Let me start by saying this seems like I am missing something obvious. I am trying to add VLAN segmentation to a network that is already up and running, so I keep taking baby steps, and I am trying to get an end-to-end test before rolling out in a larger way.
We are in a collapsed core configuration with an N4032F acting as the core and, for the sake of this test, a 5548 and a 3524 connected to it.
On the 3524 I have a client connected to 1/e7 and set to VLAN 12. Another client is on the 5548 on gi1/0/6 and set to VLAN 11. Both are simple 24-bit subnets (192.168.70.0 and 192.168.50.0 respectively).
The clients can ping their gateway (192.168.xx.1) and even ping the opposite gateway (192.168.50.10 can ping 192.168.70.1 and vice versa).
However, the clients cannot ping each other. Something is not configured properly to route the packets to the opposite vlan and I am stumped! I am new to VLAN configurations, but thought I was pretty much there because I could ping all related gateways for routing.
Any assistance would be greatly appreciated.
So your 5548 and 3524 are layer 2 devices and can't do inter-VLAN routing, so the routing must occur on your layer 3 device, the N4032F.
Make sure you have ip routing enabled on the N4032F. "ip routing" from the config prompt.
Your vlan interfaces should have ip addresses associated with them.
interface vlan 11
ip address 192.168.70.1 255.255.255.0
interface vlan 12
ip address 192.168.50.1 255.255.255.0
The ports must be in the proper vlan mode in order to send all appropriate vlans.
The ports that connect from the N4032F to the 5548 and 3524 should be trunk ports.
(Your interface will be different)
switchport mode trunk
switchport trunk native vlan 11
switchport trunk allowed vlan 11-12
The ports with your devices should be either access mode for a single vlan or in general mode if that port is carrying multiple vlans.
interface ethernet gi1/0/6
switchport mode access
switchport access vlan 11
It would help to see your configs. I'm just throwing out the basics at this point.
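An added example, not part of the original replies: a small Python checker that parses switch configs written with the commands shown in the answer above and reports why a VLAN would not route across a core-to-edge uplink. The configs are constructed samples, and the port names te1/0/1 and 1/g1 are hypothetical.

```python
import re

# Constructed sample configs in the thread's command style; port names are hypothetical.
CORE = """ip routing
interface vlan 11
ip address 192.168.70.1 255.255.255.0
interface vlan 12
ip address 192.168.50.1 255.255.255.0
interface te1/0/1
switchport mode trunk
switchport trunk allowed vlan 11-12"""
EDGE = "interface ethernet 1/g1\nswitchport mode trunk\nswitchport trunk allowed vlan 1,12"

def expand_vlans(spec):
    """Expand a VLAN list such as '1,11-12' into {1, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Collect ip routing, VLAN interface addresses and switchport settings."""
    cfg, svi, port = {"routing": False, "svis": {}, "ports": {}}, None, None
    for line in map(str.strip, text.splitlines()):
        if line == "ip routing":
            cfg["routing"] = True
        elif m := re.fullmatch(r"interface vlan (\d+)", line):
            svi, port = int(m[1]), None
        elif m := re.fullmatch(r"interface (?:ethernet )?(\S+)", line):
            svi, port = None, cfg["ports"].setdefault(m[1], {"mode": None, "vlans": set()})
        elif svi is not None and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            cfg["svis"][svi] = m[1]
        elif port is not None and (m := re.fullmatch(r"switchport mode (\w+)", line)):
            port["mode"] = m[1]
        elif port is not None and (m := re.fullmatch(r"switchport (?:access|trunk allowed) vlan (\S+)", line)):
            port["vlans"] = expand_vlans(m[1])
    return cfg

def check_path(core, core_port, edge, edge_port, vlans):
    """Return the reasons the given VLANs cannot be routed across this uplink."""
    problems = [] if core["routing"] else ["core: ip routing is not enabled"]
    for name, cfg, port in (("core", core, core_port), ("edge", edge, edge_port)):
        p = cfg["ports"].get(port, {"mode": None, "vlans": set()})
        if p["mode"] != "trunk":
            problems.append(f"{name} {port}: not in trunk mode")
        problems += [f"{name} {port}: VLAN {v} not allowed" for v in sorted(set(vlans) - p["vlans"])]
    problems += [f"core: no interface vlan {v} with an ip address" for v in sorted(set(vlans) - set(core["svis"]))]
    return problems
```

Calling `check_path(parse_config(CORE), "te1/0/1", parse_config(EDGE), "1/g1", [11, 12])` on the sample flags the edge uplink, which allows VLAN 12 but not VLAN 11.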
UPDATE: Since the problem is fixed, I removed my configs.
Thank you for your response. You will notice in the configs below that there are several VLANs that are created, but before we segment in a larger way, I am trying to get communication working end-to-end between VLAN 11 and 12. We are using the 4032 as our core since all switches are connected to it, and we have a combination of switches, most of which do not support layer 3. (And the 4032F is also the fastest of the bunch.)
As you can see, ip routing is turned on and IPs are assigned to the VLANs. I cannot change the native VLAN from 1 yet, since that brings everything down (I did that one today). However, all the VLANs in question are allowed.
Thanks again for your help.
To add more detail, I tried moving both clients to the same switch. After some issues with firewalls (rookie mistake!) I can have them ping each other on the same VLAN and on different VLANs. This was all done on the 5548 switch. I am attempting to move one of the clients back to the 3524, since I know the 5548 appears to be configured correctly.
Am I correct to assume that having them on different VLANs means the routing information was polled from the 4032F to know next hop, or does that stay local on the 5548?
UPDATE: Once I move back to the 3524, I cannot get traffic to pass. I'm going through my configs again to make sure, but seem to be stuck.
This seems to be related to an issue with the 3524 switch. If I keep both clients on the same VLAN (and proper subnet) on the 3524 then it is fine. However, if I try to separate them then neither VLAN can ping the gateways or each other. So basically the functionality I was able to do above with the 5548, I cannot duplicate on the 3524.
UPDATE!: It is working! My configs are all good now. So I can ping each client on different switches. It seems that the 3524 may have some limitations on the number of vlans it can send through a trunk. When I just have VLAN1 (for general traffic) and VLAN12 routing works properly.
However, when I try to put VLAN1, VLAN11 AND VLAN12 on the 3324, I am no longer able to send anything through the trunk. (Even though both 11 and 12 are tagged as allowed on the trunk)