Any explanation on why this simple 'router on a stick' does not work?

Answered Question
Feb 15th, 2010

Imagine I have:

client1: IP=10.0.0.1/12, default-gateway=10.15.255.254

connected to switch1, port fa0/2.

client2: IP=10.31.255.1/12, default-gateway=10.31.255.254

connected to switch1, port fa0/3.

From client1 and client2, I can ping respective default-gateways OK.

However, neither client1 nor client2 can ping each other.

It seems this router on a stick config is not working. Based on the output of the show tech for both router and switch, do you have any idea why this does not work?

Jon Marshall Mon, 02/15/2010 - 13:04

news2010a wrote:

Imagine I have:

client1: IP=10.0.0.1/12, default-gateway=10.15.255.254

connected to switch1, port fa0/2.

client2: IP=10.31.255.1/12, default-gateway=10.31.255.254

connected to switch1, port fa0/3.

From client1 and client2, I can ping respective default-gateways OK.

However, neither client1 nor client2 can ping each other.

It seems this router on a stick config is not working. Based on the output of the show tech for both router and switch, do you have any idea why this does not work?

Marlon

Can you check to see if there are any personal firewalls running on the PCs that would block an incoming ICMP request?

Jon

news2010a Mon, 02/15/2010 - 13:24

I checked that; I turned off Microsoft firewall thing and I am familiar with the PC's and I know there are no firewalls blocking ICMP.

news2010a Mon, 02/15/2010 - 13:33

From the router, ping to each PC times out.

When I added an IP address to SVI on the switch int vlan 1 (only did this for a ping test), I can't ping the router default-gateways either from the switch.

From the switch, I can't ping the PC's either.

Correct Answer
Jon Marshall Mon, 02/15/2010 - 13:40

news2010a wrote:

From the router, ping to each PC times out.

When I added an IP address to SVI on the switch int vlan 1 (only did this for a ping test), I can't ping the router default-gateways either from the switch.

From the switch, I can't ping the PC's either.

Marlon

For a ping test you would need to configure the vlan interface on the switch to be in vlan 298 not vlan 1 ie.

int vlan 298

ip address 10.15.255.253 255.240.0.0

Can you do this and then ping router from switch and switch from router.

Jon

news2010a Mon, 02/15/2010 - 13:44

Ding, I clicked 'correct' instead of clicking on 'reply'.

True, OK Jon, please give me a few days and I will have access to the hardware rack again. I will post the result back.

Leo Laohoo Mon, 02/15/2010 - 13:47

Checked your config. I have one question: Where is your VLAN instance?

vlan 298
vlan 442
vlan 503
vlan 550

news2010a Mon, 02/15/2010 - 13:55

I am not sure if I understand your question about "instance". The respective VLANs were created in vlan.dat as shown below.

Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/24      1-3,298,442,503,550

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      1-3,298,442,503,550

------------------ show cdp neighbors ------------------


Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router1          Fas 0/24           170         R S I     2811      Fas 0/0

------------------ show spanning-tree summary ------------------

Switch is in pvst mode
Root bridge for: VLAN0001-VLAN0003, VLAN0298, VLAN0442, VLAN0503, VLAN0550
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          1          1
VLAN0002                     0         0        0          1          1
VLAN0003                     0         0        0          1          1
VLAN0298                     0         0        0          2          2
VLAN0442                     0         0        0          2          2
VLAN0503                     0         0        0          1          1
VLAN0550                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
7 vlans                      0         0        0          9          9

Leo Laohoo Mon, 02/15/2010 - 14:01

Maybe I'm running a different IOS but what is the result with the "sh vlan"?  Do you see your VLANS there and ports associated to the VLANs?

news2010a Mon, 02/15/2010 - 14:11

Yes it is assigned correctly.

------------------ show vlan ------------------

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23
2    VLAN2                            active   
3    VLAN#                            active   
298  KELLY                            active    Fa0/2
442  MRBROWN                          active    Fa0/3
503  CHRIS                            active    Fa0/4
550  DAN                              active    Fa0/5
1002 fddi-default                     act/unsup

buchholr Mon, 02/15/2010 - 16:08

Can you post the output of  a "show ip route" command from the router?

On rare occasions I have seen routing turned off on a router. If that is the case, the output of the above command is different than normal. It can be turned back on with the "ip routing" command.

It is a long shot, but I just don't see anything immediately wrong with your configs.

Robert

nqtran1979 Mon, 02/15/2010 - 16:29

From the configs you've attached, it looks like vlan 1 is in the same subnet as vlan 298. I would suggest changing this or even removing it altogether. You also don't really need the ip default-gateway configuration on the switch as well. Just make sure the vlans are allowed on the trunk ports. The best way to check this out is a "show int fa0/24 trunk".

On Switch:

interface Vlan1
ip address 10.15.255.253 255.240.0.0
no ip route-cache

On Router:

interface FastEthernet0/0.298
description KELLY
encapsulation dot1Q 298
ip address 10.15.255.254 255.240.0.0
no snmp trap link-status

news2010a Tue, 02/16/2010 - 07:02

Yes, initially I had no SVI whatsoever and no default-gateway configured on the switch. So I added the SVI IP address for a quick test. Yes, this can be removed. I will have access to the gear tonight and I will update you.

news2010a Wed, 02/17/2010 - 08:34

Once I powered on devices and client machines in the rack to work on this again, everything worked fine.

One thing that I learned though:
I thought that placing an IP address (which belongs to vlan 298 network range) under vlan 1 for example could let me establish IP communications. I see that I had to place it under vlan 298. Interesting.


Thanks everyone for all your help.

Correct Answer
Jon Marshall Wed, 02/17/2010 - 08:45

news2010a wrote:

Once I powered on devices and client machines in the rack to work on this again, everything worked fine.

One thing that I learned though:
I thought that placing an IP address (which belongs to vlan 298 network range) under vlan 1 for example could let me establish IP communications. I see that I had to place it under vlan 298. Interesting.


Thanks everyone for all your help.

Marlon

Glad you got it working.

The reason you need to use an SVI for vlan 298 is because the connection between the switch and the router is an 802.1q trunk so the vlan packets will be tagged. And the router expects to see vlan tags for vlans 298, 442, 503 and 550. So if it receives a packet with a vlan 1 tag it doesn't know what to do. And if the native vlan is vlan 1 and so the packet is sent untagged it still doesn't know what to do as you have not explicitly configured any of the subinterfaces as the native vlan.

Jon
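
Added example, not part of the original thread: a small Python model of the tagging behaviour described in the answer above, showing which router subinterface (if any) accepts a frame sourced from a switch SVI. The MAC address, the ARP body, native VLAN 99 and the subinterface names other than Fa0/0.298 are constructed or assumed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Router side as described in the thread. Only Fa0/0.298 is shown on the page;
# the other subinterface names are assumed to follow the same numbering.
ROUTER_SUBIFS = {298: "Fa0/0.298", 442: "Fa0/0.442",
                 503: "Fa0/0.503", 550: "Fa0/0.550"}

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan is set."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload

def trunk_egress(svi_vlan, native_vlan):
    """Frame an ARP request leaving the switch trunk from the given SVI.
    The native VLAN is sent untagged; every other VLAN is tagged."""
    dst = bytes.fromhex("ffffffffffff")   # broadcast
    src = bytes.fromhex("020000000001")   # constructed switch MAC
    arp = bytes(28)                       # constructed placeholder ARP body
    vlan = None if svi_vlan == native_vlan else svi_vlan
    return build_frame(dst, src, 0x0806, arp, vlan)

def router_demux(frame, subifs=ROUTER_SUBIFS, native_subif=None):
    """Return the subinterface that accepts the frame, or None if none does.
    native_subif=None models the thread: no subinterface is marked native."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return subifs.get(tci & 0x0FFF)   # match on the 12-bit VLAN ID
    return native_subif                   # untagged frame

def svi_reaches(svi_vlan, native_vlan=1):
    """Which router subinterface sees traffic sourced from this switch SVI?"""
    return router_demux(trunk_egress(svi_vlan, native_vlan))

if __name__ == "__main__":
    # (SVI VLAN, trunk native VLAN); native 99 is a constructed value
    for vlan, native in [(298, 1), (1, 1), (1, 99)]:
        print(f"SVI vlan {vlan}, native {native}: {svi_reaches(vlan, native)}")
```

Only the SVI in vlan 298 lands on a subinterface; an SVI in vlan 1 is dropped whether the trunk sends it untagged (native vlan 1) or tagged with 1.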
