Bananaskin
asked on
Inter Vlan Routing 2811 and NM-16ESW
Hi Guys,
I am sure that this is probably simple for someone, but I can't seem to get my head around it. The scenario is thus.
I have a Cisco 2811 ISR complete with a NM-16ESW 16 port switch module. I am in the process of migrating from a 2 router setup to single router, dual ISP PBR setup. I have configured 3 Vlans,
Vlan2 - 192.168.1.253/24 (ISP1)
Vlan3 - 192.168.2.253/24 (ISP2 + VOIP)
Vlan4 - 192.168.3.253/24 (WLAN users)
And assigned the appropriate vlans to the ports on the switch module. None of the router ports Fas0/0 and 1 have been configured or sub interfaces.
When ssh'd into the router I can ping all Vlan IPs and hosts connected to the Vlans, however when I am on a host on Vlan2, I can ping Vlan 3 and Vlan 4 but none of the hosts on those Vlans.
I have tried RIP v1 and 2 and EIGRP with no success.
I have googled until my eyes have watered and can't seem to find the solution.
Any help would be appreciated, thanks.
Verify that the firewall feature on the hosts is disabled or configured to allow ICMP echo-requests.
Also, make sure the hosts on VLAN 3 and 4 have their default gateway set to the appropriate VLAN interface on the router.
u need to connect a cable from one of the router ports to the switch and make the switchport a trunk port. on the router port u need to configure subinterfaces with dot1q tagging to the right vlan.
the vlans themselves shouldn't have ip addresses since the 2800 switch is a layer 2 device, only the subinterfaces of the router port should have ip
ASKER
To answer all the questions,
donjohnston: The host I was pinging was a GSM Gateway which doesn't have a firewall and the fact that I could ping it from the router and not another host negated a firewall issue.
sidetracked: I thought the option of sub interfaces on one of the routed ports was only used if using an external switch, so hence me not going down that particular route. I will try that this evening.
I have also pulled my 2950 out of mothballs just in case the above doesn't work and I have to go to a router-on-a-stick setup.
Thanks for the advice guys, appreciated, will keep you posted on my progress.
Regards
I was operating on the assumption that all hosts were connected to the 2811.
Please post the config and indicate which ports the hosts are connected to.
ASKER
donjohnston:
All hosts are connected to the 2811/switch module; I haven't employed the use of an external switch. What I meant to say regarding your possible solution was that all the other router fas/0/0 sub interface configuration options refer to 'Router-on-a-Stick' configuration 2811 and an external switch. Whereas my preferred setup is to use only the 2811 with the 16 port switch module.
Sub-interfaces would not be used in your scenario.
ASKER
donjohnston:
I assume I therefore am going to have to implement 2811 and 2950 switch and use sub interfaces to accommodate the vlans on the 2950?
Not at all. The switch module can accomplish the same thing as a 2950.
Why do you want to use sub-interfaces?
ASKER
I don't, SIDETRACKED suggested sub interfaces and cabling between the interface and the switch module.
That would be unnecessary. You create an SVI (VLAN interface) for each VLAN that you want to route between.
Have you created your vlans in the database?
vlan 2
name ISP1
vlan 3
name ISP2+VOIP
vlan 4
name WLAN
Then create your vlan interfaces... I added the nat statement also because I would assume you would want these networks to have access to the internet.
interface Vlan2
ip address 192.168.1.253 255.255.255.0
ip nat inside
interface Vlan3
ip address 192.168.2.253 255.255.255.0
ip nat inside
interface Vlan4
ip address 192.168.3.253 255.255.255.0
ip nat inside
and then last have you assigned your ports to the vlans?
interface FastEthernet1/2
switchport access vlan 1
spanning-tree portfast
Once you have it working you can go in and add port security and bpdu guards and things like that if you prefer.
ASKER
alewis977 I have created the Vlans yes and assigned the IP addresses (with nat inside etc) to the vlans. The ports on the switch module have been allocated the vlans as well. Which is where I sit at the moment, only able to route within each vlan and not outside from hosts.
donjohnston: "You create an SVI (VLAN interface) for each VLAN that you want to route between."
Can you give me a bit more info on this, URL or sample command set please would be really appreciated.
ASKER
My running-config - relevant portion
!
interface FastEthernet0/0
description Pipex DSL - Ethernet Modem
ip address X.X.X.X 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex half
speed 10
no mop enabled
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
no cdp enable
!
interface FastEthernet0/1.3
encapsulation dot1Q 3
no cdp enable
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet1/0
description Uplink to Gigabit Switch
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/1
description Cisco 7970 - Office
switchport access vlan 2
duplex half
speed 10
power inline never
spanning-tree portfast
!
interface FastEthernet1/2
description Linksys WIFI Access Point
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/3
description Siemens DP450 Dect base
switchport access vlan 2
duplex half
speed 10
power inline never
spanning-tree portfast
!
interface FastEthernet1/4
description Asterisk PBX
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/5
description Dreambox DM500S
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/6
description HP Laserjet 4250 Printer
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/7
description Spare - Shutdown
switchport access vlan 4
shutdown
power inline never
spanning-tree portfast
!
interface FastEthernet1/8
description Uplink to Cisco 1760 Router
switchport access vlan 2
duplex half
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/9
description Spare - Shutdown
switchport access vlan 4
shutdown
power inline never
spanning-tree portfast
!
interface FastEthernet1/10
description Cisco ATA186
switchport access vlan 2
duplex half
speed 10
power inline never
spanning-tree portfast
!
interface FastEthernet1/11
description Protech GSM Gateway
switchport access vlan 3
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet1/12
description I-Catcher CCTV (Windows 7)
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/13
description Apple Mac Mini
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/14
description Xbox 360
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface FastEthernet1/15
description Test Port on VLAN1
switchport access vlan 2
duplex full
speed 100
power inline never
spanning-tree portfast
!
interface Vlan1
description Administrative VLan
no ip address
!
interface Vlan2
description PBR VLAN for Sky DSL
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip policy route-map SKY
!
interface Vlan3
description PBR VLAN for Pipex DSL
ip address 192.168.2.253 255.255.255.0
ip helper-address 192.168.1.30
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip policy route-map PIPEX
!
interface Vlan4
description PBR VLAN for WIFI Connections
ip address 192.168.3.253 255.255.255.0
ip helper-address 192.168.1.30
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip policy route-map WLAN
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username
ppp chap password 0 passw0rd
!
router rip
version 2
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map PIPEX interface FastEthernet0/0 overload
ip nat inside source route-map SKY interface Dialer0 overload
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community com2sec RO
no cdp run
!
!
route-map SKY permit 5
match ip address 1
set interface Dialer0
!
route-map PIPEX permit 10
match ip address 2 3
set interface FastEthernet0/0
!
!
!
control-plane
!
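An added check, not part of the thread and not any poster's code: it reads a config like the one posted above and reports SVIs whose `ip policy route-map` is never defined, and SVIs whose route-map matches through a standard ACL covering the VLAN's own subnet (a source-only match, so packets toward the other local VLANs are matched as well). The sample text is a constructed, trimmed excerpt, and the function names `parse` and `audit` are hypothetical.

```python
from ipaddress import ip_network

# Constructed sample: trimmed excerpt in the shape of the running-config posted above.
SAMPLE = """interface Vlan2
 ip address 192.168.1.253 255.255.255.0
 ip policy route-map SKY
interface Vlan3
 ip address 192.168.2.253 255.255.255.0
 ip policy route-map PIPEX
interface Vlan4
 ip policy route-map WLAN
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
route-map SKY permit 5
 match ip address 1
 set interface Dialer0
route-map PIPEX permit 10
 match ip address 2 3
 set interface FastEthernet0/0
"""

def parse(config):
    # Lines are split into words, so a paste that lost its indentation parses the same way.
    svis, acls, rmaps, cur = {}, {}, {}, {}
    for w in (l.split() for l in config.splitlines() if l.strip(" !")):
        if w[0] == "interface":  # only SVIs are tracked; other interfaces get a throwaway dict
            cur = svis.setdefault(w[1], {"net": None, "policy": None}) if w[1][:4] == "Vlan" else {}
        elif w[0] == "route-map":
            cur = rmaps.setdefault(w[1], {"acls": [], "set_if": None})
        elif w[0] == "access-list" and len(w) == 5 and w[2] == "permit" and w[1].isdigit():
            if int(w[1]) < 100:  # numbered ACLs 1-99 are standard: source address only
                acls.setdefault(w[1], []).append(ip_network(f"{w[3]}/{w[4]}"))
        elif "net" in cur and w[:2] == ["ip", "address"] and len(w) >= 4:
            cur["net"] = ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif "policy" in cur and w[:3] == ["ip", "policy", "route-map"]:
            cur["policy"] = w[3]
        elif "acls" in cur and w[:3] == ["match", "ip", "address"]:
            cur["acls"] += w[3:]
        elif "acls" in cur and w[:2] == ["set", "interface"]:
            cur["set_if"] = w[2]
    return svis, acls, rmaps

def audit(config):
    # Flags SVIs whose policy route-map is undefined, or matches the VLAN by source only.
    svis, acls, rmaps = parse(config)
    findings = []
    for name, svi in svis.items():
        rm = rmaps.get(svi["policy"])
        if svi["policy"] and rm is None:
            findings.append((name, "undefined-route-map", svi["policy"]))
        elif rm and rm["set_if"] and svi["net"] and any(
                svi["net"].overlaps(s) for a in rm["acls"] for s in acls.get(a, [])):
            findings.append((name, "source-only-pbr", rm["set_if"]))
    return findings
```

`audit(SAMPLE)` returns one tuple per flagged SVI, with the egress interface or the missing route-map name as the last field.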
>The host I was pinging was a GSM Gateway
Does the GSM Gateway have a route to the 192.168.1.0/24 network with 192.168.2.253 as the next hop address?
ASKER
The GSM gateway is only configurable for IP, Subnet Mask and Def GW. Def GW was set as 192.168.2.253, ip of Vlan2.
Can the GSM Gateway ping 192.168.2.253? Can it ping 192.168.1.253? Can it ping 192.168.3.253?
Thanks for the update Bananaskin. Glad you got it working.
my solution with a cable from one of the router ports would have worked, although maybe not a very pretty solution. i am glad u found another solution.