We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!
Solved
Problem with Router on a stick using port channel for logical interfaces
Posted on 2011-02-24
Hello all
Well, I'm running against a brick wall with some config issues. We have several sites that have ROAS systems using port channels that we want to connect to other switches to extend the network. We are using broadband radio links to connect sites via dot1q trunks, all switches and routers have identical configurations, IP addressing notwithstanding. Some sites have worked fine and some have not worked at all, so much so that clients cannot even ping a directly connect interface on the router but can ping the default gateway for the VLAN on the same router.
Well, I'm running against a brick wall with some config issues. We have several sites that have ROAS systems using port channels that we want to connect to other switches to extend the network. We are using broadband radio links to connect sites via dot1q trunks, all switches and routers have identical configurations, IP addressing notwithstanding. Some sites have worked fine and some have not worked at all, so much so that clients cannot even ping a directly connect interface on the router but can ping the default gateway for the VLAN on the same router.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
5
-
2
8 Comments
I would start by confirming the consistency of the configs by testing connectivity to and from all interfaces from all of the routers.
Another thing you could do is run Wireshark or Sniffer and see what is happeneing when you ping from a PC at one site and it works but another PC at another site doesn't work.
Another thing you could do is run Wireshark or Sniffer and see what is happeneing when you ping from a PC at one site and it works but another PC at another site doesn't work.
Hi
I haven't as yet gone down the packet sniffer route but I'm just running some low level NAT debugs and I cannot even see packets from a PC on one of the switches being NAT'ed.
Basically I have the ROAS (with a Port-channel as the sub-interfaces) which is connected over a dot1q trunk to a switch. Host connected to the first switch have no problems with Internet traffic and or other traffic. I then have another (second) switch connected, again over a dot1q trunk, which host cannot access the Internet from. They receive DHCP from the router without any problem, they can ping all the sub interface IP's on the port-channel group and even ping pc's on the first switch in the same VLAN but cannot ping anything on the management VLAN of another switch. As I say they are not appearing in any nat debugs so it appears there is some kind of issue in the way the port-channel is configured. That said I have EXACTLY the same configuration (one router, multiple switches connected to each other) and it works just fine. A case of not seeing the wood for the trees I think :0(.
I haven't as yet gone down the packet sniffer route but I'm just running some low level NAT debugs and I cannot even see packets from a PC on one of the switches being NAT'ed.
Basically I have the ROAS (with a Port-channel as the sub-interfaces) which is connected over a dot1q trunk to a switch. Host connected to the first switch have no problems with Internet traffic and or other traffic. I then have another (second) switch connected, again over a dot1q trunk, which host cannot access the Internet from. They receive DHCP from the router without any problem, they can ping all the sub interface IP's on the port-channel group and even ping pc's on the first switch in the same VLAN but cannot ping anything on the management VLAN of another switch. As I say they are not appearing in any nat debugs so it appears there is some kind of issue in the way the port-channel is configured. That said I have EXACTLY the same configuration (one router, multiple switches connected to each other) and it works just fine. A case of not seeing the wood for the trees I think :0(.
It sounds like something has a routing issue maybe due to an incorrect subnet mask or soemthing like that. Possibly traceroute would point you in the right direction by showing where it is dying. Maybe try it from both sides.
Hi
Tried that to. If for example I do extended ping and trace using the source interface as the WAN (ip nat outside) interface to the host on the second inline device it fails. If I do just a default (so source address would be the sub interface on the port-channel I believe) it's fine :0(. Same same from host to WAN interface and thus the reason NAT is failing from hosts on this second inline device (I am assuming). This problem is common to sites that do not function. I've checked all mask's being issued from DHCP and the NAT ACL and all are correct, as I say any host connected to the first switch at the problematic sites has no problems at all which I find the most puzzling as I would have expected those to fail as well :0(
Tried that to. If for example I do extended ping and trace using the source interface as the WAN (ip nat outside) interface to the host on the second inline device it fails. If I do just a default (so source address would be the sub interface on the port-channel I believe) it's fine :0(. Same same from host to WAN interface and thus the reason NAT is failing from hosts on this second inline device (I am assuming). This problem is common to sites that do not function. I've checked all mask's being issued from DHCP and the NAT ACL and all are correct, as I say any host connected to the first switch at the problematic sites has no problems at all which I find the most puzzling as I would have expected those to fail as well :0(
Here is something to check. Sounds like either a router or trunking issue.
Router on a stick could be done 2 ways, both using subinterfaces, and might be worth changing to see if it helps
1. you use the physical interface for the default vlan and use the subinterfaces for all other vlans
2. do not give the physical interface an ip and create subinterfaces for all vlans.
use the encapsulation dot1q 1 native command on the default vlan assuming you kep it on vlan 1
depending on IOS the way you set this up is different.
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
When you say that you can ping the vlan you are only pinging the switch here, the vlan interface. But you are using a seperate router (Router on a stick) so not being able to ping the connected interface seems like a trunking iissue. I would start by verifing that your trunks are working
show interface trunk.
If you post problem connections( the switch and the router running configs) a more substantial
Again, I would suspect the trunk connections first and the router setup second (this is part of the trunk of course).
Router on a stick could be done 2 ways, both using subinterfaces, and might be worth changing to see if it helps
1. you use the physical interface for the default vlan and use the subinterfaces for all other vlans
2. do not give the physical interface an ip and create subinterfaces for all vlans.
use the encapsulation dot1q 1 native command on the default vlan assuming you kep it on vlan 1
depending on IOS the way you set this up is different.
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
When you say that you can ping the vlan you are only pinging the switch here, the vlan interface. But you are using a seperate router (Router on a stick) so not being able to ping the connected interface seems like a trunking iissue. I would start by verifing that your trunks are working
show interface trunk.
If you post problem connections( the switch and the router running configs) a more substantial
Again, I would suspect the trunk connections first and the router setup second (this is part of the trunk of course).
Hi
Already done all of that as well. All VLANS are being trunked, also sh ip cef also confirms clean layer two connectivity.
I have however been able to isolate this a little more; it appears that the broadband radio links we have between sites and configured to act as a simple bridge are not doing so (the price you pay for not buying quality equipment I guess). We know this a source MAC is being stripped and replaced with the MAC of the radio link.
The sites we have working can all see the default gateway genuine MAC address in the mac table and the ones that don't see the radio interface mac adddress.
I've got engineers out today changing the configuration on this 'bridges' to hopefully put this to bed.
Thanks for all your comments, I'll post the conclusion of todays adventures later.
Already done all of that as well. All VLANS are being trunked, also sh ip cef also confirms clean layer two connectivity.
I have however been able to isolate this a little more; it appears that the broadband radio links we have between sites and configured to act as a simple bridge are not doing so (the price you pay for not buying quality equipment I guess). We know this a source MAC is being stripped and replaced with the MAC of the radio link.
The sites we have working can all see the default gateway genuine MAC address in the mac table and the ones that don't see the radio interface mac adddress.
I've got engineers out today changing the configuration on this 'bridges' to hopefully put this to bed.
Thanks for all your comments, I'll post the conclusion of todays adventures later.
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Before I go to far, let's explain HA (High Availability) and why you should consider it. High availability is the mechanism used to provide redundancy to any service at the same site and appears as a single service to the users of that service. As…
Tired of waiting for your show or movie to load? Are buffering issues a constant problem with your internet connection? Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month9 days, 5 hours left to enroll
721 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.