Etherchannel on esw520s and intervlan routing

Similar Messages

• No 'ip routing' command on switch and yet intervlan routing.

  Hi,
  In my companies 4500 switch I see there is intervlan routing configured for the 4 Vlans it has but I do not see any 'ip routing' command on it
  to enable routing on the switch. Can a switch route even though the command isnt there?

  Ran the 'show run all' command and it was there. Thought '
  sh run | i ip' would display it but didn't.
  Thanks for the command.
  We just turned enterprise. I keep forgetting that.

• InterVlan Routing and an ASA5520

  Hey Guys,
  I'm having problems getting something to work. First off, let me give you the topology and the configs:
  Config R1
  Vlan Database:
  VLAN Name                             Status    Ports---- -------------------------------- --------- -------------------------------1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4                                                Fa1/5, Fa1/6, Fa1/7, Fa1/8                                                Fa1/9, Fa1/1010   SERVER                           active    Fa1/1430   CLIENTS                          active    Fa1/13100  Inside                           active101  LIFESIZE                         active    Fa1/12250  Mgmt                             active    Fa1/111000 Outside                          active    Fa1/151002 fddi-default                     active1003 token-ring-default               active1004 fddinet-default                  active1005 trnet-default                    active
  Trunks:
  Port      Mode         Encapsulation  Status        Native vlanFa1/0     on           802.1q         trunking      1Port      Vlans allowed on trunkFa1/0     1-1005Port      Vlans allowed and active in management domainFa1/0     1,10,30,100-101,250,1000Port      Vlans in spanning tree forwarding state and not prunedFa1/0     1,10,30,100-101,250,1000
  Running Config:
  interface FastEthernet1/0 switchport mode trunk
  interface FastEthernet1/11 switchport access vlan 250 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/12 switchport access vlan 101 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/13 switchport access vlan 30 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/14 switchport access vlan 10 duplex full speed 100 spanning-tree portfast!interface FastEthernet1/15 switchport access vlan 1000!interface Vlan1 no ip address!interface Vlan10 description SERVER no ip address!interface Vlan20 description DRUCKER ip address 10.11.20.254 255.255.255.0!interface Vlan30 description CLIENTS ip address 10.11.30.254 255.255.255.0!interface Vlan101 description LifeSize no ip address!interface Vlan250 description Management ip address 10.11.250.254 255.255.255.0!ip default-gateway 10.11.250.251ip forward-protocol ndip route 0.0.0.0 0.0.0.0 10.11.250.251ip route 10.0.0.0 255.0.0.0 10.11.250.251
  Config ASA:
  ASA Version 8.4(2)!hostname ciscoasaenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface GigabitEthernet0 nameif Outside security-level 0 ip address 186.89.54.20 255.255.255.248!interface GigabitEthernet1 description Trunk to SW no nameif no security-level no ip address!interface GigabitEthernet1.10 vlan 10 nameif Server security-level 100 ip address 10.11.10.251 255.255.255.0!interface GigabitEthernet1.30 vlan 30 nameif Clients security-level 100 ip address 10.11.30.251 255.255.255.0!interface GigabitEthernet1.101 vlan 101 nameif DMZ security-level 50 ip address 10.11.101.251 255.255.255.0!interface GigabitEthernet1.250 vlan 250 nameif Mgmt security-level 100 ip address 10.11.250.251 255.255.255.0!interface GigabitEthernet2 shutdown no nameif no security-level no ip address!interface GigabitEthernet3 shutdown no nameif no security-level no ip address!interface GigabitEthernet4 shutdown no nameif no security-level no ip address!interface GigabitEthernet5 nameif Martin security-level 100 ip address 10.11.15.254 255.255.255.0!ftp mode passivesame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceaccess-list global_access extended permit ip any anyaccess-list Clients_access_in extended deny ip any 10.11.101.0 255.255.255.0 inactiveaccess-list Clients_access_in extended permit ip any 10.11.10.0 255.255.255.0 inactiveaccess-list Server_access_in extended permit ip any anyaccess-list Server_access_in extended deny ip 10.11.250.0 255.255.255.0 10.11.250.0 255.255.255.0 inactiveaccess-list Mgmt_access_in extended deny icmp any 10.11.10.0 255.255.255.0 inactiveaccess-list Mgmt_access_in extended permit ip any any inactivepager lines 24logging enablelogging buffered debuggingmtu Outside 1500mtu Server 1500mtu Clients 1500mtu DMZ 1500mtu Mgmt 1500mtu Martin 1500icmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-702.binno asdm history enablearp timeout 14400access-group Server_access_in in interface Serveraccess-group Clients_access_in in interface Clientsaccess-group Mgmt_access_in in interface Mgmtaccess-group global_access globalroute Mgmt 10.11.0.0 255.255.0.0 10.11.250.254 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyuser-identity default-domain LOCALhttp server enablehttp 10.0.0.0 255.0.0.0 Martinhttp 10.11.250.0 255.255.255.0 Mgmtno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart warmstarttelnet timeout 5ssh timeout 5console timeout 0management-access Mgmtthreat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn!class-map global-class match default-inspection-traffic!!policy-map global-policy class global-class  inspect dns  inspect ftp  inspect http  inspect icmp  inspect icmp error  inspect rtsp  inspect sip  inspect snmp  inspect tftp!service-policy global-policy globalprompt hostname contextno call-home reporting anonymouscall-home profile CiscoTAC-1  no active  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService  destination address email [email protected]  destination transport-method http  subscribe-to-alert-group diagnostic  subscribe-to-alert-group environment  subscribe-to-alert-group inventory periodic monthly  subscribe-to-alert-group configuration periodic monthly  subscribe-to-alert-group telemetry periodic dailycrashinfo save disableCryptochecksum:e5a96d671ff3b5453c8f1de5c39f1f63: end
  Problem:
  What I'm planning is, having an InterVlan routed network that is done by the switch and only certain Networks should be protected by the ASA.
  The Networks that should not be protected will have the GW of the L3 SVI
  The protected hosts will have the GW of the ASA and send their traffic there first
  The ASA has a Trunk to the Switch receiving all L2 Vlans from there (E1)
  The ASA has an Interface called Mgmt to which it can send all the traffic back (Asymmetric Routing problem?)
  The Inside (called Mgmt, sorry for the confusion) has a default route pointing to the Switch R1
  Mgmt 10.11.0.0 255.255.0.0 10.11.250.254
  I'm stuck with the basics
  What won't work:
  From R1 i can ping Mgmt and Client Network but not Server and DMZ
  Pinging from R1 (10.11.250.254) to ASA Server (10.11.10.251) Interface gives me this Teardown but i have a global permit any any?
  %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/20 gaddr 10.11.10.251/0 laddr 10.11.10.251/0%ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:03%ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:03
  R2 (Server Host) has the ASA Gateway for its interface and it can ping it. But when i'm trying to ping another interface on the ASA that i can ping from R1, it's like it is not even reaching the ASA. I can see no traffic at all.
  Can somebody tell me what what i'm doing wrong and why? I'm kinda getting a little bit frustrated since i've been working on this from quite some time but i fail to get it working properly.
  Cheers

