Cat 3560 routing question

Answered Question
Dec 9th, 2011

The last few days I've been exploring options for getting rid of some old routers across WAN connections. I have a cat 3560 to play with and I thought I would try to use the no switchport command to test out routing with the switch. I've got some type of route issue and I tried a few things which I thought would fix the issue but had no effect. I'll post the config and a few commands so you can see what the basic setup is. I imagine there is a very simple solution I am overlooking.

I have a 10.3.x.x network which is what this switch is in (IP 10.3.3.110)

To test no switchport I used FE0/15 and gave it 10.7.1.1, then plugged in a cat 2960 into that port.

I have a laptop plugged into the 2960 switch which has an IP of 10.7.1.2, and gateway of 10.7.1.1.

The laptop can ping all devices on the lan and even devices across the WAN connected on FE0/5. (10.1.1.1 and 10.2.2.1)

I however cannot ping the default gateway 10.3.3.254 (ASA)

PC (10.7.1.2) <--> cat 2960 <--> (10.7.1.1 no switchport) Cat 3560 <-- X --> ASA (10.3.3.254) <--> Internet

3560 config

!
ip routing
!
! ASA here, ASA goes to the ISP
interface FastEthernet0/1
!
! routing port created to make a 10.7.x.x lan for this test
interface FastEthernet0/13
 no switchport
 ip address 10.7.1.1 255.255.0.0
!
interface Vlan1
 ip address 10.3.3.110 255.255.0.0
!
router eigrp 1
 network 10.3.3.110 0.0.0.0
 redistribute connected
!
ip route 0.0.0.0 0.0.0.0 10.3.3.254
!

There are a few other things going on in the switch but nothing which should affect this. That is the basic config more or less. Below are the routes via eigrp; 10.3.3.254 (ASA) is the default.

#show ip route
Gateway of last resort is 10.3.3.254 to network 0.0.0.0
     10.0.0.0/16 is subnetted, 4 subnets
D       10.2.0.0 [90/28928] via 10.3.3.1, 06:00:16, Vlan1
C       10.3.0.0 is directly connected, Vlan1
D       10.1.0.0 [90/28672] via 10.3.3.1, 06:00:16, Vlan1
C       10.7.0.0 is directly connected, FastEthernet0/13
     192.168.1.0/30 is subnetted, 2 subnets
D       192.168.1.8 [90/3072] via 10.3.3.1, 06:00:16, Vlan1
D       192.168.1.4 [90/3328] via 10.3.3.1, 06:00:16, Vlan1
S*   0.0.0.0/0 [1/0] via 10.3.3.254

#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.10               0   000e.0c31.f806  ARPA   Vlan1
Internet  10.3.3.3                0   0050.569b.1bc9  ARPA   Vlan1
Internet  10.3.3.1                0   0013.19d3.5340  ARPA   Vlan1
Internet  10.7.1.1                -   001f.9eb3.fc41  ARPA   FastEthernet0/13
Internet  10.7.1.2                0   0025.645c.69cd  ARPA   FastEthernet0/13
Internet  10.3.3.4                0   0050.569b.0b2d  ARPA   Vlan1
Internet  10.3.3.20               7   0022.1912.0c2f  ARPA   Vlan1
Internet  10.3.3.21               0   001c.2359.0b5d  ARPA   Vlan1
Internet  10.3.3.41               0   0014.3887.ef8f  ARPA   Vlan1
Internet  10.3.3.39              24   000e.7f3b.6887  ARPA   Vlan1
Internet  10.3.11.61              0   0021.70f8.dbae  ARPA   Vlan1
Internet  10.3.3.110              -   001f.9eb3.fc40  ARPA   Vlan1
Internet  10.3.3.254              0   0013.c482.5665  ARPA   Vlan1

Here we can see in the arp that it knows about both 10.7.1.2 (PC unable to ping 10.3.3.254) as well as 10.3.3.254 (ASA).

I tried adding in an ip route of 10.7.0.0 255.255.0.0 10.3.3.110 as well as 10.3.3.254. Neither produced the results I wanted, allowing 10.7.1.2 (PC) to ping the ASA (10.3.3.254).

Thoughts?

JohnTylerPearce Fri, 12/09/2011 - 12:10

Does the ASA have a route back to 10.7.x.x/16??

Edit:

Also, can I assume that the 10.3.3.254 is the inside interface on the ASA?

Correct Answer
mvsheik123 Fri, 12/09/2011 - 12:11

Hello,

As mentioned in your other posting (if I remember it correctly), you need routes on the ASA to reach the 10.7.x.x network.

Something like - route 10.7.0.0 255.255.0.0 10.3.3.110 1.

hth

MS

Correct Answer
JohnTylerPearce Fri, 12/09/2011 - 12:22

If you don't have a route back, the command that mvsheik123 gave is correct.

route 10.7.0.0 0.0.255.255 10.3.3.110   (The one will be there by default so don't worry about it)

If it's going to the inside interface (which I'm assuming it is)

route inside 10.7.0.0 255.255.0.0 10.3.3.110

Once you enter that command (seeing as there is no route back to 10.7.0.0 on your ASA) you should have full bidirectional IP connectivity.
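
The missing return route discussed in the answers above, traced as a longest-prefix-match lookup on both devices. This is an added example, not code from any poster in the thread. The 3560 entries come from the posted "show ip route"; the ASA table is an assumption (inside interface 10.3.3.254/16 as the thread assumes, and a constructed placeholder 203.0.113.1 as the outside next hop).

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)

# 3560 routes relevant to the test, from the "show ip route" output in the post.
SW3560 = [
    ("10.3.0.0/16", "connected", "Vlan1"),
    ("10.7.0.0/16", "connected", "FastEthernet0/13"),
    ("0.0.0.0/0", "10.3.3.254", "Vlan1"),
]

# ASA table: ASSUMED, not shown in the thread. The outside next hop is a
# constructed placeholder from the documentation address range.
ASA_BEFORE = [
    ("10.3.0.0/16", "connected", "inside"),
    ("0.0.0.0/0", "203.0.113.1", "outside"),
]
# Effect of: route inside 10.7.0.0 255.255.0.0 10.3.3.110
ASA_AFTER = ASA_BEFORE + [("10.7.0.0/16", "10.3.3.110", "inside")]

def check_ping(asa_table, pc="10.7.1.2", asa_ip="10.3.3.254"):
    """Trace the echo request (3560 lookup) and the echo reply (ASA lookup)."""
    fwd = lookup(SW3560, asa_ip)   # PC -> ASA, routed by the 3560
    rev = lookup(asa_table, pc)    # ASA -> PC, routed by the ASA
    request_ok = fwd is not None and fwd[2] == "Vlan1"
    # The reply only reaches the PC if the ASA hands it back to the 3560.
    reply_ok = rev is not None and rev[1:] == ("10.3.3.110", "inside")
    return {"request_via": fwd, "reply_via": rev,
            "ping_works": request_ok and reply_ok}

if __name__ == "__main__":
    for name, table in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        r = check_ping(table)
        print(name, "| request:", r["request_via"],
              "| reply:", r["reply_via"], "| works:", r["ping_works"])
```

Before the static route is added, the reply to 10.7.1.2 matches only the ASA's default route and leaves toward the outside interface, which is why the request arrives (the ARP entries exist) but the ping still fails.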

forgetoo Fri, 12/09/2011 - 12:53

Yes currently there is no route back from the inside ASA port.  I imagine this will fix it and I will test later this afternoon.  I figured this was a very simple oversight.

edit: I imagine what I will end up doing is setting up eigrp on the inside asa port.

Posted December 9, 2011 at 11:47 AM