Maddening DHCP superscope issue

BigD1108

Running into a brick wall troubleshooting this issue, was hoping some of you who are far more knowledgeable than I would have some helpful ideas. Here goes:

We have a client who originally had a Class C subnet (10.1.1.0/24) for their network and outgrew it. To solve the issue of the dwindling IP addresses, we created a DHCP superscope for them to include another subnet (10.1.2.0/24).

The Server 2003 DHCP server itself has two NICs, one with IP address 10.1.1.4 and the other with IP address 10.1.2.1, both connected to their LAN.

Their network environment is all Cisco (3x 3560G 48-port PoE switches, a 24-port 2960 PoE switch, and an ASA 5510). As far as I can tell, there isn't anything in the switch configs that would cause the issue we're having.

The problem we're having is that whenever a client is assigned an address from the second scope (10.1.2.0 network) it has no network or Internet access. DHCP Scope Options are as follows:

Primary:

003 Router: 10.1.1.252
006 DNS Servers: 10.1.1.4
015 DNS Domain Name: domain.local
044 WINS/NBNS: 10.1.1.4

Primary2

003 Router: 10.1.2.252
006 DNS Servers: 10.1.1.4
015 DNS Domain Name: domain.local
044 WINS/NBNS: 10.1.1.4


10.1.1.252 and 10.1.2.252 are two interfaces on the same switch, one of their 3650Gs. I can post switch configs if requested.

I'll be monitoring this thread closely to answer any questions you may have. Thank you all in advance for your help.
 
The problem we're having is that whenever a client is assigned an address from the second scope (10.1.2.0 network) it has no network or Internet access.

So you can verify that the computer in the 10.1.2.X subnet does indeed receive a DHCP address?
 
How are you routing for your DNS?

Your DNS servers are on the first subnet (10.1.1.4).
So how is the 10.1.2.x subnet getting to 10.1.1.4?

Are you doing static routes?

EDIT: Also, why don't you just switch to a /23? Then you don't need to have 2 different DHCP scopes.
 
How are you routing for your DNS?

Your DNS servers are on the first subnet (10.1.1.4).
So how is the 10.1.2.x subnet getting to 10.1.1.4?

Are you doing static routes?

EDIT: Also, why don't you just switch to a /23? Then you don't need to have 2 different DHCP scopes.

A bulletproof solution if there ever was one. I always recommend /23s bare minimum.

DNS is a good first start, but I'm going to go ahead and assume that you don't have any kind of layer 3 access.

Off the top of my head, your subnets are not being routed. Since the DHCP server is actually on the 10.1.2.x network that's why it's able to dish out IP addresses, but they can't leave the network.

Check your primary router and default gateway. Ensure that it has interfaces/vlans on that new network and has routes to and from said networks.
 
This seems to be a routing issue, not a DHCP issue; you got the address you wanted via DHCP. Now you just need to get routing set up properly to send the traffic where it needs to go from another subnet.
 
The 3560 is an L3 switch, so that must be doing the inter-VLAN routing (he says they are the default gateways for the subnets and also on the switch).

Can you post up your switch config?
 
Switch #1:

Code:
Current configuration : 10051 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname 3560G-48-PoE-Switch1
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-2,20 priority 24576
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description ASA Interface
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description ShoreTel System
 switchport access vlan 20
 switchport trunk allowed vlan 1,2,20
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description ShoreTel System
 switchport access vlan 20
 switchport trunk allowed vlan 1,2,20
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description ShoreTel System
 switchport access vlan 20
 switchport trunk allowed vlan 1,2,20
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/6
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/7
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/10
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/11
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/12
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/13
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/14
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/15
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/16
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/17
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/18
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/19
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/20
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/21
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/22
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/23
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/25
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/26
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/27
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/28
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/29
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/30
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/31
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/32
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/33
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/34
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/35
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/36
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/37
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/38
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/39
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/40
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/41
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/42
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/43
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/44
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/45
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/46
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/47
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/48
 description DHCP Server
 spanning-tree portfast
!
interface GigabitEthernet0/49
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/50
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/51
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/52
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.1.252 255.255.255.0
 ip helper-address 10.1.1.4
!
interface Vlan2
 ip dhcp relay information trusted
 ip address 10.1.2.252 255.255.255.0
 ip helper-address 10.1.1.4
!
interface Vlan20
 ip address 10.1.20.252 255.255.255.0
 ip helper-address 10.1.1.4
!
ip default-gateway 10.1.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip http server
!
!
control-plane

Switch #2:

Code:
Current configuration : 10169 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3560G-48-PoE-Switch2
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,20 priority 24576
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/6
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/7
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/10
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/11
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/12
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/13
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/14
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/15
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/16
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/17
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/18
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/19
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/20
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/21
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/22
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/23
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/25
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/26
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/27
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/28
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/29
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/30
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/31
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/32
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/33
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/34
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/35
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/36
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/37
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/38
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/39
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/40
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/41
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/42
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/43
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/44
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/45
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/46
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/47
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/48
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/49
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/50
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/51
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/52
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.1.253 255.255.255.0
 ip helper-address 10.1.1.4
!
interface Vlan2
 ip address 10.1.2.253 255.255.255.0
 ip helper-address 10.1.1.4
!
interface Vlan20
 ip address 10.1.20.253 255.255.255.0
 ip helper-address 10.1.1.4
!
ip default-gateway 10.1.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip http server
!
!
control-plane
!
!
end

Switch #3:

Code:
Current configuration : 10205 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname 3560G-48-PoE-Switch3
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-2,20 priority 24576
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/6
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/7
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/10
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/11
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/12
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/13
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/14
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/15
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/16
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/17
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/18
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/19
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/20
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/21
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/22
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/23
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/25
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/26
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/27
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/28
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/29
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/30
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/31
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/32
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/33
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/34
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/35
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/36
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/37
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/38
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/39
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/40
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/41
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/42
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/43
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/44
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/45
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/46
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/47
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/48
 description Data+Voice
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/49
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/50
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/51
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/52
 description Fiber
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,20
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.1.251 255.255.255.0
 ip helper-address 10.1.1.4
!
interface Vlan2
 ip address 10.1.2.251 255.255.255.0
 ip helper-address 10.1.1.4
!
interface Vlan20
 ip address 10.1.20.251 255.255.255.0
 ip helper-address 10.1.1.4
!
ip default-gateway 10.1.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip http server
!
!
control-plane
!
!
 
What is 10.1.1.254?
Is that a router? Where is the config for it?

All your switches are using x.254 as their default gateway and your static routes are pointing to it, but none of your switches' VLANs are x.254.
 
10.1.1.254 is an ASA 5510. Config is below:

Code:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name domain.local
enable password mnRKMNfMQkAim3S6 encrypted
passwd mnRKMNfMQkAim3S6 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 24.106.22.2 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface Ethernet0/1.1
 vlan 1
 nameif vlan1
 security-level 100
 ip address 10.1.20.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif Shoretel
 security-level 100
 ip address dhcp
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 duplex full
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list outside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.1.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list inbound extended permit tcp any any eq smtp
access-list inbound extended permit ip 10.1.1.0 255.255.255.0 10.1.6.0 255.255.255.0
access-list inbound extended permit ip 10.1.6.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inbound extended permit tcp any any eq pptp
access-list inbound extended permit gre any any
access-list inbound extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list inbound extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp host 10.1.1.4 host x.x.x.x eq ldap
access-list inbound extended permit tcp host x.x.x.x host 10.1.1.4 eq ldap
access-list inbound extended permit tcp any any eq ldap
access-list inbound extended permit tcp host x.x.x.x host x.x.x.x eq ssh
access-list inbound extended permit icmp host x.x.x.x host x.x.x.x
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list vpn-acl extended permit ip 10.1.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn-acl extended permit ip 10.1.1.0 255.255.255.0 10.1.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu vlan1 1500
mtu Shoretel 1500
mtu management 1500
ip local pool clientpool 10.1.100.1-10.1.100.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Shoretel) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.4 www netmask 255.255.255.255
static (inside,outside) tcp interface ldap 10.1.1.4 ldap netmask 255.255.255.255
static (inside,outside) x.x.x.x 10.1.1.72 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route outside 10.1.3.0 255.255.255.0 x.x.x.x 1
route outside 10.1.6.0 255.255.255.0 x.x.x.x 1
route inside 10.1.20.0 255.255.255.0 10.1.1.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.1.1.4
 key cisco111
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set emt-trans esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set TUNNEL_ESP_3DES_SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set emt-trans TUNNEL_ESP_3DES_SHA
crypto map outside_map 3 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no vpn-addr-assign dhcp
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 1440
ssh timeout 60
console timeout 0
management-access management
dhcp-client client-id interface Shoretel
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy xxxvpn internal
group-policy xxxvpn attributes
 wins-server value 10.1.1.4
 dns-server value 10.1.1.4
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-acl
 default-domain value domain.local
 split-dns value domain.local
 nem enable
username administrator password W1NJq99u.TwCcYDY encrypted privilege 3
username admin password LzoOSRL/gr3SvhZu encrypted
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group xxxvpn type remote-access
tunnel-group xxxvpn general-attributes
 address-pool (inside) clientpool
 address-pool clientpool
 authentication-server-group vpn
 authentication-server-group (inside) vpn
 authorization-server-group (inside) vpn
 default-group-policy xxxvpn
tunnel-group xxxvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:08ed85db905ed9165e994a257bdbacec
: end

Thank you to all for your assistance.
 
I think this would go against the purpose of VLANs really.

For inter-VLAN routing you normally have 1 trunk between switches and let whatever is doing the routing sort out the traffic between VLANs (this also needs to be on a trunk).
 
Your ASA does not seem to be aware of VLAN2.

If it functions like a core router in any capacity, it should be aware of that VLAN.

I'm also seeing that the ASA does not have any information in any of its access lists about the new subnet.

Those 3560G's are capable of doing extended commands on pings. Use this to try to ping other devices on the network using an address in VLAN2.
 
So you're saying that it would be a good idea to create another subinterface on the ASA like there is for the 10.1.20.x (phone) network and then also define a static route for it via "route inside 10.1.2.0 255.255.255.0 10.1.2.252 255.255.255.0" or something of the like?
 
I would make sure your ASA knows of VLAN2 and I would convert all ports except for the ones that connect to switches into regular ports... the way you have them set up right now... makes VLANs essentially useless IMO
 
You can put a static route into the ASA for VLAN 2, but it isn't what is doing your inter-VLAN routing; your switches are doing that.

I am guessing you have a VoIP system and you daisy chain your PCs off your VoIP phones, hence all ports are members of all VLANs?
 
I am guessing you have a VoIP system and you daisy chain your PCs off your VoIP phones, hence all ports are members of all VLANs?

You are correct sir.
 
What is on each VLAN?

Normally for VLANs with voice I use....

interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20 (or whatever your voice VLAN is)

I would just switch to a /16
 
I would agree that the easiest way to solve this is to make your subnet bigger.

What I don't like about your setup is how the ASA's ACLs have no mention of the new VLAN. That could be causing problems, but you should still be able to ping addresses in VLAN 1 from VLAN 2.

I would begin by doing some traces on devices within VLAN 2 and see how far they make it. If you are hooked up to switch 3 and have IP address of 10.1.2.100 and you can ping 10.1.2.251 but not 10.1.1.251, then your switches aren't doing the routing like they should. Assuming we're still hooked up to switch 3, can we ping 10.1.2.253? How about 10.1.2.252?

If you have to keep your subnet at a /24, this is the process you'll need to use to narrow the problem down to switch config vs ASA config vs host config. I find myself wondering about the default gateway for the hosts. Perhaps these devices can't reach it for some reason?
 
Did he say that he couldn't ping across the vlans between computers? My guess is that works. He is receiving a DHCP address so traffic is flowing internally it would seem.

My guess is that the ASA doesn't know how to route traffic back from the Internet to the new subnet, therefore Internet does not work. You need to create a return route for that new subnet/VLAN in the ASA.
 
Alright gents, I've added the following lines to the ASA config:

Code:
route inside 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

interface Ethernet0/1.2
  nameif vlan2
  security-level 100
  ip address 10.1.2.254 255.255.255.0


However, the problem persists. When a workstation receives an IP address from the 10.1.2.x subnet (or is statically assigned one) I can't even ping the gateway address of the 10.1.2.x subnet (10.1.2.252) or any other network addresses.
 
What are the results from pings on the switches? Can you ping using a 10.1.2.x interface as the source on the switch?

Try doing a show ip route 10.1.2.0 on the switches and look for any strangeness.

Your STP configuration seems kind of strange also; you seem to be letting root bridge elections go wherever they may fall. Not that this would necessarily cause the issues you're seeing, but just an observation.

We may want to back this up to the host as well: how does the host's routing table look? Are we sure that 10.1.2.252 is the gateway of last resort on those hosts?
 
What are the results from pings on the switches?

I am able to ping addresses from the 10.1.1.0 subnet from the switches using a source address in the 10.1.2.0 subnet.

Try doing a show ip route 10.1.2.0 on the switches and look for any strangeness.

On Switch 2&3, the result of this command is as follows:

Code:
Default gateway is 10.1.1.254

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

However, on switch #1, entering the command yields this result:

Code:
Routing entry for 10.1.2.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan2
      Route metric is 0, traffic share count is 1


I did notice, though, whilst reviewing configs for discrepancies for the nth time that this command existed in the ASA configuration: "route inside 10.1.2.0 255.255.255.0 10.1.1.251 1". It occurred to me that if IP routing was disabled on switches 2 and 3, how would the switch at 10.1.1.251 know what to do with a packet forwarded to it from the 10.1.2.0 network if IP routing was disabled?

Does this line of thinking make sense?
 
Hmm...though when attempting to issue the "no route inside ..." command to remove the incorrect static route on the 5510, I get an error message that says "ERROR: Cannot remove connected route". A Google search of the text did not return anything particularly useful.

Murphy's Law is in full effect, it seems.
 
Well, it's probably telling you that that route is directly connected so it knows it's right.

Doesn't look like IP routing is turned off on any of your switches either.

All of your switches should have a route to 10.1.2.0 that is directly connected like switch 1; it is strange that they don't. show int vlan2 will tell you more information about what's going on there.

You kind of need to take this one step by step. I don't know your topology so I assume that every switch is trunked back to the ASA. In that case you should connect a host to a switch and see if you can ping that switch. If not, you've narrowed it down to the host and that switch config.

You said this: "When a workstation receives an IP address from the 10.1.2.x subnet (or is statically assigned one) I can't even ping the gateway address of the 10.1.2.x subnet (10.1.2.252) or any other network addresses." If you can't ping a switch that is supposed to be on the same VLAN as the device you're pinging, you're hosed. Try hooking up to switch 1, since it seems to know more about the 10.1.2.0 network.

I'd also like to mention that if you don't have an interface on a particular VLAN you need to specifically name the VLAN so that tagging occurs. Your config suggests that that isn't an issue but I figured I'd mention it anyway.
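
An added example, not code from any poster in this thread: a small Python check that reads ASA `interface` and `route` lines and flags the two kinds of static route discussed above, one whose destination is already a connected network on the firewall and one whose gateway or metric field is malformed. The sample config is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample built from interface/route lines quoted in the thread.
SAMPLE = """\
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.254 255.255.255.0
interface Ethernet0/1.2
 nameif vlan2
 ip address 10.1.2.254 255.255.255.0
route inside 10.1.2.0 255.255.255.0 10.1.1.251 1
route inside 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

def connected_networks(config):
    """Map each nameif to the IPv4Interface configured under it."""
    nets, name = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            name = None
        elif tok[:1] == ["nameif"] and len(tok) == 2:
            name = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4 and name:
            nets[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
    return nets

def audit_routes(config):
    """Return (route line, [problems]) for each static route that looks wrong."""
    nets, findings = connected_networks(config), []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["route"] or len(tok) < 6:
            continue
        ifname, dest, mask, gw, metric = tok[1:6]
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            gw_ip = ipaddress.ip_address(gw)
        except ValueError:
            continue  # redacted (x.x.x.x) or unparsable entry
        problems = []
        if not metric.isdigit():
            problems.append("metric is not an integer")
        egress = nets.get(ifname)
        if egress is None or gw_ip not in egress.network.hosts():
            problems.append(f"gateway is not a usable host address on the {ifname} subnet")
        problems += [f"destination is already connected via {n}"
                     for n, i in nets.items() if net.subnet_of(i.network)]
        if problems:
            findings.append((line.strip(), problems))
    return findings

if __name__ == "__main__":
    print(*audit_routes(SAMPLE), sep="\n")
```

Run against a full `show running-config`, it skips routes with redacted addresses and reports only the entries that need a second look.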
 