Solved: Simple VLAN Routing?

Rory Hamaker · ‎10-01-2011

Hello all, I am probably the only person workin on a Saturday so I am afraid that I wont hear back until Monday but I am going ahead anyway. I have a Cisco 3560G that I am trying to setup to route multiple VLAN's. The setup is this, port g0/1 goes back to a Macintosh DHCP server that is handing out addresses. It is on the 192.168.1.x network, and is configured to give addressed for 192.168.1.x and 192.168.2.x. The switch has 6 VLAN's configured with the default VLAN being disabled. Right now I am only working with VLAN 2 and 6, 2 is the VLAN my workstations will be on and will have addresses in the 192.168.2.x subnet, and 6 is the server VLAN using the 192.168.1.x subnet. VLAN 2 has an ip of 192.168.2.1 and 6 has an ip of 192.168.1.254. THe DHCP server is configured to use the switch as a router, so the 192.168.1.x range uses router 192.168.1.254 and similarly with the .2.x. If I assign a computer to VLAN 6 it gets an address no problem, but VLAN 2 does not issue them and as i have been monkey-ing with this all morning, I am exhausted as to what to do. My switch config is below, any help would be appreciated.

2097_Dev_3560# sh run
Building configuration...

Current configuration : 12758 bytes
!
! Last configuration change at 00:44:58 UTC Mon Mar 1 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2097_Dev_3560
!
boot-start-marker
boot-end-marker
!
!
logging console emergencies
no aaa new-model
system mtu routing 1500
ip routing
--More--         ip domain-name develop.ds.amrdec.army.mil
!
!
!
!
!
crypto pki trustpoint TP-self-signed-107389056
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-107389056
revocation-check none
rsakeypair TP-self-signed-107389056
!
!
crypto pki certificate chain TP-self-signed-107389056
certificate self-signed 01
30820260 308201C9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303733 38393035 36301E17 0D393330 33303130 30303331
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3130 37333839
30353630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BF2AF9D2 7E088539 EE934AED C2856E52 7928AB84 CE902458 B736428A B657B98D
1F340E71 4E0C8AD2 7C9CF736 823A899D A5497047 46C4536B 856BBA2C 04E63681
2A54DBA6 EB33BCA3 F9334BC9 9DCB1451 D5802155 88B56C77 53029AD7 2A344503
--More--           D6CECDA3 D2395DFB 08B4BF95 1239CD76 A72C7471 4F36A86E 86FBCDB0 68DA757D
02030100 01A38189 30818630 0F060355 1D130101 FF040530 030101FF 30330603
551D1104 2C302A82 28323039 375F4465 765F3335 36302E64 6576656C 6F702E64
732E616D 72646563 2E61726D 792E6D69 6C301F06 03551D23 04183016 801449F6
DB77116A 75513044 D160F250 7E7D08B1 DCD6301D 0603551D 0E041604 1449F6DB
77116A75 513044D1 60F2507E 7D08B1DC D6300D06 092A8648 86F70D01 01040500
03818100 288247EF 2C5FC860 6B3D797F E1CEF22A 02FF0B32 C0D93219 FED34060
CB9B9840 F3224E85 D1F5B9E7 EC27A10F D3A7BE65 336F8F8C 66420E69 345B08BC
13F2C6C4 FC26A7A2 275D521C 86956F65 551419E5 2AE30DAE B44F4816 A6C2F4B5
7A9881FE D3E0A671 E311742C C173F4E6 177B6022 9486629E EE7BFFF9 079BF622 9CF3E9DE
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
--More--         !
!
interface GigabitEthernet0/1
switchport access vlan 6
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport access vlan 2
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
--More--          spanning-tree portfast
!
interface GigabitEthernet0/4
switchport access vlan 2
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/5
switchport access vlan 2
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/6
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
--More--         !
interface GigabitEthernet0/7
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/8
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/9
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/10
switchport mode access
--More--          switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/11
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/12
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/13
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
--More--          spanning-tree portfast
!
interface GigabitEthernet0/14
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/15
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/16
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/17
--More--          switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/18
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/19
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/20
switchport mode access
switchport port-security maximum 255
switchport port-security
--More--          switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/21
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/22
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/23
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
--More--         interface GigabitEthernet0/24
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/25
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/26
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/27
switchport mode access
switchport port-security maximum 255
--More--          switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/28
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/29
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/30
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
--More--         !
interface GigabitEthernet0/31
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/32
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/33
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/34
switchport mode access
--More--          switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/35
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/36
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/37
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
--More--          spanning-tree portfast
!
interface GigabitEthernet0/38
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/39
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/40
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/41
--More--          switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/42
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/43
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/44
switchport mode access
switchport port-security maximum 255
switchport port-security
--More--          switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/45
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/46
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/47
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
--More--         interface GigabitEthernet0/48
switchport mode access
switchport port-security maximum 255
switchport port-security
switchport port-security violation protect
spanning-tree portfast
!
interface GigabitEthernet0/49
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
!
interface GigabitEthernet0/50
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
!
interface GigabitEthernet0/51
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
!
interface GigabitEthernet0/52
switchport trunk encapsulation dot1q
--More--          switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.1.254
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip helper-address 192.168.1.254
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip helper-address 192.168.1.254
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip helper-address 192.168.1.254
!
interface Vlan6
ip address 192.168.1.254 255.255.255.0
--More--          ip helper-address 192.168.1.6
ip helper-address 192.168.1.8
!
ip default-gateway 192.168.1.254
ip http server
no ip http secure-server
!
!
!
ip access-list extended VTYACL
permit ip host 192.168.1.6 any
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 1 permit 192.168.1.6
!
!
!
line con 0
logging synchronous
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
--More--          transport input ssh
!
end