  I'm sorry very sorry i'm responding so late i've been very busy lately.
  This forum doesn't show the topology diagram i posted so let me try that again first:
  Now, as you can see, R2 has the GW of the ASA which is 10.11.10.251/24. R1 is the L3-Switch and doesn't have an Interface IP for the Server and DMZ but a default-gateway and default-network pointing to 10.11.250.251/24 which is the Mgmt Interface of the ASA. Additionally, it has has a Trunk Port to the ASA to pass all L2-Vlans.
  The ASA can ping all L3-Vlans of the Switch R1 e.g. 10.11.30.254/24 and the host 10.11.30.5/24
  The L3-Switch can only ping the Mgmt to which it is directly connected and in the same Network 10.11.250.0/24 but not all other Interfaces
  Pinging fom 10.11.250.254/24 (L3 Interface of R1) to 10.11.10.251/24 (Server Interface ASA) gives me this logging output:
  %ASA-6-302021: Teardown ICMP connection for faddr 10.11.250.254/3 gaddr 10.11.10.251/0 laddr 10.11.10.251/0%ASA-7-609002: Teardown local-host Mgmt:10.11.250.254 duration 0:00:05%ASA-7-609002: Teardown local-host identity:10.11.10.251 duration 0:00:05
  And that is the major problem for me right now. I don't know what i'm doing wrong.
  Thx

