04-28-2003 04:15 PM - edited 03-02-2019 06:58 AM
Hi,
This is my network:
      10.84.0.10 (pix 515)
           |
      10.84.0.9 (c3550 emi)
         /     \
     (host)   (host)
I have a problem with VLAN routing. I set up SVIs (Switch Virtual Interfaces): VLAN 1 IP 10.84.0.9, VLAN 2 IP 10.84.255.1. But the VLAN routing isn't working. I can't get a ping through to 10.84.255.1 on the switch. Why? I want traffic to be able to cross the VLANs.
Thanks
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
ip subnet-zero
ip routing
spanning-tree extend system-id
interface FastEthernet0/1
 no ip address
 duplex half
 speed 10
interface FastEthernet0/2
 no ip address
 duplex half
 speed 10
interface FastEthernet0/3
 no ip address
 speed 100
interface FastEthernet0/4
 no ip address
 duplex half
 speed 10
interface FastEthernet0/5
 no ip address
 duplex full
 speed 100
interface FastEthernet0/6
 no ip address
interface FastEthernet0/7
 no ip address
interface FastEthernet0/8
 no ip address
interface FastEthernet0/9
 no ip address
interface FastEthernet0/10
 no ip address
interface FastEthernet0/11
 no ip address
 duplex half
 speed 10
interface FastEthernet0/12
 no ip address
interface FastEthernet0/13
 no ip address
interface FastEthernet0/14
 no ip address
 duplex half
 speed 10
interface FastEthernet0/15
 no ip address
interface FastEthernet0/16
 no ip address
 duplex half
 speed 10
interface FastEthernet0/17
 no ip address
interface FastEthernet0/18
 no ip address
interface FastEthernet0/19
 no ip address
interface FastEthernet0/20
 no ip address
interface FastEthernet0/21
 no ip address
interface FastEthernet0/22
 no ip address
interface FastEthernet0/23
 no ip address
interface FastEthernet0/24
 no ip address
interface FastEthernet0/25
 no ip address
 duplex half
 speed 10
interface FastEthernet0/26
 no ip address
interface FastEthernet0/27
 no ip address
interface FastEthernet0/28
 no ip address
interface FastEthernet0/29
 no ip address
interface FastEthernet0/30
 no ip address
interface FastEthernet0/31
 no ip address
interface FastEthernet0/32
 no ip address
 duplex half
 speed 10
interface FastEthernet0/33
 no ip address
 duplex half
 speed 100
interface FastEthernet0/34
 no ip address
 duplex half
 speed 10
interface FastEthernet0/35
 no ip address
 duplex half
 speed 10
interface FastEthernet0/36
 no ip address
interface FastEthernet0/37
 no ip address
 duplex half
 speed 10
interface FastEthernet0/38
 no ip address
interface FastEthernet0/39
 no ip address
 duplex half
 speed 10
interface FastEthernet0/40
 no ip address
interface FastEthernet0/41
 no ip address
 duplex half
 speed 10
interface FastEthernet0/42
 no ip address
interface FastEthernet0/43
 no ip address
interface FastEthernet0/44
 no ip address
 duplex half
 speed 10
interface FastEthernet0/45
 no ip address
interface FastEthernet0/46
 no ip address
 duplex half
 speed 10
interface FastEthernet0/47
 no ip address
interface FastEthernet0/48
 no ip address
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/2
 no ip address
interface Vlan1
 ip address 10.84.0.9 255.255.255.0
 no ip mroute-cache
interface Vlan2
 ip address 10.84.255.1 255.255.255.0
 no ip mroute-cache
ip classless
ip route 10.84.0.0 255.255.255.0 Vlan2
ip route 10.84.255.0 255.255.255.0 Vlan1
ip http server
end
04-28-2003 06:14 PM
What's the purpose of the two static routes? They appear to be backwards, and aren't necessary anyway since so-called "connected" routes will be created by default for the two VLAN interfaces.
04-28-2003 07:01 PM
Also, when I show the interfaces:
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0009.e8fd.6280 (bia 0009.e8fd.6280)
  Internet address is 10.84.0.9/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     59465 packets input, 8183243 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1356 packets output, 143983 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Vlan2 is up, line protocol is down
  Hardware is EtherSVI, address is 0009.e8fd.6280 (bia 0009.e8fd.6280)
  Internet address is 10.84.255.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 51
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Why is the VLAN 2 line protocol down?
04-29-2003 06:39 PM
I didn't notice this before, but none of the switch's ports are in VLAN2. Hence, the VLAN2 interface is down.
04-29-2003 08:12 PM
On the switch:
1. Remove the two static routes that are in your original config:
no ip route 10.84.0.0 255.255.255.0 Vlan2
no ip route 10.84.255.0 255.255.255.0 Vlan1
They are confusing the switch.
2. Add a static default route that points to the PIX Firewall inside interface:
ip route 0.0.0.0 0.0.0.0 10.84.0.10 1
This lets VLAN1 and VLAN2 traffic go out the PIX to the Internet.
3. Move at least one port (FastEthernet or GigabitEthernet) into VLAN2. For example:
interface FastEthernet0/48
 switchport access vlan 2
Interface VLAN2 should come up now.
4. Save the config.
On the PIX:
5. Make sure there's a static route to VLAN2's subnet via the switch's VLAN1 IP address:
route inside 10.84.255.0 255.255.255.0 10.84.0.9 1
This tells the PIX where to send traffic destined for VLAN2 hosts.
6. Make sure there are no other static routes on the PIX which could affect traffic headed to the VLAN2 subnet.
7. Save the config.
Back to the switch:
8. Plug a computer into that Ethernet port, give it an IP address and mask for VLAN2 (10.84.255.something), give it 10.84.255.1 as the default gateway.
9. Find a PC on VLAN1, and make sure the PC's default gateway is the switch's VLAN1 IP address and NOT the PIX's inside IP address.
10. From the VLAN2 PC, ping to the PC on VLAN 1. This tests Layer 3 across the switch to a VLAN1 host.
11. From the VLAN2 PC, ping the PIX inside IP address. This tests whether you can reach the Internet from VLAN2.
12. From the VLAN1 PC, ping the PC on VLAN2. This tests Layer 3 across the switch to a VLAN2 host.
13. From the VLAN1 PC, ping the PIX inside IP address. This tests whether you can reach the Internet from VLAN1.
Hope this helps.
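The two switch-side faults found in this thread (an SVI whose VLAN has no member port, and static routes that send a connected subnet out the other SVI) can be checked mechanically. The following is an added example, not code from any poster in the thread; the `parse` and `audit` names are hypothetical, and it assumes every physical port is an access port that sits in VLAN 1 unless `switchport access vlan` says otherwise (trunks are not modelled).

```python
import ipaddress
import re

# Constructed sample: abridged from the configuration posted in the thread
# (most FastEthernet ports omitted; none had "switchport access vlan").
SAMPLE_CONFIG = """\
ip routing
interface FastEthernet0/1
 no ip address
interface FastEthernet0/48
 no ip address
interface Vlan1
 ip address 10.84.0.9 255.255.255.0
interface Vlan2
 ip address 10.84.255.1 255.255.255.0
ip route 10.84.0.0 255.255.255.0 Vlan2
ip route 10.84.255.0 255.255.255.0 Vlan1
"""

def parse(config):
    """Return (SVI subnets, access VLAN per port, static routes)."""
    svis, access_vlans, routes, current = {}, {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            if not current.lower().startswith("vlan"):
                access_vlans[current] = 1  # assumption: default access VLAN
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            if current and current.lower().startswith("vlan"):
                svis[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            access_vlans[current] = int(m[1])
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)(?: \d+)?", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return svis, access_vlans, routes

def audit(config):
    """List SVIs with no member port and static routes that override a connected subnet."""
    svis, access_vlans, routes = parse(config)
    findings, used = [], set(access_vlans.values())
    for name in svis:
        if int(name[4:]) not in used:
            findings.append(f"{name}: no access port in VLAN {name[4:]}, line protocol stays down")
    for net, target in routes:
        for name, connected in svis.items():
            if net == connected and target in svis and target != name:
                findings.append(f"ip route {net} via {target}: subnet is connected on {name}")
    return findings
```

On the posted configuration `audit` reports three findings; after steps 1 to 3 above it reports none.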
04-30-2003 12:02 AM
Thanks.
I have a router, 10.84.0.1; it is connected to the intranet (10.*.*.*). I want any machine to be able to reach the Internet and also the intranet. How can I do that?
I have put a port into VLAN2 and VLAN2 came up, and I removed the two static routes that were in my original config. I have not done steps 4-13.
But a machine in VLAN 2 can get a ping through to the VLAN 1 IP, 10.84.0.9, but I can't ping any machine in VLAN 1, and no machine in VLAN 1 can ping the VLAN 2 IP, 10.84.255.0.
04-30-2003 07:55 PM
The router at 10.84.0.1 on your VLAN1 changes the network picture. It is probably the default gateway for your 10.84.0.0/24 VLAN1 users.
The router probably has a default route that points to the PIX Firewall inside IP address 10.84.0.9 for Internet access. Also, the router probably has a static route or routes pointing to the intranet 10.*.*.* and reaches them through other interfaces, for example serial.
The router does not know that subnet 10.84.255.0/24 on your VLAN2 is reached via 10.84.0.9. We need to change some of the steps I outlined in my earlier post, to fix this.
On the switch:
2a. Remove static default route that points to the PIX Firewall inside interface:
no ip route 0.0.0.0 0.0.0.0 10.84.0.10 1
2b. Add static default route that points to that router's LAN interface:
ip route 0.0.0.0 0.0.0.0 10.84.0.1 1
2c. Save the config.
On the router:
2d. Add static route to VLAN2's subnet via the switch's VLAN1 IP address:
ip route 10.84.255.0 255.255.255.0 10.84.0.9 1
This tells the router where to send traffic destined for VLAN2 hosts.
2e. Save the config.
Now try to ping between the PCs on VLAN1 and those on VLAN2. If my guess about the router's configuration is correct, this should work.
Next, ping in the opposite direction, from VLAN2 back to VLAN1 PCs. This should work, too.
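The missing return route described in this answer can be seen by tracing a packet hop by hop with longest-prefix matching. This is an added example, not part of the original posts: the routing tables are assumptions built from the answer's guess about the router (default route toward the PIX at 10.84.0.10, no route for VLAN2 until step 2d), the PIX is assumed to have only a default route, and the host addresses in the usage note are constructed.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Which device answers for each next-hop address in the thread's topology.
OWNER = {"10.84.0.1": "router", "10.84.0.9": "switch",
         "10.84.0.10": "pix", "10.84.255.1": "switch"}

def tables(router_has_vlan2_route):
    """Assumed routing tables as (prefix, next hop); None means directly connected."""
    t = {
        "switch": [(net("10.84.0.0/24"), None), (net("10.84.255.0/24"), None),
                   (net("0.0.0.0/0"), "10.84.0.1")],           # step 2b
        "router": [(net("10.84.0.0/24"), None),
                   (net("0.0.0.0/0"), "10.84.0.10")],          # guessed default
        "pix": [(net("10.84.0.0/24"), None), (net("0.0.0.0/0"), "outside")],
    }
    if router_has_vlan2_route:                                 # step 2d
        t["router"].append((net("10.84.255.0/24"), "10.84.0.9"))
    return t

def trace(gateway, dst, routing, max_hops=8):
    """Follow a packet from a host's default gateway toward dst."""
    dst = ipaddress.ip_address(dst)
    device, path = OWNER[gateway], []
    for _hop_count in range(max_hops):
        path.append(device)
        # Longest-prefix match among the routes that cover the destination.
        _, hop = max((r for r in routing[device] if dst in r[0]),
                     key=lambda r: r[0].prefixlen)
        if hop is None:
            return path, "delivered"
        if hop not in OWNER:
            return path, "lost"      # left the LAN toward the Internet
        device = OWNER[hop]
    return path, "loop"
```

With `tables(False)`, `trace("10.84.0.1", "10.84.255.50", ...)` ends at the PIX as lost while `trace("10.84.255.1", "10.84.0.50", ...)` is delivered by the switch, so echo requests from VLAN2 arrive but the replies from VLAN1 hosts never return; with `tables(True)` both directions are delivered.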
05-01-2003 05:45 PM
konigl,
thank you, really!
I will test it!
05-01-2003 10:25 PM
Thank you!
I have resolved the problem!
I want to know:
1) Why do the RIP and OSPF protocols have no use?
2) If I have many VLANs to route, how can I do it?
3) If I have no PIX or router, how can I resolve the VLAN routing?