Solved: Re: Inter-vlan routing not working on the C3750X Layer 3 Switch

moamen1230 · ‎01-17-2021

Hello,

I need your help

Inter-vlan routing doesn't working on the C3750E Switch

I need to route between vlans for ex: vlan 5 and vlan 10 as shown below
ip routing enabled
a vlan 5 hosts can't communicate with vlan 10 hosts although each of them can reach their default gateway
I can't find the issue

Building configuration...

Current configuration : 7307 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core-Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 7 provision ws-c3750x-48
system mtu routing 1500
ip routing
!
ip dhcp pool BDM
network 10.5.0.0 255.255.255.0
default-router 10.5.0.254
dns-server 10.0.0.1
!
ip dhcp pool IT
network 10.10.0.0 255.255.255.0
default-router 10.10.0.254
dns-server 10.0.0.1
!
!
!
!
crypto pki trustpoint TP-self-signed-3954600960
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3954600960
revocation-check none
rsakeypair TP-self-signed-3954600960
!
!
crypto pki certificate chain TP-self-signed-3954600960
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393534 36303039 3630301E 170D3933 30333031 30303031
32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39353436
30303936 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A287 2BFBB436 F3B28696 4072AE64 0A7BBE77 C965AB2F 70B764D3 8399740D
2EFF8F41 E1CCC9E4 6498970D 7E5D10D3 AB3E01E5 5BB768C0 879E3CB9 129FAE2E
CD9E14C2 B1C9997C 5D120ED6 7BEDF6DC 5A0C1FF0 73E528E8 0DDF6090 60CAC9B9
9D347FEF 7B48879B 2DBDB22D F88B3E57 45D38544 0B4D21F6 DB02C75B 51DEAFF6
43C70203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
551D1104 10300E82 0C436F72 652D5377 69746368 2E301F06 03551D23 04183016
8014D3A4 C81F1400 F756CB08 91874A91 5626755B 43D1301D 0603551D 0E041604
14D3A4C8 1F1400F7 56CB0891 874A9156 26755B43 D1300D06 092A8648 86F70D01
01040500 03818100 5B2389F6 9C69679A 481D482D 16740E62 15645E47 6BD01459
0F542403 B7E219A0 E9C21470 60CEC5D1 C579C67C CE276066 89A35C30 6AC2B849
E6AC0E6C 09A8E48E 13C0F731 C9513778 9F0CB98E 2376A1E3 172B481D 76FEA0D4
C8FB237E 402DC46B B57F8C2D CD770763 8364A498 5CE5AC8A B81287B7 AE9B0B83
8DA5BEBA 57D6B0B2
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
interface GigabitEthernet7/0/46
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/0/47
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet7/0/48
switchport access vlan 10
switchport mode access
interface Vlan1
no ip address
!
interface Vlan5
ip address 10.5.0.254 255.255.255.0
!
interface Vlan10
ip address 10.10.0.254 255.255.255.0
!
interface Vlan15
ip address 10.15.0.254 255.255.255.0
!
interface Vlan16
ip address 10.16.0.254 255.255.255.0
!
interface Vlan20
ip address 10.20.0.254 255.255.255.0
!
interface Vlan25
ip address 10.25.0.254 255.255.255.0
!
interface Vlan30
ip address 10.30.0.254 255.255.255.0
!
interface Vlan35
ip address 10.35.0.254 255.255.255.0
!
interface Vlan40
ip address 10.40.0.254 255.255.255.0
!
interface Vlan45
ip address 10.45.0.254 255.255.255.0
!
interface Vlan50
ip address 10.50.0.254 255.255.255.0
!
interface Vlan55
ip address 10.55.0.254 255.255.255.0
!
interface Vlan60
ip address 10.60.0.254 255.255.255.0
!
interface Vlan65
ip address 10.65.0.254 255.255.255.0
!
interface Vlan100
ip address 10.0.0.2 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
!

Richard Burts · ‎01-17-2021

I see DHCP pools configured for vlans 5 and 10. And see a switch port assigned to vlans 5 and 10. Are there PCs connected to these ports? If your testing is based on ping between PCs is it possible that the PCs have their firewall enabled and the firewall is blocking the ping?

You say that each PC can reach its own gateway address. Can the PC connected in vlan 5 ping the gateway for vlan 10? And can the PC connected in vlan 10 ping the gateway for vlan 5? If not then please post the output of ipconfig from both PCs.

I do see that ip routing is enabled and the parts of the config that we see seem appropriate. Would you post the output of these commands on the switch

show ip route

show interface status

show arp

HTH

Rick

View solution in original post

Richard Burts · ‎01-17-2021

I see DHCP pools configured for vlans 5 and 10. And see a switch port assigned to vlans 5 and 10. Are there PCs connected to these ports? If your testing is based on ping between PCs is it possible that the PCs have their firewall enabled and the firewall is blocking the ping?

You say that each PC can reach its own gateway address. Can the PC connected in vlan 5 ping the gateway for vlan 10? And can the PC connected in vlan 10 ping the gateway for vlan 5? If not then please post the output of ipconfig from both PCs.

I do see that ip routing is enabled and the parts of the config that we see seem appropriate. Would you post the output of these commands on the switch

show ip route

show interface status

show arp

HTH

Rick

moamen1230 · ‎01-18-2021

Dear Richard,

Thank you for your support. The issue was the firewall of PCs, Sorry for interruption

Richard Burts · ‎01-18-2021

You are welcome. Thanks for the update. Glad to know that the issue turned out to be firewall on the PCs. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

fbeye · ‎01-17-2021

I have the same issue, in a sense. My Interfaces in question, set as L3, can ping each others locla interface and both gateways, but can not ping/communicate with any other devices.

GE 1/0/21 10.0.1.115 can Ping 10.0.1.1 (External Router) and itself. Can also Ping 10.0.2.115 (GE 1/0/22) and 10.0.2.1 (Router)

GE 1/0/22 10.0.2.115 can Ping 10.0.2.1 (External Router) and itself. Can also Ping 10.0.1.116 (GE 1/0/21) and 10.0.1.1 (Router)

So, GE 21 and GE 22 can ping themselves, each other and the Gateways each other are connected to BUT they can not Ping/connect (don't be so focused on PING) .

I.E 10.0.1.x can not PING 10.0.2.115 (NAS). Nor can it connect to it or even see it.

Would this need an ACL?

Current configuration : 2776 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
switch 1 provision ws-c3750g-24ps
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/21
description TPLink
no switchport
ip address 10.0.1.115 255.255.255.0
!
interface GigabitEthernet1/0/22
description VPN
no switchport
ip address 10.0.2.115 255.255.255.0
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Home Lan
no ip address
!
interface Vlan11
description Home VPN
no ip address
!
ip classless
ip route 10.0.1.0 255.255.255.0 10.0.1.1
ip route 10.0.2.0 255.255.255.0 10.0.2.1
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
end

MHM Cisco World · ‎01-17-2021

why ip route for route it already connect?

you need vlan ip to make inter vlan work otherwise it will not work.

fbeye · ‎01-18-2021

So turning an interface into an L3 with an IP address can’t crossover?

MHM Cisco World · ‎01-17-2021

...

MHM Cisco World · ‎01-17-2021

...

fbeye · ‎01-17-2021

I can not speak for him but I speak out of my thinking we are somewhat in same boat... I have Version 12.2(25r)SE am I to assume this is already enabled? Still unsure how or why this would not allow access/packets outside of the vlans.