VLAN Trunking between a switch and a router

Ensure windows firewall is off.... or at least has exceptions to allow icmp echo/echo reply

This is the common issue when each host can ping their gateway or eachothers for that matter but cannot get any further than that....

cisco_trooper

Let's see your router and switch configurations...

tech-airman

Setotek wrote:

According to cisco's website: [http://www.cisco.com/warp/public/473/50.shtml]

This would set up trunking for 2 vlans on a switch and the router would provide the routing for traffice between the 2 vlans via trunking. Theory wise, that makes perfect sense.

The part that im having problems is pinging from wkstn A to wkstn B. I used a different class of IP's but followed the directions as careful as possible. I was able to ping eachother's gateway but not the workstation themselves. I was stuck for hours on figuring out how to fix it.

Wrkstn A
172.16.130.2 is the IP
255.255.255.0 is the SM
172.16.130.1 is the DG

Wrkstn B
172.16.140.2 is the IP
255.255.255.0 is the SM
172.16.140.1 is the DG

On the router i set

FA0/0.1 with 172.16.130.1 for VLAN 2

and

FA0/0.2 with 172.16.140.1 for VLAN 1

I also have the correct IOS on the switch and router as noted on the link at the bottom of the page.

What am i doing wrong guys?? Need some help!

Thanks,
Setotek

Setotek,

Which type of trunking are you using?

compy

yeh did u set the encap type correct ??

dtlokee

The post stated he can ping the hosts gateways so it's most likely not the encapsulation if that is the case.

I'll bet it's the windows firewall. It blocks pings by default on xp and vista.

ctdawson

Try pinging the other vlans gateway and see if thats still giving you trouble. If it is still giving you trouble then you know its not the xp vista firewall issue. A question ill also ask is do you possibly need to set the ip default-gateway command on the switch?

Thanks for the quick response guys.

I checked the windows firewall on both workstations and they are turned OFF. I am currently using dot1q for encap trunking. I can post the configs when i extract them.

Do both vlans need to be assigned manual default gateways on the switch? According to the example from cisco vlan 2 is not set to any default gateway but vlan 1 was....just a thought.

Setotek

I also added the exceptions for incoming echo requests. The router can ping both workstations on the diff subnets but cannot ping the vlans.

your can ping both machines from the router now?

What do you mean you can't ping the vlans??? the vlan interfaces??? More info please

Can you ping through to each devices..... If windows firewall is turned off you won't need to add manual exceptions for icmp it will be allowed....

When im logged into the router, I can only ping from the router to each workstation but not from workstation to workstation. I also, cannot ping the vlan interfaces which has assigned ip addresses. I hope i clarified myself.

sub-ifs\vlan interfaces cannot be pinged from the router or you mean from the workstations?

Lets start from the beginning shall we....

1) interfaces specified on the router for each vlan... with dot1q encapsulation configured for each (eg encapsulation dot1q 2 = VLAN2)

2) Switchport connecting to router is configured as a trunk port to allow all vlan traffic and if necessary trunk encapsulation is set to dot1q (2950 switches only support dot1q.... Whereas some models support dot1q and isl)

2) On your switch\switches you have created a vtp domain or transparent modes containing vlans that have interfaces configured on the router... Each workstation connected to the switch must be assigned to one of these vlans. If VLAN 1 is used that leave the switchport access as default.

3)Ensure devices have been configured with correct ip addressing details for the configured VLAN....

4) ping gateway and ensure connectivity to other subnet devices\gateway

Switch config:

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW2
!
enable secret 5 $1$nOse$L7ZpjW1oABkbmf9nh9wF41
enable password ciscoadmin
!
ip subnet-zero
ip routing
!
vtp domain CCNA
vtp mode transparent
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan 2
!
!
interface FastEthernet0/1
no switchport
no ip address
shutdown
speed 100
duplex full
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode dynamic desirable
spanning-tree portfast

\\OMITTING ALL UNUSED PORTS
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
ip address 172.16.130.2 255.255.255.0
shutdown
!
interface Vlan2
ip address 172.16.140.2 255.255.255.0
shutdown
!
ip default-gateway 172.16.130.1
ip classless
ip http server
!
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end

Router config:

R1#show run
Building configuration...

