Problem Trunking Between Router and Switches

iftam0001 · ‎07-15-2015

I am experiencing some really odd behavior when I add another VLAN to the switch, and I am hoping someone can tell me if I am doing anything wrong or what may cause this problem. Here's the topology on how the router and switches connected and everything is on VLAN 1.

Router - Cisco 1921

Switch A - Cisco 3560-24PS

Switch B - Cisco 3560-24PS

Switch A port configuration and show output:

The router is connected to int fa0/1 of switch A.

interface FastEthernet0/1

description Router

switchport trunk encapsulation dot1q

switchport mode trunk

Switch A is connected to Switch B via interface gi0/1.

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

Switch A#sh int gi0/1 trunk

Port Mode Encapsulation Status Native vlan

Gi0/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Gi0/1 1-4094

Port Vlans allowed and active in management domain

Gi0/1 1,10

Port Vlans in spanning tree forwarding state and not pruned

Gi0/1 1,10

Switch A#sh vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7

Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17

Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22

Fa0/23, Gi0/2

10 Guest_Wireless active

SwitchA#sh int status

Port Name Status Vlan Duplex Speed Type

Fa0/1 Router connected trunk a-full a-100 10/100BaseTX

Gi0/1 connected trunk a-full a-1000 1000BaseSX SFP

Switch B port configuration and show output:

Switch B is connected to Switch A via interface gi0/1.

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

VLAN configurations:

interface Vlan1

ip address 10.1.1.10 255.255.255.0

interface Vlan10

ip address 10.2.1.10 255.255.255.0

Switch B#sh int gi0/1 trunk

Port Mode Encapsulation Status Native vlan

Gi0/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Gi0/1 1-4094

Port Vlans allowed and active in management domain

Gi0/1 1,10

Port Vlans in spanning tree forwarding state and not pruned

Gi0/1 1,10

Switch B#sh vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6

Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11

Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21

Gi0/2

10 Guest_Wireless active

Port configuration of ASA on VLAN 10:

interface FastEthernet0/23

description ASA

switchport trunk encapsulation dot1q

switchport mode trunk

mls qos trust cos

macro description cisco-router

spanning-tree portfast trunk

spanning-tree bpduguard enable

SwitchB#sh int fa0/23 trunk

Port Mode Encapsulation Status Native vlan

Fa0/23 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/23 1-4094

Port Vlans allowed and active in management domain

Fa0/23 1,10

Port Vlans in spanning tree forwarding state and not pruned

Fa0/23 1,10

SwitchB#sh int status

Port Name Status Vlan Duplex Speed Type

Fa0/23 ASA connected trunk a-full a-100 10/100BaseTX

Gi0/1 connected trunk a-full a-1000 1000BaseSX SFP

From switch B:

I can ping vlan 10 IP of 10.2.1.10 and the ASA 10.2.1.254

From switch A:

I can ping vlan 10 IP of 10.2.1.10 but cannot ping the ASA IP 10.2.1.254

From router:

I cannot ping vlan 10 IP of 10.2.1.10 and the ASA IP 10.2.1.254

I don't understand why I cannot ping VLAN 10 from the router even though I trunked the port, and definitely don't know why I can ping VLAN gateway IP but not the device on VLAN 10. I even move the interface VLAN configuration from switch A to switch B, but still getting the same results. Any help regarding this issue will be greatly appreciated.

Tony Daniels · ‎07-15-2015

Your setup is a bit confusing. You first show a router and two switches, then you have an ASA listed.

Then the ASA has a port of F0/23 which is unusual.

iftam0001 · ‎07-15-2015

The ASA is in VLAN 10, it's just another device on VLAN 10 besides the gateway. The ASA is connected to port fa0/23 in switch B.

Sorry about the confusing setup, like it or not, I inherited this setup and can't change it at the moment.

Tony Daniels · ‎07-15-2015

If I am understanding your topology correctly, you will not be able to ping from the router because your attempting to ping vlan 10, but the router only knows about vlan 1. This won't work.

When you introduce two vlans to the switches, then the router needs to understand this also. This is where subinterfaces come into play.

Router Setup: (Assuming Router is connected to switch using F0/1)

Vlan 1:

interface FastEthernet0/1.1

ip address (vlan 1 IP address)

encapsulation dot1q 1 native

interface FastEthernet0/1.10

ip address (vlan 10 IP address)

encapsulation dot1q 10

Now the router can participate in the vlan config. You would remove the IP address from the F0/1 interface and move it to the sub-interface.

Make sense?

This is called "router on a stick" configuration. Here is a link to help explain:

http://www.orbit-computer-solutions.com/How-to-Configure-Router-on-a-Stick-InterVLAN-Routing.php