cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1204
Views
0
Helpful
14
Replies

adding a router to vlan

acceleratebiz
Level 1
Level 1

For one of our networks, we have the following path:

Internap (fiber)-> 7206vxr -> 3750g -> 3550 -> ds3 router -> customer

connected to the 3750g and 3550 are many servers and switches in different vlans. Everything works great. We are going to be modifying this network to have an additional 7206vxr and 3750g. iBGP between the 7206vxrs, GLBP between the 3750gs and EIGRP between the 7206vxrs and 3750gs. Spanning tree between the switches, like the 3550, attached to the 3750gs. I need to prepare for this in the next couple weeks.

But for right now, everything is incredibly simple. No IGP or EGP, no spanning tree, no gateway failover/load balancing. I'm now making sure all the vlans and static routes are setup properly. It's been very easy and quick. Except for this ds3 router. The ds3 router works perfect. But when I put it into vlan 5, it stops responding. What am I doing wrong? Normally, I create the vlan and its gateway address in the 7206vxr (soon it will be created on the 3750gs). Then I set the vlan for the proper ports on the 3550 (in this case) to the vlan id I setup. The difference here is that I'm trying to add a router to the vlan, not just a simple server. I would imagine the process is exactly the same, but it appears not :(. Can anybody help please?

Relevant portions of our router/switch configs:

3550

----

no spanning-tree vlan 5

!

!

vlan 5

!

interface FastEthernet0/39

switchport mode access

switchport access vlan 5

duplex full

speed 100

3750g

-----

no spanning-tree vlan 1-4094

! (to the 7206vxr)

interface GigabitEthernet1/0/1

switchport trunk encapsulation dot1q

switchport mode trunk

duplex full

! (to the 3550)

interface GigabitEthernet1/0/22

switchport trunk encapsulation dot1q

switchport mode trunk

7206vxr

-------

interface GigabitEthernet3/0

ip address 216.52.162.66 255.255.255.252

no negotiation auto

!

interface FastEthernet0/0.5

encapsulation dot1Q 5

ip address 204.10.104.2 255.255.255.252

!

ip route 204.14.104.0 255.255.254.0 204.10.104.1

14 Replies 14

glen.grant
VIP Alumni
VIP Alumni

try making sure the native vlan is the same on each end of your connecting links , add "encapsulation dot1Q 5 native "

Hi Glen, thanks for your response. I only specify the native vlan to be vlan 1 in the subinterface where I have "encapsulation dot1Q 1 native" on the 7206vxr. I don't specify the native vlan anywhere else, so it should all default to vlan 1 as the native vlan. Again, everything works great... have many servers hanging off the 3550 in different vlans and they're all running perfect. It's the ds3 router that won't work in a vlan.

Hi,

What is the Ip of that DS3 router.Is there any other device on the same switch on vlan 5 and that works OK.

Paste the configuration of that DS3 router and also let us know the physical connectivity.

regards,

-amit singh

Hi Amit, thank you for responding. I actually don't have control of that ds3 router. All I know is it works perfectly right now while it's not declared to be in any vlan (so vlan 1) and its /30 counterpart (the 7206vxr) is in vlan 1. Moving it to vlan 5 makes it so my 7206vxr can't even ping its side of the /30. Physically, I have a cat5e cable plugged from port 39 on the 3550 to the ds3 router. It then has a ds3 connection to progress telecom.

Excellent suggestion about trying another device on vlan 5. That seems to work just fine. But I haven't tried any other routers on vlan 5 or any vlan in this similar way. I imagine that there's just one extra step to putting a router on a vlan as opposed to a server. Or I have to configure something a little different...

dwulff
Level 1
Level 1

Hi,

If the DS3 router forwards with vlan tagging based on VL1 it will never be handled by an interface encapsulating VL5. So I'm not talking native handling. If the packets, coming from the DS3, are untagged there should be no problem. But if it encapsulates in VL1 your interface should be in the same Vlan. That's what came up my mind at first...

What does "vlan tagging based on VL1" and "encapsulates in VL1" mean? That VL1 is the native vlan? Not really understanding.. I'm pretty inexperienced.

The ds3 is meant to connect just as a simple access port: (3550 config, port 39 is the ds3)

interface FastEthernet0/39

switchport mode access

switchport access vlan 5

duplex full

speed 100

So no vlan tagging or trunk port going to the ds3. Just a simple untagged port.

a regular host is not capable of VLAN tagging, it just sends its packets towards the switchport. A networking device like a switch or router is capable of tagging, it places a VLAN tag in the header. Because of that other network devices are able to diferentiate interesting and non-interesting traffic.

