InterVlan Routing? Not sure if this is cause.

mrmadgig
Level 1

Hello,

 

I am struggling to my surprise at what I thought was going to be quite simple so... here I am. Thanks in advance :)

 

I have two Cisco routers on each end of the building; one is a 3825 and one is a 2851. Each of these routers has its own switch; one is a Cisco 3560 and one is an HP 1910. I have no issue with the connectivity via the VLANs that are trunked between these switches; everything works as expected.

The problem is trying to get the two to talk.... the 2851 LAN is 10.10.111.0/24 and the 3825 is 10.10.12.0/24 

The 2851 is also configured as a router on a stick; however, there is no issue with this either. I can plug a laptop into any respective VLAN port on the Cisco and get the desired results.

The main native VLAN starts on the HP switch (vlan1 10.10.111.0) and all the VLANs then trunk to the 3560; I have 1,2,10,500 allowed. I just added 7 on the Cisco in an effort to connect the two routers together. There is no VLAN 7 on the HP because there is no real need to have it there (from what I can see) if I wanted to inter-VLAN route at the Cisco. I created VLAN 7 and connected the LAN port of the 3825 and tried to inter-VLAN route these; however, I cannot get them to talk at all. I did follow the InterVLAN docs and I seem to not be interpreting these correctly, as I get errors telling me that the addresses overlap when I created the IP address on the no switchport command then added the IP addresses. VLAN 7 on the 3560 is 10.10.12.253/24 and the 3825 is 10.10.12.254; as I read it, this was to be on the same subnet as the router, but it wasn't successful. Could someone please advise on what I am missing here to get these two routers to talk? Of course I could just go interface to interface if that is the case. Attached is the switch config.

 

Thanks again 

Joseph


Gregory Leeson
Level 1

Hi

 A couple questions :

 You're using Router-on-a-Stick on each separate LAN and it's working correctly? So you can ping from a VLAN 2 PC to a VLAN 7 PC on the same physical switch without an issue? And if you go across to the other side of the building and plug two PCs into separate VLANs, they can ping each other?

 Can the two routers communicate?  Can you ping from the 3825 to the 2851 without a problem?

 What routing protocol are you using?

 It may just be a simple issue with your routes and not a VLAN problem.

Can you post the running configs of the routers?

Hello Gregory,

1. No I am not using Router on a stick on both routers just the 2851.

2. No I am not trying to ping PC just the router communication. Vlan 7 doesn't have any PC on it.

3. Routing protocol is normal, being that it is not EIGRP or OSPF, just command ip routing.

I am really just trying to get the 3825 accessible and not doing very well at it.  

 

I can post router config.

 

Thank you

Joseph

How are the routers connected to each other?  Is it a direct connection between each router's gig0/0?  Is there a network in between them?

If they're directly connected they should be on the same subnet.

You need to be able to ping the routers from each other. 

After that you'll need to set up routes between them. Without routes, they won't be aware of the vlans on the other end. 

If you have multiple vlans on each side you should do router on a stick on each side, or have each vlan plugged into a separate router interface. Otherwise you'll have some vlans you can't access. 

 

 

Hello Gregory,

 

Thanks for your reply. 

I see. I do not have them directly connected; there is no real network between them per se. Let me describe this better. However, I am aware of the direct link between routers; I was thinking that I would try this to see if it worked.

R1 2851: router on a stick with VLANs 1, 2, 10, and this is connected to an HP 1910 switch, and its connecting port is a trunk port. Then this HP 1910 trunks a port for all VLANs over to the Cisco 3560. The same VLANs are on the Cisco 3560, and I stopped the inter-VLAN routing of these VLANs on the 2851 with ACLs.

Vlan 1 is 10.10.111.0/24 subnet from switch to switch

Vlan 2 is 172.16.0.0/16 subnet from switch to switch

Vlan 10 is 10.10.10.0/24 subnet from switch to switch

This all works very well and is what I originally had.

 

Phase two:

I bought a 3825 and just configured the gi0/1 as a basic LAN with 10.10.12.0/24.

Now that was configured to just provide internet service, and it does... but then I wanted to be able to connect to it to manage it from the 10.10.111.0/24 subnet, and this has proven to be quite a task to get the two to talk.

So I thought that if I added VLAN 7 just on the Cisco side where the 3825 is, I could just inter-VLAN route between the VLANs and that would have solved it. However, I still cannot ping between the two routers.

I then added vlan 7 on the HP switch and the 2851 and I can ping back and forth on the same vlan but I cannot ping between subnets. 

My goal is not to put my main PC in vlan 7 just to configure/access this router.

Thanks for your time and patience.

Joseph

 

UPDATE: 

 

I added 10.10.12.1 on interface gi0/1.3 on the 2851 and also added a static route on the 3825 ip route 10.10.111.0 255.255.255.0 10.10.12.1

Now I can ping between the routers both ways in the CLI, and I can ping from a laptop on VLAN 7 on a port in the Cisco 3560 to the 2851; however, I cannot ping from client to client. This sounds like a firewall issue to me. Any thoughts?

So to clarify:

Client laptop CAN ping both routers when connected to vlan 7 on the cisco 3560 and I can open a telnet session to both from here.

I cannot ping a client PC on subnet 10.10.111.0 

 

PC on VLAN 1 10.10.111.0 CANNOT ping either the 3825 or the client; however, if I telnet into the 3825 on 10.10.111.0 I can ping from the router to the other router and the client.

Thank you

Joseph

Ok. There are probably no routes between those subnets. The quickest fix would probably be to configure ospf on both routers :

Config t

router ospf 1

network 10.10.12.0 0.0.0.255 area 0

(Repeat the Network command for each subnet, just change the 10.10.xxx.0 part)

Do that on both routers. Only do the network commands for routes that are attached to that router.

 

 

Also, it sounds like you don't need both routers. 

If you're trunking between the switches, just do router on a stick for all of the vlans on both switches and remove the old router from the mix. If it's not connected anywhere except to the switch you don't need it. 

Hi Gregory,

 

I don't need both routers; I am just trying this out for learning purposes. I enabled OSPF and it did not affect it. Still the same scenario. I am going to rebuild this later and post back. I think that when I enabled the firewall with CCP it created some issues.

I say this because if you configure a router on a stick, it by default inter-VLAN routes. So if you created:

VLANs 2, 4, 7 and 10, no matter the IP addresses, it will route between them until you use ACLs. So... let's say that the other router is in VLAN 7 on another switch, plugged in to a port that was just access mode; it would still see it, as long as the VLANs were trunked properly to include VLAN 7.

 

So in my case you can ping from router to router but not client to client; that would lead me to believe that there is a route and an ACL or firewall zone rule is stopping this. After I rebuild it in a more succinct manner then I can really tell.

 

Thanks a lot!

Joseph

Hello

Can you post a diagram to summarise your topology?

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I will try but that takes a while. Give me a bit.

 

Thank you

Found the issue.

 


interface GigabitEthernet0/1.2
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 ip access-group Vlan_10 out
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1.3
 description $ETH-LAN$
 encapsulation dot1Q 7
 ip address 10.10.12.1 255.255.255.0

<<<<<<<<<<<<<<zone-member missing
!
interface Serial0/0/0
 no ip address
 shutdown
!
router ospf 100
 network 10.10.12.0 0.0.0.255 area 0
 network 10.10.111.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 3 interface GigabitEthernet0/0 overload

MGROUTER#
MGROUTER#config t
Enter configuration commands, one per line.  End with CNTL/Z.
MGROUTER(config)#zone-member security in-zone
                      ^
% Invalid input detected at '^' marker.

MGROUTER(config)#int gi0/1.3
MGROUTER(config-subif)#zone-member security in-zone
MGROUTER(config-subif)#^Z
MGROUTER#
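A check for the misconfiguration found above, as an added example that is not part of the original thread: with the IOS zone-based firewall, traffic between an interface that is a zone member and one that is not is dropped, so a new subinterface without `zone-member security` is cut off from the zoned ones. The sample config is constructed from the excerpt above, and the function names are illustrative.

```python
import re

# Constructed sample modelled on the config excerpt in the post above.
SAMPLE = """\
interface GigabitEthernet0/1.2
 ip address 10.10.10.254 255.255.255.0
 zone-member security in-zone
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 7
 ip address 10.10.12.1 255.255.255.0
!
interface Serial0/0/0
 no ip address
 shutdown
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif not line.strip():
            continue  # blank lines inside a block do not end it
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit_zones(config):
    """Map each enabled interface with an IP address to its zone (None = no zone)."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines or not any(l.startswith("ip address ") for l in lines):
            continue
        result[name] = next((l.split()[-1] for l in lines
                             if l.startswith("zone-member security ")), None)
    return result

def unzoned_interfaces(config):
    """Interfaces with no zone on a router where at least one interface has one."""
    zones = audit_zones(config)
    if not any(zones.values()):
        return []  # zone-based firewall not in use, nothing to flag
    return sorted(n for n, z in zones.items() if z is None)
```

Calling `unzoned_interfaces()` on saved `show running-config` output lists the interfaces to review before traffic is tested across them.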

Paul,

 

Here is a quick one. The gist of it is that no client on the HP side on any network can ping anything on the 10.10.12.0 network on the Cisco 3560 side. And anything on the Cisco side can ping anything but the clients on the HP side. I think it's the firewall. But I have been looking at it tooooo long! :)

 

Thanks 

Joseph.

Hello

 

Glad to hear that

res

paul

 

 



Kind Regards
Paul

I actually thought about this, however never implemented it. I will give it a try. I am trunking between the switches and I thought that the router on a stick would have taken care of the inter-VLAN routing to the 3851 also, just as it did for the other clients. Weird. I will give OSPF a try and then redo this all over again.

 

Thank you for all the help
