06-27-2024 01:03 PM - edited 06-27-2024 01:17 PM
I have a VERY simple problem, that not even ChatGPT or any other resource can solve. I have
Laptop - Switch1 - Router - Switch2 - Vlan10
The router can ping Laptop and anything on Vlan10, but it WILL NOT let traffic pass left or right. It is not the cable, and it's not IP. When I plug in my laptop in place of the router and mirror IP/Subnet I can ping everything on the Vlan10 (laptop - switch - Vlan10). So it's not ACL or anything on the Vlan side stopping traffic. It's something on the router. I wiped the router to factory settings. It doesn't even have an ACL set up on it to block traffic. show ip route even lists both sides of the network as discovered routes with the appropriate /24 and /32 masks. So, it knows exactly where to send traffic when it gets it... but it won't.
Router
gi0/0/0 no ip, no shutdown
gi0/0/0.10 encap dot1q 10, ip 10.6.1.126/26
Switch
Vlan10 ip 10.6.1.64/26
fa0/20 switchport mode trunk, access vlan10, trunk access vlan10
07-05-2024 10:12 AM
TLDR: I got it working. I changed the trunk on switch2 to a L3 Routed port, 10.6.10.10, changed the Router gi0/0 10.6.10.1, added a static route to 10.6.1.0 255.255.255.0 to gi0/0 and I can access VLAN 10 from the ACAS "side".
Fun facts, Sw2 fa0/20 was native vlan10 and that stopped the router from allowing pinging across gi0/0 and 0/1. How does that make sense?? I tried it three times going back and forth with native vlan trunk and none. Every time I set native VLAN the router STOPPED communicating from 0/0 - 0/1. How the *$#! does that even make sense from a coding standpoint, CISCO??
That got me to thinking what other settings on the Switch are making the Router not even function on a basic level. So, I made the fa0/20 on the Switch a L3 interface and voilà. Everything worked. How CISCO can design two of its own devices to not function with VLANs is mind blowing. I keep trying to get "my boss" to dump CISCO and just FRR. Won't have these issues then.
Thank you for your input everyone. The issue was CISCO does not allow the 2901 or 4331 to VLAN to a 2520.
06-27-2024 01:33 PM
Hello,
A couple things you can try:
1. The VLAN 10 IP on the switch is the Network address of the subnet. You can try to change it to a usable IP such as 10.6.1.65/26.
2. Make sure each device can ping its default GW.
If that doesn't work, can you provide the configs of all 4 devices? (Laptop included, from cmd prompt showing ipconfig.)
-David
06-28-2024 08:08 AM - edited 06-28-2024 08:12 AM
Per forum rules I cannot be too specific, and what I do for work, I really cannot be specific. All I can say is the VLAN "size" is very much set-in-stone, I can say there are multiple VLAN in-play and it's all mapped out to fit in a specific ip-pool.
I've tried putting the gi0/0/0.10 ip address directly in the subnet, 10.6.1.126, and the router pings .65 and .66 (if the devices are turned on ATM). I really don't understand why the router won't forward a simple ping to those addresses when coming from the "left-side" of my network going to the "right-side" (VLAN).
Edit: I feel like there is a setting on the router that I, and everyone else, are missing that is keeping the router from allowing traffic through when itself can ping "through". Is there something fundamental about using the "ping" command from the console that inherently alters the router behavior that is allowing for this... special-circumstance? I.e. the router ping does not behave as though it's a normal user and as such, certain settings on the router are not applied that are applied to "normal traffic"?
06-28-2024 08:21 AM
Well, something special with routers (or L3 switches), they, by default, source ping from the "closest" interface IP. So, for example, if you ping anything on the other side of a tunnel, on a router, the router will use its local tunnel interface IP.
What routers often support is an extended ping, where you can specify the source IP or interface. Try pinging through the tunnel, from the router, using an IP or interface that's not the router's tunnel's.
06-28-2024 08:28 AM
Thank you, I'll try that. I suspect that is what is making me, erroneously, think that the router can indeed "ping the 10VLAN" and leading me in the wrong direction to find a solution.
06-27-2024 01:47 PM
Hi @Korban Day ,
Host-based FW often allows traffic to hosts on the local subnet, but not remote subnets. Can you make sure the FW is disabled and try the test again?
Regards,
06-28-2024 08:20 AM
All I can say is we have STIG'ed FWs on our production network that allow pings. When "on" the 10VLAN directly, on the exact switch in question, I can ping all the devices currently turned on. And the 4331 I factory reset and did not put any FWs on the 0/0/0.10 sub-interface. Do I have it backwards that the default is allow when it is really deny all?
06-27-2024 11:35 PM
Hello
@Korban Day wrote:
Switch
Vlan10 ip 10.6.1.64/26
This is a subnet IP, not usable - try .65
06-28-2024 08:05 AM
I think that is a typo on my part. The VLAN10 config on the Switch does say .65, the .64 and .127 are reserved for the VLAN.
06-28-2024 08:26 AM
Can you share the config of the SW1 port and SW2 port connected to the router?
Also the router ports connected to SW1 and SW2.
It seems that the tag is the issue, let me check it.
MHM
07-03-2024 12:04 PM
SW1 is not on any VLAN, it's a single switch network with four ACAS stations so they can run multiple scans at once. It's just a normal physical network on the same subnet.
06-28-2024 08:49 AM
Hello @Korban Day ,
post in text format
on the switch
show interface fas0/20 trunk
show interface fas0/20 switchport
pay special attention to the native Vlan settings
As noted by @MHM Cisco World, you may be facing a native VLAN issue between the two sides of the link (the router and the switch).
You say that when you connect a PC it works; your PC has only IP settings, not a VLAN tag with value 10?
Hope to help
Giuseppe
07-03-2024 12:02 PM
That is correct, I have zero vlan settings on my Dell laptop, when I replace the router with my Dell, I can ping everything on the 10vlan network with the exact same IP address on the .10 subinterface, so it is NOT an FW/ACL issue.
07-03-2024 01:07 PM - edited 07-03-2024 01:08 PM
Router:
interface GigabitEthernet0/0
description ACAS Connection
no ip address
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.6.1.126 255.255.255.192
ip nat enable
no cdp enable
!
Switch2:
interface FastEthernet0/20
description ACAS Trunk
switchport trunk allowed vlan 10
switchport trunk native vlan 10
switchport mode trunk
no cdp enable
!
interface Vlan10
ip address 10.6.1.129 255.255.255.128 secondary
ip address 10.6.1.65 255.255.255.192
ip access-group WAN_IN in
no ip redirects
no ip unreachables
ip pim neighbor-filter DENY_ALL
ip pim query-interval 1
ip pim sparse-mode
ip multicast boundary MCAST_BOUNDARY
ip igmp version 3
load-interval 30
!
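The native-VLAN check that Giuseppe and MHM describe, as an added example written for this thread (not code from any poster or from Cisco): it parses the router and Switch2 snippets posted above and flags a VLAN that the trunk carries as native (so the switch sends it untagged) while the router subinterface has `encapsulation dot1Q` for that same ID and expects it tagged; it also reports the inbound ACL the Vlan10 SVI carries. The config strings are constructed from the posted snippets, trimmed to the relevant lines.

```python
import re

# Constructed sample: the lines that matter from the router and Switch2 configs posted above.
ROUTER_CFG = """interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.6.1.126 255.255.255.192
"""
SWITCH_CFG = """interface FastEthernet0/20
 switchport trunk allowed vlan 10
 switchport trunk native vlan 10
 switchport mode trunk
interface Vlan10
 ip address 10.6.1.65 255.255.255.192
 ip access-group WAN_IN in
"""

def parse_blocks(cfg):
    """Split an IOS-style config into {interface name: [indented lines]}."""
    blocks, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
    return blocks

def check_trunk_to_subif(router_cfg, switch_cfg):
    """Flag VLAN IDs a router subinterface expects tagged (dot1Q without the 'native'
    keyword) that the switch trunk sends untagged as its native VLAN; also note inbound ACLs on SVIs."""
    tagged = {}  # vlan id -> router subinterface expecting that tag
    for name, lines in parse_blocks(router_cfg).items():
        for l in lines:
            m = re.fullmatch(r"encapsulation dot1[qQ] (\d+)( native)?", l)
            if m and not m.group(2):
                tagged[int(m.group(1))] = name
    findings = []
    for name, lines in parse_blocks(switch_cfg).items():
        for l in lines:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", l)
            if m and int(m.group(1)) in tagged:
                v = int(m.group(1))
                findings.append(f"{name}: VLAN {v} is native (untagged) but {tagged[v]} expects tag {v}")
            m = re.fullmatch(r"ip access-group (\S+) in", l)
            if m and name.lower().startswith("vlan"):
                findings.append(f"{name}: inbound ACL {m.group(1)} filters traffic from this VLAN")
    return findings
```

Changing the trunk's native VLAN to anything other than 10 (or making the port routed, as the OP eventually did) clears the first finding; the ACL finding stays until the WAN_IN entries are reviewed.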
06-28-2024 01:35 PM
Hello
Switch x
Port to host = vlan10
port to router gig0/0= trunk
Switch Y
port to rtr gig01 = vlan1
port to host = vlan1