VLAN Not Routing Traffic

Unanswered Question
Mar 5th, 2009

I have a layer 3 switch with two routers connected to it. When I trace from one WAN site to another through this switch I hit vlan 31 and just stop. I can get on the switch and trace to the 10.175.0.0/24 network but from our other WAN connection I can't get past it. If I source the IP of vlan 31 on that same switch I cannot get to the 10.175.0.0/24 network. I have a static route for the 10.175.x.x net on the switch pointing to the router that is connected via an access port. The router's gi0/1 interface has 10.10.1.250 address which is a part of the vlan 710 on the layer3 switch. Any ideas why I can't route past that 10.210.31.3 address?

xcz504d1114 Thu, 03/05/2009 - 20:57

Your description is pretty hard to follow, so I will start with the "low hanging fruit".

What type of layer 3 switch are you using? 3750? 6509?

Is ip routing enabled on your layer 3 switch?

anthonymd Thu, 03/05/2009 - 21:07

It's a 6513 with routing enabled.

WAN Router to 6513 to 3845 to 10.175.0.0

Both routers are connected to this switch via access ports on different vlans.

xcz504d1114 Thu, 03/05/2009 - 21:12

Are there any other static routes, default routes, or routing protocols running?

What's the output of your "show ip route" look like?

Try using the "show ip cef exact-route" command on your L3 switch.

anthonymd Thu, 03/05/2009 - 21:16

Multiple static routes, a default route, and EIGRP.

The show ip route output is a very large routing table, but here is the particular network I want to get to.

    SERVER2#sh ip route 10.175.0.2
    Routing entry for 10.175.0.0/24
      Known via "static", distance 1, metric 0
      Redistributing via eigrp 100
      Advertised by eigrp 100
      Routing Descriptor Blocks:
      * 10.10.1.250
          Route metric is 0, traffic share count is 1

    SERVER2#sh ip cef exact-route 10.210.31.3 10.175.0.2
    10.210.31.3 -> 10.175.0.2 : Vlan710 (next hop 10.10.1.250)

xcz504d1114 Thu, 03/05/2009 - 21:21

What about from the 10.10.1.250 router? What's the "show ip route 10.210.31.3" look like?

Your L3 switch looks fine, looks like the problem is more than likely the 10.10.1.250 router not knowing how to reach the 10.210.31.0 subnet.

anthonymd Thu, 03/05/2009 - 21:25

    RTR#sh ip route 10.210.31.3
    % Subnet not in table

Yeah I see now. The problem is this router has two connections into it, one for data and one for voice only. I can't put a static route to that network in the router to go out this interface or I'll get an asymmetric route; this vlan is a data vlan, not a voice one.

xcz504d1114 Thu, 03/05/2009 - 22:01

I'm a little confused at how the network is set up, but I assume there is a reason :)

But aside from that, there are several options you can do, but I would need quite a bit more information about your configuration and traffic patterns.

Asymmetric routing isn't bad, just as long as you expect it and the results are desirable, and care should be given because it does increase complexity and limit future designs.

So my first question is a design question, why do you have your voice and data going out 2 separate physical ports? Do they terminate to the same L3 switch?

What does the "voice network" look like, traffic patterns, routing, source / destination, call managers, h323 gateways etc.

Why not just run EIGRP 100 on your edge routers to participate with your L3 switch?

Why configure static routes? In the event of a link failure, all of your static routes (unless you configure floating static routes etc.) mean nothing.

You can't get to the network no matter what, asymmetric routing isn't a factor here, undeliverable packets is the factor. If you have voice vlan 1.1.1.0/24 and data vlan 2.2.2.0/24, you can write route policies to determine traffic patterns. We will say that the voice traffic should go to the router with the IP of 10.1.1.1 and data should go to the router with the IP of 10.2.2.2.

IE

    ip access-list extended Voice
     permit ip 1.1.1.0 0.0.0.255 any
    !
    route-map Voice permit 10
     match ip address Voice
     set ip next-hop 10.1.1.1
    !
    ! policy routing is placed on the inbound interface
    interface gi 0/1
     ip policy route-map Voice
    !
    ip route 0.0.0.0 0.0.0.0 10.2.2.2

This configuration will send all traffic that comes in interface Gi0/1 with a source IP of 1.1.1.0/24 (voice traffic) to the voice network; all other traffic will be sent to 10.2.2.2.

anthonymd Thu, 03/05/2009 - 22:22

I'll try to answer your questions the best I can.

This is a very hard to explain network design. We have a DS3 between two offices connected by two 3845s. On either side of those we have firewalls then Layer3 switches 4500 series. We have the corporate VRF and Engineering VRF routing thru the firewalls via the Gi0/0 interfaces on the routers. Then to bypass the firewalls for voice we connect them off of Gi0/1 directly into the switches (the HQ side where we are working now goes into a different switch than the corp and eng traffic).

The source voice network is in site B; the 10.210.31.x network is at the HQ office.

The remote site voice network is the 10.175.0.0/24 and the destination network is another remote office routing thru the HQ network to another WAN connection. The CMs live at the HQ on the 10.10.1.x network. So voice traffic leaves the 4500 at site B goes to Gi0/1 on the 3845 across the 45MB p2p into s1/0 on the HQ 3845 then out the Gi0/1 int to the 6513 to another 3845 (managed by WAN provider) then out to the other remote office.

All other layer3 devices on the network participate in EIGRP except this router b/c we don't want it to learn all the data networks via the Gi0/1 int. The firewalls can't do EIGRP so we're doing statics from the 4500 to the FW for all data and statics to the 3845 for voice traffic.

There is a default route on the 3845 for all traffic coming in from site B and a static route for traffic destined to our 10.10.1.x network.

How is the route map going to enable the HQ 3845 to learn how to get to the 10.210.31.x network?

How is that route map going to

xcz504d1114 Thu, 03/05/2009 - 23:23

Gotcha, so you just connect a second physical cable to bypass your FW for voice.

The route-map sets the next hop value to whatever the destination (just like a static route but it allows you (in this case) to specify a source, a destination, and how to get there (next hop) where a static route just allows you to specify destination and how to get there (next hop)). The route-map allows you to separate voice and data traffic based on the source IP, the router will still need to know how to get to the next-hop that you specify in the route map, either via a routing protocol or a static route.

I attached a "diagram" drawn in Paint (I don't have Visio at home!) to make sure I was clear with your setup. If you can fill in the data network IPs and correct anything I got wrong, that would help me with an overview if you still need it.

anthonymd Thu, 03/05/2009 - 22:35

Let's see if this diagram shows up.

    Site B
    4510
    | |
    FW | (voice)
    | |
    3845
    | (DS3)
    3845
    | |
    FW |
    | --6513 -- WAN Router to other site
    4507 |
    | |
    6513 (core)

xcz504d1114 Thu, 03/05/2009 - 23:47

What is the data network on the 10.10.1.250 router, and what is the voice network?

What link do you want the voice traffic to go out of and what link do you want the data traffic to go out of?

anthonymd Fri, 03/06/2009 - 07:55

The data network for site B is 10.175.1.0/24 and the voice is 10.175.0.0/24 so basically any 10.175.x.x traffic is destined for site B.

    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname RTR
    !
    boot-start-marker
    boot-end-marker
    !
    card type t3 1
    logging message-counter syslog
    logging buffered 51200 warnings
    enable secret 5 XXXXXXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login Console local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default
     action-type start-stop
     group tacacs+
    !
    aaa accounting commands 0 default
     action-type start-stop
     group tacacs+
    !
    aaa accounting commands 15 default
     action-type start-stop
     group tacacs+
    !
    !
    !
    aaa session-id common
    clock timezone PST -8
    clock summer-time PDT recurring
    !
    dot11 syslog
    ip source-route
    ip cef
    !
    !
    !
    !
    no ip bootp server
    ip domain name is.ad.igt.com
    ip name-server 10.210.41.190
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    archive
     log config
      hidekeys
    !
    !
    controller T3 1/0
     cablelength 10
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh logging events
    ip ssh version 2
    !
    !
    !
    interface Loopback0
     ip address 10.1.1.2 255.255.255.255
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
    !
    interface Null0
     no ip unreachables
    !
    interface GigabitEthernet0/0
     description To FW Port 1
     ip address 10.254.1.70 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     duplex auto
     speed auto
     media-type rj45
     no mop enabled
    !
    interface GigabitEthernet0/1
     description To Server2 Gi3/4
     ip address 10.10.1.250 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     duplex auto
     speed auto
     media-type rj45
     no mop enabled
    !
    interface Serial1/0
     ip address 10.254.1.73 255.255.255.252
     encapsulation ppp
     no ip route-cache cef
     no ip route-cache
     no ip mroute-cache
     dsu bandwidth 44210
    !
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.254.1.69
    ip route 10.1.1.175 255.255.255.255 10.254.1.74
    ip route 10.1.1.176 255.255.255.255 10.254.1.74
    ip route 10.10.0.0 255.255.0.0 10.10.1.1
    ip route 10.175.0.0 255.255.255.0 10.254.1.74
    ip route 10.175.1.0 255.255.255.0 10.254.1.74
    ip route 10.175.2.0 255.255.255.0 10.254.1.74
    ip route 10.175.4.0 255.255.252.0 10.254.1.74
    ip route 10.175.8.0 255.255.255.0 10.254.1.74
    ip route 10.210.44.221 255.255.255.255 10.10.1.1
    ip route 10.210.44.222 255.255.255.255 10.10.1.1
    ip route 10.254.1.76 255.255.255.252 10.254.1.74
    !
    ip http server
    no ip http secure-server
    ip flow-top-talkers
     top 10
     sort-by bytes
     cache-timeout 100
    !
    ip tacacs source-interface Loopback0
    !
    logging history informational
    logging trap debugging
    logging 10.210.41.145
    logging 10.210.41.75
    access-list 23 permit 10.210.104.0 0.0.0.255
    access-list 23 deny any log
    snmp-server enable traps tty
    !
    !
    control-plane
    !
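
The return-path question raised earlier in the thread (RTR has no specific route for 10.210.31.3), worked through as an added example that is not part of the original posts: a longest-prefix-match lookup over the interface addresses and static routes copied from the RTR config above. It assumes classless forwarding, so a destination with no specific subnet falls to the default route; the function names are hypothetical.

```python
import ipaddress

# Interface addresses and static routes copied from the RTR config posted above.
INTERFACES = {
    "GigabitEthernet0/0": "10.254.1.70/255.255.255.252",  # "To FW Port 1"
    "GigabitEthernet0/1": "10.10.1.250/255.255.255.0",    # "To Server2 Gi3/4"
    "Serial1/0": "10.254.1.73/255.255.255.252",           # DS3 to site B
}
STATIC_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 10.254.1.69
ip route 10.1.1.175 255.255.255.255 10.254.1.74
ip route 10.1.1.176 255.255.255.255 10.254.1.74
ip route 10.10.0.0 255.255.0.0 10.10.1.1
ip route 10.175.0.0 255.255.255.0 10.254.1.74
ip route 10.175.1.0 255.255.255.0 10.254.1.74
ip route 10.175.2.0 255.255.255.0 10.254.1.74
ip route 10.175.4.0 255.255.252.0 10.254.1.74
ip route 10.175.8.0 255.255.255.0 10.254.1.74
ip route 10.210.44.221 255.255.255.255 10.10.1.1
ip route 10.210.44.222 255.255.255.255 10.10.1.1
ip route 10.254.1.76 255.255.255.252 10.254.1.74
"""


def build_table():
    """Return (network, next_hop, interface) rows; connected rows have next_hop None."""
    table = [(ipaddress.ip_interface(a).network, None, n) for n, a in INTERFACES.items()]
    for line in STATIC_ROUTES.splitlines():
        fields = line.split()
        if fields[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}")
            table.append((net, ipaddress.ip_address(fields[4]), None))
    return table


def lookup(dst, table):
    """Longest-prefix match (assumes classless forwarding); resolves a static
    route's next hop to the connected interface that reaches it."""
    dst = ipaddress.ip_address(dst)
    net, hop, ifname = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    if ifname is None:
        ifname = lookup(hop, [r for r in table if r[1] is None])[2]
    return str(net), "connected" if hop is None else str(hop), ifname


if __name__ == "__main__":
    table = build_table()
    for dst in ("10.175.0.2", "10.210.31.3", "10.10.1.5"):
        print(dst, "->", lookup(dst, table))
```

Under that assumption, replies to 10.210.31.3 match only the default route and leave via GigabitEthernet0/0 toward the firewall, not back out GigabitEthernet0/1 where the request from the 6513 arrived.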

xcz504d1114 Fri, 03/06/2009 - 10:16

So from the 10.10.1.250 RTR, anything destined for 10.175.x.x is sent out the DS3 (to 10.254.1.74).

From the 10.10.1.250 RTR, traffic destined for 10.210.13.x, where should it be sent to? I'm assuming that 10.210.13 is a voice network, is there a data network as well?