2097_Dev_3560#

Alexander Maroukian · ‎10-03-2011

Hi Rory,

In your config you have used "ip default-gateway 192.168.1.254". You should not use this command when you are using "ip routing". You can use "ip route 0.0.0.0 0.0.0.0 ".

Where do you apply the ACLs in the end of the config?

Best regards,

Alex

View solution in original post

Peter Paluch · ‎10-03-2011

Hi Rory,

The routing table of your 3560 looks just fine.

At this point, I am strongly considering the DHCP server to be wrongly configured, as it should be capable of talking to any network on your switch perfectly.

If you connected a normal PC in place of the DHCP server, configured it with the same IP address as the DHCP server and used the default route via 192.168.1.254, would the PC be capable of pinging both 192.168.1.254 and 192.168.2.1?

Best regards,

Peter

View solution in original post

Peter Paluch · ‎10-01-2011

Hi Rory,

You may be the only one working on Saturdays, but we all here are having our relax by responding at CSC

The first thing I recommend correcting is the ip helper-address on your VLAN interfaces. It is pointing towards an incorrect address: it should always point towards the IP address of the DHCP server - and moreover, in your case, it should not be applied to interface Vlan6 because the stations in that VLAN can already speak to DHCP server directly.

Therefore, be sure to remove the ip helper-address command from all your SVI interfaces, and reapply it on all SVIs except for interface VLAN6, using the same IP address each time - the IP address of your DHCP server.

Give it a try!

Best regards,

Peter

Rory Hamaker · ‎10-01-2011

Thank you so much for the weekend reply Peter. Here is a snippet from the mods that I made to the switch, after changing the ip helpers it still is not giving IP's to VLAN 2.

interface Vlan1

no ip address

shutdown

!

interface Vlan2

ip address 192.168.2.1 255.255.255.0

ip helper-address 192.168.1.6

!

interface Vlan3

ip address 192.168.3.1 255.255.255.0

ip helper-address 192.168.1.6

!

interface Vlan4

ip address 192.168.4.1 255.255.255.0

ip helper-address 192.168.1.6

!

interface Vlan5

ip address 192.168.5.1 255.255.255.0

ip helper-address 192.168.1.6

!

interface Vlan6

ip address 192.168.1.254 255.255.255.0

!

ip default-gateway 192.168.1.254

ip http server

no ip http secure-server

!

ip access-list extended VTYACL

permit ip host 192.168.1.6 any

permit ip 192.168.1.0 0.0.0.255 any

!

access-list 1 permit 192.168.1.6

!

line con 0

logging synchronous

line vty 0 4

login local

transport input ssh

line vty 5 15

login local

transport input ssh

!

end

Peter Paluch · ‎10-01-2011

Rory,

These changes are correct. Please verify whether you are able to ping the 192.168.1.6 from the switch, and ideally, whether it can be pinged using the source IP borrowed from the interface Vlan2:

ping 192.168.1.6 source vlan6

In addition please verify whether the machine with the DHCP server is using the IP address 192.168.1.254 as its default gateway. You should also remove the ip default-gateway command from your configuration - that command is effective only if the IP routing is deactivated on your switch - but currently, the IP routing is active and this command is merely confusing and superfluous.

Let me know about the results. Thanks!

Best regards,

Peter

wilrow113 · ‎10-01-2011

The ip helper on vlan 2 is pointing at the switch and not the dhcp server

Hope this helps

Sent from Cisco Technical Support iPad App

Rory Hamaker · ‎10-01-2011

OK i received the following when pinging from "source vlan 2" - "invalid source interface. - Ip not enabled or source interface is down." I get 100% success when pinging from VLAN 6, i also removed the default-gateway to no avail.

