
WarBuxX9

join:2012-03-30
Livonia, MI

[Config] Cisco 1921 problems communicating between VLANs

My network looks like this
Router
GI0/0 (routed interface/WAN Link) IP Dynamic
GI0/1 (routed interface/LAN link) Network 192.168.1.0 255.255.255.0
GI0/0/0 (VLAN1 192.168.101.1 255.255.255.240)

Switch
G24 (VLAN1 192.168.101.2 255.255.255.240)

From the router's GI0/1 interface I can ping the switch and anything attached to the switch. When I attempt to ping GI0/0/0 from a workstation attached to GI0/1 it fails.

Here is my router config. I really don't know how to troubleshoot this any further. Any insight into this problem will be huge for me!

Building configuration...

Current configuration : 13130 bytes
!
! Last configuration change at 21:08:10 NewYork Wed Apr 4 2012 by dave
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Bulldog
!
boot-start-marker
boot system usbflash0:c1900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
no logging buffered

!
no aaa new-model
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.101.1 192.168.101.9
!
ip dhcp pool Noc
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
!
ip dhcp pool VLAN1
network 192.168.101.0 255.255.255.240
default-router 192.168.101.1
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4227729276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4227729276
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-4227729276
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX1448Y05L
!
!
!
redundancy
!
!
!
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-any AdminServices
match protocol ssh
match protocol telnet
match protocol icmp
match protocol http
match protocol https
match protocol tftp
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-any NOC-MGMT
match protocol tcp
match protocol udp
match protocol icmp
match protocol ssh
match protocol telnet
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-policy-NOC-MGMT
class type inspect NOC-MGMT
pass
class class-default
drop
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security Int-servers
zone security Ext-Servers
zone security App-Servers
zone security Usr-Desktops
zone security Admin-Prots
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-zone-Admin-Prots source in-zone destination Admin-Prots
service-policy type inspect ccp-policy-NOC-MGMT
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description NOC Link$FW_INSIDE$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0/0
switchport mode trunk
!
interface GigabitEthernet0/0/1
switchport mode trunk
!
interface GigabitEthernet0/0/2
switchport mode trunk
!
interface GigabitEthernet0/0/3
switchport mode trunk
!
interface Vlan1
ip address 192.168.101.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security Admin-Prots
!
interface Vlan5
ip address 192.168.5.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security Int-servers
!
interface Vlan10
ip address 192.168.10.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security Ext-Servers
!
interface Vlan25
ip address 192.168.25.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security App-Servers
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security Usr-Desktops
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 192.168.101.0 255.255.255.240 192.168.101.2
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0816720B000A0C0346
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
end

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

1 recommendation

Isn't this the 3rd or 4th time you've asked essentially the same question? Remove the zbf "crap" and make sure end-to-end IP works. THEN worry about getting the security elements added -- one at a time so you know what change is causing what problem(s). If you don't understand every line of that config, buy some books and learn -- or pay a CCIE to set it up. What you're poking with a stick is complex. (and I don't have access to your brain... I don't know what your intentions or expectations are, or what you're trying to accomplish.)

Your first assignment... tell me why "ip route 192.168.101.0 255.255.255.240 192.168.101.2" is complex nonsense. (The router shouldn't even allow it.) Why does it never show up in the routing table?

(please, learn to use the code.../code formatting tags so your configs are actually readable)


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to WarBuxX9
+1 to what cramer said. Start simple, then build up your configuration bit by bit. When something stops working you know exactly what caused it and you can target your troubleshooting efforts.

If you go in all guns blazing there is bound to be confusion, or it's going to take a lot longer to debug.

said by cramer:

(please, learn to use the code.../code formatting tags so your configs are actually readable)

Big +1 to that!

WarBuxX9

join:2012-03-30
Livonia, MI
reply to cramer
Obviously you have not followed the topics. The ZBF "crap" caused the first problem. However, the 2nd issue had nothing to do with being put in a zone, it was just a missing ACL, and I don't believe this has anything to do with a zone either.

I do have a couple of books and I read a lot of web material. This is my 2nd time setting up a Cisco device.

ip route 192.168.101.0 255.255.255.240 192.168.101.2
What do you mean complex nonsense? If I remove that route from the route table I am unable to communicate with the switch at all.

Without that route how does the router know where to send the packets for the 192.168.101.0 network?

WarBuxX9

join:2012-03-30
Livonia, MI
reply to TomS_
I thought I was starting simple. I got the router working and everything put on the same subnet. I set up the VLANs and got communication working between the router and switches. I implemented the firewall; communication is still okay between router and switch. I moved over the first server to go on the new VLAN and that's when I realized I couldn't communicate with devices attached to the switch.


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1

1 edit

1 recommendation

reply to WarBuxX9
The reason why that route isn't proper is because you would have to be on the same connected network as 192.168.101.2 to forward packets to it, and you're saying send 192.168.101.0/28 to the .2 address when that route is already local or connected. If removing it breaks something you got worse problems going on....

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

WarBuxX9

join:2012-03-30
Livonia, MI
On my Cisco 1921 EHWIC I have a 4 port switch. One of those switch ports is assigned the address 192.168.101.1; attached to that switch is another HP ProCurve 3500yl switch that has the address of 192.168.101.2.

Are you saying I shouldn't need to add any route to route traffic between those two devices?


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to WarBuxX9
They are on the same subnet and directly connected. There should be no reason to have a route to point to it. In addition, the router should not even add that route to the routing table as you are essentially saying "route this already connected network to my neighbor that is also on the same connected network"
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

WarBuxX9

join:2012-03-30
Livonia, MI
I removed the route and there is still connectivity. I thought adding this route is what gave me connectivity between switches yesterday but that can't be right. I added the route in the first place because the old router config looks to have had some similar routes to connect the VLANs and I have been using this old config to help set up the router. I was told that these routes were added by Cisco's TAC.


[code]
ip nat pool Public 74.219.79.2 74.219.79.2 netmask 255.255.255.192
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 3 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 74.219.79.1
ip route 74.219.79.8 255.255.255.248 74.219.79.10
ip route 74.219.79.16 255.255.255.240 74.219.79.10
ip route 74.219.79.32 255.255.255.224 74.219.79.10
[/code]

It seems like the below route is also invalid.

ip route 74.219.79.8 255.255.255.248 74.219.79.10


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
That output is different than what you pasted above in the first post.

The default route 0.0.0.0/0 shouldn't be needed if you are using DHCP on Gi0/0; the default gateway should be set from the reply from the DHCP server.

You are correct, that is also an invalid route as per what I said above, and the other 2 routes wouldn't be added either as there is no connected route, but at least the next-hop and the subnet you are routing are not the same. In addition, where is 74.219.79.10? Is this another router? Also, you are doing overload NAT at the internet facing port, so why are you routing these IPs internally like this?

No offense but your config is a mess; I highly suggest you 'write erase' and 'reload' and start from scratch and do simple connectivity first. I'm also a little scared that TAC had you add routes like that...

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to WarBuxX9

said by WarBuxX9:

ip route 192.168.101.0 255.255.255.240 192.168.101.2
What do you mean complex nonsense? If I remove that route from the route table I am unable to communicate with the switch at all.

If that's true, you have much bigger problems.

That route says to send 101.0-15 to 101.2, which is inside that range. In other words... send 101.2's traffic to 101.2.

That route will not be valid until a path for 101.2 is available. That path isn't available until the interface for network 101.0 is online. Once the interface is up, there's a CONNECTED route in the table that has higher priority. (and cannot be removed.) So, the route does absolutely nothing.

(Cisco only allows such nonsense because there are oddball methods to create a more specific path to 101.2 -- tunnel, ptp link, vpn, etc.)
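
Added example, not part of any post in this thread: a small Python check for the conditions cramer and RyanG1 describe, a static route that duplicates a connected network and a next hop that no connected network covers. The sample config is constructed from interface and route lines quoted in the thread plus one made-up valid route (10.20.0.0/16); the function names and reason labels are this example's own.

```python
"""Lint IOS static routes against the connected networks in the same config."""
import ipaddress
import re

# Constructed sample: interface and route lines quoted in this thread
# (current config and the old reference config mixed together), plus one
# made-up route to 10.20.0.0/16 that is valid and should not be flagged.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan1
ip address 192.168.101.1 255.255.255.240
!
ip route 192.168.101.0 255.255.255.240 192.168.101.2
ip route 74.219.79.8 255.255.255.248 74.219.79.10
ip route 74.219.79.16 255.255.255.240 74.219.79.10
ip route 10.20.0.0 255.255.0.0 192.168.101.2
"""

IPV4 = r"(\d+(?:\.\d+){3})"
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)")
ADDR_RE = re.compile(rf"^\s*ip address {IPV4} {IPV4}")
ROUTE_RE = re.compile(rf"^\s*ip route {IPV4} {IPV4} {IPV4}")

# Reason labels (names chosen for this example).
SHADOWED = "destination equals a connected network (connected route wins)"
SELF_RESOLVING = "next hop lies inside the routed prefix and nowhere else"
UNRESOLVED = "next hop is not on any connected network in this config"


def parse(config_text):
    """Return ({connected_network: interface}, [(dest_network, next_hop)])."""
    connected, routes, iface = {}, [], None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if line.strip() == "!":          # '!' closes an interface block
            iface = None
            continue
        m = ADDR_RE.match(line)          # skips 'ip address dhcp' and 'no ip address'
        if m and iface:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            connected[net] = iface
            continue
        m = ROUTE_RE.match(line)
        if m:
            dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((dest, ipaddress.ip_address(m.group(3))))
    return connected, routes


def lint_static_routes(config_text):
    """Return [(route, [reasons])] for static routes that cannot do anything useful."""
    connected, routes = parse(config_text)
    findings = []
    for dest, hop in routes:
        reasons = []
        if dest in connected:
            # Connected routes have administrative distance 0, static routes 1,
            # so a static route for the very same prefix is never installed.
            reasons.append(SHADOWED)
        if not any(hop in net for net in connected):
            # Nothing directly attached reaches the next hop. Interfaces that
            # get their address by DHCP are invisible here, so confirm such
            # findings with 'show ip route' on the device.
            reasons.append(SELF_RESOLVING if hop in dest else UNRESOLVED)
        if reasons:
            findings.append((f"{dest} via {hop}", reasons))
    return findings


if __name__ == "__main__":
    for route, reasons in lint_static_routes(SAMPLE_CONFIG):
        print(route)
        for reason in reasons:
            print("   ", reason)
```

A static route to a longer prefix inside a connected network is deliberately not flagged, since that is the "more specific path" case mentioned above.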

WarBuxX9

join:2012-03-30
Livonia, MI
reply to RyanG1
The output I pasted above is from an old config and is not actually being run anywhere. I was using it as a sort of reference. I was just verifying that the routes I pasted above are also invalid. I am using DHCP now and I do not have a default route.

I did a write erase / reload on Sunday. I got a basic config working below.

I have a pretty basic config loaded. I was told that the TAC spent several hours with the old admin getting the router working properly. Until just a little while ago I had thought that the config file I have been using as a sort of cheat sheet was created by the TAC. After finding out about these routes being invalid I am no longer sure that they came from the TAC.

Here is my basic router config, which I am using to build off of. I can reload the router once more to get rid of all of the class/policy maps etc.



Building configuration...

Current configuration : 11420 bytes
!
! Last configuration change at 17:03:12 NewYork Tue Apr 3 2012 by dave
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Bulldog
!
boot-start-marker
boot system usbflash0:c1900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$9.66$Gn5H6gg3ZdokfjwMvZ6NK1
enable password 7 053C384A285F471D4D
!
no aaa new-model
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool Noc
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4227729276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4227729276
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-4227729276
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX1448Y05L
!
!
username dave privilege 15 secret 5 $1$..eY$HWHhw0Eyx3hmCUKxRj4Tw1
!
redundancy
!
!
!
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface GigabitEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description NOC Link$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0816720B000A0C0346
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
end


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to WarBuxX9

My Cisco 1921 EHWIC I have a 4 port switch. One of those switch ports is assigned the address...

Incorrect. The port does not have an address. If you attempt to enter an ip address for any of those ports, you'll get an error. You assigned an address to a VLAN that includes that port. (in fact, in your config, all vlans are active on all ports)

WarBuxX9

join:2012-03-30
Livonia, MI

I removed the zones totally. I should have done it earlier, I understand that now, but I am still having the same issue as before.

The interface GE0/1 has workstations that need to be able to see out to the vlans and the switches on the vlans. I can see workstations on the vlan but I cannot see the switches. I can't SSH/telnet, and the switches don't seem to have the router in their ARP table. When I ping from the switch to the router's interface it gets a response; the same goes for the other way, i.e. when I ping the switch from a router interface. I feel like it's something stupid that I am missing.

WarBuxX9

join:2012-03-30
Livonia, MI
reply to WarBuxX9
I realize I forgot to post the config file.


Building configuration...

Current configuration : 11725 bytes
!
! Last configuration change at 18:46:29 NewYork Thu Apr 5 2012 by dave
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Bulldog
!
boot-start-marker
boot system usbflash0:c1900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.101.1 192.168.101.9
!
ip dhcp pool Noc
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
!
ip dhcp pool VLAN1
network 192.168.101.0 255.255.255.240
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.101.1
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4227729276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4227729276
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-4227729276
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX1448Y05L
!
!
!
redundancy
!
!
!
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description NOC Link$FW_INSIDE$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0/0
switchport mode trunk
!
interface GigabitEthernet0/0/1
switchport mode trunk
!
interface GigabitEthernet0/0/2
switchport mode trunk
!
interface GigabitEthernet0/0/3
switchport mode trunk
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.101.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0816720B000A0C0346
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
end



RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to WarBuxX9
If your switch is not a layer 3 switch you will need to do all the inter-VLAN routing at the router. Right now you only have 1 VLAN and that IP is the 192.168.101.x subnet. You will need to have a VLAN interface for each VLAN added on the switch (unless you are doing all the routing at the switch itself).

If you can't talk to the router and the switch from each other and vice versa, that means you are either using the wrong IPs (or wrong subnet) or the VLANs are not configured properly.

What you need to do is remove the zone associations from the interfaces and get basic connectivity between your devices. You have been told this time and time again but it never happens.

The problem here is that you have an over-complicated configuration and you aren't sure exactly what you are doing (this is not bad, as everyone starts out somewhere). There's been good advice in all of your threads from various posters, but a lot of it seems to be ignored, based on each successive posting of your config.

On top of this, your config files seem to drastically change between postings and it proves hard to follow.

Sorry to be blunt, and please don't take this as being rude, because inflection and tone are often misread in text, but what's been said is an honest depiction of the posts I've seen.

Your check list:

make sure your switch has the correct vlans
make sure the host machines' ports are in the right vlan
make sure the trunk between your router and the switch allows all of said vlans
make sure that the vlan interfaces on the router are configured properly and up/up

THEN test connectivity and after it succeeds, start securing the interfaces and networks. This is to save you time and us a migraine.

With all that, I wish you luck. Let us know how it turns out.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams
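
A check for the "remove the zone associations" point in the post above, as an added example that is not part of the original thread: it parses the interface stanzas of a running-config and classifies traffic between two addresses by zone membership. It assumes the Cisco zone-based firewall behaviour that transit traffic between a zone-member interface and a non-member interface is dropped; `parse_interfaces`, `verdict` and the sample config (constructed from interface lines posted in this thread) are illustrative names, and only statically addressed connected subnets are modelled.

```python
import ipaddress
import re

# Constructed sample modelled on configs posted in this thread (Vlan1 has no zone).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp client-id GigabitEthernet0/0
 zone-member security out-zone
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 zone-member security in-zone
!
interface Vlan1
 ip address 192.168.101.1 255.255.255.240
!
zone-pair security ccp-zp-in-out source in-zone destination out-zone
"""

def parse_interfaces(config):
    """Map interface name -> {"ip": IPv4Interface or None, "zone": str or None}."""
    found, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = found.setdefault(m.group(1), {"ip": None, "zone": None})
        elif line == "!":
            cur = None  # "!" closes the stanza, also when indentation is lost
        elif cur is not None:
            if m := re.match(r"ip address ([\d.]+) ([\d.]+)$", line):
                cur["ip"] = ipaddress.ip_interface("/".join(m.groups()))
            elif m := re.match(r"zone-member security (\S+)$", line):
                cur["zone"] = m.group(1)
    return found

def verdict(config, src, dst):
    """Classify src -> dst (assumed ZBF rule: member <-> non-member transit is dropped)."""
    ifaces = parse_interfaces(config)
    pairs = set(re.findall(r"^zone-pair security \S+ source (\S+) destination (\S+)", config, re.M))
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    def owner(addr):
        return next((n for n, i in ifaces.items() if i["ip"] and addr in i["ip"].network), None)
    if any(i["ip"] and i["ip"].ip == dst for i in ifaces.values()):
        return "to-self: addressed to the router, not transit"
    s, d = owner(src), owner(dst)
    if s is None or d is None:
        return "unknown: an address is not on a connected subnet"
    if s == d:
        return "same subnet: never routed"
    sz, dz = ifaces[s]["zone"], ifaces[d]["zone"]
    if sz == dz:
        return "forwarded: no zones" if sz is None else "forwarded: same zone"
    if sz is None or dz is None:
        return f"dropped: only one side is a zone member ({s} -> {d})"
    return "policy: zone-pair applies" if (sz, dz) in pairs else "dropped: no zone-pair"
```

With the sample, a workstation on 192.168.1.0/24 reaching 192.168.101.2 is reported as dropped, while the same path with the `zone-member` lines removed is reported as forwarded.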

WarBuxX9

join:2012-03-30
Livonia, MI
It is a layer 3 switch and will be doing some of the routing itself. VLANS 5 and 100 will be on a separate switch that is not a layer 3 switch. I will add these to the config; I just wanted to get VLAN 1 working first.

I know something is not configured properly; that's why I am posting. The workstations on 192.168.1.0 cannot see the switch at 192.168.101.2.

I removed the zone associations. I don't know what you mean, it never happens.

Unfortunately the overly complicated configuration is out of my hands. You're right, there has been a lot of good advice on the threads. I don't feel I have ignored it. I reloaded the router instead of using their old config and I have a basic setup implemented without the firewall so I can set up the rest of the network.

The config files changed drastically because I took the advice of a previous poster and scrapped the config with a lot of unneeded services configured for an earlier one with just 1 vlan configured.

Blunt is fine by me. I just want to get this up and running so I can forget about it. I have completed all the steps in your checklist but I am still experiencing the same problem as before.


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to WarBuxX9
If VLAN1 is not working it means that the switch is not configured properly, or the IP/subnets are incorrect, or the VLAN isn't being trunked across (which shouldn't be the case, as most switches treat VLAN1 as native).
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams