Layer 3 switching problem

I just bought a Cisco 3560 and want to move my routing to it since it can do layer 3 switching. Currently in my network I have a Cisco 2821 as the main router, a new Cisco 3560, and 8 3Com 4500Gs. I was planning on doing the installation yesterday morning. I did research on the configurations and what I wanted to do. But it failed, so I had to go back to the original.

Currently I have all 9 switches with link aggregations between them. What I would like to do is terminate all 8 3Coms into the 3560, remove the sub-interfaces from the router, and have the 3560 do all the layer 3 switching.

After applying the configs below I started having problems. From the 3560 I was able to access the outside internet, but nothing internal. Like if I was trying to access our Exchange server, which was on a different switch, I could ping that. I couldn't even ping any of the 3Com switches. From the 3Com switches I think I was able to ping the VLAN interfaces that reside on the 3560 (I think, I don't remember for sure, it was early Sunday morning). I permitted all VLANs on the switchport trunks. The interfaces on the 3560 showed up/up and passing traffic. But I couldn't access anything.

Below are the configurations that I had built, and I don't know why it failed.


Main 2821 Router

int g0/0
 descrip ------ CONNECTS TO SEVSW09, PORT G0/1
 ip add 192.168.1.5 255.255.255.252

no int g0/0.2
no int g0/0.3
no int g0/0.6
no int g0/0.7
no int g0/0.9
no int g0/0.100

ip route 192.168.2.0 255.255.255.0 192.168.1.6
ip route 192.168.3.0 255.255.255.0 192.168.1.6
ip route 192.168.6.0 255.255.255.0 192.168.1.6
ip route 192.168.7.0 255.255.255.0 192.168.1.6
ip route 192.168.9.0 255.255.255.0 192.168.1.6



3Com switches  (all 8 of these had the same config).
interface GigabitEthernet1/0/48
 port link-type trunk
 port trunk permit vlan all
 description ------ TRUNK TO SEVSW09, PORT 41        



Cisco 3560 (layer 3 switch)

ip routing

interface g0/1
 no switchport
 ip add 192.168.1.6 255.255.255.252

interface GigabitEthernet0/41
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW01, PORT 24


interface GigabitEthernet0/42
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW02, PORT 24


interface GigabitEthernet0/43
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW03, PORT 24


interface GigabitEthernet0/44
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW04, PORT 24

interface GigabitEthernet0/45
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW05, PORT 24


interface GigabitEthernet0/46
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW06, PORT 24


interface GigabitEthernet0/47
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW07, PORT 24


interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk encap dot1q
 speed 1000
 duplex full
 descrip ------ TRUNK TO SEVSW08, PORT 24

int vlan1  (NOT SURE ABOUT THIS. I THINK I MAY HAVE TAKEN IT OUT AND IT STILL DIDN'T WORK. BUT COULD THIS BE THE PROBLEM?)
 ip add 192.168.1.6 255.255.255.252
 descrip ------ CONNECTS TO SEVRT01, PORT G0/0

int vlan2
 ip add 192.168.2.200 255.255.255.0
 ip helper-address 192.168.2.225

int vlan3
 ip add 192.168.3.1 255.255.255.0
 ip helper-address 192.168.2.225

int vlan6
 ip add 192.168.6.1 255.255.255.0
 ip helper-address 192.168.2.225

int vlan7
 ip add 192.168.7.1 255.255.255.0
 ip helper-address 192.168.2.225

int vlan9
 ip add 192.168.9.200 255.255.255.0
 ip helper-address 192.168.2.225

int vlan100
 ip add 192.168.100.1 255.255.255.0
 ip helper-address 192.168.2.225

ip route 0.0.0.0 0.0.0.0 192.168.1.5
ngaba asked:

lrmoore commented:
> speed 1000
> duplex full

First off, I would leave them at auto, especially if the 3Coms are not also hard-set to 1000/full.
Did you define the VLANs on the 3560? Not just the L3 interfaces, but the VLANs themselves?
 vlan 2
 vlan 3
 vlan 4
<etc>
Then, did you do "sho ip int brief" and make sure the VLAN interfaces were not "administratively down"?
Did you disconnect the router if you used the same VLAN IP addresses that you had on the router sub-interfaces?
You might have to add the "nonegotiate" command to the trunk port config when connecting to non-Cisco switches.
Don Johnston (Instructor) commented:
The config for the 3560 looks okay.

It would help to see the working config from the 2821 router.


ngaba (Author) commented:
I did eventually put auto/auto on the 3Com and 3560 ports for speed and duplex. In the VLAN database on the 3560 all the VLANs were in there. In the sh ip int b, everything showed it was up/up. I deleted the sub-interfaces on the router that had those IP addresses. Afterwards I did a sh ip int b and it showed that they were deleted.

working config from 2821:
SEVRTR01#sh run
Building configuration...

Current configuration : 11799 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname SEVRTR01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096
no logging rate-limit
logging console errors
logging monitor warnings
!
no aaa new-model
memory-size iomem 20
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 0:00
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name xxxx
ip name-server 192.168.2.225
!
multilink bundle-name authenticated
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map match-all TADIRAN-MEDIA
 match access-group name TADIRAN-MEDIA
class-map match-all TADIRAN-SIG
 match access-group name TADIRAN-SIG
!
!
policy-map TADIRAN_RANCHO
 class TADIRAN-MEDIA
    priority 256
 class TADIRAN-SIG
    priority 64
 class class-default
    fair-queue
policy-map TADIRAN
 class TADIRAN-MEDIA
    priority 512
 class TADIRAN-SIG
    priority 64
 class class-default
    fair-queue
policy-map TADIRAN_CHICAGO
 class TADIRAN-MEDIA
    priority 528
 class TADIRAN-SIG
    priority 64
 class class-default
    fair-queue
!
!
!
interface GigabitEthernet0/0
 description Connects to SEVSW05
 no ip address
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 1000
 no mop enabled
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.200 255.255.255.0
 ip helper-address 192.168.2.225
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 192.168.2.225
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.2.225
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/0.7
 encapsulation dot1Q 7
 ip address 192.168.7.1 255.255.255.0
 ip helper-address 192.168.2.225
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip address 192.168.9.200 255.255.255.0
 ip helper-address 192.168.2.225
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/0.100
 description Vlan for Medical
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 ip access-group 150 in
 ip helper-address 192.168.2.225
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/1
 description connects to SEVFW01 (Outside)
 ip address 192.168.1.1 255.255.255.252
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 duplex full
 speed 1000
 no mop enabled
!
interface FastEthernet0/0/0
 description Connects to SEVASYNC
 switchport access vlan 20
!
interface FastEthernet0/0/1
 description connects to QUALCOMM
 switchport access vlan 2
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 description Connects to SEVACE01
 switchport access vlan 20
!
interface Serial0/1/0
 description connects to Chicago -
 bandwidth 1500
 ip address 192.168.90.13 255.255.255.252
 ip helper-address 192.168.2.225
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip tcp header-compression iphc-format
 service-policy output TADIRAN_CHICAGO
 ip rtp header-compression iphc-format
!
interface Serial0/2/0
 no ip address
 shutdown
!
interface Serial0/3/0
 description connects to Gold River -
 bandwidth 1500
 ip address 192.168.80.1 255.255.255.252
 ip helper-address 192.168.2.225
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 ip tcp header-compression iphc-format
 service-module t1 clock source internal
 service-policy output TADIRAN_RANCHO
 ip rtp header-compression iphc-format
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 10.200.23.140 255.255.255.248
 ip nat outside
 no ip virtual-reassembly
!
router eigrp 1
 redistribute static
 network 10.200.23.136 0.0.0.7
 no auto-summary
 no eigrp log-neighbor-changes
 no eigrp log-neighbor-warnings
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 10.220.0.0 255.255.0.0 FastEthernet0/0/1
ip route 10.236.0.0 255.255.0.0 FastEthernet0/0/1
ip route 63.100.176.149 255.255.255.255 FastEthernet0/0/1
ip route 172.22.0.0 255.255.0.0 FastEthernet0/0/1
ip route 172.23.0.0 255.255.0.0 FastEthernet0/0/1
ip route 192.168.5.0 255.255.255.0 Serial0/1/0
ip route 192.168.12.0 255.255.255.0 Serial0/3/0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.6.249 2055
ip flow-top-talkers
 top 50
 sort-by bytes
!
ip nat pool QUALCOMM 10.200.23.140 10.200.23.140 netmask 255.255.255.0
ip nat inside source list 100 pool QUALCOMM overload
!
ip access-list extended TADIRAN-MEDIA
 permit udp any any range 3000 3600
 permit udp any any range 16400 17000
 permit udp any range 3000 3600 any
 permit udp any range 16400 17000 any
ip access-list extended TADIRAN-SIG
 permit udp any any eq 2427
 permit udp any any eq 2727
 permit udp any eq 2427 any
 permit udp any eq 2727 any
!
ip access-list logging interval 10
logging trap warnings
logging 192.168.6.249
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.220.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.236.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 10.220.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 10.236.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 10.220.0.0 0.0.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 10.236.0.0 0.0.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 100 permit ip 192.168.9.0 0.0.0.255 10.220.0.0 0.0.255.255
access-list 100 permit ip 192.168.9.0 0.0.0.255 10.236.0.0 0.0.255.255
access-list 100 permit ip 192.168.9.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.9.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 150 deny   tcp any any eq 3389
access-list 150 permit tcp any any eq www
access-list 150 permit tcp any any eq 443
access-list 150 permit tcp any any eq smtp
access-list 150 permit tcp 192.168.1.0 0.0.0.255 host 192.168.9.250
access-list 150 permit tcp any any eq pop3
access-list 150 permit udp any any eq bootps
access-list 150 permit udp any any eq bootpc
access-list 150 deny   icmp any 192.168.2.0 0.0.0.255
access-list 150 deny   icmp any 192.168.3.0 0.0.0.255
access-list 150 deny   icmp any 192.168.5.0 0.0.0.255
access-list 150 deny   icmp any 192.168.6.0 0.0.0.255
access-list 150 deny   icmp any 192.168.7.0 0.0.0.255
access-list 150 deny   icmp any 192.168.8.0 0.0.0.255
access-list 150 deny   icmp any 192.168.9.0 0.0.0.255
access-list 150 deny   icmp any 192.168.12.0 0.0.0.255
access-list 150 permit tcp host 216.207.216.200 host 192.168.100.254
access-list 150 permit udp any host 4.2.2.2 eq domain
access-list 150 permit icmp any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
snmp-server community panther RO 20
snmp-server community 3xp3d1t3 RW
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps ds1
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server host 192.168.6.249 SNMPv1
snmp-server host 192.168.6.249 panther
!
!
!        
!
!
control-plane
!
banner login ^CC
^C
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 5 0
 login local
 modem InOut
 modem autoconfigure type usr_sportster
 transport input all
 stopbits 1
 speed 57600
 flowcontrol hardware
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 5
 privilege level 15
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 192.168.2.225
end

SEVRTR01#
Justin Ellenbecker (IT Director) commented:
There is a problem with your 3560: you have the IP address assigned to the interface and the VLAN. Leave it on the VLAN and make the switchport gi0/1 "switchport access vlan 1" with no IP, since that connects to the router. A general rule of thumb I follow when using VLANs is to always assign IPs to the VLAN, not interfaces on a switch; the switch will capture and act as that IP when a packet comes to it that needs to be routed. Also make sure on all of your devices that the gateway is the VLAN IP address. Since you are using the same IPs that were on the router, you may also want to flush your ARP caches and MAC address tables to make sure they are clean.
ngaba (Author) commented:
Cisco has this on their website.

Configure the interface to the default router. In this scenario you have a Layer 3 FastEthernet port.

    Switch(config)#interface FastEthernet 0/1
    Switch(config-if)#no switchport
    Switch(config-if)#ip address 200.1.1.1 255.255.255.0
    Switch(config-if)#no shutdown

The no switchport command makes the interface Layer 3 capable. The IP address is in the same subnet as the default router.

So do I still need this as the interface to the router? Like I said, I'm not 100% sure if I tried the IP address of VLAN1.
But let's say I didn't. Would I still be able to get to an outside connection? Like if I plugged a laptop into the 3560 switch I could get to Google, or ping 4.2.2.2.
Don Johnston (Instructor) commented:
Can you provide a diagram of your topology?

There's no problem having layer 2 and layer 3 interfaces on the same switch. In your case, you were using the same address on two separate layer 3 interfaces:

interface g0/1
 no switchport
 ip add 192.168.1.6 255.255.255.252

int vlan1
 ip add 192.168.1.6 255.255.255.252


ngaba (Author) commented:
Here is a quick Visio diagram I just made of what I'm looking to do.
Drawing1.jpg
Don Johnston (Instructor) commented:
Your config (at least on the Cisco side) looks fine. Lose the VLAN1 interface though. You don't need it since you've got an L-3 port going to the 2821.

Don't forget to "no shut" the VLAN interfaces on the 3560.

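As an added example (not code from any participant in this thread), here is a small Python linter that runs the checks raised above over an IOS-style configuration: the same 192.168.1.6 configured on both GigabitEthernet0/1 and Vlan1 that Don Johnston points out, SVIs whose VLAN is missing from the VLAN database (lrmoore's question), SVIs left shut down, and trunk ports without "switchport nonegotiate". The two embedded configurations are constructed excerpts, one of the 3560 config as posted and one corrected per the advice in this thread; neither is a capture from the device, and the parser only understands the block layout that "show running-config" prints.

```python
"""Lint an IOS-style switch config for the mistakes discussed in this thread."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt of the 3560 config as posted, abbreviations expanded the way
# "show running-config" prints them. Not a capture from a real device.
POSTED_3560 = """\
ip routing
!
vlan 2
!
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.1.6 255.255.255.252
!
interface GigabitEthernet0/41
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.6 255.255.255.252
!
interface Vlan2
 ip address 192.168.2.200 255.255.255.0
!
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
"""

# Constructed corrected version: Vlan1 SVI removed, VLAN 6 added to the VLAN
# database, DTP disabled on the trunk toward the non-Cisco switch.
FIXED_3560 = """\
ip routing
!
vlan 2,6
!
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.1.6 255.255.255.252
!
interface GigabitEthernet0/41
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan2
 ip address 192.168.2.200 255.255.255.0
!
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
"""

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}  # always present in the IOS VLAN database


def _vlan_ids(spec: str) -> set[int]:
    """Expand a '2,6-9' style VLAN list into a set of IDs."""
    ids: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_ios(config: str) -> tuple[dict[str, list[str]], set[int]]:
    """Return {interface name: [sub-commands]} and the set of defined VLAN IDs."""
    interfaces: dict[str, list[str]] = {}
    vlans = set(DEFAULT_VLANS)
    current: str | None = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # '!' ends a configuration block
        elif line.startswith(" "):
            if current is not None:             # indented line belongs to an interface
                interfaces[current].append(line.strip())
        elif m := re.match(r"interface\s+(\S+)", line):
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            current = None
            if m := re.match(r"vlan\s+([\d,\-]+)\s*$", line):
                vlans |= _vlan_ids(m.group(1))
    return interfaces, vlans


def duplicate_addresses(interfaces: dict[str, list[str]]) -> dict[str, list[str]]:
    """IPv4 addresses configured on more than one L3 interface."""
    owners: dict[str, list[str]] = defaultdict(list)
    for name, lines in interfaces.items():
        for sub in lines:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", sub):
                owners[m.group(1)].append(name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}


def svis_without_vlan(interfaces: dict[str, list[str]], vlans: set[int]) -> list[str]:
    """SVIs whose VLAN is not in the VLAN database; IOS keeps such an SVI line-protocol down."""
    missing = []
    for name in interfaces:
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and int(m.group(1)) not in vlans:
            missing.append(name)
    return missing


def shutdown_svis(interfaces: dict[str, list[str]]) -> list[str]:
    return [n for n, lines in interfaces.items() if n.startswith("Vlan") and "shutdown" in lines]


def trunks_without_nonegotiate(interfaces: dict[str, list[str]]) -> list[str]:
    """Trunks still running DTP; disable it toward non-Cisco gear and any untrusted port."""
    return [n for n, lines in interfaces.items()
            if "switchport mode trunk" in lines and "switchport nonegotiate" not in lines]


def lint(config: str) -> dict[str, object]:
    interfaces, vlans = parse_ios(config)
    return {
        "duplicate_addresses": duplicate_addresses(interfaces),
        "svis_without_vlan": svis_without_vlan(interfaces, vlans),
        "shutdown_svis": shutdown_svis(interfaces),
        "trunks_without_nonegotiate": trunks_without_nonegotiate(interfaces),
    }


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_3560), ("fixed", FIXED_3560)):
        print(label, lint(cfg))
```

Run against the posted excerpt the linter reports 192.168.1.6 on both GigabitEthernet0/1 and Vlan1, Vlan6 with no matching VLAN, and GigabitEthernet0/41 still negotiating; the corrected excerpt comes back clean. Two caveats: IOS normally refuses an address that overlaps a subnet already on another interface, so on the real switch only one of the two 192.168.1.6 lines would have taken effect and the other would have errored out on entry, which is why checking the intended config text rather than the device state is useful. And "switchport nonegotiate" is worth setting on every trunk, not only toward the 3Coms: with DTP left on, any device that can speak DTP on an access port can negotiate itself into a trunk and reach every VLAN.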
ngaba (Author) commented:
Yes, I did the no shut command. The sh ip int b showed that all of the VLAN interfaces were up and up. Like I said, I'm not 100% sure if I tried taking vlan1 out or shutting it down. But if it was up, would I still even have any kind of access from that switch to the internet?