Transit vlan to router from layer 3 switch

Bobby P
Level 1

I can use some assistance with this since I've not created anything like this before. I have 5 switches: 1 Cisco Catalyst 9300 and 4 Meraki MS225-48FPs. The Merakis are our LAN switches and are on 4 different floors. In the attached image, B2SW01 is on the 6th floor with a fiber run to B2SW04, which is on the 1st floor. Switches B2SW02 & B2SW03 are on the 2nd and 3rd floors and connect to B2SW04. From B2SW04 we are connected to our internet router.

The Cisco 9300 switch is on the 6th floor with a connection to B2SW01. It is at the top of a new server rack supporting UCS-Mini. We want to implement vlans for our network and have been advised that the Cisco switch would be the best solution. It is suggested that we create a static route on the 9300 to the router and the vlans would use that for connecting to the internet.

The question I have is can we do that when we don't have a direct connection between the 9300 and the router? Is it as simple as creating the transit vlan and then tagging the port on B2SW04 that is connected to the router to only allow traffic from the transit vlan?

We are trying to avoid a new run from the 6th floor to the 1st floor for now.  Our 2019 plans will be to move the router and internet connection to the 6th floor and also add redundant connection between the meraki switches.   Thanks in advance for suggestions and assistance.

21 Replies

Thanks for posting the config. I believe that this will be helpful. The main thing that I notice in the config is the static default route which specifies the outbound interface but not the next hop. I suggest that you change the static default route so that it specifies the IP address of the router as the next hop. I do not see any other obvious issues in the config and do have these questions:

- when you connected your PC on Meraki did it receive an IP address via DHCP?

+  if so what IP address, what mask, and what default gateway did it get?

+  what is handling DHCP for your network? Are you confident that it is set up correctly?

- when you connected your PC on Meraki what vlan was it in?

- when you connected your PC on Meraki what address were you attempting to ping?

- when you attempted to ping and immediately showed the content of the arp table (perhaps arp -a depending on the OS of your PC) do you see an entry in the arp table of your PC?

- the above questions when you connected your PC on the 9300

- would you post the output of the command show cdp neighbor

- would you post the output of the command show ip interface brief

- would you post the output of the command show interface trunk

- would you post the output of the command show arp

- how did you configure the connection between the Meraki and the router on the Meraki? Is it an access port or a trunk?

- how did you configure the connection between the router and the Meraki on the router? Is it a standard interface or a vlan sub-interface?

- would you post the output of the command show ip interface brief on the router

- would you post the output of the command show ip route on the router

HTH

Rick

In response to your questions:

when you connected your PC on Meraki did it receive an IP address via DHCP? Currently PCs on the network have static IP assignments. DHCP is where we want to get to.

+ if so what IP address, what mask, and what default gateway did it get? The IP address on my PC is 172.17.5.141, 255.255.255.0. GW is 172.17.5.250. Because of the gateway address I set up a laptop connected to the 9300 with the address 172.17.3.124, 255.255.255.0, gateway 172.17.3.1.

It's a long story on why we have 172.17.5.250 setup as a gateway on our current network configuration.

what is handling DHCP for your network? Are you confident that it is set up correctly? - No DHCP set up right now. Not sure yet if we'll use the Cisco in the future or a Windows server.

when you connected your PC on Meraki what vlan was it in? No vlan set.  The port I'm connected to is a trunk port with all vlans allowed.

- when you connected your PC on Meraki what address were you attempting to ping? I was trying to ping 172.17.1.15, which is a new SAN. When I need to connect to the new SAN from my PC, if I add 172.17.1.141 in the advanced tab of the IPv4 settings for my NIC I can ping and access the new SAN. I've done this before so that I could access the equipment to be able to admin the device. Once I remove that address, no more access.

- when you attempted to ping and immediately showed the content of the arp table (perhaps arp -a depending on the OS of your PC) do you see an entry in the arp table of your PC? I have attached a file with the results.

Responses to question on PC connected to 9300

- when you connected your PC on 9300 did it receive an IP address via DHCP? No DHCP; used static IP 172.17.3.124, 255.255.255.0, gw 172.17.3.1
+ if so what IP address, what mask, and what default gateway did it get? See above
+ what is handling DHCP for your network? Are you confident that it is set up correctly? No DHCP yet
- when you connected your PC on 9300 what vlan was it in? The connection to the 9300 is on port G12/0/23, which is set as a trunk port with all vlans allowed

- when you connected your PC on 9300 what address were you attempting to ping? Tried to ping 172.17.1.15

I've attached a file with the results of the commands you requested.

The connection to the router from the B2SW04 Meraki is set as a trunk port with all vlans allowed. I also tried limiting it to just vlan 50, but the results are the same.

The router is not owned by us and is managed by an outside agency.  I will see if they can provide the information requested.

I have attached files with the results from the commands you requested I run.


Thanks for the additional information. There is a lot of information in what you sent and it will take me a while to work through all of it. But I want to send a response now to address a couple of things and will respond again later after I have worked through what you have sent.


I know that you have said that you do not regard your network as a vlan. But in the terms that we use to describe modern networks it is a vlan, and it will be helpful if we can agree that the term is appropriate. A vlan is a broadcast domain. When a broadcast frame is sent out it will be delivered to every device operating in that broadcast domain. And that is the way that your network has been operating. Another way to look at it is that in general there is a one-to-one relationship between a vlan and a network or subnet. Since all of your devices have been operating in the same network or subnet, they have been operating in the same vlan.


When we talk about vlans there is a concept of a native vlan. The important aspect of the native vlan is that all frames for the native vlan are sent with no tag. And that is what your network has been doing. Basically all of your network devices have been operating in a single vlan and it has been the native vlan. When you connect a device to a switch access port without specifying a vlan assignment then the switch will assign that port to the default native vlan. Even though I do not know a lot about the Meraki switches I am confident that this is what they have been doing. So at this point every device connected to an access port is operating in the default native vlan which is vlan 1.


As you get more than one vlan in the network then there is the opportunity to configure a port as a trunk. A trunk can carry more than one vlan. The switch keeps track of which vlan a frame belongs to by using a tag on the frame. If the frame belongs to vlan 10 then its tag would say 10. On the trunk there is one vlan which is identified as the native vlan. The important thing about the native vlan is that its frames do not have a tag. The purpose of the native vlan is to provide compatibility with devices that do not tag frames, such as your PC. When you connect your PC to a port configured as a trunk then your PC will operate as a member of the native vlan (which by default would be vlan 1). 


I suspect that part of what is going on in your testing reflects the fact that you are connecting your PC on interfaces that are configured as trunks. I suggest configuring an interface as an access port in some vlan and then testing again.

HTH

Rick

This is part of what I am talking about:

B2SRSW(config)#interface gigabitethernet 2/0/16
B2SRSW(config-if)#switchport mode trunk
B2SRSW(config-if)#switchport access vlan 160


The switchport access vlan 160 looks like it would put the PC into vlan 160 (and it would if this were configured as an access port). But since it is configured as a trunk then the PC will actually operate in vlan 1.

HTH

Rick
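As an added example (this is not the original poster's configuration or anything Rick posted), here is what the two points Rick makes above look like on a Catalyst 9300 running IOS-XE: the default route given a next-hop address rather than only an outbound interface (his first reply), and a PC-facing port configured as an access port in vlan 160 instead of a trunk with an access vlan (his reply just above). Everything in it is assumed for illustration: vlan 50 as the transit vlan, 192.168.1.1 as the router's address on that vlan (Rick only asks whether the arp entry is the router; the thread never confirms it), 192.168.1.2 as a constructed address for the switch's own transit SVI, 172.17.3.1 as the vlan 160 gateway (the address the poster used on the laptop), and GigabitEthernet2/0/23 as the uplink toward B2SW01.

```cisco
! Added example configuration, not the poster's own. All addresses and
! interface numbers below are assumptions made for this illustration.
ip routing
!
vlan 50
 name TRANSIT
vlan 160
 name USERS
!
! Transit SVI toward the router. 192.168.1.2 is a constructed address;
! 192.168.1.1 is assumed to be the router, as Rick asks about above.
interface Vlan50
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
! User SVI: default gateway for hosts in vlan 160 (the 172.17.3.1 the
! poster already used on the laptop attached to the 9300).
interface Vlan160
 ip address 172.17.3.1 255.255.255.0
 no shutdown
!
! As posted (ineffective): "switchport access vlan" is ignored on a
! trunk, so the PC lands in the native vlan, vlan 1.
!   interface GigabitEthernet2/0/16
!    switchport mode trunk
!    switchport access vlan 160
!
! Corrected: an access port in vlan 160.
interface GigabitEthernet2/0/16
 switchport mode access
 switchport access vlan 160
 spanning-tree portfast
!
! Uplink toward B2SW01 (assumed interface). A trunk, limited to the
! vlans it actually needs to carry.
interface GigabitEthernet2/0/23
 switchport mode trunk
 switchport trunk allowed vlan 50,160
!
! Default route. The interface-only form Rick advises against:
!   ip route 0.0.0.0 0.0.0.0 Vlan50
! The form with the router's address as the next hop:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

To verify the result, show interface trunk should list only vlans 50 and 160 as allowed and active on the uplink, show ip interface brief should show both SVIs up/up, and show ip route should show the default route with 192.168.1.1 as the next hop. For this to work end to end, the Meraki trunks between B2SW01 and B2SW04 and the port on B2SW04 facing the router must also carry vlan 50 tagged, and the router must have its own address in the transit subnet and a route back to 172.17.3.0/24 via the 9300's transit address. Keeping the uplink's allowed list short is a deliberate choice: it stops user vlans from being extended onto the transit path when they have no need to be there.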

I am looking at this comment

The ip address on my PC is 172.17.5.141, 255.255.255.0. GW is 172.17.5.250

Is there a device in the network with address 172.17.5.250? Where is it? What is it? What is the story about this?


You tell us

I was trying to ping 172.17.1.15

If you assign IP address 172.17.1.141 to your PC then both devices are in the same subnet/same vlan and can communicate directly (no need for a default gateway). If the devices are in different subnets then they would need a working default gateway.


The arp output from your PC is interesting and shows that it is communicating with devices in 172.17.0.0, 172.17.1.0, and 172.17.5.0, which works because everything is in one simple broadcast domain. (Not quite what I was expecting, but nice to see that it does work.)


The arp output from the 9300 is good to see. It shows the switch interfaces (as expected) and shows that it is successfully communicating with 172.17.3.124. I am especially interested in the arp entry for 192.168.1.1 in vlan 50. Would I be correct in believing that this is the address on the router? If so, this demonstrates that the vlan 50 transit link is working.


The CDP output shows two Meraki switches as connected neighbors. Does that agree with your cabling arrangement?

HTH

Rick

Thanks for everyone's input. The issue has been resolved with some work from our firewall provider.

Thanks for the update telling us that the issue has been resolved with some work from your firewall provider.

HTH

Rick