Interconnecting 2 different networks via L3 Switch using inter-vlan routing?

Shahnil Sahir · ‎06-20-2016

Hi,

I want to inter-connect the 2 different running networks (192.168.72.0/21 and 192.168.80.0/21) by using this the catalyst 3850 switch.

For which I am using inter-vlan routing by enabling 'ip routing'.

IP on interface vlan1 - 192.168.79.241 & IP on interface vlan20 - 192.168.80.199.

All the ports of this switch are in default vlan1(192.168.72.0/21) and 23 and 24 ports are in vlan20(192.168.80.0/21).

The client machines are getting the IP setting via DHCP in both the networks with Gateways 192.168.72.1/21 and 192.168.80.1/21 in respective networks, and that I cannot change.

So I am using the static routes on the gateway devices of both networks toward the catalyst 3850 for these 2 networks.

Rest is shown in the attached scenario.

The issue is that both the gateways are pinging to each other but the client machines are not pinging. When we perform 'tracert' for client machines to each other, if tracert is completed successfully then the machines pings but for the short time only.

Tracert stops at Catalyst 3850 switch.

Note : In cisco packet tracer and GNS3 this scenario is working fine, but in real life implementation it not working desirably.

Config file of that L3 switch (Cat 3850) is

Current configuration : 5472 bytes
!
! Last configuration change at 01:14:11 UTC Tue Jun 14 2016
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname sw_gapl_dist_01
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
switch 1 provision ws-c3850-24t
ip routing
!
ip device tracking
!
!
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-2999374289
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2999374289
 revocation-check none
 rsakeypair TP-self-signed-2999374289
!
!
crypto pki certificate chain TP-self-signed-2999374289
 certificate self-signed 01
 30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
 69666963 6174652D 32393939 33373432 3839301E 170D3136 30363134 30313134 
 31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39393933 
 37343238 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
 81009588 35D4425C 402A2FA6 6C348285 AC685556 3B8DA1A1 AF62C377 BBA203CE 
 E05540BA B8403868 04BCA2E8 513D069D 431BC1AF 8BEBD30A D5D48899 362C8CFE 
 C396BFFD 1FA4FED2 CED47145 946160EF D3074101 8F2AA71E A2DB6445 8D8B3414 
 F0CDD14E 0133BA09 EF4F3C51 AABAAAC1 83726644 71FB4951 B24E0BF1 C80F10F2 
 D75B0203 010001A3 6F306D30 0F060355 1D130101 FF040530 030101FF 301A0603 
 551D1104 13301182 0F73775F 6761706C 5F646973 745F3031 301F0603 551D2304 
 18301680 14DA7AB1 FEAAA882 80EC31BB BAB27449 03659394 D8301D06 03551D0E 
 04160414 DA7AB1FE AAA88280 EC31BBBA B2744903 659394D8 300D0609 2A864886 
 F70D0101 04050003 81810031 10C4B429 292B48ED 3685ACD9 6C5F2EB6 91B93FA1 
 1F8434E4 1A048371 EFB24E2F 816BC18C 51C35A89 32DFC57F D1D5C644 698F6C58 
 0409BE2B FE96071C 9EA8A25E D566A740 151AA97B 0160F4AB 355C8067 814B5F2A 
 863835B1 F3072111 7AF743ED 90205E0F 0CFEA360 68A73D48 44B31190 3D0E0F7E 
 0D72642E F0D9AC47 B3DB50
 quit
!
!
!
!
!
diagnostic bootup level minimal
identity policy webauth-global-inactive
 inactivity-timer 3600 
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
 match non-client-nrt 
!
policy-map port_child_policy
 class non-client-nrt-class
 bandwidth remaining ratio 10
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.0.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 ip address 192.168.79.241 255.255.248.0
!
interface Vlan20
 ip address 192.168.80.199 255.255.248.0
!
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.72.1
!
!
!
!
!
line con 0
 logging synchronous
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 transport input all
line vty 5 15
 login
!
wsma agent exec
 profile httplistener
 profile httpslistener
wsma agent config
 profile httplistener
 profile httpslistener
wsma agent filesys
 profile httplistener
 profile httpslistener
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
ap dot11 24ghz rrm channel dca 1
ap dot11 24ghz rrm channel dca 6
ap dot11 24ghz rrm channel dca 11
ap dot11 5ghz rrm channel dca 36
ap dot11 5ghz rrm channel dca 40
ap dot11 5ghz rrm channel dca 44
ap dot11 5ghz rrm channel dca 48
ap dot11 5ghz rrm channel dca 52
ap dot11 5ghz rrm channel dca 56
ap dot11 5ghz rrm channel dca 60
ap dot11 5ghz rrm channel dca 64
ap dot11 5ghz rrm channel dca 149
ap dot11 5ghz rrm channel dca 153
ap dot11 5ghz rrm channel dca 157
ap dot11 5ghz rrm channel dca 161
ap group default-group
end

Thanks in advance.

Mark Malone · ‎06-20-2016

hi

have you got the right mask set on the pc default gateways , usually when intervlan is working but pcs are not its from the gateway ip/mask being wrong on end devices, the fact you can ping between gateways suggests the intervlan works ok

if its not that you could just do basic dynamic routing to rule out any issues with your statics , just advertise everything connected and see if same issue is there

Shahnil Sahir · ‎06-21-2016

Hi Mark,

Thanks for the reply.

I hope you understand the whole scenario, please let me know if there is any doubts.

The client PCs are getting IP configuration from form the DHCP servers of their respective networks with correct net mask i.e. 255.255.248.0 (/21). Checked the client PCs and DHCP servers configurations.

I can use the dynamic routing, but problem is that one Gateway is linux machine as firewall and other is Cyberoam, I have only one CISCO device connecting these networks.

I have also tried the router ports method using the 'no switchport' on L3 switch instead of vlans but the issue is same.

Thanks.