
inter VLAN routing issue using 2821 and 3750

ebanach
Level 1

<<RESOLVED>> Thanks. Windows firewall (once access to the internet became available, the local Windows firewall changed its network profile and disabled non-local ICMP traffic; hence the router can ping, but non-local subnets are dropped). The same updated configuration works (updated by removing the SVIs).

So I am doing a router-on-a-stick type of configuration and have some issues with my ability to ping hosts on different VLANs off the same physical switch.

Hosts on any of my VLANs can ping all VLAN gateways and VLAN IPs, and can ping internet addresses. Example:

Host IP information:

IP address: 172.16.0.51

Subnet: 255.255.255.0

Gateway: 172.16.0.1

Successfully pings all router [2821] interfaces and subinterfaces, and pings the IP addresses of the VLANs, but cannot ping hosts in other VLANs.

I can ping hosts in all VLANs from the router [2821], and all VLAN IPs.  I have validated this same item from hosts in all three of my VLANs, which are assigned DHCP addresses from the router.

Attaching my running configs for the 2821 and 3750; any insights into what I am missing would be greatly appreciated.  At this point inter-VLAN routing is the only issue I am attempting to resolve; all my other items seem to be working. I am aware I have some additional best-practice type configurations to address, mostly in the name of security and standardization.

Thanks

Ravennthornn

[Edit corrected Host IP address]

5 Replies

ahmedshoaib
Level 4

Hi;

It's not a configuration issue and it seems to be OK. The host you are using to test, with IP address "172.16.0.1", has an IP address conflict with the router IP address. That's why you are seeing abnormal behavior.

Remove the static IP address from the host, get IP address via dhcp and test it again.

Also remove the SVIs (Vlan 101, Vlan 102 & Vlan 103) from the switch, because you are using the router for inter-VLAN routing. These SVIs are required when you want the switch to do inter-VLAN routing.

Thanks & Best regards;

Ahmedshoaib, I mistyped the host IP address in the post; it has been corrected. I did not use static IPs for the hosts in the testing; they were all DHCP-assigned host IPs.

I confirm the same results for all three VLANs that I had DHCP scopes set up on.

I'll need to research your suggestion about removing the SVIs, because I am not sure how to enable the trunk port on the switch without creating them.  Since I am using the router's Gi0/1 interface [I don't have any cards for ethernet ports] I don't believe the 2821 can create a trunk, so I have to use the subinterfaces. Are you suggesting that I create a similar subinterface on the switch in order to trunk the VLANs down to the switch?

R_

OK, after doing some online searches, basically you are suggesting that I purge the following lines from the configuration of the switch:

 ip address 192.168.0.2 255.255.255.0

 ip address 172.16.0.2 255.255.255.0

 ip address 172.16.1.2 255.255.255.0

 ip address 10.0.0.2 255.255.254.0

[Since I am likely going to re-enter my configuration from scratch, I'll just skip the configure terminal > interface VLAN nnn steps]

Is that a correct understanding of what you are recommending?  Also at that point I shouldn't need to enable IP routing on the switch either, correct?

R_

So I have redone the configuration on the 3750 without defining SVIs on the VLANs, and the behavior is unchanged.  I still have the ability to ping everything [internet, router interfaces, hosts on the same VLAN], but not hosts across the VLANs.

Any further thoughts?

R_

ebanach
Level 1

All right I have identified that this seems to be some type of NAT/PAT issue.

Redoing my configurations step by step, I confirmed that prior to enabling NAT I was able to ping between VLANs; however, after enabling NAT I seem to no longer be able to ping between VLANs.

I suspect it may have something to do with my ACL source list, so I may need to refine it to deny all internal IP destinations and then permit external destinations.

I have the requirement on this configuration that my 'WAN' interface is a DHCP-assigned IP, so I will still need to point it at my interface, and try to make the permit line the last one in the access list.

If anyone has thoughts on a better way to mitigate this, I'm all ears (so to speak). I guess I will also be re-addressing my IP address scheme so I can cut down on the number of deny lines.

R_
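The two configuration points raised in this thread (a layer-2-only 3750 trunking to router subinterfaces, as in ahmedshoaib's reply, and NAT overload on a DHCP-assigned WAN interface, as in the last post) fit together in the following skeleton. This is an added example written for this page, not the poster's attached running configs. It reuses the subnets that appear in the thread (172.16.0.0/24, 172.16.1.0/24, 10.0.0.0/23) and the VLAN IDs 101 to 103, but the VLAN-to-subnet mapping, interface numbers, VLAN names and the ACL name are assumptions.

```cisco
! Added example (not the poster's running config): router-on-a-stick on the
! 2821 with NAT overload on a DHCP WAN, plus the matching 3750 trunk.
! VLAN-to-subnet mapping, interface names and the ACL name are assumed.
!
! ===== 2821 =====
ip dhcp excluded-address 172.16.0.1 172.16.0.10
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool VLAN101
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.1
ip dhcp pool VLAN102
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
ip dhcp pool VLAN103
 network 10.0.0.0 255.255.254.0
 default-router 10.0.0.1
!
! Only the inside networks are eligible for translation. Traffic between two
! "ip nat inside" subinterfaces never crosses an "ip nat outside" interface,
! so it is never translated; deny lines for internal destinations are not
! needed for inter-VLAN traffic to keep working.
ip access-list standard NAT-INSIDE
 permit 172.16.0.0 0.0.1.255
 permit 10.0.0.0 0.0.1.255
!
interface GigabitEthernet0/0
 description WAN (address assigned by ISP DHCP)
 ip address dhcp
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/1
 description 802.1Q trunk to 3750
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.103
 encapsulation dot1Q 103
 ip address 10.0.0.1 255.255.254.0
 ip nat inside
!
! Overload on the WAN interface itself, so the translation follows whatever
! address DHCP hands out; no static outside address is required.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
! ===== 3750 (layer 2 only; the router does all inter-VLAN forwarding) =====
no ip routing
vlan 101
 name USERS
vlan 102
 name SERVERS
vlan 103
 name LAB
!
interface GigabitEthernet1/0/1
 description Trunk to 2821 Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101-103
 switchport mode trunk
!
interface range GigabitEthernet1/0/2 - 12
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
! A single SVI is only a management address for the switch (a host address,
! not a gateway); it does not turn inter-VLAN routing back on.
interface Vlan101
 ip address 172.16.0.2 255.255.255.0
ip default-gateway 172.16.0.1
```

To check the NAT theory from the last post rather than guess at it, ping a host in another VLAN and then run `show ip nat translations` on the 2821: an inside-to-inside ping produces no translation entry, while a ping to an internet address does. On the 3750, `show interfaces trunk` should list Gi1/0/1 with VLANs 101-103 active. If the router can reach every host but hosts cannot reach each other across VLANs, the remaining suspect is the host firewall: on a default Windows install the inbound ICMPv4 echo-request rules for the Private and Public profiles are scoped to the local subnet, which matches the behaviour described in the resolved note at the top of this thread.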
