Router on a Stick

Unanswered Question
Oct 11th, 2007
User Badges:

I'm trying to configure the 'router on a stick', basically, through one interface, I need to route to 3 subnets. My configuration is a 2811 connected to a 3560, which is connected to an F5 BIG-IP.


Below are my configs (- passwords)

2811

----


Using 1647 out of 245752 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname XO-2811

!

boot-start-marker

boot system flash c2800nm-advsecurityk9-mz.124-17.bin

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

!

!

ip cef

!

!

ip domain name yourdomain.com

ip name-server 65.ccc.ccc.196

ip name-server 65.ccc.ccc.196

!

!

!

interface FastEthernet0/0

description WAN interface$ETH-LAN$

ip address xxx.xxx.xxx.37 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex full

speed 100

!

interface FastEthernet0/1

description LAN interface

no ip address

duplex auto

speed 100

!

interface FastEthernet0/1.1

encapsulation dot1Q 1 native

ip address 67.aaa.aaa.129 255.255.255.224

!

interface FastEthernet0/1.2

encapsulation dot1Q 2

ip address 67.bbb.bbb.225 255.255.255.224

!

interface FastEthernet0/1.3

encapsulation dot1Q 3

ip address 67.ccc.ccc.225 255.255.255.224

!

ip forward-protocol nd

ip route profile

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 permanent

!

ip http server

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

!

snmp-server community XO RO

snmp-server location XO Data Center Beaverton

!

!

control-plane

!

!

!

line con 0

login local

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet

line vty 5 15

privilege level 15

login local

transport input telnet

!

scheduler allocate 20000 1000

!

end


3560

----


Using 4782 out of 524288 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname XO_GB_Switch1

!

logging console critical

!

no aaa new-model

clock timezone Pacific 8

vtp mode transparent

ip subnet-zero

!


!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 2-4

!

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

macro description cisco-router

!

interface GigabitEthernet0/2

description Out to F5-1-Pbc

switchport trunk encapsulation dot1q

switchport mode trunk

duplex full

speed 100

!

interface GigabitEthernet0/3

description Out to F5-2-Pbc

switchport trunk encapsulation dot1q

switchport mode trunk

duplex full

speed 100

!

!

interface GigabitEthernet0/49

description Out to F5-1-Pvt

switchport access vlan 4

speed nonegotiate

flowcontrol receive desired

!

interface GigabitEthernet0/50

description Out to F5-2-Pvt

switchport access vlan 4

speed nonegotiate

flowcontrol receive desired

!

!

interface Vlan1

description Public side VLAN

ip address 67.aaa.aaa.148 255.255.255.224

!

interface Vlan2

no ip address

!

interface Vlan3

no ip address

!

interface Vlan4

ip address 10.10.10.210 255.255.255.0

!

ip default-gateway 67.aaa.aaa.129

ip classless

ip http server

!

snmp-server community XO RO

!

control-plane

!

!

line con 0

line vty 0 4

password xxx

no login

line vty 5 15

password xxx

no login

!

!

end



I seem to be able to get to the network on FastEthernet 0/1.1 fine, but not the other two.


Can someone please help with my configuration?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
lgijssel Thu, 10/11/2007 - 11:45
User Badges:
  • Red, 2250 points or more

Your router-on-a-stick seems fine to me.

Perhaps you have not configured vlan 2 and 3 on the switch?

Configure a port in access mode, vlan2 and connect a PC to it. Then try to ping the router. Repeat the same for vlan3.


regards,

Leo

sundar.palaniappan Thu, 10/11/2007 - 11:47
User Badges:
  • Green, 3000 points or more

Do you have vlan 2 and 3 created? Do a show vlan and check if vlan 2 and 3 show up there. If it doesn't then configure vlan 2 and 3 from the global config as follows and test.


SW1-3550(config)#vlan 2

SW1-3550(config-vlan)#vlan 3


HTH


Sundar

Richard Burts Thu, 10/11/2007 - 11:53
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Brett


I do not notice any particular issues in the config that you posted about routing to VLANs 2 and 3. Since there is not any particular configuration on your switch about those VLANs and there do not seem to be any ports on the switch in those VLANs would I be correct in assuming that they are on the F5. My guess is that there is some issue on the F5 about these VLANs or about the trunking between F5 and your switch. Can you provide any information about the F5 and its configuration?


Are you able to access addresses in those VLANs from the 2811?


I notice one other thing which I do not believe is related to the current problem but which may be a problem you would face later. Your default route points just to the FastEthernet interface. This means that the router will have to ARP for each destination address. And it will work only if the next hop router enables proxy arp. Since FastEthernet0/0 is configured with a /30 address it should be easy to change the default route so that it points to the next hop address. This would be a significant improvement.


HTH


Rick

brettedelen Thu, 10/11/2007 - 11:59
User Badges:

The 3 subnets are on the F5, so no physical ports on the switch will be used to access them. From the 2811, i can only access the subnet on FastEthernet 0/1.1.


I suspect that the problem lies on the F5 as well. I am in the process of trying to create a trunk on the interface I am using on the F5, but things are a little different over there. It's odd because my tag for the 'external' VLAN where the interface lies right now is 4094, yet seems to be routing the native VLAN 1 traffic from the router/switch. I guess I thought the tag for VLAN 1 would be 1, and would need to match the tag on the F5. Is this not the case?




lgijssel Thu, 10/11/2007 - 12:12
User Badges:
  • Red, 2250 points or more

You have set vlan1 to native. This means that the router sends untagged traffic on vlan1.

Traffic can "leak" into another vlan on a trunk when the native vlans are different.

Turn on cdp to check this out quickly.


Leo

brettedelen Thu, 10/11/2007 - 12:35
User Badges:

update:

From the F5, I can ping out to all sub-interfaces on the router, and through the router. So the F5 can find his way back out.


Do I need to enable routing on the switch to tell the Vlan2 and 3 traffic where to go?


On the F5, there is an IP on the interface that is in the subnet of Vlan1, but none for Vlan 2 or 3 subnets.

Kevin Dorrell Fri, 10/12/2007 - 00:03
User Badges:
  • Green, 3000 points or more

Sorry if I've missed something here, but if you have a 3560, why do you need a router on a stick? The router doesn't seem to have any serial interfaces, so what are you trying to do with it that you cannot do with the internal router of the 3560?


Kevin Dorrell

Luxembourg


csc010854800 Fri, 10/12/2007 - 02:43
User Badges:

You should try giving ip address to interface vlan 2,3 of the range you give to interface fastethernet 0/1.2,1.3 .


Only then traffic can be routed between pc of vlan 2 and vlan 3.



yogesh




brettedelen Fri, 10/12/2007 - 12:51
User Badges:

Sorry, I should have been more specific on the architecture. I have a fastE connection to the internet on a /30 address. I am trying to route to 2 F5's (redundant) that support 3 subnets of public IP addresses (all /27). The switch is because i only have 1 interface on my router, and I needed ports for my private subnet (VLAN 4 is the pvt net).


I'm pretty stuck right now. Thank you all for your help so far, but I'm still missing one piece of the puzzle.

Actions

This Discussion