
intervlan routing and too many interface vlans

adamabel
Level 1

Hello, I am teaching a networking class with some old 2620XM routers, C3550, and C2960 switches. 

In the lab I have them create on SW1 an access port to SW2 in vlan 5 on both sides. Also on SW1 they create an interface vlan 5 and assign a 192.168.5.x /24 IP to allow pings to and from the switch, as we have no hosts.

On switch 2 they set up access vlan 5 to SW1, a trunk to a 2620XM router, and an access vlan 10 to SW3.

On switch 3 they setup access vlan 10 and an interface vlan 10 with an ip 192.168.10.x /24

 

On the router we set up subinterfaces 0/0.x for each vlan, then set up encapsulation and an IP for each vlan.

 

At this point everything works; we can ping from switch 1 to switch 3, etc.

 

Here is the problem we face.  Since we reuse these switches over and over again some of the students leave interface vlans on the switches. So on Sw1 and 3 they have interface vlan 5 and 10 with IPs.

 

When they have both sets of interface vlans, this stops pings between the switches. It still allows pings to the router 10.x or 5.x IP address.

 

The question I have is why does having the additional interface vlan break the ping? 

There is some switch logic I am missing. 

 


mark2741
Level 1
If I’m correct you are talking about the layer 2 switch having two vlan interfaces; as it’s a layer 2 switch, only 1 vlan can be active at one time, which may be the reason your pings are stopping.

Yes, this is a layer 2 interface.

 

So some more details.

config example: 

Sw1

interface vlan 5
 ip address 192.168.5.1 255.255.255.0
 no shut
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shut
int fa0/10
 switchport mode access
 switchport access vlan 10
 desc link to sw2
 no shut

sw2

int fa0/4
 switchport mode trunk
 desc link to router
 no shut
int fa0/10
 switchport mode access
 switchport access vlan 10
 desc link to sw1
 no shut
int fa0/20
 switchport mode access
 switchport access vlan 5
 desc link to sw3
 no shut

sw3

int vlan 5
 ip address 192.168.5.3 255.255.255.0
 no shut
int vlan 10
 ip address 192.168.10.3 255.255.255.0
 no shut
int fa0/20
 switchport mode access
 switchport access vlan 5

router IPs

192.168.5.10
192.168.10.10

 

so ping from sw3 to router

192.168.5.10 !!!!!

192.168.10.10 !!!!!!

sw3 to sw1

192.168.10.1 ..... timeout

if we setup a vlan interface on sw2 in vlan 5 or 10 sw3 can ping either IP on sw2. 

 

So based on that I can tell that the router is routing the pings, but pings don't make it to either switch 1 or 3.

 

Hi,

You are making a mistake in your topology. There's no limitation on how many vlans can work at the same time.

You create interface vlan 5 and 10 on SW1, but the interface that connects SW1 to SW2 is in VLAN 10 only.

You cannot reach Vlan 5 on SW1 if interface 0/10 can carry only VLAN 10 traffic. In this case, a trunk between SW1 and SW2 would be required.

Keep in mind that a port in access mode can carry traffic for only one VLAN at a time. To carry traffic for more than one VLAN, you need a trunk.

Hope I could explain clearly.

Try setting up a trunk and let me know if you need any more help.

Thanks for the reply.  I do understand that a trunk would save this, but since this is for a lab of how intervlan routing works, that would defeat the purpose.  A trunk would allow all vlan 5 traffic to reach all other switches on vlan 5 and would not have to go to the router.  Same with vlan 10. 

 

Again, what I'm asking here is: with interface vlans 5 and 10 on both end switches, why does having them both set up stop intervlan routing from completing when either end can ping the router's vlan 5 or 10 IPs?

 

 

Hi Adamabel,

Could you please provide more details about this:

Again, what I'm asking here is: with interface vlans 5 and 10 on both end switches, why does having them both set up stop intervlan routing from completing when either end can ping the router's vlan 5 or 10 IPs?

 

There are 2 ways to do intervlan routing.

One is having a router and using different networks configured on its interfaces; remember, the IP configured on the router's interfaces will be the gateway for each network. Another way using a router is creating the scheme "router on a stick", where you are going to use encapsulation dot1q.

The other way is using a multilayer switch. This kind of switch can basically work at Layer 3 as well, by enabling the command: IP Routing. You can use the SVIs (interface vlan) in order to assign the default gateway for each VLAN.

 

 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

I think I got your point. I simulated your environment in Packet Tracer and I got the same situation.

The problem is as follows. As you create two interface vlans on the switch but you have only one interface, in either Vlan 5 or Vlan 10, the other Vlan stays in down status.

 

Run the command "show ip int br" on both ends and confirm that:

Vlan5 192.168.5.2 YES manual up up

Vlan10 192.168.10.2 YES manual down

I am attaching my Lab for your reference. You need to rename it with .pkt extension.

The conclusion is that this setup won't work, 

Thanks for the reply. This explains how to fix it but not why the behavior happens. While in class I believe I found one possible explanation, but it doesn't quite work with what you found in the show ip int bri. But here it is anyways.

 

1. SW1 sends a ping to SW3 and the packet will look like this. 

Dest MAC R1

Src MAC SW1

Dest IP 192.168.5.3

Src IP 192.168.5 or 10.1 (since we have two interface vlans that could be the source)

For this explanation let's use 192.168.5.1

 

1. So the packet goes to SW2 and shows up in the vlan 10 mac table of the switch.

2. It checks the dest MAC and sends the packet to the router.

3. The packet is tagged vlan 10 going to the router.

4. The router gets it, checks Src IP and Dest IP, and sends it down its vlan 5 interface and tags it.

5. The packet gets to SW2 tagged vlan 5. It then adds this to its vlan 5 mac table and sends it to SW3, the only other port on vlan 5.

6. SW3 gets it and sends a reply. So far so good, but what does the reply look like?

Dest MAC Router

Src MAC SW3

Dest IP 192.168.5.1

Src IP 192.168.5.3

7. SW3 sends this out its vlan 5 interfaces.

8. SW2 gets it, adds it to the vlan 5 mac table and sends it up the trunk to the router.

9. Here is where things break. The router gets it and sees the dest is 192.168.5.1, which is on the vlan 5 tagged interfaces, so it sends it back down the same interface that SW2 sent the packet on, tagged vlan 5.

10. SW2 gets it tagged vlan 5, so the only place it could send it is back to SW3, not to SW1, and the packet eventually dies here because of either TTL or switch filtering rules.

 

 

Well elaborated, but I think the explanation is way more simple.

If you create an Int VLAN in IOS but do not attribute any interface to it, the status will be down and no communication will be possible on this vlan, simple as that.

I just created this interface vlan on my switch right now:

Switch(config)#int vlan 10
Switch(config-if)#
Switch(config-if)#
Switch(config-if)#ip add 10.10.10.9 255.255.255.0

Then I ran:

sh ip int br

 

FastEthernet2/15 unassigned YES unset up up
Vlan1 unassigned YES unset up up
Vlan10 10.10.10.9 YES manual up down

 

As soon as I added an Interface to it, the status now is up:

 

FastEthernet2/14 unassigned YES unset up up
FastEthernet2/15 unassigned YES unset up up
Vlan1 unassigned YES unset up up
Vlan10 10.10.10.9 YES manual up up

 

 

The proper way to play with intervlan routing is to create independent connections between the router and the switches, and done!

The switch in between is increasing complexity and does not help with the intervlan routing at all.
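The leftover-SVI condition discussed in the reply above can also be spotted from the configuration itself, before anyone looks at `show ip int br`. The following is an added example, not part of any post in this thread: `stale_svis` is a hypothetical helper, and the two sample configs are constructed from the SW1 and SW3 configs posted earlier, with the abbreviated commands expanded.

```python
import re

# Constructed sample input based on the SW1 / SW3 configs posted in this thread.
SW1 = """\
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 10
"""
SW3 = """\
interface Vlan5
 ip address 192.168.5.3 255.255.255.0
interface Vlan10
 ip address 192.168.10.3 255.255.255.0
interface FastEthernet0/20
 switchport mode access
 switchport access vlan 5
"""

def stale_svis(config):
    """Return {vlan: ip} for SVIs whose VLAN no physical port carries.

    Config-level check only: it does not know whether a port is actually
    up, which also affects the SVI's line protocol state.
    """
    svis, carried, trunk = {}, set(), False
    current = None
    for line in config.splitlines():
        head = re.match(r"interface\s+(.+)", line, re.I)
        if head:                      # unindented line opens a new interface
            current = head.group(1).strip().lower()
            continue
        if current is None:
            continue
        line = line.strip().lower()
        svi = re.fullmatch(r"vlan\s*(\d+)", current)
        if svi and (ip := re.match(r"ip address (\S+) \S+", line)):
            svis[int(svi.group(1))] = ip.group(1)
        elif not svi:
            if (acc := re.match(r"switchport access vlan (\d+)", line)):
                carried.add(int(acc.group(1)))
            elif line == "switchport mode trunk":
                trunk = True          # a trunk may carry any VLAN
    # With a trunk present nothing can be called stale from config alone.
    return {} if trunk else {v: ip for v, ip in svis.items() if v not in carried}
```

On the constructed configs this reports interface vlan 5 on SW1 and interface vlan 10 on SW3, the SVIs left over from an earlier lab run.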

 

 

 

 

 

 

Thanks for the update. Hmmm we seem to be getting close to the answer to the question “why does creating a second interface vlan break ping between devices” but I still don’t quite see why it breaks things.

Oddly I just tried to rebuild this scenario in my real lab and can’t get it to break. ☹ Tomorrow I’ll take another crack at it to get it to break and then run debug to see what the actual packet activity is.




Hello

In your OP you state that:
sw2 is connected to sw1 via access port vlan 5 and a trunk (why both?)
sw2 is connected to sw3 via access port vlan 10

But then in the config you posted it's the other way around?

However - if you have multiple SVIs on a switch then you need to enable ip routing, and in your scenario you have "routing on a stick" with the router providing inter-vlan routing, but at the same time both sw1 & sw3 have multiple SVIs. (Do they have ip routing enabled?)

I am thinking that even if these two switches have multiple SVIs applied, if ip routing is enabled that could be causing the problem.

Correct topology regarding your setup (with the rtr performing inter-vlan routing):
rtr
subinterfaces with dot1q encap for each vlan

sw2
trunk to rtr
access port to each sw1 & sw3 on specific vlan
ip routing disabled

sw1-sw3
svi for the specific vlan the access port connected to sw2 is in (for mgt purposes ONLY)
ip routing disabled

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul