Client to client doesn't work either, between vlans anyway. Someone on the payroll vlan was unable to get to a printer on a separate vlan, or the file server on a separate vlan. The router's routing table:

Gateway of last resort is 192.168.64.2 to network 0.0.0.0

S 192.168.88.0/24 [1/0] via 10.3.0.1

S 192.168.15.0/24 [1/0] via 10.0.4.2

S 172.16.0.0/16 [1/0] via 159.24.201.205

159.24.0.0/30 is subnetted, 1 subnets

C 159.24.201.204 is directly connected, Serial0/0/0.1

10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks

S 10.4.6.0/24 [1/0] via 10.4.0.84

S 10.4.7.0/24 [1/0] via 10.4.0.84

S 10.0.0.0/8 [1/0] via 159.24.201.205

S 10.4.5.0/24 [1/0] via 10.4.0.84

S 10.4.2.0/24 [1/0] via 10.0.4.2

S 10.4.3.0/24 [1/0] via 10.4.0.84

C 10.4.0.0/24 is directly connected, FastEthernet0/0

C 10.0.4.0/30 is directly connected, Serial0/1/0

S* 0.0.0.0/0 [1/0] via 192.168.64.2

S 192.168.0.0/16 [1/0] via 159.24.201.205

Hummelstown2811#

I've also attached the 2811's config.

William

Thanks for the additional information. Based on this I think that we have answers for part of the question. The 2811 needs static routes for the subnets that are on the switches because otherwise it has no knowledge of them. They are not connected subnets on the 2811 and there is no dynamic routing protocol between the 3560 and the 2811. So static routes are needed for connectivity from the 2811 to anything in those VLANs connected through the switches.

I am not clear why client to client does not work. Looking at the 3560 it sees those subnets as connected and I would expect it to route between the VLANs. I am not sure why it would be forwarding to the 2811, but from your description that appears to be what is happening. Can you verify how the clients are configured? In particular I am interested in the mask that they have and their default gateway. I am wondering if there is some aspect of the client config that is sending traffic to the 2811.

Also in a brief look at the documentation for the 3560 there is a statement that which version of software (standard version or enhanced) is running impacts the options for routing. Which version of software is the 3560 running? It might be helpful if you post the output of show protocol and of show ip protocol on the 3560.

HTH

Rick

An example of a client's ip config for the payroll vlan, would be

10.4.5.101/24

gateway is 10.4.5.1

One odd thing I noticed is I can ping fine from hyperterminal on the switch without the static routes on the 2811, but the clients connected to the switch get lost. Here's also a sample of the routing table on one of my switches.

The primary gateway: 10.4.0.84

Destination Gateway RouteMask Flags Use Interface

--------------- --------------- ---------- ----- -------- ---------

default 10.4.0.84 0x0 UG 2 sc0

10.4.0.0 10.4.0.86 0xffffff00 U 15678 sc0

192.168.6.0 10.4.0.1 0xff000000 UGD 0 sc0

sh ver for 3560

Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB1, RELEA

SE SOFTWARE (fc1)

Copyright (c) 1986-2005 by Cisco Systems, Inc.

Compiled Fri 29-Apr-05 22:25 by yenanh

ROM: Bootstrap program is C3560 boot loader

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEB, RELEASE SOFTWAR

E (fc)

Humm3560 uptime is 1 week, 2 days, 21 hours, 21 minutes

System returned to ROM by power-on

System image file is "flash:c3560-ipbase-mz.122-25.SEB1/c3560-ipbase-mz.122-25.S

EB1.bin"

cisco WS-C3560-48TS (PowerPC405) processor (revision A0) with 118784K/12280K byt

es of memory.

