cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5267
Views
0
Helpful
22
Replies

Problem routing traffic to second network

bharvey
Level 1
Level 1

I have a Cisco 3925 and Cisco 2960S directly connected by to physical gigabit interfaces, One interface (Data) is working as expected, the other (Guest) is seen as a CDP Neighbor, I can ping it, but I cannot get the 2960 to pass traffic over it. The encapsulation on all interfaces is ARPA. I have set the default gateway to the working interface and added static route to the non-working interface, traceroute to the second non-working interface route through the working interface.

1 Accepted Solution

Accepted Solutions

It would be good to work this in the lab before you change production. How well it will work turns out to be an interesting question. Certainly you can configure two vlans on the switch and you can configure subinterfaces for the vlans on the router. But with one physical connection you will configure one switch port as a trunk and there will be vlan tags on the frames forwarded to the router. You can certainly make this work and what you learn in doing that may lead you to the solution of your production problem. But since the test environment does not directly reflect production it does complicate things a bit.

 

One thing to consider is a theory about the original problem. It is quite possible that when you configured routing for the subnet of guest vlan on the switch that it was sending traffic from the guest vlan over the data interface and that the router would attempt to send responses on the guest access interface, which did not work for some reason.

 

It is certainly worth trying it in the lab. Let us know what progress you make.

 

HTH

 

Rick 

HTH

Rick

View solution in original post

22 Replies 22

Mark Malone
VIP Alumni
VIP Alumni
Hi
can you provide the relevant config port configs and ip routes in place etc so we can take a look ,just leave out anything sensitive

Mark,

Thanks for the quick reply. Do to the Layer 8 issues (politics), I have no access to the router or it's configuration. I have posted what I was able to get from my WAN team on the 3925.

 

2960 interfaces

interface GigabitEthernet1/0/48 ** Working
description Data
switchport access vlan 2

 

 

interface GigabitEthernet1/0/46 ** Not Working
description Guest
switchport access vlan 4

 

3925 interfaces

GigabitEthernet0/0 is up, line protocol is up ** Working
Hardware is EHWIC-1GE-SFP-CU, 
Description: Routed Data
Internet address is 10.130.17.254/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA

 

GigabitEthernet0/2/0 is up, line protocol is up ** Not Working
Hardware is EHWIC-1GE-SFP-CU, 
Description: Routed Guest
Internet address is 10.199.53.254/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA

 

ip default-gateway 10.130.17.254
ip http server
ip http secure-server
I added these static routes after data network was passing traffic.
ip route 0.0.0.0 0.0.0.0 10.130.17.254
ip route 10.128.128.0 255.255.255.0 10.199.53.254 ***DNS for Guest 
ip route 10.199.53.0 255.255.255.0 10.199.53.254 
ip route XX.154.12.0 255.255.255.0 10.199.53.254 ***DNS for Meraki AP's

 

Is the 2960 operating as a layer 2 switch or as a layer 3 switch (is ip routing enabled)? You have the vlans defined on the 2960 but do you have vlan interfaces configured for these vlans (layer 3 interfaces for these subnets)? If vlan 4 is not working can you tell us what is the default gateway used by devices connected in vlan 4?

 

Would you post the output of the commands on the 2960

show ip route

show interface status

 

This static route is problematic

ip route 10.199.53.0 255.255.255.0 10.199.53.254 

If 10.199.53 is recognized as a connected subnet (if you have a vlan interface in this subnet) then the 10.199.53.0/24 is already in the routing table and you do not need the static route. If it is not recognized as a connected subnet then you have no path to the next hop of 10.199.53.254 and it would be forwarded through the default route to the data vlan, which is not what the static route appears to be attempting to do.

 

HTH

 

Rick

 

HTH

Rick

 I was attempting to keep the switch layer 2 but that was no working so I enabled IP Routing.

 

show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

 

SW01#show int status

Port Name Status Vlan Duplex Speed Type
Gi1/0/1 connected 2 a-full a-1000 10/100/1000Ba  **interfaces 1-40 are the same as 1
Gi1/0/41 To Mitel notconnect 3 auto auto 10/100/1000Ba
Gi1/0/42 FLH3-SW01 trunk connected trunk a-full a-100 10/100/1000Ba
Gi1/0/44 CBS-SW03 trunk connected trunk a-full a-1000 10/100/1000Ba
Gi1/0/45 CBS-SW02 trunk connected trunk a-full a-1000 10/100/1000Ba
Gi1/0/46 Guestnet connected 4 a-full a-1000 10/100/1000Ba
Gi1/0/47 Voice notconnect 3 auto auto 10/100/1000Ba

Port Name Status Vlan Duplex Speed Type
Gi1/0/48 Data connected 2 a-full a-1000 10/100/1000Ba
Te1/0/1 notconnect 1 full 10G Not Present
Te1/0/2 notconnect 1 full 10G Not Present
Fa0 disabled routed auto auto 10/100BaseTX

 

Gateway of last resort is 10.130.17.254 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.130.17.254
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.130.17.0/24 is directly connected, Vlan2
L 10.130.17.253/32 is directly connected, Vlan2

 

Thanks for the additional information and especially for the config. I notice several things:

- your config says that Gig1/0/1 is in vlan 2. But the show vlan info says it is in vlan 4

4    Guestnet                         active    Gi1/0/1, Gi1/0/46

which should I believe?

