InterVLAN Query

satishtech Member Posts: 243
Why can't I have InterVLAN routing when I add a Router to an L3 3560
switch on PT?

I have created a simple InterVLAN on a 3560 L3 Switch.
I added a Router on one interface and created a VLAN on the
interface connected to the router, as I did for all the PCs.
I am unable to ping the Router interface. The PCs' InterVLAN
works fine. On the PCs I give the default gateway as the VLAN's
interface.

show ru :

ip routing

interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
!

interface GigabitEthernet0/1
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 40
switchport mode access
!
interface Vlan1
ip address 192.168.5.2 255.255.255.0
!
interface Vlan10
ip address 192.168.1.1 255.255.255.252
!
interface Vlan20
ip address 192.168.1.9 255.255.255.252
!
interface Vlan30
ip address 192.168.10.2 255.255.255.0
[Router connected to this VLAN on g0/1 with IP 192.168.10.1 , cannot ping ]
!
interface Vlan40
ip address 192.168.20.2 255.255.255.0

[PC connected here ,same as vlan's 10 and 20 ]

Comments

  • Mooseboost Member Posts: 778
    In packet tracer there should be a simulation where you can follow the path of the ping one step at a time. When you do this, where does the ping fail?
  • volfkhat Member Posts: 1,072
    You have a lot going on... and it's too early in the morning for VLSM :]


    I would recommend you "baby step" this process.
    Create a new scenario:
    1 router,
    1 switch,
    2 PC (in different Vlans).

    Then try to ping across the Vlans.

    Post the running-configs for the switch :]
    Oh, and also for the router!
  • Simrid Member Posts: 327
    Have you done a no shutdown on the vlan interfaces?
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • shortstop20 Member Posts: 161
    Things to check:

    Router interface connecting to switch is up/up.
    VLAN 30 interface is up/up.
    Gi0/1 on switch is up/up.
    VLAN 30 is created. Check with "show VLAN" on switch.
    CCNA Security - 6/11/2018
    CCNP TShoot - 3/7/2018
    CCNP Route - 1/31/2018
    CCNP Switch - 12/10/2015
    CCNA R/S - 1/14/2015
  • Hondabuff Member Posts: 667
    What's the IP address of the PC's plugged into Fa0/1 and 2?

    Also add this to the switch: Switch(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.1
    Add this to the Router plugged into Gi0/1 Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.10.2

    Worked for me.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • TWX Member Posts: 275
    The router cannot reply to the PC because the router does not know how to reach the subnet that the PC is on. It receives an echo-request from the 3560 from an IP address in the 192.168.20.0/24 network but that does not mean that it automatically sends an echo-reply back to the 3560. First it looks up in its own routing table the destination for the echo-reply, finds no route entry for 192.168.20.0/24, and drops the packet.

    Congratulations, you have now discovered why manually-entered static routes and routing protocols exist. You either need to add static routes to the router or you need to put all of the devices on the same VLAN as the router and use the same subnet.

    To do what you're trying to do without doing that you need NAT, but the 3560 does not do NAT.

    I put a real Cisco router up as my router and I'm running OSPF. That's how I got around it.
  • satishtech Member Posts: 243
    A simpler configuration:
    1. 3560 L3 switch.
    2. PC connected to f0/1 and a Router 2911 connected to G0/1

    Here is the running config:

    interface FastEthernet0/1
    switchport access vlan 10
    switchport mode access

    !
    interface GigabitEthernet0/1
    switchport access vlan 20
    switchport mode access
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan10
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan20
    ip address 192.168.2.1 255.255.255.0

    Switch#show int f0/1
    FastEthernet0/1 is up, line protocol is up (connected)

    Switch#show int g0/1
    GigabitEthernet0/1 is up, line protocol is up (connected)

    Switch#show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                    Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                    Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                    Fa0/22, Fa0/23, Fa0/24, Gig0/2
    10   jedi                             active    Fa0/1
    20   sith                             active    Gig0/1
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active
    Switch#

    The PC can Ping the int vlan 20 but router cannot ping int vlan 10.

    [Attachment: img.png]
  • shortstop20 Member Posts: 161
    As was pointed out, you either need to run a routing protocol on the switch and router or implement a static route on the router pointing towards the switch.
  • satishtech Member Posts: 243
    Added static routes on the switch and router.
    Now able to ping the VLAN interfaces, but not beyond...?

    switch :

    ip route 192.168.2.0 255.255.255.0 192.168.2.2

    Router :

    Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1
  • TWX Member Posts: 275
    We need more information---

    What can ping what, exactly? What can't ping what, exactly?

    What are the routing tables on the PCs and network devices?
  • GDaines Member Posts: 273
    I recently set up a network using a 3560 switch for DHCP and Inter-VLAN routing and the guys on here were great for talking me through the issues as I found them. At first my additional switches weren't working correctly as I hadn't set up "trunk" ports between switches, and then I too could not ping the router. Here's my network:



    For the router to work you need to configure the port on your switch it's connected to as follows:

    SW1(config)# int g0/1
    SW1(config-if)# no switchport
    SW1(config-if)# ip address 192.168.10.2 255.255.255.0
    SW1(config-if)# no shutdown
    SW1(config-if)# exit

    If you add another switch then you'll need to configure the switch-to-switch interfaces on both as follows:

    SW1(config)# int fa0/24
    SW1(config-if)# switchport trunk encapsulation dot1q
    SW1(config-if)# switchport mode trunk
    SW1(config-if)# exit

    I stand to be corrected as I'm new to this myself but I don't believe you use a VLAN between the switch and router - the VLANs are on the network side for separating groups of PCs.

    Once you make the change above you'll also need to make sure you have routes set up on your router to all the different VLANs. Too early to get my head around your config and change my routes to what you need so you'll have to do that, just to say my VLANs are using 1.x 2.x and 3.x networks and the next hop address on the end is the switch port address on my 3560 (so yours will be 192.168.10.2). This is the output from 'show run' on my router:

    ip route 10.10.1.0 255.255.255.0 10.10.0.2
    ip route 10.10.2.0 255.255.255.0 10.10.0.2
    ip route 10.10.3.0 255.255.255.0 10.10.0.2

    In my setup a PC will be given an IP address from the appropriate range depending on what VLAN the port it's connected to is configured as, so if the port is set to VLAN1 then the PC will get a 1.x address while for VLAN2 it'll get a 2.x address etc - the fact that I used 3 switches is irrelevant and just allows me to connect more hosts. I could just as easily have 10 different VLANs on a single 24-port switch.

    Haven't played with a setup where the router handles DHCP because it's unlikely to be configured like that in the real world.

    Am happy to help you get to the same stage as myself.
  • TWX Member Posts: 275
    No reason you can't use SVIs and VLANs...

    Taken from a production box:
    #sh ip route connected
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    
    Gateway of last resort is 10.255.246.9 to network 0.0.0.0
    
          10.0.0.0/8 is variably subnetted, 869 subnets, 13 masks
    C        10.0.205.0/24 is directly connected, Vlan16
    L        10.0.205.1/32 is directly connected, Vlan16
    C        10.2.205.0/24 is directly connected, Vlan16
    L        10.2.205.1/32 is directly connected, Vlan16
    C        10.4.24.0/21 is directly connected, Vlan16
    L        10.4.24.1/32 is directly connected, Vlan16
    C        10.8.13.0/24 is directly connected, Vlan224
    L        10.8.13.1/32 is directly connected, Vlan224
    C        10.9.6.0/24 is directly connected, Vlan704
    L        10.9.6.1/32 is directly connected, Vlan704
    C        10.9.34.0/24 is directly connected, Vlan701
    L        10.9.34.1/32 is directly connected, Vlan701
    C        10.9.54.0/24 is directly connected, Vlan700
    L        10.9.54.1/32 is directly connected, Vlan700
    C        10.255.246.8/30 is directly connected, TenGigabitEthernet1/32
    L        10.255.246.10/32 is directly connected, TenGigabitEthernet1/32
    
    

    All of the local LANs (the PCs at the site) use VLANs.

    Define a new VLAN if you want, and put one interface in that VLAN as an access interface or with the native VLAN of a trunk defined, and connect it to any other L3 device that is in the same network and it should work.

    On routers you can even get fancy and use bridged virtual interfaces where you need a VLAN to span multiple physical interfaces.

    Taken from my lab at home:
    >sh ip route connected
    
          172.16.0.0/16 is variably subnetted, 18 subnets, 7 masks
    C        172.16.0.0/27 is directly connected, BVI10
    L        172.16.0.1/32 is directly connected, BVI10
    C        172.16.0.32/27 is directly connected, BVI20
    L        172.16.0.33/32 is directly connected, BVI20
    C        172.16.0.64/27 is directly connected, BVI30
    L        172.16.0.65/32 is directly connected, BVI30
    C        172.16.0.236/30 is directly connected, GigabitEthernet0/0.40
    L        172.16.0.237/32 is directly connected, GigabitEthernet0/0.40
    C        172.16.0.240/28 is directly connected, BVI5
    L        172.16.0.241/32 is directly connected, BVI5
    
    


    The configs for the physical interfaces look something like this:
    interface GigabitEthernet0/0.5
     encapsulation dot1Q 5
     bridge-group 5
    !
    interface GigabitEthernet0/0.10
     encapsulation dot1Q 10
     bridge-group 10
    !
    interface GigabitEthernet0/0.20
     encapsulation dot1Q 20
     bridge-group 20
    !
    interface GigabitEthernet0/0.30
     encapsulation dot1Q 30
     bridge-group 30
    
    

    The switched virtual interface that I need for an L2 interface:
    interface Vlan10
     no ip address
     bridge-group 10
    

    And for the bridged virtual interfaces that tie it all together:
    interface BVI5
     ip address 172.16.0.241 255.255.255.240
     ip nat inside
     ip virtual-reassembly in
     ipv6 address FDAA:2:2:2005::1/64
    !         
    interface BVI10
     ip address 172.16.0.1 255.255.255.224
     ip nat inside
     ip virtual-reassembly in
     ipv6 address FDAA:2:2:2010::1/64
    !
    interface BVI20
     ip address 172.16.0.33 255.255.255.224
     ip nat inside
     ip virtual-reassembly in
     ipv6 address FDAA:2:2:2020::1/64
    !
    interface BVI30
     ip address 172.16.0.65 255.255.255.224
     ip nat inside
     ip virtual-reassembly in
     ipv6 address FDAA:2:2:2030::1/64
    
  • GDaines Member Posts: 273
    Whoa TWX, you've lost me on that one but I'll not hijack the thread looking for an explanation, instead I'll just revisit if I need anything like this for CCNA or someday decide to try to get my head around it for fun.

    I stated that I 'didn't believe' a VLAN would be used between the switch and the router as per my setup which you helped get working. Are you saying you could use one? Perhaps the OP (satishtech) may ask for more clarification.
  • shortstop20 Member Posts: 161
    GDaines wrote: »
    Whoa TWX, you've lost me on that one but I'll not hijack the thread looking for an explanation, instead I'll just revisit if I need anything like this for CCNA or someday decide to try to get my head around it for fun.

    I stated that I 'didn't believe' a VLAN would be used between the switch and the router as per my setup which you helped get working. Are you saying you could use one? Perhaps the OP (satishtech) may ask for more clarification.

    Yes, you could use a VLAN if you wished.

    You'd simply create the VLAN and the VLAN interface, then assign the switchport that will connect to the router to that VLAN.
  • satishtech Member Posts: 243
    I did the simple lab again, below is the config:
    Figure is the same as above.

    Works now!! (added after this post)
    Switch(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
    Router(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1


    sh ru :

    ip routing

    interface FastEthernet0/1
    switchport access vlan 10
    switchport mode access
    !
    interface FastEthernet0/2
    switchport access vlan 20
    switchport mode access


    interface Vlan10
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan20
    ip address 192.168.2.1 255.255.255.0
    !


    Switch#show ip route


    Gateway of last resort is not set

    C 192.168.1.0/24 is directly connected, Vlan10
    C 192.168.2.0/24 is directly connected, Vlan20

    Switch#show int f0/1 switchport
    Name: Fa0/1
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 10 (jedi)
    Trunking Native Mode VLAN: 1 (default)
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: All
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none


    Switch#show int f0/2 switchport
    Name: Fa0/2
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 20 (sith)
    Trunking Native Mode VLAN: 1 (default)
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: All
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none


    Switch#show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                    Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                    Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                    Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                    Fa0/23, Fa0/24, Gig0/1, Gig0/2
    10   jedi                             active    Fa0/1
    20   sith                             active    Fa0/2
    1002 fddi-default                     active
    1003 token-ring-default               active
    1004 fddinet-default                  active
    1005 trnet-default                    active

    PC connected to F0/1 port on the switch :
    192.168.1.2 /24 GW : 192.168.1.1


    Router connected to F0/2 port on the switch :
    192.168.2.2 /24


    Figure is same as above.

    Can anyone try an interVLAN on an L3 3560, PC on one port, router on another, please... on PT.
  • TWX Member Posts: 275
    All I see are connected routes. What command, specifically, did you enter on the router to add the static route?
  • satishtech Member Posts: 243
    Yup, works now.

    Either static or default routes work,

    but why this additional configuration when it comes to interVLAN
    between a Router and PC?

    Novice questions, sorry.

    Switch:

    ip classless
    ip route 192.168.2.0 255.255.255.0 192.168.2.2
    !
    (or default route Switch(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 )

    Router:
    ip classless
    ip route 192.168.1.0 255.255.255.0 192.168.2.1
  • TWX Member Posts: 275
    I don't see how it's working, if the PC is on a subnet that the router doesn't know about, then as far as the router is concerned, the subnet is unreachable.

    This is an example from my lab. It's EIGRP, so there are some extra bits in the entry, but it should still help.

    There are essentially four major kinds of routes in my lab. One is the default route that is set by the DHCP client process to my ISP. Another is the local user devices that are on an L2 network that this router directly touches. Yet another are the routes to directly-connected routers. The final type, which are the kind that require either a static route, or a route learned by a routing protocol, are routes to other networks that are not directly connected to this router.

    Local Routes for end-user devices, I've carved up 172.16.0.0/24 with VLSM for the users in this physical area:
    C        172.16.0.0/27 is directly connected, BVI10
    L        172.16.0.1/32 is directly connected, BVI10
    C        172.16.0.32/27 is directly connected, BVI20
    L        172.16.0.33/32 is directly connected, BVI20
    C        172.16.0.64/27 is directly connected, BVI30
    L        172.16.0.65/32 is directly connected, BVI30
    C        172.16.0.236/30 is directly connected, GigabitEthernet0/0.40
    L        172.16.0.237/32 is directly connected, GigabitEthernet0/0.40
    
    The "C" routes are for the networks. The "L" routes with /32 CIDR masks are my own interfaces on a given network.


    Routes to other routers, these happen to use Point to Point Frame Relay but regardless of the method the end result is that this is routers talking to other routers:
          172.25.0.0/16 is variably subnetted, 8 subnets, 2 masks
    C        172.25.0.0/30 is directly connected, Serial0/1/0.109
    L        172.25.0.1/32 is directly connected, Serial0/1/0.109
    C        172.25.0.4/30 is directly connected, Serial0/1/0.108
    L        172.25.0.5/32 is directly connected, Serial0/1/0.108
    C        172.25.0.8/30 is directly connected, Serial0/1/0.106
    L        172.25.0.9/32 is directly connected, Serial0/1/0.106
    C        172.25.0.12/30 is directly connected, Serial0/1/0.107
    L        172.25.0.13/32 is directly connected, Serial0/1/0.107
    
    As before, the "C" routes are for the networks and the "L" routes are my own interfaces on these networks.


    Routes that require connecting through another router, my router would have no idea how to reach these routes if either they weren't propagated by a routing protocol, or else they weren't statically added:
    D        172.16.2.0/25 [90/2172416] via 172.25.0.2, 1w5d, Serial0/1/0.109
    D        172.16.2.240/28 [90/2172416] via 172.25.0.2, 1w5d, Serial0/1/0.109
    D        172.16.3.0/26 [90/2170112] via 172.25.0.6, 1w5d, Serial0/1/0.108
    D        172.16.3.240/28 [90/2170112] via 172.25.0.6, 1w5d, Serial0/1/0.108
    D        172.16.4.0/24 [90/2172416] via 172.25.0.14, 1w4d, Serial0/1/0.107
                           [90/2172416] via 172.25.0.10, 1w4d, Serial0/1/0.106
    
    Note the lack of "L" routes with /32 CIDR. My router has no interfaces on these networks.

    In the case of routing protocols there's that 1w5d portion of the entry that I do not know the meaning of, but either way, there's the network-to-reach, the IP address out which to communicate to reach it, and the physical interface out which to send. In the case of 172.16.4.0/24 there are two equal-cost paths to reach it, as there are two routers that have reported that they have routes to it. In this case both 172.25.0.10 and 172.25.0.14 have interfaces on 172.16.4.0/24 as they're doing HSRP to provide fault-tolerance to the hypothetical users on 172.16.4.0/24.


    Now, let's pretend that I am going to re-address my 172.16.2.0/25 network behind router 172.25.0.2 on Serial0/1/0.109. I'll now use 192.168.20.0/24 and I won't use EIGRP. I'll have to add the following to my router:

    RT(config)#ip route 192.168.20.0 255.255.255.0 172.25.0.2

    which adds this to my routing table:
    S     192.168.20.0/24 [1/0] via 172.25.0.2
    

    My router now knows how to reach through another router to communicate with that network. It knows that the path to 192.168.20.0/24 is through the router 172.25.0.2, which it knows because it knows that to reach 172.25.0.2 it must communicate out the connected interface associated with 172.25.0.0/30, which it knows is Serial0/1/0.109 because it has an IP address of 172.25.0.1 255.255.255.252 on that interface.
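The return-path problem discussed in this thread, as an added example that is not part of any poster's message: a small Python model of the PC / 3560 / router lab (addresses taken from satishtech's posts) that runs a longest-prefix-match lookup at each hop for the echo-request and then for the echo-reply. The `Device` class and all function names are hypothetical, and the model assumes every static next hop sits on a connected subnet.

```python
import ipaddress


class Device:
    """An IP node with connected interfaces and optional static routes."""

    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.static = []  # list of (network, next_hop)

    def add_route(self, prefix, next_hop):
        self.static.append(
            (ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def owns(self, ip):
        return any(i.ip == ip for i in self.interfaces)

    def lookup(self, dst):
        """Longest-prefix match; returns the next-hop IP, or None for no route."""
        # A connected network is reached directly, so the next hop is dst itself.
        matches = [(i.network, dst) for i in self.interfaces if dst in i.network]
        matches += [(net, nh) for net, nh in self.static if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def deliver(devices, start, dst_ip, max_hops=8):
    """Follow one packet hop by hop; returns (delivered, trace)."""
    dst = ipaddress.ip_address(dst_ip)
    current, trace = start, []
    for _ in range(max_hops):
        if current.owns(dst):
            trace.append(f"{current.name}: delivered {dst}")
            return True, trace
        next_hop = current.lookup(dst)
        if next_hop is None:
            trace.append(f"{current.name}: no route to {dst}, dropped")
            return False, trace
        neighbor = next(
            (d for d in devices if d is not current and d.owns(next_hop)), None)
        if neighbor is None:
            trace.append(f"{current.name}: next hop {next_hop} not answering")
            return False, trace
        trace.append(f"{current.name} -> {neighbor.name} via {next_hop}")
        current = neighbor
    return False, trace + ["hop limit exceeded"]


def ping(devices, source, src_ip, dst_ip):
    """Echo-request out, then echo-reply back; both must be routable."""
    ok, out = deliver(devices, source, dst_ip)
    if not ok:
        return False, out
    target = next(d for d in devices if d.owns(ipaddress.ip_address(dst_ip)))
    ok, back = deliver(devices, target, src_ip)
    return ok, out + back


def build_lab(router_route=None):
    """Topology from the thread; router_route is (prefix, next_hop) or None."""
    pc = Device("PC", ["192.168.1.2/24"])
    pc.add_route("0.0.0.0/0", "192.168.1.1")  # PC default gateway = Vlan10 SVI
    switch = Device("Switch", ["192.168.1.1/24", "192.168.2.1/24"])  # two SVIs
    router = Device("Router", ["192.168.2.2/24"])
    if router_route:
        router.add_route(*router_route)
    return [pc, switch, router]


def ping_router_from_pc(router_route=None):
    devices = build_lab(router_route)
    return ping(devices, devices[0], "192.168.1.2", "192.168.2.2")


if __name__ == "__main__":
    cases = [
        ("no route on router", None),
        ("static route", ("192.168.1.0/24", "192.168.2.1")),
        ("default route", ("0.0.0.0/0", "192.168.2.1")),
    ]
    for label, route in cases:
        ok, trace = ping_router_from_pc(route)
        print(f"{label}: {'reply received' if ok else 'FAILED'}")
        for step in trace:
            print("   ", step)
```

In the first case the echo-request reaches the router and the failure appears only on the reply, which is why the switch side looks correctly configured while the ping still times out.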
  • satishtech Member Posts: 243
    Works:
    Static routes on switch and Router enable pinging
    through this nano network. Figure above.
    Works
  • GDaines Member Posts: 273
    One way to be completely sure is to change the ip addressing scheme on the router side so you know for sure you're routing right. I hope I've got this sussed as I've only just covered inter-VLAN routing myself (but I didn't use a VLAN on the router side in my network design). TWX please check and advise any errors made, thanks.

    Remove any existing static routing on both the router and switch then use these settings (skip existing settings that are correct).

    On the router add G0/0 interface into VLAN10, give it an ip address and set up a static route telling it how to find the 192.168 network:

    R1(config)# vlan 10
    R1(config)# name VLAN10
    R1(config)# int G0/0
    R1(config-if)# switchport access vlan 10
    R1(config-if)# ip address 10.10.10.1 255.255.255.252
    R1(config-if)# exit
    R1(config)# ip route 192.168.1.0 255.255.255.0 G0/0

    And on the switch add G0/1 interface into VLAN10 and F0/0 interface into VLAN20. Give them both ip addresses and configure the gateway of last resort to send anything it can't find to the router:

    SW1(config)# vlan 10
    SW1(config-vlan)# name VLAN10
    SW1(config-vlan)# exit
    SW1(config)# vlan 20
    SW1(config-vlan)# name VLAN20
    SW1(config-vlan)# exit
    SW1(config)# int G0/1
    SW1(config-if)# description router network
    SW1(config-if)# switchport access vlan 10
    SW1(config-if)# ip address 10.10.10.2 255.255.255.252
    SW1(config-if)# exit
    SW1(config)# int F0/1
    SW1(config-if)# description switch network
    SW1(config-if)# switchport access vlan 20
    SW1(config-if)# ip address 192.168.1.1 255.255.255.0
    SW1(config-if)# exit
    SW1(config)# ip route 0.0.0.0 0.0.0.0 G0/1
    SW1(config)# ip routing

    Now the switch can physically see both VLANs as they're directly connected, and the router has a route to the 192.168 network via the switch. There's been no mention of DHCP so I assume on the pc you're using a static address of 192.168.1.10 255.255.255.0 with a default gateway of the vlan address (192.168.1.1 in this example).

    If I've got this right the pc should be able to ping everything:

    192.168.1.10 - itself
    192.168.1.1 - default gateway/switch
    10.10.10.2 - switch exit interface to router
    10.10.10.1 - router

    Quite a bit more configuration required if you're doing this in a physical lab and want to connect the router to the internet as I found myself when the router could access the internet but the network couldn't.
  • satishtech Member Posts: 243
    ??
    Router(config)#vlan ?
    % Unrecognized command
  • GDaines Member Posts: 273
    satishtech wrote: »
    ??
    Router(config)#vlan ?
    % Unrecognized command

    Mmm sorry, like I said, I didn't use a VLAN on my router side, just multiple VLANs for my client side. The stuff I posted clearly only works on a L3 switch and not on a router so I guess I've no idea how to correctly configure your VLAN on that side in which case I'd better take a step back and leave it to TWX and the other more knowledgeable participants to assist.

    The setup (my setup) from post 12 works as I have it set up on my lab, but while my uncertainty as to whether you could use a VLAN on the router side was clarified by shortstop20 in post 15 the posts since have been way outside my understanding.
  • shortstop20 Member Posts: 161
    You cannot create VLANs on routers, they do not have a VLAN database.

    There are two ways to connect a router to a switch in this situation.

    Option 1 - Router connects to a port on the switch which is setup as a "switchport". This means it's a layer 2 port, just as ports are by default on switches. Then you'd assign the port a VLAN using "switchport access vlan". That VLAN needs a matching VLAN interface with an IP address in the same subnet as the interface on the router.

    You do not need to define a VLAN or a VLAN interface on the router. Simply connecting the port on the router to the switchport and configuring it as I've described makes it work.

    Option 2 - Router connects to a Layer 3 port on switch, configured with the "no switchport" command. This makes the port on the switch a routed or Layer 3 port.
  • TWX Member Posts: 275
    I had started a reply but got off on a side-note and must not have finished typing it before the computer crashed.

    You can set up 802.1q trunking to a router, but you have to define the subinterfaces (command like interface gigabitethernet0/0.10 for example), define the encapsulation type and the vlan to use (encapsulation dot1q 10) and then put the IP address on the subinterface. I have a few subinterfaces like that.

    Because of where my service-entrance is, my ISP connection unfortunately has to plug into a switch. That means I have to VLAN trunk from the switch at the service-entrance to the router in another part of the house. I chose to use VLAN 2 to do this. I have an access interface on VLAN2 on the switch, then a trunk interface connecting from the switch to the router. VLAN 2 comes in on G0/0.2. There are extra commands in the interface configuration (I'm tinkering) but you should recognize a bunch of the commands:
    rt#sh run int g0/0.2 
    Building configuration...
    
    Current configuration : 358 bytes
    !
    interface GigabitEthernet0/0.2
     description ISP Service Entrance
     encapsulation dot1Q 2
     ip address dhcp
     ip access-group WAN-In-Inspect-ACL in
     ip access-group WAN-Out-Inspect-ACL out
     ip nat outside
     ip inspect ROUTER-WAN-OUT out
     ip virtual-reassembly in
     ipv6 enable
     ipv6 traffic-filter LOG-ALL in
     ipv6 traffic-filter LOG-ALL out
     no cdp enable
    

    I have another subinterface for another VLAN, VLAN 40, to go back up to that switch. My old consumer-grade wireless access point is on that VLAN, in case any legacy devices in the house are still looking for that WAP instead of the new one, and it's plugged into that switch up where the cablemodem is:
    rt#sh run int g0/0.40
    Building configuration...
    
    Current configuration : 225 bytes
    !
    interface GigabitEthernet0/0.40
     description WIFI-Ivanhoe
     encapsulation dot1Q 40
     ip address 172.16.0.237 255.255.255.252
     ip nat inside
     ip virtual-reassembly in
     ipv6 address FDAA:2:2:2040::1/64
     ipv6 ospf 1 area 1
    


    On the switch I've set up the VLAN 2 interface to the ISP as follows:
    interface FastEthernet0/9
     description ->Cable-Modem
     switchport access vlan 2
     switchport mode access
     switchport nonegotiate
     ip access-group ISP-Inbound in
     ipv6 traffic-filter LOG-ALL in
     no cdp enable
     no lldp transmit
     spanning-tree bpdufilter enable
     spanning-tree bpduguard disable
     ip dhcp snooping trust
    

    I've intentionally done what I could to not make it obvious that it's Cisco gear, and I've removed stuff that the ISP doesn't need to see on account of that. No CDP, no LLDP (if it's even running), no spanning-tree, etc. I probably should run switchport nonegotiate to disable DTP, but so far it hasn't been a problem. I do have an ACL running on the switch, it's sort of a pre-filter to block incoming RFC1918 addresses and other addresses that have no business coming into my network from the outside in case my ISP screws up and doesn't filter properly for me.

    As for the WAP:
    interface FastEthernet0/7
     description ->WAP
     switchport access vlan 40
     switchport mode access
    

    Just set up as an access interface on the correct VLAN.
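A way to check access ports against the settings TWX applies to the cable-modem port, as an added example that is not part of the post: a Python audit that parses IOS interface stanzas and lists which of those commands each access port lacks. The two stanzas are the ones quoted in the post; treating these four commands as a baseline for every access port is an assumption of this example, and the function names are hypothetical.

```python
import re

# Commands present on the ISP-facing port in the post, with what each one does.
# Using them as a baseline for all access ports is this example's assumption.
BASELINE = [
    ("switchport mode access", "port is pinned to access mode"),
    ("switchport nonegotiate", "DTP negotiation is disabled"),
    ("no cdp enable", "CDP is not advertised on the port"),
    ("no lldp transmit", "LLDP is not advertised on the port"),
]

# Interface stanzas as quoted in the post above.
SAMPLE_CONFIG = """\
interface FastEthernet0/9
 description ->Cable-Modem
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 ip access-group ISP-Inbound in
 ipv6 traffic-filter LOG-ALL in
 no cdp enable
 no lldp transmit
 spanning-tree bpdufilter enable
 spanning-tree bpduguard disable
 ip dhcp snooping trust
!
interface FastEthernet0/7
 description ->WAP
 switchport access vlan 40
 switchport mode access
"""


def parse_interfaces(config):
    """Return {interface name: [normalized sub-commands]} from IOS config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"interface\s+(\S+)", raw)
        if header:
            current = stanzas.setdefault(header.group(1), [])
        elif raw[:1].isspace() and raw.strip() and current is not None:
            # Indented line: a sub-command of the current interface.
            current.append(" ".join(raw.split()))
        elif raw.strip():
            # "!" or any other top-level line closes the stanza.
            current = None
    return stanzas


def audit_access_ports(config):
    """Return {interface: [baseline commands that are missing]} for access ports."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport access vlan") for l in lines):
            continue  # routed ports, trunks and subinterfaces are out of scope
        findings[name] = [cmd for cmd, _ in BASELINE if cmd not in lines]
    return findings


if __name__ == "__main__":
    reasons = dict(BASELINE)
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        if not missing:
            print(f"{port}: matches baseline")
        for cmd in missing:
            print(f"{port}: missing '{cmd}' ({reasons[cmd]})")
```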
  • satishtech Member Posts: 243
    One default route on the router is enough to enable pinging throughout.
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
  • satishtech Member Posts: 243
    Simplest solution I found: convert router to a host

    Router(config)#no ip routing
    Router(config)#ip default-gateway 192.168.2.1