Router Will Not Route Between Two Switches (1 VLAN & 1 Traditional)

Korban Day
Level 1

I have a VERY simple problem, that not even ChatGPT or any other resource can solve. I have

Laptop - Switch1 - Router - Switch2 - Vlan10

The router can ping Laptop and anything on Vlan10, but it WILL NOT let traffic pass left or right. It is not cable, and it's not IP. When I plug in my laptop in place of the router and mirror IP/Subnet I can ping everything on the Vlan10 (laptop - switch - Vlan10). So it's not ACL or anything on the Vlan side stopping traffic. It's something on the router. I wiped the router to factory settings. It doesn't even have an ACL set up on it to block traffic. "show ip route" even lists both sides of the network as discovered routes with the appropriate /24 and /32 masks. So, it knows exactly where to send traffic when it gets it... but it won't.

[Attached screenshot: Screenshot 2024-06-27 161316.png]

Router
gi0/0/0 no ip, no shutdown
gi0/0/0.10 encap dot1q 10, ip 10.6.1.126/26

Switch
Vlan10 ip 10.6.1.64/26
fa0/20 switchport mode trunk, access vlan10, trunk access vlan10

Accepted Solution

Korban Day
Level 1

TLDR:  I got it working.  I changed the trunk on switch2 to a L3 Routed port, 10.6.10.10, changed the Router gi0/0 10.6.10.1, added a static route to 10.6.1.0 255.255.255.0 to gi0/0 and I can access VLAN 10 from the ACAS "side".

Fun facts, Sw2 fa0/20 was native vlan10 and that stopped the router from allowing pinging across gi0/0 and 0/1. How does that make sense?? I tried it three times going back and forth with native vlan trunk and none. Every time I set native VLAN the router STOPPED communicating from 0/0 - 0/1. How the *$#! does that even make sense from a coding standpoint, CISCO??

That got me to thinking what other settings on the Switch are making the Router not even function on a basic level. So, I made the fa0/20 on the Switch a L3 interface and voilà. Everything worked. How CISCO can design two of its own devices to not function with VLANs is mind blowing. I keep trying to get "my boss" to dump CISCO and just FRR. Won't have these issues then.

Thank you for your input everyone.  The issue was CISCO does not allow the 2901 or 4331 to VLAN to a 2520.


22 Replies

Hello,

A couple of things you can try:

1. The VLAN 10 IP on the switch is the network address of the subnet. You can try to change it to a usable IP such as 10.6.1.65/26.

2. Make sure each device can ping its default GW.

If that doesn't work, can you provide the configs of all 4 devices? (Laptop included, from cmd prompt showing ipconfig.)

-David

Per forum rules I cannot be too specific, and what I do for work, I really cannot be specific.  All I can say is the VLAN "size" is very much set-in-stone, I can say there are multiple VLAN in-play and it's all mapped out to fit in a specific ip-pool.

I've tried putting the gi0/0/0.10 ip address directly in the subnet, 10.6.1.126, and the router pings .65 and .66 (if the devices are turned on ATM). I really don't understand why the router won't forward a simple ping to those addresses when coming from the "left-side" of my network going to the "right-side" (VLAN).

Edit: I feel like there is a setting on the router that I, and everyone else, am missing that is keeping the router from allowing traffic through when it itself can ping "through". Is there something fundamental about using the "ping" command from the console that inherently alters the router behavior that is allowing for this... special circumstance? I.E. the router ping does not behave as though it's a normal user and as such, certain settings on the router are not applied that are applied to "normal traffic"?

Well, something special with routers (or L3 switches), they, by default, source ping from the "closest" interface IP.  So, for example, if you ping anything on the other side of a tunnel, on a router, the router will use its local tunnel interface IP.

What routers often support is an extended ping, where you can specify the source IP or interface. Try pinging through the tunnel, from the router, using an IP or interface that's not the router's tunnel's.

Thank you, I'll try that.  I suspect that is what is making me, erroneously, think that the router can indeed "ping the 10VLAN" and leading me in the wrong direction to find a solution.

Harold Ritter
Cisco Employee

Hi @Korban Day ,

Host-based FW often allows traffic to hosts on the local subnet, but not remote subnets. Can you make sure the FW is disabled and try the test again?

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

All I can say is we have STIG'ed FWs on our production network that allow pings.  When "on" the 10VLAN directly, on the exact switch in question, I can ping all the devices currently turned on.  And the 4331 I factory reset and did not put any FWs on the 0/0/0.10 sub-interface.  Do I have it backwards that the default is allow when it is really deny all?

Hello

@Korban Day wrote:

Switch
Vlan10 ip 10.6.1.64/26

This is a subnet IP, not usable - try .65

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I think that is a typo on my part.  The VLAN10 config on the Switch does say .65, the .64 and .127 are reserved for the VLAN.

Can you share the config of the SW1 port and SW2 port connected to the router?

Also the router ports connected to SW1 and SW2.

It seems that the tag is the issue, let me check it.

MHM

SW1 is not on any VLAN, it's a single switch network with four ACAS stations so they can run multiple scans at once.  It's just a normal physical network on the same subnet.

Giuseppe Larosa
Hall of Fame

Hello @Korban Day ,

Post in text format, on the switch:

show interface fas0/20 trunk

show interface fas0/20 switchport

Pay special attention to the native VLAN settings.

As noted by @MHM Cisco World, you may be facing a native VLAN issue between the two sides of the link, the router and the switch.

You say that when you connect a PC it works; your PC has only IP settings, not a VLAN tag with value 10?

Hope to help

Giuseppe


That is correct, I have zero vlan settings on my Dell laptop; when I replace the router with my Dell, I can ping everything on the 10vlan network with the exact same IP address on the .10 subinterface, so it is NOT an FW/ACL issue.

Router:

interface GigabitEthernet0/0
 description ACAS Connection
 no ip address
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.6.1.126 255.255.255.192
 ip nat enable
 no cdp enable
!

Switch2:

interface FastEthernet0/20
 description ACAS Trunk
 switchport trunk allowed vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
 no cdp enable
!
interface Vlan10
 ip address 10.6.1.129 255.255.255.128 secondary
 ip address 10.6.1.65 255.255.255.192
 ip access-group WAN_IN in
 no ip redirects
 no ip unreachables
 ip pim neighbor-filter DENY_ALL
 ip pim query-interval 1
 ip pim sparse-mode
 ip multicast boundary MCAST_BOUNDARY
 ip igmp version 3
 load-interval 30
!
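The native VLAN point raised by MHM and Giuseppe is visible in these two configs: Switch2's fa0/20 has `switchport trunk native vlan 10`, so it sends VLAN 10 untagged, while the router's gi0/0.10 has `encapsulation dot1Q 10`, so it only accepts frames carrying tag 10; the two ends of the link disagree on whether VLAN 10 is tagged. The following config check is an added example, not code from this thread or from Cisco: it parses IOS running-config text and reports every trunk port whose native (untagged) VLAN is one the peer router expects tagged. The sample configs are constructed from the output posted above, and the parser assumes plain running-config formatting.

```python
import re
# Constructed sample configs, transcribed from the router and Switch2 output posted in this thread.
ROUTER_CFG = """
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
"""
SWITCH_CFG = """
interface FastEthernet0/20
 switchport trunk native vlan 10
 switchport mode trunk
"""
def parse_interfaces(cfg):
    """Split IOS config text into {interface name: [stripped sub-command lines]}."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", ""):
            current = None  # '!' or a blank line closes the interface block
        elif current is not None:
            blocks[current].append(line)
    return blocks

def router_tagged_vlans(cfg):
    """{vlan id: subinterface} for dot1Q subinterfaces that only accept tagged frames."""
    tagged = {}
    for name, lines in parse_interfaces(cfg).items():
        for line in lines:  # a trailing 'native' keyword would make the subinterface take untagged frames
            if (m := re.match(r"encapsulation dot1q (\d+)( native)?$", line, re.I)) and not m.group(2):
                tagged[int(m.group(1))] = name
    return tagged

def switch_native_vlans(cfg):
    """{trunk port: native vlan}; IOS sends the native VLAN untagged unless tagging is forced on."""
    if re.search(r"^\s*vlan dot1q tag native\s*$", cfg, re.M):
        return {}  # the global option tags the native VLAN too, so nothing leaves untagged
    native = {}
    for name, lines in parse_interfaces(cfg).items():
        if "switchport mode trunk" in lines:
            native[name] = 1  # IOS default native VLAN when none is configured
            for line in lines:
                if m := re.match(r"switchport trunk native vlan (\d+)$", line):
                    native[name] = int(m.group(1))
    return native

def find_native_mismatches(router_cfg, switch_cfg):
    """(switch port, vlan, router subinterface) triples where the VLAN leaves untagged but must arrive tagged."""
    tagged = router_tagged_vlans(router_cfg)
    return [(p, v, tagged[v]) for p, v in switch_native_vlans(switch_cfg).items() if v in tagged]
```

Running `find_native_mismatches(ROUTER_CFG, SWITCH_CFG)` on the posted configs flags fa0/20 against gi0/0.10 for VLAN 10; a trunk with a different native VLAN, or a switch with `vlan dot1q tag native` set globally, produces no finding.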

Hello

Switch X
Port to host = vlan10
Port to router gig0/0 = trunk

Switch Y
Port to rtr gig01 = vlan1
Port to host = vlan1

Kind Regards
Paul