Solved: 3550 emi routing problem!!

hhaochen · ‎04-28-2003

hi

this is my network

10.84.0.10 (pix 515)

|

10.84.0.9 (c3550 emi)

/ \

(host) (host)

i have a problem with vlan routing,i set up svi(Switch Virtual

Interfaces), vlan 1 ip:10.84.0.9 vlan 2 ip:10.84.255.1 .but the

vlan routing isn't work. i can't ping pass 10.84.255.1 in the

switch .why? i want the traffic can be across the vlans.

thanks

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

ip subnet-zero

ip routing

spanning-tree extend system-id

interface FastEthernet0/1

no ip address

duplex half

speed 10

interface FastEthernet0/2

no ip address

duplex half

speed 10

interface FastEthernet0/3

no ip address

speed 100

interface FastEthernet0/4

no ip address

duplex half

speed 10

interface FastEthernet0/5

no ip address

duplex full

speed 100

interface FastEthernet0/6

no ip address

interface FastEthernet0/7

no ip address

interface FastEthernet0/8

no ip address

interface FastEthernet0/9

no ip address

interface FastEthernet0/10

no ip address

interface FastEthernet0/11

no ip address

duplex half

speed 10

interface FastEthernet0/12

no ip address

interface FastEthernet0/13

no ip address

interface FastEthernet0/14

no ip address

duplex half

speed 10

interface FastEthernet0/15

no ip address

interface FastEthernet0/16

no ip address

duplex half

speed 10

interface FastEthernet0/17

no ip address

interface FastEthernet0/18

no ip address

interface FastEthernet0/19

no ip address

interface FastEthernet0/20

no ip address

interface FastEthernet0/21

no ip address

interface FastEthernet0/22

no ip address

interface FastEthernet0/23

no ip address

interface FastEthernet0/24

no ip address

interface FastEthernet0/25

no ip address

duplex half

speed 10

interface FastEthernet0/26

no ip address

interface FastEthernet0/27

no ip address

interface FastEthernet0/28

no ip address

interface FastEthernet0/29

no ip address

interface FastEthernet0/30

no ip address

interface FastEthernet0/31

no ip address

interface FastEthernet0/32

no ip address

duplex half

speed 10

interface FastEthernet0/33

no ip address

duplex half

speed 100

interface FastEthernet0/34

no ip address

duplex half

speed 10

interface FastEthernet0/35

no ip address

duplex half

speed 10

interface FastEthernet0/36

no ip address

interface FastEthernet0/37

no ip address

duplex half

speed 10

interface FastEthernet0/38

no ip address

interface FastEthernet0/39

no ip address

duplex half

speed 10

interface FastEthernet0/40

no ip address

interface FastEthernet0/41

no ip address

duplex half

speed 10

interface FastEthernet0/42

no ip address

interface FastEthernet0/43

no ip address

interface FastEthernet0/44

no ip address

duplex half

speed 10

interface FastEthernet0/45

no ip address

interface FastEthernet0/46

no ip address

duplex half

speed 10

interface FastEthernet0/47

no ip address

interface FastEthernet0/48

no ip address

interface GigabitEthernet0/1

no ip address

interface GigabitEthernet0/2

no ip address

interface Vlan1

ip address 10.84.0.9 255.255.255.0

no ip mroute-cache

interface Vlan2

ip address 10.84.255.1 255.255.255.0

no ip mroute-cache

ip classless

ip route 10.84.0.0 255.255.255.0 Vlan2

ip route 10.84.255.0 255.255.255.0 Vlan1

ip http server

end

konigl · ‎04-30-2003

The router at 10.84.0.1 on your VLAN1 changes the network picture. It is probably the default gateway for your 10.84.0.0/24 VLAN1 users.

The router probably has a default route that points to the PIX Firewall inside IP address 10.84.0.9 for Internet access. Also, the router probably has a static route or routes pointing to the intranet 10.*.*.* and reaches them through other interfaces, for example serial.

The router does not know that subnet 10.84.255.0/24 on your VLAN2 is reached via 10.84.0.9. We need to change some of the steps I outlined in my earlier post, to fix this.

On the switch:

2a. Remove static default route that points to the PIX Firewall inside interface:

no ip route 0.0.0.0 0.0.0.0 10.84.0.10 1

2b. Add static default route that points to that router's LAN interface:

ip route 0.0.0.0 0.0.0.0 10.84.0.1 1

2c. Save the config.

On the router:

2d. Add static route to VLAN2's subnet via the switch's VLAN1 IP address:

ip route 10.84.255.0 255.255.255.0 10.84.0.9 1

This tells the router where to send traffic destined for VLAN2 hosts.

2e. Save the config.

Now try to ping between the PCs on VLAN1 and those on VLAN2. If my guess about the router's configuration is correct, this should work.

Next, ping in the opposite direction, from VLAN2 back to VLAN1 PCs. This should work, too.

