Internet access for 3550 switch VLANs problem

phonetech · ‎02-23-2012

Hi,

I have a small cisco switch cluster (seven different 2924, 3524cisco switches) with 3550 as a cluster control which does all the inter vlan routing that works fine.

This cluster is in semi production PBX interop testing lab. This is a closed network without internet access and not connected to our corporate network.

However now I have to add this capability so some equipment in the lab can get Microsoft updates over the internet.

I've created a port on a 3550 (fa0/19) and connected it to another network that has internet access. It picked an ip address and when I'm logged in to the 3550 I can ping hosts on the outside network. However I can't ping any hosts on that network from any hosts that are connected to my vlans.

I've tried a few different things, but still can't make it to work.

Thanks

Here is a short version of my 3550 configuration:

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log datetime

no service password-encryption

service sequence-numbers

!

hostname C3550-1

!

no aaa new-model

clock timezone EST -5

clock summer-time EDT recurring

ip subnet-zero

ip routing

ip dhcp excluded-address 172.26.100.1 172.26.100.100

!

ip dhcp pool 100

network 172.26.100.0 255.255.255.0

default-router 172.26.100.1

!

ip dhcp pool 101

network 172.26.101.0 255.255.255.0

default-router 172.26.101.1

!

vtp interface 172.26.100.1

!

no file verify auto

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface FastEthernet0/2

description 2611-1eth00

switchport access vlan 100

switchport mode access

spanning-tree portfast

!

interface FastEthernet0/4

description 2611-2eth00

switchport access vlan 100

switchport mode access

spanning-tree portfast

#---------------Removed other interfaces

!

interface FastEthernet0/19

no switchport

ip address dhcp

no cdp enable

!

interface Vlan1

ip address 10.10.10.2 255.0.0.0

!

interface Vlan100

ip address 172.26.100.1 255.255.255.0

!

interface Vlan101

ip address 172.26.101.1 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 fa0/19

ip http server

!

control-plane

!

end

andrewswanson · ‎02-23-2012

hello

there's no routing protocol configured on the 3550 - only a default route. on the second network you can add static routes pointing to your 3550 (for subnets 10.0.0.0/8, 172.26.100.0/24 and 172.26.100.101/24). or preferably configure a routing protocol so that the 2 networks can exchange routes.

hth

andy

Karthik Kumar Thatikonda · ‎02-23-2012

Hi,

Can you send the outputs of sh ip route . Also, can you check the vlan 100 and 101 networks are seen on the other side switch using sh ip route. We need to have networks learned for both switches for hosts to talk (using routing protocols such as RIP, OSPF and EIGRP etc..). Also, if you are not willing to use dynamic IGP protocol, you can add static routes to those networks on both switches.

phonetech · ‎02-24-2012

Hi,

Below is sh ip route for the 3550.

I don't know if I can use routing protocols. The other network just gives me a port on their switch. Normally I just have a PC connected to that port. They don't want any integration and I have no control over it. It is just like an ISP at home.

Thanks

Yury

#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

137.135.0.0/24 is subnetted, 1 subnets

C 137.135.128.0 is directly connected, Vlan137

C 172.22.0.0/16 is directly connected, FastEthernet0/19

172.26.0.0/24 is subnetted, 32 subnets

C 172.26.135.0 is directly connected, Vlan135

C 172.26.142.0 is directly connected, Vlan142

C 172.26.140.0 is directly connected, Vlan140

C 172.26.141.0 is directly connected, Vlan141

C 172.26.138.0 is directly connected, Vlan138

C 172.26.139.0 is directly connected, Vlan139

C 172.26.136.0 is directly connected, Vlan136

C 172.26.246.0 is directly connected, Vlan246

C 172.26.247.0 is directly connected, Vlan247

C 172.26.244.0 is directly connected, Vlan244

C 172.26.245.0 is directly connected, Vlan245

C 172.26.242.0 is directly connected, Vlan242

C 172.26.243.0 is directly connected, Vlan243

C 172.26.240.0 is directly connected, Vlan240

C 172.26.241.0 is directly connected, Vlan241

C 172.26.250.0 is directly connected, Vlan250

C 172.26.248.0 is directly connected, Vlan248

C 172.26.249.0 is directly connected, Vlan249

C 172.26.230.0 is directly connected, Vlan230

C 172.26.231.0 is directly connected, Vlan231

C 172.26.229.0 is directly connected, Vlan229

C 172.26.238.0 is directly connected, Vlan238

C 172.26.239.0 is directly connected, Vlan239

C 172.26.236.0 is directly connected, Vlan236

C 172.26.237.0 is directly connected, Vlan237

C 172.26.234.0 is directly connected, Vlan234

C 172.26.235.0 is directly connected, Vlan235

C 172.26.232.0 is directly connected, Vlan232

C 172.26.233.0 is directly connected, Vlan233

C 172.26.102.0 is directly connected, Vlan102

C 172.26.100.0 is directly connected, Vlan100

C 172.26.101.0 is directly connected, Vlan101

C 192.26.81.0/24 is directly connected, Vlan81

C 192.168.65.0/24 is directly connected, Vlan65

C 192.168.20.0/24 is directly connected, Vlan192

C 10.0.0.0/8 is directly connected, Vlan1

C 192.26.82.0/24 is directly connected, Vlan82

S* 0.0.0.0/0 is directly connected, FastEthernet0/19

Karthik Kumar Thatikonda · ‎02-24-2012

Hi,

3550 ======= fa0/19 ==== port on ISP switch

Is the above topology correct?. Also, can you pls paste traceroute using tracert on the host where you are initiating a ping?.

