sophieb1984

Cisco 3560 Routing Between Vlans

I have got a Cisco 3560 which I use as my core switch; it is set up with multiple VLANs and IP ranges.

I am trying to get the 10.0.10.x IP range to be able to communicate with the 192.168.4.x range. My routing table is below and shows everything as I believe it should, but when I try to ping from the 10.0.10.x range it fails. Anyone have any ideas? Do I need to do anything different as I am using VLAN tagging?


do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.16.0 is directly connected, Vlan30
C    192.168.4.0/24 is directly connected, Vlan1
     10.0.0.0/24 is subnetted, 3 subnets
C       10.0.10.0 is directly connected, Vlan20
C       10.1.1.0 is directly connected, Vlan100
C       10.0.0.0 is directly connected, Vlan10
     150.150.0.0/21 is subnetted, 1 subnets
C       150.150.0.0 is directly connected, Vlan40
Ernie Beek

Any access-lists in place?

Anything showing in the logs?

Do the devices where you ping from/to also have the correct routes set up?
ASKER

>Any access-lists in place?

>Anything showing in the logs?

>Do the devices where you ping from/to also have the correct routes set up?

1. No, there are no access-lists.

2. What logs am I checking here?

3. One of the devices is an ESXi host and VMware have recommended that we don't set up the route on the host? I don't know if this is possible or not as I have always added it to the host.

Thanks
Let's first look at the ESX.

Are you pinging from the host or from a VM on the host?
Is there a firewall running? On the host (esxcfg-firewall -q) or on the guest?
What are the routes on the host/guest?
Are you pinging from the host or from a VM on the host?      I am pinging from the host to a VM

Is there a firewall running? On the host (esxcfg-firewall -q) or on the guest?        This command doesn't work on ESXi or I'm doing something wrong

What are the routes on the host/guest?     Again I can't check this as it's ESXi and I don't know how as I've only used ESX
Dear, I think your switch is running the IP base image; if so, check whether routing is enabled or not. If possible, provide the running configuration.

Try to ping the switch VLAN interface from the switch console:
ping vlan 1, vlan 100. If that succeeds, then connect a host to one port, join the port to the VLAN, assign the host an IP as per the VLAN subnet, make sure the host gateway is the VLAN IP, and ping from the switch.

If all fails and it is possible for you, I would suggest saving the running configuration of the switch to your PC and configuring from scratch; please see the link below.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml.

cheers,
Syed

Hm, why did they make that i so small, completely overlooked that.
Indeed with ESXi it's somewhat different so I don't think the firewall is an issue there (b.t.w. you can do some managing: http://www.vmware.com/files/pdf/vmware_esxi_management_wp.pdf)

'i am pinging from the host to a vm'
I think we don't refer to the same here? I meant: the ESXi host. I assume you mean a host on another vlan?
So what do you see when you do a tracert instead of a ping?

I also think itubaf has a point. You might want to check the switch as well.
The routing table exists, as the comment in 27019641 indicates; furthermore, as the routes are populated as directly connected routes, this is an indication that ip routing is enabled.

>do i need to do anything different as i am using vlan tagging?

You more than likely need to trunk down to the ESX, add the VLANs to the trunk, and tag within the management software of the ESX. I am not an ESX administrator, so I do not know what the exact context is for the ESX side, only that if there are multiple hosts on the ESX that are in different VLANs, you need to tag via a trunk to the Cisco switch.

So on the interface where you have the ESX host you will need to trunk (assuming gi1/1):

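interface GigabitEthernet1/1
 ! the 3560 rejects "switchport mode trunk" while the trunk encapsulation is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10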
I have tried what was suggested in post 35701555 with no joy; I still cannot ping from the ESXi host to the VM (our DC).


The aim of this is for the DNS and time services on ESXi.
Can you please explain how the physical connections are configured for the networks 10.0.10.x and 192.168.4.x? Are the hosts physically connected via two different physical switchports or physically connected to the same physical switchport? Do you have a diagram depicting the networks? Are the VMs on the same physical ESXi? Can you ping from Vlan 30 to Vlan 40 or any other VLANs for that matter (is routing actually working is what we are trying to establish)? Additionally, what do the ARP and MAC tables look like? Do you see ARP populating and even a MAC address for the VLANs in question?

show mac-address-table
show ip arp | inc 192.168.4.x

Billy
eeRoot

Are the other network devices on the various network segments trunked or set to allow the various VLAN's?
The connected route only shows that the networks are configured, not that they have routes to each other. You need to configure a routing protocol (static or RIP, EIGRP, etc.).
I agree with MAG03; if you can share the running configuration your problem can be resolved.
>the connected route only shows that the networks are configured not that they have routes to each other.

you do not need static routes or a dynamic routing protocol if the networks are directly connected:

http://tools.ietf.org/html/rfc1180

Billy
Ah, I see what you mean Billy. I was thinking they were directly connected interfaces and not networks.

Make sure that ip routing is configured.
I also think that providing a network diagram and configuration would be best right now.
Please see the attached file for the 3560 config puttynew.log
"ip classless
ip route 0.0.0.0 0.0.0.0 217.113.167.129
ip route 10.1.1.0 255.255.255.0 192.168.4.28
ip http server
ip http secure-server"

WHY YOU PUT " ip route 10.1.1.0 255.255.255.0 192.168.4.28 " ???
I ALSO WANT TO KNOW WHICH PORT CONNECTED TO YOUR ROUTER?
That route is for our phone system.

Our router is connected to a small business switch and not to the 3560 directly.

I still think there is a routing issue even though the routing table shows the networks connected.  Could you post a network diagram showing all devices and networks?
Also include the location and IP of the VM and host you are pinging from. Are you able to ping anything else on the VM's network? Perhaps put another device on the 192.168.4.x network and see if you can ping that device.  It is possible that the VM is set up incorrectly.
192.168.4.28 is a host or gateway???

I think this route is wrong. Can you try removing it and test, if possible?

I removed the IP route, which made no difference to the outcome.

I will need to create a network diagram as we don't currently have one, but will post it shortly.
I have done a basic diagram but our network is very complex so to do it fully would take a long time.

I don't think it is anything to do with the VM being set up incorrectly as it can access all of our networks.

The issue is getting the ESXi hosts to contact the VM without adding the route on the ESXi host as this is not recommended.

 Network-Diagram.vsd
Are you able to answer my questions?

Can you ping from Vlan 30 to Vlan 40 or any other VLANs for that matter (is routing actually working is what we are trying to establish)? Additionally, what do the ARP and MAC tables look like (on the router, ESX host and guest)? Do you see ARP populating and even a MAC address for the VLANs in question?

Host:

arp -a (linux or windows, the command is the same)
show mac-address-table
show ip arp | inc 192.168.4.x

Does any of this information match up with the BIA and settings of  the TCP/IP properties?


This is very important, if you are not even seeing the MAC addresses populating, layer 3 routing will not even be considered as layer 2 is not working. What port is the ESX host connected to?

Furthermore, your configuration for:

interface Port-channel4
 description TO ESW-520
 switchport mode dot1q-tunnel

any reason you are using dot1q-tunnel (QinQ) and if there is a reason, the ESX host must be configured for the same encapsulation.


By the way, great alias exec commands.



Billy
I can ping from Vlan 1 to Vlan 20 / 30 / 40 / 100 but only if I add a route onto my Windows computer.

I don't know what the command is for arp -a on ESXi; it seems that this command isn't valid.

MAC address table is attached.

I couldn't tell you what port the ESX host is plugged into as it is a blade center and plugs into some Dell switches and then into the ESX hosts.

We are using a dot1q-tunnel as this is all that is supported with our ESW-520 for merging the 2 connections.

 mac-address-table.txt sh-ip-arp.txt
>i can ping from vlan1 to vlan 20 / 30 / 40 /100 but only if i add a route onto my windows computer.
What gateway are you using for the next hop for the static route? This should be needed if you have a single connection utilizing a single gateway (192.168.4.1). Do you have a different default gateway? What about the other hosts, are they multihomed?

>i couldn't tell you what port the ESX host is plugged into as it is a blade center and plugs into some dell switches and then into the esx hosts.

Then the mac-address-table and show ip arp will not help us much.

At this point, I am assuming the switch is routing as you have not indicated that routing is not working for other VLANs. So, please explain to us about the static routing you are adding on the host.

Thanks,
Billy
The static route that I add is:

route add 10.0.10.0 mask 255.255.255.0 192.168.4.253

This is because our router is 192.168.4.254, which is our default gateway; the other networks have no need to access this router, which is why it is set up this way.
What is 192.168.4.253?
192.168.4.253 is the 3560.
ASKER CERTIFIED SOLUTION
rfc1180
This solution is only available to members.
thank you so much you have saved my life.

xxx
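
The host-side next-hop choice discussed in the thread, as an added example that is not part of any post: it takes the 3560's connected subnets from the posted `sh ip route` output and a host on 192.168.4.0/24 whose default gateway is 192.168.4.254, and lists which VLAN subnets that host hands to the router instead of the 3560 (192.168.4.253), with and without the static route quoted above. The host tables, the "on-link" label and the function names are constructed for illustration.

```python
import ipaddress

# Connected subnets, copied from the 3560's `sh ip route` output in the question.
SWITCH_SUBNETS = {
    "Vlan1": "192.168.4.0/24", "Vlan10": "10.0.0.0/24",
    "Vlan20": "10.0.10.0/24", "Vlan30": "172.16.16.0/24",
    "Vlan40": "150.150.0.0/21", "Vlan100": "10.1.1.0/24",
}
SWITCH_IP = "192.168.4.253"   # the 3560, per the thread
ROUTER_IP = "192.168.4.254"   # the hosts' default gateway, per the thread

# Constructed host routing tables as (prefix, gateway) pairs.
HOST_DEFAULT = [("192.168.4.0/24", "on-link"), ("0.0.0.0/0", ROUTER_IP)]
# Same host after: route add 10.0.10.0 mask 255.255.255.0 192.168.4.253
HOST_STATIC = HOST_DEFAULT + [("10.0.10.0/24", SWITCH_IP)]


def gateway_for(routes, target):
    """Longest-prefix match; target may be a single address or a subnet."""
    dest = ipaddress.ip_network(target, strict=False)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def bypassing_switch(routes):
    """VLANs whose traffic from this host is not handed to the 3560."""
    return sorted(
        vlan for vlan, subnet in SWITCH_SUBNETS.items()
        if gateway_for(routes, subnet) not in ("on-link", SWITCH_IP)
    )


if __name__ == "__main__":
    for label, table in (("default gateway only", HOST_DEFAULT),
                         ("with static route", HOST_STATIC)):
        print(f"{label}: sent to {ROUTER_IP} -> {bypassing_switch(table)}")
```
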