
InterVLAN Routing - Can't ping between VLANs from the Catalysts


Tshikoyeni

Technical User
Mar 31, 2011
I have just started at my new employer's HQ, where I came to find a flat network with a subnet of 192.168.10.0/24 which was diminishing in IP addressing space. So what I did was to implement a router-on-a-stick setup with one router, five Cisco 2960 Catalysts, one per floor, and five subnets, one per switch per floor: 192.168.10-14.0/24.

The users in all five VLANs are able to access all network resources: email, internet, business system, etc. The problem I have is that I cannot ping any host in any VLAN when on any Catalyst.

But when I am on a host on VLAN 10 (192.168.10.0/24), I am able to ping all the hosts in the same VLAN as well as in all the other four VLANs. But when on a host on VLAN 11 (192.168.11.0/24), I can ping all hosts in the same VLAN but cannot ping all hosts in VLAN 10, which I am able to ping when on a host in VLAN 10.

I hope my scenario is comprehensive.

Please assist?
 
Try an extended ping where you can source your ping from an IP or interface.

Instead of typing ping x.x.x.x

just type ping and hit enter and it will walk you through questions. When you get to extended commands, type yes, and you can specify the source of your ping.
 
Is the source of the ping supposed to be the IP address of the Catalyst?
 
When pinging from the switch, make sure whatever device you are pinging has Windows Firewall off or you will never get a reply. Also make sure your Catalyst has the correct default gateway defined for the mgt. space address you have on the switch. If there is no gateway you won't be able to ping. For VLAN 11 I would check the PC NIC cards' default gateway setup and make sure they point to the router address for that VLAN. The 2960s should have an IP address and also a default gateway to be able to ping from the switch to clients.
 
As Vipergg is saying.
We need to know what the IP configuration of these switches is.
 
Like I said, I am able to ping all the hosts when in the subnet .10.0/24, so that tells me the firewalls are off and that the default gateway on the PC NIC is OK.

The mgt IP is not operational yet.

See config below:

RA-HQ4THFLR-S01>
RA-HQ4THFLR-S01>
RA-HQ4THFLR-S01>
RA-HQ4THFLR-S01>en
Password:
RA-HQ4THFLR-S01#sh conf
Using 5040 out of 65536 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RA-HQ4THFLR-S01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$qBfH$ao8UIdF1qgULjvjqgKz05/
!
no aaa new-model
clock timezone sa 2
system mtu routing 1500
ip subnet-zero
!
!
!
crypto pki trustpoint TP-self-signed-3569837568
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3569837568
revocation-check none
rsakeypair TP-self-signed-3569837568
!
!
crypto pki certificate chain TP-self-signed-3569837568
certificate self-signed 01 nvram:IOS-Self-Sig#3801.cer
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/2
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/3
description Justin PC0
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/4
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/5
description Justin PC2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/6
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/7
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/8
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/9
description Network Printer
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/10
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/11
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/12
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/13
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/14
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/15
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/16
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/17
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/18
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/19
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/20
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/21
description Justin PC1
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/22
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/23
description Felix PC0
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface FastEthernet0/24
description Link to PC
switchport access vlan 2
switchport mode access
switchport voice vlan 101
spanning-tree portfast
!
interface GigabitEthernet0/1
description Link to RA-SERVERFARM-S01
switchport mode trunk
speed 1000
duplex full
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan4
ip address 192.168.14.248 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.11.1
ip http server
ip http secure-server

!
control-plane
!
privilege exec level 0 show configuration
privilege exec level 0 show
privilege exec level 0 clear counters
privilege exec level 0 clear
!
line con 0
password job
line vty 0 4
exec-timeout 120 0
password Hedvig
login
transport preferred none
line vty 5 15
password justin
login
!
end

RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
 
Show your topology pls.

For CATs:

sh ip int brief | i up
sh vlan brief
sh int trunk
sh spanning-tree

For ROS:

sh run int f...(whatever the interface doing ROS)

Can switches ping themselves?

Are you using vlan 4 for management?
 
Your default gateway is not in a network on the switch. Given the IP and mask you have on vlan 4 one would expect your default gateway to be 192.168.14.1, and you'd have to have that gateway on that vlan somewhere.

If 192.168.11.1 is to be your gateway you need to have an interface on that network and on whatever vlan 11.1 is on.

What vlan is 11.1 on?

Do you have a router at 192.168.14.1? If so change your default gateway to 192.168.14.1
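
The check described in the reply above (the switch's ip default-gateway has to sit on the subnet of an addressed, active SVI) can be run mechanically against a saved config. This is an added example, not part of the original thread; the function names are illustrative, and the sample is an excerpt of the config posted earlier, with the suggested gateway swapped in for comparison.

```python
import ipaddress
import re

# Excerpt of the switch config posted in this thread (SVIs and gateway only).
POSTED = """\
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan4
 ip address 192.168.14.248 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.11.1
"""
# Same excerpt with the gateway suggested in the replies.
SUGGESTED = POSTED.replace("192.168.11.1", "192.168.14.1")


def parse_mgmt(config):
    """Return ({svi: IPv4Interface} for addressed, non-shutdown SVIs, gateway or None)."""
    svis, shut, gateway, current = {}, set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):            # block separator: leave interface context
            current = None
            continue
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:                            # only SVIs (interface VlanN) carry the mgmt IP
            current = m.group(1) if m.group(1).lower().startswith("vlan") else None
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current:
            svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "shutdown" and current:
            shut.add(current)
        m = re.match(r"ip default-gateway (\S+)$", line)
        if m and current is None:        # global command, not an interface sub-command
            gateway = ipaddress.ip_address(m.group(1))
    return {n: i for n, i in svis.items() if n not in shut}, gateway


def check_gateway(config):
    """Return (ok, message); ok is True when the gateway is on an active SVI subnet."""
    svis, gw = parse_mgmt(config)
    if gw is None:
        return False, "no ip default-gateway configured"
    for name, iface in svis.items():
        if gw in iface.network and gw != iface.ip:
            return True, f"{gw} is reachable via {name} ({iface.network})"
    nets = ", ".join(f"{n}={i.network}" for n, i in svis.items()) or "none"
    return False, f"{gw} is not on any addressed SVI subnet ({nets})"


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, check_gateway(cfg))
```

The parser accepts both indented configs and the flattened form pasted in the thread, because it tracks interface context by the "!" separators rather than by indentation.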

 
Cluebird, the switches cannot ping themselves. Yes, VLAN 4 is for management.

sweetrevelation, 11.1/0 is on VLAN 2, which is configured for this Cat, with the exception of some ports which I put into the native VLAN, which has 10.0/24.

The 192.168.14.0/24 is my mgt VLAN and it is VLAN 14. I have a subinterface on the router with a gateway of 14.1/24.

 
Pls post the output from the commands I previously listed.

I suspect you aren't identifying your vlan4 as the native vlan on the trunk link. Your default gateway for the switch should be on the same network as the Interface vlan4 you're using to manage the switches. That address should be the address on the router side. The router needs the native vlan on the main interface OR you can identify it as the native on a subinterface.

Additionally, the router should be attached to the switch that is the root bridge for your vlans.

Will give more when I see the output from the listed commands.
 

But one more thing: if I change the default gateway to 192.168.14.1, where will the traffic in VLAN 2 be forwarded to? This switch is on VLAN 2 and its subnet is 192.168.11.0/24, hence the default gateway of 192.168.11.1.

The thing here is I tried to separate the mgt VLAN from the servers and wkstn VLANs.

VLAN 4 with a subnet of 192.168.14.0/24 is not the native but the management. The native is VLAN 1 with a subnet of 192.168.10.0/24.


RA-HQ4THFLR-S01>
RA-HQ4THFLR-S01>
RA-HQ4THFLR-S01>
RA-HQ4THFLR-S01>en
Password:
RA-HQ4THFLR-S01#sh ip int br
Interface IP-Address OK? Method Status Protocol

Vlan1 unassigned YES NVRAM up up

Vlan4 192.168.14.248 YES NVRAM up up

FastEthernet0/1 unassigned YES unset down down

FastEthernet0/2 unassigned YES unset up up

FastEthernet0/3 unassigned YES unset down down

FastEthernet0/4 unassigned YES unset down down

FastEthernet0/5 unassigned YES unset up up

FastEthernet0/6 unassigned YES unset down down

FastEthernet0/7 unassigned YES unset up up

FastEthernet0/8 unassigned YES unset down down

FastEthernet0/9 unassigned YES unset down down

FastEthernet0/10 unassigned YES unset down down

FastEthernet0/11 unassigned YES unset up up

FastEthernet0/12 unassigned YES unset up up

FastEthernet0/13 unassigned YES unset down down

FastEthernet0/14 unassigned YES unset down down

FastEthernet0/15 unassigned YES unset down down

FastEthernet0/16 unassigned YES unset down down

FastEthernet0/17 unassigned YES unset down down

FastEthernet0/18 unassigned YES unset down down

FastEthernet0/19 unassigned YES unset up up

FastEthernet0/20 unassigned YES unset down down

FastEthernet0/21 unassigned YES unset up up

FastEthernet0/22 unassigned YES unset down down

FastEthernet0/23 unassigned YES unset up up

FastEthernet0/24 unassigned YES unset up up

GigabitEthernet0/1 unassigned YES unset up up

GigabitEthernet0/2 unassigned YES unset administratively down down

RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#sh vlan br

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/3, Fa0/5, Fa0/9, Fa0/19
Fa0/21, Fa0/23, Gi0/2
2 ICT active Fa0/1, Fa0/2, Fa0/4, Fa0/6
Fa0/7, Fa0/8, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/20
Fa0/22, Fa0/24
3 MAINTANANCE,HR,AUDIT,WHKREG active
4 MANAGEMENT active
101 VLAN0101 active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
RA-HQ4THFLR-S01#sh int trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/1 1-4094

Port Vlans allowed and active in management domain
Gi0/1 1-4,101

Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1-4,101
RA-HQ4THFLR-S01#sh spanning-tree

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32768
Address 000b.acda.cb40
Cost 23
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address a8b1.d4c7.6600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

Fa0/5 Desg FWD 100 128.5 P2p Edge
Fa0/19 Desg FWD 100 128.19 P2p Edge
Fa0/21 Desg FWD 19 128.21 P2p Edge
Fa0/23 Desg FWD 19 128.23 P2p Edge
Gi0/1 Root FWD 4 128.25 P2p


VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0019.3061.6e00
Cost 23
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address a8b1.d4c7.6600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

Fa0/2 Desg FWD 19 128.2 Shr Edge
Fa0/7 Desg FWD 19 128.7 P2p Edge
Fa0/11 Desg FWD 19 128.11 Shr Edge
Fa0/12 Desg FWD 19 128.12 P2p Edge
Fa0/24 Desg FWD 19 128.24 P2p Edge
Gi0/1 Root FWD 4 128.25 P2p


VLAN0003
Spanning tree enabled protocol ieee
Root ID Priority 32771
Address 0019.3061.6e00
Cost 23
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32771 (priority 32768 sys-id-ext 3)
Address a8b1.d4c7.6600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

Gi0/1 Root FWD 4 128.25 P2p


VLAN0004
Spanning tree enabled protocol ieee
Root ID Priority 32772
Address 0019.3061.6e00
Cost 23
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32772 (priority 32768 sys-id-ext 4)
Address a8b1.d4c7.6600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

Gi0/1 Root FWD 4 128.25 P2p


VLAN0101
Spanning tree enabled protocol ieee
Root ID Priority 32869
Address 0019.3061.6e00
Cost 23
Port 25 (GigabitEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32869 (priority 32768 sys-id-ext 101)
Address a8b1.d4c7.6600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------

Fa0/2 Desg FWD 19 128.2 Shr Edge
Fa0/5 Desg FWD 100 128.5 P2p Edge
Fa0/7 Desg FWD 19 128.7 P2p Edge
Fa0/11 Desg FWD 19 128.11 Shr Edge
Fa0/12 Desg FWD 19 128.12 P2p Edge
Fa0/19 Desg FWD 100 128.19 P2p Edge
Fa0/21 Desg FWD 19 128.21 P2p Edge
Fa0/23 Desg FWD 19 128.23 P2p Edge
Fa0/24 Desg FWD 19 128.24 P2p Edge
Gi0/1 Root FWD 4 128.25 P2p

RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#
RA-HQ4THFLR-S01#sh run int
% Incomplete command.

RA-HQ4THFLR-S01#sh run int

 
Your routing is not being done on your switch, that is only so the switch itself can communicate. So, since you have the management IP on vlan4 and an ip of 192.168.14.248 you need to change your default gateway.

It will not affect anything but your ability to get from and to your switch.
 
You are getting confused with the way the switches forward traffic (L2) and the IP connectivity you need to ping.

You want to use VLAN4 for management. Your L2 switches can only have a single IP address on them used for management. Right now you have both the interface vlan 1 SVI and the interface vlan 4 SVI competing. Only one can be operational. The SVI on the switches lets you place an IP on the switch to make the switch a host on the network so you can manage it through the network. The default-gateway points to the router for the management network.

I suggest this on all your switches:

interface vlan 1
shutdown

interface vlan 4
ip add 192.168.14.xx 255.255.255.0 (Replace xx with a unique host ID for each switch.)

ip default-gateway 192.168.14.1

If your trunks are working properly and your ROS is properly configured you will be able to ping the switches now.

Also, I suggest you nail down your root bridge so the L2 forwarding path ends on the switch attached to your ROS. On that switch ONLY run the macro:

spanning-tree vlan 2-4,101 root primary

On ALL switches, change them to RSTP:

spanning-tree mode rapid-pvst

Again, posting the output from the original commands I suggested would really be helpful.

 
What is SVI? I posted the output, check my reply just before sweetrevelation.

I will shut int vlan 1 and change the DG, will let you know. Thanks guys.
 
You just need to change the default gateway, vlan 1 is not "competing" with vlan 4.

Just change the default gateway and you'll be fine, it doesn't matter if vlan 1 is up/up in SVI or not.
 
SweetRevelation,

I have seen issues on L2 switches when the vlan1 SVI is left up and the mgmt IP is placed on a different SVI, so best practice is to shut down the interface vlan 1 when you want to use another SVI for management on a L2 switch. Yes, they can "compete". Don't know how many years you have with Cisco but you may run into this issue at some point. I demo this behavior to students in CCNP switch class.

Tshikoyeni,
An SVI is a Switched Virtual Interface. L2 ports don't accept IP addresses since they aren't functioning at L3, L2 switches get a management ip on a logical interface called an SVI. That is what you configure with the "interface vlan X" command. By default, switches are invisible to the users, hence they are referred to as transparent bridges. So the IP address you place on the SVI makes the switch a pingable host on the network.

Also, please post the running-config of the router.
 
What kind of issues?

I've just checked through some of my old stored configs and it looks like I almost always shutdown VLAN1 interface, so I've probably robbed myself of the opportunity of observing these "issues", whatever they are.
 