Current configuration : 1344 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
logging queue-limit 100
enable secret 5 $1$cUyM$vNFS2KEfu1Ab2KpwYTjG/0
enable password ciscoadmin
!
ip subnet-zero
no ip routing
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
controller T1 0/0
framing sf
linecode ami
!
controller T1 0/1
framing sf
linecode ami
!
controller T1 0/3
framing sf
linecode ami
!
controller T1 0/2
framing sf
linecode ami
!
!
!
interface FastEthernet0/0
no ip address
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 172.16.130.1 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 172.16.140.1 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface FastEthernet0/1
ip address 172.16.120.205 255.255.255.0
no ip route-cache
no ip mroute-cache
duplex auto
speed 100
!
ip http server
ip classless
!
!
!
!
snmp-server community public RO
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end

APA, everything sounds correct according to your checklist. Please take a look at the config and let me know if there is anything wrong. Appreciate it greatly. Thanks.

Setotek

networker050184

Well your VLAN interfaces are shutdown which is why you can't ping them. YOu can only have one up at a time on the L2 switches.

Why have you got your access switchports in a mode where they can negotiate a trunk??
If the switchport is purely an access switchport always lock it in access mode with switchport mode access.

On your router the 'no ip routing' command looks suspicious this is telling me that inter-vlan routing will not take place or any routing for that matter...

On your router in global config mode please use the following command. --> ip routing (enter)

After you have completed this please test connectivity between vlans.... if all works then remember to write your config!!!

I'm going to bed I'll check this again tomorrow morning.... as I'm bound to have missed something being so tired!!

networker050184

Good catch on the no ip routing! I missed that. Need to be routing ip thats for sure...

BTW on your L2 switch you are only allowed one management ip address as the address is only there for management access and nothing else..... both of yours are currently shutdown.... choose which one you want to be active with the 'no shutdown' command.

Then remove the config of the vlan interface no longer needed on the l2 switch...... remember to configure the correct default gateway on the switch for the interface you keep to enable access from different subnets.

Now I'm off to bed.....

You guys are right on the following:

1. Vlan interfaces were shutdown on SW2 but i thought i configured them with a "no shutdown"...
2. Enabled ip routing on R1 and wrkstn 1 can ping wrkstn 2!!

3. FA0/2 on SW2 was set to switchport mode trunk bc that port is connected to R1's fa0/0 for vlan trunking.

Thanks everyone for their help. I should've came to you guys sooner rather than taking 2 days on my own to figure it out. It just gives me more experience i guess...hahaha

Setotek

What changes would I have to make if I were to throw in a 2nd switch and had each vlan on its own switch?

I believe its VTP to the rescue correct? have to assign vtp server and client and probably pruning so that each switch know the correct vlan config...

Would anyone want to shed some light on this? Thanks.

Setotek

itdaddy

vtp transparent mode can receive vlan information but will not send it on isnt that correct?
i would choose client and server vtp modes.. not transparent...
pruning isnt necessary on for to limit you to correct broadcasts..

just a thought....what do you guys think????

Well it looks like you've got inter-vlan routing going as long you have the no shut set on your SVI's (the VLAN1 and VLAN2 interfaces)

Let us know what kind of switch you have (probably at least a 3550 if you can do ip routing)

You'll need a second switch of course. Run a crossover cable between the two and make sure they are set to trunk.

The following is a good guide for setting up the VLANs for the newer switches

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swvlan.html

If your IOS is 12.0 or less, try this link:

http://www.cramsession.com/articles/files/vlan-basics---a-look-at-c-992003-0848.asp

Good luck

Netwurk,

I have a 3550 and a 2900XL for vlan trunking. I was able to set up trunking on the 2 ports for each switch but pruning was not working as I couldnt verify if the 2nd switch was updating itself...

I have the 3550 as the vtp server and the 2900 as the client. I configured a port on each for trunking with encap dot1q. I also used a crossover cable and set up a vlan 3 on the 3550 and turned on vtp pruning. I made sure the 3550 revision number was higher than the 2900. I waited for the default 5 mins for the 3550 to push out the info to the 2900 and nothing.

Any suggestions?

Setotek

Are the VTP domain names the same on both boxes?

VTP domain and password are the same on both ends including case sensitivity. Thanks.

cisco_trooper

Setotek wrote:

VTP domain and password are the same on both ends including case sensitivity. Thanks.

Make sure there isn't a space at the end of one of them....

darkuser

on some switches

sh vtp password

will actually show you what you have configured.
so there is no real security , just prevention from rouge or accidental devices joining the network.

networker050184

Ensure the interfaces are trunking. Try a show interface trunk.

darkuser

Configuring VTP and Virtual LANs

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_2/config/vlans.htm