Solved

cisco 3560x vlan routing issue

Posted on 2011-09-09
Last Modified: 2012-05-12
I'm trying to route between VLAN1 172.16.0.1/23 and the newly created VLAN20 and VLAN30, 172.16.20.1/23 and 172.16.30.1/23. I have 3 buildings that are connected in a star topology via directly connected fiber. At each location I have a 3560X running the 12.2(58)SE2 IPBase IOS image.

At site 1 I have:
3560X IP 172.16.0.2/23
VLAN1 is 172.16.0.1/23
VLAN20 is 172.16.20.1/23
VLAN30 is 172.16.30.1/23

At site 2 I have:
3560X IP 172.16.0.30/23
VLAN1 is 172.16.0.1/23
VLAN20 is 172.16.20.1/23
VLAN30 is 172.16.30.1/23

At site 3 I have:
3560X IP 172.16.0.38/23
VLAN1 is 172.16.0.1/23
VLAN20 is 172.16.20.1/23
VLAN30 is 172.16.30.1/23

My problem is at sites 2 and 3, where I have servers sitting on the 172.16.20.1/23 and 172.16.30.1/23 subnets. None of those servers can access the internet or ping out to VLAN1. Nor can I see anything on VLAN20 or VLAN30 from VLAN1. I know it's a routing issue but I can't peg the problem.

Here is the VLAN config from the site1 switch (172.16.0.2)

interface Vlan1
 ip address 172.16.0.2 255.255.254.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.254.0
!
interface Vlan30
 ip address 172.16.30.1 255.255.254.0
!
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!


Here is the VLAN config from the site 2 switch (172.16.0.30)

interface Vlan1
 ip address 172.16.0.30 255.255.254.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.254.0
!
interface Vlan30
 ip address 172.16.30.1 255.255.254.0
!
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!

Here is the VLAN config from the site 3 switch (172.16.0.38)

interface Vlan1
 ip address 172.16.0.38 255.255.254.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.254.0
!
interface Vlan30
 ip address 172.16.30.1 255.255.254.0
!
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!


I have a sonicwall pro3060 sitting as the gateway at 172.16.0.1. The ports connecting the fiber between site 1, site2, and site3 are all set to trunk and the VLANs are passing from switch to switch. My ports for the servers are static access vlan20 or 30 depending on the site.
0
Comment
Question by:irish1der
10 Comments
 
LVL 24

Expert Comment

by:Ken Boone
ID: 36514461
So basically you have vlan 1, 20 and 30 extending across your network via fiber trunks.

So why do you have layer 3 interfaces on each vlan at each location?

Also, the way you have it set up you have duplicate IP addresses on your network.  You have the same IP address configured on each switch on each vlan.  

Normally in this deployment I would either a) set up layer 3 p2p links between the switches, use different IP address spaces at each location, and route across the fiber, or b) set up the main site to handle all layer 3 routing and just configure a management VLAN on each switch, with the exception of the main switch, which will have an IP address on each VLAN.
0
 

Author Comment

by:irish1der
ID: 36514487
Site2 and 3 were originally connected to site1 via T1s and 2811 routers. Site2 and 3's original networks were 172.16.20.0/23 and 172.16.30.0/23. When the fiber WAN was finished, I was told I could just connect all the switches at sites 2 and 3 on the management VLAN1 and then create VLAN20 and 30 on the core 3560X at site1 and then assign static access ports to everything at their appropriate site. I've never created a VLAN, so I'm guessing then that I don't need the layer 3 interfaces at each location, just site1.

I want all routing to be handled by the site1 3560x and forward that to the gateway at 172.16.0.1. Is that correct?
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 36514534
That is correct. Get rid of the layer 3 interfaces at site 2 and site 3,
but each switch should have a **unique** IP address on VLAN 1 for management of the switch.
0
 
LVL 1

Expert Comment

by:Mizzio59
ID: 36514548
If you want to do the routing at site 1, you need to carry the VLAN20 and VLAN30 traffic separately from sites 2 and 3 (using trunk interfaces between the two sites that carry all three VLANs).
That means that no VLAN20 and VLAN30 interfaces are needed at the locations other than site 1 (a VLAN 1 interface is needed for management).
0
 

Author Comment

by:irish1der
ID: 36514897
I made the changes and vlan20 @ site2 still cannot route to anything. I cannot ping vlan20 from vlan1. I didn't think it would be this hard setting up two simple vlans.  

Site1 3560 (core)


!
interface Port-channel1
 switchport access vlan 1
 switchport mode access
!
interface Port-channel2
 switchport access vlan 1
 switchport mode access
!
interface Port-channel3
 switchport access vlan 1
 switchport mode access
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
!
interface GigabitEthernet0/1
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/11
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/12
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/17
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/18
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/19
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/20
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/21
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/22
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/23
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/24
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/25
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/26
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/27
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/28
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/29
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/30
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/31
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/32
 switchport access vlan 1
 switchport mode access
!
interface GigabitEthernet0/33
 switchport access vlan 1
 switchport mode access
 channel-group 1 mode active
!
interface GigabitEthernet0/34
 switchport access vlan 1
 switchport mode access
 channel-group 1 mode active
!
interface GigabitEthernet0/35
 switchport mode access
 channel-group 2 mode active
!
interface GigabitEthernet0/36
 switchport mode access
 channel-group 2 mode active
!
interface GigabitEthernet0/37
 switchport access vlan 1
 switchport mode access
 channel-group 3 mode active
!
interface GigabitEthernet0/38
 switchport access vlan 1
 switchport mode access
 channel-group 3 mode active
!
interface GigabitEthernet0/39
 switchport access vlan 1
 switchport mode access
 channel-group 4 mode active
!
interface GigabitEthernet0/40
 switchport access vlan 1
 switchport mode access
 channel-group 4 mode active
!
interface GigabitEthernet0/41
 switchport access vlan 1
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/42
 switchport access vlan 1
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/43
 switchport access vlan 1
 switchport mode access
 channel-group 6 mode active
!
interface GigabitEthernet0/44
 switchport access vlan 1
 switchport mode access
 channel-group 6 mode active
!
interface GigabitEthernet0/45
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/46
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 description Lace
 switchport access vlan 102
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/3
 description DeLay
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet1/1
!         
interface TenGigabitEthernet1/2
!
interface Vlan1
 ip address 172.16.0.2 255.255.254.0
!
interface Vlan11
 no ip address
!
interface Vlan20
 ip address 172.16.20.1 255.255.254.0
!
interface Vlan30
 ip address 172.16.30.1 255.255.254.0
!
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!


Site2 3560



Current configuration : 2828 bytes
!
! Last configuration change at 20:59:35 UTC Fri Sep 9 2011
! NVRAM config last updated at 20:45:53 UTC Fri Sep 9 2011
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Lace-MDF-A
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$m9c2$kvX.NuWlo22v.ZJ7HqEso1
!
no aaa new-model
clock timezone UTC -6 0
clock summer-time UTC recurring
system mtu routing 1500
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!         
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 ip address 172.16.0.30 255.255.254.0
!
ip default-gateway 172.16.0.1
ip http server
ip http secure-server
!
!


0
 

Author Comment

by:irish1der
ID: 36514903
VTP is enabled as server on the site1 3560 and VTP is enabled as client at site2. Both are running VTP version 1 and site 2 sees both of the VLANs as propagated from site1.
0
 
LVL 24

Accepted Solution

by:
Ken Boone earned 250 total points
ID: 36514956
Can you ping site 2 from site 1?

On site 1 you might need to enable routing

config t
ip routing
0
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 250 total points
ID: 36517498
Hi,

remove "ip default-gateway 172.16.0.1"
 
and configure

ip routing

Also make sure the vlans are created

please post

show vlan
sh ip int brief
0
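
An offline audit for the two problems raised in the answers above (the same SVI address configured on several switches, and a switch with several SVIs but no `ip routing`), added here as an example and not posted by any participant in the thread. The trimmed configs are constructed from the ones in the question, and the names `parse_svis` and `audit` are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: trimmed running-configs modelled on the question's.
SITE1 = """interface Vlan1
 ip address 172.16.0.2 255.255.254.0
interface Vlan20
 ip address 172.16.20.1 255.255.254.0
ip default-gateway 172.16.0.1
"""
SITE2 = SITE1.replace("172.16.0.2 ", "172.16.0.30 ")  # same Vlan20 address reused
CONFIGS = {"site1": SITE1, "site2": SITE2}

def parse_svis(config):
    """Return {svi_name: IPv4Interface} for each 'interface VlanN' with an address."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Vlan\d+)\s*$", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the stanza
        else:
            m = re.match(r" ip address (\S+) (\S+)\s*$", line)
            if m and current:
                svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return svis

def audit(configs):
    """Flag SVI addresses reused across switches, and switches that hold
    several SVIs without 'ip routing' (so they cannot route between them)."""
    owners, findings = defaultdict(list), []
    for host, cfg in configs.items():
        svis = parse_svis(cfg)
        for name, iface in svis.items():
            owners[iface.ip].append(f"{host}/{name}")
        routing = re.search(r"^ip routing\s*$", cfg, re.M) is not None
        if len(svis) > 1 and not routing:
            findings.append(f"{host}: {len(svis)} SVIs but no 'ip routing'")
    for ip, where in sorted(owners.items()):
        if len(where) > 1:
            findings.append(f"duplicate {ip}: {', '.join(where)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIGS)))
```
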
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 37426489
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
