No communication on a new VLAN and VLAN by default

abtt-39 (Level 1)

Hello,

I would like some help because I have a problem.
I have a remote site, where I replaced the switches with 9200s.
This site is linked to the central site by an operator VPN link. I don't have control over the operator routers.

On this remote site, previously, there was no VLAN; the ports of the switches were on the default VLAN, VLAN 1.
They were L2 switches, and the default gateway was the IP of the LAN port of the operator router:
ip default-gateway 10.60.133.254

The subnet of the site is 10.60.133.0.

Routing between the central site and the remote site is done on the operator routers (for 10.60.133.0).

The links between the switches and the routers are trunks.

And it worked.


I was asked to create several local VLANs on the remote site, and to no longer use VLAN 1 for data but VLAN 10.

I installed a 9200 switch to replace the 2960 switch.
I enabled inter-VLAN routing:
ip routing
I put a route pointing to the LAN IP of the operator router:
ip route 0.0.0.0 0.0.0.0 10.60.133.254
I created two VLANs, 10 and 20:
interface Vlan10
 ip address 10.60.133.253 255.255.255.0
interface Vlan20
 ip address 10.61.133.253 255.255.255.0

On the 9200 switch, I connected a PC and configured its port in access mode:

switchport mode access
switchport access vlan 10

On the PC, I configured a static IP:
10.60.133.100/24
Gateway: 10.60.133.253 (IP of SVI VLAN 10).

But it doesn't work; I don't have network connectivity.

From the switch, I can't ping 10.60.133.254.

I then plugged this PC into a switch port without configuration (so still on VLAN 1 by default), replaced the gateway 10.60.133.253 with 10.60.133.254, and it worked.

I can ping 10.60.133.254, ping servers on site A, etc.

I have attached a drawing of the network before / after.

20 Replies

Sorry, can you re-attach the topology? I could not open it.

abtt-39 (Level 1)

I have reloaded the 2 files (JPEG).

Yes, I see it now.
So in site A, do the server, the L3 switch and the ISP router share one subnet? I.e., does the server have its GW toward the ISP router, or is its GW the SVI in the L3SW, with the L3SW forwarding traffic to the ISP?
If the GW is not the ISP but the L3SW, then in site A you need to configure a static route in the ISP router for the server subnet toward the L3SW.

abtt-39 (Level 1)

On the L3 switch (site A):

interface Vlan15
 description Vlan 15 - Routers
 ip address 10.39.6.254 255.255.255.0
end

The GW of the servers is the SVI on the L3 switch (server VLAN): 10.39.1.254

interface Vlan2
 description Vlan 2 - Servers
 ip address 10.39.1.254 255.255.255.0
end

If I do a show ip route on the core L3SW (site A):

.....

C 10.39.1.0/24 is directly connected, Vlan2
L 10.39.1.254/32 is directly connected, Vlan2
C 10.39.6.0/24 is directly connected, Vlan15
L 10.39.6.254/32 is directly connected, Vlan15

....

I did not specify, but if I connect a PC on site B (on a switch port with no specific configuration, on VLAN 1), it works: I can obtain a DHCP address from the DHCP server on site A, because I had asked our ISP to put the IP helper address on their router.
So routing between A and B works for 10.60.133.0 (VLAN DATA on B) and for subnet 10.39.1.0 (SVI with all the servers on site A). So I think my problem is something I have not configured well on the site B L3 switch.

Attachments: issue1.jpg, issue2.jpg

This is needed in site B.
And in site A you need to make sure the ISP has a route back to the server subnet. You can check my point in site A: only make it an L2SW, not an L3SW, and do the test again after you check the site B point I share in the photo.

I don't have control over the ISP router, but I think the return route for the ISP is known because it works. Site B is not a new office; it has been there for several years and it works. There is no server on B: mail, proxy, NAS, print server, everything is on site A.

Currently, the link on B between the ISP router and the switch is in trunk mode.

But I tried not to put anything at all (neither access nor trunk) and it didn't work any better.
I tried to put a port (on SWB L3) in access mode on VLAN 10, but it doesn't work: I don't get an IP address, and if I force the PC to a static address it doesn't work either. Plus, I can't ping anything except its gateway (10.60.133.253).
On the other hand, if I do not put any configuration on the port of the switch,
like this for example:
interface GigabitEthernet1/0/20
end

it works: I obtain an IP address from the DHCP server (in the subnet 10.60.133.0, GW: 10.60.133.254) on site B, I can access the NAS server (all the servers are in the subnet 10.39.1.0), everything works!

Currently, I created a local SVI on site B (VLAN 20), but it is not used for the moment. I would like to solve the problems one by one.
And the thing I would like to do now is to use VLAN 10 (instead of the default VLAN, VLAN 1).
Before, on the old B switch, I had configured it like this:
interface Vlan1
 ip address 10.60.133.250 255.255.255.0
ip default-gateway 10.60.133.254
There was no other VLAN and it worked.
I just wanted, on the new switch, not to use VLAN 1 but VLAN 10, by putting back on VLAN 10 the same configuration: ip address 10.60.133.253 255.255.255.0 (253 because 254 is used by the ISP router on its LAN port).

issue2.jpg

This is for an access link between the ISP and the SW.
You must note that to make this work you need to configure the port connected to the host as access VLAN 10,
and the port connected to the ISP as access VLAN 10.

issue1.jpg
For this to work:
configure the port connected to the host as access VLAN 10,
configure the port connected to the ISP as trunk.
Here the ISP port must be configured as a subinterface, otherwise the router will not accept the tagged traffic.

NOTE: one subinterface on the ISP router for each new VLAN added to the SW.

issue3.jpg

You can use an access link between the ISP and the L3SW as above.
The inter-VLAN routing will be done in the L3SW, and since you have a default route toward the ISP and in the ISP there is a static route for the return traffic, that will work.

Note: I use VLAN 1 to connect the L3SW to the ISP; this VLAN is called a transit VLAN, which means it is not used for hosts, it is used only to connect the L3SW to the ISP router.

mlund (Level 7)

Hi

You state "The link between switchs and routers are in trunk" and also "I then plugged this PC into a switch port without conf (so still on vlan 1 by default), and replace GW : 10.60.133.253 by 10.60.133.254, And it worked." 

This, for me, indicates that the trunk port is using VLAN 1 as native VLAN, meaning VLAN 1 is untagged. Now you have moved your config to VLAN 10, and if VLAN 10 is allowed on the trunk it will be tagged, and the router will drop those packets since it is unaware of VLAN 10. I would configure the trunk port towards the router with "switchport trunk native vlan 10", so traffic in VLAN 10 will then reach the router without a dot1q tag. Or, as an alternative, make the router port an access port with "switchport mode access" and "switchport access vlan 10".

/Mikael
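The native-VLAN behaviour Mikael describes, modelled as an added Python example (an editor's illustration, not code from the thread or from any Cisco device): it computes whether a host frame leaving the switch toward the ISP router is untagged, tagged, or not forwarded, and whether a router without dot1q subinterfaces accepts it. The SwitchPort and RouterLanPort classes, the case names and the "ISP subinterface for VLAN 20" case are constructed assumptions; only the VLAN numbers come from the thread.

```python
"""Editor's model of dot1q tagging on the site-B switch-to-router link.

Added illustration, not code from the thread or from any Cisco device.
Rules modelled:
  * an access port carries one VLAN and always sends it untagged;
  * a trunk sends its native VLAN untagged and every other allowed
    VLAN with an 802.1Q tag;
  * a router LAN port accepts untagged frames on its main interface and
    tagged frames only when a subinterface exists for that tag.
VLAN ids come from the thread; everything else is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class SwitchPort:
    mode: str                                  # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed_vlans: Optional[Set[int]] = None   # None = all VLANs allowed on the trunk

    def egress(self, vlan: int) -> Tuple[bool, Optional[int]]:
        """(forwarded?, tag on the wire) for a frame belonging to `vlan`;
        tag None means the frame leaves untagged."""
        if self.mode == "access":
            return (vlan == self.access_vlan, None)
        if self.allowed_vlans is not None and vlan not in self.allowed_vlans:
            return (False, None)
        if vlan == self.native_vlan:
            return (True, None)                # native VLAN: untagged
        return (True, vlan)                    # any other VLAN: tagged


@dataclass
class RouterLanPort:
    """ISP router LAN port; subinterface_tags holds the dot1q ids it understands."""
    subinterface_tags: Set[int] = field(default_factory=set)

    def accepts(self, tag: Optional[int]) -> bool:
        return tag is None or tag in self.subinterface_tags


def host_reaches_router(host_vlan: int, port: SwitchPort,
                        router: RouterLanPort) -> Tuple[bool, str]:
    """Trace one frame from a host in host_vlan across `port` to `router`."""
    forwarded, tag = port.egress(host_vlan)
    if not forwarded:
        return (False, f"switch does not forward VLAN {host_vlan} on this port")
    if not router.accepts(tag):
        return (False, f"router drops frame tagged {tag}: no subinterface for it")
    return (True, "delivered untagged" if tag is None else f"delivered tagged {tag}")


def scenarios():
    """The configurations discussed in the thread, checked one by one."""
    plain = RouterLanPort()                    # ISP router with no subinterfaces
    cases = [
        ("old: VLAN 1 host, trunk native 1",      1,  SwitchPort("trunk", native_vlan=1),   plain),
        ("new: VLAN 10 host, trunk native 1",     10, SwitchPort("trunk", native_vlan=1),   plain),
        ("fix A: trunk native vlan 10",           10, SwitchPort("trunk", native_vlan=10),  plain),
        ("fix B: access vlan 10",                 10, SwitchPort("access", access_vlan=10), plain),
        ("later: VLAN 20 host, trunk native 10",  20, SwitchPort("trunk", native_vlan=10),  plain),
        ("later: VLAN 20 + ISP subinterface .20", 20, SwitchPort("trunk", native_vlan=10),  RouterLanPort({20})),
    ]
    return {name: host_reaches_router(v, p, r) for name, v, p, r in cases}


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name:40s} {why}")
```

Run as a script, it reports that only the old VLAN 1 setup, the two fixes and the subinterface case deliver frames; the VLAN 10 host behind a native-VLAN-1 trunk fails exactly as the original post describes. Note that once ip routing is enabled on the 9200 and the ISP holds a return route, a VLAN 20 host's traffic never crosses the switch-to-router link as VLAN 20: the switch routes it into the transit VLAN first, which is why MHM's third picture needs no subinterface per VLAN.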

Ok, thanks for your responses.

When I have a maintenance window. Actually, it could be something like that. However, if today I want to use VLAN 10, in the future I also want to use VLAN 20, and then another one. So the B switch port that goes to the ISP router will not be able to continue to be in access mode?

mlund (Level 7)

Hi

MHM has pictured three scenarios that will all work. Scenario 1, using an access port on swB, will work immediately and without the need to talk to the ISP. If you later add another VLAN you have to speak to the ISP and ask them to put in a static route for the new VLAN; swB will then route between the 2 VLANs and the rest of the world.

Picture 2 that MHM has done, continuing to use a trunk, will also work immediately, but you have to specify native VLAN 10, so there is no tag towards the ISP router. If you later add a new VLAN, again talk to the ISP for a static route, and you do the routing. Or at that moment, together with the ISP, you can decide to have both VLANs tagged and let the ISP do the routing.

Picture 3 is also a viable solution, but it is required to do it with the ISP.

/Mikael

He needs at some point to have access to the ISP router to add some routing when he decides to shift from L2 to L3 SW.

abtt-39 (Level 1)

Thank you for your answers.

So if I summarize:

Solution 1:
switchport mode access
switchport access vlan 10
description Link to ISP

Solution 2:
switchport mode trunk
switchport trunk native vlan 10
description Link to ISP

And if later (with solution 1 or 2) I want to add a new VLAN, I ask my ISP to add a static route.

In this case I have to ask them to add the static route (on ISP router B)?


If, for example, I created a new VLAN on swB, like this:

 description VLAN ToIP
 ip address 10.61.133.253 255.255.255.0

on ISP router A (or B? I'm a little confused), I request the addition of a static route:

ip route 10.61.133.0 255.255.255.0 10.61.133.253 (not sure about the next hop?)

On router B:

I do not have access to the ISP router, but one of the technicians sent me the configuration of ISP B in txt files and I can see this static route:

ip route 0.0.0.0 0.0.0.0 *DEL-OBS********************************* (the next hop is censored by my provider)
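The return-route question in this last post, worked as an added Python example (an editor's illustration, not code from the thread or from any device on it): a small longest-prefix-match router with recursive next-hop resolution, loaded with a constructed routing table for ISP router B. Only 10.60.133.0/24, the router's .254 address, the switch's .253 SVI address and the new 10.61.133.0/24 subnet come from the thread; the WAN prefix 192.0.2.0/30, its next hop 192.0.2.1 and the host 10.61.133.100 are placeholders, and the functions lookup(), exit_interface() and return_path() are named here for the example. return_path() reports which interface ISP router B would use for a server reply into the new VLAN with no static route, with the static route's next hop set to the switch's address on the shared subnet, and with the next hop as written in the post.

```python
"""Editor's model of the return route on ISP router B (added illustration,
not from the thread). Longest-prefix match plus recursive next-hop
resolution, the way a router picks an exit interface.

Table entries are (prefix, next_hop, interface); next_hop None means the
prefix is directly connected. From the thread: LAN 10.60.133.0/24, ISP
router .254, L3 switch SVI .253, new VLAN 10.61.133.0/24. Constructed:
WAN prefix 192.0.2.0/30 and next hop 192.0.2.1, host 10.61.133.100.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, Optional[str], Optional[str]]


def lookup(table: List[Route], dst: str, skip=()):
    """Best (longest-prefix) route for dst, ignoring prefixes listed in skip."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if prefix in skip or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, nh, iface)
    return best


def exit_interface(table: List[Route], dst: str) -> Optional[str]:
    """Resolve dst to an exit interface. A static route's next hop is
    resolved with a fresh lookup that never reuses the route itself, so a
    next hop lying inside its own prefix falls through to the next best route."""
    skip = set()
    target = dst
    while True:
        route = lookup(table, target, skip)
        if route is None:
            return None                        # no route at all
        net, nh, iface = route
        if nh is None:
            return iface                       # connected prefix: done
        skip.add(str(net))
        target = nh


# Constructed routing table of ISP router B before any new static route.
ISP_B_BASE: List[Route] = [
    ("10.60.133.0/24", None, "LAN"),           # shared subnet with the 9200
    ("192.0.2.0/30", None, "WAN"),             # placeholder operator link
    ("0.0.0.0/0", "192.0.2.1", None),          # default toward the central site
]
NEW_VLAN = "10.61.133.0/24"                    # the VLAN 20 / "ToIP" subnet
REPLY_DST = "10.61.133.100"                    # constructed host in that subnet


def return_path(static_next_hop: Optional[str] = None) -> Optional[str]:
    """Interface ISP router B would use for a server reply to REPLY_DST,
    optionally after 'ip route 10.61.133.0 255.255.255.0 <static_next_hop>'."""
    table = list(ISP_B_BASE)
    if static_next_hop is not None:
        table.append((NEW_VLAN, static_next_hop, None))
    return exit_interface(table, REPLY_DST)


if __name__ == "__main__":
    for label, nh in [("no static route", None),
                      ("next hop = switch SVI on shared subnet", "10.60.133.253"),
                      ("next hop inside the new VLAN itself", "10.61.133.253")]:
        print(f"{label:42s} -> {return_path(nh)}")
```

In this model a next hop that lies inside the prefix the route itself covers cannot be resolved by that route, so the router falls back to its default route and the reply leaves on the WAN side instead of toward the 9200; with no static route at all the result is the same. Pointing the static route at the switch's address on the shared 10.60.133.0/24 subnet resolves through the connected route, which is the "static route toward the L3SW" MHM describes above. The lookup that decides the reply's fate is the one on the router attached to the site-B LAN, which is what the "router A or B?" question comes down to.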