
Inter VLAN configuration on C2600

I have a C2600 (IOS 12.1(16)) with several FastEthernet subinterfaces that outline the different VLANs I have.

Int F0/0 is directly connected to my physical network, consisting of several switches (2924 and 4006).

E.g. int fa0/0.2 & int fa0/0.4 are created for VLAN 2 and 4.

I have now created VLAN 71 and VLAN 72, which need to talk to each other.

I configured it like this:

    interface Fastethernet 0/0.71
     encapsulation dot1Q 71
     ip address 10.10.10.1 255.255.255.0

    interface Fastethernet 0/0.72
     encapsulation dot1Q 72
     ip address 10.10.20.1 255.255.255.0

Command sh ip route;

    C 10.10.10.0/24 is directly connected, FastEthernet 0/0.71
    C 10.10.20.0/24 is directly connected, FastEthernet 0/0.72

People at VLAN 71 can ping 10.10.20.1, but no other host on VLAN 72.

And also vice versa.

Can ANYBODY HELP????

10 Replies

Richard Burts
Hall of Fame

It certainly looks like the router is properly configured to do intervlan routing. I am guessing that the issue has to do with how the PCs are configured. Can you provide information from the PCs, especially what IP addresses are used, what subnet mask, and what default gateway.

It would also be helpful to know if users in VLAN 71 and 72 can communicate with VLANs 2 and 4?

HTH

Rick


Also helpful would be the knowledge that the switch has an established trunk on the ethernet connection where the router is attached.... not just placed in VLAN 71.

There is a command useful for performance here as well:

ip route-cache same-interface

Thanks

Dan

Also the clients in VLAN 2 and 4 cannot reach/ping users in VLAN 71/72.

See below some outputs:

    C:\Documents and Settings\BC2SCX92>ping 10.10.10.1

    Pinging 10.10.10.1 with 32 bytes of data:

    Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=255
    Reply from 10.10.10.1: bytes=32 time=1ms TTL=255

    Ping statistics for 10.10.10.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms

    C:\Documents and Settings\BC2SCX92>ping 10.10.10.216

    Pinging 10.10.10.216 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.10.10.216:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Documents and Settings\BC2SCX92>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 a0 d1 da ce 00 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    0x3 ...00 0e 35 2d 33 04 ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       10.205.0.1     10.205.1.52      20
           10.10.10.0    255.255.255.0       10.205.0.2     10.205.1.52       1
           10.205.0.0    255.255.240.0      10.205.1.52     10.205.1.52      20
          10.205.1.52  255.255.255.255        127.0.0.1       127.0.0.1      20
       10.255.255.255  255.255.255.255      10.205.1.52     10.205.1.52      20
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.168.200.0    255.255.248.0       10.205.0.2     10.205.1.52       1
            224.0.0.0        240.0.0.0      10.205.1.52     10.205.1.52      20
      255.255.255.255  255.255.255.255      10.205.1.52     10.205.1.52       1
      255.255.255.255  255.255.255.255      10.205.1.52               3       1
    Default Gateway:        10.205.0.1
    ===========================================================================
    Persistent Routes:
      None

    C:\Documents and Settings\BC2SCX92>

This is the config of my C2600... Any ideas???

    !
    interface FastEthernet0/0
     description connected to vlan 1 management
     ip address 192.168.200.1 255.255.254.0
     ip access-group 10 out
     ip helper-address 10.205.14.211
     speed 100
     full-duplex
    !
    interface FastEthernet0/0.2
     description connected to vlan2 kantoor
     encapsulation dot1Q 2
     ip address 10.205.0.2 255.255.240.0
     ip access-group 10 out
    !
    interface FastEthernet0/0.4
     encapsulation dot1Q 4
     ip address 192.168.203.1 255.255.255.0
     ip access-group 100 out
     ip directed-broadcast
    !
    interface FastEthernet0/0.5
    !
    interface FastEthernet0/0.6
     encapsulation dot1Q 6
     ip address 192.168.202.1 255.255.255.0
    !
    interface FastEthernet0/0.50
     description connected to vlan50 OT0 (Train-Vlan)
     encapsulation dot1Q 50
     ip address 10.21.0.1 255.255.240.0
     ip access-group 10 out
    !
    interface FastEthernet0/0.71
     encapsulation dot1Q 71
     ip address 10.10.10.1 255.255.255.0
    !
    interface FastEthernet0/0.72
     encapsulation dot1Q 72
     ip address 10.10.20.1 255.255.255.0
    !
    interface FastEthernet0/0.902
     encapsulation dot1Q 902
     ip address 192.168.210.10 255.255.255.192
     ip access-group 20 out
    !
    interface FastEthernet0/0.999
     description connected to vlan 999 logonvlan
     encapsulation dot1Q 999
     ip address 11.0.0.1 255.255.240.0
     ip access-group 10 out
     ip helper-address 10.205.14.211
    !
    ip default-gateway 192.168.211.2
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.211.2
    no ip http server
    !

Hello,

Can you also post the access lists you have configured on your router? What happens when you remove the access lists from the interfaces for VLAN 2 and 4?

Regards,

GP

ACL configs

    logging history warnings
    access-list 10 deny 192.168.210.0 0.0.0.255 log
    access-list 10 permit any
    access-list 100 remark ** Allow WOL traffic from SAN management segment
    access-list 100 permit ip 192.168.202.0 0.0.0.255 any
    access-list 100 deny ip any host 10.205.15.255
    access-list 100 permit ip any any
    access-list 102 remark ** TMS filter to C2SC domain
    access-list 102 deny ip 192.168.210.0 0.0.0.255 any log
    access-list 102 deny ip 10.10.0.0 0.0.255.255 224.0.0.0 0.255.255.255 log
    access-list 102 permit ip any any
    access-list 110 remark ** TMS filter to C2SC domain
    access-list 110 deny 137 any 10.205.0.0 0.0.255.255 log
    access-list 110 deny ip host 10.10.10.255 10.205.0.0 0.0.255.255 log
    access-list 110 deny ip host 10.10.20.255 10.205.0.0 0.0.255.255 log
    access-list 110 permit ip any any
    snmp-server community public RO
    snmp-server community mindef RW
    snmp-server host 192.168.200.110 all

Ignore ACL 102 and 110. These are ACLs for the future.
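Whether the applied ACLs (10 and 100) could be dropping inter-VLAN traffic can be checked offline by walking a packet through them the way IOS does: first match wins, implicit deny at the end. The Python below is an added example, not part of the original thread; its function names are hypothetical, and it handles only the `ip` protocol keyword and the address forms that appear in ACLs 10 and 100.

```python
import ipaddress
# ACLs 10 and 100 as posted above (the two lists applied to interfaces).
ACL_TEXT = """\
access-list 10 deny 192.168.210.0 0.0.0.255 log
access-list 10 permit any
access-list 100 permit ip 192.168.202.0 0.0.0.255 any
access-list 100 deny ip any host 10.205.15.255
access-list 100 permit ip any any
"""
ANY = (0, 0xFFFFFFFF)
def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A', 'A WILDCARD' or bare 'A'; return (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    wild = _ip(tokens.pop(0)) if tokens and tokens[0].count(".") == 3 else 0
    return _ip(tok), wild

def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        num, action = int(tokens[1]), tokens[2]
        rest = [t for t in tokens[3:] if t != "log"]
        if 100 <= num <= 199:      # extended: protocol, source, destination
            rest.pop(0)            # protocol; only "ip" entries are handled here
            src, dst = _take_addr(rest), _take_addr(rest)
        else:                      # standard: source only
            src, dst = _take_addr(rest), ANY
        acls.setdefault(num, []).append((action, src, dst))
    return acls

def _match(ip, spec):
    addr, wild = spec
    return (_ip(ip) | wild) == (addr | wild)   # wildcard bits are "don't care"

def evaluate(acls, num, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, src, dst in acls[num]:
        if _match(src_ip, src) and _match(dst_ip, dst):
            return action
    return "deny"
```

`evaluate(parse_acls(ACL_TEXT), 10, "10.10.10.216", "10.205.1.52")` returns `"permit"`, so ACL 10 applied outbound on Fa0/0.2 does not drop a reply from that VLAN 71 host to the PC in VLAN 2.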

What is the default gateway set on the clients on Vlan 71 and 72?

Does routing between Vlan 2, 4 or any other vlan except Vlan 71 and 72 work fine?

Do you have the same issue in any other Vlan?

regards,

-amit singh

game123
Level 1

Hi,

Do three things first before retrying again:

1. Disable firewalls of any sort on PCs (restart them too)

2. Make sure the default gateway and IP masks are proper on the PCs.

3. Also double check Switch LEDs.

regards.

tarun209
Level 1

Hi,

Please refer to the points below; they may solve your problem.

1. If you have followed the configuration steps listed in the above sections, and are still not able to ping across the VLANs (between workstation1 and workstation2), then there is a possibility that you have come across Caveat CSCds42715, in which the 802.1Q native VLAN keyword does not function properly when fast switching is enabled. The bug fix was integrated in the following code versions: 12.2(0.5), 12.2(0.5)T, 12.1(5)DC, 12.1(5)YB, 12.2(0.18)S, 12.1(5)YD02, 12.2(2)B, 12.2(15)ZN. You can check the status and a brief description of the bug by using the Bug Toolkit (registered customers only) and entering the bug ID CSCds42715.

2. As described earlier in this document, while configuring 802.1Q trunking it is very important to match the native VLAN across the link. In the Cisco IOS software versions earlier than 12.1(3)T, you cannot define the native VLAN explicitly, as the encapsulation dot1Q 1 native command under the sub-interface is not available. In the earlier Cisco IOS versions, it is important to configure the native VLAN-Interface not as a sub-interface, which is in our example VLAN1. If configured wrong, the router would expect a tag dot1q frame on VLAN1 and the switch is not expecting a tag on VLAN1. As a result, no traffic will pass between VLAN1 on the switch and the router.

3. switchport trunk allowed vlan all

4. Refer to the link below for further details

http://www.cisco.com/warp/public/473/50.shtml

The output that was posted is very interesting. I assume that it is from one of the end stations in VLAN 71. In particular I notice this:

Default Gateway: 10.205.0.1

If the default gateway is 10.205.0.1 what device is this and where is it located, and does it have connectivity to the router with vlans 2 and 4?

If devices in these VLANs are attempting to get to 10.205.0.1 to get to any "remote" destination and 10.205.0.1 is not on this router it explains a lot about the issue.

I believe that your problem is a misconfigured gateway.

HTH

Rick
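Which next hop the PC in the posted `route print` output uses for a given destination follows from a longest-prefix match over its route table. The Python below is an added example, not part of the original thread; the function names are hypothetical, and the route rows and router interface addresses are copied from the posts above.

```python
import ipaddress

# Active routes copied from the `route print` output in the thread
# (destination, netmask, gateway, metric); broadcast/multicast rows left out.
HOST_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.205.0.1", 20),
    ("10.10.10.0", "255.255.255.0", "10.205.0.2", 1),
    ("10.205.0.0", "255.255.240.0", "10.205.1.52", 20),
    ("10.205.1.52", "255.255.255.255", "127.0.0.1", 20),
    ("127.0.0.0", "255.0.0.0", "127.0.0.1", 1),
    ("192.168.200.0", "255.255.248.0", "10.205.0.2", 1),
]

# Interface addresses from the posted C2600 configuration.
ROUTER_ADDRS = {
    "192.168.200.1", "10.205.0.2", "192.168.203.1", "192.168.202.1",
    "10.21.0.1", "10.10.10.1", "10.10.20.1", "192.168.210.10", "11.0.0.1",
}

def next_hop(dst, routes=HOST_ROUTES):
    """Return the gateway chosen by longest-prefix match (lowest metric on ties)."""
    best = None
    for net, mask, gateway, metric in routes:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if ipaddress.IPv4Address(dst) in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway)
    return best[1] if best else None

def via_posted_router(dst):
    """True when the chosen gateway is one of the C2600's own interface addresses."""
    return next_hop(dst) in ROUTER_ADDRS
```

For this PC, 10.10.10.216 resolves to gateway 10.205.0.2 (the router's Fa0/0.2 address) through the static route, while anything in 10.10.20.0/24 falls through to the default gateway 10.205.0.1, which is not an address in the posted router configuration.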


All, thanks for your support/advice.

After asking my end users a thousand times, they suddenly discovered an active firewall on one of their workstations..!?!?

And yes, after shutting it down everything worked fine!

So again it shows: never trust your end users...