Processor board ID CAT0905R0PW

Last reset from power-on

5 Virtual Ethernet interfaces

48 FastEthernet interfaces

4 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address : 00:13:1A:F5:61:00

Motherboard assembly number : 73-9898-05

Power supply part number : 341-0097-01

Motherboard serial number : CAT09050BRV

Power supply serial number : DCA085301E2

Model revision number : A0

Motherboard revision number : A0

Model number : WS-C3560-48TS-S

System serial number : CAT0905R0PW

SFP Module assembly part number : 73-7757-02

SFP Module revision Number : A0

SFP Module serial number : CAT09050FDZ

Top Assembly Part Number : 800-26162-01

Top Assembly Revision Number : A0

Version ID : V01

CLEI Code Number : COMMJ00ARA

Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

* 1 52 WS-C3560-48TS 12.2(25)SEB1 C3560-IPBASE-M

Configuration register is 0xF

sh protocol is

Humm3560#sh proto

Global values:

Internet Protocol routing is enabled

Vlan1 is up, line protocol is up

Internet address is 10.4.0.84/24

Vlan100 is up, line protocol is up

Internet address is 10.4.5.1/24

Vlan110 is up, line protocol is up

Internet address is 10.4.6.1/24

Vlan120 is up, line protocol is up

Internet address is 10.4.7.1/24

Vlan130 is up, line protocol is up

Internet address is 10.4.3.1/24

FastEthernet0/1 is down, line protocol is down

omitted

sh ip proto

Humm3560#sh ip proto

*** IP Routing is NSF aware ***

Thank you

One other note I wanted to add, a client, for example from the payroll vlan, is able to ping all the vlan ip addresses as defined on the 3560, 10.4.5.1, 10.4.6.1, etc, but is unable to ping any hosts on those vlan subnets, or the 2811 router, 10.4.0.1

You added the layer 3 information , did you ever create the layer 2 side of it . Do all vlans show active and show up when you do a "show vlan" ? Do all ports look like they are in the correct vlan when you do this command ?

A show vlan from the 3560 and the 2948 reveals all the vlan and their status as active.

William

Thanks for the additional information. The output from the 3560 pretty much looks like what I was expecting. The config looks right to me and I would expect the 3560 to route for the local VLANs, but it is not. I have sometimes observed that when the config looks right but the behavior is not what is expected, that a reboot will sometimes produce the correct behavior. Is there an chance that you could reboot the 3560?

I am trying to figure what we can learn from what you mention that a client can ping the several VLAN interfaces on the 3560 but can not ping hosts within the VLAN. I believe that this demonstrates that the IP addressing and default gateway on the client are correct since it is able to ping a "remote" destination. I think it suggests that the 3560 is not routing/forwarding directly between the VLANs but is forwarding to the 2811 for this traffic. I am puzzled why this would be happening this way.

HTH

Rick

I will reload it tonite and try again in the morning. Will let you know the results. It does look like even though the 3560 has the vlans directly attached, it is forwarding to teh 2811 to get to hosts inside the various vlans.

Rick, I rebooted, but still the same behaviour. I did a few traceroutes again, and notice clients are able to get to other clients, even if they are in different vlans, as long as they are on the same switch, but not other switches. I also tried changing the default gateway to the 3560, 10.4.0.84, but a trace still went to the vlan address first, 10.4.8.1, and got lost after that. I still don't get why I'm able to ping everywhere from the swtich while connected to the switch through hyperterminal, but not clients connected to the switch. Something has to be missing from the 3560 to prevent correct routing.

William

I think it is very strange that clients can get to other clients in other VLANs as long as they are on the same switch but can not get to clients on other switches. My understanding is that to get to other VLANs would require getting to the 3560 and at that point it should not matter whether the destination is on another switch or not. It makes me wonder about the switch connections to the 3560 and their trunking.

When you say that you can ping everywhere when connected to the switch via hyperterm, are you talking about being connected to the 3560 or to the other switches?

HTH

Rick

Should I have configured the port on the 3560 that uplinks to the 2811 to be a layer 3 port with an IP address on the same subnet as the fast ethernet port of the 2811?

William

I would think that it should work ok either way. But while we are trying things, it might be worth a try to configure the 3560 port as layer 3 and put the IP address there.

HTH

Rick

while I'm not sure exactly what I did to resolve this, it is no longer an issue. One thing I did have wrong, on some of my static clients like servers, I had them using the 2811 as their gateway instead of the 3560. I think my understanding of how things were supposed to work was skewed by that misconfiguration. Anyway, thank you very much for your help, I appreciate it.

Bill