Layer 3 Switch - VLAN's will not talk to each other despite IP Routing being active

Michael Perkins
Level 1

Hi

I have set up a 3750 with 2 VLANs and DHCP pools.

VLAN 2 has internet connectivity via 2 routers (I have no control over these).

VLAN 3 has no internet connectivity currently. This is what I am trying to achieve.

I have configured the VLANs and ports as required for now and everything is connecting OK, but none of the machines I connect to VLAN 3 can talk to VLAN 2 and vice versa, and I presume this is the reason I cannot get network connectivity (that or I have totally set that up wrong!). Please see below; any possible assistance would be greatly appreciated!

 

Show Run:

StagingNet#show run
Building configuration...

Current configuration : 3666 bytes
!
! Last configuration change at 16:52:00 UTC Thu Jul 12 2018
! NVRAM config last updated at 16:38:45 UTC Thu Jul 12 2018
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname StagingNet
!
enable secret 5 $1$hHVs$6TvVQQEi5T1OztDzwqyKy0
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
switch 1 provision ws-c3750-48p
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 217.38.17.66
ip dhcp excluded-address 217.38.17.67
ip dhcp excluded-address 217.38.17.65
ip dhcp excluded-address 217.38.17.70
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool Staging
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
netbios-name-server 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool Core
network 217.38.17.64 255.255.255.240
default-router 217.38.17.70
netbios-name-server 194.72.6.57 194.73.82.242
dns-server 194.72.6.57 194.73.82.242
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
description Primary WAN link
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/2
description Secondary WAN link
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/4
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/5
switchport access vlan 3
switchport mode access
!
interface FastEthernet1/0/6
switchport access vlan 3
switchport mode access

interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 217.38.17.70 255.255.255.240
ip helper-address 192.168.1.1
ip helper-address 192.168.1.0
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
ip helper-address 217.38.17.70
ip helper-address 217.38.17.64
!
ip classless
ip http server
!
!
control-plane
!
end

StagingNet#

Show VLAN

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/7, Fa1/0/8, Fa1/0/9
                                                Fa1/0/10, Fa1/0/11, Fa1/0/12
                                                Fa1/0/13, Fa1/0/14, Fa1/0/15
                                                Fa1/0/16, Fa1/0/17, Fa1/0/18
                                                Fa1/0/19, Fa1/0/20, Fa1/0/21
                                                Fa1/0/22, Fa1/0/23, Fa1/0/24
                                                Fa1/0/25, Fa1/0/26, Fa1/0/27
                                                Fa1/0/28, Fa1/0/29, Fa1/0/30
                                                Fa1/0/31, Fa1/0/32, Fa1/0/33
                                                Fa1/0/34, Fa1/0/35, Fa1/0/36
                                                Fa1/0/37, Fa1/0/38, Fa1/0/39
                                                Fa1/0/40, Fa1/0/41, Fa1/0/42
                                                Fa1/0/43, Fa1/0/44, Fa1/0/45
                                                Fa1/0/46, Fa1/0/47, Fa1/0/48
                                                Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4
2    VLAN0002                         active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4
3    VLAN0003                         active    Fa1/0/5, Fa1/0/6
4    VLAN0004                         active
5    VLAN0005                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

StagingNet#

Accepted Solution

Can you please verify that 192.168.1.3 does not have a host-based firewall? This would produce the symptom that you have described. When you try to ping from the switch, please check the ARP table to see if you get a layer-2 response: show ip arp

If this is a host-based firewall issue, I would expect to see a valid entry in the ARP table for every host on VLANs 2 & 3.

Regards,

Dave
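The check Dave describes, as an added example that is not part of the thread: parse `show ip arp` output and combine it with ping results from the switch CLI, so that a host whose MAC the switch has learned but which still does not answer ping stands out from one the switch cannot even resolve at layer 2. The ARP table and ping results below are constructed to match the thread's addressing, and 217.38.17.65 as an ISP router address is an assumption.

```python
"""Separate a layer-2 failure from a host-based firewall using `show ip arp`,
the check the accepted answer recommends.  Added example, not from the thread;
the ARP output is constructed to match the thread's addressing."""
import re

# Constructed sample in the format `show ip arp` prints on Cisco IOS.
# "Incomplete" means the switch sent ARP requests and got no answer.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0011.2233.4455  ARPA   Vlan3
Internet  192.168.1.3             2   aaaa.bbbb.0003  ARPA   Vlan3
Internet  217.38.17.70            -   0011.2233.4456  ARPA   Vlan2
Internet  217.38.17.75            5   aaaa.bbbb.0075  ARPA   Vlan2
Internet  217.38.17.65            0   Incomplete      ARPA
"""

# Constructed ping results from the switch CLI, as Michael reported them.
PING_FROM_SWITCH = {
    "192.168.1.3": False,   # VLAN 3 host: no reply
    "217.38.17.75": True,   # VLAN 2 host: replies
    "217.38.17.65": False,  # assumed ISP router address: no reply
    "192.168.1.9": False,   # a host that never showed up at all
}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>\S+)\s+ARPA(?:\s+(?P<intf>\S+))?"
)

def parse_show_ip_arp(text):
    """Return {ip: {"mac", "age", "interface"}}; interface is None on Incomplete rows."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m["ip"]] = {"mac": m["mac"], "age": m["age"], "interface": m["intf"]}
    return table

def diagnose(ip, ping_ok, arp_table):
    """Classify one host from its ping result and its ARP state."""
    if ping_ok:
        return "reachable"
    entry = arp_table.get(ip)
    if entry is None:
        return "no-arp-entry"        # never resolved or aged out: check VLAN/port membership, host link
    if entry["mac"].lower() == "incomplete":
        return "arp-incomplete"      # no layer-2 answer: wrong VLAN, cabling, or host down
    return "l2-ok-ping-blocked"      # MAC learned but ICMP unanswered: host-based firewall is the prime suspect

def triage(ping_results, arp_table):
    """Run diagnose() over every pinged host and return {ip: verdict}."""
    return {ip: diagnose(ip, ok, arp_table) for ip, ok in ping_results.items()}

if __name__ == "__main__":
    for ip, verdict in triage(PING_FROM_SWITCH, parse_show_ip_arp(SHOW_IP_ARP)).items():
        print(f"{ip:15} {verdict}")
```

The verdict for 192.168.1.3 is the one Dave predicts: the switch holds a complete ARP entry for it, so the layer-2 path works and the missing ping reply is the host dropping ICMP.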

8 Replies

Reza Sharifi
Hall of Fame

Hi,

Is there a device connected to one of the vlan 3 ports?

Do you see the MAC address for that device?

Also, is the SVI for vlan 3 up and running? "sh ip int bri vlan3"

HTH

Hi

Yup, both VLAN 2 and 3 are up, devices on both, and both can ping / connect to the switch but can't communicate with each other.

Does each end device have the correct gateway?

Also, can you disable and re-enable IP routing and test again?

no ip routing 

ip routing

Also, does the output of "sh ip route" show the correct VLAN IPs?

HTH

dbeattie
Level 1

Hi Michael,

How are you trying to prove that routing is working? If you are trying to ping the routers that you have no control over, you may find that they have no route to 192.168.1.0/24, which means that they cannot forward the return traffic properly. You need to be trying to ping a host that you know can route to the source. Initially, start by trying to ping 217.38.17.70 on your switch from a PC on VLAN 3, and then ping the routers from the 192.168.1.1 interface on the switch. I think that this will be the issue; however, please note:

  • You have a DHCP exclusion for 192.168.0.1, but it should be 192.168.1.1
  • It is worth changing your STP mode to rapid
  • You should put portfast on your access ports to prevent STP getting in the way of DHCP
  • The ip helper lines should not be needed

I hope this helps.

Regards,

Dave
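Dave's four configuration points, turned into a small lint over a `show run` paste. This is an added example and not a Cisco tool or anything from the thread; the config excerpt is constructed from the values on the page, and FastEthernet1/0/6 carrying `spanning-tree portfast` is hypothetical so that one port passes and one fails.

```python
"""Lint a Cisco IOS `show run` for the four points in Dave's reply: a DHCP
exclusion outside every pool, STP not in rapid mode, access ports without
portfast, and helper addresses on SVIs whose subnet this switch serves itself.
Added example, not a Cisco tool; the excerpt below is constructed from the
thread's values (FastEthernet1/0/6 with portfast is hypothetical)."""
from ipaddress import ip_address, ip_network
import re

SAMPLE_RUN = """\
spanning-tree mode pvst
ip dhcp excluded-address 217.38.17.65
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool Staging
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
ip dhcp pool Core
 network 217.38.17.64 255.255.255.240
 default-router 217.38.17.70
!
interface FastEthernet1/0/5
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet1/0/6
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface Vlan2
 ip address 217.38.17.70 255.255.255.240
 ip helper-address 192.168.1.1
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 217.38.17.64
!
"""

SECTION = re.compile(r"^(interface|ip dhcp pool)\s+(\S+)$")

def parse_run(text):
    """Split a config into global lines and named interface/pool blocks.
    Blocks end at the `!` separator or at the next header, so this still
    works when a forum paste has stripped the indentation."""
    cfg = {"global": [], "interface": {}, "pool": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = SECTION.match(line)
        if m:
            current = cfg["interface" if m[1] == "interface" else "pool"].setdefault(m[2], [])
            continue
        (cfg["global"] if current is None else current).append(line)
    return cfg

def pool_networks(cfg):
    """[(pool name, IPv4Network)] from each pool's `network a.b.c.d mask` line."""
    nets = []
    for name, lines in cfg["pool"].items():
        for l in lines:
            p = l.split()
            if p[0] == "network":
                nets.append((name, ip_network(f"{p[1]}/{p[2]}", strict=False)))
    return nets

def lint(cfg):
    """Return a list of human-readable findings, one per problem."""
    findings = []
    nets = pool_networks(cfg)
    for l in cfg["global"]:
        p = l.split()
        if p[:3] == ["ip", "dhcp", "excluded-address"]:
            addr = ip_address(p[3])
            if not any(addr in n for _, n in nets):
                findings.append(f"excluded-address {addr} lies in no DHCP pool (typo?)")
    if "spanning-tree mode rapid-pvst" not in cfg["global"]:
        findings.append("spanning-tree mode is not rapid-pvst")
    for name, lines in cfg["interface"].items():
        if "switchport mode access" in lines and "spanning-tree portfast" not in lines:
            findings.append(f"{name}: access port without spanning-tree portfast")
        addr = next((l.split() for l in lines if l.startswith("ip address ")), None)
        if addr is None:
            continue
        subnet = ip_network(f"{addr[2]}/{addr[3]}", strict=False)
        served = any(n == subnet for _, n in nets)   # this switch is the DHCP server here
        for l in lines:
            p = l.split()
            if p[:2] == ["ip", "helper-address"]:
                target = ip_address(p[2])
                if served:
                    findings.append(f"{name}: helper-address {target} unnecessary, this switch serves {subnet}")
                if any(target == n.network_address for _, n in nets):
                    findings.append(f"{name}: helper-address {target} is a network address, not a server")
    return findings

if __name__ == "__main__":
    for f in lint(parse_run(SAMPLE_RUN)):
        print("-", f)
```

Against the constructed excerpt this reports the 192.168.0.1 exclusion, the pvst mode, the one access port lacking portfast, and both helper addresses (the second of which points at a network address rather than a server); the 217.38.17.65 exclusion is inside the Core pool and is left alone.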

 

Hi Dave

Changed those as advised and now I can get devices on both to ping the VLAN addresses of 192.168.1.1 and 217.38.17.70.

Also the device on VLAN 3 (192.168.1.3) can ping the device I have on VLAN 2 (217.38.17.75).

The device on VLAN 2 cannot ping the device on VLAN 3, however.

The VLAN 3 device cannot ping the routers.

From the switch CLI I cannot ping the device on VLAN 3 either (192.168.1.3), despite it being able to ping the interface and the VLAN 2 device as well as picking up DHCP details.

Also I did try disabling and enabling IP routing, which seems to have made no difference so far.

(EDIT)

Tried to ping the router from the 192.168.1.1 interface and I got no response.


Thanks Dave

It was indeed a client-side firewall stopping it. They are all populated in the ARP table as below.

Now able to ping each other; that just leaves me with the issue of other VLANs not making it outside. So I would most likely need the ISP to set up an IP route or similar on their routers to the VLAN ranges in question, seeing as I have no control over those devices?

Yes, that would seem to be about right. The alternative would be to use a device that can NAT your private range onto the ISP range, so that the ISP thinks that all of your hosts are on the hand-off VLAN. Obviously, NAT functionality is platform-dependent, and it would be more normal to use a firewall to do this so that layer 5-7 security can be added at the same time.

Hope this helps

Dave
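The return-path problem Dave raises in his first reply and the two fixes in this one (a static route at the ISP, or NAT onto the hand-off range), modelled as longest-prefix lookups over small route tables. This is an added example and not from the thread; the switch table reflects the config on the page (two connected subnets and no default route), while the ISP router address 217.38.17.65 and its tables are constructed assumptions.

```python
"""Why a VLAN 3 host's packets reach the ISP routers yet no reply comes back,
and why either a static route at the ISP or NAT on a perimeter device fixes it.
Added example modelling the thread's topology; the ISP router address
217.38.17.65 and its route tables are constructed assumptions."""
from ipaddress import ip_address, ip_network

def lookup(table, dst):
    """Longest-prefix match over [(network, via)]; returns the entry or None."""
    best = None
    for net, via in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

# The 3750 as configured on the page: two connected subnets, no default route.
SWITCH = [
    (ip_network("217.38.17.64/28"), "connected Vlan2"),
    (ip_network("192.168.1.0/24"), "connected Vlan3"),
]
# Assumed ISP router: knows only the hand-off subnet plus a default upstream.
ISP_ROUTER = [
    (ip_network("217.38.17.64/28"), "connected"),
    (ip_network("0.0.0.0/0"), "upstream"),
]
# The same router after the ISP adds the static route Michael asks about.
ISP_ROUTER_WITH_STATIC = ISP_ROUTER + [(ip_network("192.168.1.0/24"), "217.38.17.70")]

def round_trip(src, dst, isp_table, nat_to=None):
    """Trace a probe from src to the ISP router and the router's reply.
    nat_to simulates a perimeter device translating src into the hand-off range.
    Returns (reply_arrives, explanation)."""
    src, dst = ip_address(src), ip_address(dst)
    if lookup(SWITCH, dst) is None:
        return False, f"switch has no route to {dst}"
    seen_src = ip_address(nat_to) if nat_to else src   # what the ISP router sees as the source
    back = lookup(isp_table, seen_src)
    if back is None:
        return False, f"ISP router has no route to {seen_src}"
    net, via = back
    if via == "upstream":
        return False, f"ISP router forwards the reply for {seen_src} upstream ({net}); it never returns to the switch"
    return True, f"reply for {seen_src} returns via {via} ({net})"

if __name__ == "__main__":
    cases = [
        ("VLAN 2 host", "217.38.17.75", ISP_ROUTER, None),
        ("VLAN 3 host, ISP unchanged", "192.168.1.3", ISP_ROUTER, None),
        ("VLAN 3 host, ISP static route", "192.168.1.3", ISP_ROUTER_WITH_STATIC, None),
        ("VLAN 3 host behind NAT", "192.168.1.3", ISP_ROUTER, "217.38.17.70"),
    ]
    for label, src, table, nat in cases:
        ok, why = round_trip(src, "217.38.17.65", table, nat)
        print(f"{label:32} {'OK  ' if ok else 'FAIL'} {why}")
```

The VLAN 2 host succeeds because the ISP router has a connected route back to it; the VLAN 3 host's probe arrives but the reply follows the default route upstream. Both fixes change what the ISP router's lookup of the source address returns, which is exactly the difference between the static-route and NAT options.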
