Router on a Stick Problem

krjay Member Posts: 290
I'm having a bit of trouble getting 2 devices to communicate with a router on a stick setup. In short I have a 3825 router, and a 3550 switch.

The switch has a trunk from f0/24 to g0/0 on the router.
The switch has an IP camera on f0/1. (192.168.2.2)
The switch has a laptop on f0/13. (192.168.10.2)

Router:
interface GigabitEthernet0/0
 description LAN
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !        
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 no cdp enable
!

On the switch:
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 10

From the laptop I can ping both sub interfaces, and I can ping the camera. However, I cannot access the web interface of the camera. Is there a reason pings would work, but no other protocol? I should be able to telnet to it as well, but that doesn't work either. I can confirm the web interface and telnet are working: if I put both the laptop and camera in the same subnet and VLAN, I can access both just fine.
2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]

Comments

  • jamthat Member Posts: 304
    Do you have any routing protocols or static routes defined?
  • networker050184 Mod Posts: 11,962
    My first thought is gateways set incorrectly since everything works when on the same subnet but not different subnets.
    An expert is a man who has made all the mistakes which can be made.
  • Legacy User Unregistered / Not Logged In Posts: 0
    Did you assign an ip address to vlan 2 and 10? Such as 192.168.2.254 for vlan 2 and 192.168.10.254 for vlan 10?
  • krjay Member Posts: 290
    networker050184 wrote: »
    My first thought is gateways set incorrectly since everything works when on the same subnet but not different subnets.

    Why do the pings work when the devices are on different subnets?

    Legacy User wrote: »
    Did you assign an ip address to vlan 2 and 10? Such as 192.168.2.254 for vlan 2 and 192.168.10.254 for vlan 10?

    Not sure what you mean. On the sub interfaces?

    jamthat wrote: »
    Do you have any routing protocols or static routes defined?

    No routing protocol, and just the connected routes. I haven't defined any static routes.
    2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]
  • Legacy User Unregistered / Not Logged In Posts: 0
    I'm going by the configs you have posted previously. Did you assign an ip address on the vlan interfaces on the switch?
  • krjay Member Posts: 290
    interface vlan1 on the switch has 192.168.2.10 so I could access it via the laptop. It shouldn't need IP addresses on both VLANs for anything unless it was the gateway, unless I'm mistaken.
    2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]
  • Legacy User Unregistered / Not Logged In Posts: 0
    Ok, do me a favor and copy and paste the show vlan brief and sh ip int brief both from the switch.
  • Legacy User Unregistered / Not Logged In Posts: 0
    I'm cutting out at 5 from work so I won't be on later if you post the configs. But you would need to assign an ip address for vlan 10 and 2. Remove the ip address from vlan 1. Since you have set the encap dot1q on the router to vlans 10 and 2, those are the vlans that the sub-interfaces are connected to.

    Also not sure if you've done it already, but on the switch interface connected to the router make sure it's configured as a trunk.

    int f0/24
    switchport trunk encapsulation dot1q
    switchport mode trunk
  • networker050184 Mod Posts: 11,962
    Sorry missed the ping working part. Most likely some software firewalling issue I'd think at this point. Any settings on the camera you are missing?

    dmarcisco - You can use VLAN 1 (or whatever your native VLAN is on the trunk) address with the IPs on the main interface on the router. So VLAN 1 would need an address out of the subnet on there. Regardless that shouldn't prevent this from working.
    An expert is a man who has made all the mistakes which can be made.
  • Legacy User Unregistered / Not Logged In Posts: 0
    Yea missed the pinging part as well. If it's a home lab try to disable the pc firewall and see if anything changes.

    @networker True.. but when I do router on a stick I like to add ip addresses to the vlan interfaces to avoid confusion of what's supposed to go where. Whatever works to get the job done.
  • theodoxa Member Posts: 1,340
    I'm not sure if this holds true for Router on a stick also, but I seem to remember reading that for Frame Relay if you assign an IP Address to the physical interface that it will break any subinterfaces you have configured.

    [EDIT] That doesn't seem to explain the ping issue though. My first thought when one protocol works and another doesn't would be a misconfigured Access Control List.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • krjay Member Posts: 290
    I used another device (temperature sensor) that had both a web interface and was pingable. Same symptoms. I can telnet, ssh and view it via http when it's on a trunk, but I can only ping it when I throw the VLANs back in. I was thinking about the ACL but I don't currently have any ACLs denying anything, do I need to explicitly allow port 80 with an ACL for http to work? I was going to throw together an actual web server to verify but I'm pretty sure the web interface on these devices is the equivalent
    2014 Certification Goals: 70-410 [ ] CCNA:S [ ] Linux+ [ ]
  • DCD Member Posts: 473
    @krjay can you supply the interface F0/24 config and a copy of the IP camera's IP address, subnet mask and default gateway? And any access-list that you have on the router. Also, do you have a firewall on the router itself?


    And a Show Vlan info and which port the camera is on and show interface trunk.
  • snadam Member Posts: 2,234
    networker050184 wrote: »
    Any settings on the camera you are missing?

    I'm thinking the same thing. Sometimes the IP camera's management port has some sort of "remote access option" (e.g. accessing it outside of its own network) that you may have to enable. Not sure if this one does, but worth a shot?
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • theodoxa Member Posts: 1,340
    krjay wrote: »
    do I need to explicitly allow port 80 with an ACL for http to work?

    Yes and No. ACLs contain an implicit deny any at the end. That means if an ACL is applied anywhere in between it would block any traffic not explicitly permitted. For example, if you wanted to deny certain traffic, but permit everything else:

    access-list 101 deny udp any 192.168.0.0 0.0.0.255 eq 53
    access-list 101 permit ip any any

    Without that last line, the ACL would effectively deny all traffic.

    OTOH, if you only wanted to permit specific traffic:

    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80

    would allow any host on the 192.168.1.0/24 network to access any host/server on any destination network as long as it was using TCP port 80. All other traffic would be blocked.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
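
Added example (not part of the thread or any poster's code): a small Python evaluator for the subset of extended-ACL syntax used in the post above, showing first-match evaluation, wildcard masks and the implicit deny. `ICMP_ONLY` is a constructed ACL, not one from krjay's router, showing how a filter can pass ping while dropping HTTP and telnet between the laptop and camera addresses from the thread.

```python
import ipaddress

def _addr(tokens):
    """Consume 'any' or 'address wildcard'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' (subset of IOS syntax)."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None  # destination port
    return action, proto, src, dst, port

def addr_match(ip, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching line); first match wins, no match is the implicit deny."""
    for line in acl:
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if not (addr_match(src, a_src) and addr_match(dst, a_dst)):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, line
    return "deny", "implicit deny any"

# The two ACLs quoted in the post above
DENY_DNS = [
    "access-list 101 deny udp any 192.168.0.0 0.0.0.255 eq 53",
    "access-list 101 permit ip any any",
]
HTTP_ONLY = ["access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80"]
# Constructed for illustration (assumption, not from the thread's router config)
ICMP_ONLY = ["access-list 110 permit icmp any any"]

if __name__ == "__main__":
    # Laptop 192.168.10.2 -> camera 192.168.2.2: ping, HTTP, telnet
    for proto, port in (("icmp", None), ("tcp", 80), ("tcp", 23)):
        print(proto, port, evaluate(ICMP_ONLY, proto, "192.168.10.2", "192.168.2.2", port))
```

Comparing the matching line in each result against `show access-lists` hit counters on the router is a quick way to confirm which entry, or the implicit deny, is dropping a flow.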