• Fast EtherChannel between Catalyst 3750 and 2821 Router

  Hi Guys
  I'm trying to setup a Fast EtherChannel between a cat3750-smi and a 2821 router that consists of only 2 links.
  I am following instructions per TAC, but I'm getting an error along the way;
  On the cat3750:
  interface port-channel 1
  no switchport
  Command Rejected: Not a convertable port
  Can anyone help???
  Also... do the IP Addresses for the EtherChannel need to be the same for both port-channels? Or do I assign the switch like 192.168.1.1 and the router 192.168.1.2 ?
  Thanks!
  Adam

  Hi Adam,
  The ip address cannot be same but it should belong to same subnet. So one side 192.168.1.1 and other side 192.168.1.2 will work fine.
  Its better to convert your layer 2 port as a layer port fist so what you do the port which you want to be port channel go that that interface and convert with "switchport" command
  once it is a layer 3 port configure with channel group and automatically layer 3 port channel will be created and you can sssign an ip address then.
  Just give a try and update if it works.
  Regards,
  Ankur

• SRP 546W Intervlan Routing and ACL

  Hi,
  how can I configure Access Control Lists to manage the communication between different vlan? As I activate Intervlan Routing, all vlan members can communicate together.
  Thanks a lot.
  Thomas

  Thomas,
  Intervlan Routing on the SRP routers is all or none. You cannot choose which VLAN members can communicate with other VLANs.
  - Marty

• Etherchannel Simultaneous Primary and Sub-Interface Config

  Hello Cisco Experts:
  Question: Can I run layer 2 traffic across EtherChannel and layer 3 traffic simultaneously across the same etherchannel on a subinterface?  If not, and considering the background information below, is there an advisable alternative?  The documentation I've been reading isn't clear on the subject.
  Background
  I'd like to split my VLans across (2x) L3 3560 switches interconnected by EtherChannel.  I'll use SVI's for the routing - but if Switch #1 SVI must route to another SVI on Switch #2, I'd like this traffic to cross the EtherChannel instead of heading to another L3 Device before continuing its route to the destination switch.  (I.E. I prefer direct switch to switch routing.)
  Design Preference:
  I don't want my etherchannel to become a 100% routed channel.  
  I don't want to add another connection between the switches - ports are at a premium and budget is tapped.
  No access level switches are being used at this time.
  Physical Topology
  Thank you for your time,
  Mike

  Hi Jon:
  First, I didn't begin to think you were criticizing my design.  I just wanted to relieve your confusion.
  I tested your ideas this morning, and everything checked out and worked fine.  After some more investigation, I remembered why I was asking the question about using EtherChannel with an encapsulated Subinterface & IP Addr. for switch-to-switch routing.
  Regrettably it had nothing to do with Intervlan routing, which was working fine.  But it does have something to do with routing between the two switches.  
  Link Failure and High Availability
  When I began to consider each case of link failure, I discovered 4 cases of link failure that created problematic results.  Two of the cases led to an extra hop, and two of the cases result in a black hole.  These ideas were tested with packet tracer to verify I had a problem.
  These instances occur because I'm routing 3 vlans out of each switch.  Each problem could be resolved by a complete HSRP fail-over to the other switch.  But maybe the more elegant decision is a switch-to-switch route with an appropriate administrative distance (preferably using the EtherChannel)? 
  Note: Primary is the primary WAN connection and Backup is the backup WAN connection.
  Scenario 1: Extra Hop
  Scenario 2: Extra Hop
  Scenario 3: Black Hole
  Scenario 4: Black Hole
  Let me know what you think the ideal solution is: 1) use HSRP tracking to failover to the other switch, 2) create a direct switch to switch route using EtherChannel Subinterface with IP, or 3) some third option.
  Thank you for your time,
  Mike

• Best practice for intervlan routing?

  are there some best practices for intervlan routing ?
  I've been reading allot and I have seen these scenarios
  router on a stick
  intervlan at core layer
  intervlan at distribution layer.
  or is intervlan needed at all if the switches will do the routing?
  I've done all of the above but I just want to know what's current.

