
Routing and switching

nmwenda01
Level 1

Hi 

I have configured a Cisco 3850 to act as my core switch, which assigns DHCP in different VLANs. On the access switch I have a 2960X switch which I have configured to access one of the DHCP VLANs, VLAN 3. On the access switch and the 3850 I have created a trunk port and allowed all VLANs. Below is the configuration on the 3850.

My problem is from the access switch 2960x I cannot ping the core switch but when connected to the switch in a machine I can telnet to the core switch. The core switch is receiving internet but the users on the access cannot access Internet. 

3850

Inter vlan policy ascending

ip dhcp pool vlan2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254 255.255.255.0
 dns-server 192.168.0.1 8.8.8.8
!
ip dhcp pool vlan3
 network 192.168.3.0 255.255.255.0
 default-router 192.168.1.1 255.255.255.0
 dns-server 8.8.8.8
IP route 0.0.0.0 0.0.0.0 192.168.10.1
interface Vlan1               
 no ip address              
! 
interface Vlan2               
 ip address 192.168.2.254 255.255.255.0                                       
 shutdown
! 
interface Vlan3               
 ip address 192.168.1.1 255.255.255.0 

Interface gigabitethernet 1/0/1
No switch port
IP address 192.168.10.1

Interface gigabitethernet 1/0/3
Switch port mode trunk
Switch port trunk allowed vlan all
!
ip forward-protocol nd
no ip http server
ip http authentication local
Router eigrp 1
Network 192.168.0.0
Redistribute connected
Stub summary
Passive interface default
No passive interface gigabit ether net 1/0/1

On the access switch 2960x

Interface gigabitethernet 1/0/49
Switchport mode trunk
Switchport trunk allowed vlan all

Interface gigabitethernet 1/0/1 -1/0/48
Switchport mode access
Switchport access vlan 3

Accepted Solutions

What is the device with the address 192.168.10.1 that is connected to gi1/0/1 with the routed port? Does it have routes back to the other 192.168.0.0 networks you have? Sounds like it doesn't and only knows about its directly connected interfaces


Hello

One thing I have noticed is that if I do a tracert from my PC, it reaches the default gateway 192.168.1.1, then it doesn't know where to take the traffic, so I think the 3850 might be the one with an issue.

3860 has these L3 interfaces with a default next hop of 192.168.10.1

interface Vlan2
ip address 192.168.2.254 255.255.255.0

interface Vlan3
ip address 192.168.1.1 255.255.255.0

interface Vlan10
ip address 192.168.0.1 255.255.255.0

interface GigabitEthernet1/0/1
ip address 192.168.10.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.10.1

2960 - 
interface Vlan100
ip address 192.168.100.2 255.255.255.0
ip default-gateway 192.168.10.2

ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 192.168.0.0 255.255.0.0 192.168.10.2

Disable ip routing on the 2960 and make sure the L2 switch has L2 vlan connectivity back to the core.
For mgt purposes, remove that vlan 100 on the 2960 and put that switch into one of the vlans configured on the 3860.

On 2960
no ip routing
no interface Vlan100

int vlan 3
ip address 192.168.1.xx

Ip default-gateway 192.168.1.1

vlan 2,3,10
exit

As for internet reachability, this all depends on how users in your 3 vlans are being dealt with by your next-hop device. The reason you have internet from the 3850 is that switch has a connected interface to the next-hop device - 192.168.10.1

res
Paul





29 Replies

GRANT3779
Spotlight

Hi,

It would help to see all the configs, or I would be basing a lot on assumptions.

On the 2960x switch itself - Do you have a virtual interface/ip configured on it which is reachable from the core?

Sounds possible that you have not enabled the command ip routing on the 3850 switch but only a guess based on the available info.

Hi Grant,

No virtual interface is set on the 2960.

Below is the whole config on 3850:

Building configuration...

Current configuration : 5605 bytes
!
! Last configuration change at 15:29:22 UTC Sat Jul 22 2017
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname CORE_SWITCH
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password 7 02351D481F030201494D05160304071B1C0B383F
!
no aaa new-model
switch 1 provision ws-c3850-12s
!
!
!
!
!
ip routing
!
no ip domain-lookup
ip dhcp conflict resolution
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.1.251
ip dhcp excluded-address 192.168.1.252
ip dhcp excluded-address 192.168.1.253
ip dhcp excluded-address 192.168.1.250
ip dhcp excluded-address 192.168.1.245 192.168.1.250
!
ip dhcp pool vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254 255.255.255.0
dns-server 41.203.208.18 41.203.208.19 8.8.8.8
!
ip dhcp pool vlan3
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 41.203.208.18 8.8.8.8
!
ip dhcp pool vlan10
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 41.203.208.18 41.203.208.19 8.8.8.8
!
!
qos queue-softmax-multiplier 100
!
crypto pki trustpoint TP-self-signed-1196880361
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1196880361
revocation-check none
rsakeypair TP-self-signed-1196880361

diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.10.2 255.255.255.0
ip nat outside
!
interface GigabitEthernet1/0/2
switchport mode trunk
!
interface GigabitEthernet1/0/3
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport mode trunk
!
interface GigabitEthernet1/0/5
switchport mode trunk
!
interface GigabitEthernet1/0/6
switchport mode trunk
!
interface GigabitEthernet1/0/7
switchport mode trunk
!
interface GigabitEthernet1/0/8
switchport mode trunk
!
interface GigabitEthernet1/0/9
switchport mode trunk
!
interface GigabitEthernet1/0/10
switchport mode trunk
!
interface GigabitEthernet1/0/11
switchport mode trunk
!
interface GigabitEthernet1/0/12
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.254 255.255.255.0
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.0.1 255.255.255.0
!
!
router eigrp 1
network 192.168.0.0
redistribute connected
passive-interface default
no passive-interface GigabitEthernet1/0/1
eigrp stub connected summary
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
ip access-list extended VLAN3
permit udp any any eq 5060
permit udp any host 192.168.0.10 eq 5060
!
!
!
!
line con 0
password 7 14341D051F0B262E042D30392D1514031311594B4C
logging synchronous
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 1331121E0509100A2E27243C33310617060C1342
login
line vty 5 15
password 7 03305E07080A356C4B0A150A11011E1C14253930
login
!
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group
end

Below is for the access switch:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ACCESS_SWITCH1
!
boot-start-marker
boot-end-marker
!
enable password 7 03374218120A2C6C4B0A150A11011E1C14253930
!
no aaa new-model
switch 1 provision ws-c2960x-48lps-l
ip routing
!
!
no ip domain-lookup
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3520341632
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3520341632
revocation-check none
rsakeypair TP-self-signed-3520341632
!
!

spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!

!
interface GigabitEthernet1/0/1 -1/0/48
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/49
description CONNECTION TO CORE SWITCH
switchport mode trunk
!
interface GigabitEthernet1/0/50
switchport mode trunk
!
interface GigabitEthernet1/0/51
switchport mode trunk
!
interface GigabitEthernet1/0/52
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 192.168.100.2 255.255.255.0
!
ip default-gateway 192.168.10.2
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 192.168.0.0 255.255.0.0 192.168.10.2
!
!
!
!
line con 0
password 7 0625002F5F41051C251211070302393E34383C2736
logging synchronous
login
line vty 0 4
password 7 1423170702013E0B212B3F3A24001206130E444D
login
line vty 5 15
password 7 073B2440400C0D251211070302393E34383C2736
login
!
end

On the 2960 -  you have vlan 100 interface in the 192.169.100.x network, which is what will be used as source when trying to reach anything physically from the switch itself. E.G if you were telnet/ssh on. 

You have the ip default-gateway command pointing to 192.168.10.1. How does the switch know how to get there? If the 3850 is to be the gateway for management based traffic for the 2960 then it will need either an address on the 192.168.10.x network or you need to create another SVI on the 3850 for vlan 100 and then point the ip default-gateway on the 2960 to this.

I also see some layer 3 config on the 2960 which is not required if it is being used for access layer.

With regards to NAT, I don't think the 3850 can support NAT, although the commands are available. 
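
The check described in the reply above (a default gateway or static-route next hop has to sit on a subnet the switch is directly connected to) can be run mechanically against a config. This is an added example, not part of the original thread: the function names are hypothetical, the sample is the Layer 3 portion of the 2960X config posted above, and only the `ip default-gateway` and plain `ip route <net> <mask> <next-hop>` forms seen on this page are handled.

```python
import ipaddress
import re

# Constructed sample: the Layer 3 lines of the 2960X config posted in this thread.
ACCESS_SWITCH_CONFIG = """\
ip routing
interface Vlan1
 no ip address
 shutdown
interface Vlan100
 ip address 192.168.100.2 255.255.255.0
ip default-gateway 192.168.10.2
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 192.168.0.0 255.255.0.0 192.168.10.2
"""

def connected_networks(config):
    """Return the subnets of interfaces that have an IP address and are not shut down."""
    nets = []
    # Split the text so each chunk starts at an "interface ..." line.
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        addr = re.search(r"^ ip address (\S+) (\S+)", block, flags=re.M)
        shut = re.search(r"^ shutdown", block, flags=re.M)
        if block.startswith("interface ") and addr and not shut:
            iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
            nets.append(iface.network)
    return nets

def unreachable_next_hops(config):
    """List (config line, next hop) pairs whose next hop is on no connected subnet."""
    nets = connected_networks(config)
    problems = []
    for line in config.splitlines():
        m = re.match(r"ip (?:default-gateway|route \S+ \S+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m and not any(ipaddress.ip_address(m.group(1)) in n for n in nets):
            problems.append((line, m.group(1)))
    return problems

if __name__ == "__main__":
    for line, hop in unreachable_next_hops(ACCESS_SWITCH_CONFIG):
        print(f"next hop {hop} is not on a connected subnet: {line}")
```

On the posted config all three next-hop lines are flagged, because the only active Layer 3 interface is Vlan100 in 192.168.100.0/24.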

Weird thing is, from my PC connected to the machine I can ping the core switch and telnet to it. I cannot, however, get internet. But from the core switch I can get to any internet service. Also, from the access switch I cannot ping any machine connected directly to the ports, but from the core switch I can ping anyone.

Your PCs have a gateway which is one of the SVIs on the core switch, so they can reach it, and you're essentially a directly connected network in the eyes of the core switch. This is why you can telnet/ping it from a PC.

From the 2960 itself, you won't be able to ping anything with the current setup. The default gateway for the 2960 needs to point to either a newly created SVI on the same address space, e.g on the 3850

int vlan 100

ip address 192.168.100.1 255.255.255.0

on 2960

ip default-gateway 192.168.100.1

Regarding Internet - what device is doing all your NATing? What hangs off gi1/0/1?

If the 3850 is not doing the actual NAT then try adding the following commands under your vlan interfaces

ip nat inside

Hi Grant,

I have changed to all this. When I try to ping from the 2960 it says "Unrecognized host or address, or protocol not running". What could I be missing?

Also, from the core switch with the new SVI 100 I am unable to reach 192.168.10.1 from the PC.

What is output of

show ip int brief 

on the 2960?

The interfaces are up and protocol is up

You may need to create vlan 100 on the 2960 if it is not already there.

Show vlan

is 100 there?

Yes, vlan 100 is there and active, though no ports are assigned to it.

If it is allowed over the trunk then it should be OK. Don't need ports assigned to it as such.

show int trunk

ACCESS_SWITCH1#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/49    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/49    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/49    1-3,10,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/49    1-3,10,100

One thing I have noticed is that if I do a tracert from my PC, it reaches the default gateway 192.168.1.1, then it doesn't know where to take the traffic, so I think the 3850 might be the one with an issue.
