We have 2 L3 Cisco 3550 switches and a few L2 Cisco 3550 switches. All the switches are in the same domain. There are 3 vlans, one for management, one for internal use (10.x.x.x) and one for guests (172.x.x.x). From the internal vlan, we can access the internet, but not from the guest vlan. There is a gateway IP on the L3 switch for each vlan. Though each vlan also has a gateway IP on the router.
My problem is when I am on our 10.x.x.x network, I can ping the gateway IP meant for our 172.x.x.x network. When I am on the 172.x.x.x network I cannot ping its own gateway IP address. The 10.x.x.x network has no problem getting to its own gateway IP address. The gateway IP addresses are configured on the gateway Cisco router. Eventually, there should be no communication between both networks.
Could someone help me figure out why I cannot ping the gateway IP for the guest vlan when connected on the guest vlan? Thanks.
Sorry, but my hands are tied. I am trying to work with what I have + my novice knowledge of Cisco/switching/routing. The admin who manages the router (contracted) explained that all NAT for internet has been configured. However, they don't share the router config. The router's gateway IP (172 subnet) has been routed to 18.104.22.168. But I can have that changed with a phone call.
The router is connected to our network via a L2 switch on a switchport mode access port. I guess I have to change this to trunk, right? When I issue the command (show ip route) on our layer 3 Cisco 3550 switch, I get the following:
Gateway of last resort is not set
22.214.171.124/24 is subnetted, 1 subnets
C 126.96.36.199 is directly connected, Vlan4
188.8.131.52/32 is subnetted, 2 subnets
O 184.108.40.206 [110/2] via 220.127.116.11, 7w0d, Vlan4
[110/2] via 10.126.29.3, 7w0d, Vlan20
C 18.104.22.168 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.126.48.0/22 is directly connected, Vlan100
C 10.126.29.0/24 is directly connected, Vlan20
3. What is the best way to set a default-route that points to the router? or
5. What command can I run to check if a dynamic routing protocol exists between the 3550s and the router?
I configured HSRP on the 3550s because I saw it had been used on the switches for the internal vlan by the previous network admin. I was trying to duplicate configurations to the guest vlan. This responsibility was put in my hands without much choice. I am new at this and I appreciate all the help everyone is giving.
Apologies if I came across a bit stroppy, it wasn't intended.
If the link between the switch and the router is a switchport access mode then do you know which vlan it is in? By the sounds of it I'm guessing your internal lan which is working is the vlan on the L2 link. If this is the case then it just won't work for your guest vlan if both the default-gateways for the internal lan and the guest lan are on the router. You are right in that it would have to be a trunk link but it's not quite that simple. It would also require the router to have subinterfaces.
Where things are a little confusing is that it sounds like you have both default-gateways on the router but the router connects via a switchport access rather than a trunk. This really needs clarifying with your provider who manages the router.
What I can say is that if you are using the router as DG for both vlans then HSRP gives you nothing on the 3550s. There are a number of options you have:
1) use subinterfaces on the router and set these as DG for clients. Set the link between the router and the switch to be trunk. However you would only really revert to this solution if you didn't have L3 switch
2) Do as previously suggested ie. route vlans off 3550s and have a routed link to router. This would also give you the ability to control the traffic between the internal lan and the guest lan on your 3550.
3) You could route the guest vlan on the 3550s and have a next-hop IP of the internal LAN subnet IP address on the router. This is messy really but it may work.
However none of the above can be implemented without a full understanding of the current router config. If as suspected it is an access port in your internal LAN vlan and they have definitely set up NAT and a return route to the guest vlan you could implement option 3) above without their intervention. But I would strongly recommend talking it all through with them ie.
ask them if they have setup the NAT for a second range of IPs ie. the guest vlan but they are only connecting to the switch with an access port, how do they expect the other vlan traffic to get to the router?
I am a little confused about your setup. If the gateway for the PCs in both vlans is the router then why have you even bothered to setup HSRP on the switches?
Because you have no visibility of the router config how do you know whether the NAT is setup correctly or whether the subinterfaces are? Note I'm assuming the router is using subinterfaces and that it is connected to your switch via a L2 trunk?
Please don't take this the wrong way but this really isn't how to set this sort of network up. You don't have L3 switches running HSRP only to then completely ignore that and set the default-gateway to the router.
What you should be doing is -
1) routing the vlans off the 3550s so the default-gateways of the clients is the HSRP address of its respective vlan on the 3550s
2) have a routed P2P link to the router.
3) on the 3550s have a default-route pointing to the router
4) on the router have routes for the internal vlans pointing back to the 3550s
Or instead of 3&4
5) use a dynamic routing protocol between the 3550s and the router
6) the provider who manages the router would have to setup the NAT etc. for the internet.
Currently you have a sort of halfway house.
Could you explain the logic of having HSRP on the 3550s but then not using the VIP as a gateway for the clients?
Can you get a copy of the router config?
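The following is an added worked configuration illustrating the design recommended in the reply above (steps 1 to 4: route the vlans on the 3550s with HSRP as the client gateway, a routed P2P link to the router, a default route on the 3550 and return routes on the router). It also answers the earlier questions about setting a default route and checking for a dynamic routing protocol. It is not taken from the thread or from the poster's switches. The internal vlan 20 / 10.126.29.0/24 comes from the show ip route output in the thread; the guest vlan id (30), the guest subnet 172.16.0.0/24, the P2P subnet 192.0.2.0/30 and the interface names are assumed placeholders, and only the first 3550 of the HSRP pair is shown.

```cisco
! ===== 3550 #1 (assumed: primary HSRP switch) =====
ip routing
!
! Internal vlan 20 - subnet 10.126.29.0/24 from the thread's show ip route.
! Clients use the HSRP VIP 10.126.29.1 as their default gateway (assumed VIP).
interface Vlan20
 ip address 10.126.29.2 255.255.255.0
 standby 20 ip 10.126.29.1
 standby 20 priority 110
 standby 20 preempt
!
! Guest vlan 30 - 172.16.0.0/24 is an assumed placeholder for the 172.x.x.x range.
! The router ACL stops guest clients reaching the internal 10.x.x.x space while
! still letting them out to the internet via the 3550's default route.
ip access-list extended GUEST-IN
 deny   ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any
!
interface Vlan30
 ip address 172.16.0.2 255.255.255.0
 ip access-group GUEST-IN in
 standby 30 ip 172.16.0.1
 standby 30 priority 110
 standby 30 preempt
!
! Routed P2P link to the provider's router (assumed port and /30 subnet).
! "no switchport" turns the 3550 port into a routed port, so the router
! connects with a plain L3 link rather than an access or trunk port.
interface FastEthernet0/24
 no switchport
 ip address 192.0.2.2 255.255.255.252
!
! Step 3: default route on the 3550 pointing at the router's P2P address.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ===== Provider router (assumed; the provider would apply this) =====
! Step 4: return routes for the vlans pointing back at the 3550's P2P address.
! NAT for both ranges is the provider's job and is not shown here.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
!
ip route 10.126.29.0 255.255.255.0 192.0.2.2
ip route 172.16.0.0 255.255.255.0 192.0.2.2
```

On the second 3550 the same Vlan20 and Vlan30 interfaces are repeated with their own real addresses and a lower standby priority so the first switch wins the VIP. To check whether a dynamic routing protocol is running between the 3550s and the router (the "O" entries in the thread's show ip route are OSPF-learned), "show ip protocols" lists the active protocols and their neighbours, and "show ip ospf neighbor" shows whether the router appears as an OSPF neighbour; if it does not, the static routes above are what carry traffic between them.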