03-26-2019 02:12 PM - edited 03-26-2019 02:14 PM
Hello, I am new to Cisco configuration. We have 2 C2960XR-48FPS-I stack and we need to have WiFi, VoIP, server (DHCP) and internet, and I need to have 8 different VLANs for WAPs, Server, Access, Voice, etc., and all those VLANs need to communicate with each other. I have a Firewall Sonicwall (10.23.200.1) <-----> C2960XR (Core/Access) <---------> (WAPs, Printers, VoIP, POS, Server, Security (Cameras))
I did a configuration but I cannot ping or have connectivity between VLANs.
Example: a device in VLAN 99 cannot ping a device in VLAN 100, or a device in VLAN 100 cannot ping a device in VLAN 200.
partial config:
!
switch 1 provision ws-c2960x-48fps-l
switch 2 provision ws-c2960x-48fps-l
ip routing
!
interface GigabitEthernet1/0/1
 description *** Server DHCP - Ethernet connection ***
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description ******Master Internet VLAN to Firewall X0 Main*****
 switchport access vlan 200
 switchport mode access
 speed 1000
 duplex full
!
interface GigabitEthernet2/0/1
 description *** WAN SW Management PHWANSW1 GE 3 ***
 switchport access vlan 99
 switchport mode access
!
!
interface Vlan99
 description ***Management***
 ip address 10.23.99.1 255.255.255.0
!
interface Vlan100
 description ***Server***
 ip address 10.23.100.1 255.255.255.0
!
interface Vlan200
 description *** Internet ***
 ip address 10.23.200.2 255.255.255.0
!
ip default-gateway 10.23.200.1
!
ip route 0.0.0.0 0.0.0.0 10.23.200.1
please help!!!
!
03-27-2019 11:42 AM
Glad to know that you have done testing and verified that routing between vlans is working. Based on what you showed in the original post about assigning ports to vlan 200 (which would be the ports connecting to the firewall), and configuring interface vlan 200 with its IP address, and configuring the default route with the IP of the firewall as the next hop, I am confident that this will work for any vlan to route to the firewall and be able to access the Internet.
HTH
Rick
03-26-2019 02:22 PM
I do not see obvious issues in the partial config that you posted. I suggest that we focus on solving the issues with routing between local vlans/subnets and consider issues with routing to the firewall and issues with Internet access after the local routing issues are solved.
Can you post the output of these commands on your 2960:
show interface status
show ip route
show arp (or perhaps show ip arp)
HTH
Rick
03-26-2019 02:22 PM
Can you post show version, and have you enabled ip routing?
If not:
config t
!
ip routing
!
end
wr
Post the output of show ip route,
and test and advise.
If still not working, post the full config (show run).
03-26-2019 10:07 PM
Hi,
You didn't post the complete configuration, but as per your question I am assuming that you are missing a command
"IP Routing"
This command will enable routing on the switch.
Regards,
Deepak Kumar
03-27-2019 04:55 AM
03-27-2019 05:27 AM
03-27-2019 05:39 AM
Can you post the output of these commands on your 2960:
show interface status
show ip route
show arp (or perhaps show ip arp)
HTH
Rick
03-27-2019 06:50 AM
03-27-2019 07:16 AM
Thanks for the information. The output seems appropriate and I do not see anything in it that looks like a problem. So I suggest these steps to investigate the issue:
1) from the switch ping to the device in vlan 99 (ping 10.23.99.250)
if successful we have demonstrated access and that it will respond to ping. If not successful then we see the problem is about that device and ping.
2) from the switch ping to the device in vlan 99 and this time specify that the source address should be 10.23.100.1
if successful we have demonstrated that its default gateway is correct and that it should respond to remote devices.
3) from the switch ping to the device in vlan 100 (ping 10.23.100.2)
if successful we have demonstrated access and that it will respond to ping. If not successful then we see the problem is about that device and ping.
4) from the switch ping to the device in vlan 100 and this time specify that the source address should be 10.23.99.1
if successful we have demonstrated that its default gateway is correct and that it should respond to remote devices.
Hopefully one of those steps will reveal a problem.
HTH
Rick
03-27-2019 07:32 AM
03-27-2019 08:11 AM
Thank you for performing the tests and posting the output. I believe that this is the key result:
PHSWCORE#ping 10.23.99.250 source 10.23.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
Packet sent with a source address of 10.23.100.1
.....
Success rate is 0 percent (0/5)
We can see in your test results that the device at 10.23.99.250 does respond to ping when the ping source is in the local subnet but does not respond to ping when the ping source is in a remote subnet. I suggest that you check the configuration of that device. I believe that you will find that its default gateway is not set to 10.23.99.1 as it should be.
HTH
Rick
03-27-2019 09:31 AM
Hi,
What is 10.23.99.250? Turn off the firewall on this machine including AntiVirus program and test it again.
Regards,
Deepak Kumar
03-27-2019 09:36 AM
@Deepak Kumar the fact that the device at 10.23.99.250 does respond to ping from a local address indicates that there is not an issue with the firewall on that device.
PHSWCORE#ping 10.23.99.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
HTH
Rick
03-27-2019 09:46 AM
Windows 10 has profile-based rules in the firewall, and many times we encounter this type of issue. There are trusted or untrusted rules.
Regards,
Deepak Kumar
03-27-2019 09:54 AM
@Deepak Kumar it is an interesting point about the possibility that the firewall may differentiate trusted networks vs untrusted networks. One way to verify this issue would be to test with pings from the device at 10.23.99.250. I am confident that it would be successful in pinging its local gateway at 10.23.99.1. But would it be able to ping the remote address 10.23.100.1?
HTH
Rick
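Added example, not part of any post in this thread: a small Python parser for the IOS ping transcripts quoted above. It compares the on-link and routed results per host, which is the comparison the thread uses to separate a host-side cause (default gateway, or a firewall rule scoped to the local subnet) from a switch routing problem. The /24 prefix, the function names and the verdict strings are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the two ping transcripts quoted in this thread.
TRANSCRIPT = """\
PHSWCORE#ping 10.23.99.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
PHSWCORE#ping 10.23.99.250 source 10.23.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
Packet sent with a source address of 10.23.100.1
.....
Success rate is 0 percent (0/5)
"""
CMD = re.compile(r"#ping (\S+)(?: source (\S+))?\s*$")
RATE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")

def parse_pings(text):
    """Yield (target, source or None, replies, sent) for each ping in text."""
    target = source = None
    for line in text.splitlines():
        if m := CMD.search(line):
            target, source = m.groups()
        elif (m := RATE.search(line)) and target:
            yield target, source, int(m.group(1)), int(m.group(2))
            target = None

def on_link(target, source, prefix=24):
    # Assumption: /24 subnets as on the posted SVIs; with no explicit source
    # the switch pings from its SVI in the target's own VLAN.
    net = ipaddress.ip_network(f"{target}/{prefix}", strict=False)
    return source is None or ipaddress.ip_address(source) in net

def diagnose(text):
    """Map each target to a verdict from its on-link and routed ping results."""
    seen = {}
    for target, source, replies, _sent in parse_pings(text):
        key = "local" if on_link(target, source) else "remote"
        seen.setdefault(target, {})[key] = replies > 0
    out = {}
    for t, r in seen.items():
        if len(r) < 2:
            out[t] = "incomplete: run both tests"
        elif r["local"] and not r["remote"]:
            out[t] = "answers on-link only: check host default gateway, then host firewall scope"
        else:
            out[t] = "ok" if r["local"] else "no on-link reply: host down or not answering ICMP"
    return out
```
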