Router on a Stick and Vlans

zoro_2009

Hello,

I have this scenario: A router trunked to core L3 switch 3550 which is connected to 2 L2 2950 switches en access mode, the 3550 switch has 2 VLans: vlan1 and vlan2 connected to switch 1 and switch 2 respectively !




The router is doing the routing well, I can ping clients in vlan2 from vlan1 clients, the problem I can't ping 2950(2) from a host1 machine in vlan1, the same goes the other way around, I can't ping 2950(1) from vlan2 hosts!

Any suggestions ? thanks

mikeybinec

assuming that you gave the 2950s IP addresses, give them a default gateway also

(config)#ip-default gateway (ip_address) and the gateway address would be the router

I think you have to VTP them also

zoro_2009

mikeybinec wrote: »

assuming that you gave the 2950s IP addresses, give them a default gateway also

(config)#ip-default gateway (ip_address) and the gateway address would be the router

I think you have to VTP them also

the router is doing DHCP, so the 2950 switches will get the default gateway of the subinterface of the routers interfaces?

By VTP, you mean, the link between 3550 and the 2 2950 should be trunk isn't it ?

Hondabuff

The trunks to the L2 switches need to be be in trunk mode also not access. Make sure to change the encapsulation to dot1q on the 3550. Once you have mastered the router on a stick, You will want to do all your routing on the L3 switch. Play around with this lab. http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.pdf

zoro_2009

Hondabuff wrote: »

The trunks to the L2 switches need to be be in trunk mode also not access. Make sure to change the encapsulation to dot1q on the 3550. Once you have mastered the router on a stick, You will want to do all your routing on the L3 switch. Play around with this lab. http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.pdf

Hi, thanks for pointing that out, the weird thing is that I can access the switch via web browser, but I can't ping it, nor access it with Telnet or ssh, which have worked without problem before implementing the vlans !

Codeman6669

do you have any ACL's configured?

EdTheLad

Hondabuff wrote: »

The trunks to the L2 switches need to be be in trunk mode also not access. Make sure to change the encapsulation to dot1q on the 3550. Once you have mastered the router on a stick, You will want to do all your routing on the L3 switch. Play around with this lab. http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.pdf

No they don't, as per the description, there is only 1 vlan on each switch so the ports are fine as access in this scenario.

Zoro, maybe you should think about providing some config outputs and show cmd outputs?
Something to note, you are using vlan 1, vlan 1 is by default is the native vlan on the trunk port. Have you configured your router subinterface with the "native" option ?

_Gonzalo_

zoro_2009 wrote: »

the router is doing DHCP, so the 2950 switches will get the default gateway of the subinterface of the routers interfaces?

Yo do not want to do that in any scenario. Your switches IP´s can be obtained through DHCP, but you have to configure the switch for it, and I bet you didn´t. And if you did, undo it! You will want a static IP for your switches (or for any of your network devices) to connect to them via IP (to give you a clear example)

In any case, as you will have to troubleshoot it, why not start there? Assign manual IP and default gateway to the switch and try again. That discards DHCP malfunction. And go on from there...

Add to that, as per the image, that you are working with a simulator (looks like Cisco´s PT). You should also be aware that some things are beyond it. MAybe you´re testing its limits...

Jon_Cisco

I would suggest watching your packets in simulator mode. It is one of my favorite features of packet tracer. It will should you what is moving on the network and why it fails.

zoro_2009

_Gonzalo_ wrote: »

Yo do not want to do that in any scenario. Your switches IP´s can be obtained through DHCP, but you have to configure the switch for it, and I bet you didn´t. And if you did, undo it! You will want a static IP for your switches (or for any of your network devices) to connect to them via IP (to give you a clear example)

In any case, as you will have to troubleshoot it, why not start there? Assign manual IP and default gateway to the switch and try again. That discards DHCP malfunction. And go on from there...

Add to that, as per the image, that you are working with a simulator (looks like Cisco´s PT). You should also be aware that some things are beyond it. MAybe you´re testing its limits...

No the switch does not get an IP from the DHCP I verified that... plus, I've assigned a manual IP and that didn't go either !

When assigning the default gateway on the switch should I set the routers one ?
I re-confirm I can access through web Gui to the switches, but NOT through terminal (ssh or telnet and no ping)

Also the core switch (c3550), can ping the 2950 switches no problem whatsoever !

EdTheLad wrote: »

No they don't, as per the description, there is only 1 vlan on each switch so the ports are fine as access in this scenario.

Zoro, maybe you should think about providing some config outputs and show cmd outputs?
Something to note, you are using vlan 1, vlan 1 is by default is the native vlan on the trunk port. Have you configured your router subinterface with the "native" option ?

