Two switches on different network can't communicate.

tantony
Level 1

I'm starting a new discussion because I made some changes to my network.

 

I have a Juniper SRX550 firewall. Juniper is providing DHCP for networks 172.16.64.0/18 and 172.16.128.0/18.

 

Cable goes from port 0/0/2, 172.16.64.1/18 Juniper to port 1 VLAN 1 to a Cisco 3560 switch with ip 172.16.64.2/18
Cable goes from port 0/0/3, 172.16.128.1/18 Juniper to port 1 VLAN 1 to a Cisco 3560 switch with ip 172.16.128.2/18

I have a WiFi router connected to the 172.16.64./ switch on port 23. The IP of WiFi router is 172.16.128.3/18.

 

I have IP Routing enabled on both switches. When I connect my laptops to both switches, I'm getting the correct DHCP and default gateways, but I'm not able to communicate across.

 

For example, if I'm on the 172.16.64.2 switch, I can't ping anything on the 172.16.128.0 network. I can only ping the default gateway.

 

I'll post configs from both switches.

27 Replies

I did that, and I'm back to the previous situation.  The laptop on 172.16.64.2 can ping the other laptop.  The other laptop can't ping the laptop on 172.16.128.2

I tried pinging 172.16.128.2 from the 172.16.64.2 switch, and it was not able.

I tried pinging 172.16.64.2 from the 172.16.128.2 switch, and it was not able.

 

I have ip routing on both switches.

I had the second switch on VLAN 1 also.  I changed it to VLAN 3 like you said, but now I can't ping anything.

ok, I made the changes on 172.16.64.2 switch port 0/17

 

switchport mode access

spanning-tree portfast

 

Hello,

 

post the full configs of both switches as they are now configured...

If a trunk is not being used, why would you not have IP addresses assigned on the non-switchport ports (Fa0/24) connecting the two switches?

 

Also, "ip routing" simply enables routing capabilities on the switch, such as basic inter-VLAN routing, and allows routing protocols to be configured.  But without routing protocols actually configured (such as EIGRP, OSPF, iBGP, etc), the switches aren't doing any dynamic routing other than between VLAN SVIs configured on the local switch.

 

If the SVIs are configured across two different L3 switches, I would think you would need either a static or dynamic route between them to forward traffic.

In addition, if the VLANs are separated by a layer 3 boundary (i.e., a routed port), then the VLAN id doesn't really matter either (although best practice is obviously not to use the default VLAN 1).

 

 

Otherwise if wanting a strictly layer 2 path between the switches, then a trunk allowing the specific VLANs in question across would suffice, with ideally some sort of third, management VLAN (with SVI configured on both switches) as the native VLAN; also make sure all relevant VLANs are on both switches, and configure the SVIs for all the VLANs on one of the switches to act as the routing point.

 

I wonder, does the OP want layer 3 separation and both switches acting as L3 devices, or is a layer 2 path with just inter-VLAN routing for communication needed?  Or is the Juniper Firewall device connected to both employing switching or routing at all between the switches, or just providing DHCP for clients?

The design will also affect how the WiFi router mentioned has its IP and connected switchport configured.

 

Based on clarification of the desired end goal I can provide some sample configuration.

 

Sorry, just saw the diagram of the network and somehow missed all the posts after that.  Whoops.

So just curious, how is the Firewall configured to act between the switches?

Agree to request posting the now current configs of both switches.

I tried this in Cisco packet tracer, and I'm able to communicate between switches, laptops etc.  I added RIP in router.

 

I need to figure out one more thing.  I need to connect a WiFi 172.16.128.3/18 to the 172.16.64.2 switch.  How would I do that?  I guess do static routing in the router? 

I guess you can use static routing in this switch. The WiFi is connected to 172.16.64.2 switch on port 0/3

 

In the 172.16.64.2 switch config I typed

 

ip route 172.16.128.3 255.255.192.0 fastEthernet 0/3  

 

It says "% Must specify a L3 port as the next hop interface"

Are you unable to assign the WiFi router an IP in the subnet on the 172.16.64.2 switch?

Or connect it to the 172.16.128.2 switch?

Or, are you able to do a routed port to the WiFi with a /30 network, and do a static route to the /30 IP or routed interface of the WiFi?

Yes, I can assign the WiFi router 172.16.64.0 ip address (that's the easiest way), but I have to assign it a 172.16.128.0 address and connect it to the 172.16.64.2 switch per user request.

 

I'll check on the router port.

Ok...that kinda brings me back to asking how the switches are separated - via Layer 2, or Layer 3 via the Juniper Firewall?

If the Firewall is acting as a layer 3 boundary itself, you can't have a single network span a layer 3 boundary (easily or even practically anyway).

You COULD further subnet your .128 network with like a /19 instead, putting one half on one switch and one half the other and advertising the routes accordingly based on the appropriate mask.

 

If the Firewall is acting as a layer 2 device, then try putting all routing on the 172.16.64.2/18 switch along with a management VLAN & SVI, and then swapping the 172.16.128.2/18 SVI with an IP in the newly created management VLAN.

 

Hope that helps.

 

Assuming the Firewall is acting as a layer 3, it is making a layer 3 boundary.

I would suggest either subnetting the network if the user absolutely insists on keeping that block of addresses for whatever reason, or explain to them how networks work, so they will understand why a network can't span a layer 3 boundary and that it would be best to just re-IP the WiFi router or change its connection to the .128 switch :)

 

For subnetting, put the 172.16.128.0/19 (255.255.224.0) on the .64 switch so the router can keep the 172.16.128.3 IP, and then put 172.16.160.0/19 (255.255.224.0) on the current .128 switch - though the switch will need a new IP itself then in that case as well.
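
The /19 split suggested in the last reply, checked with Python's ipaddress module. This is an added example, not code from any poster in the thread; the segment and host labels (sw64, sw128, wifi) are made-up names for the devices described above, and each segment is assumed to sit on its own side of the firewall's layer 3 boundary.

```python
import ipaddress
from itertools import combinations

def check_plan(segments, hosts):
    """segments: {segment: [cidr, ...]}; hosts: [(name, ip, segment)].
    Returns a list of problems: networks that appear on both sides of a
    layer 3 boundary, and hosts whose IP is outside every network
    configured on the segment they are plugged into."""
    nets = {seg: [ipaddress.ip_network(c) for c in cidrs]
            for seg, cidrs in segments.items()}
    problems = []
    # A network cannot live on two routed segments at once.
    for (a, a_nets), (b, b_nets) in combinations(nets.items(), 2):
        for x in a_nets:
            for y in b_nets:
                if x.overlaps(y):
                    problems.append(f"overlap: {x} on {a} and {y} on {b}")
    # Every host must be on-link for the segment it is cabled to.
    for name, ip, seg in hosts:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets[seg]):
            problems.append(
                f"off-subnet: {name} {ip} is not in any network on {seg}")
    return problems

# Devices and addresses as given in the thread; labels are constructed.
HOSTS = [
    ("sw64-switch", "172.16.64.2", "sw64"),
    ("sw128-switch", "172.16.128.2", "sw128"),
    ("wifi", "172.16.128.3", "sw64"),   # .128 address cabled to the .64 switch
]

# Plan as first posted: one /18 per switch.
ORIGINAL = {"sw64": ["172.16.64.0/18"], "sw128": ["172.16.128.0/18"]}

# Naive fix: put the same /18 on both switches (spans the boundary).
SPANNING = {"sw64": ["172.16.64.0/18", "172.16.128.0/18"],
            "sw128": ["172.16.128.0/18"]}

# Suggested fix: split 172.16.128.0/18 into two /19s, lower half on the
# .64 switch, upper half on the current .128 switch.
LOW, HIGH = ipaddress.ip_network("172.16.128.0/18").subnets(new_prefix=19)
SPLIT = {"sw64": ["172.16.64.0/18", str(LOW)], "sw128": [str(HIGH)]}

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL), ("spanning", SPANNING),
                        ("split", SPLIT)):
        print(label, check_plan(plan, HOSTS))
```

With the split plan the only remaining finding is the current .128 switch's own address, which matches the reply's remark that the switch will need a new IP.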
