10-25-2011 07:42 AM - edited 03-11-2019 02:42 PM
I'm sure some of these questions have been asked, but I think my setup is a little different. I have a rather large network with multiple VLANs and routing that I need some help on. Here's the layout:
5540 subinterface = gi0/2.18 = 10.16.18.1/24 TRUNKED to a 2960
2960 has an interface set to VLAN 18 (no IP) goes to a Cisco 4507 with an int. set to VLAN 18 (no IP)
4507 then has a trunk to a Cisco 7206
7206 then trunks to a Cisco 3845
3845 trunks to a 3750 (single)
3750 (single) trunks to a 3750 Stack
3750 Stack has int. set to VLAN 18 that goes to a 3750(lab) w/ int set to VLAN 18 w/ IP 10.16.18.251/24, VLAN502 = 10.202.255.1/30, VLAN510 = 10.203.255.1/30
3750(lab) then has a trunk that connects to ASA 5510 w/ subinterfaces: e0/1.18 = 10.16.18.253/24, e0/1.510 = 10.203.255.2/30, e0/1.502 = 10.202.255.2/30
ASA5510 then goes to Internet
Any trunks are set to allow all VLANs. From the 2960 to the 3750 stack it's obviously all Layer 2 with trunking.
Issue:
If I sit at the 5540, I can ping 10.16.18.251 and .253 with no problems. I can also ping 10.203.255.1 with no problems. Problem is that I cannot get to the other subinterfaces on the 5510 for VLANs 502 and 510. How do I ensure that my trunk is set up right? I have a route in the 5540 pointing to the 10.203 and 10.202 using the 10.16.18.251 address. It seems like a traceroute gets to the 10.16.18.251 address but then it stops. What route should be on the 5510 to make sure it gets back? The default route on the 5510 points to the Outside. What am I missing? I think it's something to do with the trunk that's just something I don't understand yet. Any help is appreciated. Thanks,
5510:
show int ip bri:
Ethernet0/1.18 10.16.18.253 YES manual up up
Ethernet0/1.502 10.202.255.2 YES manual up up
Ethernet0/1.510 10.203.255.2 YES manual up up
show route
Gateway of last resort is x.x.x.x to network 0.0.0.0
C x.x.x.x 255.255.255.248 is directly connected, Outside
C 10.202.255.0 255.255.255.252 is directly connected, ***
C 10.203.255.0 255.255.255.252 is directly connected, ***
C 10.16.18.0 255.255.255.0 is directly connected, VLAN18
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, Outside
3750(lab):
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
end
show int status:
Gi1/0/24 connected trunk a-full a-100 10/100/1000BaseTX
show ip int bri:
Vlan18 10.16.18.251 YES NVRAM up up
10-25-2011 08:24 AM
Jason
What is the connection between the 3750 stack and the 3750 lab?
It needs to be a trunk link because you are routing the traffic on the 3750 stack so the packet from the 5540 will be routed onto either vlan 502 or 510.
If the connection is only in vlan 18 then it won't be able to send the traffic onwards.
Out of interest, what is the reasoning behind this setup, i.e. all the trunks between the 5540 and the 3750 stack?
Jon
10-25-2011 08:37 AM
Well I understand what you're saying, but before this current setup was in place, the 3750(lab) didn't exist, and we just had 3 different Cisco 871s plugged directly into the stack with interfaces set to VLAN 18. The 871s took care of all the other VLANs including 502 and 510 and that traffic was accessible over the VLAN 18 link between the 3750 stack and the 871s. Does the fact that it's a L3 switch change how this would work? Thanks,
Jason
10-25-2011 08:42 AM
Jason
It depends on where the vlans were routed and how the 871s were set up. If the 3750 stack wasn't routing but simply L2 and the vlans were routed off the 871s then yes that would have worked.
With the 3750 stack routing, that is why the traceroute stops at the 3750, i.e. it routes the packet onto vlan 502 for example and then tries to send it on. But it can't unless the link is a trunk link which includes vlan 502.
Jon
10-25-2011 08:49 AM
The stack isn't doing the routing. The 3750(lab) would be handling the routing for each VLAN, like 502 and 510. The 3750(lab) has a VLAN 18 address of 10.16.18.251 and has a VLAN18 interface plugged into the 3750 Stack with the VLAN 18 interface but no VLAN 18 IP is on the stack.
Should the 3750(lab) have a port set to L3 and be a routed port with the VLAN 18 IP Address and then to access the other VLANs, the next hop from the 5540 would be that IP Address?
I will definitely try the trunking, but I know when I make some changes, I'm going to lose access and I'm not next to it right now.
10-25-2011 08:54 AM
So if the 3750 lab switch is doing the routing then it should work as you have it.
Can you post "sh in trunk" from the 3750 lab switch.
Jon
10-25-2011 09:09 AM
Can you also confirm how you have set up the ASA 5510, i.e. it may be a firewall configuration issue.
Jon
10-25-2011 09:20 AM
Sorry for the confusion. It just seems like it's something with the ASA cause everything stops there. If I log into the 3750(lab), I can ping the subinterfaces that are on the 5510 just fine. If I back up to the 3750 stack, I can ping the VLAN 18 address that is on the 5510, but I cannot ping the other subinterfaces, like VLAN 502 or 510.
Here is some info on the 5510:
Gateway of last resort is x.x.x.x to network 0.0.0.0
C x.x.x.x 255.255.255.248 is directly connected, Outside
C 10.202.255.0 255.255.255.252 is directly connected, *** (*** obviously just the name of the subinterface)
C 10.203.255.0 255.255.255.252 is directly connected, *** (*** obviously just the name of the subinterface)
C 10.16.18.0 255.255.255.0 is directly connected, VLAN18
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, Outside
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.18
 vlan 18
 nameif VLAN18
 security-level 0
 ip address 10.16.18.253 255.255.255.0
!
interface Ethernet0/1.502
 vlan 502
 nameif ****
 security-level 0
 ip address 10.202.255.2 255.255.255.252
!
interface Ethernet0/1.510
 vlan 510
 nameif ****
 security-level 0
 ip address 10.203.255.2 255.255.255.252
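The return-path question raised in the thread ("What route should be on the 5510 to make sure it gets back?") can be checked offline from the posted addressing. The following is an added example, not code from any poster: it parses the 5510 subinterface config and compares the subinterface a ping is addressed to with the connected route the firewall would use to reach the source. The function names are hypothetical, and it assumes the 5540 sources its pings from 10.16.18.1 and that routed pings arrive on the subinterface owning the target address.

```python
import ipaddress
import re

# Subinterface config as posted for the 5510 (nameif values are redacted in the thread).
ASA_CONFIG = """\
interface Ethernet0/1.18
 vlan 18
 nameif VLAN18
 security-level 0
 ip address 10.16.18.253 255.255.255.0
interface Ethernet0/1.502
 vlan 502
 nameif ****
 security-level 0
 ip address 10.202.255.2 255.255.255.252
interface Ethernet0/1.510
 vlan 510
 nameif ****
 security-level 0
 ip address 10.203.255.2 255.255.255.252
"""

def parse_interfaces(config):
    """Map each interface name to its ipaddress.IPv4Interface."""
    interfaces, name = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            interfaces[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def return_interface(interfaces, source):
    """Connected interface used to reach source; None if only the default route matches."""
    src = ipaddress.ip_address(source)
    hits = [(i.network.prefixlen, n) for n, i in interfaces.items() if src in i.network]
    return max(hits)[1] if hits else None

def check_ping(interfaces, source, target):
    """Compare the interface that owns target with the route back to source."""
    tgt = ipaddress.ip_address(target)
    owner = next((n for n, i in interfaces.items() if i.ip == tgt), None)
    back = return_interface(interfaces, source)
    return {"target_if": owner, "return_if": back, "asymmetric": owner != back}

if __name__ == "__main__":
    ifs = parse_interfaces(ASA_CONFIG)
    for target in ("10.16.18.253", "10.202.255.2", "10.203.255.2"):
        print(target, check_ping(ifs, "10.16.18.1", target))
```

For the VLAN 18 address the request and the route back use the same subinterface; for the 502 and 510 addresses the route back to 10.16.18.1 is the connected VLAN 18 network rather than the subinterface the ping is addressed to.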