
C2960XR-48FPS-I as a Core/Access SW

alfo208
Level 1

Hello, I am new to Cisco configuration. We have 2 C2960XR-48FPS-I in a stack and we need to have Wifi, VoIP, server (DHCP) and internet, and I need to have 8 different VLANs for WAPs, Server, Access, Voice, etc., and all those VLANs need to communicate with each other. I have a Firewall Sonicwall (10.23.200.1)<-----> C2960XR (Core/Access) <---------> (WAPs, Printers, Voip, POS, Server, Security(Cameras))

I did a configuration but I cannot ping or have connectivity between VLANs.

Example: a device in VLAN 99 cannot ping a device in VLAN 100, or a device in VLAN 100 cannot ping a device in VLAN 200.

partial config:

!

switch 1 provision ws-c2960x-48fps-l
switch 2 provision ws-c2960x-48fps-l
ip routing
!

interface GigabitEthernet1/0/1
description *** Server DHCP - Ethernet connection ***
switchport access vlan 100
switchport mode access
spanning-tree portfast

!

interface GigabitEthernet1/0/48
description ******Master Internet VLAN to Firewall X0 Main*****
switchport access vlan 200
switchport mode access
speed 1000
duplex full

!

interface GigabitEthernet2/0/1
description *** WAN SW Management PHWANSW1 GE 3 ***
switchport access vlan 99
switchport mode access
!

!
interface Vlan99
description ***Management***
ip address 10.23.99.1 255.255.255.0

!

interface Vlan100
description ***Server***
ip address 10.23.100.1 255.255.255.0

!
interface Vlan200
description *** Internet ***
ip address 10.23.200.2 255.255.255.0

!

ip default-gateway 10.23.200.1

!

ip route 0.0.0.0 0.0.0.0 10.23.200.1

 

please help!!!

!

 

 

Accepted Solutions

Glad to know that you have done testing and verified that routing between vlans is working. Based on what you showed in the original post about assigning ports to vlan 200 (which would be the ports connecting to the firewall), and configuring interface vlan 200 with its IP address, and configuring the default route with the IP of the firewall as the next hop, I am confident that this will work for any vlan to route to the firewall and be able to access the Internet.

 

HTH

 

Rick


22 Replies

Richard Burts
Hall of Fame

I do not see obvious issues in the partial config that you posted. I suggest that we focus on solving the issues with routing between local vlans/subnets and consider issues with routing to the firewall and issues with Internet access after the local routing issues are solved.

 

Can you post the output of these commands on your 2960?

show interface status

show ip route

show arp (or perhaps show ip arp)

 

HTH

 

Rick


balaji.bandi
Hall of Fame

Can you post show version, and have you enabled ip routing?

 

if not

 

config t

!

ip routing

!

end

 

wr

 

Post the output of show ip route

and test and advise.

 

If still not working, post the full config (show run).

 

BB


Deepak Kumar
VIP Alumni

Hi,

You didn't post the complete configuration, but as per your question I am assuming that you are missing a command

 

"IP Routing"

 

This command will enable the Routing on the switch.

 

Regards,

Deepak Kumar


Hi Deepak, thanks for the reply. That is the problem: IP Routing is enabled and still can ping inter vlan

Sorry, still cannot ping intervlan

Can you post the output of these commands on your 2960?

show interface status

show ip route

show arp (or perhaps show ip arp)

 

HTH

 

Rick


Hello Rick, here it is:


PHSWCORE#sho arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.23.1.1 - 7018.a77d.b144 ARPA Vlan231
Internet 10.23.2.1 - 7018.a77d.b145 ARPA Vlan232
Internet 10.23.3.1 - 7018.a77d.b146 ARPA Vlan233
Internet 10.23.5.1 - 7018.a77d.b147 ARPA Vlan235
Internet 10.23.9.1 - 7018.a77d.b148 ARPA Vlan239
Internet 10.23.99.1 - 7018.a77d.b141 ARPA Vlan99
Internet 10.23.99.250 246 70c9.c6fa.84d6 ARPA Vlan99
Internet 10.23.100.1 - 7018.a77d.b142 ARPA Vlan100
Internet 10.23.100.2 236 f8ca.b804.30d2 ARPA Vlan100
Internet 10.23.200.2 - 7018.a77d.b143 ARPA Vlan200

PHSWCORE#
PHSWCORE#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.23.99.0/24 is directly connected, Vlan99
L 10.23.99.1/32 is directly connected, Vlan99
C 10.23.100.0/24 is directly connected, Vlan100
L 10.23.100.1/32 is directly connected, Vlan100


HSWCORE#sh interfaces status

Port Name Status Vlan Duplex Speed Type
Gi1/0/1 *** Server DHCP - connected 100 a-full a-1000 10/100/1000BaseTX
Gi2/0/1 *** WAN SW Managem connected 99 a-full a-1000 10/100/1000BaseTX


Right now I only have 2 ports connected and cannot ping from vlan 100 to vlan 99.
Vlan 200 is the static route to 10.23.200.1; I do not have that port connected today, which is why the gateway does not show in the route table.

Thanks

Thanks for the information. The output seems appropriate and I do not see anything in it that looks like a problem. So I suggest these steps to investigate the issue:

1) from the switch ping to the device in vlan 99 (ping 10.23.99.250)

    if successful we have demonstrated access and that it will respond to ping. If not successful then we see the problem is about that device and ping.

2) from the switch ping to the device in vlan 99 and this time specify that the source address should be 10.23.100.1

    if successful we have demonstrated that its default gateway is correct and that it should respond to remote devices.

3) from the switch ping to the device in vlan 100 (ping 10.23.100.2)

    if successful we have demonstrated access and that it will respond to ping. If not successful then we see the problem is about that device and ping.

4) from the switch ping to the device in vlan 100 and this time specify that the source address should be 10.23.99.1

    if successful we have demonstrated that its default gateway is correct and that it should respond to remote devices.

 

Hopefully one of those steps will reveal a problem.

 

HTH

 

Rick


These are the tests:

PHSWCORE#ping 10.23.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
PHSWCORE#ping 10.23.99.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
PHSWCORE#ping 10.23.99.250 source 10.23.100.2
% Invalid source address- IP address not on any of our up interfaces
PHSWCORE#ping 10.23.99.250 source 10.23.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
Packet sent with a source address of 10.23.100.1
.....
Success rate is 0 percent (0/5)
PHSWCORE#ping 10.23.99.250 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
Packet sent with a source address of 10.23.100.1
.....
Success rate is 0 percent (0/5)
PHSWCORE#ping 10.23.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
PHSWCORE#ping 10.23.100.2 sourve vlan 100
^
% Invalid input detected at '^' marker.

PHSWCORE#ping 10.23.100.2 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.23.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
PHSWCORE#ping 10.23.100.2 source vlan 99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.23.99.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
PHSWCORE#ping 10.23.100.2 source 10.23.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.23.99.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
PHSWCORE#ping 10.23.100.2 source 10.23.99.250
% Invalid source address- IP address not on any of our up interfaces
PHSWCORE#ping 10.23.100.2 source 10.23.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.100.2, timeout is 2 seconds:
Packet sent with a source address of 10.23.99.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
PHSWCORE#

Thank you for performing the tests and posting the output. I believe that this is the key result:

PHSWCORE#ping 10.23.99.250 source 10.23.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
Packet sent with a source address of 10.23.100.1
.....
Success rate is 0 percent (0/5)

We can see in your test results that the device at 10.23.99.250 does respond to ping when the ping source is in the local subnet but does not respond to ping when the ping source is in a remote subnet. I suggest that you check the configuration of that device. I believe that you will find that its default gateway is not set to 10.23.99.1 as it should be.

 

HTH

Rick
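
The inference in the reply above, as an added example that is not part of the original thread: a host that answers the switch's on-subnet address but not a source in another VLAN points at that host's default gateway or at host filtering of off-subnet sources. The sample is abridged from the ping output posted earlier; the function names and the /24 default (matching the posted SVI masks) are assumptions of this example.

```python
import ipaddress
import re

# Abridged from the ping output posted in this thread (banner lines dropped).
TRANSCRIPT = """\
PHSWCORE#ping 10.23.99.250
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
PHSWCORE#ping 10.23.99.250 source 10.23.100.1
Packet sent with a source address of 10.23.100.1
Success rate is 0 percent (0/5)
PHSWCORE#ping 10.23.100.2 source 10.23.99.1
Packet sent with a source address of 10.23.99.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
PHSWCORE#ping 10.23.100.2 source 10.23.99.250
% Invalid source address- IP address not on any of our up interfaces
"""

CMD = re.compile(r"#\s*ping\s+(\d+\.\d+\.\d+\.\d+)")
SRC = re.compile(r"source address of (\d+\.\d+\.\d+\.\d+)")
RATE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")

def parse_pings(text):
    """Return (dst, src_or_None, replies) for each ping that ran; rejected commands are skipped."""
    probes, dst, src = [], None, None
    for line in text.splitlines():
        if m := CMD.search(line):
            dst, src = m.group(1), None          # a new command resets the state
        elif m := SRC.search(line):
            src = m.group(1)
        elif (m := RATE.search(line)) and dst:
            probes.append((dst, src, int(m.group(1))))
    return probes

def diagnose(text, prefix=24):
    """Classify hosts. Assumption: an unsourced ping leaves from the SVI in the target's subnet."""
    seen = {}
    for dst, src, replies in parse_pings(text):
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        scope = "local" if src is None or ipaddress.ip_address(src) in net else "remote"
        r = seen.setdefault(dst, {})
        r[scope] = r.get(scope, False) or replies > 0
    verdicts = {}
    for host, r in seen.items():
        if r.get("remote"):
            verdicts[host] = "answers routed traffic"
        elif r.get("local") and "remote" in r:
            verdicts[host] = "on-subnet only: check host default gateway or firewall scope"
        else:
            verdicts[host] = "inconclusive"
    return verdicts
```
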

Hi,

What is 10.23.99.250? Turn off the firewall on this machine including AntiVirus program and test it again.

 

Regards,

Deepak Kumar 


@Deepak Kumar the fact that the device at 10.23.99.250 does respond to ping from a local address indicates that there is not an issue with firewall on that device.

PHSWCORE#ping 10.23.99.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.23.99.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms

 

HTH

 

Rick


Hi @Richard Burts 

Windows 10 has profile-based rules in the firewall and many times we encounter this type of issue. There are trusted or untrusted rules.

 

Regards,

Deepak Kumar


@Deepak Kumar it is an interesting point about the possibility that the firewall may differentiate trusted networks vs untrusted networks. One way to verify this issue would be to test with pings from the device at 10.23.99.250. I am confident that it would be successful in pinging its local gateway at 10.23.99.1. But would it be able to ping the remote address 10.23.100.1? 

 

HTH

 

Rick