  The simple answer is it depends because there is no one right solution for everyone. 
  So there are no specific best practices. For example in a small setup where you may only need a couple of vlans you could use a L2 switch connected to a router or firewall using subinterfaces to route between the vlans.
  But that is not a scalable solution. The commonest approach in any network where there are multiple vlans is to use L3 switches to do this. This could be a pair of switches interconnected and using HSRP/GLBP/VRRP for the vlans or it could be stacked switches/VSS etc. You would then dual connect your access layer switches to them.
  In terms of core/distro/access layer in general if you have separate switches performing each function you would have the inter vlan routing done on the distribution switches for all the vlans on the access layer switches. The core switches would be used to route between the disribution switches and other devices eg. WAN routers, firewalls, maybe other distribution switch pairs.
  Again, generally speaking, you may well not need vlans on the core switches at all ie. you can simply use routed links between the core switches and everything else. 
  The above is quite a common setup but there are variations eg. -
  1) a collapsed core design where the core and distribution switches are the same pair. For a single building with maybe a WAN connection plus internet this is quite a common design because having a completely separate core is usually quite hard to justify in terms of cost etc.
  2) a routed access layer. Here the access layer switches are L3 and the vlans are routed at the access layer. In this instance you may not not even need vlans on the distribution switches although again to save cost often servers are deployed onto those switches so you may.
  So a lot of it comes down to the size of the network and the budget involved as to which solution you go with.
  All of the above is really concerned with non DC environments.
  In the DC the traditional core/distro or aggregation/access layer was also used and still is widely deployed but in relatively recent times new designs and technologies are changing the environment which could have a big impact on vlans.
  It's mainly to do with network virtualisation, where the vlans are defined and where they are not only routed but where the network services such as firewalling, load balancing etc. are performed.
  It's quite a big subject so i didn't want to confuse the general answer by going into it but feel free to ask if you want more details.
  Jon

• Meaning of this show IP route output in InterVLAN routing (subnet calculation) - did i get mistaken ?

  Hi all,
  I am reading the configuration of interVLAN routing on 3750 from cisco @
  http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41260-189.html
  There are 3 VLAN created on the L3 switch namely
  VLAN10 - 10.1.10.0/24 network
  VLAN 2 - 10.1.2.0/24 network
  VLAN 3 - 10.1.3.0/24 network
  But on the show IP route results (see bold red), why does it indicate that 10.0.0.0/24 is subnetted. How is it subnetted ?
  10.1.10.0/24, 10.1.2.0/24, 10.1.3.0/24 all belongs to different network are not subnet out from 10.0.0.0/24.
  How does the calculation goes ?
  Cat3550#show ip route
  Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
  D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
  N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
  E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
  i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
  * - candidate default, U - per-user static route, o - ODR
  P - periodic downloaded static route
  Gateway of last resort is 200.1.1.2 to network 0.0.0.0
  200.1.1.0/30 is subnetted, 1 subnets
  C 200.1.1.0 is directly connected, FastEthernet0/48
  10.0.0.0/24 is subnetted, 3 subnets
  C 10.1.10.0 is directly connected, Vlan10
  C 10.1.3.0 is directly connected, Vlan3
  C 10.1.2.0 is directly connected, Vlan2
  S* 0.0.0.0/0 [1/0] via 200.1.1.2
  Please advise
  Regards,
  Noob

  Noob
  Jon is quite correct that in modern usage we tend to treat network and subnet as almost interchangeable. But technically there is a difference and that difference becomes significant for the kind of question that you are asking. There is no "network" 10.0.0.0/10. 10.0.0.0/10 is a subnet of the class A network 10.0.0.0/8. You are correct that 10.0.0.0/10 can be further subnetted but that does not make 10.0.0.0/10 into a "network".
  To go a step further in explaining this perhaps we can think of designing a network for a company that has offices in several cities. We might assign 10.0.0.0/10 as the network for the Chicago office, and 10.64.0.0/10 as the network for the New York office, and 10.128.0.0/10 as the network for the Atlanta office and 10.192.0.0/10 as the network for the Los Angeles office. (Note that while I called them network here they are actually subnets of class A 10.0.0.0/8) Within each city we might further subnet their block of addresses to create multiple subnets for each city.
  It might help to think about how Cisco organizes the routing table to support the routing function. When a router receives a packet and needs to make a forwarding decision it searches the routing table looking for the longest match. In functional terms what it is doing is to identify what network the packet belongs to and then to determine whether that network has been subnetted, and if so to which subnet does the packet go. So Cisco organizes the routing table to identify the network on one line and then to identify the subnets on lines below the network line. So in your original post the line in red
   10.0.0.0/24 is subnetted, 3 subnets
  is telling us about the network and the lines below it are telling us about the subnets that it knows of that network.
  It also seems that you are looking at 10.0.0.0/24 as if that were a single piece of information indicating that 10.0.0.0/24 is present in the routing table. That is not what is actually indicated. There are two separate and distinct pieces of information in that.
  1) the network is 10.0.0.0 (a class A network)
  2) the network is subnetted consistently using a /24 mask
  HTH
  Rick

• Need help InterVlan Routing on SF300-24P? .

