Subinterface Question

dkblee
Level 1

hi!

If I'm configuring subinterfaces on my 2600 router (e.g. fa0/0.1, fa0/0.2), will there be any problem if on the physical interface fa0/0 I configure an IP and tie it to one of my VLANs? I need to verify this because I'm having a problem with the access-list applied on these subinterfaces. In the access list, the source that includes all the clients in a subnet is functioning well, but not the source with only a single host. e.g.

access-list 111 permit ip 10.71.9.0 0.0.0.255 10.71.12.65 --------- OK

access-list 111 permit ip host 10.71.9.93 10.71.10.0 --------- this statement with one host as a source is not functioning.

21 Replies

Hi,

I've got a feeling you are in native VLAN trouble.

Your trunk should use encapsulation dot1Q 1 native on one subinterface. But this option is not available in older IOSes.

So you are using a workaround with an IP address assigned to the Fa0/0 interface, which is assigned to the native VLAN then. I.e., all untagged frames are supposed to belong to the native VLAN and to the Fa0/0 assigned subnet.

But you have to know which VLAN is configured as native (untagged) on the other trunk side.

If you move the IP address from Fa0/0 to a subinterface, the frames are sent tagged then (and expected to come tagged, too).

My understanding of this very long thread is that everything works fine in this case.

If yes, the problem is caused by applying an ACL to Fa0/0 used as a native VLAN problem workaround with subinterfaces configured on the same interface (Fa0/0). You might have found an undocumented bug.

So there might be two possible fixes:

1) Upgrade to the latest IOS with "encapsulation dot1Q 1 native" option supported. Don't assign any IP address to Fa0/0 then.

2) If you can't upgrade for any reason, create a new "dead" VLAN and use it as the native one on the trunk to your router. Don't apply any ACL on Fa0/0, only on subinterfaces.

Regards,

Milan

I have looked at the messages in this thread and am still not sure quite what the problem is.

I looked at the syntax of the access list:

access-list 111 permit ip host 10.71.9.93 any

and I do not see any problems with syntax. If it is not working then I think the probable causes of the problem would include:

- problems with the way in which the access list was applied. You have not shown how you applied the list so I am not sure there. My first suggestion would be to remove the access list entirely and see if things work. If things do work with no access list and do not work with the access list then you can be sure that the flaw is with the access list or with the way in which it was applied.

- problems with basic connectivity. (Given the confusion about whether the subnet is associated with the physical interface or some subinterface, I wonder if this is not the cause.) I would suggest removing any access list and see if things work. If they do not work then you have some basic configuration error to resolve. If they do work with no access list and do not work with the access list then you can concentrate on the access list.

HTH

Rick

hi!

I've configured the .9 vlan on subinterface fa0/0.6

(with dot1q encapsulation + IP), removed the access-list and IP on fa0/0 and issued the command no shut. After that, I tried the tests below.

Tests tried

===================

1) Removed all the access-lists on all subinterfaces and the physical interface; the .9 vlan is not able to ping any other subnet.

2) Applied access-list 111 on the .9 subnet's interface and access-list 113 on the .10 subnet's interface.

Added another statement into access-list 113, permitting host 10.71.10.109 to access any. That's working!!!

So, what's causing the problem? How do I troubleshoot this? Pls help. Thanks!

hi!

Anyone to help on this? Thanks!

It seems that you keep wanting to describe this as a problem with access lists. In one of the most recent responses in this thread, I suggested that I think it is a problem with basic connectivity more than it is a problem with access lists. You have not responded to those comments.

My suggestion to you is to remove the access lists from all interfaces. Then see if devices in the .9 subnet can access anything. If not you need to troubleshoot the connectivity issue. When the devices in .9 can access other subnets properly you can see what access list issues you may have.

HTH

Rick

hi!

I've tried removing the access-list from all the subinterfaces and moving the .9 vlan (previously on the physical interface) to a new subinterface that I created for testing purposes.

After doing that, all my .9 hosts are not able to access other subnets at all. All my other subnets are working fine. What might be the most probable problem here? A basic connectivity problem? How should I troubleshoot from here?

Thanks!

The suggestion by Milan about the issue possibly involving the native VLAN is quite interesting. In fact I had thought a little bit about that possibility. To investigate this possibility we will need to know some things about the configuration of the switch to which your router is attached. In particular we will need to know how the switch port is configured which connects to the router, we will need to know what vlan is the vlan for the .9 subnet, we will need to know which vlan is the native vlan on your switch.

HTH

Rick
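Milan's two fixes and the switch details Rick asks for, as one added configuration example that is not from the thread; the VLAN ids, gateway addresses, switch port and ACL destinations are assumptions noted in the comments, and only the 10.71.9.0/24 subnet, the fa0/0.6 subinterface and host 10.71.9.93 come from the posts above.

```cisco
! Added example, not taken from this thread: router-on-a-stick on the 2600 with
! the native VLAN handled on a subinterface (Milan's fix 1) instead of an IP on Fa0/0.
! VLAN numbers, gateway addresses and the ACL destinations are assumed; 10.71.9.0/24
! is the ".9" subnet from the thread and VLAN 6 matches the fa0/0.6 the poster created.
interface FastEthernet0/0
 ! no IP address and no ACL on the physical interface
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 ! untagged frames now belong to this subinterface, not to Fa0/0
 encapsulation dot1Q 1 native
 ip address 10.71.1.1 255.255.255.0
!
interface FastEthernet0/0.6
 ! assumed VLAN id and gateway address for the .9 subnet
 encapsulation dot1Q 6
 ip address 10.71.9.1 255.255.255.0
 ! the ACL lives only on the subinterface
 ip access-group 111 in
!
access-list 111 permit ip 10.71.9.0 0.0.0.255 10.71.12.0 0.0.0.255
access-list 111 permit ip host 10.71.9.93 10.71.10.0 0.0.0.255
! implicit deny made explicit and logged so dropped hosts show up in the log
access-list 111 deny ip any any log
!
! Milan's fix 2, for an IOS without "dot1Q 1 native": on the switch, make an
! unused VLAN the trunk's native VLAN so no user traffic arrives untagged.
! Switch side, assumed Catalyst port and VLAN number:
!  interface FastEthernet0/24
!   switchport trunk encapsulation dot1q
!   switchport trunk native vlan 999
!   switchport mode trunk
!
! Commands that collect what Rick asked for (switch port config, VLAN of the
! .9 subnet, native VLAN) and confirm where the ACL is actually applied:
!  switch# show interfaces FastEthernet0/24 switchport
!  switch# show interfaces trunk
!  switch# show vlan brief
!  router# show vlans
!  router# show ip interface FastEthernet0/0.6 | include access list
!  router# show access-lists 111
```

The logged deny line makes Rick's "remove the ACL and retest" step cheaper to interpret: if .9 hosts still cannot reach anything while nothing appears in the log, the problem is connectivity (native VLAN mismatch), not the access list.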