Can't access my switches from my router

Answered Question
Sep 3rd, 2010

Hi all,

Can someone put me through on how to solve this connectivity problem?

I do have about 10 switches inside my LAN with private IP addresses like 192.168.12.2 - 11. The switches are connected on the same network as my router's local interface. I am running 7 VLANs and my core switch connection to my router is a trunk port. All the 5 VLANs are working from within. I can get a DHCP address from the router and all the VLANs can be seen on all other switches.

If I assign my laptop an IP address (e.g. 192.168.12.15) on the same VLAN 1, I can access any of the 10 switches from within the LAN. I can also access the switches from the core switch if I connect to the core through a console cable.

I can access the router from a remote location through the WAN port using the public IP address. I can also access the router LAN port (e.g. 192.168.12.1) if I am within the LAN.

My problem now is how to access the switches from the router when I connect to the router from a remote location. I cannot ping any of the switches from the router and I do have to be local to access the switches all the time. My partial config is as below:

Config:

Router:
===============
interface GigabitEthernet0/0.1
description ADMIN-VLAN1$FW_INSIDE$
encapsulation dot1Q 1 native
ip address 192.25.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status

interface GigabitEthernet0/1
description WAN Uplink$ETH-WAN$$FW_OUTSIDE$
ip address 97.54.218.170 255.255.255.248
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
negotiation auto
!
ip http server
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 192.25.10.0 0.0.0.255
access-list 1 permit 192.25.20.0 0.0.0.255
access-list 1 permit 192.25.30.0 0.0.0.255
access-list 1 permit 192.25.40.0 0.0.0.255
access-list 1 permit 192.25.50.0 0.0.0.255
access-list 1 permit 192.25.60.0 0.0.0.255
access-list 1 permit 192.25.70.0 0.0.0.255
access-list 1 permit 192.25.80.0 0.0.0.255
access-list 1 permit 192.25.90.0 0.0.0.255
access-list 1 permit 192.25.1.0 0.0.0.255
access-list 2 permit 97.54.208.17
access-list 2 permit 97.54.0.0 0.0.255.255
access-list 2 permit 97.54.218.0 0.0.0.255
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.54.218.259
!
!
!
line vty 0 4
access-class 2 in
exec-timeout 60 0
privilege level 15
password 7 13dfetgghrrtbferddefffee
logging synchronous
transport input telnet ssh
line vty 5 15
access-class 2 in
exec-timeout 60 0
password 7 eettfgetdtg335636346
logging synchronous
transport input telnet ssh


===================
Switch:
===================
interface Vlan1
ip address 192.25.1.2 255.255.255.0
no shut
no ip redirects
no ip route-cache
no ip mroute-cache
!
!
line vty 0 4
exec-timeout 30 0
password 7 0523053B11437A3C2A44
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 30 0
password 7 132D14263B03301F1865
logging synchronous
transport input ssh

Thanks

Jon Marshall Fri, 09/03/2010 - 07:56

Add this to your switches:

switch(config)# ip default-gateway 192.25.1.1

Jon

canakweze Fri, 09/03/2010 - 08:41

I just added (ip default-gateway 192.25.1.1) and I am still not able to get to it from the router. I cannot even ping the switch from the router. Do I need to define an access list since I have none? Thanks

This is the config I have now on the switch:

CoreSwitch#sho run
Building configuration...

Current configuration : 7613 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CoreSwitch
!
!
username xxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
ip subnet-zero
!
ip igmp snooping querier
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet 0/1
description UPLINK CONNECTION
switchport trunk encapsulation dot1q
duplex full
storm-control action shutdown
!
interface GigabitEtherne0/2
description UPLINK CONNECTION
duplex full
storm-control action shutdown

.

.

interface Vlan1
ip address 192.25.1.2 255.255.255.0

!
ip default-gateway 192.25.1.1

ip classless
ip http server

!

control-plane
!
!
line con 0
exec-timeout 15 0
password 7 xxxxxxxxxxxxxxxxx
logging synchronous
login
stopbits 1
line vty 0 4
exec-timeout 60 0
password 7 xxxxxxxxxxxxxxxxx

logging synchronous
login
transport input telnet
line vty 5 15
exec-timeout 60 0
password 7 xxxxxxxxxxxxxxxxx

logging synchronous
login
transport input telnet
!
ntp clock-period 36029218
ntp server xxx.xx.x.x
ntp server xxx.xx.xx.xx
end

Nagaraja Thanthry Fri, 09/03/2010 - 09:00

Hello,

Can you issue "show arp" on the router and see if it has an entry for the 192.25.1.2 address? If not, then I guess there is some issue with the native VLAN configuration on the switch connected to the router. Please make sure that the native VLAN is 1 and you have not enabled tagging for the native VLAN on the switch.

Regards,

NT

Richard Burts Fri, 09/03/2010 - 09:12

While I agree with Jon that having a default-gateway is a best practice and should be added to the switch, since the switches and the router all appear to be within the same subnet, the default-gateway is not the issue that is impacting connectivity here.

I very much like the suggestion from NT about checking the ARP table. This is an excellent check to see if there is layer 2/layer 3 connectivity. I would also suggest that show cdp neighbor would be another good check to verify whether or not there is connectivity (and this would focus on layer 2 connectivity).

To the original poster - I notice that the switch vty is configured with transport input ssh. So the only remote access to the switches is via SSH. Can you verify that SSH is enabled on the switches? (What is the output from show ip ssh?)

HTH

Rick

canakweze Fri, 09/03/2010 - 09:14

I do not see an entry for the 192.25.1.2 address. I am able to see entries for other devices on other VLANs that have access to the internet. What can I do to resolve this?

Thanks

Nagaraja Thanthry Fri, 09/03/2010 - 09:19

Hello,

Can you post the configuration of the switch interface that connects to the router? Also, post the corresponding router interface configuration once again here.

Regards,

NT

canakweze Fri, 09/03/2010 - 16:47

Router WAN Port:

===========

interface GigabitEthernet0/1
description WAN Uplink$ETH-WAN$$FW_OUTSIDE$
ip address 97.54.218.170 255.255.255.248
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
negotiation

Router LAN Port:

=============

interface GigabitEthernet0/0.700
description Network Switches-VLAN 70$FW_INSIDE$
encapsulation dot1Q 700
ip address 172.16.70.1 255.255.255.192
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!


Core Switch Uplink Port to the Router:

======================
interface GigabitEthernet 0/1
description UPLINK CONNECTION
switchport trunk encapsulation dot1q
duplex full

All of the switches are connected on trunk ports like the one above.

Correct Answer
sgnaidudg Sun, 09/05/2010 - 00:42

Looks like you need to concentrate on the NAT config under the router interfaces.
How about the NAT translations? Will they show anything useful?

I mean because you are landing using the WAN connection and have "access-class 2 in" applied.
Please compare the IP address when you are accessing locally and when trying to access remotely by WAN.

If it does not make sense, please ignore. Thanks.

canakweze Sun, 09/05/2010 - 06:11

Thanks Guys.

I had to look at my IP addresses again and the VLAN mapping. I was actually off in my interface IP assignment. All the switches are in the native VLAN 1 while the interface on the router with the same IP address was on VLAN 700. I have moved the IP address on VLAN 700 to VLAN 1 and everything works now.

Thanks so much for your suggestions.
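The root cause in the last post was a VLAN mismatch: the router carried the switches' subnet on a dot1Q sub-interface tagged 700 while every switch's management SVI sat in native VLAN 1, so the two never exchanged ARP. As an added example (not from the thread or from Cisco), here is a small Python check that parses an IOS router config and a switch config and flags any subnet the router tags with one VLAN id while a switch SVI expects another; the sample configs are constructed to mirror the ones posted above.

```python
import ipaddress
import re

# Constructed sample configs modelled on the thread (assumption: the router
# sub-interface and the switch SVI share 192.25.1.0/24, as the final post says).
ROUTER_CFG = """
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.25.10.1 255.255.255.0
!
interface GigabitEthernet0/0.700
 description Network Switches-VLAN 70
 encapsulation dot1Q 700
 ip address 192.25.1.1 255.255.255.0
!
"""
SWITCH_CFG = """
interface Vlan1
 ip address 192.25.1.2 255.255.255.0
!
"""

def parse_ios_l3(cfg):
    """Return {interface_name: (vlan_id, ip_network)} for every L3 interface.
    Router sub-interfaces take their VLAN from 'encapsulation dot1Q N';
    switch SVIs take it from the 'interface VlanN' name itself."""
    result, name, vlan, net = {}, None, None, None
    for line in cfg.splitlines() + ["!"]:        # trailing "!" flushes the last block
        if line.startswith("!") or line.startswith("interface "):
            if name and vlan is not None and net is not None:
                result[name] = (vlan, net)
            name, vlan, net = None, None, None
        m = re.match(r"interface (\S+)", line)
        if m:
            name = m.group(1)
            svi = re.match(r"Vlan(\d+)$", name)
            vlan = int(svi.group(1)) if svi else None
            continue
        m = re.match(r"\s*encapsulation dot1[Qq] (\d+)", line)
        if m:
            vlan = int(m.group(1))
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m:   # "a.b.c.d mask" form; strict=False keeps the host address valid
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return result

def find_vlan_mismatches(router_cfg, switch_cfg):
    """Pair router sub-interfaces with switch SVIs on the same subnet and report
    pairs whose VLAN ids differ (the symptom in this thread: 700 vs native 1)."""
    router, switch = parse_ios_l3(router_cfg), parse_ios_l3(switch_cfg)
    return [(r_name, r_vlan, s_name, s_vlan, str(r_net))
            for r_name, (r_vlan, r_net) in router.items()
            for s_name, (s_vlan, s_net) in switch.items()
            if r_net == s_net and r_vlan != s_vlan]
```

Running `find_vlan_mismatches(ROUTER_CFG, SWITCH_CFG)` on the sample returns the 0/0.700-versus-Vlan1 pair; re-homing that subnet on the native sub-interface, as the poster did, makes it return an empty list.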
