Solved: Routing problems between VLANs

hepterida · ‎11-24-2011

Hello,

on Cisco Catalyst infrastructure, there has been two VLANs. One for switch communications (VLAN1). Second for client communication (VLAN10).

Every switch has an uplink in trunk mode, so everything works fine.

The problem is, when I added a new VLAN77 e.g. This VLAN was defined on VTP server (Cisco Catalyst 3750) and user on VTP client (Cisco Catalyst 2950) on dedicated ports (reserved for VLAN77 only).

Device

IOS

IP

VLAN

Cisco Catalyst 3750 (vtp server)

12.2(55)SE1-IP-BASE-CRYPTO

10.1.0.232

10.3.0.1

VLAN10

VLAN77

Cisco Catalyst 2950 (vtp client)

12.1(22)EA14-C2950-I6Q4L2-M

10.1.0.245

VLAN10

Cisco ASA 5510 (f/w)

10.1.0.252

Even if the vtp server has set the route 0.0.0.0 0.0.0.0 10.1.0.252, VLAN77 cannot reach external networks or other VLANs.

Only access from VLAN77 to VLAN10 is from device on port dedicated for VLAN77. But only to 10.1.0.232 IP address could this 10.3.0.2 device ping.

Where could be the problem?

acampbell · ‎11-24-2011

Hi,

It is also stated that there is a default route 0.0.0.0 0.0.0.0 10.1.0.252 from the 3750 to the ASA

but does the ASA have a route back to 10.3.0.0

Regards

Alex

Regards, Alex. Please rate useful posts.

View solution in original post

Amit Singh · ‎11-24-2011

Alex pointed out correctly to check if ASA as a roiyer back to Vlan 77. Also on your 2950 (VTP Client), Please could you add a command " ip default-gateway 10.1.0.232". You should be able to ping 2950 after you add that command.

Hope this helps.

Cheers,

-amit singh

View solution in original post

cadet alain · ‎11-24-2011

Hi,

the default gateway of this dvice must be the interface VLAN 77 Ip address on the 3750, is this the case?

are you sure the vlan 77 was advertised by vtp ? : sh vlan br

Can you post output on 2950 from sh int trunk and sh int x/x switchport where x/x is interface where this devices is connected.

Regards.

Alain

Don't forget to rate helpful posts.

acampbell · ‎11-24-2011

Hi,

It is also stated that there is a default route 0.0.0.0 0.0.0.0 10.1.0.252 from the 3750 to the ASA

but does the ASA have a route back to 10.3.0.0

Regards

Alex

Regards, Alex. Please rate useful posts.

hepterida · ‎11-28-2011

This is the "show vlan brief" command from 3750:

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/0/2, Gi1/0/24

2 Guest active

10 office active Gi1/0/3, Gi1/0/4, Gi1/0/5

Gi1/0/6, Gi1/0/7, Gi1/0/8

Gi1/0/9, Gi1/0/10, Gi1/0/11

Gi1/0/12, Gi1/0/13, Gi1/0/14

Gi1/0/15, Gi1/0/16, Gi1/0/17

Gi1/0/18, Gi1/0/19, Gi1/0/20

Gi1/0/21, Gi1/0/22, Gi1/0/23

77 Vodafone_FemtoCell active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

And this is trunk show of 2950:

Port Mode Encapsulation Status Native vlan

Gi0/2 on 802.1q trunking 1

Port Vlans allowed on trunk

Gi0/2 1-4094

Port Vlans allowed and active in management domain

Gi0/2 1-2,10,77

Port Vlans in spanning tree forwarding state and not pruned

Gi0/2 1-2,10,77

2950: And sh int Gi0/2 switchport - uplink:

Name: Gi0/2

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

2950: And show switchport on dedicated port for VLAN77:

Name: Fa0/23

Switchport: Enabled

Administrative Mode: static access

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: Off

Access Mode VLAN: 77 (Vodafone_FemtoCell)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

Amit Singh · ‎11-24-2011

Alex pointed out correctly to check if ASA as a roiyer back to Vlan 77. Also on your 2950 (VTP Client), Please could you add a command " ip default-gateway 10.1.0.232". You should be able to ping 2950 after you add that command.

Hope this helps.

Cheers,

-amit singh

hepterida · ‎11-28-2011

Hi Amit,

thank you for your tip. I added "ip default-gateway" command, and now I can ping 10.1.x.x and 10.3.x.x networks from 2950 device.

Now, I cannot ping from device connected to 2950 port to other IPs than 2950's IP and 10.1.0.232 IP.

Thotsaphon Lueangwattanaphong · ‎11-28-2011

Hello,

Make sure that you have VLAN77 in VLAN database on C2950.

Make sure that you correctly assign VLAN77 to access port on C2950

Make sure that you have vlan interface 77 on C3750.

Make sure that you turn on "ip routing" on C3750.

Make sure that you correctly configure a gateway on hosts in VLAN77

HTH,

Toshi

hepterida · ‎11-28-2011

hepterida · ‎11-28-2011

For better understanding

Thotsaphon Lueangwattanaphong · ‎11-28-2011

Hello,

What's the cloud in your picture?

Toshi

hepterida · ‎11-28-2011

All clouds are is one (the same) internal LAN.

JohnTylerPearce · ‎11-28-2011

Can you ping the default gateway for VLAN 77 from VLAN 77? If so, since there is a default route going to the ASA, can you verify that there is a route back to VLAN 77 from the ASA? You should see something like...

route inside 10.3.0.0 255.255.255.0

hepterida · ‎11-28-2011

You, acampbell and Amit were right. An ASA routing has been forgotten :-)

Now I can ping all devices and ASA from VLAN77. Thank you all!