Solved

Inter VLAN routing Cisco 3750 apparent same config not working now.

Posted on 2010-08-20
Last Modified: 2012-05-10
I am so confused.  Through the console port I used the CLI to config vlan 1, vlan 10, and vlan 20 from scratch on a freshly installed/upgraded 3750.  I assigned a management IP (192.168.11.2) on vlan 1 and assigned a default gateway to the switch (192.168.11.1 our WatchGuard firewall/router).  Plugged everything in and it all worked and vlans talked to each other.  Simple as that.  To note, this worked even though I only assigned a management IP address to vlan 1; I never assigned a separate subnet to vlan 10 or vlan 20.  The vlan 1 computers on my network are assigned 192.168.11 addresses, vlan 10 is on 192.168.12 and vlan 20 computers are assigned 192.168.22.  The computers on the network have default gateways that point to 11.1, 12.1, and 22.1 which are the ports on our WatchGuard Firewall.

Now the problem:  I added another 3750 and stacked them.  Because of a separate problem I reloaded the original switch and started from scratch again, but I configured the stack the same way as I configured the stand-alone switch the first time.  This time around the vlans don't talk to each other.  I have researched for hours and everybody says I have to assign a separate IP address to each vlan and then assign that as the default gateway on the corresponding computers in that vlan.

I am confused because I never did that the first time before the stack and it all worked just fine.  The first time I literally created vlans and added ports to them without any other configuration and it worked.  Why not now?  Is it because of the stack?  I thought they were supposed to act like one big switch in the stack.  Is it because I started using Cisco Network Assistant and it is getting its hand involved into something?  Was it a magic router and I messed it up now?  Help Please!
Question by:KingPez
14 Comments
 
LVL 57

Expert Comment

by:giltjr
I would check/verify that the port going to the Watchguard is configured as a trunk port and is defined to allow VLAN 1, 10, and 20.

If you do not want the 3750 doing the routing, you don't need to assign IP addresses to VLAN 10 or 20.

Can you clean-up any private information in the config and post it?
 

Author Comment

by:KingPez
I will definitely look at that.  Thank you.  I am sorry if I left too much in my cut and paste but here it is.  Unfortunately I am not sure what good it will do since I had to put everything into vlan 1 and it only has a couple of ports in the other vlans that I was using to test.  Plus I may have done some different things in my attempt to figure it out.  Hope you see something that helps.
 

Author Comment

by:KingPez
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
no aaa new-model
clock timezone UTC -6
clock summer-time UTC recurring
switch 2 provision ws-c3750g-24t
switch 3 provision ws-c3750g-24t
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip routing
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet2/0/1
 !
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
!
interface GigabitEthernet3/0/1
 switchport access vlan 30
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
!
interface GigabitEthernet3/0/4
 description PBX Phone
!
interface GigabitEthernet3/0/5
!
interface GigabitEthernet3/0/6
!
interface GigabitEthernet3/0/7
!
interface GigabitEthernet3/0/8
!
interface GigabitEthernet3/0/9
!
interface GigabitEthernet3/0/10
!
interface GigabitEthernet3/0/11
!
interface GigabitEthernet3/0/12
!
interface GigabitEthernet3/0/13
 description DMZ -WG Gateway P1
!
interface GigabitEthernet3/0/14
!
interface GigabitEthernet3/0/15
!
interface GigabitEthernet3/0/16
!
interface GigabitEthernet3/0/17
 switchport mode access
!
interface GigabitEthernet3/0/18
 description MPLS - WG P3
!
interface GigabitEthernet3/0/19
!
interface GigabitEthernet3/0/20
!
interface GigabitEthernet3/0/21
 description DMZ - WG P2
!
interface GigabitEthernet3/0/22
!
interface GigabitEthernet3/0/23
!
interface GigabitEthernet3/0/24
!
interface Vlan1
 ip address 192.168.11.2 255.255.255.0
!
interface Vlan10
 no ip address
!
interface Vlan20
 no ip address
!
interface Vlan30
 no ip address
!
ip default-gateway 192.168.11.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip http server
ip http authentication local
!
ip sla enable reaction-alerts
!
line con 0
 password ------
 login
line vty 0 4
 password -------
 login
line vty 5 15
 password -----
 login
!
end

pln-3750switchstack#
 

Author Comment

by:KingPez
So the WatchGuard has:
Port 0 - external internet in
Port 1 - for the .11 users network (vlan1)
Port 2 - for the .12 MPLS network (vlan 20)
Port 3 - for the .22 DMZ network (vlan 10)

Is there one specific one that is supposed to be the trunk port?
 
LVL 21

Expert Comment

by:eeRoot
Are there any other switches connected to the 3750 or did all the computers connect straight into the 3750?  If there are other switches on the network, you may have to trunk the ports.  

A good test would be to give VLANs 10, 20, and 30 IP addresses and then try to ping those IPs from the PCs connected to the switch.  You don't need IP addresses on switch VLAN interfaces, but it's a handy thing to have for troubleshooting.
 
LVL 17

Assisted Solution

by:Kvistofta
Kvistofta earned 200 total points
In which port(s) is the watchguard connected to the 3750?

/Kvistofta
 

Author Comment

by:KingPez
No other switches.  Just from the WatchGuard to the stack of 2 3750s and the whole network goes into that stack.

 
LVL 17

Expert Comment

by:Kvistofta
How many cables do you have between the firewall and the 3750? And in which 3750-ports are they connected?

/Kvistofta
 

Author Comment

by:KingPez
So the WatchGuard has:
Port 0 - external internet in
Port 1 - for the .11 users network (vlan1) > switchport Gi3/0/13
Port 2 - for the .12 MPLS network (vlan 20) > switchport Gi3/0/21
Port 3 - for the .22 DMZ network (vlan 10) > switchport Gi3/0/18

But these ports are all assigned to vlan 1 right now because of the problem.
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 300 total points
My comment about trunk to the Watchguard was under my apparently false assumption you had a single physical connection between the switch and the Watchguard.  It looks like you have 3 physical connections, so you can forget about trunking.

Gi3/0/13 needs to be set as switchport mode access and switchport access vlan 1
Gi3/0/21 needs to be set as switchport mode access and switchport access vlan 20
Gi3/0/18 needs to be set as switchport mode access and switchport access vlan 10

If a computer is supposed to be in VLAN20, then the port it is connected to needs to be:

     switchport mode access and switchport access vlan 20
0
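
Added example (not part of the thread): the port layout from the accepted answer, written as a check to run against a saved "show run", so firewall-facing ports that have fallen back to VLAN 1 are flagged instead of silently sharing one broadcast domain. The function names and the two sample configs are constructed for illustration.

```python
import re

# Firewall-facing ports and access VLANs as listed in the accepted answer.
EXPECTED = {
    "GigabitEthernet3/0/13": 1,
    "GigabitEthernet3/0/21": 20,
    "GigabitEthernet3/0/18": 10,
}

def parse_ports(config):
    """Return {interface: {"mode": str or None, "vlan": int}} from show-run text."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
            # IOS omits defaults: no "switchport access vlan" line means VLAN 1.
            ports[cur] = {"mode": None, "vlan": 1}
        elif not raw[0].isspace():
            cur = None  # unindented line: back at global config level
        elif cur:
            m = re.fullmatch(r"switchport (access vlan|mode) (\S+)", line)
            if m and m.group(1) == "mode":
                ports[cur]["mode"] = m.group(2)
            elif m and m.group(2).isdigit():
                ports[cur]["vlan"] = int(m.group(2))
    return ports

def audit(config, expected=EXPECTED):
    """List (interface, problem) for every deviation from the expected layout."""
    ports, findings = parse_ports(config), []
    for name, vlan in expected.items():
        port = ports.get(name)
        if port is None:
            findings.append((name, "interface not found"))
            continue
        if port["vlan"] != vlan:
            findings.append((name, f"access vlan {port['vlan']}, expected {vlan}"))
        if port["mode"] != "access":
            findings.append((name, "switchport mode access not set"))
    return findings

# Constructed samples: BEFORE has bare stanzas (all VLAN 1), AFTER applies the answer.
BEFORE = "\n".join(f"interface {p}\n!" for p in EXPECTED)
AFTER = "\n".join(f"interface {p}\n switchport access vlan {v}\n"
                  " switchport mode access\n!" for p, v in EXPECTED.items())
```

Calling audit(BEFORE) reports the two ports that should be in VLAN 20 and VLAN 10 but sit in VLAN 1, plus the missing explicit access mode on all three; audit(AFTER) returns an empty list.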
 

Author Comment

by:KingPez
Well, that is how I had it the first time and how I configured it again.  Maybe I just need to start over and do all of the steps again.  I won't be able to do it until late tonight or tomorrow night since it is production.  I will let everyone know how it goes.  Thanks to everyone who gave input.
 
LVL 17

Expert Comment

by:Kvistofta
You are welcome.

If for some reason it doesn't work, give us the following details:

"show run"
"show vlan"
and full information about how the firewall is connected to the 3750 incl switchports.

/Kvistofta
 

Author Comment

by:KingPez
Ok, mystery solved.  I am no longer confused.  Thank you guys.  I now understand why everything I read said to set IPs for each vlan but my previous config was working without having to do that.  It was because, as giltjr said, each WatchGuard port going to the switch was providing the routing for its vlan.

I was my worst enemy in this case because a switch loop had caused me to panic and set everything back to vlan 1 right away.  I went down the wrong path because I did not realize then that the loop had nothing to do with my vlan config.  I was so afraid of bringing the network down again that I was trying to config just a couple of random vlan test ports.  I now realize this did not work because I needed all of the WG ports on their specific vlans to provide the routing.  Last night (with the loop discovered and removed) I put all ports onto their appropriate vlans and everything worked as it was supposed to just like it did before.  It's amazing how clear things can become after a trial-by-fire.  Huge learning experience for me.  Thanks to all.
 
LVL 17

Expert Comment

by:Kvistofta
Cool! It is nice to help :)
