I have a PC6248 running with 4 vlans. Routing is enabled globally on the switch and on the vlan interfaces. All ports are access ports.
vlan 2 ip 188.8.131.52.2 /24vlan 3 ip 184.108.40.206.1 /24vlan 4 ip 220.127.116.11.1 /24vlan 5 ip 172.16.22.2 /24
I'm not using vlan 1. All vlans talk to each other. Vlan 2 is connected to the firewall (192.168.2.1) and vlan 3 and 4 routes to the firewall with the default route. Vlan 2,3 and 4 have internet connection. Vlan 5 is connected to a router (172.16.22.1 /24) that connects to a foreign network (172.16.33.0 /24).
computers belonging to vlan 5 have no problem accessing the foreign network since I added a static route to that network on the PC6248
ip route 172.16.33.0 255.255.255.0 172.16.22.1
The question is how do I get the other computers on the other three vlans to access the 172.16.33.0 network. I thought, since the clients on vlans 2,3,4 all have the PC6248 as their gateway and the PC6248 knows the way to the 172.16.33.0 network, they could access it but that is not the case. The PC6248 seems to only route for the clients residing in vlan 5. Why?
On the router with the 172 network, does it have the VLANs in it's database? Next we should try the Trunk mode. The physical port connected to the router should eb changed to Trunk mode and allow the VLAN across it.
• console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2,3,4,5
Daniel Covey Dell EMC | Enterprise Support ServicesGet support on Twitter: @DellCaresPRO
Download our QRL app: iOS, Android, Windows
I found the problem. It was not lying on the switch. The PC6248 was indeed fowarding the destination address of 172.16.33.0 to it's default gateway which was the router, and the router was in turn forwarding the request to the right destination. The problem was that ping requests went all the way to the destination but they couldn't find their way back giving ping timeouts or host unreacheables.
So as soon I told me ISP to add static routes to the router, all other vlans started to talk with the 33.0 network
ip route 192.168.2.0 255.255.255.0 172.16.22.2
ip route 192.168.3.0 255.255.255.0 172.16.22.2
ip route 192.168.4.0 255.255.255.0 172.16.22.2
Thank you for your help!
VLAN 5 is able to access the other network because of the static route you gave it. With VLAN routing enabled the VLANs can communicate with each other on the 6248, but that does not mean that it will carry over the static route from VLAN 5 to the other VLANs.
In order to get all VLANs on the 6248 to traverse over the connection to the other devices, you will need to either continue adding static routes for each VLAN. Or change the switchport mode for the connection to the other networking devices to a Trunk mode, and allow those VLANs across the Trunk.
So you would want to navigate to the interface for the port that uplinks to the other router. Then set that interface to a Trunk mode and allow the VLANs across that Trunk.
console(config-if)# switchport mode trunk
On the other router you will need to ensure it has these VLANs in it's VLAN database.
Here are some whitepages that do a good job of describing this some more and show some examples on how it could be setup.
Keep us updated,
Thanks for the reply. My idea was to let the PC6248 handle the vlans because it routes between vlans faster than the firewall would (ASA 5520).
How do I add static routes to the 172.16.33.0 network on each vlan?
Page 725 starts the explanation of static route, what the command is and how to use it.
For the static routes to be visible, you must:
• Enable ip routing globally.
• Enable ip routing for the interface.
• Confirm that the associated link is also up.
The following example identifies the ip-address subnet-mask, next-hop-ip
and a preference value of 200.
console(config)#ip route 192.168.10.10 255.255.255.0 192.168.20.1 metric 200
I know how to enter a static route. I just didn't understand your statement and was hoping you could clarify it.
"In order to get all VLANs on the 6248 to traverse over the connection to the other devices, you will need to either continue adding static routes for each VLAN."
Does this mean I can enter specific routes to specific vlan interfaces? If so how do I do that?
Each VLAN has an IP address, so when you add a static route you are defining the next hop for a specific IP address. Which in this case you are wanting to be the other router.
• console(config)#ip route (Enter IP address of VLAN) (Subnet ) (The next hop you want the traffic to take)
So with the static route in place if the switch cannot resolve the request coming from a VLAN it looks at that static route that is in place and forwards it.
Either you are not understanding my question or I am not understanding you..
The problem is that the switch only forward the traffic for the clients that resides on the vlan that is physically connected to the next hop router. In my case that is vlan 5
E.g. a client PC from vlan 4 trying to reach a host on 172.16.33.0 with ping command gets "destination host unreacheable" as an answer from the PC6248
So my conclusion is that the switch do NOT look in it's routing table when traffic coming from vlans other than vlan 5 which is physically connected to the router. It just drops the packets.
Or am I wrong here?
I apologize for any misunderstanding or miscommunication. VLAN 5 is able to communicate because of the direct connection you have made with the static route. That static route is just for VLAN 5, and is not going to carry any other VLAN traffic across it.
So right now any client connected to VLAN 2,3,4, sends out a request for the 172 network, and since there is no Trunk or Static route set for those VLANs, you will not be able to access that network, because the VLAN does not know where to send the request.
Clients on VLAN 5 send out a request for the 172 network, and if VLAN 5 cannot find it, the VLAN then looks at it's default route and sends the unknown traffic to that pre set route, which gets you the connection you need.
To allow VLAN 2,3,4 to communicate to the 172 network you would generally setup a Trunk link between the switch and the other VLAN aware device. You set the Trunk on the physical port connecting the two devices. So if port 5 on the 6248 is physically connected to the other network devices, you would set that port to Trunk modes, and allow VLAN 2,3,4,5 across the trunk. Set the other network device to Trunk mode as well.
With the Trunk set, when any of those VLANs request access to a location the 6248 is not able to resolve, it will forward those packets across the Trunk to the other device. Then that device knows where that request should go, because it has those network destinations on it.
If you do not want to do the Trunk, then you need to enter the Static routes for each of the VLANs. Once set each VLAN will know where to forward unresolved requests.
Thanks for your clear answer.
Could you enlight me on how to enter static routes for each of the VLANs?
The following examples should work.
ip route 192.168.2.2 255.255.255.0 172.16.22.1
ip route 192.168.3.1 255.255.255.0 172.16.22.1
ip route 192.168.4.1 255.255.255.0 172.16.22.1
If they do not, then you may change it up and do something more like this.
ip route 192.168.2.0 255.255.255.0 172.16.22.1
ip route 192.168.3.0 255.255.255.0 172.16.22.1
ip route 192.168.4.0 255.255.255.0 172.16.22.1
Keep us updated.
I added the static routes and it didn't make any difference. Funny thing is that when entering show ip route command doesn't show those static routes. When issuing show running-config though it shows the static routes but nether less it doesn't make any difference.
#sh ip route
S 0.0.0.0/0 [1/0] via 192.168.2.1, vlan 2
S 172.16.33.0/24 [1/0] via 172.16.22.1, vlan 5
C 172.16.22.0/24 [0/1] directly connected, vlan 5
C 192.168.3.0/24 [0/1] directly connected, vlan 3
C 192.168.4.0/24 [0/1] directly connected, vlan 4
C 192.168.2.0/24 [0/1] directly connected, vlan 2
ip route 0.0.0.0 0.0.0.0 192.168.2.1
Just to clarify for others, I marked DELL-Daniel Co's post as an answer because his question "On the router with the 172 network, does it have the VLANs in it's database?" woke me up realizing the router also needed a route back to the vlans even though he was referring to vlan databases.
Great work sticking with this and finding the issue. I am glad to hear you got it working.