Hi, I could use some help with an issue I'm experiencing setting up a lab environment, just getting into learning some networking. Using a 2960S-24PD-L switch, running the 'lanbase-routing' template and IOS is 15.2.
I have created a few VLANs (vlan10, vlan20 & vlan100) & SVIs, 'ip routing' has been run and all, well most, inter-VLAN routing is working. VLAN100 (IP 10.100.0.254/16) is on G1/0/24, connected to a TMG server IP 10.100.0.1/16. On the TMG server I added the routes and can connect to all VLANs on the switch. The problem is any hosts on vlan10 or vlan20 can't connect to the TMG server; I can ping the SVI 10.100.0.254, but not the TMG at 10.100.0.1. All ports are configured as access ports and routing between the VLANs is otherwise working. So in summary, TMG-->switch is working, switch-->TMG not so much :0).
Not sure what I'm missing but wouldn't be surprised if it's something simple I overlooked, still very much a network noob!! Any help is appreciated, I can post configs tomorrow when I get back to the switch.
Thanks Reza. The hosts are using the SVI address, so hosts on VLAN10 use 172.16.10.254/24 for the GW, and hosts on VLAN20 use 172.16.20.254/24 for the GW. VLAN100 GW is 10.100.0.254/16. From the switch itself I'm unable to ping the TMG at 10.100.0.1/16. I thought it might be a firewall on the TMG but Windoze fwall is off and I've added a rule to allow incoming pings from the internal side. I can't seem to get this working :0(
sw01#sh run
Building configuration...

Current configuration : 3139 bytes
!
! Last configuration change at 23:21:36 EST Sat Jul 12 2014
! NVRAM config last updated at 23:08:52 EST Sat Jul 12 2014
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname sw01
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
no aaa new-model
clock timezone EST -5 0
switch 1 provision ws-c2960s-24pd-l
ip routing
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1 - 21
!
interface GigabitEthernet1/0/22
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 172.16.10.254 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.254 255.255.255.0
!
interface Vlan100
 ip address 10.100.0.254 255.255.0.0
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.100.0.1
!
line con 0
line vty 0 4
 password
 login
line vty 5 15
 password
 login
!
end

sw01#ping 172.16.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/5 ms
sw01#ping 172.16.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw01#ping 10.100.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/5 ms
sw01#ping 10.100.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
sw01#
It's a Forefront TMG 2010 server, and looks like it is the cause. I removed it and put a Win8 host on the port and had full connectivity. So I think my switch config is good, it's my TMG config that's not!
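As an added example (not code from the thread, from Cisco, or from Microsoft), the following Python script parses the SVI and static-route lines of the running-config posted above and traces where the switch sends a packet from a VLAN10 host, then lists what the destination host must have in place for its reply to come back. The config text embedded in it is copied from the 'sh run' output in this thread; the function names and the test addresses (172.16.10.10, 172.16.10.20, 172.16.20.10, 203.0.113.5) are mine.

```python
"""Trace a packet through the switch config posted above: which SVI or
next hop handles it, and what the destination host needs for the reply.
Added example for this thread; not Cisco's or the poster's code."""
import ipaddress
import re

# Constructed sample: only the SVI and static-route lines from the 'sh run' above.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 172.16.10.254 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.254 255.255.255.0
!
interface Vlan100
 ip address 10.100.0.254 255.255.0.0
!
ip route 0.0.0.0 0.0.0.0 10.100.0.1
"""


def parse_config(text):
    """Return ({svi_name: IPv4Interface}, [(IPv4Network, next_hop)]) from IOS config text."""
    svis, routes, current = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            if current and current.startswith("Vlan"):
                # 'addr mask' form is accepted directly by ip_interface
                svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                           ipaddress.ip_address(m.group(3))))
        elif line.startswith("!"):
            current = None
    return svis, routes


def vlan_of(svis, ip):
    """Name of the SVI whose subnet contains ip, or None."""
    return next((name for name, iface in svis.items() if ip in iface.network), None)


def forwarding_decision(svis, routes, src_ip, dst_ip):
    """How the switch handles a packet src_ip -> dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_vlan, dst_vlan = vlan_of(svis, src), vlan_of(svis, dst)
    if src_vlan is None:
        return ("unknown-source", None)
    if dst_vlan == src_vlan:
        return ("same-vlan", src_vlan)            # bridged at L2, SVI not involved
    if dst_vlan is not None:
        return ("routed-to-svi", dst_vlan)        # inter-VLAN routing ('ip routing')
    matches = [r for r in routes if dst in r[0]]
    if matches:
        best = max(matches, key=lambda r: r[0].prefixlen)   # longest prefix wins
        return ("routed-via-next-hop", str(best[1]))
    return ("no-route", None)


def host_side_checks(svis, src_ip, dst_ip):
    """What a host at dst_ip (e.g. the TMG on VLAN100) needs for its reply to src_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_vlan, dst_vlan = vlan_of(svis, src), vlan_of(svis, dst)
    if src_vlan is None or dst_vlan is None:
        return {"error": "source or destination not on an SVI subnet"}
    return {
        # The reply must be routed back through the SVI on the host's own subnet.
        "reply_route": f"{svis[src_vlan].network} via {svis[dst_vlan].ip}",
        # A host firewall that only trusts its attached subnet will drop these packets.
        "source_outside_local_subnet": src not in svis[dst_vlan].network,
    }


if __name__ == "__main__":
    svis, routes = parse_config(SAMPLE_CONFIG)
    for dst in ("172.16.10.20", "172.16.20.10", "10.100.0.1", "203.0.113.5"):
        print("172.16.10.10 ->", dst, forwarding_decision(svis, routes, "172.16.10.10", dst))
    print(host_side_checks(svis, "172.16.10.10", "10.100.0.1"))
```

The interesting case is 172.16.10.x to 10.100.0.1: the switch routes it onto Vlan100 and hands it to the TMG with a source address outside 10.100.0.0/16, so the TMG needs both a reply route for 172.16.10.0/24 and 172.16.20.0/24 via 10.100.0.254 (which the poster added) and a firewall policy that accepts traffic from those routed subnets on its internal adapter rather than treating it as non-local. Swapping the TMG for a plain Windows 8 host, as the poster did, is the right isolation test: if the same port works with another host, the switch side is sound and the remaining checks are on the firewall host.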