
3550: blocked traffic-routed ports to switch ports

jdory99
Level 1

I have 3 switches: 2-2950's and 1 3550. The 3550 has about 4 ports configured as routed and others are switchports.

Port 1 on 3550 is configured as gateway and plugs into a 2950. The firewall, clients, and servers plug into these 2950s. 3 other ports on 3550 are incoming routed ports from other departments, using port 1 for a gateway. I also have a cable connected from the 2950 to a switchport on the 3550.

Things basically are working except I cannot ping through the routed ports to servers plugged into the switchports on the 3550. I can ping servers on the 2950s. So for traffic coming into routed port 2, it would go out port 1 to the 2950 but doesn't see anything on the switchports of the 3550, even though they are connected via cat5. I can ping from a client on any 2950 to the servers on the 3550. So basically, anything coming into the 3550 through a routed port cannot access anything on the 3550 switchports.

If I telnet in port 1 I cannot ping the other routed ports or anything on the switchports. I'll post the config if need be but maybe I'm missing something really simple - I don't do this stuff enough to get good at it.

Attached is an image of our LAN. Thanks for looking! cheers, JD



13 Replies

glen.grant
VIP Alumni

Think seeing the config would help, it's obviously a config issue.

Hi Glen - thanks for responding.

    show run
    Building configuration...

    Current configuration : 2495 bytes
    !
    ! NVRAM config last updated at 16:43:06 AKDT Fri Jul 14 2006
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log datetime
    no service password-encryption
    service sequence-numbers
    !
    hostname CHsw3550
    !
    enable secret xxx
    !
    clock timezone AKDT -9
    clock summer-time AKDT date Apr 3 2005 2:00 Oct 30 2005 2:00
    ip subnet-zero
    ip routing
    ip name-server xxx.xxx.1.21
    !
    !
    spanning-tree extend system-id
    !
    !
    !
    interface FastEthernet0/1
     no switchport
     ip address xxx.xxx.1.1 255.255.255.0
    !
    interface FastEthernet0/2
     no switchport
     ip address xxx.xxx.100.12 255.255.255.0
    !
    interface FastEthernet0/3
     no switchport
     ip address yyy.yyy.100.1 255.255.255.0
    !
    interface FastEthernet0/4
     no switchport
     no ip address
     no ip route-cache
     no ip mroute-cache
    !
    interface FastEthernet0/5
     no switchport
     ip address xxx.xxx.5.1 255.255.255.0
    !
    interface FastEthernet0/6
     no ip address
    !
    interface FastEthernet0/7
     no ip address
    !
    interface FastEthernet0/8
     no ip address
    !
    interface FastEthernet0/9
     no ip address
    !
    interface FastEthernet0/10
     no ip address
    !
    interface FastEthernet0/11
     no ip address
    !
    interface FastEthernet0/12
     no ip address
    !
    interface FastEthernet0/13
     no ip address
    !
    interface FastEthernet0/14
     no ip address
    !
    interface FastEthernet0/15
     no ip address
    !
    interface FastEthernet0/16
     no ip address
    !
    interface FastEthernet0/17
     no ip address
    !
    interface FastEthernet0/18
     no ip address
    !
    interface FastEthernet0/19
     no ip address
    !
    interface FastEthernet0/20
     no ip address
    !
    interface FastEthernet0/21
     no ip address
    !
    interface FastEthernet0/22
     no ip address
    !
    interface FastEthernet0/23
     no ip address
    !
    interface FastEthernet0/24
     no ip address
    !
    interface GigabitEthernet0/1
     no ip address
    !
    interface GigabitEthernet0/2
     no ip address
    !
    interface Vlan1
     no ip address
     shutdown
    !
    router rip
     network 10.0.0.0
     network yyy.yyy.100.0
    !
    ip default-gateway xxx.xxx.1.26
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.1.26
    ip route xxx.xxx.1.0 255.255.255.0 FastEthernet0/1
    ip route xxx.xxx.2.0 255.255.255.0 xxx.xxx.1.26
    ip route xxx.xxx.3.0 255.255.255.0 xxx.xxx.100.13
    ip route xxx.xxx.5.0 255.255.255.0 FastEthernet0/5
    ip route xxx.xxx.9.0 255.255.255.0 xxx.xxx.100.13
    ip route xxx.xxx.10.0 255.255.255.0 xxx.xxx.100.13
    ip route xxx.xxx.100.0 255.255.255.0 xxx.xxx.1.26
    ip route yyy.yyy.100.0 255.255.255.0 xxx.xxx.1.26
    ip http server
    !
    !
    !
    !
    line con 0
    line vty 0 4
     password xxxxxx
     login
    line vty 5 15
     password xxxxxx
     login
    !
    end

Hi Friend,

The reason you are unable to ping to the hosts plugged into the switchports of the 3550 is because you have all the hosts connected in Vlan 1 and the switch virtual interface of Vlan 1 is shut down and does not have an IP address defined on it, so that's why the inter-VLAN routing is not working between Vlan 1 and the other router ports. Do like this:

    conf t
    interface vlan 1
     ip address x.x.x. y.y.y.y
     no shut

This will work for you.

Another question I have for you is why you are running RIP on this switch. Are you running RIP on other different routers in the network and want to exchange the routing table? If yes, then it's OK. If no, then you can remove the RIP config, and as all the interfaces are directly connected to the switch the inter-VLAN routing will work for you.

HTH, please rate if it does.

-amit singh

Thank you very much for the help, Amit!

"conf t

interface vlan 1

ip address x.x.x. y.y.y.y "

I'm studying the manual to see if I can find the answer, but I'm not sure what ip addresses to add in this command you show. I tried adding the 4 non-switch port ip addresses but the command only takes two addresses at once - so I'm thinking I don't understand. I am thinking I should add the 4 ip addresses, but perhaps not?

I'll try removing rip and see what happens. I don't think I need it.

[edit] I see that it maybe is supposed to be an ip address and a netmask. Also, if I try to add the ip address of one of the 4 interfaces, it says that it overlaps with the particular port of the ip address I'm adding. If I enter a network address, such as 192.168.1.0 255.255.255.0, I get "Bad mask /24 for address" [/edit]

thanks, Jim

You will have to treat VLAN 1 as another network on the switch. Basically it will be another routed interface with another IP address range. That is why the switch will not allow you to assign an address that is the same as one already configured.

The command you were given is correct; you just have to use a different subnet for VLAN 1. Then you will be able to route to the other interfaces.

This link should help with the question.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml

Thank you very much rwyates. I tried assigning a different subnet to the vlan and it took - but if I telnet into the 3550 x.x.1.1 address I cannot ping devices on the 3550 switchports. Same if I console into servers on the x.x.100.1 interface.

The link you provided was over my head - if I get any time I'll try studying it more but it seemed to be not close enough to my case I have here. Appreciate the link though.

Glen suggested something and I'll try to further explore that.

Maybe it is starting to sink in. I think that it is not possible to have communication between switchports and routed interfaces on the one 3550 device if the switchports are in the same subnet as any one of the routed ports? Although that does not seem right and I'm probably wrong.

Though I cannot seem to put the switchports into a vlan that has the same subnet as any routed interface on the 3550, I can assign the Vlan 1 a new subnet number and ping that. If the devices on the switchports then are in that new subnet of the vlan, I would be in business. Since I do not want to change the ip address of these servers - I think at this point it would just be easier (since I do not have a firm grasp of this stuff) to abandon the switchports and buy a new switch (as the others are full). Or I could put devices on the switchports that do not need to access or be accessed from anything on the routed ports of the 3550.

Then if I get any new devices I can put them on the vlan subnet, and put in a route to show the new subnet on the firewall lan interface, since it is the default gw of the 3550. So now I've confessed my ignorance.

cheers, Jim

glen.grant
VIP Alumni

You must have devices on the switchports; see what address range they are using and use that. If they have a default gateway defined in their NIC cards, then use that address as your SVI address for VLAN 1.

Much appreciated Glen. I'm using the 3550 Switch Software Config Guide -Cisco IOS Release 12.1(13)EA1 March 2003.

In that guide it shows an example config with a gb eth interface with an ip address that is the same as the vlan 1 interface. My 3550 will not allow it to have the same address.

Port 1 on the 3550 is x.x.1.1, and has x.x.1.26 as its default gateway - the lan interface of the ASA5510 firewall. Most devices hooked into the switches are on the x.x.1.0 subnet, as are a couple servers plugged into the switchports of the 3550. Those servers' default gw's are configured for x.x.1.26.

So I'm too dense to understand what you are suggesting - hope you are patient. I have two servers on the switchports now (I would have more but need to solve this riddle first). All those switchports are for the x.x.1.0 subnet.

It sounds like you are suggesting I use an ip address for the vlan 1 in the x.x.1.0 subnet. But this does not work - says it overlaps with port 1.

I'm trying to find out how to assign an SVI address. I searched in the Guide and found several instances where it mentions SVI. One says that an SVI is created by default for Vlan 1 - but I have not yet found how to assign one. I've a ton more instances of SVI to check out in that guide so it may be there - I'm back to do some more reading.

thanks, Jim

Jim,

You can assign any private range IP address to vlan 1.

    conf t
    int vlan 1
     ip address 192.168.1.1 255.255.255.0
     no shut

The two servers which are plugged into vlan 1 will use the vlan 1 ip address as the default-gateway. For example, one of the servers will have an ip 192.168.1.10, subnet mask 255.255.255.0 and the default gateway 192.168.1.1. Once that is done you will be able to work this out.

If you want more precise configuration, please let us know the ip addresses used on the switch ports and you can assign the same class of ip address on the vlan interface.

HTH, Please rate if it does.

-amit singh

Thanks again Amit-singh - you folks have been very kind. Big help.

Let's say the ip addresses are, on port 1 is 192.168.1.1, port 2 is 192.168.100.1, port 3 is 172.20.100.1, and port 5 is 192.168.5.1, all with /24 netmasks.

The servers and would-be clients on the switchports now are in the 192.168.1.0 subnet. So I tried assigning a vlan ip address within that 192.168.1.0 subnet, but says it overlaps with port 1, (vlan must act like a routed port?). But you say you can assign the same class of ip address on vlan interface?

cheers, Jim

Hi Jim,

For the same class I meant assigning the address in the 192.168.x range, not the same range of IP address. So on your Vlan 1 you can put an IP like 192.168.20.1/24 and have this as the gateway for your vlan 1 clients.

As your port 1 is already using 192.168.10 range, the same IP cannot be given to any other layer-3 interface.

HTH, Please rate if it does.

-amit singh
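
The rule this answer arrives at (every layer-3 interface on the 3550, routed port or SVI, needs a subnet of its own, and the address must be a host address) can be checked offline before typing `ip address` on the switch. The following Python sketch is an added example, not part of the original thread; the function name `check_svi` is hypothetical, and the interface addresses are the ones Jim lists in the post above.

```python
import ipaddress

# Layer-3 interfaces as Jim describes them in the thread (all /24).
ROUTED_PORTS = {
    "FastEthernet0/1": "192.168.1.1/24",
    "FastEthernet0/2": "192.168.100.1/24",
    "FastEthernet0/3": "172.20.100.1/24",
    "FastEthernet0/5": "192.168.5.1/24",
}

def check_svi(address, mask, existing=ROUTED_PORTS):
    """Return (ok, reason) for a proposed 'ip address <address> <mask>' on an SVI."""
    iface = ipaddress.ip_interface(f"{address}/{mask}")
    net = iface.network
    # A host address may not be the subnet's network or broadcast address;
    # this is the case behind "Bad mask /24 for address" in the thread.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return False, f"{iface.ip} is the network or broadcast address of {net}"
    # Each layer-3 interface (routed port or SVI) needs its own subnet,
    # so any overlap with an existing interface is rejected.
    for name, cidr in existing.items():
        other = ipaddress.ip_interface(cidr).network
        if net.overlaps(other):
            return False, f"{net} overlaps with {name} ({other})"
    return True, f"{net} is free; hosts in Vlan1 would use {iface.ip} as gateway"

def main():
    # Constructed candidates matching the attempts discussed in the thread.
    for addr in ("192.168.1.2", "192.168.1.0", "192.168.20.1"):
        ok, reason = check_svi(addr, "255.255.255.0")
        print(f"{addr:<14} {'accept' if ok else 'reject'}: {reason}")

if __name__ == "__main__":
    main()
```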

Ok, it has sunk in now. I think I understand.

Thanks! /jd