  Hello
  I really need help with Inter vlan routing via Kerio Controll 7.4.1.
  I have several SF300-24P switches (IOS 1.3.0.62) and i have created a several VLAN's.
  Vlans: Vlan 10, 100, 200 and interface vlan 213 (for management).
  I can ping hosts in the same Vlan via this switches. From switch to host, port is in access mode and between switches ports is in Trunk mode
  (also i had a problem here, trunk wasn't working untill i used command: switchport trunk allowed vlan add all).
  Also port is in Trunk mode between KERIO and SW1 (switch). interface is in TRUNK mode from switch's side because i don't know how configure interface TRUNK mode on kerio.
  On kerio i have configed one physical interface with IP - 172.16.0.1 255.255.255.0 and on the same interface i have created
  VLAN 10, VLAN 100 and VLAN 200.
  static IP's for this interfaces:
  10.0.0.1 255.255.255.0 VLAN 10
  192.168.100.1 255.255.255.0 VLAN 100
  192.168.200.1 255.255.255.0 VLAN 200
  On KERIO i have created DHCP Lease for each VLAN, but i cannot get IP's from DHCP. So i assigned static IP's  to computers
  (for example for VLAN100 PC, VLAN 200 PC and so on) but they cannot ping each other when they are in different vlans, so inter vlan routing itsnot working. but with static IP on the PC, i can ping every VLAN's IP address on KERIO.
  so pls tell me how i must configure inter vlan routing on kerio, is it possible?
  or what must i do? where is my mistake? maybe when i put IP on pysical interface?
  here is my configs and pls help and give me config example.
  config-file-header
  SW1
  v1.3.0.62 / R750_NIK_1_3_647_260
  CLI v1.0
  set system mode switch
  file SSD indicator plaintext
  vlan database
  vlan 10,100,200,213
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  hostname SW1
  username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
  username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
  interface vlan 10
  name Staff
  interface vlan 100
  name Cards
  interface vlan 200
  name AP's
  interface vlan 213
  name Management
  ip address 172.16.213.1 255.255.255.0
  no ip address dhcp
  interface fastethernet1
  description MANAGEMENT-VLAN
  spanning-tree disable
  switchport mode access
  switchport access vlan 213
  interface fastethernet2
  spanning-tree disable
  switchport mode general
  switchport general acceptable-frame-type untagged-only
  interface fastethernet3
  spanning-tree disable
  switchport mode general
  switchport general acceptable-frame-type untagged-only
  interface fastethernet4
  spanning-tree disable
  switchport mode access
  switchport access vlan 200
  interface fastethernet5
  spanning-tree disable
  switchport mode access
  switchport access vlan 200
  interface fastethernet6
  spanning-tree disable
  switchport mode access
  switchport access vlan 100
  interface fastethernet7
  spanning-tree disable
  switchport mode access
  switchport access vlan 100
  interface gigabitethernet1
  description Direction-To-SW2       <--- This port is Trunk, but its not showing here for some reason.
  spanning-tree disable
  interface gigabitethernet2
  description Direction-To-KERIO  <--- This port is Trunk also.   i used: switchport mode trunk on both interfaces
  spanning-tree disable
  exit
  banner login 
  SW1
  config-file-header
  SW2
  v1.3.0.62 / R750_NIK_1_3_647_260
  CLI v1.0
  set system mode switch
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  vlan database
  vlan 10,100,200,213
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  hostname SW2
  username administrator password encrypted 7fc3774d79570c81cda124d5dcf80b8ae0fcdd6c privilege 15
  username cisco password encrypted 1defefd1f4a214009775b2c2b6b961a77da384b5 privilege 15
  interface vlan 10
  name Staff
  interface vlan 100
  name Cards
  interface vlan 200
  name AP's
  interface vlan 213
  name Management
  ip address 172.16.213.2 255.255.255.0
  no ip address dhcp
  interface fastethernet1
  description MANAGEMENT-VLAN
  spanning-tree disable
  switchport mode access
  switchport access vlan 213
  interface fastethernet2
  spanning-tree disable
  switchport mode general
  switchport general acceptable-frame-type untagged-only
  interface fastethernet3
  spanning-tree disable
  switchport mode general
  switchport general acceptable-frame-type untagged-only
  interface fastethernet4
  spanning-tree disable
  switchport mode access
  switchport access vlan 200
  interface fastethernet5
  spanning-tree disable
  switchport mode access
  switchport access vlan 200
  interface fastethernet6
  spanning-tree disable
  switchport mode access
  switchport access vlan 100
  interface fastethernet7
  spanning-tree disable
  switchport mode access
  switchport access vlan 100
  interface fastethernet8
  spanning-tree disable
  switchport mode access
  switchport access vlan 100
  interface gigabitethernet1
  description Direction-To-SW1    <--- This port is Trunk also.   i used: switchport mode trunk
  exit
  banner login 
  SW2
  i have excluded many interfaces because hey have same configs.

