Link to home
Start Free TrialLog in
Avatar of huffmana
huffmanaFlag for United States of America

asked on

Can't reach enclave switch on the MNGT network.

Created an enclave (192.168.170.0/24) on our office network using a Cisco 2921 and overload NAT to the ISP Firewall (192.168.168.1).  The enclave NAT works OK but I can't get the management network (10.10.10.0/27) out to the switch in the enclave.  I can't ping 10.10.10.11 even from the CORE switch.

See the attached diagram.  MNGT 10.10.10.0/27  OFFICE 192.168.168.0/24  ENCLAVE 192.168.170.0/24

  User generated image
Avatar of Soulja
Soulja
Flag of United States of America image

When you ping from the enclave router to 10.10.10.11, are you sourcing the ping from the enclave mgmt interface?
Avatar of Andy Bartkiewicz
Andy Bartkiewicz

I believe you are having issues because of a Native vlan mismatch on 7 and 8. You've got vlan 200 as the native on 8 and vlan 1 as the native on 7.
Avatar of huffmana

ASKER

$ ssh user@10.10.10.10
C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
Password:

guestrtr1>en
Password:
guestrtr1#ping 10.10.10.11 source 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.11, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
.....
Success rate is 0 percent (0/5)
guestrtr1#
Also you've got interface 9 setup as a trunk when I think it's supposed to be access
What is the result of a trace route from the core switch to 10.10.10.11?
Tried the trunks with native 200 on both sides and with native 1 on both sides.... And it still doesn't ping....  How can the broadcast domain get interrupted between two switches connected by a trunk?  Maybe the vlans aren't allocated....
Int 9 is working as a trunk.  I thought that it would be more secure than a mode access....  I think that the Firewall is tagging it's port as vlan 200.  I don't have access to the Meraki router :-(  I'm afraid to change it....
ASKER CERTIFIED SOLUTION
Avatar of Soulja
Soulja
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Got it, there was a port monitoring I forgot about!!!! All I had to do was look at UP/DOWN.

How stupid can I be - ignoring the obvious....

Thank you everyone....
Well your not tagging vlan 200 to the router, its native. That's probably why its working. I don't think thats more secure however. Are the vlans defined on both the core and etherswitch?
It is so much appreciated to have these professional help me out.  They are invaluable.