Peter Paluch · ‎10-01-2011

Hello Rory,

This all is fine. The inability to ping the DHCP server from VLAN2 suggests that most probably, either the VLAN 2 is not created, or there is no physical interface currently up/up that is assigned to VLAN2.

Verify the existence of the VLAN2 using the show vlan brief command. If the VLAN2 is missing, add it in the global configuration using the following commands:

vlan 2

exit

Then, verify whether there are any active ports in it using the show vlan id 2 command. Lastly, use the show interface vlan 2 command to check whether the interface is reported as "up, line protocol up".

Best regards,

Peter

Rory Hamaker · ‎10-01-2011

Alright so more useful info i hope, and in trying not to mess up my report back, here are the results of that. It shows VLAN 2 as up line protocol down. Also note that for this test i am really only using ports g0/1 (to dhcp) and port g0/2 to client.

2097_Dev_3560#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/6, Gi0/7, Gi0/8, Gi0/9
                                                Gi0/10, Gi0/11, Gi0/12, Gi0/13
                                                Gi0/14, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/18, Gi0/19, Gi0/20, Gi0/21
                                                Gi0/22, Gi0/23, Gi0/24, Gi0/25
                                                Gi0/26, Gi0/27, Gi0/28, Gi0/29
                                                Gi0/30, Gi0/31, Gi0/32, Gi0/33
                                                Gi0/34, Gi0/35, Gi0/36, Gi0/37
                                                Gi0/38, Gi0/39, Gi0/40, Gi0/41
                                                Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                Gi0/46, Gi0/47, Gi0/48, Gi0/49
                                                Gi0/50, Gi0/51, Gi0/52
2    Development                      active    Gi0/2, Gi0/3, Gi0/4, Gi0/5
3    TestTeam                         active
4    Database                         active
5    Exercise                         active
6    VLAN0006                         active    Gi0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
2097_Dev_3560#sh int vlan 2
Vlan2 is up, line protocol is down
Hardware is EtherSVI, address is 2037.0666.a0c1 (bia 2037.0666.a0c1)
Internet address is 192.168.2.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:44:48, output 00:49:42, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     178 packets input, 33488 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     3 packets output, 192 bytes, 0 underruns
     0 output errors, 3 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
2097_Dev_3560#

Peter Paluch · ‎10-01-2011

Hello Rory,

Thank you, I believe we are moving forward. The up/line proto down state of the interface Vlan2 suggests that currently, there is no port in VLAN2 that is up/up and forwarding in STP.

What does the show vlan id 2 say?

Also, do you physically have a client connected to the Gi0/2? If so, can you please post the output of the show interface gi0/2 switchport command?

Best regards,

Peter

Rory Hamaker · ‎10-01-2011

OK Peter, here is what i get from thos commands. Also, you are correct, i didnt have my laptop plugged into the port when i did the sh int vlan 2 command last time. I am having to traverse from my desk to the lab with this computer so i can get information and bring it back to you. oops... : )

2097_Dev_3560#show vlan id 2

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
2 Development active Gi0/2, Gi0/3, Gi0/4, Gi0/5

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2 enet 100002 1500 - - - - - 0 0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

2097_Dev_3560#show int g0/2 swi
2097_Dev_3560#show int g0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 2 (Development)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Peter Paluch · ‎10-01-2011

Rory,

You have to have a PC plugged into Gi0/2, otherwise the interface Vlan2 will be down (because the switch can not claim that it is connected to VLAN2 when there is no port in VLAN2 that is actually alive and capable of forwarding data). Actually, I believe you want to perform these experiments with a PC connected to Gi0/2, otherwise it is hard to know if the DHCP really works.

Best regards,

Peter

Rory Hamaker · ‎10-01-2011

Gotcha, i have brought a different computer in and plugged it into g0/2 for testing, however the last set of results i gave you there was a machine on that VLAN that is still null an IP address.

Peter Paluch · ‎10-01-2011

Rory,

Alright, but if the machine is plugged into the Gi0/2, does the ping command work as I suggested earlier?

Best regards,

Peter

Rory Hamaker · ‎10-01-2011

Nope, it chugged along for a minute then came back with success rate 0%

Peter Paluch · ‎10-01-2011

Rory,

So let me summarize the ping behavior:

If you issue simply ping 192.168.1.6 then it works. If you issue ping 192.168.1.6 source vlan 2 then the pings are unsuccessful. Is that correct? Please tell me if the switch still gives out any error messages besides no responses to pinging. You may also try pingin 192.168.1.254 and 192.168.2.1 from the DHCP server.

You should verify the default gateway setting on the 192.168.1.6 machine (the DHCP server) - it should use 192.168.1.254 as its default gateway. Also verify if there is any firewall in place, and if so, disable it temporarily.

Best regards,

Peter