Routing from VLANs in 3560/G stack

jrcanfer

I'm very new to Catalyst switches and we've just taken over support of our switches from a third party.

We've got three 3560s and a 3560G with two VLANs configured. One is the default for our Windows domain and the second is configured for our IP phones (VLAN5).

I'm trying to add a second subnet for our Windows domain on a new subnet.

So I've created the VLAN (VLAN2) but I'm now having problems getting traffic moving across it. Specifically if I use switchmode port access I can get traffic to happily move between the default VLAN and VLAN2 no problem. But no traffic from VLAN2 can find the gateway to the web (which sits in the default VLAN).

There are no hits on the PIX ACL, yet if I allow it VLAN5 traffic can get out no problem to the web.

If I use switchport mode trunk the host cannot send data anywhere - yet my understanding is that this is the mode the ports need to be in.

Clearly I'm missing something here, so could I please have some pointers on how I need to configure the switches to allow traffic between the subnets and out to the web.

Many thanks.
 
Your best bet would be to post a sanitized config so we can take a look at your vlan and routing configurations. I'm suspecting that you have a problem with your vlan2 config (missing gateway or something?) or you have a configuration problem with your routing (are you using static or a routing protocol?)
 
Hi,

Configs as below although I've pulled any changes I made to ports for VLAN 2 as it wasn't working;

3560G;

!
! Last configuration change at 12:35:56 UTC Fri Apr 20 2007
! NVRAM config last updated at 12:35:57 UTC Fri Apr 20 2007
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname TMP_SW01
!
enable password 7
!
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
ip subnet-zero
ip routing
!
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface GigabitEthernet0/1
 description MiTel
 switchport access vlan 5
 switchport voice vlan 5
 spanning-tree portfast
..................
!
interface GigabitEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport voice vlan 5
 spanning-tree portfast
!
interface GigabitEthernet0/23
 speed 1000
 spanning-tree portfast
!
interface GigabitEthernet0/24
 spanning-tree portfast
!
interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/27
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/28
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 description Data
 ip address x.x.168.254 255.255.255.0
!
interface Vlan2
 description data
 ip address x.x.167.1 255.255.255.0
!
interface Vlan5
 description Voice
 ip address x.x.171.1 255.255.255.0
!
ip default-gateway x.x.168.1
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.168.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 071B2C5C42081704131F
 no login
line vty 5 15
 no login
!
end

All 3560s;


!
! Last configuration change at 14:26:14 UTC Fri Apr 20 2007
! NVRAM config last updated at 12:35:50 UTC Fri Apr 20 2007
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname TMP_SW02
!
enable password
!
no aaa new-model
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
.........................
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 description Data
 ip address x.x.168.2 255.255.255.0
!
interface Vlan2
 ip address x.x.167.2 255.255.255.0
!
interface Vlan5
 description Voice
 ip address x.x.171.2 255.255.255.0
!
ip classless
ip http server
!
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 password tmplanadm
 login
line vty 5 15
 no login
!
!
end
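
Added example, not part of the original post: a small Python audit of the management-plane settings visible in the two configs above (`no login` on vty lines, type 7 and cleartext passwords, `ip http server`). The excerpts are constructed from the posted lines with placeholder password values, and the rule names are this example's own.

```python
import re

# Constructed excerpts modelled on the two posted configs; password values
# are placeholders, not the ones from the thread.
SW01 = """service password-encryption
enable password 7 0123456789ABCDEF
ip http server
line vty 0 4
password 7 0123456789ABCDEF
no login
line vty 5 15
no login
!"""
SW02 = """no service password-encryption
enable password PLACEHOLDER
ip http server
line vty 0 4
password PLACEHOLDER
login
line vty 5 15
no login
!"""

RULES = [  # (rule id, regex matched against one stripped command)
    ("VTY_NO_AUTH", r"no login$"),  # only counted inside a 'line vty' section
    ("TYPE7_REVERSIBLE", r"(enable )?password 7( |$)"),
    ("CLEARTEXT_PASSWORD", r"(enable )?password (?!7( |$))\S+"),
    ("ENCRYPTION_SERVICE_OFF", r"no service password-encryption$"),
    ("HTTP_MGMT_ENABLED", r"ip http server$"),
]

def audit(config):
    """Return sorted (rule_id, context) findings for one IOS config text."""
    findings, section = set(), "global"
    for raw in config.splitlines():
        cmd = raw.strip()  # works whether or not indentation survived
        if not cmd or cmd.startswith("!"):
            section = "global"  # '!' closes the current section
        elif cmd.startswith("line "):
            section = cmd  # e.g. 'line vty 0 4'
        else:
            for rule, pattern in RULES:
                in_scope = rule != "VTY_NO_AUTH" or section.startswith("line vty")
                if in_scope and re.match(pattern, cmd):
                    findings.add((rule, section))
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("SW01", SW01), ("SW02", SW02)):
        print(name, audit(cfg))
```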
 
On the 3560G, can you ping the ip for vlan2? If you do an extended ping, can you ping the ip for vlan1 from vlan2?

What exactly was not working? Was it your clients that just could not get out of the vlan? How are you assigning addresses? If DHCP, do you have the correct gateway for members of vlan2?

Lastly, are all your FastEthernet ports on the 3560s configured as Trunks? I would think those ports should be in "switchport mode access" and members of data/voice vlans, not trunks.
 
Chipk, with a host connected to a port on the 3560 which was configured for VLAN 2 and switchport mode access I could ping servers on the 3560G in VLAN1 and vice versa.

The host was configured with a static IP for purposes of the test.

I could also do DNS lookups from the host in VLAN 2 to servers in VLAN 1, but the host in VLAN2 could not get out to the web - which was the only problem.

I'd configured access on the PIX but the packets weren't even getting that far.

The host was configured to use x.x.167.1 as the default gateway. I assumed this was fine as hosts connected to any switch in the stack on VLAN1 use x.x.168.254 as their default gateway.

However, if you think that the config checks out, I'll check over the PIX config and logs again.

The entire config is what we took over from a company that supposedly knew what they were doing. So any pointers towards a better config are welcomed!

Thanks
 
Nothing jumps out at me, excuse me as I talk through this. I would think that config and the hosts config'd with the 167.1 for the gateway would work. The only difference is the path to the internet is on the local segment for hosts on the 168.0 network, while the 167.0 network hosts would have to traverse another vlan to get to that, but you've got the default route set to what I assume is your PIX?

If you do a "show ip route connected" on the 3560G, do you see all your vlan networks?

I feel like I'm missing something. Probably need a second set of eyes on this.
 
Do a show vlan command and see if your new vlan shows up. You need to create a layer 2 vlan and also the corresponding layer 3 SVI to make the routing work correctly. A show vlan command should show all the vlans on the box and the corresponding ports that are assigned to that vlan, except trunk ports; they will not show up.
 
If I do a "show ip route connected" I get all three VLANs listed.

I'm a little lost with regards to creating the layer 3 SVI for VLAN 2 though. I've been through Cisco's technical docs online and while they touch on SVIs they seem to stop short of going into any detail.

Thanks
 
Sorted it - I'd put a typo into a route on the PIX!

Thanks for the help!
 
Glad to know I wasn't crazy. Everything looked correct.
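
Added example, not part of the thread: a Python check for the class of mistake that resolved it, confirming that every subnet routed by the switch has a firewall static route pointing back at the switch's SVI in the shared VLAN. The thread does not show the actual typo; the `10.0` octets, the firewall inside address and the firewall routes are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addressing: the thread masks the first two octets as x.x, so
# 10.0 is assumed. SVI host parts are taken from the posted 3560G config.
SWITCH_SVIS = {"Vlan1": "10.0.168.254/24",
               "Vlan2": "10.0.167.1/24",
               "Vlan5": "10.0.171.1/24"}
FW_INSIDE = "10.0.168.1/24"  # assumed firewall inside interface

# Hypothetical firewall static routes (prefix, next hop); the second has a
# constructed one-digit typo in the prefix.
FW_STATIC = [("10.0.171.0/24", "10.0.168.254"),
             ("10.0.176.0/24", "10.0.168.254")]

def check_return_routes(svis, fw_inside, fw_static):
    """Return {vlan: problem} for routed subnets the firewall cannot route back to."""
    inside = ipaddress.ip_interface(fw_inside)
    # Next hop the firewall must use: the switch SVI that shares its subnet.
    transit = next(ipaddress.ip_interface(a).ip for a in svis.values()
                   if ipaddress.ip_interface(a).ip in inside.network)
    routes = [(ipaddress.ip_network(p), ipaddress.ip_address(h))
              for p, h in fw_static]
    problems = {}
    for vlan, addr in svis.items():
        subnet = ipaddress.ip_interface(addr).network
        if subnet == inside.network:
            continue  # directly connected to the firewall, no route needed
        covering = [r for r in routes if subnet.subnet_of(r[0])]
        if not covering:
            problems[vlan] = f"no static route covers {subnet}"
            continue
        # Longest-prefix match decides which covering route is used.
        _, hop = max(covering, key=lambda r: r[0].prefixlen)
        if hop != transit:
            problems[vlan] = f"route to {subnet} points at {hop}, expected {transit}"
    return problems

if __name__ == "__main__":
    for vlan, problem in check_return_routes(SWITCH_SVIS, FW_INSIDE, FW_STATIC).items():
        print(f"{vlan}: {problem}")
```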
 