I set up this Cisco 1921 with three vlans: vlan2, vlan3, vlan11 & vlan 3500. Vlan 3500 is my management vlan and I am currently not able to ping or access any of the management devices. The switch where all of the devices are connected has the uplink port tagged with the same vlans and the ports have the correct settings for their particular vlan configuration. What am I missing??? Here is part of the config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RT1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.1.120 192.168.1.140
ip dhcp excluded-address 10.10.10.2 10.10.10.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.1.98 192.168.1.100
!
ip dhcp pool OPERATIONS
 network 192.168.1.0 255.255.255.0
 domain-name OPs
 default-router 192.168.1.254
 dns-server 126.96.36.199 188.8.131.52
!
ip dhcp pool OPERATIONS2
 network 192.168.2.0 255.255.255.0
 domain-name OPsPhones
 default-router 192.168.2.1
 dns-server 184.108.40.206 220.127.116.11
!
ip dhcp pool WIFI
 network 10.170.1.0 255.255.255.0
 domain-name Wifi
 default-router 10.170.1.1
 dns-server 18.104.22.168 22.214.171.124
!
ip dhcp pool MGMT
 network 10.10.10.0 255.255.255.0
 domain-name MGMT
 default-router 10.10.10.1
 dns-server 126.96.36.199 188.8.131.52
!
!
multilink bundle-name authenticated
!
!
redundancy
!
class-map match-any WebEmail
 match protocol http
 match protocol secure-http
 match protocol ftp
 match protocol smtp
 match protocol pop3
class-map match-any Voip
 match protocol sip
 match protocol skype
!
!
policy-map QoSPolicy
 class Voip
  set dscp ef
  priority percent 70
 class WebEmail
  bandwidth remaining percent 30
 class class-default
  fair-queue
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Fiber
 ip address 100.100.100.200 255.255.255.240
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 service-policy output QoSPolicy
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.2
 description [0/1.2] OPERATIONS
 encapsulation dot1Q 2
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.3
 description [0/1.3] Operations2
 encapsulation dot1Q 3
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.11
 description [0/1.11] WIFI
 encapsulation dot1Q 11
 ip address 10.170.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.3500
 description [0/1.3500] MGMT
 encapsulation dot1Q 3500
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 100.100.100.199
!
ip access-list extended dvr
 permit tcp any any range 8000 8001
 permit tcp any any eq 7000
 permit tcp any any range 8000 8002
 permit tcp any any range 9010 9012
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.170.1.0 0.0.0.255 any
!
!
route-map ACL-ACCESS permit 10
 match ip address 100
I have looked through the part of the config that you posted and do not see any particular issues that would impact access for the management vlan. I do see some things such as route-map ACL-ACCESS and ip access-list extended dvr which are not used in the part of the config that you posted and it makes me wonder what else is in the config that you have not shown us.
As a starting point in investigating the issue I would suggest that you post the output of show arp (or show ip arp) from the 1921. It will show us some things about what can be accessed. In particular I would like to see whether the router has learned any arp entries in vlan 3500.
I would suggest that we should consider the possibility that the issue is not with the 1921 but with the switches to which it connects. What can you tell us about those switches? Is vlan 3500 a valid vlan on the switch to which the 1921 connects? Can you post the output of these commands from that switch
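Added example, not part of the original thread and not code from either poster: a small Python check that reads the DHCP pools and dot1Q subinterfaces from a config like the one posted, confirms each subinterface number matches its tag and that its address is the gateway its DHCP pool hands out, and flags VLAN IDs in Cisco's extended range (1006-4094), which bears on the question of whether vlan 3500 is valid on the switch. The function names and the trimmed sample are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample: two pools and two subinterfaces trimmed from the posted config.
CONFIG = """\
ip dhcp pool OPERATIONS
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
ip dhcp pool MGMT
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/1.3500
 encapsulation dot1Q 3500
 ip address 10.10.10.1 255.255.255.0
"""

def sections(text):
    """Group indented IOS lines (split into words) under their parent line."""
    out, cur = {}, None
    for line in text.splitlines():
        if line[:1] not in ("", " ", "!"):  # a top-level command opens a section
            cur = out.setdefault(line.strip(), [])
        elif line.strip() and line[0] == " " and cur is not None:
            cur.append(line.split())
    return out

def audit(text):
    """Per dot1Q subinterface: tag match, DHCP gateway match, extended-range flag."""
    secs = sections(text)
    pools = {}  # pool network -> default-router handed to clients
    for head, body in secs.items():
        if head.startswith("ip dhcp pool "):
            kv = {w[0]: w[1:] for w in body}
            net = ipaddress.ip_network("/".join(kv["network"]))
            pools[net] = ipaddress.ip_address(kv["default-router"][0])
    report = {}
    for head, body in secs.items():
        if m := re.fullmatch(r"interface \S+\.(\d+)", head):
            kv = {" ".join(w[:2]): w[2:] for w in body}
            vlan = int(kv["encapsulation dot1Q"][0])
            iface = ipaddress.ip_interface("/".join(kv["ip address"]))
            report[vlan] = {
                "subif_matches_tag": vlan == int(m.group(1)),
                "dhcp_gateway_ok": pools.get(iface.network) == iface.ip,
                "extended_range": 1006 <= vlan <= 4094,  # Cisco extended VLAN IDs
            }
    return report
```

Calling `audit(CONFIG)` on the sample shows both subinterfaces consistent on the router side, with only vlan 3500 falling in the extended range that the switch must also carry.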