
Looking for help with intervlan routing on 3850 switch

Craig Hunt
Level 1

I am looking for some help with intervlan routing on a WS-C3850-48P-E switch running SW version 03.07.05E.

I have a few VLANs configured on the switch - 10-Data, 21-Wireless-Management, 105-VoIP.

The switch acts as a DHCP server for the 21 and 105 vlans and I have the WLC running on the 3850.  I have APs registered to the WLC.

I have a trunk port connecting to a 2911 ISR with CME and CUE running.  I have ephones registered to the CME and can make internal calls.

'ip routing' is activated via the CLI.

I can connect to everything only if I am on the same vlan as what I am accessing.  If my PC is connected to VLAN 105, I can access the CME and CUE GUIs.  If my PC is connected to VLAN 21, I can access the WLC GUI.  I can ping every vlan from the switch, but from my PC I can only ping devices on the same vlan that I am on.

So now comes my n00b question.  How do I get my PC on the Data vlan (10) to communicate with all the other vlans?  Shouldn't I be able to do this with intervlan routing on the 3850?

 

Edit:  Still looking for assistance.  I can actually ping all vlan interfaces hosted on the switch from the PC but can no longer get to the IPs on the 2911 ISR.

I.e. from PC 192.168.10.99, I can ping 192.168.10.2 (vlan10), 192.168.21.1 (vlan21) and 192.168.105.1 (vlan105) all hosted on the switch but I can not ping 192.168.105.5 or 192.168.105.6 which are on the 2911 router.  From the switch, I can ping 192.168.105.5 and .6.  Seems I'm getting pretty close.  Help is still very appreciated.  Thanks.

 

 

Current configuration : 11185 bytes
!
! Last configuration change at 05:17:00 EDT Sun Sep 27 2020
!
version 15.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service compress-config
!
hostname huntco-3850-1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
username chunt privilege 15 password 7 04xxxxxxxxxxxx1D
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
switch 1 provision ws-c3850-48p
!
!
!
!
!
!
!
!
!
ip routing
!
no ip domain-lookup
ip domain-name huntco.ca
ip dhcp excluded-address 192.168.21.1 192.168.21.19
ip dhcp excluded-address 192.168.105.1 192.168.105.99
!
ip dhcp pool dhcp-huntco-aps
network 192.168.21.0 255.255.255.0
default-router 192.168.21.1
!
ip dhcp pool dhcp-huntco-voip
network 192.168.105.0 255.255.255.0
default-router 192.168.105.1
option 150 ip 192.168.105.5
lease 7
!
!
qos queue-softmax-multiplier 100
central-management-version 13882368945408704516
!
!
diagnostic bootup level minimal
!
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
description Access Point
switchport access vlan 21
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description Access Point
switchport access vlan 21
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description Access Point
switchport access vlan 21
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description Access Point
switchport access vlan 21
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 105
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/25
description Access Point
switchport access vlan 21
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/26
description Access Point
switchport access vlan 21
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/27
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/28
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/29
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/30
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/31
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/32
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/33
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/34
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/35
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/36
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/37
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/38
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/39
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/40
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/41
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/42
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/43
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/44
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/45
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/46
switchport access vlan 10
switchport mode access
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/47
description -= Uplink to 2911 VG Gi0/0 =-
switchport trunk native vlan 105
switchport mode trunk
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/0/48
description -= Uplink to 2911 VG Gi0/0 =-
switchport trunk native vlan 105
switchport mode trunk
switchport voice vlan 105
spanning-tree portfast
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
!
interface Vlan21
ip address 192.168.21.1 255.255.255.0
!
interface Vlan105
ip address 192.168.105.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip ssh version 2
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
permit tcp any any eq 22
permit tcp any any eq 465
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 995
permit tcp any any eq 1914
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
permit udp any any range 16384 32767
permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
permit tcp any any range 6881 6999
permit tcp any any range 28800 29100
permit tcp any any eq 1214
permit udp any any eq 1214
permit tcp any any eq 3689
permit udp any any eq 3689
permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
permit tcp any any range 2000 2002
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
permit tcp any any eq 443
permit tcp any any eq 1521
permit udp any any eq 1521
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
permit tcp any any eq 1527
permit tcp any any eq 6200
permit tcp any any eq 3389
permit tcp any any eq 5985
permit tcp any any eq 8080
!
!
!
!
banner motd ^CC
_ _ _ ____ ___ _
| | | |_ _ _ __ | |_ / ___|___ |_ _|_ __ | |_
| |_| | | | | '_ \| __| | / _ \ | || '_ \| __|
| _ | |_| | | | | |_| |__| (_) | | || | | | |_ _
|_| |_|\__,_|_| |_|\__|\____\___/ |___|_| |_|\__(_)
^C
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
!
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
wireless mobility controller
wireless management interface Vlan21
ap country CA
ap group default-group
end

 


balaji.bandi
Hall of Fame

High level -

 

Where is the VLAN 10 IP address coming from? I do not see any DHCP config for VLAN 10. Who is handing out DHCP IPs for VLAN 10? Is this a static IP address?

Also, I see VLAN 10 is configured with the .2 IP; do you have .1 configured anywhere?

 

interface Vlan10
ip address 192.168.10.2 255.255.255.0

 

From the PC, can you paste ipconfig /all from when you configured VLAN 10?

I do not see any ip route x.x.x.x x.x.x.x pointing to external?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi balaji.bandi.  Thanks for your quick reply. 

Currently this is just set up in a lab-type setting for learning purposes but I hope to get it connected to the internet next for a production-type setting.

So.....Yes, I don't have DHCP on the 3850 so I have just been statically configuring an IP on my laptop for testing.  Again, if I give myself a 192.168.10.x address, I can ping .2 on the switch but no other vlans.  I chose .2 because I planned on using .1 for the gateway when I am ready to connect to the internet.

So basically I am trying to just access everything internally at the moment.

Hello,

 

Odd indeed. The config of the switch looks perfectly ok. Are all Vlan interfaces on the switch up/up (sh ip int brief)?

The posted switch config does seem appropriate. In particular it does show that ip routing is enabled. And for the 2 vlans where DHCP is configured the default router statement in DHCP does point to the configured vlan IP address. It seems to me that the problem is more likely some issue with the PC than with the switch config. Based on the symptoms described my first guess would be an incorrect gateway on the PC and agree that the output of ipconfig would be helpful. Are we sure that the PC is using DHCP to get its IP address?

 

It might be helpful to have the output of these commands on the switch

show ip protocol

show ip route

show ip interface brief

 

I agree that not seeing a static default route (and not seeing a routing protocol that could advertise a default route) is surprising and would impact access to remote resources. It should not impact access to locally connected subnets or routing between those subnets.

HTH

Rick

Really appreciate all your help guys.  Really helping me learn.
My PC is running Ubuntu.  I have the IP configured as 192.168.10.99 and the gateway is 192.168.10.2.  I can ping the Vlan10 interface of the switch at 192.168.10.2.

 

Additional output from Switch

 

huntco-3850-1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "application"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Maximum path: 32
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 4)

huntco-3850-1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.2/32 is directly connected, Vlan10
192.168.21.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.21.0/24 is directly connected, Vlan21
L 192.168.21.1/32 is directly connected, Vlan21
192.168.105.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.105.0/24 is directly connected, Vlan105
L 192.168.105.1/32 is directly connected, Vlan105
huntco-3850-1#
huntco-3850-1#
huntco-3850-1#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset down down
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 192.168.10.2 YES NVRAM up up
Vlan21 192.168.21.1 YES NVRAM up up
Vlan105 192.168.105.1 YES manual up up
GigabitEthernet1/0/1 unassigned YES unset up up

 

Thanks for the information. Can we have the IP config information from Linux? It looks more towards the Linux side for now.

1. From Linux, post the ifconfig and route -n output.

2. From the switch, are you able to ping the Linux IP? (On Linux, reset iptables with iptables -F to disable any firewall.)

3. From the switch, using source VLAN 10, can you ping any IP of another VLAN, and vice versa? Please confirm.

BB


balaji.bandi
Hall of Fame

When you configure the PC with a 192.168.10.X IP, what is the gateway?

I am more interested in seeing the output below:

1. From the PC, the ipconfig /all output.

2. show ip route from the switch.

Another thing you need to bear in mind: if no device is connected to VLAN 10, the VLAN 10 interface goes down.

So you need to have a device in VLAN 10 for the VLAN interface to be up (as soon as you remove your device connected to VLAN 10, it is no longer reachable).

 

BB


Craig Hunt
Level 1

Guys!!  Thank you so much for your help.  I can now access everything from the PC.  I do believe it was my default gateway on my PC.  I think I had it set to 192.168.10.1 (doesn't exist).  Rookie mistake!  I changed it to .2 and can now access the other vlans.  I was able to ping the virtual interface on the switch previously, I assume, because I was in the same subnet even with the wrong gateway.  So, in the end the switch config was fine.

balaji.bandi
Hall of Fame

Glad you were able to identify the issue and get it sorted.

That is the main point I was asking about from the first post; we wanted to look at your ipconfig /all (thinking Windows), and once you confirmed Linux, still asked for ifconfig, route -n.

 

BB


Craig Hunt
Level 1

uggggh.  I think I jumped the gun.  I can now access the 192.168.21.0/24 subnet while I am connected via vlan10 (192.168.10.0/24) but still can't get to the 192.168.105.0/24 subnet.

 

Edit:  I can actually ping all vlan interfaces hosted on the switch from the PC but can no longer get to the IPs on the 2911 ISR.

I.e. from PC 192.168.10.99, I can ping 192.168.10.2 (vlan10), 192.168.21.1 (vlan21) and 192.168.105.1 (vlan105) all hosted on the switch but I can not ping 192.168.105.5 or 192.168.105.6 which are on the 2911 router.  From the switch, I can ping 192.168.105.5 and .6.  Seems I'm getting pretty close.  Help is still very appreciated.  Thanks.

This is interesting. If you can ping from the PC all the vlan interfaces on the switch but "no longer get to the IPs on the 2911 ISR" then it suggests that the issue might be something on the ISR, such as the ISR not having a route to the subnet where the PC is. Would you post the output of ipconfig from the PC and show ip route from the ISR?

 

 

HTH

Rick

BINGO!!  Thanks Richard.  That was it.  I added a static route on the 2911 back to the 3850 and my PC now has access to everything.  I guess I was incorrectly assuming that if there was a route from the PC > Switch > ISR, it would automatically learn the route back to where the traffic originated from.

ip route 192.168.10.0 255.255.255.0 192.168.105.1

I am glad that we have the issues worked out. It is easy to assume that the router would automatically learn the return route. And in fact, if you were to configure a dynamic routing protocol running between the switch and the router then the router would indeed learn the return route. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
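
The two failures worked through in this thread (the PC pointing at a gateway that does not exist, and the 2911 having no route back to 192.168.10.0/24) can be reproduced with a small hop-by-hop forwarding model. This is an added example, not part of any post in the thread; the device names, the `build_lab` and `ping` helpers, and the assumption that the 2911 starts with only its connected 192.168.105.0/24 route are constructed for illustration.

```python
import ipaddress

# Constructed model of the lab in this thread. Each device has its own
# addresses and a routing table (prefix -> next hop, None = directly connected).
# Assumption: the 2911 initially knows only its connected 192.168.105.0/24.
def build_lab(pc_gateway="192.168.10.2", isr_return_route=False):
    lab = {
        "pc": {"addrs": ["192.168.10.99"],
               "routes": {"192.168.10.0/24": None, "0.0.0.0/0": pc_gateway}},
        "sw3850": {"addrs": ["192.168.10.2", "192.168.21.1", "192.168.105.1"],
                   "routes": {"192.168.10.0/24": None, "192.168.21.0/24": None,
                              "192.168.105.0/24": None}},
        "isr2911": {"addrs": ["192.168.105.5", "192.168.105.6"],
                    "routes": {"192.168.105.0/24": None}},
    }
    if isr_return_route:
        # Equivalent of: ip route 192.168.10.0 255.255.255.0 192.168.105.1
        lab["isr2911"]["routes"]["192.168.10.0/24"] = "192.168.105.1"
    return lab

def owner(lab, ip):
    """Name of the device that holds this address, or None if nobody does."""
    return next((name for name, dev in lab.items() if ip in dev["addrs"]), None)

def lookup(routes, dst):
    """Longest-prefix match; returns (found, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (False, None) if best is None else (True, best[1])

def deliver(lab, src_dev, dst_ip, max_hops=8):
    """Forward one packet hop by hop; returns (ok, reason)."""
    dev = src_dev
    for _ in range(max_hops):
        if dst_ip in lab[dev]["addrs"]:
            return True, f"delivered to {dev}"
        found, next_hop = lookup(lab[dev]["routes"], dst_ip)
        if not found:
            return False, f"{dev}: no route to {dst_ip}"
        target = next_hop or dst_ip  # connected route: resolve the destination itself
        nxt = owner(lab, target)
        if nxt is None:
            return False, f"{dev}: next hop {target} does not answer"
        dev = nxt
    return False, "hop limit exceeded"

def ping(lab, src_ip, dst_ip):
    """Echo request plus echo reply; each direction is routed independently."""
    ok, why = deliver(lab, owner(lab, src_ip), dst_ip)
    if not ok:
        return False, "request: " + why
    ok, why = deliver(lab, owner(lab, dst_ip), src_ip)
    return (True, "reply received") if ok else (False, "reply: " + why)

if __name__ == "__main__":
    for label, lab in [("gateway .1", build_lab(pc_gateway="192.168.10.1")),
                       ("no return route", build_lab()),
                       ("static route added", build_lab(isr_return_route=True))]:
        for dst in ("192.168.21.1", "192.168.105.1", "192.168.105.5"):
            print(f"{label:20} PC -> {dst:15} {ping(lab, '192.168.10.99', dst)}")
```

The request and the reply are separate lookups, which is why the switch-sourced ping to 192.168.105.5 succeeds while the PC-sourced one fails until the 2911 has a route for 192.168.10.0/24.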