02-27-2016 10:04 AM - edited 03-05-2019 03:26 AM
Hey Guys;
I need some help here; two of my subnets are not working. To make a long story short, I'm unable to ping my second or third network to my VLAN switch, which is causing my servers to be unable to communicate through my internal network. See info below.
On my switch I have created VLAN interfaces and VLANs:
Interface   IP-Address   OK?   Method   Status   Protocol
Vlan1       unassigned   YES   NVRAM    up       down
Vlan10      10.10.0.x    YES   NVRAM    up       up
Vlan15      10.10.15.x   YES   NVRAM    up       up
Vlan20      10.10.20.x   YES   NVRAM    up       up
I can ping VLAN 10, but I am unable to ping VLANs 15 and 20 to the router, and vice versa: the router can't ping back to the switch on VLANs 15 and 20.
Interface FA
I even cleared my configurations and was still unable to ping back and forth.
interface FastEthernet0/2
description Win-Server
switchport access vlan 15
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
switchport port-security mac-address sticky
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
If you have any questions or concerns please let me know.
Thanks
02-27-2016 04:46 PM
Hi,
Have you enabled routing on the switch? ip routing command
Thanks
John
02-28-2016 10:18 AM
Hey John;
No, I don't believe I have that enabled, since my setup was working before until I changed routers; but here's my config on my switch, hopefully that will help.
Current configuration : 9182 bytes
!
no aaa new-model
clock timezone EAST 23 59
system mtu routing 1998
ip subnet-zero
!
ip port-map dns port 53
ip port-map smtp port 161
ip port-map pop2 port 109
ip port-map pop3 port 110
ip port-map nntp port 119
ip port-map ldap port 389
ip port-map imap port 143
ip port-map nfs port 944
ip device tracking
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1 hello-time 10
spanning-tree vlan 1 forward-time 30
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
description L-Server
switchport access vlan 15
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface FastEthernet0/5
description client
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
description Sw-FA0/1
switchport trunk allowed vlan 10,15,20
switchport mode trunk
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
switchport port-security mac-address sticky
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface Vlan10
ip address 10.10.0.x 255.255.255.0
ip broadcast-address 255.255.255.0
ip mask-reply
ip information-reply
ip sticky-arp
no ip route-cache
ip tcp adjust-mss 1460
arp snap
spanning-tree portfast
!
interface Vlan15
ip address 10.10.15.x 255.255.255.0
ip broadcast-address 255.255.255.0
ip mask-reply
ip information-reply
ip sticky-arp
no ip route-cache
ip tcp adjust-mss 1460
arp snap
spanning-tree portfast
!
interface Vlan20
ip address 10.10.20.x 255.255.255.0
ip broadcast-address 255.255.255.0
ip mask-reply
ip information-reply
ip sticky-arp
no ip route-cache
ip tcp adjust-mss 1460
arp snap
spanning-tree portfast
!
no ip http server
access-list 40 permit 10.10.x.x 0.0.255.255
02-29-2016 01:05 AM
Hello j_j624001,
the router should be connected to the following interface:
interface GigabitEthernet0/1
description Sw-FA0/1
switchport trunk allowed vlan 10,15,20
switchport mode trunk
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
switchport port-security mac-address sticky
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
and should have a VLAN subinterface for each VLAN
router config:
int gi0/0
no ip address
int gi0/0.10
encapsulation dot1q 10
ip address 10.10.0.y 255.255.255.0
int gi0/0.15
enc dot1q 15
ip address 10.10.15.y 255.255.255.0
int gi0/0.20
enc dot1q 20
ip address 10.10.20.y 255.255.255.0
In this way the router will provide the inter-VLAN routing.
Otherwise you need to enable inter-VLAN routing on the switch.
Hope to help
Giuseppe
02-29-2016 03:26 PM
Hello; I have VLAN subinterfaces on my router, so it must be on my switch; I don't know. Here is the configuration on the router and switch; on my switch I have three VLANs I'm using for internal, from show vlan brief.... I don't know, see the configurations.
Router
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.84
ip dhcp excluded-address 10.10.0.101 10.10.0.255
ip dhcp excluded-address 10.10.20.1 10.10.20.84
ip dhcp excluded-address 10.10.20.101 10.10.20.255
!
ip dhcp pool 10_Net_POOL
import all
network 10.10.0.0 255.255.255.0
update dns
default-router 10.10.0.1
dns-server 10.10.15.2 10.10.15.3 8.8.8.8 8.8.4.4
domain-name J_Internal_Net.com
update arp
!
ip dhcp pool 20_NET_POOL
import all
network 10.10.20.0 255.255.255.0
update dns
default-router 10.10.20.1
dns-server 10.10.15.2 10.10.15.3 8.8.8.8 8.8.4.4
domain-name BACK_NET.com
update arp
!
ip ssh version 2
!
interface FastEthernet0
description OUT
ip address 192.168.0.x 255.255.255.0
ip access-group filter-inbond in
ip access-group filter-outbond out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1
description Internal
no ip address
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1.10
description Clients
encapsulation dot1Q 10
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet1.15
description Servers
encapsulation dot1Q 15
ip address 10.10.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet1.20
description Backup
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
ip route 0.0.0.0 0.0.0.0 192.168.0.x
!
no ip http server
no ip http secure-server
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended filter-inbond
permit icmp any any echo-reply
permit tcp any eq www any established
permit tcp any eq 443 any established
permit tcp any eq 8080 any established
permit udp any eq domain any
deny ip any any
deny udp any any
deny tcp any any
ip access-list extended filter-outbond
permit icmp any any echo
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8080
deny ip any any
deny tcp any any
deny udp any any
!
access-list 50 permit 10.10.0.0 0.0.255.255
!
control-plane
Switch
Current configuration : 9271 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone EAST 23 59
system mtu routing 1998
ip subnet-zero
!
ip domain-name J10.Net.com
ip name-server 255.255.255.0
ip port-map dns port 53
ip port-map smtp port 161
ip port-map pop2 port 109
ip port-map pop3 port 110
ip port-map nntp port 119
ip port-map ldap port 389
ip port-map imap port 143
ip port-map nfs port 944
ip device tracking
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1 hello-time 10
spanning-tree vlan 1 forward-time 30
!
interface FastEthernet0/1
description L-Server
switchport access vlan 15
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface FastEthernet0/6
description client
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
description Sw-FA0/1
switchport trunk allowed vlan 10,15,20
switchport mode trunk
switchport nonegotiate
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
switchport port-security mac-address sticky 001e.7aa1.8ca7 vlan 10
speed 100
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
description AP
switchport access vlan 10
switchport mode access
speed 1000
duplex full
arp snap
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan10
ip address 10.10.0.2 255.255.255.0
ip broadcast-address 255.255.255.0
ip helper-address 10.10.0.1
ip mask-reply
ip information-reply
ip sticky-arp
no ip route-cache
ip tcp adjust-mss 1460
arp snap
spanning-tree portfast
!
interface Vlan15
ip address 10.10.15.2 255.255.255.0
ip broadcast-address 255.255.255.0
ip helper-address 10.10.15.1
ip mask-reply
ip information-reply
ip sticky-arp
no ip route-cache
ip tcp adjust-mss 1460
arp snap
spanning-tree portfast
!
interface Vlan20
ip address 10.10.20.2 255.255.255.0
ip broadcast-address 255.255.255.0
ip helper-address 10.10.20.1
ip mask-reply
ip information-reply
ip sticky-arp
no ip route-cache
ip tcp adjust-mss 1460
arp snap
spanning-tree portfast
!
no ip http server
access-list 40 permit 10.10.0.0 0.0.255.255
03-01-2016 12:45 AM
Hello j_J624001,
To what port of the switch is the R1 FastEthernet1 connected?
It should be gi0/1 of the switch, the only one configured for trunk mode.
Are your ping attempts started from the router or from a host in one VLAN?
Can the port security configuration on the link between the switch and the router be removed?
You have the line
switchport port-security mac-address sticky 001e.7aa1.8ca7 vlan 10
but nothing about vlan15 and vlan20, where likely the same MAC address should appear (if it is the R1 fas1 MAC address, all subifs use the same MAC address).
I would try without port security configured on the switch side of the port to the router.
Hope to help
Giuseppe
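An added example, not part of the original thread and not Cisco tooling: a Python check for the condition described in the reply above, where a port-secured trunk has a sticky MAC pinned for one VLAN and no room left for the same router MAC on the others. It assumes the switch counts each MAC/VLAN pair on a trunk as its own secure address and that an unset `maximum` defaults to 1; the function names are hypothetical and the sample is an excerpt of the SW1 config posted in this thread.

```python
import re

# Excerpt of the SW1 config posted in this thread (one access port, the trunk to R1).
SW1_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,15,20
 switchport mode trunk
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky 001e.7aa1.8ca7 vlan 10
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,15,20' or '10-12,20' into integers."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunk_port_security(config):
    """Map each port-secured trunk to the VLANs its secure-address table cannot hold."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split()[1], [])
        elif cur is not None and line.startswith("switchport"):
            cur.append(line)
    report = {}
    for name, lines in blocks.items():
        if "switchport mode trunk" not in lines or "switchport port-security" not in lines:
            continue
        text = "\n".join(lines)
        allowed = re.search(r"^switchport trunk allowed vlan ([\d,-]+)$", text, re.M)
        maximum = re.search(r"^switchport port-security maximum (\d+)$", text, re.M)
        pinned = [int(v) for v in re.findall(
            r"^switchport port-security mac-address sticky \S+ vlan (\d+)$", text, re.M)]
        limit = int(maximum.group(1)) if maximum else 1  # assumed default: one address
        free = max(limit - len(pinned), 0)
        # Assumption: one neighbour MAC (the router) has to be learned in every VLAN.
        unpinned = [v for v in (expand_vlans(allowed.group(1)) if allowed else [])
                    if v not in pinned]
        # Which VLANs lose out depends on learn order; the tail is reported here.
        report[name] = {"maximum": limit, "pinned_vlans": pinned,
                        "blocked_vlans": unpinned[free:],
                        "silent_drop": "switchport port-security violation protect" in lines}
    return report
```

For the posted trunk the report lists VLANs 15 and 20 as blocked with `silent_drop` set, which matches the symptom in the thread: VLAN 10 answers pings while the other two fail without any logged violation.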
03-01-2016 03:13 PM
Hello Giuseppe;
My router is connected to switch port Gi0/1, which is a trunk to allow the other VLANs to communicate.
I got it now; after removing the switchport security, I was able to ping all VLANs from router-switch-client and vice versa.
Thanks