Routing between Vlans on Cisco 3550 : Help Needed.

 
 
Ori
      11-27-2003
Hi all.
I have just configured a Cisco 3550 switch (SMI) for routing between
two vlans (1 and 3), but nothing seems to work.
Subnets 10.0.0.0/16 (vlan 1) and 10.1.0.0/16 (vlan 3) are the two
subnets I'm interested in separating, but an internet router and
firewall physically connected through interface fa0/23 (attached to
vlan 3) cannot be reached by any of the workstations on vlan1, or by
the switch itself!!!
All ports are attached to vlan 1 except for fa0/23 which is attached
to vlan 3.

Does anyone have an idea or suggestion?
Thanks.

This is the config I use:

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C3550
!
enable secret 5 $1$quZs$bRlFgoRZc5pIuub3ZvNSS/
enable password XXXX
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
switchport access vlan 1
switchport mode access
no ip address

!

interface FastEthernet0/2
switchport access vlan 1
switchport mode access
no ip address

.........

interface FastEthernet0/23
description To_FireWall
switchport access vlan 3
switchport mode access
no ip address

!
interface FastEthernet0/24
switchport access vlan 1
switchport mode access
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface Vlan1
ip address 10.0.10.11 255.255.0.0
ip access-group 110 in
ip access-group 110 out
!
interface Vlan3
ip address 10.1.0.99 255.255.0.0
ip access-group 110 in
ip access-group 110 out
!
ip classless
ip http server
!
!
access-list 110 permit ip any any
snmp-server community public RO
!
line con 0
exec-timeout 0 0
line vty 0 4
password admin
login
line vty 5 15
password admin
login
!
end
 
PES
      11-27-2003
If the firewall is on the 10.1.x.x network, does the firewall have a static
route back to 10.0.x.x? Does the switch/router have a default gateway
pointing to the firewall?

"Ori" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hi all.
> I have just configured a Cisco 3550 switch (SMI) for routing between
> two vlans (1 and 3), but nothing seems to work.
> Subnets 10.0.0.0/16 (vlan 1) and 10.1.0.0/16 (vlan 3) are the two
> subnets I'm interested in separating, but an internet router and
> firewall physically connected through interface fa0/23 (attached to
> vlan 3) cannot be reached by any of the workstations on vlan1, or by
> the switch itself!!!
> All ports are attached to vlan 1 except for fa0/23 which is attached
> to vlan 3.
>
> Does anyone have an idea or suggestion?
> Thanks.
>
> This is the config I use:
>
> !
> version 12.1
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname C3550
> !
> enable secret 5 $1$quZs$bRlFgoRZc5pIuub3ZvNSS/
> enable password XXXX
> !
> ip subnet-zero
> ip routing
> !
> !
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> !
> interface FastEthernet0/1
> switchport access vlan 1
> switchport mode access
> no ip address
>
> !
>
> interface FastEthernet0/2
> switchport access vlan 1
> switchport mode access
> no ip address
>
> ........
>
> interface FastEthernet0/23
> description To_FireWall
> switchport access vlan 3
> switchport mode access
> no ip address
>
> !
> interface FastEthernet0/24
> switchport access vlan 1
> switchport mode access
> no ip address
> !
> interface GigabitEthernet0/1
> no ip address
> !
> interface GigabitEthernet0/2
> no ip address
> !
> interface Vlan1
> ip address 10.0.10.11 255.255.0.0
> ip access-group 110 in
> ip access-group 110 out
> !
> interface Vlan3
> ip address 10.1.0.99 255.255.0.0
> ip access-group 110 in
> ip access-group 110 out
> !
> ip classless
> ip http server
> !
> !
> access-list 110 permit ip any any
> snmp-server community public RO
> !
> line con 0
> exec-timeout 0 0
> line vty 0 4
> password admin
> login
> line vty 5 15
> password admin
> login
> !
> end



 
Ori
      11-30-2003
"PES" <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote in message news:<3fc620e7$(E-Mail Removed)>...
> If the firewall is on the 10.1.x.x network, does the firewall have a static
> route back to 10.0.x.x? Does the switch/router have a default gateway
> pointing to the firewall?
>

Hi there and thanks for your answer.
I'm pretty sure it's not a routing problem in the firewall, because
when I reset the 3550 to its default config, all workstations can ping
the firewall. My current config does not include a default gateway
statement as the firewall is directly connected to fa0/23. The
weirdest thing is I can't ping the firewall from the switch itself...
 
