VLAN – VLANs on Switch Can’t Reach Router

ciscoroutingswitchubiquitivlan

I can’t get my lab switch non-primary VLANs to be able to ping my lab router. Only switch VLAN 1 (default) is able to ping the router interface.

I have a home lab with a Cisco SG300-10 switch and an EdgeRouter-X router, which is connected to the rest of the home network. I can only reach the lab router, and thus the Internet, only from VLAN 1; non of the other VLANs can ping the switch but can each other. I’m under the assumption that the lab switch which is in L3 mode should route the VLAN traffic to the router. What’s wrong with my setup or configuration? Note, i tried to set the lab router eth1 to 10.10.1.1/16.

Router configuration:

    firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.254/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.10.1.1/24
        description "Cisco SG-300 Switch"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description PC
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description "Wifi AP"
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
protocols {
    static {
        route 10.10.0.0/16 {
            next-hop 10.10.1.254 {
                description "cisco sg300 switch"
                disable
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name xxx
    gateway-address 192.168.1.1
    host-name xxx
    login {
       xxx
        }
    }
    name-server 192.168.1.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.1.4939092.161214.0702 */

Switch configuration:

config-file-header
xxx
v1.4.7.6 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router 
file SSD indicator excluded
@
vlan database
vlan 2-11 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp pool network "VLAN2"
address low 192.168.2.200 high 192.168.2.220 255.255.255.0 
dns-server 8.8.8.8
exit
bonjour interface range vlan 1
ip access-list extended "iSCSI Isolation"
deny ip any any ace-priority 1
exit
hostname xxx
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
ip ssh server

sntp source-interface vlan 1 
ip name-server  192.168.1.1 8.8.8.8
ip telnet server
!
interface vlan 1
 ip address 10.10.1.254 255.255.255.0 
 no ip address dhcp 
!
interface vlan 2
 name "VMG 2" 
 ip address 10.10.2.1 255.255.255.0 
!
interface vlan 3
 name "VMG 3" 
 ip address 10.10.3.1 255.255.255.0 
!
interface vlan 11
 name iSCSI 
 ip address 10.10.11.1 255.255.255.0 
!
interface gigabitethernet1
 description nuc1-onboard
 switchport trunk allowed vlan add 2-4 
!
interface gigabitethernet2
 description nuc2-onboard
 switchport trunk allowed vlan add 2-4 
!
interface gigabitethernet3
 description nuc1-usb
 switchport trunk native vlan 11 
!
interface gigabitethernet4
 description nuc2-usb
 switchport trunk native vlan 11 
!
interface gigabitethernet5
 description "nas1-lag2 Public Home VLAN"
 channel-group 2 mode auto 
!
interface gigabitethernet6
 description "nas2-lag2 Public Home VLAN"
 channel-group 2 mode auto 
!
interface gigabitethernet7
 description "nas3-iscsi-lag1 VMware iSCSI network"
 channel-group 1 mode auto 
 switchport mode access 
!
interface gigabitethernet8
 description "nas4-iscsi-lag1 VMware iSCSI network"
 channel-group 1 mode auto 
 switchport mode access 
!
interface gigabitethernet9
 description Unused
 switchport mode access 
!
interface gigabitethernet10
 description "Router Uplink"
 switchport mode general 
!
interface Port-channel1
 description ISCSI
 switchport trunk native vlan 11 
!
interface Port-channel2
 description "Synology Home Network Pair"
 switchport mode access 
!
exit

macro auto processing type router enabled 
ip default-gateway 10.10.1.1

Best Answer

You are using the switch as a layer-3 switch (router), but the ip default-gateway 10.10.1.1 command is for a layer-2 switch for the 10.10.1.1/24 network on VLAN 1. You do not use that command with IP routing. Cisco has a document that explains the differences: Configuring a Gateway of Last Resort Using IP Commands.

As a router, the layer-3 switch needs to know to send traffic for other destinations to the router. It can learn routes in three ways:

Directly connected networks
Statically configured routes
Dynamically through a routing protocol

You either need to set up a default route on the layer-3 switch (probably what you want to do), or set up static routes on the layer-3 switch, or run a routing protocol between the layer-3 switch and the router.

You also probably want to make the link between the layer-3 switch and the router as a routed link, rather than a VLAN.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Vlan – Setting up PIM Sparse mode

My questions are:

Should we setup on our core network switch OSPF with a router ID of 1.1.1.1 and then not set any OSPF settings on any other switch?

OSPF is not necessary for this implementation.

Would PIM Sparse Mode only need to be enabled on the core switches or on all of the switches in the network?

Pim-SM needs to be enabled on each L3 interface on which you want to allow the multicast traffic. For example, if you wish to contain the traffic to Vlans 15 and 14, you would have to do the following on your core:

configure
ip multicast
ip igmp
ip pim sparse
interface vlan 14
ip igmp
ip pim
interface vlan 15
ip igmp
ip pim
exit

If you want the traffic to traverse all Vlans, then you will need the appropriate interface configuration under each Vlan. Your L2 switches will need IGMP snooping turned on (ideally on all interfaces via the global configuration).

configure
ip igmp snooping 
bridge multicast filtering

For a very basic multicast setup like this, these should be the only features that you would need.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Vlan – Setting up PIM Sparse mode

Related Topic