Cisco Support Community
Community Member

router on a stick - intervlan communication

Hello all. I need some assistance with router on a stick configuration. I am currently using a 2651XM router and a 2950 switch. The switch is connected via trunk port to the fa0/1 physical interface of the router. I cannot ping a host in VLAN 100 from VLAN 200. Both VLANs can ping their respective gateway on the router but not hosts in the other VLAN; they can also ping each other's gateway. I will be starting a CCNA boot camp type course soon and would like to start with at least being able to perform the basics. I have posted some config info below. Any help and any advice is greatly appreciated.

Router config tidbits:

Version 12.4(15)T13

interface FastEthernet0/0
description $FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/1.100
description Data$FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 100
ip address 192.168.1.1 255.255.255.0

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.200
description Voice/Guest$FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 200
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly

Switch Config:

Current configuration : 1912 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch_2950
!
enable secret 5 $1$qNsZ$1zFSv2R.2jTv2jYqI6r0L1
!
ip subnet-zero
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 1
!
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/3
description Wireless
switchport access vlan 100
switchport trunk native vlan 100
switchport mode trunk
!
interface FastEthernet0/4
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/24
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 192.168.1.254 255.255.255.0
no ip route-cache

Thank you all!

Justin

13 REPLIES
Hall of Fame Super Blue

Re: router on a stick - intervlan communication

Firewall on the hosts?

Community Member

Re: router on a stick - intervlan communication

Hello and thanks for replying! There are no firewalls on the hosts I am trying to ping. I can successfully ping hosts that are all in the same VLAN and I have tried pinging multiple different hosts.

Hall of Fame Super Blue

Re: router on a stick - intervlan communication

both VLANs can ping their respective gateway on the router but not hosts in the other VLAN, they can also ping each other's gateway.

So VLANs can ping each other but can't ping other hosts.

Where's your dynamic or static route on your router?

Purple

Re: router on a stick - intervlan communication

Which port on the switch are you using to connect to the router? Most of it looks OK. If from a host on VLAN 100 you can ping the VLAN 200 gateway address, then there should be no reason you should not be able to ping a host in the other VLAN if the trunk is OK. What kind of host are you trying to ping? Any PC must have the Windows firewall turned off to ping it.

Switch# conf t
vtp mode transparent
vlan 100
vlan 200
exit
int f0/24
switchport mode trunk
switchport nonegotiate
! native VLAN 1 is the default, so the next line shouldn't be needed
switchport trunk native vlan 1
switchport trunk allowed vlan 1,100,200
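
The trunk settings suggested in the reply above can be compared mechanically with the dot1Q tags on the router's subinterfaces. This is an added example, not code from the thread: `stanza`, `expand` and `audit` are hypothetical helper names, and the config strings are trimmed excerpts of the posted configs with IOS's one-space indentation restored (the parser assumes that indentation).

```python
import re

# Trimmed excerpts of the router and switch configs posted in this thread.
ROUTER_CFG = """\
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
interface FastEthernet0/1.100
 encapsulation dot1Q 100
interface FastEthernet0/1.200
 encapsulation dot1Q 200
"""
SWITCH_CFG = """\
interface FastEthernet0/23
 switchport access vlan 200
interface FastEthernet0/24
 switchport mode trunk
"""

def stanza(config, name):
    """Return the indented lines under 'interface <name>' as one string."""
    m = re.search(rf"^interface {re.escape(name)}\n((?: .*\n?)*)", config, re.M)
    return m.group(1) if m else ""

def expand(vlan_list):
    """Expand an allowed-VLAN list such as '1,100-102' into a set of ints."""
    ids = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(router_cfg, switch_cfg, trunk_port):
    """Compare router dot1Q tags with the switch trunk port; return findings."""
    tags = re.findall(r"encapsulation dot1Q (\d+)( native)?", router_cfg)
    router_native = next((int(v) for v, n in tags if n), 1)  # untagged VLAN
    port, findings = stanza(switch_cfg, trunk_port), []
    if "switchport mode trunk" not in port:
        findings.append("not a static trunk")
    if "switchport nonegotiate" not in port:
        findings.append("DTP negotiation enabled")
    allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", port)
    if allowed is None:
        findings.append("all VLANs allowed")
    elif {int(v) for v, _ in tags} - expand(allowed.group(1)):
        findings.append("router VLAN not allowed on trunk")
    native = re.search(r"switchport trunk native vlan (\d+)", port)
    if (int(native.group(1)) if native else 1) != router_native:
        findings.append("native VLAN mismatch")
    return findings
```

Run against the posted Fa0/24 stanza, `audit` reports only the two items the reply tightens (DTP still negotiating, no explicit allowed-VLAN list); the VLAN tags and native VLAN already agree with the router.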

Community Member

Re: router on a stick - intervlan communication

That is correct, the VLANs can ping one another. Sorry about leaving out the route. There is 1 static route set up in the router and it is simply 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx.

Here is my current sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0

     24.0.0.0/30 is subnetted, 1 subnets
C       xxx.xxx.xxx.xxx is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1.100
C    192.168.2.0/24 is directly connected, FastEthernet0/1.200
S*   0.0.0.0/0 [1/0] via xxx.xxx.xxx.xxx

IPs removed, of course.

Community Member

Re: router on a stick - intervlan communication

I am using f0/24 on the switch to trunk to the router.

Hall of Fame Super Blue

Re: router on a stick - intervlan communication

Glen's right.  Where is your VLAN instance?

Community Member

Re: router on a stick - intervlan communication

I thought I added the VLANs to the VLAN database on the switch. Here is my sh vlan from the switch.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa
                                                Fa
200  VLAN0200                         active    Fa0/22, Fa0/23
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
200  enet  100200     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

EDIT: The text didn't paste properly.

sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Gi0/1, Gi0/2
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/4
200  VLAN0200                         active    Fa0/22, Fa0/23
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Message was edited by: Justin Simonson

Purple

Re: router on a stick - intervlan communication

Hi

Can hosts in the same VLAN ping each other?

Have you got a firewall enabled on the router, and if so, does show run | in zone give any output?

In the affirmative, can you post the output from: show run int f0/0.100 and show run int f0/0.200

as well as show class-map type inspect and show policy-map type inspect.

Don't forget to rate helpful posts.
Community Member

Re: router on a stick - intervlan communication

I have attached the results from the sh commands in a text file. I will look over them today to see if I notice anything. Thank you for your help!

Yes, hosts within the same VLAN are able to ping one another.

Purple

Re: router on a stick - intervlan communication

So you have zone-based firewall configured with SDM and the 2 subinterfaces are in the same security zone, so it's not the cause of the problem.

Can you post the output of sh run | in ip access-group and sh access-list please?

Also post the output of ipconfig and the ARP cache. Which OS are you using? If Windows 7, are your interfaces in the public domain? Because if so, ICMP is blocked both ways; then put these in the private domain.

Could you sniff the 2 hosts on different VLANs while you're doing your ping and post the capture file here?

Regards.

Community Member

Re: router on a stick - intervlan communication

The main host I am trying to ping is a Windows 2003 server with its firewall disabled. I attached the txt file with the output results of the commands. The sh run | in ip access-group command did not work for me and I also tried it as sh run ip access-group. The host I am pinging from is a Windows XP machine and it can send and receive ICMP messages with no problem when on the same VLAN as the other hosts. Thank you greatly for your help and patience with this. I have much to learn.

I'll sniff the hosts when I get home this evening.

Purple

Re: router on a stick - intervlan communication

OK, so to see on which interface these ACLs are used, if they are applied to any interface, can you do a sh ip interface for each of your subinterfaces and the main physical interface?

When I was speaking about ARP, I meant on the hosts, not on the router.

But you can do a debug arp when pinging the 2 hosts in each VLAN and see if there is no Layer 2 problem.

Regards.