- there is output from a show command about Gig0/2/0. But there is not anything in the posted config about it

GigabitEthernet0/2/0 is up, line protocol is up
  Hardware is EHWIC-1GE-SFP-CU, address is 4403.a73b.9a09 (bia 4403.a73b.9a09)
  Description: Routed Guest
  Internet address is 10.199.53.254/24

 

and that subnet does not show up in your show ip route. And that makes several of your static routes problematic.

- I notice that you have access ports in both vlan 2 and vlan 4 (Gig1/0/46 and 1/0/48) connected to the router. This suggests that the intention was for the gateway for hosts in those vlans to be the router.

- there is not a vlan interface for either vlan 2 or 4 on the 2960. So the switch is not routing for either of those vlans.

 

If hosts in vlan 2 are working then it suggests that those hosts are using the address of the router interface as their gateway. If vlan 4 is not working then it suggests that whatever they are using as their gateway is not the address of the router interface. You need to check with the administrator of the router about how the router interface connected to Gig1/0/46 (Gig0/2/0 according to CDP) is configured.

 

HTH

 

Rick 

HTH

Rick

Sorry for the confusion, the 2960 config posted is a month old, I have only added and written the static routes since that time, I configured gig 1/0/1 for access to VLAN 4 for testing, it will be in vlan 2.

The output from Gig 0/2/0 is what I was given from my WAN team when I requested the interface config.
GigabitEthernet0/2/0 is up, line protocol is up
Hardware is EHWIC-1GE-SFP-CU, address is 4403.a73b.9a09 (bia 4403.a73b.9a09)
Description: Routed Guestnet for DCFS CBS
Internet address is 10.199.53.254/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA


access ports in both vlan 2 and vlan 4 (Gig1/0/46 and 1/0/48) connected to the router. When I trunked them they defaulted to encap dot.1q,which did not pass traffic.


there is not a vlan interface for either vlan 2 or 4 on the 2960. So the switch is not routing for either of those vlans. I have configured vlan interfaces addressed with 10.130.17.253 (vlan2) and 10.199.53.253 (vlan 4) and neither passed traffic. I have deleted that config.txt and reconfigured to where I am now.


If vlan 4 is not working then it suggests that whatever they are using as their gateway is not the address of the router interface.
show CDP Neigh De;
-------------------------
Device ID: Router
Entry address(es):
IP address: 10.199.53.254
Platform: Cisco CISCO3925-CHASSIS, Capabilities: Router Switch IGMP
Interface: GigabitEthernet1/0/46, Port ID (outgoing port): GigabitEthernet0/2/0
Holdtime : 163 sec

Version :
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 21:28 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Duplex: full
Power Available TLV:

Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es):

-------------------------
Device ID: Router
Entry address(es):
IP address: 10.130.17.254
Platform: Cisco CISCO3925-CHASSIS, Capabilities: Router Switch IGMP
Interface: GigabitEthernet1/0/48, Port ID (outgoing port): GigabitEthernet0/0
Holdtime : 131 sec

Version :
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 21:28 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Duplex: full
Power Available TLV:

Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es):

how the router interface connected to Gig1/0/46 (Gig0/2/0 according to CDP) is configured. I have done so several times, the output from show interface is all they will provide.

Thanks for the additional information. First let me say that using a config that is a month old and which has been modified during that time is not a good basis for asking for help. We can only respond based on the information that we have received and if that information is not accurate then our advice is flawed.

 

Second let me suggest that we need to clarify how you want this to work. At present it is a mix and that complicates efforts to get it to work. Clearly the original intent was that this switch would operate as a layer 2 switch forwarding traffic from connected devices to the router which would act as the gateway and do the routing for all the subnets. When there were issues in getting that to work you changed and began to implement logic for the switch to be layer 3 and to do the routing for the subnets. (note that these changes should have had corresponding changes on the router - but I assume that did not happen). When you can tell us which approach you want to use then we can work on getting that to work. (note that answering this question will require some coordination and agreement from the folk who are responsible for the router)

 

HTH

 

Rick

HTH

Rick

I have sanitized and attached the current 2960 config. So the end result I am trying to achieve is to get VLAN 4(Guest) to pass traffic for 2 Meraki MR42 Wireless Access Points and 4 computers.At this point I no longer care if this is completed at Layer 2 or 3. As I see it all traffic is routing through the data network

SW01#traceroute 10.199.53.254
Type escape sequence to abort.
Tracing the route to 10.199.53.254
VRF info: (vrf in name/id, vrf out name/id)
1 10.130.17.254 !A !A *

The WAP cannot ping/reach it's Default Gateway 10.199.253.254 or supplied DNS XX.154.12.24 & 25 
SW01#

Meraki MR42.png

I will attempt to get the routers config again 

Hello,

 

with the configuration you have posted, your Vlan 4 interface needs an IP address (which is the default gateway for all clients on Vlan 4).

