Access switch remotely from different VLAN

teemufrosen
Level 1

Hello everyone!

I study CCNA and I'm kind of stuck with a network scenario, and hope to receive some feedback on what I could be doing wrong. This truly is a great forum and I have spent many hours getting answers to my questions. But for this scenario I have not found answers...

Scenario: I have a network with 1 router, two switches and 4 different VLANs. I want to be able to communicate with the switch remotely, and have set up an IP address on VLAN 99 for remote management. I have set up a trunk that carries all traffic from all VLANs between my switches and set up a router with subinterfaces for each VLAN.
I can access the switches remotely from hosts connected to VLAN 99, but not from the other VLANs. However I can SOMETIMES ping between the VLANs (set up static IP on the computers with a default gateway to the subinterfaces IP they are connected to on the router). So really my problem is probably more related to the fact that I can not ping between VLANs correctly. 

Below is a link to a PT file including the configurations so that we can distinguish what is wrong with my configuration. Any feedback is (obviously) highly appreciated as I can not get answers through searching.

http://www.speedyshare.com/Jns7S/roas.pkt

Kind regards,
Teemu

1 Accepted Solution

L3 vlan interface just means the subinterfaces on the router.

What you are seeing is to do with proxy arp which is enabled by default.

When you either -

1) set no default gateway on the switch

or

2) set an incorrect gateway on the switch

you are relying on proxy arp on the router to provide a mac address to the arp request from the switch.

So what happens is you telnet from a remote client ie. not on the switch management subnet and the router sends the packet to the switch.

To return the packet the switch has to send the packet to its default gateway.

If one is configured, no matter what it is it sends an arp request for the default gateway IP.

If no default gateway is configured it sends an arp request for the client IP.

Either way the vlan 99 interface on the router receives this request as it is a broadcast. If the IP address in the request is from a subnet configured on any of the router interfaces then the router simply responds with the mac address of the interface the request was received on.

The switch receives this response and sends the return packets to the router interface.

And the router then sends the packet back to the client.

If you disable proxy arp on the vlan 99 interface then it won't work unless you configure the correct default gateway on the switch ie. the IP address of the vlan 99 subinterface on the router.

If you want to test this with different default gateways or no default gateway you must clear the arp cache on the switch every time you make a change, otherwise you get inconsistent results because the switch has the mac address in its arp cache.

To disable proxy arp on your subinterface just go to the vlan 99 subinterface and type -

"no ip proxy-arp"

you only need to do it on that subinterface.

Jon

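To make the sequence Jon describes concrete, here is an added Python model (not from the thread or from Cisco) of the switch's ARP decision and the router's proxy-ARP reply, using the subnet addresses from the posted router config; the MAC addresses and the `MgmtSwitch` class are constructed for the example. It assumes the IOS rule that proxy ARP answers only for a target in a subnet of an interface other than the one the request arrived on, so a wrong gateway inside 192.168.99.0/24 itself gets no reply in this model.

```python
import ipaddress

# Constructed model of the thread's setup: the router's dot1Q subinterfaces (addresses taken
# from the posted router config) and a switch SVI on VLAN 99 (192.168.99.3 in SW2's config).
ROUTER_IFACES = {
    "Fa0/1.1": ipaddress.ip_interface("192.168.1.1/24"),
    "Fa0/1.50": ipaddress.ip_interface("192.168.50.1/24"),
    "Fa0/1.80": ipaddress.ip_interface("192.168.80.1/24"),
    "Fa0/1.99": ipaddress.ip_interface("192.168.99.1/24"),
    "Fa0/1.150": ipaddress.ip_interface("192.168.150.1/24"),
}
# MAC addresses are constructed placeholders, one per subinterface.
ROUTER_MACS = {name: f"00:00:5e:00:01:{i:02x}" for i, name in enumerate(ROUTER_IFACES)}


def router_arp_reply(target, in_iface, proxy_arp=True):
    """MAC the router answers with on in_iface, or None if it stays silent.
    Normal ARP: target is the subinterface's own address.  Proxy ARP (IOS default on):
    target lies in a subnet of one of the router's *other* interfaces, and the router
    answers with the MAC of the interface the request arrived on."""
    target = ipaddress.ip_address(target)
    if target == ROUTER_IFACES[in_iface].ip:
        return ROUTER_MACS[in_iface]
    others = (ifc for name, ifc in ROUTER_IFACES.items() if name != in_iface)
    if proxy_arp and any(target in ifc.network for ifc in others):
        return ROUTER_MACS[in_iface]
    return None


class MgmtSwitch:
    """Switch SVI on VLAN 99 that must return telnet packets to a client in another VLAN."""

    def __init__(self, default_gateway=None):
        self.default_gateway = default_gateway   # None models 'no ip default-gateway'
        self.arp_cache = {}                      # ip -> mac; survives a gateway change

    def clear_arp(self):
        self.arp_cache.clear()

    def next_hop_mac(self, client_ip, proxy_arp=True):
        """Which IP the switch ARPs for and whether anything answers on VLAN 99."""
        # With a gateway set the switch ARPs for it, whatever it is; with none, for the client.
        arp_for = ipaddress.ip_address(self.default_gateway or client_ip)
        if arp_for not in self.arp_cache:
            mac = router_arp_reply(arp_for, "Fa0/1.99", proxy_arp)
            if mac is None:
                return None                      # unanswered ARP: return traffic is dropped
            self.arp_cache[arp_for] = mac
        return self.arp_cache[arp_for]
```

`next_hop_mac` returning None is the case where telnet from another VLAN reaches the switch but the reply never comes back; the entry left in `arp_cache` is why Jon says to clear the switch's ARP cache between tests.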

19 Replies

Reza Sharifi
Hall of Fame

Hi,

Can you attach your config to the post and not use the URL?

Jon Marshall
Hall of Fame

In addition to Reza's request if you post a .pkt file then you are limiting who can help you as a lot of us don't use PT and don't have it.

If you include in your post the topology diagram and the configurations as attachments then a lot more people will be able to help.

Jon

teemufrosen
Level 1

Hi!

Thank you Jon and Reza for your answers. I'm not sure that I am doing this the right way but I will paste the raw configs of devices and topology of my network below.


SW1:

Switch#sh ru
Building configuration...

Current configuration : 1592 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport mode access
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
 switchport mode access
 switchport voice vlan 150
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport access vlan 99
 switchport mode access
!
interface GigabitEthernet1/1
 switchport trunk native vlan 80
 switchport trunk allowed vlan 1-99
 switchport mode trunk
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.99 255.255.255.0
!
!
line con 0
 password cisco
 login
!
line vty 0 4
 password cisco
 login
 transport input telnet
line vty 5 15
 password cisco
 login
 transport input telnet
!
!
end

SW2:

Switch#sh ru
Building configuration...

Current configuration : 1740 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport trunk native vlan 80
 switchport trunk allowed vlan 1-99,150
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 50
 switchport mode access
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
 switchport priority extend cos 1
 switchport mode access
 switchport voice vlan 150
!
interface FastEthernet0/21
 switchport mode access
 switchport voice vlan 150
!
interface FastEthernet0/22
 switchport mode access
 switchport voice vlan 150
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
 switchport trunk native vlan 80
 switchport trunk allowed vlan 1-99,150
 switchport mode trunk
!
interface GigabitEthernet1/2
 switchport trunk allowed vlan 1,50,99,150
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.3 255.255.255.0
!
!
line con 0
 password enable
!
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
end

Router:

Router#sh ru
Building configuration...

Current configuration : 1917 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 192.168.50.100
ip dhcp excluded-address 192.168.50.101
ip dhcp excluded-address 192.168.50.1
!
ip dhcp pool voip
 network 192.168.150.0 255.255.255.0
 default-router 192.168.150.1
 option 150 ip 192.168.150.1
ip dhcp pool security
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 10.0.0.1
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.10.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
!
interface FastEthernet0/1.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet0/1.150
 encapsulation dot1Q 150
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
!
!
!
!
!
!
telephony-service
 max-ephones 10
 max-dn 10
 ip source-address 192.168.150.1 port 2000
 auto assign 3 to 5
 auto assign 1 to 9
!
ephone-dn 1
 number 62001
!
ephone-dn 2
 number 62002
!
ephone-dn 3
 number 62003
!
ephone-dn 4
 number 911
!
ephone 1
 device-security-mode none
 mac-address 0002.171B.0CBA
 type 7960
 button 1:1
!
ephone 2
 device-security-mode none
 mac-address 000A.F366.CB04
 type 7960
 button 1:2
!
ephone 3
 device-security-mode none
 mac-address 0060.4795.89D0
 type 7960
 button 1:3
!
ephone 4
 device-security-mode none
 mac-address 00E0.A379.3256
 type 7960
 button 1:4
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Thank you again for taking your time to help me.

Kindly,
Teemu

Teemu

Which ports are used to connect SW1 to SW2 ?

Which port on SW1 connects to R2 ?

When you ping between vlans what are your source and destination IPs ?

Jon

SW1 gi1/1 - SW2 gi1/1

SW2 fa0/1 - R2 fa0/1

192.168.1.101 - fa0/5

192.168.50.100 - fa0/10

After a couple of changes (can not even remember which now) I can now ping between all VLANs except 1. VLAN1 can still ping other hosts in the same VLAN.
But main problem remains - can not telnet into the switches other than from VLAN 99.

Where are you trying to ping from and to ?

Note that SW2 is not allowing vlan 150 on the trunk link so if you are trying to ping using that vlan and both devices are not on SW2 it won't work.

Jon

My answers to your questions are above, I edited my previous message!

I had completely forgotten to add that one, thanks. However that one is SW1 as the topology shows, and the right one is SW2.

Kindly,
Teemu
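The allowed-VLAN point raised above (the posted configs show Gi1/1 on SW1 allowing only 1-99 while Gi1/1 on SW2 allows 1-99,150) is the kind of mismatch a small config audit can catch before it turns into an intermittent ping. This is an added Python example, not from the thread; it parses the two posted Gi1/1 stanzas, embedded here as constructed excerpts, and reports VLANs allowed on only one end and any native VLAN mismatch.

```python
# Constructed excerpts of the Gi1/1 trunk stanzas as posted for SW1 and SW2 in this thread.
SW1_CONFIG = """\
interface GigabitEthernet1/1
 switchport trunk native vlan 80
 switchport trunk allowed vlan 1-99
 switchport mode trunk
!"""
SW2_CONFIG = """\
interface GigabitEthernet1/1
 switchport trunk native vlan 80
 switchport trunk allowed vlan 1-99,150
 switchport mode trunk
!"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-99,150' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(config):
    """Return {interface: {'allowed': set, 'native': int}} for each 'switchport mode trunk'
    interface.  IOS defaults: all VLANs 1-4094 allowed, native VLAN 1."""
    trunks, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = trunks.setdefault(line.split()[1],
                                    {"allowed": set(range(1, 4095)), "native": 1, "trunk": False})
        elif cur is None:
            continue
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = parse_vlan_list(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.split()[-1])
    return {n: t for n, t in trunks.items() if t["trunk"]}


def trunk_mismatches(cfg_a, if_a, cfg_b, if_b):
    """Compare both ends of one link; returns only the differences (VLANs allowed on one side
    but pruned on the other are silently dropped, and a native VLAN mismatch merges VLANs)."""
    a, b = parse_trunks(cfg_a)[if_a], parse_trunks(cfg_b)[if_b]
    diff = {"only_a": a["allowed"] - b["allowed"], "only_b": b["allowed"] - a["allowed"]}
    if a["native"] != b["native"]:
        diff["native"] = (a["native"], b["native"])
    return {k: v for k, v in diff.items() if v}
```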

Hello again

I have reached a result after further testing. The problem was that my configuration of my end devices had not been saved and some were not configured with a default gateway...

To solve my second problem with remote management I had to set the default gateway of the switch. I guess I can choose the default gateway of whichever subnet I want, as long as it's trunked all the way from the router. 

I'm not proud of the topic quality as it was small errors that caused my problem... Thanks for your replies.

Br,
Teemu

Teemu

No problem, we all make those type of mistakes, or at least I do :-)

Just for your reference the default gateway on the switches should be the IP address of the management vlan interface on the router.

Jon

That felt logical to me, but to be sure I tested with VLAN 1 (not mgt vlan) as default gateway on the switch and I could still telnet from VLAN 50 (not mgmt vlan).

My final statement didn't really feel right, but PT tells me it is... I would love to hear your thought on this Jon.

Br,
Teemu

Teemu

My final statement didn't really feel right, but PT tells me it is... I would love to hear your thought on this Jon.

Sorry I'm not understanding.

Do you mean about being able to telnet to the switch from a different vlan or something else ?

Jon

My mistake! The post I made was unclear. 
I meant what you said - being able to telnet to the switch from a different VLAN. I can telnet the switch from all VLANs no matter which of the valid default gateways I assign to the switch.

Br,
Teemu

Teemu

Can you be specific in what you did ie.

which L3 vlan interface(s) were on the switch with which IPs and what default gateway did you use on the switch ?

Jon

Hi again Jon

I don't think I understand your question about L3 VLAN... May I ask you to rephrase it? But I will try to answer anyway:

If you look at the topology that I posted an image of in my first post, you can see which VLAN is intended for remote mgmt etc (see the devices connected to SW1). I used the default gateway of VLAN 1 (192.168.1.1) on the switch, but remote management is in VLAN 99 (192.168.99.3 is the IP of VLAN 99 on one of the switches). But I could still telnet to the switch from VLAN 1, 50 and 99.

Br,
Teemu
