space)
I can't seem to ping anything on ports 2 - 12.

Sounds like to me the 3560 is not routing.

It does not seem to want to route between vlans or subnets.

Router is connected to FA0/1
If you placed ports 2 - 12 in vlan1, you wouldn't be able to assign them a default gateway based on the conf you posted earlier:

interface Vlan1
 no ip address
 shutdown
!

If you moved your router from port 2 - 12 to port 0, you need to change your workstation's subnet and default gateway to something specific to vlan1.

So have you given an IP to vlan1 on your 3560, and made it your workstation's default gateway, when the workstation is in ports 2 - 12?

And can it ping that vlan1 interface of the 3560 from the workstation on vlan1, and NOT ping the vlan20 interface, when that is done?
OK, another update..
I have started over and blew away the config.
The one thing that I omitted (my fault) here is the 3550 was
connected to a D-Link home router, and that was my
bottleneck.

I now have the 3560 connected to a Cisco switch
that has a direct path to the internet.

Any suggestions to get this to route between VLANs?
This is the goal.
ASKER CERTIFIED SOLUTION
Mysidia
This solution is only available to members.
So if you had checked your firewall/router a week ago like I suggested might be the problem it would have worked.