
I need help moving over to using our layer 3 switch as the inter-VLAN routing device rather than our Cisco router. I've mostly got it working, but I've got stuck near the end and need some advice (I think I just need a bit of education on the subject, really). Cur

I have a Dell PowerConnect 7048 connecting to a Cisco 1841 router. I've got a few key excerpts from the configs to provide the key information. On the powerconnect I have the following:

ip routing
ip default-gateway 172.31.14.1
ip route 0.0.0.0 0.0.0.0 172.31.14.1 253
!
interface vlan 1
ip address 172.31.14.254 255.255.255.0
exit
interface vlan 2
ip address 172.31.19.254 255.255.255.0
exit
interface vlan 4
ip address 172.31.16.254 255.255.255.0
!
interface Gi1/0/1
description 'Link to L7Router01'
switchport mode trunk
switchport trunk allowed vlan except 3,7-4093
exit
!

and on the Cisco the following:

 interface FastEthernet0/0
  ip address 172.31.14.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
 !
 interface FastEthernet0/0.2
  description Accounts VLAN
  encapsulation dot1Q 2
  ip address 172.31.19.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
 !
 interface FastEthernet0/0.4
  description Voice VLAN
  encapsulation dot1Q 4
  ip address 172.31.16.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
 !

So what I'm doing is moving clients over so that their default gateway is a 172.31.x.254 address rather than a 172.31.x.1 address. This works great for inter-vlan routing, I have no issues with this. The switch can also access the router no worries, and users on the 172.31.14.0/24 network can access all interfaces and sub-interfaces on the router, including 172.31.14.1. They can also access all of the interfaces that the router connects off to, no worries there.

The problem I have is that users on the 172.31.16.0/24 and 172.31.19.0/24 subnets cannot access either 172.31.14.1 or any of the subnets the router connects to. They can, however, connect to BOTH of the sub interfaces on the router from either subnet.

What am I missing here? Why can't the vlans connect to the non-sub interface on the router? Are tagged packets being sent to this interface?

yoshiwaan
  • What are the port configurations to which your clients are connected? Are the ports tagged, untagged or trunked (client does the encapsulation/tagging and can access multiple vlans)? I need this data because VLAN 1 is the default VLAN. But other VLANs require tagging from the client end or forced tagging from the switch's end. – nearora Jun 12 '12 at 04:00
  • The client ports are access ports on whatever vlan they are assigned to. The clients do no tagging themselves, the switch takes care of that. – yoshiwaan Jun 12 '12 at 05:17
  • Can you print the routing table on the L3 switch and the router and post it here? – nearora Jun 12 '12 at 05:29
  • Switch: Default Gateway is 172.31.14.1 S 0.0.0.0/0 [253/0] via 172.31.14.1, Vl1 S 10.200.200.0/24 [1/0] via 172.31.14.1, Vl1 S 10.200.201.0/24 [1/0] via 172.31.14.1, Vl1 S 10.210.200.0/24 [1/0] via 172.31.14.1, Vl1 S 10.210.201.0/24 [1/0] via 172.31.14.1, Vl1 C 172.31.14.0/24 [0/1] directly connected, Vl1 C 172.31.16.0/24 [0/1] directly connected, Vl4 C 172.31.18.0/24 [0/1] directly connected, Vl6 C 172.31.19.0/24 [0/1] directly connected, Vl2 – yoshiwaan Jun 12 '12 at 06:01
  • Router (Trimmed): Gateway of last resort is 10.255.255.1 to network 0.0.0.0 C 172.31.19.0 is directly connected, FastEthernet0/0.2 C 172.31.18.0 is directly connected, FastEthernet0/0.6 C 172.31.17.0 is directly connected, FastEthernet0/0.5 C 172.31.16.0 is directly connected, FastEthernet0/0.4 C 172.31.21.0 is directly connected, FastEthernet0/0.7 S 172.31.20.0 [1/0] via 172.31.14.248 C 172.31.14.0 is directly connected, FastEthernet0/0 – yoshiwaan Jun 12 '12 at 06:11
  • Actually posting that makes me wonder if there is a reverse route issue... Or rather it's going in 1 interface and trying to go out another. – yoshiwaan Jun 12 '12 at 06:12
  • You'll have to explain your suspicions. You see, you have two routers for each VLAN, which isn't wrong for the transition period as long as both the devices can communicate to each other in layer 2 that they should be able to because they are trunked. So, I'd suggest that the next debugging steps be: 1) Connect a device to the L3 switch and another to the router. Put both on the same VLAN and make sure they can see to each other. Do that for each VLAN on the L3 switch. Change VLAN on both ends to be the same when doing so. Contd... – nearora Jun 12 '12 at 06:20
  • Contd... 2) Do the same test, but now with both clients on different VLANs (not VLAN 1). Test that each can get to the next logical hop and progress hop to hop. 3) Put one device on VLAN 1 and do the hop to hop test both ways. – nearora Jun 12 '12 at 06:21
  • @Yoshiwaan, what version of Cisco IOS are you running? – Mike Pennington Jun 12 '12 at 12:00
  • @Yoshiwaan - Have you tried running a traceroute to be sure of where it drops off? I would do this from both a client, and from the PowerConnect using a source of VLAN 2 and/or 4. – Paul Kroon Jun 12 '12 at 19:01
  • Mike, the IOS version says 12.4 in running config. Everyone else, I didn't actually see the 'show more comments' button so I hadn't realised others had replied. I'll test and come back asap – yoshiwaan Jun 14 '12 at 02:29
  • Did you get around to doing some testing to resolve this issue? – nearora Jun 19 '12 at 22:39
  • I did a bit yesterday actually. When a client with a 254 gateway does a tracert to another subnet, it hits the default gateway address then times out to anything after this. – yoshiwaan Jun 20 '12 at 01:21
  • However, if I disable the subinterface on the router associated with that vlan it works. So e.g. my client is 172.31.16.2 with a DG of 172.31.16.254. I can't access outside the subnet. If I disable 172.31.16.1 on the router it all starts to work. This tied in with my thinking that the packets were going into the 172.31.14.1 interface (the default route for the switch), but on the return as the router had an interface on the return subnet (eg 172.31.16.0/24 in this case) it would go out that one. I know an ASA will block that for sure, but I didn't think a router would, if that is the case. – yoshiwaan Jun 20 '12 at 01:28
  • In the end I just disabled the virtual interfaces on the router, so it operates like a router on a stick essentially, just with the vlan 1 network being the default network in a way. Not a bad solution I suppose but I don't like not having a proper answer for the problem! – yoshiwaan Jul 05 '12 at 03:08
  • @Yoshiwaan, please post your solution as an answer so it doesn't show up in unanswered questions :-) – Mike Pennington Jul 07 '12 at 08:28
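The path asymmetry yoshiwaan suspects in the comments (traffic enters the router on FastEthernet0/0 via the switch's default route, but the router answers directly out of the VLAN subinterface) can be checked with a longest-prefix-match simulation. This is an added example, not part of the original post: the routing tables are transcribed from the comments, the "upstream" interface name and the 10.200.200.5 destination are constructed, and ROUTER_ROUTES_FIXED models rnxrx's suggestion of static return routes pointing at the switch's 172.31.14.254.

```python
import ipaddress

# Routing tables transcribed (trimmed) from the comments on the question.
SWITCH_ROUTES = [  # (prefix, next hop or None when directly connected, egress)
    ("0.0.0.0/0", "172.31.14.1", "Vl1"),
    ("10.200.200.0/24", "172.31.14.1", "Vl1"),
    ("172.31.14.0/24", None, "Vl1"),
    ("172.31.16.0/24", None, "Vl4"),
    ("172.31.19.0/24", None, "Vl2"),
]
ROUTER_ROUTES = [
    ("0.0.0.0/0", "10.255.255.1", "upstream"),  # egress name is constructed
    ("172.31.14.0/24", None, "FastEthernet0/0"),
    ("172.31.16.0/24", None, "FastEthernet0/0.4"),
    ("172.31.19.0/24", None, "FastEthernet0/0.2"),
]
# rnxrx's design: no subinterfaces, static return routes via the switch SVI.
ROUTER_ROUTES_FIXED = [
    ("0.0.0.0/0", "10.255.255.1", "upstream"),
    ("172.31.14.0/24", None, "FastEthernet0/0"),
    ("172.31.16.0/24", "172.31.14.254", "FastEthernet0/0"),
    ("172.31.19.0/24", "172.31.14.254", "FastEthernet0/0"),
]

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, egress_interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best[1], best[2]

def round_trip(client, dst, router_table):
    """Router interface the client's packet arrives on and the one its reply leaves by.
    The client's gateway is the switch SVI, so the switch forwards first and the
    router sees the packet on the interface that owns the switch's next hop."""
    next_hop, _ = lookup(SWITCH_ROUTES, dst)
    if next_hop is None:  # destination is local to the switch; router not involved
        return None, None
    _, ingress = lookup(router_table, next_hop)
    _, return_egress = lookup(router_table, client)
    return ingress, return_egress

def is_asymmetric(client, dst, router_table):
    ingress, egress = round_trip(client, dst, router_table)
    return ingress != egress

print(round_trip("172.31.16.2", "10.200.200.5", ROUTER_ROUTES))  # -> ('FastEthernet0/0', 'FastEthernet0/0.4')
```

With the subinterfaces present, only VLAN 1 clients get a symmetric path through the router, which matches what the question reports.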

2 Answers


If you'd like the switch to be performing inter-VLAN routing then why are you still running an 802.1q trunk back to the router? You need an L3 link between the router and the switch, the default route on the switch to the router via that gateway and then return routes on the router pointing back to the switch's L3 interface.

rnxrx
  • I think the OP is migrating machines from having the router as the gateway to the L3 switch as the gateway. What you say seems to be the OP's ultimate goal. However, from purely a functional perspective, I don't see anything wrong with the OP having the router and the L3 switch on all the same VLANs. – nearora Jun 12 '12 at 04:32
  • Correct Nearora. In addition, according to this guide: http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml (step-by-step instructions, step 6, the note) it seems to indicate that if you connect to the router via a VLAN it should work, at least for a Cisco device (but why would the Dell differ on that?). – yoshiwaan Jun 12 '12 at 05:20

As I stated in the comment above I didn't find a proper solution for this, the only option was to disable the additional virtual interfaces on the router so there was only 1 path.

yoshiwaan