  Yes Kerio is capable for routing. i wanted to make InterVlan routing via kerio Ccontroll, but i can't and that's i asked here, i need to know reason.
  I have modified 1 switch to L3, and inter vlan routing its now working (without Kerio) and i hope this switches dont have problem when they are DHCP server also.
  thanx for help. I Hope i didnot have much mistakes in config.

• SGE2010 layer 3 problem with intervlan routing setup

  I am new to the small business switches and could use some assistance in configuring intervlan routing between multiple vlans on the switch. I have changed the mode to layer 3 and setup the vlans. When I enter an IP address for VLAN2, I am disconnecting from the configuration interface (VLAN1 ip) on the switch and I cannot access the switch unless I reset it. I have tried this several times and each time it behaves the same. Is there something else I need to setup before configuring the ip address for the other VLANs?

  Hi Jacqueline,
  Thank you for participating in the Small Business support community. My name is Nico Muselle from Cisco Sofia SBSC.
  This is the normal way for the switch to behave. There are 2 ways to work around this.
  You assign a port to VLAN2. After configuration of the IP address, you connect your PC to this port and make sure it is in the same subnet as the VLAN 2 IP address.
  You assign a static IP to the default vlan first and make sure your connected PC is in the same subnet.
  The reason for this behaviour is, that the switch has it's DHCP client enabled, if no DHCP server is available it will revert to it's default IP 192.168.1.254 (through which I assume you connect for configuration).
  However, once you configure a static IP on the switch, the DHCP client and the default IP are disabled, which means that the IP address obtained from the DHCP or the default IP of 192.168.1.254 are no longer reachable.
  I would go with step 2, as this is the easiest workaround for your issue and you would want a static IP in the default VLAN anyway I suppose.
  Hope this helps !
  Best regards,
  Nico Muselle
  Sr. Network Engineer - CCNA

• OSPF with InterVlan Routing

  Dear All,
  Please help me about it ...
  The same network I have designed and working fine on the RIPV2 but I want it on the OSPF but it works on the packet tracer but not on the GNS3. In this diagram there are multiple areas and there are three ABRs connected to the backbone area. The others interfaces are in the area1, area2 and area3 respectfully and in that side I need the intervlan routing.
  Is it possible in the ospf the same like in the diagram ?
  What type of OSPF (Point to Point or Point to Multipoint ) will be required as the R1 is the backbone router further connected with the Internet on the BGP. ?
  Please sir, advise me about it.
  Thanks
  Best Regards
  Ali Khan

  Hi Jon,
  Thank you very much,
  1) The link between the ABRs and R1 is the wireless 1.4gig bridge link on the 5Km distand and the interface is configured with IP ospf network point-to-point.
  2) On the packet tracer all the neibour displayed with its router-id, even on GNS3 but it does not show the route of other interface like area 1 or area 2.. Means the backbone router do not show the routes of other areas..(area 1 or area 2 and area 3)
  3) i have tried alot and i dont think that i missed any route but the backbone area do not show the routes of subnterface (for Vlan, Router on the Stack).
  Thanks
  Ali

