Connecting to Gateway from 2 Vlans

mauricelk
Level 1

We have 2 L3 Cisco 3550 switches and a few L2 Cisco 3550 switches. All the switches are in the same domain. There are 3 vlans, one for management, one for internal use (10.x.x.x) and one for guests (172.x.x.x). From the internal vlan, we can access the internet, but not from the guest vlan. There is a gateway IP on the L3 switch for each vlan, though each vlan also has a gateway IP on the router.

My problem is when I am on our 10.x.x.x network, I can ping the gateway IP meant for our 172.x.x.x network. When I am on the 172.x.x.x network I cannot ping its own gateway IP address. The 10.x.x.x network has no problem getting to its own gateway IP address. The gateway IP addresses are configured on the gateway Cisco router. Eventually, there should be no communication between both networks.

Could someone help me figure out why I cannot ping the gateway IP for the guest vlan when connected on the guest vlan? Thanks.

2 Accepted Solutions

I am a little confused about your setup. If the gateway for the PCs in both vlans is the router then why have you even bothered to setup HSRP on the switches ?

Because you have no visibility of the router config, how do you know whether the NAT is set up correctly or whether the subinterfaces are? Note I'm assuming the router is using subinterfaces and that it is connected to your switch via a L2 trunk?

Please don't take this the wrong way but this really isn't how to set this sort of network up. You don't have L3 switches running HSRP only to then completely ignore that and set the default-gateway to the router.

What you should be doing is -

1) routing the vlans off the 3550s so the default-gateways of the clients are the HSRP address of their respective vlan on the 3550s

2) have a routed P2P link to the router.

3) on the 3550s have a default-route pointing to the router

4) on the router have routes for the internal vlans pointing back to the 3550s

Or instead of 3&4

5) use a dynamic routing protocol between the 3550s and the router

6) the provider who manages the router would have to setup the NAT etc. for the internet.

Currently you have a sort of halfway house.

Could you explain the logic of having HSRP on the 3550s but then not using the VIP as a gateway for the clients ?

Can you get a copy of the router config ?

Jon


mauricelk wrote:

Sorry, but my hands are tied. I am trying to work with what I have + my novice knowledge of Cisco/switching/routing. The admin who manages the router (contracted) explained that all NAT for internet has been configured. However, they don't share the router config. The router's gateway IP (172 subnet) has been routed to 172.72.195.4. But I can have that changed with a phone call.

The router is connected to our network via a L2 switch on a switchport mode access port. I guess I have to change this to trunk, right? When I issue the command (show ip route) on our layer 3 Cisco 3550 switch, I get the following:

Gateway of last resort is not set

     172.72.0.0/24 is subnetted, 1 subnets
C       172.72.195.0 is directly connected, Vlan4
     172.13.0.0/32 is subnetted, 2 subnets
O       172.13.126.13 [110/2] via 172.72.195.3, 7w0d, Vlan4
                      [110/2] via 10.126.29.3, 7w0d, Vlan20
C       172.13.126.12 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.126.48.0/22 is directly connected, Vlan100
C       10.126.29.0/24 is directly connected, Vlan20

3. What is the best way to set a default-route that points to the router? or

5. What command can I run to check if a dynamic routing protocol exists between the 3550s and the router?


I configured HSRP on the 3550s because I saw it had been used on the switches for the internal vlan by the previous network admin. I was trying to duplicate configurations to the guest vlan. This responsibility was put in my hands without much choice. I am new at this and I appreciate all the help everyone is giving.

Apologies if I came across a bit stroppy; it wasn't intended.

If the link between the switch and the router is a switchport in access mode, then do you know which vlan it is in? By the sounds of it I'm guessing your internal LAN, which is working, is the vlan on the L2 link. If this is the case then it just won't work for your guest vlan if both the default-gateways for the internal LAN and the guest LAN are on the router. You are right in that it would have to be a trunk link, but it's not quite that simple. It would also require the router to have subinterfaces.

Where things are a little confusing is that it sounds like you have both default-gateways on the router but the router connects via a switchport access rather than a trunk. This really needs clarifying with your provider who manages the router.

What I can say is that if you are using the router as DG for both vlans then HSRP gives you nothing on the 3550s. There are a number of options you have:

1) use subinterfaces on the router and set these as DG for clients. Set the link between the router and the switch to be trunk. However you would only really revert to this solution if you didn't have L3 switch

2) Do as previously suggested ie. route vlans off 3550s and have a routed link to router. This would also give you the ability to control the traffic between the internal lan and the guest lan on your 3550.

3) You could route the guest vlan on the 3550s and have a next-hop IP of the internal LAN subnet IP address on the router. This is messy really but it may work.

However, none of the above can be implemented without a full understanding of the current router config. If, as suspected, it is an access port in your internal LAN vlan and they have definitely set up NAT and a return route to the guest vlan, you could implement option 3) above without their intervention. But I would strongly recommend talking it all through with them, ie.

ask them if they have setup the NAT for a second range of IPs ie. the guest vlan but they are only connecting to the switch with an access port, how do they expect the other vlan traffic to get to the router ?

Jon

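Added example, written for this thread and not taken from the posts above or from Cisco: an IOS-style sketch of the design Jon describes in both accepted answers (route the vlans off the 3550s with the HSRP VIP as client gateway, a routed link to the router, a default route one way and return routes the other). VLAN 4/20, the switch addresses and the 172.72.195.4 VIP come from the thread; the hostname, the Gi0/12 port, the 192.0.2.0/30 link, the internal VIP 10.126.29.1, the GUEST-IN ACL and the management-subnet placeholder are assumptions.

```text
! === 3550 #1 (hostname SW1 assumed). SW2 mirrors this with its .3 addresses and,
! until a routing protocol is agreed (step 5), a default route via SW1's Vlan20 IP. ===
ip routing
!
! Step 1: guest VLAN 4 is routed on the switch. The HSRP VIP 172.72.195.4 becomes the
! clients' default gateway; the router's 172.72.195.1 is no longer used as a gateway.
interface Vlan4
 ip address 172.72.195.2 255.255.255.0
 ip access-group GUEST-IN in
 standby 1 ip 172.72.195.4
 standby 1 priority 100
 standby 1 preempt
!
interface Vlan20
 ip address 10.126.29.2 255.255.255.0
 standby 2 ip 10.126.29.1
 standby 2 priority 100
 standby 2 preempt
!
! Step 2: routed point-to-point link to the provider's router (port and /30 assumed)
interface GigabitEthernet0/12
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! Step 3: default route to the router; this clears "Gateway of last resort is not set"
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! Guest isolation on the SVI: let guests reach DHCP and their own subnet (which also
! covers HSRP hellos from SW2), block the internal 10/8 space and the management
! subnet, and pass everything else to the default route. The provider still has to
! NAT 172.72.195.0/24 on the router for guest internet access.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 172.72.195.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.72.195.0 0.0.0.255 <MGMT-SUBNET> <WILDCARD>
 permit ip 172.72.195.0 0.0.0.255 any
!
! === Router side (provider-managed), step 4: return routes to the 3550s ===
ip route 172.72.195.0 255.255.255.0 192.0.2.1
ip route 10.126.29.0 255.255.255.0 192.0.2.1
```

After the change, `show ip route` on the 3550 should list a gateway of last resort, and a guest PC should ping 172.72.195.4 but not 10.126.29.x.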

24 Replies

Ganesh Hariharan
VIP Alumni

No, both vlans can ping each other, as IP routing is enabled on these L3 devices, so inter-vlan communication will happen.

Are you able to ping one of the guest vlan PCs from the switch, using the guest vlan as the source?

And paste the show spanning-tree for the guest vlan.

Regards

Ganesh.H

I can ping any guest vlan PC from switch. The problem is just getting to the gateway ip (172.27.195.1).

Below is the spanning tree for guest vlan from L3 switch:

VLAN0004
  Spanning tree enabled protocol rstp
  Root ID    Priority    8241
             Address     000d.ed29.af80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8241   (priority 8192 sys-id-ext 49)
             Address     000d.ed29.af80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/2            Desg FWD 4         128.2    P2p
Gi0/3            Desg FWD 4         128.3    P2p
Gi0/4            Desg FWD 4         128.4    P2p
Gi0/5            Desg FWD 4         128.5    P2p
Gi0/6            Desg FWD 4         128.6    P2p
Gi0/7            Desg FWD 4         128.7    P2p
Gi0/9            Desg FWD 4         128.9    P2p
Gi0/10           Desg FWD 4         128.10   P2p
Po1              Desg FWD 3         128.65   P2p

Hi,

But your configuration for the guest vlan HSRP states that the virtual IP is 172.72.195.4:

interface Vlan4
ip address 172.72.195.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
standby 1 ip 172.72.195.4

Make the PC gateway 172.72.195.4 and check whether it pings or not.

Hope that helps !!

Regards

Ganesh.H

After changing PC gateway to 172.72.195.4, I was unable to ping anything on Vlan4. But soon as I changed it back to 172.72.195.1, I was able to ping all 172.72.195.x IPs except for 172.72.195.1 (on the router).

This IP 172.72.195.1 is of another switch in the same vlan. Please share the show hsrp for the guest vlan.

Regards

Ganesh.H

172.72.195.1 is a virtual interface on the router. The switch here is not accepting the show hsrp command.

Use the show standby vlan 4 command to check the hsrp status... & not show hsrp ...

Raj

Vlan49 - Group 1
  State is Active
    2 state changes, last state change 11w3d
  Virtual IP address is 172.72.195.4
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.204 secs
  Preemption enabled
  Active router is local
  Standby router is 172.72.195.2, priority 100 (expires in 8.532 sec)
  Priority 120 (configured 120)
  IP redundancy name is "hsrp-Vl49-1" (default)

Hi

I see the virtual HSRP IP being 172.72.195.4, but the real IPs on both the active and standby routers seem to be 172.72.195.2 !!!! Can you check this? You might have to change the Layer 3 IP in one of the switches, probably to 172.72.195.1, and check if it works..

Raj

172.72.195.1 cannot be used on the LAN since it's configured on the router as the gateway for the guest subnet. 172.72.195.2 is the interface IP for vlan4 on L3 switch #1 and I also have 172.72.195.3 for L3 switch #2. I have used 172.72.195.4 as standby between the two switches.

I'm a bit confused here.. The configuration that you gave in your original post.. is it switch #1 or switch #2.. it had the following configs:

interface Vlan4
ip address 172.72.195.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
standby 1 ip 172.72.195.4

and your show standby vlan 4 -> gave the standby IP as 172.72.195.2 ! Is this command taken on the same switch as the config posted, or different switch..

By the way why do you have the router interface on the same subnet as the switch ?

Raj

Sorry for mixing things up. The results for show standby vlan 4 are from Switch #2. I ran the same command on Switch #1 and it gave the standby IP as 172.72.195.3.

I don't have the details on how the router is configured, I just know about the GW IP addresses. All I know is there is an IP assigned on it (172.72.195.1) that I intend to use for the guest Vlan.

Just to isolate layer 2 issues, can you configure a port on the guest vlan directly on the layer 3 switch and see if you are able to ping 172.72.195.2, 3 or 4.. forget the router IP as of now.. we need to have connectivity to the layer 3 switch from the PC... is the router connected on the guest vlan directly or is it trunked?

Raj

I finally was able to use one of the 2 ethernet ports on the layer 3 switch that I configured for the guest vlan. Connected a computer to it and I was able to ping 172.72.195.2, 3 and 4. I tried pinging 172.72.195.1 (GW) for the heck of it, and was unable to ping it.
