
Internal Sub_Net !!!!!!!!!!

j_j624001
Level 1

Hey Guys;

I need some help here; two of my subnets are not working. To make a long story short, I'm unable to ping my secondary or third network to my VLAN switch, which is causing my servers to be unable to communicate through my internal network. See info below.

On my switch I have created VLAN interfaces and VLANs.

Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    down
Vlan10                 10.10.0.x       YES NVRAM  up                    up
Vlan15                 10.10.15.x      YES NVRAM  up                    up
Vlan20                 10.10.20.x      YES NVRAM  up                    up

I can ping vlan 10, but I am unable to ping vlan 15 and 20 to the router, and/or vice versa: the router can't ping back to the switch on vlan 15 and 20.

Interface FA

I even cleared my configurations and was still unable to ping back and forth.

interface FastEthernet0/2
 description Win-Server
 switchport access vlan 15
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 switchport port-security mac-address sticky 
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable

 

If you have any questions or concerns, please let me know.

Thanks


johnd2310
Level 8

Hi,

Have you enabled routing on the switch (the ip routing command)?

Thanks

John

**Please rate posts you find helpful**

Hey John;

No, I don't believe I have that enabled, since my setup was working before, until I changed routers; but here's the config on my switch, hopefully that will help.

Current configuration : 9182 bytes
!
no aaa new-model
clock timezone EAST 23 59
system mtu routing 1998
ip subnet-zero
!
ip port-map dns port 53
ip port-map smtp port 161
ip port-map pop2 port 109
ip port-map pop3 port 110
ip port-map nntp port 119
ip port-map ldap port 389
ip port-map imap port 143
ip port-map nfs port 944
ip device tracking
!

spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1 hello-time 10
spanning-tree vlan 1 forward-time 30
!
vlan internal allocation policy ascending
!

interface FastEthernet0/1
 description L-Server
 switchport access vlan 15
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable

!

interface FastEthernet0/5
 description client
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable

!

interface GigabitEthernet0/1
 description Sw-FA0/1
 switchport trunk allowed vlan 10,15,20
 switchport mode trunk
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 switchport port-security mac-address sticky 
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable

!

interface Vlan10
 ip address 10.10.0.x 255.255.255.0
 ip broadcast-address 255.255.255.0
 ip mask-reply
 ip information-reply
 ip sticky-arp
 no ip route-cache
 ip tcp adjust-mss 1460
 arp snap
 spanning-tree portfast
!
interface Vlan15
 ip address 10.10.15.x 255.255.255.0
 ip broadcast-address 255.255.255.0
 ip mask-reply
 ip information-reply
 ip sticky-arp
 no ip route-cache
 ip tcp adjust-mss 1460
 arp snap
 spanning-tree portfast
!
interface Vlan20
 ip address 10.10.20.x 255.255.255.0
 ip broadcast-address 255.255.255.0
 ip mask-reply
 ip information-reply
 ip sticky-arp
 no ip route-cache
 ip tcp adjust-mss 1460
 arp snap
 spanning-tree portfast
!
no ip http server
access-list 40 permit 10.10.x.x 0.0.255.255

Hello j_j624001,

The router should be connected to the following interface:

interface GigabitEthernet0/1
 description Sw-FA0/1
 switchport trunk allowed vlan 10,15,20
 switchport mode trunk
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 switchport port-security mac-address sticky 
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable

!

and should have a VLAN subinterface for each VLAN.

Router config:

int gi0/0
no ip address
int gi0/0.10
encapsulation dot1q 10
ip address 10.10.0.y 255.255.255.0
int gi0/0.15
enc dot1q 15
ip address 10.10.15.y 255.255.255.0
int gi0/0.20
enc dot1q 20
ip address 10.10.20.y 255.255.255.0

In this way the router will provide the inter-VLAN routing.

Otherwise you need to enable inter-VLAN routing on the switch.

Hope to help

Giuseppe

Hello; I have VLAN subinterfaces on my router, so it must be on my switch; idk. Here is the configuration on the router and switch. On my switch I have three VLANs I'm using for internal, from show vlan brief.... Idk, see configurations.

Router

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.84
ip dhcp excluded-address 10.10.0.101 10.10.0.255
ip dhcp excluded-address 10.10.20.1 10.10.20.84
ip dhcp excluded-address 10.10.20.101 10.10.20.255
!
ip dhcp pool 10_Net_POOL
   import all
   network 10.10.0.0 255.255.255.0
   update dns
   default-router 10.10.0.1
   dns-server 10.10.15.2 10.10.15.3 8.8.8.8 8.8.4.4
   domain-name J_Internal_Net.com
   update arp
!
ip dhcp pool 20_NET_POOL
   import all
   network 10.10.20.0 255.255.255.0
   update dns
   default-router 10.10.20.1
   dns-server 10.10.15.2 10.10.15.3 8.8.8.8 8.8.4.4
   domain-name BACK_NET.com
   update arp
!
ip ssh version 2
!
interface FastEthernet0
 description OUT
 ip address 192.168.0.x 255.255.255.0
 ip access-group filter-inbond in
 ip access-group filter-outbond out
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1
 description Internal
 no ip address
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1.10
 description Clients
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.15
 description Servers
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet1.20
 description Backup
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
ip route 0.0.0.0 0.0.0.0 192.168.0.x
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended filter-inbond
 permit icmp any any echo-reply
 permit tcp any eq www any established
 permit tcp any eq 443 any established
 permit tcp any eq 8080 any established
 permit udp any eq domain any
 deny   ip any any
 deny   udp any any
 deny   tcp any any
ip access-list extended filter-outbond
 permit icmp any any echo
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
 deny   ip any any
 deny   tcp any any
 deny   udp any any
!
access-list 50 permit 10.10.0.0 0.0.255.255
!
control-plane

Switch

Current configuration : 9271 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone EAST 23 59
system mtu routing 1998
ip subnet-zero
!
ip domain-name J10.Net.com
ip name-server 255.255.255.0

ip port-map dns port 53
ip port-map smtp port 161
ip port-map pop2 port 109
ip port-map pop3 port 110
ip port-map nntp port 119
ip port-map ldap port 389
ip port-map imap port 143
ip port-map nfs port 944
ip device tracking
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1 hello-time 10
spanning-tree vlan 1 forward-time 30

!

interface FastEthernet0/1
 description L-Server
 switchport access vlan 15
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable

!

interface FastEthernet0/6
 description client
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable

!

interface GigabitEthernet0/1
 description Sw-FA0/1
 switchport trunk allowed vlan 10,15,20
 switchport mode trunk
 switchport nonegotiate
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security aging static
 switchport port-security mac-address sticky 001e.7aa1.8ca7 vlan 10
 speed 100
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
 description AP
 switchport access vlan 10
 switchport mode access
 speed 1000
 duplex full
 arp snap
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 ip broadcast-address 255.255.255.0
 ip helper-address 10.10.0.1
 ip mask-reply
 ip information-reply
 ip sticky-arp
 no ip route-cache
 ip tcp adjust-mss 1460
 arp snap
 spanning-tree portfast
!
interface Vlan15
 ip address 10.10.15.2 255.255.255.0
 ip broadcast-address 255.255.255.0
 ip helper-address 10.10.15.1
 ip mask-reply
 ip information-reply

 ip sticky-arp
 no ip route-cache
 ip tcp adjust-mss 1460
 arp snap
 spanning-tree portfast
!
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
 ip broadcast-address 255.255.255.0
 ip helper-address 10.10.20.1
 ip mask-reply
 ip information-reply
 ip sticky-arp
 no ip route-cache
 ip tcp adjust-mss 1460
 arp snap
 spanning-tree portfast
!
no ip http server
access-list 40 permit 10.10.0.0 0.0.255.255

Hello j_J624001,

To what port of the switch is the R1 FastEthernet1 connected?

It should be gi0/1 of the switch, the only one configured for trunk mode.

Are your ping attempts started from the router or from a host in one VLAN?

Can the port security configuration on the link between the switch and the router be removed?

You have the line

switchport port-security mac-address sticky 001e.7aa1.8ca7 vlan 10

but nothing about vlan15 and vlan20, where likely the same MAC address should appear (if it is the R1 fas1 MAC address, all subifs use the same MAC address).

I would try without port security configured on the switch side of the port to the router.

Hope to help

Giuseppe

Hello Giuseppe;

My router is connected to switch port Gi0/1, which is a trunk to allow the other VLANs to communicate.

I got it now; after removing the switchport security, I was able to ping all VLANs from router-switch-client or vice versa.

Thanks
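
An added example, not part of the original thread: a small Python check for the condition Giuseppe pointed out, a trunk port with port security whose sticky MAC entries cover only some of the allowed VLANs. The sample configuration is constructed from the SW1 excerpts posted above, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the SW1 configuration posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,15,20
 switchport mode trunk
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001e.7aa1.8ca7 vlan 10
!
"""

STICKY = re.compile(r"port-security mac-address sticky (\S+) vlan (\d+)")
ALLOWED = re.compile(r"^\s*switchport trunk allowed vlan ([\d,-]+)\s*$", re.M)

def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '10,15,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunk_port_security(config):
    """Map each trunk port that has port security enabled to a tuple
    (allowed VLANs with no sticky entry, True if violation mode is protect)."""
    findings = {}
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [line.strip() for line in stanza.splitlines()]
        if not {"switchport mode trunk", "switchport port-security"} <= set(lines):
            continue  # not a trunk, or port security is not enabled
        m = ALLOWED.search(stanza)
        # A trunk without an explicit allowed list is not evaluated here.
        allowed = expand_vlans(m.group(1)) if m else set()
        covered = {int(vlan) for _mac, vlan in STICKY.findall(stanza)}
        uncovered = sorted(allowed - covered)
        if uncovered:
            protect = "switchport port-security violation protect" in lines
            findings[lines[0].split()[1]] = (uncovered, protect)
    return findings
```

Run against a saved running-config, a finding for the router-facing trunk with the protect flag set marks the port where frames can be dropped without any log entry, which matches the symptom in this thread.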