What am I Missing?!?!

peanutnoggin Member Posts: 1,096
I'm finally motivated to get back into my studies for the CCNA:Security after a couple of months off due to conditions beyond my control... but I ran into a slight issue. In my lab, I'm able to ping from my client to the router and vice versa, but I cannot ping the switch from either the client or the router. My setup is as such: client -->fa0/4-- switch --> trunk port (fa0/12)-- router. I've posted the configs. I can ping from 205.50.5.150 (client) to 205.50.5.1 (router's sub-if). But I cannot ping 205.50.5.2 (switch's interface vlan) from either the router or the client. I'm obviously overlooking something... Any help would be greatly appreciated.

Here's the output of "show run" from the router:
version 12.4
parser config cache interface
parser config interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HOUSTON
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging buffered 4096 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication fail-message ^C
INCORRECT PASSWORD. THIS INCIDENT HAS BEEN LOGGED.
IF YOU ARE UNAUTHORIZED TO ACCESS THIS DEVICE.
DO NOT ATTEMPT TO LOGON.
^C
aaa authentication login default local enable none
aaa authentication login console-in local line
aaa authentication login vty-in local line
aaa authentication enable default enable
!
!
aaa session-id common
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name TEXAS.US
login block-for 30 attempts 3 within 30
login delay 3
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1227836561
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1227836561
 revocation-check none
 rsakeypair TP-self-signed-1227836561
!
!
crypto pki certificate chain TP-self-signed-1227836561
 certificate self-signed 01
        quit
!
!
username me privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
!
!
ip ssh time-out 30
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed 100
 no keepalive
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 205.50.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 205.50.6.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/0.7
 encapsulation dot1Q 7
 ip address 205.50.7.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/0.900
 encapsulation dot1Q 900 native
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no fair-queue
!
interface Serial1/0
 description \\WAN CONNECTION//
 ip address 193.17.1.2 255.255.255.252
 ip access-group 111 in
 ip access-group 111 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip summary-address eigrp 500 205.50.0.0 255.255.240.0 5
!
router eigrp 500
 network 193.17.1.0 0.0.0.3
 network 205.50.0.0 0.0.15.255
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
ip http secure-server
!
!
logging trap warnings
logging 205.50.5.150
access-list 111 remark DENY PRIVATE IP ADDRESSES
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^C
BLAH BLAH BLAH
^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 xxxxxx
 logging synchronous
 login authentication console-in
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password 7 xxxxxx
 logging synchronous
 login authentication vty-in
 transport input telnet ssh
!
sntp server 205.50.5.150
end

and now the output from the switch:
version 12.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname TX_SW1
!
logging console notifications
enable secret 5 xxxxxxxxxxxxxxxxxx
!
ip subnet-zero
!
ip domain-name TX.US
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/9
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/10
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/11
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/12
 switchport mode trunk
!
interface Vlan1
 ip address 205.50.5.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 205.50.5.1
ip http server
!
logging 205.50.5.150
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 xxxxxx
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password 7 xxxxxx
 logging synchronous
 login
line vty 5 15
 login
!
ntp server 205.50.5.150
end
We cannot have a superior democracy with an inferior education system!

-Mayor Cory Booker

Comments

  • mikem2te Member Posts: 407
    Ok, I think I see why it won't ping the switch.

    Your 205.50.5.x network is configured for vlan 5, all your access points are on vlan 5 and your router has an interface on this network for vlan 5. All pings are fine.

    The switch on the other hand has an interface configured for this network BUT is on vlan 1
    interface Vlan1
     ip address 205.50.5.2 255.255.255.0
     no ip route-cache
    

    The traffic cannot pass from vlan 5 to 1 without a layer three device (router on a stick) so I guess you could add vlan 1 to your router using a 205.50.1.x range and change the vlan 1 interface on the switch to the same range. Should work then.

    Alternatively it should be possible to shut down the vlan 1 interface on the switch and create a vlan 5 interface instead on the 205.50.5 range. All devices are then on the same vlan
    Blog : http://www.caerffili.co.uk/

    Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
    Currently : EIGRP & OSPF
    Next : CCNP Route
  • peanutnoggin Member Posts: 1,096
    mikem2te wrote: »
    Ok, I think I see why it won't ping the switch.

    The traffic cannot pass from vlan 5 to 1 without a layer three device (router on a stick) so I guess you could add vlan 1 to your router using a 205.50.1.x range and change the vlan 1 interface on the switch to the same range. Should work then.

    Alternatively it should be possible to shut down the vlan 1 interface on the switch and create a vlan 5 interface instead on the 205.50.5 range. All devices are then on the same vlan

    Mike,

    I had tried that before and that didn't work. I just tried it again to be sure. I added Fa0/0.1 with an ip of 205.50.1.1/24 and changed interface vlan 1 to 205.50.1.2/24

    I still had no luck. I'm thinking that it had something to do with the native vlan... I changed the native vlan from 5 (which all my ports were on) to 900 after reading about moving all clients from the native vlan of 1. That's when I think my problems began. Prior to moving the native vlans... I hadn't tried to ping the switch before, so I'm not sure if some of the security settings that I ran affected the ping to the switch in any way or what.

    Correct me if I'm wrong please... The native vlan should be a vlan with no clients on it correct? I changed my native vlan on the router to vlan 900 so that any packets on the 900 vlan would be untagged. Now on my switch, I haven't set the native vlan to anything. Shouldn't I have received a native vlan mismatch?

    Thanks for the assistance... any other ideas, I'm more than happy to try.

    ~Peanut
  • peanutnoggin Member Posts: 1,096
    Okay... I got it worked out... just removed the native vlan 900 from interface fa0/0.900 and now all is well. So my next question is... if I wanted my native vlan to be something other than vlan 1 (which it's currently set back to)... then what do I do? Thanks.

    ~Peanut