10-11-2007 11:33 AM - edited 03-05-2019 07:02 PM
I'm trying to configure the 'router on a stick'; basically, through one interface, I need to route to 3 subnets. My configuration is a 2811 connected to a 3560, which is connected to an F5 BIG-IP.
Below are my configs (- passwords)
2811
----
Using 1647 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XO-2811
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-17.bin
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 65.ccc.ccc.196
ip name-server 65.ccc.ccc.196
!
!
!
interface FastEthernet0/0
description WAN interface$ETH-LAN$
ip address xxx.xxx.xxx.37 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex full
speed 100
!
interface FastEthernet0/1
description LAN interface
no ip address
duplex auto
speed 100
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 67.aaa.aaa.129 255.255.255.224
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 67.bbb.bbb.225 255.255.255.224
!
interface FastEthernet0/1.3
encapsulation dot1Q 3
ip address 67.ccc.ccc.225 255.255.255.224
!
ip forward-protocol nd
ip route profile
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 permanent
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
snmp-server community XO RO
snmp-server location XO Data Center Beaverton
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
3560
----
Using 4782 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XO_GB_Switch1
!
logging console critical
!
no aaa new-model
clock timezone Pacific 8
vtp mode transparent
ip subnet-zero
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2-4
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
macro description cisco-router
!
interface GigabitEthernet0/2
description Out to F5-1-Pbc
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
!
interface GigabitEthernet0/3
description Out to F5-2-Pbc
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 100
!
!
interface GigabitEthernet0/49
description Out to F5-1-Pvt
switchport access vlan 4
speed nonegotiate
flowcontrol receive desired
!
interface GigabitEthernet0/50
description Out to F5-2-Pvt
switchport access vlan 4
speed nonegotiate
flowcontrol receive desired
!
!
interface Vlan1
description Public side VLAN
ip address 67.aaa.aaa.148 255.255.255.224
!
interface Vlan2
no ip address
!
interface Vlan3
no ip address
!
interface Vlan4
ip address 10.10.10.210 255.255.255.0
!
ip default-gateway 67.aaa.aaa.129
ip classless
ip http server
!
snmp-server community XO RO
!
control-plane
!
!
line con 0
line vty 0 4
password xxx
no login
line vty 5 15
password xxx
no login
!
!
end
I seem to be able to get to the network on FastEthernet 0/1.1 fine, but not the other two.
Can someone please help with my configuration?
10-11-2007 11:45 AM
Your router-on-a-stick seems fine to me.
Perhaps you have not configured vlan 2 and 3 on the switch?
Configure a port in access mode, vlan2 and connect a PC to it. Then try to ping the router. Repeat the same for vlan3.
regards,
Leo
10-11-2007 11:47 AM
Do you have vlan 2 and 3 created? Do a show vlan and check if vlan 2 and 3 show up there. If they don't, then configure vlan 2 and 3 from the global config as follows and test.
SW1-3550(config)#vlan 2
SW1-3550(config-vlan)#vlan 3
HTH
Sundar
10-11-2007 11:53 AM
Brett
I do not notice any particular issues in the config that you posted about routing to VLANs 2 and 3. Since there is not any particular configuration on your switch about those VLANs and there do not seem to be any ports on the switch in those VLANs, would I be correct in assuming that they are on the F5? My guess is that there is some issue on the F5 about these VLANs or about the trunking between F5 and your switch. Can you provide any information about the F5 and its configuration?
Are you able to access addresses in those VLANs from the 2811?
I notice one other thing which I do not believe is related to the current problem but which may be a problem you would face later. Your default route points just to the FastEthernet interface. This means that the router will have to ARP for each destination address. And it will work only if the next hop router enables proxy arp. Since FastEthernet0/0 is configured with a /30 address it should be easy to change the default route so that it points to the next hop address. This would be a significant improvement.
HTH
Rick
10-11-2007 11:59 AM
The 3 subnets are on the F5, so no physical ports on the switch will be used to access them. From the 2811, I can only access the subnet on FastEthernet 0/1.1.
I suspect that the problem lies on the F5 as well. I am in the process of trying to create a trunk on the interface I am using on the F5, but things are a little different over there. It's odd because my tag for the 'external' VLAN where the interface lies right now is 4094, yet seems to be routing the native VLAN 1 traffic from the router/switch. I guess I thought the tag for VLAN 1 would be 1, and would need to match the tag on the F5. Is this not the case?
10-11-2007 12:12 PM
You have set vlan1 to native. This means that the router sends untagged traffic on vlan1.
Traffic can "leak" into another vlan on a trunk when the native vlans are different.
Turn on cdp to check this out quickly.
Leo
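The two checks suggested so far in the thread (are VLANs 2 and 3 defined on the switch, and do both ends of the trunk agree on the native VLAN) can be run against saved configs. This is an added example, not code from any poster; the function names are hypothetical, and the embedded config excerpts are constructed by trimming the configs posted above.

```python
import re

# Constructed excerpts, trimmed from the 2811 and 3560 configs posted in the thread.
ROUTER = ("interface FastEthernet0/1.1\nencapsulation dot1Q 1 native\n!\n"
          "interface FastEthernet0/1.2\nencapsulation dot1Q 2\n!\n"
          "interface FastEthernet0/1.3\nencapsulation dot1Q 3\n")
SWITCH = ("vlan 2-4\n!\ninterface GigabitEthernet0/1\n"
          "switchport trunk encapsulation dot1q\nswitchport mode trunk\n")

def vlan_set(spec):
    """Expand an IOS VLAN list such as '2-4,10' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def router_end(cfg):
    """Return (native_vlan, tagged_vlans) from the dot1Q subinterfaces."""
    found = re.findall(r"^[ \t]*encapsulation dot1Q (\d+)( native)?[ \t]*$", cfg, re.M)
    native = next((int(v) for v, n in found if n), None)
    return native, {int(v) for v, n in found if not n}

def switch_end(cfg, port):
    """Return (native_vlan, tagged_vlans) for one trunk port."""
    defined = {1}  # VLAN 1 always exists; others need a 'vlan N' line
    for spec in re.findall(r"^vlan ([\d,-]+)[ \t]*$", cfg, re.M):
        defined |= vlan_set(spec)
    m = re.search(rf"^interface {re.escape(port)}[ \t]*\n(.*?)(?=^!|^interface |\Z)",
                  cfg, re.M | re.S)
    if m is None:
        raise ValueError(f"no such interface: {port}")
    nat = re.search(r"switchport trunk native vlan (\d+)", m.group(1))
    allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", m.group(1))
    native = int(nat.group(1)) if nat else 1  # IOS default native VLAN
    carried = defined & vlan_set(allowed.group(1)) if allowed else defined
    return native, carried - {native}

def link_findings(need, peer):
    """Problems for an end that needs (native, tagged) against its peer."""
    out = []
    if need[0] != peer[0]:
        out.append(f"native VLAN mismatch: {need[0]} vs {peer[0]}")
    out += [f"VLAN {v} not carried by peer" for v in sorted(need[1] - peer[1])]
    return out

if __name__ == "__main__":
    print(link_findings(router_end(ROUTER), switch_end(SWITCH, "GigabitEthernet0/1")))
```

For the posted configs the router-to-switch link yields no findings, which matches the replies that the router-on-a-stick side looks fine.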
10-11-2007 12:35 PM
update:
From the F5, I can ping out to all sub-interfaces on the router, and through the router. So the F5 can find his way back out.
Do I need to enable routing on the switch to tell the Vlan2 and 3 traffic where to go?
On the F5, there is an IP on the interface that is in the subnet of Vlan1, but none for Vlan 2 or 3 subnets.
10-12-2007 12:03 AM
Sorry if I've missed something here, but if you have a 3560, why do you need a router on a stick? The router doesn't seem to have any serial interfaces, so what are you trying to do with it that you cannot do with the internal router of the 3560?
Kevin Dorrell
Luxembourg
10-12-2007 02:43 AM
You should try giving an IP address to interface vlan 2 and 3 from the range you gave to interface FastEthernet 0/1.2 and 0/1.3.
Only then can traffic be routed between PCs of vlan 2 and vlan 3.
yogesh
10-12-2007 12:51 PM
Sorry, I should have been more specific on the architecture. I have a fastE connection to the internet on a /30 address. I am trying to route to 2 F5's (redundant) that support 3 subnets of public IP addresses (all /27). The switch is because I only have 1 interface on my router, and I needed ports for my private subnet (VLAN 4 is the pvt net).
I'm pretty stuck right now. Thank you all for your help so far, but I'm still missing one piece of the puzzle.