Unable to ping across subinterfaces

waruinwarui
Level 1

Hi everyone,

This is my first time using this service so please be gentle.

I have an 871 router connected to a 2960 switch via two ports; both ports are configured as trunks.

On one of the router's trunks, I have set up subinterfaces.

My issue is - how come I can't ping across subinterfaces, or even VLANs? Any suggestions would greatly help.

Following are my router's config and CDP output for both the router and switch:

Current configuration : 6000 bytes

!

! Last configuration change at 16:08:47 C Wed Oct 23 2013 by root

! NVRAM config last updated at 14:32:14 C Fri Jul 19 2013 by root

!

version 12.4

no service pad

service timestamps debug datetime msec localtime show-timezone year

service timestamps log datetime msec localtime show-timezone year

service password-encryption

service sequence-numbers

!

hostname kai-vlan-gw

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$lcxP$E3AqTmhjOU7dVGPhEEQCN1

!

no aaa new-model

!

resource policy

!

clock timezone C 3

ip subnet-zero

ip cef

!

!

no ip bootp server

ip domain name kenyanalliance.local

ip name-server 192.168.5.1

ip multicast-routing

ip ssh time-out 60

login block-for 100 attempts 3 within 100

!

!

crypto pki trustpoint TP-self-signed-1536830124

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1536830124

revocation-check none

rsakeypair TP-self-signed-1536830124

!

!

username root password 7 10455D485044111E1E57

!

!

class-map type port-filter match-all DHCP_Traffic

match  port udp 67

class-map type port-filter match-all Telnet_Traffic

match  port tcp 23

!

!

policy-map type port-filter Unnecessary_Ports

  class DHCP_Traffic

   drop

  class Telnet_Traffic

   drop

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

switchport mode trunk

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

interface FastEthernet4.5

encapsulation dot1Q 5

ip address 192.168.5.245 255.255.255.0

no snmp trap link-status

!

interface FastEthernet4.10

encapsulation dot1Q 10

ip address 192.168.10.254 255.255.255.0

ip verify unicast reverse-path

ip helper-address 192.168.10.250

no snmp trap link-status

!

interface FastEthernet4.11

encapsulation dot1Q 11

ip address 192.168.11.254 255.255.255.0

ip verify unicast reverse-path

ip helper-address 192.168.11.250

no snmp trap link-status

!

interface FastEthernet4.12

encapsulation dot1Q 12

ip address 192.168.12.254 255.255.255.0

ip verify unicast reverse-path

ip helper-address 192.168.12.250

no snmp trap link-status

!

interface FastEthernet4.13

encapsulation dot1Q 13

ip address 192.168.13.254 255.255.255.0

ip verify unicast reverse-path

ip helper-address 192.168.13.250

no snmp trap link-status

!

interface FastEthernet4.14

encapsulation dot1Q 14

ip address 192.168.14.254 255.255.255.0

ip helper-address 192.168.14.250

no snmp trap link-status

!

interface FastEthernet4.15

encapsulation dot1Q 15

ip address 192.168.15.254 255.255.255.0

ip verify unicast reverse-path

ip helper-address 192.168.15.250

no snmp trap link-status

!

interface FastEthernet4.16

encapsulation dot1Q 16

ip address 192.168.16.254 255.255.255.0

ip verify unicast reverse-path

ip helper-address 192.168.16.250

no snmp trap link-status

!

interface FastEthernet4.20

encapsulation dot1Q 20

ip address 192.168.20.254 255.255.255.0

ip verify unicast reverse-path

ip helper-address 192.168.20.250

no snmp trap link-status

!

interface Vlan1

ip address 10.10.10.25 255.255.255.0

ip route-cache flow

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.5.254

ip route 172.20.20.8 255.255.255.248 192.168.5.150

ip route 172.22.254.0 255.255.255.224 192.168.20.253 name TO-AKI

ip route 192.168.0.0 255.255.255.0 192.168.5.252 name Mombasa

ip route 192.168.1.0 255.255.255.0 192.168.5.252 name Thika

ip route 192.168.18.0 255.255.255.0 192.168.5.252 name Kisumu

ip route 192.168.21.0 255.255.255.0 192.168.5.150 name Machakos

ip route 192.168.22.0 255.255.255.0 192.168.5.150 name Bunyala_Yard

ip route 192.168.23.0 255.255.255.0 192.168.5.150 name Meru

ip route 192.168.100.0 255.255.255.0 192.168.5.150

!

no ip http server

ip http authentication local

ip http secure-server

!

!

logging trap debugging

logging 192.168.20.12

access-list 100 permit ip 192.168.5.0 0.0.0.255 any

control-plane host

!

!

control-plane

!

banner exec ^C

Please be advised that you must be an administrator to proceed.

Failure to comply with this notification could lead to prosecution.

^C

banner login ^C

==============================================================

You're logging in to a restricted device. Please contact the

administrator if you need access!!

==============================================================

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

password 7 130E43435E5F073F3977

login local

transport preferred ssh

transport input ssh

!

scheduler max-task-time 5000

ntp clock-period 17174973

ntp server 128.138.141.172

end

Router CDP neighbors:

kai-vlan-gw#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

etsw1            Fas 1              142          S I      WS-C2960-2Fas 0/23

etsw1            Fas 4              152          S I      WS-C2960-2Gig 0/1

Switch CDP neighbors:

etsw1#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

kai-vlan-gw.kenyanalliance.local

                 Fas 0/23          150          R S I     871       Fas 1

kai-vlan-gw.kenyanalliance.local

                 Gig 0/1           156          R S I     871       Fas 4

etsw3            Gig 0/2           177           S I      WS-C2960- Gig 0/2

Kenyan_Alliance_MPLS_HQ

                 Fas 0/7           158          R S I     871       Fas 0

Kenya_Alliance.yourdomain.com

                 Fas 0/13          151          R S I     1841      Fas 0/0

Kenya_Alliance_HQ

                 Fas 0/14          158          R S I     881       Fas 3

18 Replies

SHIBI V DEV
Level 1

Have you configured ip default-gateway on the switch?

Hi Shibi

Yes I have. The default gateway for the switch is the IP address of Vlan 1 on the router i.e. 10.10.10.25

Warui

devils_advocate
Level 7

Presumably the Vlans exist on the switch and are allowed on the trunk link back to the Router?

Can you post your switch config?

Thanks for your response.

Yes, the Vlans exist on the switch. Here's my switch config:

Current configuration : 3125 bytes

!

! Last configuration change at 10:13:13 C Thu Oct 24 2013

!

version 12.2

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname etsw1

!

enable secret 5 $1$QtkT$ArHPOKJqiLtNCA1/a0cjr.

!

no aaa new-model

clock timezone C 3

system mtu routing 1500

ip subnet-zero

!

ip name-server 192.168.5.1

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface FastEthernet0/1

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/2

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/3

!

interface FastEthernet0/4

description VMHost_10.10.10.6

switchport mode trunk

!

interface FastEthernet0/5

description VMHost_10.10.10.7

switchport mode trunk

!

interface FastEthernet0/6

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/7

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/8

description VMHost_10.10.10.6

switchport mode trunk

!

interface FastEthernet0/9

description VMHost_10.10.10.7

switchport mode trunk

!

interface FastEthernet0/10

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/11

switchport access vlan 20

switchport mode access

!

interface FastEthernet0/12

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/13

switchport mode trunk

!

interface FastEthernet0/14

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/15

description VMHost_10.10.10.6

switchport access vlan 20

switchport mode trunk

!

interface FastEthernet0/16

description Proxy_Server

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/17

description VMHost_10.10.10.7

switchport mode trunk

!

interface FastEthernet0/18

switchport mode trunk

!

interface FastEthernet0/19

description VMHost_10.10.10.7

switchport mode trunk

!

interface FastEthernet0/20

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/21

switchport access vlan 20

switchport mode access

shutdown

!

interface FastEthernet0/22

switchport mode trunk

!

interface FastEthernet0/23

description Mgmnt_VLAN_Int

switchport access vlan 5

switchport mode trunk

!

interface FastEthernet0/24

!

interface GigabitEthernet0/1

switchport mode trunk

!

interface GigabitEthernet0/2

switchport mode trunk

!

interface Vlan1

ip address 10.10.10.1 255.255.255.0

no ip route-cache

!

ip default-gateway 10.10.10.25

ip http server

logging trap debugging

logging 192.168.20.12

!

control-plane

!

banner login ^C

============================================================

You're logging in to a restricted device. Please contact the

administrator if you need access!!

============================================================

^C

!

line con 0

password 7 15195F5D517928313A60

login

line vty 0 4

session-timeout 5

password 7 15195F5D517928313A60

login

line vty 5 15

login

!

ntp clock-period 36029439

ntp server 10.10.10.25

end

waruinwarui
Level 1

Hi guys,

Any thoughts? I'm still struggling with this...

Hi,

I suspect the domain name server that you configured on the switch. Have a look at that.

Guru

Can you do a #show ip route on the Router and post the results?

Hi,

Here's the routing table. I'm thinking it's an L2 issue rather than L3...

Gateway of last resort is 192.168.5.254 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, FastEthernet4.12

C    192.168.13.0/24 is directly connected, FastEthernet4.13

C    192.168.14.0/24 is directly connected, FastEthernet4.14

C    192.168.15.0/24 is directly connected, FastEthernet4.15

C    192.168.10.0/24 is directly connected, FastEthernet4.10

     172.20.0.0/29 is subnetted, 1 subnets

S       172.20.20.8 [1/0] via 192.168.5.150

     172.22.0.0/27 is subnetted, 1 subnets

S       172.22.254.0 [1/0] via 192.168.20.253

C    192.168.11.0/24 is directly connected, FastEthernet4.11

S    192.168.21.0/24 [1/0] via 192.168.5.150

C    192.168.20.0/24 is directly connected, FastEthernet4.20

C    192.168.5.0/24 is directly connected, FastEthernet4.5

     10.0.0.0/24 is subnetted, 1 subnets

C       10.10.10.0 is directly connected, Vlan1

S    192.168.23.0/24 [1/0] via 192.168.5.150

S    192.168.22.0/24 [1/0] via 192.168.5.150

S    192.168.0.0/24 [1/0] via 192.168.5.252

C    192.168.16.0/24 is directly connected, FastEthernet4.16

S    192.168.1.0/24 [1/0] via 192.168.5.252

S    192.168.100.0/24 [1/0] via 192.168.5.150

S    192.168.18.0/24 [1/0] via 192.168.5.252

S*   0.0.0.0/0 [1/0] via 192.168.5.254

waruinwarui
Level 1

Hi all,

I've also just noticed something else that's a bit strange. The router can ping only one of its own subinterfaces; does this make sense?:

kai-vlan-gw#ping 192.168.5.245 source 192.168.5.245

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.5.245, timeout is 2 seconds:

Packet sent with a source address of 192.168.5.245

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

kai-vlan-gw#ping 192.168.20.254 source 192.168.20.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.254, timeout is 2 seconds:

Packet sent with a source address of 192.168.20.254

.....

Success rate is 0 percent (0/5)

kai-vlan-gw#ping 192.168.5.245 source vlan1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.5.245, timeout is 2 seconds:

Packet sent with a source address of 10.10.10.25

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

kai-vlan-gw#ping 192.168.20.254 source vlan1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.254, timeout is 2 seconds:

Packet sent with a source address of 10.10.10.25

.....

Success rate is 0 percent (0/5)

prajithtr_2
Level 1

Hi Warui Warui,

If you have configured the device interface with unicast reverse path forwarding, by default it cannot ping itself. So if you want to enable self-ping, you have to apply the following command on the unicast RPF configured interfaces.

Command:

kai-vlan-gw(config-if)#ip verify unicast source reachable-via any allow-self-ping

Please try this command and refer to this doc:

http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/secure.pdf
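
As an added example (not part of any post in this thread, and not Cisco's code): a Python script that reads an IOS config and reports, per interface, the uRPF mode and whether `allow-self-ping` is set, which is the difference between Fa4.5 (no uRPF, self-ping worked) and Fa4.20 (uRPF, self-ping failed) above. The sample config is constructed from the stanzas posted here; `audit_urpf` and `self_ping_blocked` are names made up for the example.

```python
import re

# Constructed sample: condensed from the subinterface stanzas posted in this
# thread, plus two stanzas (Fa4.10, Fa4.11) rewritten in the newer syntax.
SAMPLE_CONFIG = """\
interface FastEthernet4.5
 encapsulation dot1Q 5
 ip address 192.168.5.245 255.255.255.0
!
interface FastEthernet4.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip verify unicast reverse-path
!
interface FastEthernet4.10
 encapsulation dot1Q 10
 ip verify unicast source reachable-via any allow-self-ping
!
interface FastEthernet4.11
 encapsulation dot1Q 11
 ip verify unicast source reachable-via rx allow-self-ping
!
"""

# Legacy form is strict; "reachable-via rx" is strict, "reachable-via any" is loose.
URPF = re.compile(r"^ip verify unicast (reverse-path|source reachable-via (rx|any))\b(.*)$")

def audit_urpf(config_text):
    """Map each interface to its uRPF mode and whether a self-ping passes the check."""
    report, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            report[current] = {"mode": "none", "self_ping": True}
        elif line == "!":                      # "!" closes the stanza
            current = None
        elif current and (m := URPF.match(line)):
            report[current] = {
                "mode": "loose" if m.group(2) == "any" else "strict",
                "self_ping": "allow-self-ping" in m.group(3).split(),
            }
    return report

def self_ping_blocked(report):
    """Interfaces where uRPF is on and the router's own pings will be dropped."""
    return sorted(i for i, r in report.items() if r["mode"] != "none" and not r["self_ping"])

if __name__ == "__main__":
    for name, result in audit_urpf(SAMPLE_CONFIG).items():
        print(f"{name:22} {result}")
```

Note that `reachable-via any` is loose-mode uRPF, while the legacy `reverse-path` form and `reachable-via rx` are strict, so the report also shows when enabling self-ping changed the anti-spoofing mode on an interface.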

Hi Prajithtr

Thanks for the suggestion; the router can now ping itself. Thanks.

I however still cannot ping across VLANS. Any other ideas?

Warui.

I found only VLANs 5 and 20 are configured.

1. The traffic from the switch should be coming to the router only through interface Fa4, not through Fa1 (router). Confirm that the switch interface Gi0/1 is up and is not blocked (since there are two connections to the router from the switch).

2. Just confirm that Gi0/1 is configured with the trunk encapsulation protocol (dot1q).

3. I found only VLANs 5 and 20 on the switch. So confirm that the end devices' IP addresses (VLAN 5 and 20) and default gateways are correct.

======================================

kai-vlan-gw#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

etsw1            Fas 1              142          S I      WS-C2960-2Fas 0/23

etsw1            Fas 4              152          S I      WS-C2960-2Gig 0/1

========================================

PLEASE RATE THIS COMMENT IF YOU ARE SATISFIED

Hi Prajithr,

I have other Vlans (other than 5 & 20) set up on the switch:

etsw1#show vlan brief

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Fa0/3, Fa0/22, Fa0/24

5    VLAN0005                         active    Fa0/1, Fa0/2, Fa0/6, Fa0/7, Fa0/10, Fa0/12, Fa0/14, Fa0/16, Fa0/20

10   Finance                          active

11   Life                             active

12   Underwritting                    active

13   Claims                           active

14   Administration                   active

15   Marketing                        active

16   Wireless                         active

20   IT                               active    Fa0/11, Fa0/21

Secondly, the switch is a 2960. Interface Gi0/1 is configured as a trunk and uses dot1q encap because 2960s do not support ISL.

etsw1#show int status

Port      Name               Status       Vlan       Duplex  Speed Type

Fa0/23    Mgmnt_VLAN_Int     connected    trunk      a-full  a-100 10/100BaseTX

Fa0/24                       notconnect   1            auto   auto 10/100BaseTX

Gi0/1                        connected    trunk      a-full  a-100 10/100/1000BaseTX

Gi0/2                        connected    trunk      a-full a-1000 10/100/1000BaseTX

The default gateway IP addresses are correct.

Warui.

Can you check that the devices in Vlan 5 have been given gateway 192.168.5.245  <------ Last octet is 245 (not 254)

and that the devices in Vlan 20 have been given gateway 192.168.20.254  <------ Last octet is 254

===============================

interface FastEthernet4.5

encapsulation dot1Q 5

ip address 192.168.5.245 255.255.255.0  <------------------

interface FastEthernet4.20

encapsulation dot1Q 20

ip address 192.168.20.254 255.255.255.0  <-------------

================================

The rest all seems correct...
