address not accessible

Answered Question
Jul 28th, 2007

Hello,


I have a 4507r and have added a new interface vlan 75 with an ip address of 10.75.0.1. I have created an ospf route for the 10.75.0.0 network in the 0 area but for some reason I cannot ping it.


Here is the config in question...


interface Vlan75
 ip address 10.75.0.1 255.255.0.0
 no ip redirects
!
router ospf 2
 log-adjacency-changes
 redistribute static metric 200 subnets
 network 10.50.0.0 0.0.255.255 area 0
 network 10.75.0.0 0.0.255.255 area 0


When I do a show ip route 10.50.0.0 I get..


Routing entry for 10.50.0.0/16
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan23
      Route metric is 0, traffic share count is 1


but for 10.75.0.0 I get


% Subnet not in table


Any ideas?

ankbhasi Sat, 07/28/2007 - 06:27

Hi William,


Can you issue a command "sh interface vlan 75" and make sure interface is up and up? If interface is in line protocol down state then route will not exist in routing table.


Also if the interface is in line protocol down state can you make sure if you have any device connected physically to vlan 75 or any trunk port which allows this vlan?


Regards,


Ankur

william.briere Sat, 07/28/2007 - 07:11

It does show down and down... Weird as the two interfaces I added to the vlan show up and up...


I have created a portchannel with the following config...


interface Port-channel2
 switchport
 switchport access vlan 75
 switchport mode access
 switchport nonegotiate


I have added two interfaces...


interface GigabitEthernet3/31
 description Grouped with port37 To VMWARE In Lab
 switchport access vlan 75
 switchport mode access
 switchport nonegotiate
 channel-group 2 mode on

interface GigabitEthernet3/37
 description Grouped with port31 To VMWARE In Lab
 switchport access vlan 75
 switchport mode access
 switchport nonegotiate
 channel-group 2 mode on


Other end is a 4948 with ports 1 & 2 having


channel-group 2 mode auto




mohammedmahmoud Sat, 07/28/2007 - 07:28

Hi,


Can you please make sure that you've added the VLAN itself to the switch.


HTH,

Mohammed Mahmoud.

mohammedmahmoud Sat, 07/28/2007 - 07:46

Hi William,


On the switch that you've created the SVI interface (interface vlan) please make sure that you've added the vlan to the switch (either via the vlan database mode or the global configuration mode).


HTH,

Mohammed Mahmoud.

william.briere Sat, 07/28/2007 - 07:54

I have created interface vlan 75 on both devices. I can ping 10.75.0.1 from my desk (10.50. network) but cannot ping 10.75.0.2? ... I can do it from the 4507 (10.75.0.1) to the 4948 (10.75.0.2) and the reverse, but I cannot ping 10.75.0.2 from another network.

mohammedmahmoud Sat, 07/28/2007 - 07:59

Hi,


You have said that the interface vlan 75 is down/down, so how can you ping it? Can you please provide us with a "show ip interface brief" and a "show vlan" from the 4507, and can you please elaborate more on your network topology?


HTH,

Mohammed Mahmoud.

william.briere Sat, 07/28/2007 - 08:08

Hello,


Sorry... Forgot to mention that I can now ping the Vlan 75 ip from anywhere. I noticed the Vlan 75 was shutdown...


On the 4948 the ip I put on the interface vlan 75 is 10.75.0.2 and I cannot ping it from another network.


sh ip int brief from 4507


Vlan75 10.75.0.1 YES manual up up


show vlan from 4507


75 VMWARE active Po2


sh vlan from the 4948


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/37, Gi1/38, Gi1/39, Gi1/40
                                                Gi1/41, Gi1/42, Gi1/43, Gi1/44
                                                Gi1/45, Gi1/46, Gi1/47, Gi1/48
75   VMWARE                           active    Gi1/1, Gi1/2, Gi1/3, Gi1/4
                                                Gi1/5, Gi1/6, Gi1/7, Gi1/8
                                                Gi1/9, Gi1/10, Gi1/11, Gi1/12
                                                Gi1/13, Gi1/14, Gi1/15, Gi1/16
                                                Gi1/17, Gi1/18, Gi1/19, Gi1/20
                                                Gi1/21, Gi1/22, Gi1/23, Gi1/24
                                                Gi1/25, Gi1/26, Gi1/27, Gi1/28
                                                Gi1/29, Gi1/30, Gi1/31, Gi1/32
                                                Gi1/33, Gi1/34, Gi1/35, Gi1/36



mohammedmahmoud Sat, 07/28/2007 - 08:32

Hey William,


The point here is why would you need interface VLAN 75 on both switches.


HTH,

Mohammed Mahmoud.

william.briere Sat, 07/28/2007 - 08:40

Two questions...


If I do not have the second vlan, by that I mean vlan 75 on the 4948, then how can I get around the vlan mismatch error I get when they are connected?


Also why can I not ping the ip I put on the interface vlan 75 on the 4948? I can only do it from the directly connected Core 4507 and from nowhere else? I put a default gateway on the 4948 pointing to 10.75.0.1 but no dice...





mohammedmahmoud Sat, 07/28/2007 - 08:49

William,


Can you elaborate more on your topology (how are your devices connected and from where are you doing the tests)?


Can you please post the error you've talked about and attach the complete configuration of both switches.


HTH,

Mohammed Mahmoud.



william.briere Sat, 07/28/2007 - 09:37

I have modified the config as you said... Removed the Vlan 75 on the 4948 and am just going with native Vlan 1... Problem is now none of it works...


Here is the config as it is now... After the changes described...


The 4507r is the core and has many distribution switches connected to it, now including this 4948.


What I'm looking to do is create a 10.75.0.0/16 network and channel-group 2 ports together to connect from the 4507 to two channel-grouped ports on the 4948 distribution switch. The 4948 would have a management IP of 10.75.0.2 and all the ports on Vlan 1 would be on the 10.75.0.0/16 network.


You will notice another vlan on the 4948 which I just want to be a private grouping of ports on the same vlan and not accessible to anything else.




william.briere Sat, 07/28/2007 - 10:16

My two ports on the 4507 are now in err-disabled status. And it won't reset them if I shut and then no shut.

mohammedmahmoud Sat, 07/28/2007 - 10:19

William,


Your main problem is that your channel group configuration is inconsistent; you need the configuration to be as follows on BOTH switches. Second, in order for different vlans to intercommunicate between both switches, your channel group should be a trunk, not an access port:


interface Port-channel2
 no ip address
 switchport
 switchport mode trunk

interface GigabitEthernetx/y1
 no ip address
 switchport
 switchport mode trunk
 channel-group 2 mode on

interface GigabitEthernetx/y2
 no ip address
 switchport
 switchport mode trunk
 channel-group 2 mode on

interface vlan 75
 ip address n.n.n.n m.m.m.m



HTH,

Mohammed Mahmoud.
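
The consistency rule in the reply above, as an added example that is not part of the original thread: a Python check that compares the channel-group members on both ends of a bundle. The sample configs are constructed (the core side follows the lines posted earlier, the far end is assumed beyond its `channel-group 2 mode auto` line), and `members` and `check_bundle` are hypothetical helper names.

```python
import re

# Negotiation protocol implied by each channel-group mode keyword.
PROTOCOL = {"on": "static", "auto": "pagp", "desirable": "pagp",
            "active": "lacp", "passive": "lacp"}
WAITING = {"auto", "passive"}  # modes that never initiate negotiation

def members(config, group):
    """Map interface name -> (channel mode, switchport mode) for one group."""
    found = {}
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        chan = re.search(rf"^\s*channel-group {group} mode (\S+)", stanza, re.M)
        if chan:
            port = re.search(r"^\s*switchport mode (\S+)", stanza, re.M)
            found[stanza.split()[1]] = (chan.group(1),
                                        port.group(1) if port else "dynamic")
    return found

def check_bundle(side_a, side_b):
    """Return reasons the two ends cannot form one consistent EtherChannel."""
    findings = []
    for a in sorted({c for c, _ in side_a.values()}):
        for b in sorted({c for c, _ in side_b.values()}):
            if PROTOCOL[a] != PROTOCOL[b]:
                findings.append(f"channel mode {a} cannot bundle with {b}")
            elif a in WAITING and b in WAITING:
                findings.append(f"{a}/{b}: neither end initiates")
    modes = {p for _, p in [*side_a.values(), *side_b.values()]}
    if len(modes) > 1:
        findings.append("switchport mode differs: " + ", ".join(sorted(modes)))
    return findings

# Constructed samples: core side as posted in the thread, far end assumed.
CORE = """interface GigabitEthernet3/31
 switchport mode access
 channel-group 2 mode on
interface GigabitEthernet3/37
 switchport mode access
 channel-group 2 mode on
"""
FAR_END = """interface GigabitEthernet1/1
 switchport mode access
 channel-group 2 mode auto
interface GigabitEthernet1/2
 switchport mode access
 channel-group 2 mode auto
"""
FAR_END_FIXED = FAR_END.replace("mode auto", "mode on")
print(check_bundle(members(CORE, 2), members(FAR_END, 2)))
```
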

william.briere Sat, 07/28/2007 - 10:39

Setting the interfaces to trunk is not allowed... See below...


VMWARE-SW1(config-if)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode.


mohammedmahmoud Sat, 07/28/2007 - 10:58

William,


No, you must do the following first:


VMWARE-SW1(config-if)#switchport trunk encapsulation dot1q


HTH,

Mohammed Mahmoud.



william.briere Sat, 07/28/2007 - 11:28

The config is now done as you describe... I can ping 10.75.0.1 but not 10.75.0.2, the ip address of vlan on the 4948.

william.briere Sat, 07/28/2007 - 11:38

Here are the configs as they are now. I have added only the parts that have changed...


On 4507


interface Port-channel2
 switchport
 switchport access vlan 75
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet3/31
 description Grouped with port37 To VMWARE In Lab
 switchport access vlan 75
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 2 mode on

interface GigabitEthernet3/37
 description Grouped with port31 To VMWARE In Lab
 switchport access vlan 75
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 2 mode on

interface Vlan75
 ip address 10.75.0.1 255.255.0.0
 no ip redirects


On 4948


interface Port-channel1
 description To CORE ROUTER
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode on

interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 duplex full
 channel-group 1 mode on

interface Vlan75
 description VMWARE PRIVATE
 ip address 10.75.0.2 255.255.0.0



mohammedmahmoud Sat, 07/28/2007 - 11:44

Hi,


Please attach the final configuration, show ip int brief for both switches and show interfaces trunk.


HTH,

Mohammed Mahmoud.

william.briere Sat, 07/28/2007 - 12:45

Wow.. a second page...


The Vlan 75 is down as you can see... Not sure why?

Correct Answer
mohammedmahmoud Sat, 07/28/2007 - 12:55

William,


The problem is on the 4948 (vlan 75 is down), please do the following, and please make sure that vlan 75 is present on the 4948:


no ip default-gateway 10.75.0.1
ip route 0.0.0.0 0.0.0.0 10.75.0.1

ip routing



HTH,

Mohammed Mahmoud.

william.briere Sat, 07/28/2007 - 13:06

It works now...


Why can I not use the default-gateway command to get things to go back to the router?

mohammedmahmoud Sat, 07/28/2007 - 13:20

Hi William,


I am really glad that it works now :)


default-gateway is effective only when the switch is working as a layer 2 switch, but just when enabling ip routing on the switch, the default-gateway command is of no use, and thus you must replace it with a default route.


Thank you for using the rating system.


Goodnight, or maybe have a nice day according to your time zone.


HTH,

Mohammed Mahmoud.
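
The `ip default-gateway` versus default-route behaviour explained in the reply above, as an added example that is not part of the original thread: a Python audit that reads a switch config and reports which default-path setting is actually in effect. The configs are constructed samples modelled on the 4948 in this thread, `audit_default_path` is a hypothetical helper, and it assumes routing is enabled only when an `ip routing` line is present (platform defaults vary).

```python
import ipaddress
import re

def audit_default_path(config):
    """Return findings about how a switch reaches hosts outside its subnets."""
    lines = [l.strip() for l in config.splitlines()]
    # Assumption: routing is on only when an "ip routing" line is present.
    routing = "ip routing" in lines
    gateways = [l.split()[2] for l in lines if l.startswith("ip default-gateway ")]
    defaults = [l.split()[4] for l in lines
                if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    # Subnets directly attached through the switch's own interface addresses.
    connected = [ipaddress.ip_interface(f"{addr}/{mask}").network
                 for addr, mask in re.findall(r"^\s*ip address (\S+) (\S+)",
                                              config, re.M)]
    findings = []
    if routing and gateways and not defaults:
        findings.append("ip default-gateway is ignored while ip routing is on")
    if not routing and defaults and not gateways:
        findings.append("default route is unused while ip routing is off")
    # Whichever setting is in effect must point at a directly reachable hop.
    for hop in (defaults if routing else gateways):
        if not any(ipaddress.ip_address(hop) in net for net in connected):
            findings.append(f"next hop {hop} is not on a connected subnet")
    return findings

# Constructed samples modelled on the 4948 described in the thread.
LAYER3_BROKEN = """ip routing
interface Vlan75
 ip address 10.75.0.2 255.255.0.0
ip default-gateway 10.75.0.1
"""
LAYER3_FIXED = LAYER3_BROKEN.replace("ip default-gateway",
                                     "ip route 0.0.0.0 0.0.0.0")
LAYER2 = LAYER3_BROKEN.replace("ip routing\n", "")

print(audit_default_path(LAYER3_BROKEN))
```
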


william.briere Sat, 07/28/2007 - 13:27

That is weird because it seemed as though we were unable to get it working unless going to layer 3... We should have been able to accomplish the tasks done on the 4948 by staying at layer 2 and connecting to a layer 3 device (4507)


Is this not correct?

manmeetmarwah Sun, 07/29/2007 - 06:43

Hi William,


I feel that you would have been able to achieve the results while working on layer 2 for the 4948 switch, but in that case why would you have chosen to put a default-gateway at all? I.e., if your 4948 switch is being used as a layer 2 switch only, then probably all the clients or end users (I am not aware of your topology) would have a gateway for the 4507 switch only. And in case you have users/end devices pointing to the 4948 switch as gateway, then that itself means that you are using it as a layer 3 switch.


Manmeet

william.briere Sun, 07/29/2007 - 08:33

I had already put the default gateway on the layer 2 switch, as the 4507 was an acceptable default gateway, but for some reason it didn't work. Any suggestions for me to be able to host multiple vlans on a layer 2 switch where there is a channel-group of ports going back to the layer three device?

mohammedmahmoud Sun, 07/29/2007 - 10:16

Hi William,


Sure, you can make it work in layer 2 (I only thought that you were trying to make it work in layer 3), just do the following:


no ip routing
no ip route 0.0.0.0 0.0.0.0 10.75.0.1
ip default-gateway 10.75.0.1



and all the PCs connected to the 4948 and members in VLAN 75 must use the 10.75.0.1 as their gateway.


HTH,

Mohammed Mahmoud.

william.briere Sun, 07/29/2007 - 11:46

What if I were to want to have a vlan on the 4948 that has 12 ports on it, but I don't want traffic to leave that vlan?

mohammedmahmoud Sun, 07/29/2007 - 12:03

William,


You can use whatever VLANs you require on the 4948, and by default the traffic doesn't leave the VLAN unless inter-VLAN routing is configured by using SVI interfaces (interface vlan x and interface vlan y and so on) on a layer 3 switch, and accordingly in the context of a layer 2 switch the VLAN traffic can't be seen by another VLAN.


HTH,

Mohammed Mahmoud.

william.briere Sun, 07/29/2007 - 12:11

So you're saying as long as I only use...


vlan XX


and not use interface vlans then the traffic will stay within that vlan?

mohammedmahmoud Sun, 07/29/2007 - 12:27

Hi,


Yes, that's right, by default if the switch is a layer 2 switch with just vlan configuration there can be no communication between the vlans, unless the switch is converted to layer 3 functionality (ip routing) and SVI interfaces are configured (interface vlan).


HTH,

Mohammed Mahmoud.

william.briere Sun, 07/29/2007 - 12:35

I have heard about vlans not being secure... Can you comment on this? something like "vlan snooping????"
