04-26-2018 05:46 PM - edited 03-08-2019 02:49 PM
So I have 2 directly connected devices, a switch and a router. I can ping all SVIs on the Sw but from the switch I can only ping the g0/0/0.252.1 (HSRP so .2 as well) interface.
All SVI and sub-int are up.
Trunk from switch to Router is allowing all VLANs.
Have static routes on router for SVIs on Router and have a default route for everything pointing to Router on the Switch.
Any help guys?
Also have issue pinging from Int Sw Prim to any SVI on Access Sw and the IP of the directly connected inside interface of the FW but I would like to tackle this issue first.
See attachment of topology.
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Link2_Sw0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0/0.12
encapsulation dot1Q 12
ip address 10.10.12.1 255.255.255.0
!
interface GigabitEthernet0/0/0.14
encapsulation dot1Q 14
ip address 10.10.14.1 255.255.255.0
!
interface GigabitEthernet0/0/0.252
description NE_Mgmt
encapsulation dot1Q 252
ip address 192.168.252.2 255.255.255.0
standby 1 ip 192.168.252.1
standby preempt
standby 0 track GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/1
description Link2_FW
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/1.251
encapsulation dot1Q 251
ip address 192.168.251.2 255.255.255.0
standby 2 ip 192.168.251.1
standby 2 preempt
standby 0 track GigabitEthernet0/0/1
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.250.0 255.255.255.0 192.168.252.5
ip route 192.168.200.0 255.255.255.0 192.168.252.5
ip route 192.168.180.0 255.255.255.0 192.168.252.5
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
--------------
IntRr_Prim#sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES unset up up
GigabitEthernet0/0/0.10 10.10.10.1 YES manual up up
GigabitEthernet0/0/0.12 10.10.12.1 YES manual up up
GigabitEthernet0/0/0.14 10.10.14.1 YES manual up up
GigabitEthernet0/0/0.252 192.168.252.2 YES manual up up
GigabitEthernet0/0/1 unassigned YES unset up up
GigabitEthernet0/0/1.251 192.168.251.2 YES manual up up
========================================
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
description Link2_Rt0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description Link2_Sw1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan180
mac-address 0001.c9cc.0e01
ip address 192.168.180.1 255.255.255.0
!
interface Vlan200
mac-address 0001.c9cc.0e02
ip address 192.168.200.1 255.255.255.0
!
interface Vlan250
mac-address 0001.c9cc.0e03
ip address 192.168.250.1 255.255.255.0
!
interface Vlan252
description NEMgmt
mac-address 0001.c9cc.0e04
ip address 192.168.252.5 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.252.1
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
---------------
GigabitEthernet0/2 unassigned YES unset up up
Vlan1 unassigned YES unset administratively down down
Vlan180 192.168.180.1 YES manual up up
Vlan200 192.168.200.1 YES manual up up
Vlan250 192.168.250.1 YES manual up up
Vlan252 192.168.252.5 YES manual up
04-26-2018 08:01 PM
04-26-2018 10:24 PM
HI,
I think best to share your PT file.
Regards,
Deepak Kumar
04-27-2018 12:55 PM
Hi sorry I am not quite sure how to get the file right now.
Ok so if I create an SVI on the switch for each sub-interface subnet on the router that I could not ping, it worked. I am not sure why that is the case if I have a 0.0.0.0 0.0.0.0 (router ip) default route. Can you help me understand why?
04-27-2018 06:12 PM
I don’t understand what’s not working.
What ping are you doing:
- source ip and destination
From the switch to the router?
04-27-2018 07:37 PM
Ping from switch to any other IP address on router except the .252 which works.
I am only able to ping the other IP addresses/interfaces on the router if I create an SVI for that subnet on the switch. Once again I don't see why when I have a default route pointing to the router.
04-28-2018 06:16 PM
04-29-2018 10:06 AM
So when I enter debug ip icmp on both switch and router it does not show anything.
After some testing however, I noticed that if I create an SVI on the Intsw and the IntRt has a corresponding sub-int, I can only ping the sub-int if it is on the directly connected interface (interface between Int switch and Router) and vice versa. So if I remove or shutdown the SVI for those subnets on the Intswitch I can ping.
The main thing I want to be able to do is pass all traffic that is destined for the FW through the IntSw and all traffic that is destined for the InterRt from the FW be passed through as well.
Right now the connection g0/1 from the IntSw to the IntRt is trunked - can ping but only if I don't create SVIs for subnets that are not configured on the directly connected interface of the router, and the port connection on the IntSw that connects to the FW is switchport access vlan for the same subnet of the inside interface of the FW - I can't get it to ping if I make this connection a trunk.
Will all internal subnet traffic that is destined for the FW from the IntRt and vice versa pass through the switch this way?
04-29-2018 05:33 PM
On which switch are you connected to? Layer 3 or Layer 2?
I mean if your laptop on the switch is on a vlan where the default gateway is on the switch, then you can ping all subnets because it’s inter vlan routing.
However, if your host is on a switch that acts as default gateway, you need to activate ip routing on this switch to make sure you can reach subnets on router side.
Have you activated ip routing?
That’s why I asked for your packet tracer file because we can open it and check where the issue is and point it out to you.
04-29-2018 06:07 PM - edited 04-29-2018 06:57 PM
On which switch are you connected to? Layer 3 or Layer 2?
I am pinging directly from the Layer 3 switch and IP routing is enabled.
I mean if your laptop on the switch is on a vlan where the default gateway is on the switch, then you can ping all subnets because it’s inter vlan routing.
I can connect a laptop and try.
However, if your host is on a switch that acts as default gateway, you need to activate ip routing on this switch to make sure you can reach subnets on router side.
IP routing is enabled.
I am not sure how to get the packet tracer file.
See configs.
InterConSw_Prim#sh run
Building configuration...
Current configuration : 1836 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname InterConSw_Prim
!
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
description Trunk2_InterRt_Prim
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description Link2_FW
switchport access vlan 251
switchport mode access
switchport nonegotiate
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 000c.cf26.8701
ip address 10.10.10.7 255.255.255.0
!
interface Vlan40
mac-address 000c.cf26.8702
ip address 192.168.40.7 255.255.255.0
!
interface Vlan251
mac-address 000c.cf26.8703
ip address 192.168.251.7 255.255.255.0
!
interface Vlan252
mac-address 000c.cf26.8704
ip address 192.168.252.7 255.255.255.0
!
ip classless
ip route 192.168.252.0 255.255.255.0 192.168.251.1
ip route 192.168.0.0 255.255.0.0 192.168.251.1
ip route 10.10.0.0 255.255.0.0 192.168.251.1
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
-------------------
Vlan1 unassigned YES unset administratively down down
Vlan10 10.10.10.7 YES manual up up
Vlan40 192.168.40.7 YES manual up up
Vlan251 192.168.251.7 YES manual up up
Vlan252 192.168.252.7 YES manual up up
=====================================================
IntRr_Prim#sh run
Building configuration...
Current configuration : 1659 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname IntRr_Prim
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description Link2_Sw0
ip address 10.10.0.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0/0.12
encapsulation dot1Q 12
ip address 10.10.12.1 255.255.255.0
!
interface GigabitEthernet0/0/0.14
encapsulation dot1Q 14
ip address 10.10.14.1 255.255.255.0
!
interface GigabitEthernet0/0/0.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet0/0/0.252
description NE_Mgmt
encapsulation dot1Q 252
ip address 192.168.252.2 255.255.255.0
standby 1 ip 192.168.252.1
standby preempt
standby 0 track GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/1
description Link2_FW
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/1.40
no ip address
!
interface GigabitEthernet0/0/1.251
encapsulation dot1Q 251
ip address 192.168.251.2 255.255.255.0
standby 2 ip 192.168.251.1
standby 2 preempt
standby 0 track GigabitEthernet0/0/1
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.250.0 255.255.255.0 192.168.252.5
ip route 192.168.200.0 255.255.255.0 192.168.252.5
ip route 192.168.180.0 255.255.255.0 192.168.252.5
ip route 0.0.0.0 0.0.0.0 192.168.251.251
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
---------------------------
IntRr_Prim#sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 10.10.0.1 YES manual up up
GigabitEthernet0/0/0.10 10.10.10.1 YES manual up up
GigabitEthernet0/0/0.12 10.10.12.1 YES manual up up
GigabitEthernet0/0/0.14 10.10.14.1 YES manual up up
GigabitEthernet0/0/0.40 192.168.40.1 YES manual up up
GigabitEthernet0/0/0.252 192.168.252.2 YES manual up up
GigabitEthernet0/0/1 unassigned YES unset up up
GigabitEthernet0/0/1.40 unassigned YES unset up up
GigabitEthernet0/0/1.251 192.168.251.2 YES manual up up
Loopback1 1.1.1.1 YES manual up up
Vlan1 unassigned YES unset administratively down down
IntRr_Prim#
==========================
PINGS - basically if I shut down the SVI on the Interconnect switch I have for a sub-int that is not on the directly connected interface on the router I can ping. I shut down SVI 252 but for some reason I still can't ping now, which is weird as I thought I could before. See below.
===========================
InterConSw_Prim#ping 192.168.252.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
InterConSw_Prim#ping 192.168.252.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
InterConSw_Prim(config)#interface vlan 10
InterConSw_Prim(config-if)#shut
InterConSw_Prim(config-if)#
%LINK-5-CHANGED: Interface Vlan10, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
end
InterConSw_Prim#
%SYS-5-CONFIG_I: Configured from console by console
InterConSw_Prim#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
---------
InterConSw_Prim#
%SYS-5-CONFIG_I: Configured from console by console
InterConSw_Prim#ping 192.168.252.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
InterConSw_Prim#ping 10.10.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
--------------
IntRr_Prim#ping 192.168.252.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
-----------------
=---------------------
04-29-2018 06:24 PM - edited 04-29-2018 06:26 PM
On your switch, this route is useless:
ip route 192.168.252.0 255.255.255.0 192.168.251.1
On your router, you’re also missing some routes for 192.168.251.0/24, 192.168.40.0/24
Also what’s strange is that your Intswitch Primary has 192.168.252.0/24 subnet and you have the same on your access switch but they are separated by a router and are not connected together. How did you span your vlan because I don’t see any L2 link and what you’re doing is not correct.
You can take your pka file saved from your default packet-tracer location, you can save at a new location.
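The behaviour in the ping output above can be reproduced with a small route-lookup model of InterConSw_Prim (an added example, not part of the original posts). It assumes the switch trunk lands on router port GigabitEthernet0/0/1, whose only addressed sub-interface is .251; the addresses are taken from the posted configs, and the `lookup` and `ping` helpers are hypothetical names.

```python
import ipaddress

# Constructed from the InterConSw_Prim and IntRr_Prim configs posted above.
SVIS = {10: "10.10.10.7/24", 40: "192.168.40.7/24",
        251: "192.168.251.7/24", 252: "192.168.252.7/24"}
STATICS = [("192.168.0.0/16", "192.168.251.1"),
           ("10.10.0.0/16", "192.168.251.1")]
# Assumption: the trunk (Trunk2_InterRt_Prim) lands on router port
# GigabitEthernet0/0/1, so only VLAN 251 has a router address on this link.
ROUTER_ON_TRUNK = {251: {"192.168.251.2", "192.168.251.1"}}
# Every address the router owns on any port (interfaces and HSRP VIPs).
ROUTER_ADDRS = {"10.10.0.1", "10.10.10.1", "10.10.12.1", "10.10.14.1",
                "192.168.40.1", "192.168.252.2", "192.168.252.1",
                "192.168.251.2", "192.168.251.1"}


def lookup(dst, shut=frozenset()):
    """Longest-prefix match on the switch; returns (kind, via) or None."""
    addr = ipaddress.ip_address(dst)
    routes = [(ipaddress.ip_interface(a).network, "connected", vlan)
              for vlan, a in SVIS.items() if vlan not in shut]
    routes += [(ipaddress.ip_network(p), "static", nh) for p, nh in STATICS]
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    _, kind, via = max(hits, key=lambda r: r[0].prefixlen)
    return kind, via


def ping(dst, shut=frozenset()):
    """Predict whether the switch reaches a router address, and why."""
    route = lookup(dst, shut)
    if route is None:
        return False, "no route"
    kind, via = route
    if kind == "connected":
        # An up SVI makes the subnet connected: the switch ARPs for dst on
        # that VLAN, and only a router sub-interface with the same tag on
        # the trunk port can answer.
        ok = dst in ROUTER_ON_TRUNK.get(via, set())
        return ok, f"connected Vlan{via}, ARP {'answered' if ok else 'unanswered'}"
    # Static route: the next hop must resolve over a connected VLAN that the
    # router actually terminates on this trunk.
    nh = lookup(via, shut)
    nh_ok = (nh is not None and nh[0] == "connected"
             and via in ROUTER_ON_TRUNK.get(nh[1], set()))
    return nh_ok and dst in ROUTER_ADDRS, f"static via {via}"


if __name__ == "__main__":
    for dst, shut in [("10.10.10.1", set()), ("10.10.10.1", {10}),
                      ("10.10.12.1", set()), ("192.168.252.1", set())]:
        print(dst, "shut:", sorted(shut), "->", ping(dst, shut))
```

The model covers only the switch-to-router direction; replies are assumed to return over VLAN 251, where both devices have an address.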
04-29-2018 07:04 PM - edited 04-29-2018 08:04 PM
On your switch, this route is useless:
ip route 192.168.252.0 255.255.255.0 192.168.251.1
Sorry I was making some changes to test and left that. I removed it.
On your router, you’re also missing some routes for 192.168.251.0/24, 192.168.40.0/24
I was making changes again. Also see Access Switch config below.
I entered routes for all the subnets on the Access switch for 192.168.251.5
Didn't enter one for 192.168.252.5 because I could always ping it. This correct?
Here are my routes on IntRt. These would all be correct?
ip route 192.168.250.0 255.255.255.0 192.168.252.5
ip route 192.168.200.0 255.255.255.0 192.168.252.5
ip route 192.168.180.0 255.255.255.0 192.168.252.5
ip route 0.0.0.0 0.0.0.0 192.168.251.251
ip route 10.10.12.0 255.255.255.0 192.168.252.5
ip route 10.10.10.0 255.255.255.0 192.168.252.5
I have a default route for 0.0.0.0 0.0.0.0 192.168.251.251 and still does not work.
Also what’s strange is that your Intswitch Primary has 192.168.252.0/24 subnet and you have the same on your access switch but they are separated by a router and are not connected together. How did you span your vlan because I don’t see any L2 link and what you’re doing is not correct.
Looks like that was my problem. I don't know another way but I connected a trunk between the Accesssw and the InterconSw and now I can ping all sub-interfaces and SVIs!!
I am merely using the InterConsw just so I can connect the 2 routers to 1 FW somehow. I just need whatever traffic destined for the FW to pass through the switch.
How do you suggest I connect to that switch or SPAN that 252 VLAN across all devices if what I did is not the best practice?
That 252 subnet is used for or at least I am trying to use for mgmt. The access switch is connected to the IntRt via trunk and likewise for the IntRt connected to the IntSw. How do you suggest I change this if I want to use 192.168.252. for true OOB mgmt?
=============================================
ServerAccSw# sh run
Building configuration...
Current configuration : 2474 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ServerAccSw
!
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/1
switchport access vlan 180
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
description Link2_Rt0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description Link2_Sw1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 0001.c9cc.0e01
ip address 10.10.10.5 255.255.255.0
!
interface Vlan12
mac-address 0001.c9cc.0e02
ip address 10.10.12.5 255.255.255.0
!
interface Vlan14
mac-address 0001.c9cc.0e09
ip address 10.10.14.5 255.255.255.0
!
interface Vlan40
mac-address 0001.c9cc.0e0a
ip address 192.168.40.5 255.255.255.0
!
interface Vlan51
mac-address 0001.c9cc.0e03
ip address 192.168.51.5 255.255.255.0
shutdown
!
interface Vlan180
mac-address 0001.c9cc.0e04
ip address 192.168.180.1 255.255.255.0
!
interface Vlan200
mac-address 0001.c9cc.0e05
ip address 192.168.200.1 255.255.255.0
!
interface Vlan250
mac-address 0001.c9cc.0e06
ip address 192.168.250.1 255.255.255.0
!
interface Vlan251
mac-address 0001.c9cc.0e07
ip address 192.168.251.5 255.255.255.0
!
interface Vlan252
description NEMgmt
mac-address 0001.c9cc.0e08
ip address 192.168.252.5 255.255.255.0
!
ip classless
ip route 192.168.50.0 255.255.255.0 192.168.252.6
ip route 10.10.0.0 255.255.0.0 192.168.252.1
ip route 192.168.51.0 255.255.255.0 192.168.252.6
ip route 0.0.0.0 0.0.0.0 192.168.252.1
!
ip flow-export version 9
===============================
PING
==============================
Vlan1 unassigned YES unset administratively down down
Vlan10 10.10.10.5 YES manual up up
Vlan12 10.10.12.5 YES manual up up
Vlan14 10.10.14.5 YES manual up up
Vlan40 192.168.40.5 YES manual up up
Vlan51 192.168.51.5 YES manual administratively down down
Vlan180 192.168.180.1 YES manual up up
Vlan200 192.168.200.1 YES manual up up
Vlan250 192.168.250.1 YES manual up up
Vlan251 192.168.251.5 YES manual up up
Vlan252 192.168.252.5 YES manual up up
------------------------
ServerAccSw#ping 192.168.251.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.251.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ServerAccSw#ping 192.168.252.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
ServerAccSw#ping 10.10.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.14.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/1 ms
05-02-2018 04:03 PM