View solution in original post

t.baranski · ‎04-28-2003

What's the purpose of the two static routes? They appear to be backwards, and aren't necessary anyway since so-called "connected" routes will be created by default for the two VLAN interfaces.

hhaochen · ‎04-28-2003

also when i show the interface

Vlan1 is up, line protocol is up

Hardware is EtherSVI, address is 0009.e8fd.6280 (bia 0009.e8fd.6280)

Internet address is 10.84.0.9/24

MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1

Queueing strategy: fifo

Output queue :0/40 (size/max)

5 minute input rate 1000 bits/sec, 1 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

59465 packets input, 8183243 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

1356 packets output, 143983 bytes, 0 underruns

0 output errors, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

Vlan2 is up, line protocol is down

Hardware is EtherSVI, address is 0009.e8fd.6280 (bia 0009.e8fd.6280)

Internet address is 10.84.255.1/24

MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 51

Queueing strategy: fifo

Output queue :0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

why the vlan 2 line protocol is down ???

t.baranski · ‎04-29-2003

I didn't notice this before, but none of the switch's ports are in VLAN2. Hence, the VLAN2 interface is down.

konigl · ‎04-29-2003

On the switch:

1. Remove the two static routes that are in your original config:

no ip route 10.84.0.0 255.255.255.0 Vlan2

no ip route 10.84.255.0 255.255.255.0 Vlan1

They are confusing the switch.

2. Add a static default route that points to the PIX Firewall inside interface:

ip route 0.0.0.0 0.0.0.0 10.84.0.10 1

This lets VLAN1 and VLAN2 traffic go out the PIX to the Internet.

3. Move at least one port (FastEthernet or GigabitEthernet) into VLAN2. For example:

interface FastEthernet0/48

switchport access vlan 2

Interface VLAN2 should come up now.

4. Save the config.

On the PIX:

5. Make sure there's a static route to VLAN2's subnet via the switch's VLAN1 IP address:

route inside 10.84.255.0 255.255.255.0 10.84.0.9 1

This tells the PIX where to send traffic destined for VLAN2 hosts.

6. Make sure there are no other static routes on the PIX which could affect traffic headed to the VLAN2 subnet.

7. Save the config.

Back to the switch:

8. Plug a computer into that Ethernet port, give it an IP address and mask for VLAN2 (10.84.255.something), give it 10.84.255.1 as the default gateway.

9. Find a PC on VLAN1, and make sure the PC's default gateway is the switch's VLAN1 IP address and NOT the PIX's inside IP address.

10. From the VLAN2 PC, ping to the PC on VLAN 1. This tests Layer 3 across the switch to a VLAN1 host.

11. From the VLAN2 PC, ping the PIX inside IP address. This tests whether you can reach the Internet from VLAN2.

12. From the VLAN1 PC, ping the PC on VLAN2. This tests Layer 3 across the switch to a VLAN2 host.

13. From the VLAN1 PC, ping the PIX inside IP address. This tests whether you can reach the Internet from VLAN1.

Hope this helps.

hhaochen · ‎04-30-2003

thanks.

i have a router :10.84.0.1 it is connet to intranet(10.*.*.*).i want any machine can visit the internet,also can visit the intranet.how can i do?

i have put a port int vlan2.and the vlan2 come up.and i Remove the two static routes that are in my original config. and i have not do the 4-13 step.

butmachine in vlan 2 can ping pass the vlan 1 ip:10.84.0.9. but i can't ping any machine in vlan 1.and any machine in vlan 1can't ping the vlan 2 ip:10.84.255.0.

konigl · ‎04-30-2003

The router at 10.84.0.1 on your VLAN1 changes the network picture. It is probably the default gateway for your 10.84.0.0/24 VLAN1 users.

The router probably has a default route that points to the PIX Firewall inside IP address 10.84.0.9 for Internet access. Also, the router probably has a static route or routes pointing to the intranet 10.*.*.* and reaches them through other interfaces, for example serial.

The router does not know that subnet 10.84.255.0/24 on your VLAN2 is reached via 10.84.0.9. We need to change some of the steps I outlined in my earlier post, to fix this.

On the switch:

2a. Remove static default route that points to the PIX Firewall inside interface:

no ip route 0.0.0.0 0.0.0.0 10.84.0.10 1

2b. Add static default route that points to that router's LAN interface:

ip route 0.0.0.0 0.0.0.0 10.84.0.1 1

2c. Save the config.

On the router:

2d. Add static route to VLAN2's subnet via the switch's VLAN1 IP address:

ip route 10.84.255.0 255.255.255.0 10.84.0.9 1

This tells the router where to send traffic destined for VLAN2 hosts.

2e. Save the config.

Now try to ping between the PCs on VLAN1 and those on VLAN2. If my guess about the router's configuration is correct, this should work.

Next, ping in the opposite direction, from VLAN2 back to VLAN1 PCs. This should work, too.

hhaochen · ‎05-01-2003

konigl

thank you really !

i will test it!

hhaochen · ‎05-01-2003

thank you!

i have resolve the problem!

i want to know ,

1).why the rip and ospf protocol have no use.

2).if i have many vlan routing,

how can i do?

3).if i have no pix or router

how can i resolve the vlan routing