I don't think my routing configuration is working properly on my multilayer switch, the switches directly connected to it, and my 2811 router.
My 2948G switches uplink to each other and a multilayer 3560 switch, which then leads to a 2811 router and the WAN. The problem is, without static routes on the 2811 pointing to the multilayer switch as the gateway for the vlan subnets, there is no connection.
Network setup is:
2811 Router - IP 10.4.0.1
3560 Switch - IP 10.4.0.84
2948 Switch - IP 10.4.0.85
2948 Switch - IP 10.4.0.86
2948 Switch - IP 10.4.0.87
routing table for 2948 Switch: (The default is the only one I added, the rest propagated automatically)
routing table for 3560 Switch:
10.4.0.0 directly connected, native vlan
10.4.5.0 directly connected, vlan 100
10.4.6.0 directly connected, vlan 110
10.4.7.0 directly connected, vlan 120
0.0.0.0 0.0.0.0 10.4.0.1
A trace to 10.4.0.1 from a client who is connected to let's say, the 10.4.5.0 vlan, when there is NO static route on the 2811 router pointing back to the 3560 as that subnet's gateway, starts at 10.4.5.1, and times out after that. However, after configuring that static route on the 2811 router, the trace goes from 10.4.5.1 to 10.4.0.1. It's almost like the 3560 switch sends all its traffic to the 2811 router to get routed, instead of routing the traffic itself. I thought if I'm connected to the vlan 10.4.5.0, my gateway should be 10.4.5.1, and if trying to get to any of the defined vlans on the 3560, I would go to the 3560 and no further since all those subnets are directly connected to the 3560. Attached are the configs for the 3560 and the 2948 switches.
I have looked at the two config files that you posted. I see that the switch points to the 3560 as its default gateway. I see that the 3560 points to the 2811 with its default route. I see that the 3560 can route among its VLANs. I see that there is no active routing protocol on the 3560.
I am slightly confused about what works and what does not. You clearly describe that a trace to the 2811 from a client on one of the switches does not work without a static route on the 2811. Beyond that I am not sure whether you are saying that client to client does work or does not work.
It would be much easier if you would post the config of the 2811 and also the output of show ip route on the 2811. My guess at this point is that the 2811 does not have routes to the VLANs defined on the various switches.
Client to client doesn't work either, between vlans anyway. Someone on the payroll vlan was unable to get to a printer on a separate vlan, or the file server on a separate vlan. The router's routing table:
Gateway of last resort is 192.168.64.2 to network 0.0.0.0
S 192.168.88.0/24 [1/0] via 10.3.0.1
S 192.168.15.0/24 [1/0] via 10.0.4.2
S 172.16.0.0/16 [1/0] via 126.96.36.199
188.8.131.52/30 is subnetted, 1 subnets
C 184.108.40.206 is directly connected, Serial0/0/0.1
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
S 10.4.6.0/24 [1/0] via 10.4.0.84
S 10.4.7.0/24 [1/0] via 10.4.0.84
S 10.0.0.0/8 [1/0] via 220.127.116.11
S 10.4.5.0/24 [1/0] via 10.4.0.84
S 10.4.2.0/24 [1/0] via 10.0.4.2
S 10.4.3.0/24 [1/0] via 10.4.0.84
C 10.4.0.0/24 is directly connected, FastEthernet0/0
C 10.0.4.0/30 is directly connected, Serial0/1/0
S* 0.0.0.0/0 [1/0] via 192.168.64.2
S 192.168.0.0/16 [1/0] via 18.104.22.168
I've also attached the 2811's config.
Thanks for the additional information. Based on this I think that we have answers for part of the question. The 2811 needs static routes for the subnets that are on the switches because otherwise it has no knowledge of them. They are not connected subnets on the 2811 and there is no dynamic routing protocol between the 3560 and the 2811. So static routes are needed for connectivity from the 2811 to anything in those VLANs connected through the switches.
I am not clear why client to client does not work. Looking at the 3560 it sees those subnets as connected and I would expect it to route between the VLANs. I am not sure why it would be forwarding to the 2811, but from your description that appears to be what is happening. Can you verify how the clients are configured? In particular I am interested in the mask that they have and their default gateway. I am wondering if there is some aspect of the client config that is sending traffic to the 2811.
Also in a brief look at the documentation for the 3560 there is a statement that which version of software (standard version or enhanced) is running impacts the options for routing. Which version of software is the 3560 running? It might be helpful if you post the output of show protocol and of show ip protocol on the 3560.
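The point made above about the 2811 needing static routes can be checked against the routing table posted in this thread. The following is an added example, not part of any post: it runs a longest-prefix match over the 10.x and default entries of that table and shows that, with the statics via 10.4.0.84 removed, replies to a VLAN host are not dropped but match the 10.0.0.0/8 static and leave toward a different next hop. The host addresses are constructed for illustration.

```python
import ipaddress

# Entries transcribed from the 2811's "show ip route" output in this thread
# (10.x routes and the default only): (prefix, next hop or connected interface).
ROUTES_2811 = [
    ("10.4.6.0/24", "10.4.0.84"),
    ("10.4.7.0/24", "10.4.0.84"),
    ("10.0.0.0/8", "220.127.116.11"),
    ("10.4.5.0/24", "10.4.0.84"),
    ("10.4.2.0/24", "10.0.4.2"),
    ("10.4.3.0/24", "10.4.0.84"),
    ("10.4.0.0/24", "FastEthernet0/0"),   # connected
    ("10.0.4.0/30", "Serial0/1/0"),       # connected
    ("0.0.0.0/0", "192.168.64.2"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop), or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def without(routes, next_hop):
    """The same table with every route via `next_hop` removed."""
    return [r for r in routes if r[1] != next_hop]


def compare(dst):
    """Route chosen with the statics via the 3560, and with them removed."""
    return lookup(ROUTES_2811, dst), lookup(without(ROUTES_2811, "10.4.0.84"), dst)


if __name__ == "__main__":
    # Constructed host addresses: two VLAN hosts and one on the native VLAN.
    for dst in ("10.4.5.20", "10.4.7.9", "10.4.0.85"):
        with_static, no_static = compare(dst)
        print(f"{dst}: with statics {with_static}, without {no_static}")
```
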
An example of a client's ip config for the payroll vlan, would be
gateway is 10.4.5.1
One odd thing I noticed is I can ping fine from hyperterminal on the switch without the static routes on the 2811, but the clients connected to the switch get lost. Here's also a sample of the routing table on one of my switches.
The primary gateway: 10.4.0.84
Destination Gateway RouteMask Flags Use Interface
--------------- --------------- ---------- ----- -------- ---------
default 10.4.0.84 0x0 UG 2 sc0
10.4.0.0 10.4.0.86 0xffffff00 U 15678 sc0
192.168.6.0 10.4.0.1 0xff000000 UGD 0 sc0
sh ver for 3560
Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 29-Apr-05 22:25 by yenanh
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEB, RELEASE SOFTWAR
Humm3560 uptime is 1 week, 2 days, 21 hours, 21 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipbase-mz.122-25.SEB1/c3560-ipbase-mz.122-25.S
cisco WS-C3560-48TS (PowerPC405) processor (revision A0) with 118784K/12280K bytes of memory.
Processor board ID CAT0905R0PW
Last reset from power-on
5 Virtual Ethernet interfaces
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:13:1A:F5:61:00
Motherboard assembly number : 73-9898-05
Power supply part number : 341-0097-01
Motherboard serial number : CAT09050BRV
Power supply serial number : DCA085301E2
Model revision number : A0
Motherboard revision number : A0
Model number : WS-C3560-48TS-S
System serial number : CAT0905R0PW
SFP Module assembly part number : 73-7757-02
SFP Module revision Number : A0
SFP Module serial number : CAT09050FDZ
Top Assembly Part Number : 800-26162-01
Top Assembly Revision Number : A0
Version ID : V01
CLEI Code Number : COMMJ00ARA
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3560-48TS 12.2(25)SEB1 C3560-IPBASE-M
Configuration register is 0xF
sh protocol is
Internet Protocol routing is enabled
Vlan1 is up, line protocol is up
Internet address is 10.4.0.84/24
Vlan100 is up, line protocol is up
Internet address is 10.4.5.1/24
Vlan110 is up, line protocol is up
Internet address is 10.4.6.1/24
Vlan120 is up, line protocol is up
Internet address is 10.4.7.1/24
Vlan130 is up, line protocol is up
Internet address is 10.4.3.1/24
FastEthernet0/1 is down, line protocol is down
sh ip proto
Humm3560#sh ip proto
*** IP Routing is NSF aware ***
One other note I wanted to add, a client, for example from the payroll vlan, is able to ping all the vlan ip addresses as defined on the 3560, 10.4.5.1, 10.4.6.1, etc, but is unable to ping any hosts on those vlan subnets, or the 2811 router, 10.4.0.1.
You added the layer 3 information, did you ever create the layer 2 side of it? Do all vlans show active and show up when you do a "show vlan"? Do all ports look like they are in the correct vlan when you do this command?
Thanks for the additional information. The output from the 3560 pretty much looks like what I was expecting. The config looks right to me and I would expect the 3560 to route for the local VLANs, but it is not. I have sometimes observed that when the config looks right but the behavior is not what is expected, that a reboot will sometimes produce the correct behavior. Is there any chance that you could reboot the 3560?
I am trying to figure what we can learn from what you mention that a client can ping the several VLAN interfaces on the 3560 but can not ping hosts within the VLAN. I believe that this demonstrates that the IP addressing and default gateway on the client are correct since it is able to ping a "remote" destination. I think it suggests that the 3560 is not routing/forwarding directly between the VLANs but is forwarding to the 2811 for this traffic. I am puzzled why this would be happening this way.
I will reload it tonight and try again in the morning. Will let you know the results. It does look like even though the 3560 has the vlans directly attached, it is forwarding to the 2811 to get to hosts inside the various vlans.
Rick, I rebooted, but still the same behaviour. I did a few traceroutes again, and notice clients are able to get to other clients, even if they are in different vlans, as long as they are on the same switch, but not other switches. I also tried changing the default gateway to the 3560, 10.4.0.84, but a trace still went to the vlan address first, 10.4.8.1, and got lost after that. I still don't get why I'm able to ping everywhere from the switch while connected to the switch through hyperterminal, but not clients connected to the switch. Something has to be missing from the 3560 to prevent correct routing.
I think it is very strange that clients can get to other clients in other VLANs as long as they are on the same switch but can not get to clients on other switches. My understanding is that to get to other VLANs would require getting to the 3560 and at that point it should not matter whether the destination is on another switch or not. It makes me wonder about the switch connections to the 3560 and their trunking.
When you say that you can ping everywhere when connected to the switch via hyperterm, are you talking about being connected to the 3560 or to the other switches?
Should I have configured the port on the 3560 that uplinks to the 2811 to be a layer 3 port with an IP address on the same subnet as the fast ethernet port of the 2811?
I would think that it should work ok either way. But while we are trying things, it might be worth a try to configure the 3560 port as layer 3 and put the IP address there.
While I'm not sure exactly what I did to resolve this, it is no longer an issue. One thing I did have wrong, on some of my static clients like servers, I had them using the 2811 as their gateway instead of the 3560. I think my understanding of how things were supposed to work was skewed by that misconfiguration. Anyway, thank you very much for your help, I appreciate it.
It would be nice if we could really know what caused the problem. But if we do not know quite what was wrong and what really fixed it, at least we know that it is now working. Congratulations on getting it to work.