There was some misinterpretation in my example here for the real problem for the sake of simplicity, in my real production environment I have vlan 10 and 20 (and some others) ... so the issue with being vlan 1 and native thing is not the cause, I've eliminated that !

tecnodog7

zoro_2009 wrote: »

Hello,

I have this scenario: A router trunked to core L3 switch 3550 which is connected to 2 L2 2950 switches en access mode, the 3550 switch has 2 VLans: vlan1 and vlan2 connected to switch 1 and switch 2 respectively !




The router is doing the routing well, I can ping clients in vlan2 from vlan1 clients, the problem I can't ping 2950(2) from a host1 machine in vlan1, the same goes the other way around, I can't ping 2950(1) from vlan2 hosts!

Any suggestions ? thanks

Why are the two switches in access mode? They need to be in trunk mode so that Vlan traffic can pass through them.

EdTheLad

tecnodog7 wrote: »

Why are the two switches in access mode? They need to be in trunk mode so that Vlan traffic can pass through them.

No they don't ! In the example given there is one vlan per switch, you don't need a trunk if their is only one vlan.

Hondabuff

I got it to work. Make sure the L2 switchports connecting to the L3 switch are access ports. You do not need VTP or Vlan 2 on the switch that is associated with VLAN 2 because the 3550 makes everything in VLAN 2 by default. The whole switch is in Vlan2 but you assign the IP address to vlan 1 to be in the same subnet. Ip default gateways on each L2 switch points to the routers respective sub interfaces that are the gateway address. Clear as mud!

EdTheLad

It doesn't sound like you have it clear as mud to me.
What you should have:

1) Simple setup with access ports.

Router fa0/0 configured with 2 subinterfaces, lets say vlan 10 and vlan 20. Each subinterface has an assigned address i.e. 192.168.10.1/24 and 192.168.20.1/24 respectfully. The subinterfaces have dot1q encapsulation which means they are sending tagged frames. The 3550 fa0/1 is configured as a trunk port connected to the router, this trunk is allowing vlans 10 and 20. The 3550 is configured with 2 vlans 10 and 20, int fa0/2 and fa0/3 are both configured as access ports in their respective vlans 10 and 20.
2950-A is configured with vlan 10 and both ports fa0/1 and fa0/2 are configured with access-port vlan 10.
2950-B is configured with vlan 20 and both ports fa0/1 and fa0/2 are configured with access-port vlan 20.

Host-A ip address 192.168.10.2/24 DG 192.168.10.1
Host-B ip address 192.168.20.2/24 DG 192.168.20.1

2) A better solution, using trunks between the 3550 and the 2950 so that the 2950s can support multiple vlans.

Hondabuff

EdTheLad wrote: »

It doesn't sound like you have it clear as mud to me.
What you should have:

1) Simple setup with access ports.

Router fa0/0 configured with 2 subinterfaces, lets say vlan 10 and vlan 20. Each subinterface has an assigned address i.e. 192.168.10.1/24 and 192.168.20.1/24 respectfully. The subinterfaces have dot1q encapsulation which means they are sending tagged frames. The 3550 fa0/1 is configured as a trunk port connected to the router, this trunk is allowing vlans 10 and 20. The 3550 is configured with 2 vlans 10 and 20, int fa0/2 and fa0/3 are both configured as access ports in their respective vlans 10 and 20.
2950-A is configured with vlan 10 and both ports fa0/1 and fa0/2 are configured with access-port vlan 10.
2950-B is configured with vlan 20 and both ports fa0/1 and fa0/2 are configured with access-port vlan 20.

Host-A ip address 192.168.10.2/24 DG 192.168.10.1
Host-B ip address 192.168.20.2/24 DG 192.168.20.1

2) A better solution, using trunks between the 3550 and the 2950 so that the 2950s can support multiple vlans.

I actually found the OP's lab quite frustrating. I'm so used to setting up routing on the Distribution layer "3550" and routing back up to the edge or core router that I almost forgot how to do router on a stick setups. It reminded me of a lab I used top do over and over for my voice studies. I actually found a bug in the new Packet Tracer 6.2 that will not allow the phones to register or DCHP with sub interfaces. Also when I turned on portfast for the phones the 3560 spazzed out and was giving some crazy power failure CDP something. Looks like the developers need a bug fix. Wonder if Cisco Packet tracer has a TAC

_Gonzalo_

zoro_2009 wrote: »

When assigning the default gateway on the switch should I set the routers one ?

That seems pretty clear then. The gateway is the router´s IP that services the VLAN that you assigned to the switches. If you have none configured, you will only be able to ping from inside each network, as the switch will not be able to go beyond it for the reply (pings reach the switch but don´t return)

Even more. I just reread your initial post and you appear to have assigned an IP address from VLAN 10 to the first switch and from VLAN 20 to the second. Best practices advise to have a management network separated from your other VLANs. I´d do that also.