• HSRP over Intervlan routing

  I am really having problem with the implementation of HSRP over intervlan routing.
  I configured the HSRP for multiple Vlans (10 &20), but both of the routers are in Active stage. I couldn't figure out where the
  probem lies.
  I have two routers (Cisco AS5300) and a Cisco 2950 Switch.
  The brief configuration is as follows:
  ROUTER1:
  interface FastEthernet0/0
  no ip address
  duplex auto
  speed auto
  interface FastEthernet0/0.10
  encapsulation dot1Q 10
  ip address 192.168.0.2 255.255.255.0
  standby 1 ip 192.168.0.1
  standby 1 priority 110
  standby 1 preempt
  interface FastEthernet0/0.20
  encapsulation dot1Q 20
  ip address 192.168.1.2 255.255.255.0
  standby 2 ip 192.168.1.1
  ROUTER2:
  interface FastEthernet0/0
  no ip address
  duplex auto
  speed auto
  interface FastEthernet0/0.10
  encapsulation dot1Q 10
  ip address 192.168.0.3 255.255.255.0
  standby 1 ip 192.168.0.1
  interface FastEthernet0/0.20
  encapsulation dot1Q 20
  ip address 192.168.1.3 255.255.255.0
  standby 2 ip 192.168.1.1
  standby 2 priority 110
  standby 2 preempt
  SWITCH:
  In the trunk ports, I have configured,
  (config-if)# switchport trunk encapsulation dot1q  native vlan 1
  (config-if)# switchport mode trunk 
  Hoping for  favourable responses from you mentors.
  Regards,
  Ganesh Dhungana

  Ganesh Dhungana wrote:I have two routers which are connected to the switch. Cisco 2950 is just there for the intervlan routing.Doesnt it support the intervlan routing??I have configured the HSRP on two Cisco AS5300 Routers.Darren, I am not clear with your logic, would you please clarify me ?Regards, Ganesh
  Sorry, I mis-read your original post - I thought you were trying to use the 2950 in the HSRP group. And I thought you types ASA5530, not AS5530. Two strikes for me. Mea Culpa.
  Have you actually created VLAN 10 and VLAN 20 on your switch? I don't believe the switch will trunk tagged frames unless the VLAN's actually exist.
  Also, the documentation I've found on the AS5300 (I've never used one) seems to indicate you should put a the command "standby name " into your configuration - although that may only be needed for IPSec VPN configurations on the AS5300 - see
  http://www.cisco.com/en/US/docs/ios/12_1/12_1e9/feature/guide/ft_ipsha.html for what I'm talking about.
  Sorry for the original screw up - teach me to read and try to reply coherently after a 12 hour shift!
  Cheers.

• Etherchannel between 2900 and 7200

  Hello,
  We have Etherchannel trunk set up between Catalyst 2924 switch and 7200 router. The trunk consists of 2 links with source-based forwarding, STP disabled on switch and on the router. For some reason, we can't achieve load-balancing on the trunk, that is, one link is currently used at 100%, another at 20%. We would like to achieve 50/50 utilization. Is it possible to do?
  Thanks !
  Konstantine

  The Etherchannel trunk consists of 0/11 and 0/12 interfaces.Here's the output from "Show interface" command on a switch:
  FastEthernet0/11 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0001.96bb.51cb (bia 0001.96bb.51cb)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  reliability 255/255, txload 219/255, rxload 49/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 2w6d, output 00:00:40, output hang never
  Last clearing of "show interface" counters 5w0d
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 19376000 bits/sec, 7347 packets/sec
  5 minute output rate 86004000 bits/sec, 8 packets/sec
  FastEthernet0/12 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0001.96bb.51cc (bia 0001.96bb.51cc)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  reliability 255/255, txload 22/255, rxload 58/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:01, output hang never
  Last clearing of "show interface" counters 5w0d
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 22747000 bits/sec, 7947 packets/sec
  5 minute output rate 8678000 bits/sec, 2548 packets/sec
  As you can see, the output rate on interface 0/11 is 300 times lower than on 0/12 and that is our main problem. We have a web farm here (around 100 servers), which is connected via Layer 4 switch to 2924 and then, via Etherchannel trunk, to 7200 router which is default gateway. We tried to use destination-based forwarding (on a switch), but that didn't change anything. The router AFAIK doesn't have any settings to change the forwarding.

