4 Replies Latest reply: Mar 21, 2019 7:49 AM by Trevor

    Understanding ARP, VLANs, sub-interfaces, router-on-a-stick setup

    Trevor

      Hello Learning Community,

       

      I think I'm missing the boat on something here. I'm studying for my ICND1 and trying to setup a lab on VLANs before I move onto routing protocols.

       

      The problem as I see it is that I can't ping a VLAN IP address assigned to a VLAN on a switch, but I can ping the VLAN gateway on the router. To elaborate...

       

      I've got a home laptop connected to fa0/1 on my 2950-24 Catalyst. It's configured with address 172.16.10.33/24 and I have a route added in Windows for all traffic on that net to point to 172.16.10.1/24, the VLAN gateway IP assigned to a subinterface on the router.

       

      On the 2950-24 Catalyst, I have fa0/1 set to access VLAN 10, VLAN10 is defined, and I've assigned an IP address to the VLAN interface (which is not shutdown) so that hosts on the VLAN can access the switch. VLAN 10 on the switch is for the 172.16.10.0/24 network so the interface IP of VLAN 10 is set to 172.16.10.2.

       

      On the 2950-24 Catalyst, I also have fa0/24 connected to my router on port fa0/1, configured as a trunk, and VLAN 10 has been added to the trunk as an allowed VLAN with the native VLAN set to 1 (the default). VLAN 1 is configured with an interface IP address of 172.16.0.10/30.

       

      On the 2801 Router, I have port fa0/1 connected to port fa0/24 on the switch, it is configured with 1 IP address for the native VLAN of 172.16.0.9/30, as well as a sub-interface for VLAN 10 on the switch the port connects to. fa0/1.10 is assigned 172.16.10.1/24.

       

      From my laptop, I can ping the 172.16.10.1 gateway on the router and my laptop shows up in the router ARP table. However, I cannot ping the 172.16.10.2 address on the switch, nor does my laptop show up in the ARP table on the switch.

       

      How can this be? Shouldn't the laptop's ARP entry at least show up in the switch ARP table? I'm not sure if I'm confusing something about Layer 3 switching (given that I've configured an IP address on the VLAN interface on the switch)...? The ping is OBVIOUSLY traversing the switch, as there is an ARP entry for my laptop on the router...

       

      Attached is a diagram to help illustrate the setup... Thanks in advance for any help offered. See abbreviated switch and router configs below:

       

      [Attached diagram: CLN-question-01.png]

       

      Switch-01#show run

      Building configuration...

       

      Current configuration : 2847 bytes

      !

      version 12.1

      no service pad

      service timestamps debug uptime

      service timestamps log uptime

      service password-encryption

      !

      hostname Switch-01

      !

      enable secret

      !

      username

      ip subnet-zero

      !

      ip ssh time-out 120

      ip ssh authentication-retries 3

      !

      spanning-tree mode pvst

      no spanning-tree optimize bpdu transmission

      spanning-tree extend system-id

       

      !!!!!

       

      interface FastEthernet0/1

      switchport access vlan 10

      switchport mode access

       

      !!!!!

       

      interface FastEthernet0/24

      switchport mode trunk

       

      !!!!!

       

      interface Vlan1

      ip address 172.16.0.10 255.255.255.252

      no ip route-cache

      shutdown

      !

      interface Vlan10

      ip address 172.16.10.2 255.255.255.0

      no ip route-cache

      shutdown

       

      !!!!!

       

      end

       

       

      Router-01#show run

      Building configuration...

       

      Current configuration : 1568 bytes

      !

      ! Last configuration change at 17:14:55 UTC Fri Mar 15 2019

      version 15.1

      service timestamps debug datetime msec

      service timestamps log datetime msec

      service password-encryption

      !

      hostname Router-01

      !

      boot-start-marker

      boot-end-marker

      !

      !

      enable secret

      !

      no aaa new-model

      !

      dot11 syslog

      ip source-route

       

      !!!!!

       

      ip cef

      no ipv6 cef

      !

      multilink bundle-name authenticated

       

      !!!!!

       

      voice-card 0

      !

      crypto pki token default removal timeout 0

      !

      license

      username

      !

      redundancy

       

      !!!!!

       

      interface FastEthernet0/0

      no ip address

      shutdown

      duplex auto

      speed auto

      !

      interface FastEthernet0/1

      ip address 172.16.0.9 255.255.255.252

      duplex auto

      speed auto

      ipv6 address autoconfig

      !

      interface FastEthernet0/1.10

      encapsulation dot1Q 10

      ip address 172.16.10.1 255.255.255.0

      !

      interface FastEthernet0/1.11

      encapsulation dot1Q 11

      ip address 172.16.11.1 255.255.255.0

      !

      interface FastEthernet0/1.12

      encapsulation dot1Q 12

      ip address 172.16.12.1 255.255.255.0

      !

      interface Serial0/1/0

      ip address 172.16.0.1 255.255.255.252

      encapsulation ppp

      !

      interface Serial0/3/0

      ip address 172.1.0.5 255.255.255.252

      encapsulation ppp

      !

      ip forward-protocol nd

      no ip http server

      no ip http secure-server

       

      !!!!!

       

      control-plane

       

      !!!!!

       

      mgcp profile default

       

      !!!!!

       

      line con 0

      password

      login

      line aux 0

      transport output none

      line vty 0 4

      login local

      transport input ssh

      !

      scheduler allocate 20000 1000

      end

        • 1. Re: Understanding ARP, VLANs, sub-interfaces, router-on-a-stick setup
          Ing_Percy

          Hi!

           

          If your switch is pure Layer 2, then you can only have one VLAN interface in the up/up state.

          Trevor wrote:

          Switch-01#show run

          interface Vlan1

          ip address 172.16.0.10 255.255.255.252

          no ip route-cache

          shutdown

          !

          interface Vlan10

          ip address 172.16.10.2 255.255.255.0

          no ip route-cache

          shutdown

           

          The detail is that both interfaces are in "shutdown"; you must enable one VLAN interface.

           

          Best regards!

          • 2. Re: Understanding ARP, VLANs, sub-interfaces, router-on-a-stick setup
            Trevor

            Ing_Percy,

             

            Thank you for your reply. Omitted from my original message was the configuration for the other VLAN interfaces on the switch, the last one I configured being VLAN 12, which is NOT in a shutdown state. Maybe I should just post the whole configs in the future instead of trying to save space...


            I can see now that the switch IOS automatically shuts down other interfaces when another is assigned an IP and issued a no shut. After issuing the no shut on Vlan1 interface, I see the console LINE and LINEPROTO messages change the state of VLANs 1 and 12 to up and down, respectively.


            One more question as a follow-up:


            In this instance, I'm trying to consider how a network administrator can remotely investigate switch/router configuration when he/she is at a workstation with an end user. Maybe when there is port security enabled and a fault needs to be cleared... It looks as though I will need to connect to the switch over the native VLAN (#1) from the router. To do this, I'd have to use telnet/SSH to access the router at the gateway for the VLAN from the workstation (my laptop), and then telnet/SSH to the switch?


            Thanks again,

            • 3. Re: Understanding ARP, VLANs, sub-interfaces, router-on-a-stick setup
              Ing_Percy

              Hi!

               

              One VLAN interface will be in the up/up state with these requirements:

              - You must have created the VLAN (vlan vlan-number command)

              - You must configure the VLAN interface and apply "no shutdown"

              - You must have at least one switchport (access/trunk) enabled for this VLAN (up/up state)

               

              About your question: if you want to access it remotely, then you must configure the "ip default-gateway" command on the Layer 2 switch to access it by SSH/telnet (the IP address of the default gateway must be the router's address in the same subnet).

               

              Regards!
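              The three requirements above and the "ip default-gateway" point, pulled together into one configuration for Trevor's topology. This is an added example written for this thread, not a config posted by either participant: the VLAN name, the ACL number and the domain name are assumed placeholders; the addresses and port numbers are the ones from the original post. On a Layer 2 2950 only one SVI stays up, so the management address is placed on VLAN 10 (the VLAN the laptop sits in) and VLAN 1 carries no IP at all, which also keeps management traffic off the untagged native VLAN of the trunk.

```cisco
! Added example (not from the thread): management-only config for a
! Layer 2 Catalyst 2950 behind a router-on-a-stick.
! Assumed placeholders: VLAN name USERS, access-list 10, domain lab.local.
hostname Switch-01
!
! Requirement 1: the VLAN must exist before its SVI can come up.
vlan 10
 name USERS
!
! Requirement 3: at least one port in VLAN 10 must be up/up.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! Trunk to Router-01 fa0/1; native VLAN 1 stays untagged (the default).
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 1,10-12
!
! Only one SVI can be active on this platform: leave Vlan1 down and unaddressed.
interface Vlan1
 no ip address
 shutdown
!
! Requirement 2: the management SVI, explicitly enabled.
interface Vlan10
 ip address 172.16.10.2 255.255.255.0
 no shutdown
!
! A Layer 2 switch has no routing table. Without this line the switch can
! answer 172.16.10.0/24 hosts but will silently drop replies to any other
! subnet, e.g. an administrator coming in through Router-01.
ip default-gateway 172.16.10.1
!
! In-band management: SSH only, local login, and only from the user subnet.
! (RSA key generation is an exec-mode step on this IOS:
!  "crypto key generate rsa" after setting hostname and ip domain-name.)
ip domain-name lab.local
access-list 10 permit 172.16.10.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
end
```

              To check the result from the switch console: "show vlan brief" should list VLAN 10 with Fa0/1 as a member, "show ip interface brief" should show Vlan10 up/up and Vlan1 administratively down, "show interfaces trunk" should list fa0/24 with VLAN 10 allowed and active, and after a ping from the laptop "show ip arp" should now hold the laptop's entry, since the switch itself is the endpoint of that exchange rather than a transparent hop in the path to the router.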

              • 4. Re: Understanding ARP, VLANs, sub-interfaces, router-on-a-stick setup
                Trevor

                Ing_Percy,

                 

                I now understand what you meant by "If your switch is pure Layer 2"; the Catalyst 2950s I am using in my home LAN are not L3 capable. Because of the feature limitation of the hardware, I can't route between VLANs on these switches. I can only assign a management IP for the switch.

                 

                Now I just need to come up with a topology using this hardware (3x 2950-24 Catalyst switches and 3x 2801 routers) to play around with multiple VLANs and spanning tree.

                 

                Thanks again Percy,