I hesitate to post here -- I know that I should know my job. But here goes...
Small business wants to use an ASA 5505 firewall on the edge connected to VDSL modem, and then an 881 to route internally (see attachment). The 881 has a downstream link to a 2960.
Want the following "blocks": VLAN 33 - CLIENTS VLAN 55 - SERVERS VLAN 101 - CDLAB
The lab is for testing, and will be connected via Cisco 2500 series router. The server farm (Server 2008 domain +) will be connected via layer 2 switch over VLAN. A DMZ is anticipated after basic connectivity is established. Connectivity is already verified from a client connected to the INSIDE interface of the ASA going to the OUTSIDE and back.
Before I started I wiped the devices in order to start clean. Both the router and the switch are in vtp mode transparent.
To build a trunk link, I connected the 881 and the 2960 using a crossover cable from int fa0 to int fa0/8 respectively.
On both devices' interfaces I set switchport mode trunk.
I configured the 3 VLANs on the 881, assigned IP addresses to them, and used switchport trunk allowed vlan add 33,55,101 to assign them to the trunk but that doesn't appear in the sh run output under the interface.
I set both devices' to switchport nonegotiate (best practices?). Once again, on the 881 this command doesn't appear in the running config.
I configured the 3 VLANs on the 2960, then used the same switchport commands as above to assign them to the trunk.
Here's the deal. From a client connected to a VLAN 33 access port on the 2960, I can't ping, for example, the VLAN 55 IP address. I can ping the VLAN 33 IP address. I also can't ping the IP address of the interface on the far side of the router headed to the ASA (int fa4).
What am I doing wrong? I'll gladly post the running configs if anyone wants to see. I've spent most of the day on this racking my brain and literally scouring the Internet. I'd be very grateful for some assistance.
Yeah, I might not have been too clear. But on the router, each VLAN was created using the vlan 33 command (for example) and given a name. Then I went to int vlan 33 (for example) and used ip address 10.0.33.xx 255.255.255.0 for the address and subnet mask. Those have been in place since I started. And like I said, I can ping the SVI for VLAN 33, which is mapped to the client access port I'm on.
The problem is, I still can't ping inter-VLAN and I still can't ping the far side interface.
[toc:faq]The ProblemOn traditional switches whenever we have a trunk
interface we use the VLAN tag to demultiplex the VLANs. The switch needs
to determine which MAC Address table to look in for a forwarding
decision. To do this we require the switch to do...
[toc:faq]Introduction:Netdr is a tool available on a RSP720, Sup720 or
Sup32 that allows one to capture packets on the RP or SP inband. The
netdr command can be used to capture both Tx and Rx packets in the
software switching path. This is not a substitut...
IntroductionOSPF, being a link-state protocol, allows for every router
in the network to know of every link and OSPF speaker in the entire
network. From this picture each router independently runs the Shortest
Path First (SPF) algorithm to determine the b...