• Help with simple interVlan routing on L3 switch

  Hi all - I just can't get my head around this really simple interVlan routing issue.  I have two VLANs (1 & 6) on a 3560 L3 switch.  I simply need to route between them.  Here is how I have it set up:
  Firewall is the VLAN1 client's default gateway:
  10.10.22.1 /255.255.255.0
  3560switch config:
  ip subnet-zero
  ip routing
  VLAN1:
  (hosts on 10.10.22.x/255.255.255.0; gateway 10.10.22.1)
  int vlan1
  ip address 10.10.22.254 255.255.255.0
  no shutdown
  VLAN6: (hosts on 192.168.25.x/255.255.255.0; gateway 192.168.25.1)
  ip address 192.168.25.1 255.255.255.0
  no shutdown
  ip classless
  int gi0/31 (an available unused port)
  no switchport
  ip address ?.?.?.?
  no shutdown
  Is the issue that all my 10.10.22.x clients are going to 10.10.22.1 trying to find 192.168.25.x, when they would need to go to 10.10.22.254; then the switch should have an ip route of 0.0.0.0 0.0.0.0 10.10.22.1? Then give the router on gi0/31 the 10.10.22.254 address?
  (as a side note, it would be easier for me to change the gateway's IP than to change each VLAN1 client's IP.)
  Thanks for any help!

  Hi all - I just can't get my head
  around this really simple interVlan routing issue.  I have two VLANs (1
  & 6) on a 3560 L3 switch.  I simply need to route between them.
  Here is how I have it set up:Firewall is the VLAN1 client's default gateway:
  10.10.22.1 /255.255.255.03560switch config:
  ip subnet-zero
  ip routingVLAN1:
  (hosts on 10.10.22.x/255.255.255.0; gateway 10.10.22.1)
  int vlan1
  ip address 10.10.22.254 255.255.255.0
  no shutdownVLAN6: (hosts on 192.168.25.x/255.255.255.0; gateway 192.168.25.1)
  ip address 192.168.25.1 255.255.255.0
  no shutdownip classlessint gi0/31 (an available unused port)
  no switchport
  ip address ?.?.?.?
  no shutdown***Is
  the issue that all my 10.10.22.x clients are going to 10.10.22.1 trying
  to find 192.168.25.x, when they would need to go to 10.10.22.254; then
  the switch should have an ip route of 0.0.0.0 0.0.0.0 10.10.22.1? Then
  give the router on gi0/31 the 10.10.22.254 address?(as a side note, it would be easier for me to change the gateway's IP than to change each VLAN1 client's IP.)Thanks for any help!
  Hi,
  With the above configuuration vlan 1 users will be going to firewll and if they want to reach vlan 6 firewall should have rule to permit for vlan 6 subnet and route towards vlan 6 interface and which is not there is your network.
  Just clarify few things you want firewall to come into picture for every traffic which goes between vlan or not and in interface gi0/31 you will be connecting router also is this router is sending traffic to outside world if yes then you need to change some design configuration to route tha traffic from vlans to outside world.
  If you want only inter vlan routing between vlan 1 and vlan 6 via firewall then make another zone in firewall and place that in vlan 6 with ip address as given in vlan 1 so that vlan 6 users can point traffic towards vlan 6 interface of firewall and in firewall just permit the vlan 6 communication with vlan 1 and drop a route for vlan 6 towards switch vlan 6 interface.
  and if between vlans you dont want firewall to come into picture then the best is create three vlan one for vlan 1,vlan 6 and outside vlan between router and firewall and drop a default route towards firewall.In this case inter vlan routing will be taken care by switch and traffic towards outside world will scaaned as per rule given in firewall.
  Hope to help
  If helpful do rate the post
  Ganesh.H

• Using Remote app on iPhone 5 without a separate internet connection and wifi router.

  Hi,
  I need to be able to control iTunes within my MacBook Pro remotely. Using my mobile broadband service and wireless router I've been able to get the Remote app to allow my iPhone 5 to do the job nicely through Home Share.  So I went and bought a separate WiFi router and tried to do the same thing. Of course when it didn't work, I discovered that I need an internet connection and WiFi network to make the Home Sharing work.
  So I got to thinking, can I create a WiFi hotspot using the Personal HotSpot functionality of my iPhone, set up Home Sharing on phone and MacBookPro and then use the Remote app. Ideally this would work as it seems all the key components are in place.
  The MacBook Pro accepts the iPhone hotspot as a means of Home Sharing, however the iPhone won't use the personal hotspot to Home Share and I can't connect to the iPhone personal hotspot on the iPhone itself.
  Does anyone know how to make this work for me? It would be such as neat solution if I can get it to work - not to mention the potential to save me about $200 (I need to set this model up for two people).
  Cheers
  Kathy

  Same trouble here, iPad 2 with latest OS and remote app, iPod with latest OS and app.