Thanks.

Sent from Cisco Technical Support iPad App

phonetech · ‎02-24-2012

Hi,

Yes, the topology is correct. fa0/19 is connected to a port in ISP switch in DHCP mode.

fa0/19 has 172.22.2.39/16 address, def gw 172.22.1.1

Here is the traceroute. I did it on a host 172.26.100.12 in vlan 100. 172.26.100.1 is a def gw for vlan 100

Thanks

Yury

Tracing route to 172.22.2.2 over a maximum of 30 hops

1 1 ms <1 ms <1 ms 172.26.100.1

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 * * * Request timed out.

12 * * * Request timed out.

13 * * * Request timed out.

14 * * * Request timed out.

15 * * * Request timed out.

16 * * * Request timed out.

17 * * * Request timed out.

18 * * * Request timed out.

19 * * * Request timed out.

20 * * * Request timed out.

21 * * * Request timed out.

22 * * * Request timed out.

23 * * * Request timed out.

24 * * * Request timed out.

25 * * * Request timed out.

26 * * * Request timed out.

27 * * * Request timed out.

28 * * * Request timed out.

29 * * * Request timed out.

30 * * * Request timed out.

Trace complete.

Karthik Kumar Thatikonda · ‎02-24-2012

Hi,

Is def gtw 172.22.1.1 or 2.1?. Your trace shows to 2.2?. Need to know the interface on 3550 connecting to host where ping is initiated. Can you paste sh vlan id 100. Also,moving default gtw on host. Ping 172.26.100.1, also I assume you are not able to go online because sometimes Isp's disable icmp or have firewall rules so ping wont work. If you are not going online on web please try ping default gtw and check configs on host side. Moreover, can you try from another host in different vlan?.

Thanks.

Sent from Cisco Technical Support iPad App

phonetech · ‎02-24-2012

Hi,

def gw is 172.22.1.1 The trace shows 172.22.2.2 which is a host on that network. Trace to 172.22.1.1 shows the same results. Ping 172.26.100.1 works as well as connecting to other vlans. I also tried to ping 172.22.2.2 and 172.22.1.1 from a host in vlan 254. Still no success. As I mentioned earlier I can ping a test host 172.22.2.2 from the 3550 cli.

Here is the printout.

Thanks

Yury

sh vlan id 100

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

100 Management active Fa0/2, Fa0/4, Fa0/6, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Gi0/2

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

100 enet 100100 1500 - - - - - 0 0

Remote SPAN VLAN

----------------

Disabled

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

Karthik Kumar Thatikonda · ‎02-24-2012

Hi,

Can you ping 172.22.1.1 from 3550 switch?. Also, ping 172.26.100.12 from your switch to host that you were trying ping. Let me know. Moreover, can you add another static route specifying ip route 172.2.0.0 255.255.0.0 fa0/19 ?. I know default route is already there but give it a try.

phonetech · ‎02-24-2012

Hi,

I can ping 172.22.1.1 from 3550 switch. I added a static route that you suggested, but that didn't help.

I can ping 172.26.100.12 from 3550.

Karthik Kumar Thatikonda · ‎02-24-2012

Hi,

If you wanted Internet access, one thing I see missing from the config is the Dns server. You need point to dns server provided from ISP. Also, set those on your dhcp pools on 3550 and on hosts. Moreover, you can try ping 172.22.2.2 sourcing from vlan 100. Use ping 172.22.2.2 source vl100. See if that works, then after that dns server settings needs to be corrected. Please, let me know.

Sent from Cisco Technical Support iPad App

phonetech · ‎02-27-2012

Hi,

I tried ping 172.22.2.2 source vlan100 and still can't ping that host.

What I'm going to do is to setup another 3550 that I have in storage. Start with a minimal database and build it up, so I can see at what point it stops working.

Thanks for all your help.

Jon Marshall · ‎02-27-2012

As mentioned earlier if you are not running a routing protocol then the problem is probably not with your 3550 but with the device you have connected the 3550 to.

The reason you can ping from the 3550 is that it has an IP from the same subnet as the device you have connected to. But when you ping from a client connected to the 3550 that is a different subnet. The device you are connecting the 3550 to needs to know about that subnet so for this to work you need to add routes for the 3550 subnets to the L3 device on the other network.

It works with a PC because that PC simply gets an IP from a known subnet when connecting to the ISP device. So it will never work unless you get the subnets on the 3550 added to the other network as the others have said.

NAT can be used as a solutions sometimes where you NAT all the 3550 subnets IPs to the IP the 3550 picked up when connected to the ISP device. But unfortunately the 3550 doesn't support NAT. So i wouldn't bother setting it up on the other 3550 because it still won't work. You can either -

1) get the subnets on the 3550 added as static routes to the rest of the network so return traffic can be sent back to the client connected to the 3550

or

2) run a dynamic routing protocol between the 3550 and the rest of the network.

Jon

phonetech · ‎02-28-2012

Unfortunately, I don't have any control on the outside network. I'll have to research this further, may be I need to add some other equipment. I was trying to create something that would resemble a home network connected to a cable mode.

Thanks for your help.