2960 switch and 2851 router 802.1q vlan routing

Unanswered Question
Feb 21st, 2007

I have 2 vlans on a 2960 switch. I also have the encapsulation on the 2851 router. I am able to ping the other WAN site from the router but not the 2960 switch even if I source the pings from a vlan. Does anybody know why this is happening?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
devang_etcom Wed, 02/21/2007 - 14:01

will you please post the show run of switch and router... and it will be good if you post topology...



glen.grant Wed, 02/21/2007 - 19:25

On the router side add this under the subinterface "encapsulation dot1Q 20 native" , on the switch side add " switchport trunk native vlan 20 " . retest .

peter.williams@... Thu, 02/22/2007 - 05:50

Thank you for your reply -

I have 2 vlans on the switch. I have added your suggestions but I am still unable to ping from the switch across the network to the other side.

Just to be sure you wanted me to put the switchport trunk native vlan 20 on fa0/1 on the switch correct? What do I do with vlan 101?

Thank you for your help

glen.grant Thu, 02/22/2007 - 07:03

That command goes on the subinterface for vlan 20 not the regular interface and nothing would change under the vlan 101 subinterface .

peter.williams@... Thu, 02/22/2007 - 07:29

so this would go under the sub interface of the router not the switch?

int g0/1.20 but not g0/1.101?

peter.williams@... Fri, 02/23/2007 - 07:54

Thank you for your response - it worked, however now when I try to ping which is a computer on the other end of the tunnel from my switch it does not ping, do you have any ideas why this is happening. I am able to ping the from the router. Thank you fro your help

mark_gardner Fri, 02/23/2007 - 10:58

I would look at your nat statement which you are overloading out the external interface, looks like everything is being natted at the moment.. and not going down the tunnel.

access-list 101 permit ip any

access-list 101 permit ip any

try adding at the top of your acl the following two statements, and leaving in the two statements above at the bottom of your access-list 101

access-list 101 deny ip x.x.x.x mask

access-list 101 deny ip x.x.x.x mask

where x.x.x.x mask equals the network on the other side of the tunnel.

effectively saying dont nat anything going to the x.x.x.x mask network, but nat everything else.

hope this helps

peter.williams@... Fri, 02/23/2007 - 12:06

I have added this, but it still doesn't work, is there anything else I can do?

access-list 100 deny ip

access-list 100 deny ip host host

access-list 100 permit ip any

access-list 100 permit ip any

mark_gardner Fri, 02/23/2007 - 12:41

Hi peter

you should of applied the statements to access-list 101 not 100.

you are referencing route-map SDM_RMAP_3 in your nat overload statement, SDM_RMAP_3 matches access-list 101 not 100.

ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0/0 overload

route-map SDM_RMAP_3 permit 1

match ip address 101

Try it again on access-list 101.

Hope this helps


This Discussion