03-04-2023 11:21 AM
Good Afternoon-
I am hoping to get some technical insight into an ongoing issue I've been trying to resolve...
I have an all-Cisco-shop consisting of:
(1) ASA, (2) ROUTERS, (4) SWITCHES (4) IP PHONES
ALL SWITCH PORTS ON ALL SWITCHES ARE CONFIGURED AS TRUNK PORTS!
SW1 | connects to the ASA, and to SW2, SW3, and SW4. ALL SWITCHES CONNECT TO EACH OTHER WITH FAIL-OVER...
SW1 | VLAN 7 SERVERS AND WORKSTATIONS LIVE HERE
SW2 | VLAN 200 IP PHONES LIVE HERE
SW3 | VLAN 101 SECURITY DVRS LIVE HERE
SW4 | VLAN 99 STREAMING DEVICES LIVE HERE
All Servers are connected to SW1 and are configured with IP Addresses of all the VLANs, DNS Records, and Pointer Records for connected end-devices for each VLAN…
All Switches function at L2 with no routing. The VLANs are configured on all (4) Switches
All Routers are configured with SVIs for each VLAN.
All Routers and Switches can ping all VLAN Gateway Addresses…
From the Router(s) and any of the Switches (VLAN 7), I can ping the Default Gateway x.x.7.1, and the ASA x.x.7.250, and I can also ping any end-device within VLAN 7.
From a laptop configured on VLAN 7, I can ping all other VLAN gateways, (x.x.7.1, x.x.99.1, x.x.100.1, Etc...)
PROBLEM:
I CAN'T PING any other end-devices configured with any VLAN other than VLAN 7...!
Not from the Router(s), Not from any of the Switches where the end-devices are physically connected...!!! The Switches can't ping any of the connected end-devices on any VLAN, OTHER THAN VLAN 7...
Although all VLANs should have Internet Access; VLAN 7 is the only VLAN that can access the Internet.
**Any help you can provide would be greatly appreciated!!!**
Thank you.
03-07-2023 11:57 AM
If VLAN 7 is not native, I’m even more curious about how you associate your end-point devices with proper VLANs. Usually, it is done using access ports, but all your ports are trunk. If so, all end-point devices will end up in the native VLAN unless they send tagged frames or some other special VLAN assignment is in place (MAC-based, protocol-based, subnet-based, etc). In my opinion, any investigation of your issue should start with making sure that your end-point devices are properly associated with their designated VLANs.
03-07-2023 12:37 PM - edited 03-07-2023 12:38 PM
Hi KJK99-
I'll reconfigure the L2 Switches with Access-Ports for all VLANs, and I'll Leave the Trunk Port Connections for SW-SW, SW-RTR, and RTR-ASA...
I'LL KEEP YOU ALL POSTED ON THE OUTCOME...
Thanks.
03-07-2023 12:51 PM
You shared a topology from PKT but you talk about a real network; is this a real network or a PKT lab?
03-07-2023 01:33 PM
Hi MHM-
This is a real network...
I just used PKT to do the Topology so you could visualize the setup...
Thx
03-07-2023 01:39 PM
Hello
@I-TECH wrote:
Here is the topology.
Thanks for sharing the topology. It looks like this was created with Packet Tracer; if this is the case, can you share the PT file?
03-08-2023 12:39 PM - edited 03-08-2023 12:41 PM
Hi Paul-
Here is a quick update...
All connections From the SWs to the RTRs - to the ASA are configured as Trunks Ports. Default, and Native VLAN 1...
All VLANs are allowed on all the Trunks...
I changed the ports for end devices (Workstations, Servers, Etc...) From Trunk Ports to Access Ports for VLAN 7.
switchport mode access
switchport access vlan 7
All workstations which are connected to IP Phones have IP Addresses for VLAN 7 (X.X.7.X) gateway x.x.7.x.
The IP Phones are STATICALLY configured with IP Addresses matching the VOICE VLAN ID 200 (X.X.200.X) GATEWAY x.x.200.x.
The configuration within the IP Phones is below:
VLAN ON - VLAN ID 200
PC PORT VLAN ON - PC PORT VLAN ID 7
LLDP-MED ON - CDP ON
I tried to ping and it failed…!
I changed the ports back to Trunks and retested the ping, Success!
I changed the Ports to General Port. I tried to ping and it failed…!
I changed them back to Trunks and retested the ping, Success!
From the Workstation with the above config, I can ping all the VLAN Gateways (X.X.7.1 | X.X.99.1 | X.X.200.1, Etc....).
I can also do the same from the Servers, Routers, and other Switches…
However, I still can’t ping any other end-point device with the same VLAN IP Assignment in the same VLAN except VLAN 7.
I can’t even ping from the SW with the IP Phones directly connected to it, (SW to IP Phone!)
But, from that same switch, I can ping all other addresses in the network and all other VLAN Gateways in the network, and I can also ping out to the internet…
Any Ideas...???
03-12-2023 10:57 AM - edited 03-12-2023 11:00 AM
Good Afternoon, Paul Driver-
FYI- Initially all the connections to the switches by DEFAULT were Trunk Ports…
All the DC’s have a NIC for each VLAN, and they provide AD, DNS, and DHCP for all network devices on all VLANs…
Currently, they are all connected to Trunk Ports on the Switches…
Question…
What is the correct type of port they should be connected to on the switches, as they support all VLANs…? Trunk Ports, Access Ports, or General Ports???
My desired results would be to have:
DC’s Supplying All Domain Services To All VLANs
Workstations On VLAN 7 Connected to IP Phones With Voice VLAN 200
All Other Ip Phones on VLAN 200
Security Devices Like DVRs on VLAN 101
Streaming Devices on VLAN 99
Management Devices on VLAN 100
ETC…
ALL WITH INTER-VLAN COMMUNICATION AND INTERNET SERVICES
Thanks...
03-08-2023 03:11 PM - edited 03-08-2023 03:21 PM
You may like to log into your switches and check their MAC Address tables. This is an easy way to verify if the connected devices are in proper VLANs. Also, keep in mind that if you use the General switchport mode, you need to set the PVID for the ports to the VID of the untagged VLAN.
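As an added example (not from this thread and not Cisco's own tooling), the script below does the MAC-table check suggested above programmatically: it parses the text of a Cisco IOS `show mac address-table` and flags every learned MAC that sits in a VLAN other than the one intended for its port. The sample table, port names, MAC addresses and the "expected VLAN per port" map are all constructed for the illustration.

```python
"""Check that end devices landed in the VLAN intended for their port.

Added example: parse `show mac address-table` text and compare each port's
learned VLANs with the VLAN(s) we expect on that port. Everything below
(MACs, ports, intent) is constructed sample data, not real network data.
"""
import re
from collections import defaultdict

# Constructed sample shaped like IOS output; MACs and ports are made up.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi1/0/3
   7    0011.2233.aabb    DYNAMIC     Gi1/0/1
 200    0011.2233.ccdd    DYNAMIC     Gi1/0/2
   7    0011.2233.eeff    DYNAMIC     Gi1/0/2
  99    0011.2233.1122    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 5
"""

# Constructed intent: the VLAN(s) each edge port is supposed to carry.
EXPECTED = {
    "Gi1/0/1": {7},        # workstation on an access port in VLAN 7
    "Gi1/0/2": {7, 200},   # workstation behind an IP phone: data 7, voice 200
    "Gi1/0/3": {7},        # workstation that was meant to be in VLAN 7
}

# One data row: vlan, dotted-hex MAC, type, port (header/summary lines don't match)
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: {vlan: [mac, ...]}} from `show mac address-table` output."""
    table = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, _entry_type, port = m.groups()
        table[port][int(vlan)].append(mac.lower())
    return {port: dict(vlans) for port, vlans in table.items()}


def find_misplaced(table, expected):
    """List (port, mac, seen_vlan, expected_vlans) for MACs outside the intent.

    Ports that are not in `expected` (uplinks, unused ports) are ignored.
    """
    problems = []
    for port, wanted in expected.items():
        for vlan, macs in table.get(port, {}).items():
            if vlan not in wanted:
                for mac in macs:
                    problems.append((port, mac, vlan, sorted(wanted)))
    return problems


if __name__ == "__main__":
    learned = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, mac, vlan, wanted in find_misplaced(learned, EXPECTED):
        print(f"{port}: {mac} learned in VLAN {vlan}, expected VLAN(s) {wanted}")
```

In the constructed sample the host on Gi1/0/3 shows up in VLAN 1 although it was meant to be in VLAN 7, which is exactly the kind of mismatch a quick look at the MAC table reveals. To use it on real output, paste the text of `show mac address-table` in place of the sample and fill `EXPECTED` from your port plan.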
03-12-2023 10:27 AM
Good Afternoon KJK99-
Quick Update...
I did check the Mac Tables and the IP Phones are indeed in VLAN 200...
I did some diags with the Port Types and found that when I change the Port to General with the PVID 1, and then change the VLAN membership to 1TP 99T, if I plug a Laptop into that port I CAN then ping an end device with an IP address in the same VLAN 99; BUT there is still no Internet connection for that VLAN, which may be a different issue concerning the ASA.
I still have Internet Access on X.X.7.X network VLAN 7 Only!
03-12-2023 12:18 PM
What is the correct type of port they should be connected to on the switches, as they support all VLANs…? Trunk Ports, Access Ports, or General Ports???
I'm pretty sure Paul will give you a very good answer, but you may consider mine in the meantime.
All of that can be done with General ports, but that’s not the CISCO way of doing it. On CISCO devices, you rather use access and trunk ports. If you have typical end-point devices, you may try this setup.
DC’s Supplying All Domain Services To All VLANs
I understand you have a separate NIC for each VLAN so use access ports for each of them.
Workstations On VLAN 7 Connected to IP Phones With Voice VLAN 200
I have never used IP phones with CISCO switches so I will only show you the way how you can do it with General ports.
The ports need to belong to both VLANs, VLAN 7 and VLAN 200. They need to be UNTAGGED in VLAN 7 and TAGGED in VLAN 200. Also, their PVID needs to be set to 7, that is the VID of VLAN 7.
All Other Ip Phones on VLAN 200
I expect it to be working with access ports in VLAN 200, but no PC in such a case. You can use General ports as above.
Security Devices Like DVRs on VLAN 101
Access ports to VLAN 101.
Streaming Devices on VLAN 99
Access ports to VLAN 99.
Management Devices on VLAN 100
Access ports to VLAN 100.
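The point made in the first reply (an end device on a trunk port ends up in the native VLAN unless it tags its frames) and the General-port recipe in this answer (untagged in VLAN 7, tagged in VLAN 200, PVID 7) both come down to one ingress rule. As an added example, not from the thread and not Cisco's code, the toy model below encodes that rule for access, trunk and General ports and shows where a PC's untagged frames and a phone's tagged voice frames land on each. Port names, VLAN numbers and the port definitions are illustrative.

```python
"""Where does an ingress frame land? A toy model of 802.1Q port classification.

Added example: untagged frames on a trunk go to the native VLAN, untagged
frames on a General port go to the PVID, and tagged frames are accepted only
where the port is a tagged member (any VLAN, or the allowed list, on a trunk).
Voice-VLAN variants of access ports are deliberately not modelled.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class Port:
    name: str
    mode: str                                # "access", "trunk" or "general"
    access_vlan: int = 1                     # access: the single VLAN
    native_vlan: int = 1                     # trunk: VLAN for untagged frames
    allowed: FrozenSet[int] = frozenset()    # trunk: allowed tagged VLANs; empty = all
    pvid: int = 1                            # general: VLAN for untagged frames
    untagged: FrozenSet[int] = frozenset()   # general: untagged members
    tagged: FrozenSet[int] = frozenset()     # general: tagged members


def ingress_vlan(port: Port, tag: Optional[int] = None) -> Optional[int]:
    """VLAN an ingress frame is assigned to, or None if the port drops it."""
    if port.mode == "access":
        # plain access port: untagged frames only
        return port.access_vlan if tag is None else None
    if port.mode == "trunk":
        if tag is None:
            return port.native_vlan
        return tag if not port.allowed or tag in port.allowed else None
    if port.mode == "general":
        members = port.untagged | port.tagged
        if tag is None:
            # the PVID must itself be a VLAN the port belongs to
            return port.pvid if port.pvid in members else None
        return tag if tag in port.tagged else None
    raise ValueError(f"unknown port mode {port.mode!r}")


def edge_outcome(port: Port, phone_vlan: int = 200) -> Dict[str, Optional[int]]:
    """Placement of a PC (sends untagged) and an IP phone (tags its voice VLAN)."""
    return {"pc": ingress_vlan(port), "phone": ingress_vlan(port, phone_vlan)}


# Constructed ports for the situations discussed in the thread
TRUNK_DEFAULT = Port("Gi1/0/1", "trunk")                  # default trunk, native VLAN 1
ACCESS_7 = Port("Gi1/0/2", "access", access_vlan=7)       # workstation port
GENERAL_7_200 = Port("Gi1/0/3", "general", pvid=7,        # phone + PC recipe above
                     untagged=frozenset({7}), tagged=frozenset({200}))
GENERAL_PVID1 = Port("Gi1/0/4", "general", pvid=1,        # "1TP 99T" with PVID 1
                     untagged=frozenset({1}), tagged=frozenset({99}))

if __name__ == "__main__":
    for port in (TRUNK_DEFAULT, ACCESS_7, GENERAL_7_200, GENERAL_PVID1):
        print(f"{port.name} ({port.mode}): {edge_outcome(port)}")
```

Running it shows the PC on the default trunk placed in VLAN 1 while its address lives in VLAN 7, the phone's tagged frames accepted into VLAN 200 on both the trunk and the General port, and the General port with PVID 7 / tagged 200 carrying both devices as intended; with PVID 1 the untagged laptop lands in VLAN 1, which is why the PVID has to match the untagged VLAN.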