Solved: Issue when adding sub-interfaces to a router

jeff6strings · ‎01-06-2012

We have a 2811 router (IOS v 12.4(25)) which currently port F0/0 is connected to a 6509-E switch (6509-E1, IOS v 12.2(18)) via port f4/43 configured as a switchport in VLAN 502. Port f0/1 on the 2811 has a public IP address for PAT. Our public wireless goes thru a 4402 WLC which is on another 6509-E switch (6509-E2, IOS v 12.2(18)). The current IP network on VLAN 502 is 10.50.2. The setup of this network is working fine now but we do need to expand by adding more VLANs for other guest wireless networks.

My goal is to create sub interfaces on port F0/0 on the 2811 for different VLANs for our different guest wireless networks and change VLAN 502 IP addressing to 172.31. When I implement the configuration below from the 4402 WLC I cannot ping IP address 172.31.255.254 which is subinterface f0/0.502 on the 2811. I setup the configuration in GNS3 which worked without a problem, minus the 4402 which I substituted a router.

Appreciate any help.

Jeff

2811 Router:

ip dhcp pool 502

network 172.31.0.0 255.255.0.0

dns-server 66.155.216.122 8.8.8.8

default-router 172.31.255.254

lease 0 1

ip dhcp pool 600

network 10.60.0.0 255.255.255.0

dns-server 66.155.216.122 8.8.8.8

default-router 10.60.0.254

lease 14

access-list 1 permit 172.31.0.0 0.0.255.255

access-list 1 permit 10.60.0.0 0.0.0.255

ip nat inside source list 1 interface FastEthernet0/1 overload

int f0/0

no ip address 10.50.2.254 255.255.252.0

no ip nat inside

no ip virtual-reassembly

int f0/0.502

ip nat inside

encapsulation dot1q 502

ip address 172.31.255.254 255.255.0.0

no shut

int f0/0.600

ip nat inside

encapsulation dot1q 600

ip address 10.60.0.254 255.255.255.0

no shut

6509E-1:

int f4/43

switchport

switchport mode trunk

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 502

switchport trunk allowed vlan add 600

6509E-2:

int g3/2

switchport

switchport mode trunk

switchport trunk encapsulation dot1q

4402 WLC:

Interface Public_Wireless

VLAN 502

IP Address: 172.31.255.250

Peter Paluch · ‎01-11-2012

Jeff,

Let's make a smaller config change. The 2811 should be modified as follows (the commands are ready to be directly pasted to your config):

interface FastEthernet0/0

no ip address

no ip nat inside

interface FastEthernet0/0.502

encapsulation dot1q 502

ip address 10.50.2.254 255.255.255.0

ip nat inside

The 6509 should be modified as follows:

interface FastEthernet4/43

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 502

spanning-tree portfast trunk

This reconfiguration should retain the same functionality as you currently have, yet change the communication with the router to a 802.1q-tagged traffic on the VLAN 502. If everything is OK, this configuration should not cause any longer-term connectivity issues without adding any additional functionality.

If this works, we can proceed in adding new VLANs and readdressing your VLAN502. Can you try to implement this intermediary step please?

Best regards,

Peter

View solution in original post

jeff6strings · ‎01-11-2012

Bumping in the hopes someone could provide some feedback.

Thank you,

Jeff

Peter Paluch · ‎01-11-2012

Hi Jeff,

Currently, the configuration does not contain any obvious errors.

Let's start from something that currently works: can you please post the current configuration of:

Fa0/0 on your 2811 router (I also assume there are no subinterfaces under the Fa0/0 presently)
Fa4/43 on your C6509

Thanks!

Best regards,

Peter

jeff6strings · ‎01-11-2012

Peter,

Yes there are no subinterfaces on the 2811 at this time. Here is the current config on both units interface.

Thanks again,

Jeff

2811:

Int f0/0

ip address 10.50.2.254 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex full

speed 100

6509E:

Fa4/43

switchport

switchport access vlan 502

no ip address

speed 100

duplex full

spanning-tree portfast

Peter Paluch · ‎01-11-2012

Jeff,

Let's make a smaller config change. The 2811 should be modified as follows (the commands are ready to be directly pasted to your config):

interface FastEthernet0/0

no ip address

no ip nat inside

interface FastEthernet0/0.502

encapsulation dot1q 502

ip address 10.50.2.254 255.255.255.0

ip nat inside

The 6509 should be modified as follows:

interface FastEthernet4/43

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 502

spanning-tree portfast trunk

This reconfiguration should retain the same functionality as you currently have, yet change the communication with the router to a 802.1q-tagged traffic on the VLAN 502. If everything is OK, this configuration should not cause any longer-term connectivity issues without adding any additional functionality.

If this works, we can proceed in adding new VLANs and readdressing your VLAN502. Can you try to implement this intermediary step please?

Best regards,

Peter

jeff6strings · ‎01-11-2012

Peter,

I will set a time window within the coming week to work on this but the only difference with your proposal and what I have is the spanning-tree portfast trunk command on the f4/43 interface and not changing the IP. That is the only troubleshooting step I did not do was keep the existing IP network when we did this in production a week ago.

Again,

Thanks for the help.

Jeff

Peter Paluch · ‎01-11-2012

Jeff,

My suggestion is not quite identical, although strongly similar. I am suggesting creating only a single subinterface on the router, not two. Also, I have changed the order of switchport trunk encapsulation dot1q and switchport mode trunk commands, as only this order will be correctly accepted (reversed order will result in the switch merely complaining that it cannot set a port to static trunk if the encapsulation is auto - and the port will remain running as an access port which may very well have happened). In addition, only a single VLAN is allowed on the trunk port, not two. And also, I am retaining the IP addressing to keep the number of changes possibly minimal.

Please understand that you have originally quoted only your alleged configuration modifications but not the real configurations from the devices at the time you experienced the connectivity problems. That understandably makes me to consider those configuration additions with a little reservation whether they have indeed been input exactly as you indicated them. That is also the reason why I am suggesting these additions to be input again, in smaller steps.

Best regards,

Peter

jeff6strings · ‎01-11-2012

Peter, thanks for the response and explanation. I will setup a time window to implement and let you know how things go.

Jeff

jeff6strings · ‎02-03-2012

Peter, your configuration worked just fine. Thank you for your help.

Jeff