If the DS3 router forwards traffic with such a tag in the headers your switchport should ignore the traffic since it only should accept traffic marked with VLAN-tag 5 or non-tagged traffic and tag the non-tagged traffic with the VLAN5 marking. Traffic coming from the network towards the DS3-router switchport originating VLAN5 or routed from another VLAN into VLAN5 is marked as soon as it enters the VLAN and the tag is stripped as soon as it leaves the switchport towards the DS3 router. The behavior of stripping the tag would be gone if the port is configured as trunk. I would suggest to be sure that the DS3 router doesn't do any encapsulation so it can be connected as a access-port. Otherwise you should be contacting the administrator of that router and have the port reconfigured encapsulating the traffic as VLAN5

Ok, so you're suggesting that although my 3550 has the port as an access port and not a trunk port, the ds3 router might be trying to connect as a trunk port. Sounds like a possibility. I also think that might be a good idea to have the ds3 router configured as a trunk port, but only use vlan 5. However, is there an easy way to limit them only to vlan 5 on my side? So they can't take an IP on someone else's vlan and cause any trouble.

Now if the ds3 router was configured as a trunk port, would it still be able to connect to the 3550 port configured as an access port? I just need to put the access port on the 3550 to vlan 1 (and the corresponding gateway addresses on the 7206vxr to vlan 1) and the ds3 router works perfect. It's when I move to vlan 5 that I can't ping it.

If the DS3 router forwards with VLAN1 tags it can be handled by default native interfaces and interfaces manually configured as VLAN1 interface.

You will be able to configure a trunk with only VLAN5.

Configure the port as trunk and add config allowed vlans 5.

when you look at the sh trunk output you will se that the particular interface only trunks VLAN5

The idea of only allowing them access to vlan 5 and then they can have a trunk port sounds like it should work.

If the ds3 router is configured for trunking, but is only using vlan 1, then you're saying that it'll work even though my 3550's port is configured for not-trunking but is in vlan 1. Shouldn't it still work then if my 3550's port is configured for not-trunking but is in vlan 5? As the vlan tags get stripped at that point regardless.

Kevin Dorrell
Level 10
Level 10

What device is actually at 204.10.104.1 ? You say that "its counterpart (the 7206vxr) is in vlan 1". Just to make sure that I understood right, does that mean you have the 7206vxr F0/0.5 subinterface on 204.10.104.2 in VLAN 5, and the DS3 router on 204.10.104.1 also in VLAN 5 by virtue of the switchport access configuration?

Make sure your DS3 router is on 204.10.104.1, and not accidentally on 204.14.104.1, otherwise the 7206 will not be able to reach it.

Go to your switch and try a show mac-address-table vlan 5. Can you see the MAC addresses of both your 7206 and your DS3 router? That will tell you whether your problem is layer 2 or layer 3.

Let us know if any of this helps.

Kevin Dorrell

Luxembourg

Hi Kevin, 204.10.104.1 is actually just a server, I picked one of our IPs at random without giving the actual IP of this customer. But you're right about your assumptions. I gave the configuration in my original post.

The ds3 router actually works fine in vlan 1. It's only when I declare that port on the 3550 to be in a particular vlan (and change the 7206vxr accordingly) that it stops pinging. I did actually try showing the arp cache and mac table and neither turned up anything after clearing them and putting the ds3 on vlan 5. So I'm assuming the reason it doesn't work and other servers on that 3550 work fine when moving them into their vlans is that you have to do something extra that I'm missing when routing through a vlan.

204.14.104.1 is also one of our ip addresses, but this isn't the issue here as, like I said above, the ds3 router works perfect (and is working right now) in vlan 1.

Please bear with me as I try to understand this configuration. 204.14.104.0/23 is the customer's network, right. So looking at the config of the 7206, I am expecting the next hop router to be 204.10.104.1, and I suppose that is the DS3, is that so?

Perhaps it would be useful to see your VLAN 1 configs before the change, to work out what is different.

Kevin Dorrell

Luxembourg

yes, you are correct kevin. Here's exactly what I change on each router to make the ds3 work:

7206vxr

-------

interface FastEthernet0/0.5

no ip address 204.10.104.2 255.255.255.252

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip address 204.10.104.2 255.255.255.252

3550

----

interface FastEthernet0/39

no switchport access vlan 5

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: