Layer 3 switching screwing with me...

Morty3 Member Posts: 139
I simply can't get this. This is my scenario: A 3560 with a couple of VLANs should have restricted access between the VLANs but free access to the Internet. But, before I should do the restrictions I noticed that routing only works between VLANs, not to the Internet. The 3560 can ping the Internet, and every SVI ofc. From one VLAN I can ping the other SVIs (ofc only when they are up), but somehow the SVIs don't know how to route to the Internet, even though my default route tells them how to. How do I solve this? Maybe I'm supposed to make the port that goes to the router an L3 port?

Here are some pics to make it easier to understand. Config at bottom.

The Scenario:
thenet.jpg
Sh ip cef
thenetshipcef.jpg
sh ip route
thenetshiproute.jpg

Config: (Sorry it's so damn long ;P)
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone Secret ;) 1
system mtu routing 1500
vtp interface fastethernet0/9
ip subnet-zero
ip routing
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip name-server 4.2.2.3
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 192.168.10.1 192.168.10.25
ip dhcp excluded-address 192.168.30.1 192.168.30.25
ip dhcp excluded-address 192.168.20.1 192.168.20.25
ip dhcp excluded-address 192.168.100.0 192.168.100.25
ip dhcp excluded-address 192.168.200.0 192.168.200.25
!
ip dhcp pool scope1
network 192.168.10.0 255.255.255.0
dns-server 4.2.2.2
default-router 192.168.10.254
lease 3
!
ip dhcp pool scope2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
dns-server 4.2.2.2
lease 3
!
ip dhcp pool scope3
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
dns-server 4.2.2.2
lease 3
!
ip dhcp pool PUBLIC_WIFI
network 192.168.200.0 255.255.255.0
default-router 192.168.200.254
dns-server 4.2.2.2
lease 0 1
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
description LINK TO ISA AND WAN
!
interface FastEthernet0/2
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
description PORTS TO a LAN
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
switchport mode access
!
interface FastEthernet0/5
description LINK TO a LAN
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/6
switchport mode access
!
interface FastEthernet0/7
description LINK TO a LAN
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 100
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1
!
interface Vlan1
ip address 192.168.0.254 255.255.255.0
!
interface Vlan10
ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
ip address 192.168.20.254 255.255.255.0
!
interface Vlan30
ip address 192.168.30.254 255.255.255.0
!
interface Vlan100
ip address 192.168.100.254 255.255.255.0
!
interface Vlan200
ip address 192.168.200.254 255.255.255.0
!
!
router eigrp 1
eigrp stub connected summary
network 192.168.1.0
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
network 192.168.100.0
network 192.168.200.0
!
ip default-gateway 192.168.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
!
!
control-plane
!
!
line con 0
exec-timeout 999 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
!
end
CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.

Comments

    ColbyG Member Posts: 1,264
    What's the config on the router look like? Where does your traceroute die?
    Morty3 Member Posts: 139
    The router is just a linksys wrt54 with DDWRT running. Traceroute dies in the switch, reaches the first SVI then dies.
    ColbyG Member Posts: 1,264
    Can you ping the router from your host? It sounds to me like your Linksys doesn't have routes back to VLAN 10. Have you manually input the routes in the Linksys? An easy way to test this is to ping the Linksys using your SVI as the source.
    Morty3 Member Posts: 139
    From the 3560 I can ping to the Internet. From the host, I can't. So I know for sure that the Internet connection works, and that I do in fact have connectivity between my devices (and the Internet).

    aping.jpg
    ColbyG Member Posts: 1,264
    The IP you're pinging from is known to the router (192.168.0.254), it is directly connected. Please try what I said, do this:

    ping 4.2.2.2 source vlan 10
    Morty3 Member Posts: 139
    Whoa, it seems like you nailed the problem.

    anotherping.jpg

    So, the l3-switching is not screwing with me...

    I'll do a traceroute in a sec as well.
    ColbyG Member Posts: 1,264
    You need to go on the Linksys and enter the routes to your networks behind the L3 switch with .0.254 as the next hop. Or you could run RIP between the switch and the Linksys; DDWRT should support RIP, IIRC.
    Morty3 Member Posts: 139
    atraceroute.jpg

    Hm nice...
    Morty3 Member Posts: 139
    "OH PLEASE" was what I thought when I did a few tests this morning. I pinged between the .10, .20 and .30 VLANs without any trouble, but from the .0 VLAN I could not ping the other VLANs. Here is a traceroute from 0.140 (me) to .10.29 (host on that VLAN). Pinging 10.254 (SVI) works.

    afailedtracert.jpg

    WHY THE HELL does it send the .10.x packets to the default gateway?? The routing table entries are there...

    I removed the EIGRP process from the switch btw. Shouldn't matter, the SVIs are connected and routed between freely.
    ColbyG Member Posts: 1,264
    Ok, so you're on the .0 VLAN and you can't ping any other VLANs? But you can ping the VLAN 10 SVI? What is your default gateway on the host you're pinging from?
    Morty3 Member Posts: 139
    Default gateway on the host on the .0 net: 192.168.0.254 (all SVIs are .254). The switch got a def. route to 0.1, the router.

    How can this happen? Really, now the l3-switching is screwing with me...
    Morty3 Member Posts: 139
    Morty3 wrote: »
    "OH PLEASE" was what I thought when I did a few tests this morning. I pinged between the .10, .20 and .30 VLANs without any trouble, but from the .0 VLAN I could not ping the other VLANs. Here is a traceroute from 0.140 (me) to .10.29 (host on that VLAN). Pinging 10.254 (SVI) works.

    afailedtracert.jpg

    WHY THE HELL does it send the .10.x packets to the default gateway?? The routing table entries are there...

    I removed the EIGRP process from the switch btw. Shouldn't matter, the SVIs are connected and routed between freely.

    This info ain't correct! This traceroute goes to the SVI, the ping to the host on this subnet failed and so did the ping to the SVI (obviously, from the pic).
    ColbyG Member Posts: 1,264
    It looks like your default gateway is the Linksys, not the L3 switch. Are you sure it's pointing to .0.254? Can you verify your route entries in the Linksys, maybe post some screenshots?
    Morty3 Member Posts: 139
    I found the issue. The Linksys is a DHCP server as well, and I get my address from him. And ofc the DG is 0.1 then! Haha!

    Tell me, you got kinda confused by this one as well?
    ColbyG Member Posts: 1,264
    I got confused cause you kept posting the wrong info, hahah.

    For these situations you need a very solid understanding of the basics. You just sit back for a second and check things off in your head. Here was my thought process:

    1. I thought your router was Cisco as well, which made me think of a NAT issue.
    2. After finding out that it was a Linksys and that your traceroute died after the L3, it seemed very likely that the router didn't have routes back to the VLANs.

    The next thing seemed like more routing with the Linksys and confusion about which device was the DG.

    The hardest part of this was trying to convince you to try what I'm asking and not act like I'm a tard, lol.
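To make the two findings in this thread concrete, here is a constructed longest-prefix-match walk of the topology (added example, not code from the thread or from either poster): the Linksys needs return routes for the VLAN subnets via .0.254, and a host whose DHCP lease came from the Linksys hands VLAN 10 traffic to .0.1 instead of the switch. Device names, the routing tables and the "isp" upstream are assumptions based on the posts.

```python
import ipaddress

# Constructed model of the thread's topology (an assumption, not from the post):
# VLANs 192.168.{0,10,20,30}.0/24 hang off the 3560 (SVIs are .254); the Linksys
# is 192.168.0.1 and holds the only route upstream ("isp"). A table is a list of
# (prefix, next_hop) entries; next_hop None means directly connected.
def table(*entries):
    return [(ipaddress.ip_network(p), nh) for p, nh in entries]

SWITCH = table(("192.168.0.0/24", None), ("192.168.10.0/24", None),
               ("192.168.20.0/24", None), ("192.168.30.0/24", None),
               ("0.0.0.0/0", "192.168.0.1"))
# As in the thread: the Linksys knows only its own LAN plus a default route.
LINKSYS_BROKEN = table(("192.168.0.0/24", None), ("0.0.0.0/0", "isp"))
# ColbyG's fix: static routes for the VLANs with the switch's .0.254 as next hop.
LINKSYS_FIXED = table(("192.168.10.0/24", "192.168.0.254"),
                      ("192.168.20.0/24", "192.168.0.254"),
                      ("192.168.30.0/24", "192.168.0.254")) + LINKSYS_BROKEN
ISP = table(("4.2.2.2/32", None))   # upstream has no route to RFC 1918 space
OWNER = {"192.168.0.1": "linksys", "192.168.0.254": "switch", "isp": "isp"}

def next_hop(tbl, dst):
    """Longest-prefix match: None = no route, 'connected' = deliver on-link."""
    dst = ipaddress.ip_address(dst)
    cands = [e for e in tbl if dst in e[0]]
    if not cands:
        return None
    return max(cands, key=lambda e: e[0].prefixlen)[1] or "connected"

def trace(devices, start, dst):
    """Walk the packet device by device; the last element is the verdict."""
    path, dev = [], start
    while dev is not None and dev not in path:   # a revisit would be a loop
        path.append(dev)
        nh = next_hop(devices[dev], dst)
        if nh == "connected":
            return path + ["delivered"]
        dev = OWNER.get(nh) if nh else None
    return path + ["dropped"]

def lab(linksys, host_gw):
    """Device set for one scenario: a Linksys table and the host's gateway."""
    return {"host": table(("192.168.0.0/24", None), ("0.0.0.0/0", host_gw)),
            "switch": SWITCH, "linksys": linksys, "isp": ISP}

if __name__ == "__main__":
    # Reply to 'ping 4.2.2.2 source vlan 10' arriving back at the Linksys
    print(trace(lab(LINKSYS_BROKEN, "192.168.0.1"), "linksys", "192.168.10.254"))
    print(trace(lab(LINKSYS_FIXED, "192.168.0.1"), "linksys", "192.168.10.254"))
    # Host on VLAN 1 whose DHCP lease from the Linksys set its gateway to .0.1
    print(trace(lab(LINKSYS_BROKEN, "192.168.0.1"), "host", "192.168.10.29"))
    print(trace(lab(LINKSYS_BROKEN, "192.168.0.254"), "host", "192.168.10.29"))
```

A ping sourced from 192.168.0.254 succeeds even with the broken Linksys table because that address is on the Linksys's connected LAN, which is why the first test in the thread looked fine.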
    Morty3 Member Posts: 139
    Hehe yeah, I was totally working too fast for my own good. If I had just relaxed, I would probably have been able to see this as well... Not really CCNP-level topics ;)