 

Also, remove the line:

 

ip default-gateway 10.130.17.254

 

from your configuration.

Thank you for the additional information and especially for a current config from the 2960. This will give us something more reliable to work from. I will say again that before we spend much time trying to figure out how to make it work we need you to make a decision about how you want it to work. If you decide that you want the 2960 to operate in L3 routing mode then here are the essentials of what we would need:

1) a vlan 2 interface on the switch defining the subnet for vlan 2 (which you already have)

2) a vlan 4 interface on the switch defining the subnet for vlan 4 (which you do not have)

3) hosts in vlan 2 and 4 are configured to use the switch vlan address as their vlan gateway.(which is probably a change from what you have)

4) a routed link between the 2960 and the router (which you do not really have - right now you are routing over the vlan 2 interface but you do not want to route to the router over a vlan where you have hosts connected)

5) routing logic on the switch that forwards traffic for non-local destinations over the routed link to the router (essentialy it is a static default route)

6) the router no longer has an interface for vlan 2

7) the router no longer has an interface for vlan 4

8) the router has routing logic to forward traffic for the subnets of vlan 2 and 4 over the routed link to the switch.

 

You can see what things are changes on the 2960 that you will need to make and can see what things are changes that will need to be made on the router. If you want to go in this direction it is quite possible and here is the scope of the changes required. If this is more complicated than you want to do then we go back to the 2960 without ip routing, figure out what you want to do for a management interface on the 2960, and figure out why vlan 4 is not working. Once you tell us how you want it to work then we can help you get that accomplished. Until you tell us that I believe that we are just spinning our wheels.

 

HTH

 

Rick

HTH

Rick

I really appreciate your assistance with this problem. I believe I should revert to Layer 2 switching. This would also allow me to utilize the Layer 2 switches purchased to complete this and other network upgrades. The only reason I enabled layer 3 switching was on advise from our WAN team, who has now left me hanging.

Problems I see with layer 3 switching

3) hosts in vlan 2 and 4 are configured to use the switch vlan address as their vlan gateway.

The host on our entire (WAN) network use the local router interface as the default gateway, changing this would confuse everyone I work with.

You can see what things are changes on the 2960 that you will need to make and can see what things are changes that will need to be made on the router.

I can guarantee the WAN team will make no changes to the router configuration for any reason.

I agree that it is best to go back to the approach based on layer 2 switching, especially if you can guarantee that the router administrators will make no changes on the router. I wonder why they suggested that you enable routing if they were not prepared to make some changes on the router to match the changes that you were making. But at this point it may not be productive to explore that question.

 

I suggest that you remove the changes that you made to implement routing. When you are back to a config implementing the layer 2 switching check to see what is working and what is not working (perhaps as things have shifted around the guest vlan/subnet might have started to work?).Assuming that one or both vlan/subnet are not working then gather these outputs from your switch and post them:

show ip interface brief

show interface status

show interface trunk

show vlan

show cdp neighbor

 

Hopefully that will give us enough information to figure out the issues. At some point we may want to review the entire config. But for now I hope these outputs will be enough.

 

A minor issue to consider is about management access for the switch. For you to be able to access the switch remotely there needs to be an IP address on the switch. In the original config you accomplished that by having the interface vlan 2 with an IP address, and by having configure the ip default-gateway command. Depending on where you will use to access the switch that approach probably works fine. If not we can consider this after the guest access is worked out.

 

HTH

 

Rick

HTH

Rick

Thanks once again for your advise. I will move the management IP address to interface VLAN 1, to match the other 4 switches. I will have to use the current address as this is a remote site.

 

Since this is a production network I have decided I am going to attempt lab this out (which I should have done in the first place). As I have been out of the switch/route game for a few years I have a question. The router I have has only 1 Gig Hwic card I was thinking of using a sub-interface for the data or guest VLAN. Am I correct in thinking this should work? 

It would be good to work this in the lab before you change production. How well it will work turns out to be an interesting question. Certainly you can configure two vlans on the switch and you can configure subinterfaces for the vlans on the router. But with one physical connection you will configure one switch port as a trunk and there will be vlan tags on the frames forwarded to the router. You can certainly make this work and what you learn in doing that may lead you to the solution of your production problem. But since the test environment does not directly reflect production it does complicate things a bit.

 

One thing to consider is a theory about the original problem. It is quite possible that when you configured routing for the subnet of guest vlan on the switch that it was sending traffic from the guest vlan over the data interface and that the router would attempt to send responses on the guest access interface, which did not work for some reason.

 

It is certainly worth trying it in the lab. Let us know what progress you make.

 

HTH

 

Rick 

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco