Catalyst 3560 inter vlan routing

benpridmore · ‎11-19-2013

Hi there.

Can anyone help me to configure a layer 3 switch to route between vlan's. I cant seem to get it to work. There's already configuration on the router which i didnt configure (im not sure if this is reason its not working).

I need to route from 10.0.0.x/24 to 10.0.2.x/24.

10.0.0.x is already configured as vlan 1 on the GigabitEthernet port.

Vlan 2 is already routing across a fiber link on port 1.

Iv setup vlan for the 10.0.2.x network with port 8, i just cant get them to route.

Can anyone help me do this? - running-config below.

Thanks

Ben

show running-config

Building configuration...

Current configuration : 1726 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Switch-One

!

boot-start-marker

boot-end-marker

!

enable password

!

username lac password

username bpridmore password

!

aaa new-model

!

aaa session-id common

system mtu routing 1500

ip routing

ip domain-name rrca.net.au

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

interface FastEthernet0/1

switchport access vlan 2

speed 100

duplex full

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

switchport access vlan 3

switchport mode access

!

interface GigabitEthernet0/1

!

interface Vlan1

ip address 10.0.0.251 255.255.255.0

!

interface Vlan2

description Fibre Link

ip address 10.254.253.1 255.255.255.252

!

interface Vlan3

ip address 10.0.2.249 255.255.255.0

!

interface Vlan4

no ip address

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.0.138

ip route 192.168.50.0 255.255.255.0 10.254.253.2 permanent

ip route 192.168.60.0 255.255.255.0 10.254.253.2 permanent

ip http server

no ip http secure-server

!

access-list 2000 permit icmp any any

access-list 2001 deny ip host 192.168.60.254 10.254.253.0 0.0.0.255

access-list 2002 deny ip host 192.168.60.254 10.0.0.0 0.0.0.255

access-list 2003 permit ip 192.168.60.0 0.0.0.255 any

!

line con 0

line vty 0 4

transport input telnet

line vty 5 15

transport input ssh

!

end

Richard Burts · ‎11-19-2013

Ben

I am not clear about some parts of the description of your problem. Does port 1 in vlan 2 have any real part in the problem that you describe. It is not evident to me that it does. So please provide some clarification.

There is one port (port 8) in vlan 3. Can you tell us what is connected to this port? And can you tell us the status of this port and the status of interface vlan 3?

The output of show ip interface brief and the output of show interface status would be helpful.

The configuration of routing seems appropriate and I do not see particular issues in the routing configuration. So I am wondering about the possibility that it is an interface status issue that is preventing routing.

HTH

Rick

HTH

Rick

benpridmore · ‎11-19-2013

Thanks for your reply Rick.

No, i dont think port one will have a part in this problem, i just thought id explain the entire situation.

Port 8 is connecting to the network 10.0.2.x.

show ip interface brief:

Interface IP-Address OK? Method Status Protocol

Vlan1 10.0.0.251 YES NVRAM up up

Vlan2 10.254.253.1 YES NVRAM up up

Vlan3 10.0.2.249 YES NVRAM down down

Vlan4 unassigned YES NVRAM down down

FastEthernet0/1 unassigned YES unset up up

FastEthernet0/2 unassigned YES unset down down

FastEthernet0/3 unassigned YES unset down down

FastEthernet0/4 unassigned YES unset down down

FastEthernet0/5 unassigned YES unset down down

FastEthernet0/6 unassigned YES unset down down

FastEthernet0/7 unassigned YES unset down down

FastEthernet0/8 unassigned YES unset down down

GigabitEthernet0/1 unassigned YES unset up up

show interface status:

Port Name Status Vlan Duplex Speed Type

Fa0/1 connected 2 full 100 10/100BaseTX

Fa0/2 notconnect 1 auto auto 10/100BaseTX

Fa0/3 notconnect 1 auto auto 10/100BaseTX

Fa0/4 notconnect 1 auto auto 10/100BaseTX

Fa0/5 notconnect 1 auto auto 10/100BaseTX

Fa0/6 notconnect 1 auto auto 10/100BaseTX

Fa0/7 notconnect 1 auto auto 10/100BaseTX

Fa0/8 notconnect 3 auto auto 10/100BaseTX

Gi0/1 connected 1 a-full a-1000 10/100/1000BaseTX

Thanks again mate.

Ben

Nagaraja Thanthry · ‎11-19-2013

Hello Ben,

Please check the following steps to see if the intervlan routing is working:

Make sure that the PC's default gateway is set to the corresponding VLAN interface IP address
Ping from the PC to all the IP addresses on the Switch. If this step is successful, then InterVLAN routing is working.
Now ping the remote destination. If it is not working, check the remote destination/router to see if there is a route to your local network.

This should help you identify the cause for routing failure.

Hope this helps.

Regards,

Nagaraja

Richard Burts · ‎11-20-2013

Nagaraja

It is most important for Ben to solve the issue of why port 8 shows that it is down and not connected. After he figures this out and fixes it your suggestions may be appropriate.

HTH

Rick

Sent from Cisco Technical Support iPad App

HTH

Rick

benpridmore · ‎11-24-2013

Thanks for your replies.

I had disconnected port 8 for a moment because i deleted vlan 3 and didnt want a dhcp issue. Once i recreated vlan 3 i connected it again.

Let me explain the setup in more detail.

Both networks use a unmanaged switch. Since vlans cant be added to these switches would this be a problem?

Both networks also use srp527w routers. I have added a static route to the "other network" using the ip address of each vlan as the gateway (i know this may not be correct).

I know routing the networks should be possible using a layer 3 switch.

Knowing more can either of you suggest a better way of solving this problem?

Thankyou both for your help.

Ben

devils_advocate · ‎11-25-2013

Hi Ben

So you have access switches which are supposed to be using Vlans 3 and 4 but these switches are not capable of Vlan tagging?

glen.grant · ‎11-25-2013

If you just have dumb switches of of those ports you should be able to route with no issues. No static routes are needed . Devices on those vlans need their default gateways pointed at the 3560 SVI for the appropriate vlan .

Post a show vlan , show ip route from the 3560. Of course those ports must be in a connect status for them to work.

Besides that don't see an issue , they should be in "switchport access vlan X" which they are. Also if you are trying to ping windows devices you must turn off windows firewall to be able to ping those devices.

Richard Burts · ‎11-25-2013

Ben

Thanks for the explanation about the situation with port 8. If that is now up/up then this addresses one of the issues. In that output that you posted I also note that there were multiple ports on the switch that are in vlan 1 but that only interface Gig0/1 shows as connected and up. Is this the port where the other switch is connected?

If an unmanaged switch is connected to interface Fast0/8 then all of its ports should be in vlan 3. And if another unmanaged switch is connected to interface Gig0/1 then all of its ports should be in vlan 1. And the switch configuration that you posted looks to be appropriate for routing between these vlans. So a bit more output might be helpful. Can you post the output of the command to show the entries in the switch mac address table? Also the output of show arp from the switch.

One of your posts mentions having srp527w routers in the network. I am not clear whether they are playing a role or not. If the PCs are connected and receiving addresses via DHCP then it would be helpful to check and see what is configured for their default gateway. If the PC default gateway is the address of the switch interface then routing should work. And if their default gateway is the srp527w then this may explain why routing is not working.

HTH

Rick

HTH

Rick

benpridmore · ‎11-27-2013

Correct, the layer2 switches are not capable of vlan tagging. Iv added a static route from the 10.0.0.138 router to 10.0.2.x using the ip address vlan on the layer 3 switch (10.0.2.249).

A ping request shows this is working:

Ping has started…

PING 10.0.2.6 (10.0.2.6): 56 data bytes

Request timeout for icmp_seq 0

92 bytes from 10.0.0.138: Redirect Host(New addr: 10.0.0.251)

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst

4 5 00 0054 7f2d 0 0000 3f 01 e651 10.0.0.37 10.0.2.6

A ring request to vlan 3's address works

The switch is using the Gig0/1 port to connect to vlan 1. DHCP is coming from a server on the 10.0.0.x and the router on the 10.0.2.x. The default gateways on both networks are set to the router (10.0.0.138 & 10.0.2.138)

show arp-

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.0.2.9 91 5426.96ce.8863 ARPA Vlan3

Internet 10.0.0.8 10 28cf.e908.6345 ARPA Vlan1

Internet 10.0.2.14 144 3415.9e90.1b19 ARPA Vlan3

Internet 10.0.2.15 73 3c07.545f.f5a4 ARPA Vlan3

Internet 10.0.0.2 0 70cd.60aa.99eb ARPA Vlan1

Internet 10.254.253.1 - f41f.c2f1.26c1 ARPA Vlan2

Internet 10.0.0.3 0 0025.9011.6baf ARPA Vlan1

Internet 10.254.253.2 107 f41f.c262.0cc1 ARPA Vlan2

Internet 10.0.2.5 57 f81e.dfdd.7c4b ARPA Vlan3

Internet 10.0.2.6 7 3c07.545f.f5a4 ARPA Vlan3

Internet 10.0.2.24 0 040c.ce1d.3fbe ARPA Vlan3

Internet 10.0.0.27 75 0023.df94.8dea ARPA Vlan1

Internet 10.0.2.16 69 0023.6c99.d717 ARPA Vlan3

Internet 10.0.2.21 4 78a3.e44f.783b ARPA Vlan3

Internet 10.0.0.23 0 0023.1213.9314 ARPA Vlan1

Internet 10.0.2.23 24 0000.747a.75cc ARPA Vlan3

Internet 10.0.0.38 85 406c.8f38.bff5 ARPA Vlan1

Internet 10.0.2.37 0 Incomplete ARPA

Internet 10.0.0.36 86 3415.9e90.1b19 ARPA Vlan1

Internet 10.0.0.37 0 58b0.35f3.2560 ARPA Vlan1

Internet 10.0.0.138 0 203a.0754.7c21 ARPA Vlan1

Internet 10.0.2.138 4 203a.0754.7b35 ARPA Vlan3

Internet 10.0.0.200 0 70cd.60aa.9900 ARPA Vlan1

Internet 10.0.2.249 - f41f.c2f1.26c2 ARPA Vlan3

Internet 10.0.0.251 - f41f.c2f1.26c0 ARPA Vlan1

Thanks for your help guys. I feel this is close to working now.

Ben

Richard Burts · ‎11-28-2013

Ben

I am glad that we have made progress. The output of show arp would seem to me to indicate that things are working. At least what I am seeing, in particular, is that the switch has MAC addresses in the arp table for devices in vlan 1 and also for devices in vlan 3. So from what I can see it should be routing between those vlans/subnets.

If there are devices that are not working (can not access devices on the other vlan) then my first suggestion would be to check and see if their default gateway is pointing to this switch.

I also notice that you have referred again to a router in the network. I am still not clear about the router and what its function is, and therefore not clear whether the router is part of what is causing whatever problem you may still be having.

Perhaps you can provide some clarification about what is not yet working?

HTH

Rick

HTH

Rick