chris@nospam.com
      11-30-2003
On 29 Nov 2003 21:44:47 -0800, (E-Mail Removed) (Ori) wrote:

>"PES" <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote in message news:<3fc620e7$(E-Mail Removed)>...
>> If the firewall is on the 10.1.x.x network, does the firewall have a static
>> route back to 10.0.x.x? Does the switch/router have a default gateway
>> pointing to the firewall?
>>

>Hi there and thanks for your answer.
>I'm pretty sure it's not a routing problem in the firewall, because
>when I reset the 3550 to its default config, all workstations can ping
>the firewall. My current config does not include a default gateway
>statement as the firewall is directly connected to fa0/23. The
>weirdest thing is I can't ping the firewall from the switch itself...



I'm pretty sure it IS a routing problem. The fact that the firewall
is directly connected to a port is irrelevant as the switch just sees
it in vlan3/subnet 10.1.x.x.

You need to define the default route on the switch so that
internet-bound traffic from workstations on vlan 1 gets forwarded to
the gateway. Otherwise, the switch has no idea where to forward
traffic bound anywhere but 10.0.x.x and 10.1.x.x and will just return
a 'no-route' error.

The vice-versa also applies. The firewall/gateway will also need to
know where to send traffic destined for the 10.0.x.x subnet. You
might consider having the firewall route all traffic, including the
10.1.x.x subnet to the switch as well if you want to enforce any
accounting or access-lists.

The workstations on vlan 1 do have the switch address as their
gateway, right?

As for why pings don't work, access-list 110 is blocking everything
but IP. You need to allow ICMP for pings to work. I suggest removing
the access-list entirely until you get everything working properly.

-Chris


 
Ori
      12-01-2003
(E-Mail Removed) wrote in message news:<(E-Mail Removed)>. ..
> On 29 Nov 2003 21:44:47 -0800, (E-Mail Removed) (Ori) wrote:
>
> >"PES" <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote in message news:<3fc620e7$(E-Mail Removed)>...
> >> If the firewall is on the 10.1.x.x network, does the firewall have a static
> >> route back to 10.0.x.x? Does the switch/router have a default gateway
> >> pointing to the firewall?
> >>

> >Hi there and thanks for your answer.
> >I'm pretty sure it's not a routing problem in the firewall, because
> >when I reset the 3550 to its default config, all workstations can ping
> >the firewall. My current config does not include a default gateway
> >statement as the firewall is directly connected to fa0/23. The
> >weirdest thing is I can't ping the firewall from the switch itself...

>
>
> I'm pretty sure it IS a routing problem. The fact that the firewall
> is directly connected to a port is irrelevant as the switch just sees
> it in vlan3/subnet 10.1.x.x.
>
> You need to define the default route on the switch so that
> internet-bound traffic from workstations on vlan 1 gets forwarded to
> the gateway. Otherwise, the switch has no idea where to forward
> traffic bound anywhere but 10.0.x.x and 10.1.x.x and will just return
> a 'no-route' error.
>
> The vice-versa also applies. The firewall/gateway will also need to
> know where to send traffic destined for the 10.0.x.x subnet. You
> might consider having the firewall route all traffic, including the
> 10.1.x.x subnet to the switch as well if you want to enforce any
> accounting or access-lists.
>
> The workstations on vlan 1 do have the switch address as their
> gateway, right?
>
> As for why pings don't work, access-list 110 is blocking everything
> but IP. You need to allow ICMP for pings to work. I suggest removing
> the access-list entirely until you get everything working properly.
>
> -Chris


Hi Chris and thanks for your answer.
I have disabled the ACL but still can't ping the firewall
(10.0.0.250/16) from the 3550 (10.0.10.11/16). The switch has a
default gateway of 10.0.0.250, and ALL the ports are now attached to
VLan1. I simply can't understand why I can't ping the firewall from the
3550, especially when there is no problem in pinging the firewall from
any workstation connected to the 3550 that is in the 10.0.0.0/16
subnet and has 10.0.0.250 as its default gateway. I even tried to
change the 3550's ip address a few times (thought there might be some
icmp blocking rules on the firewall to a specific address range) but
no use.
Am I missing out something really big, or am I right when I think that
a Vlan (on the 3550) with an ip address and a default gateway should
ping and receive replies exactly like a workstation which is in the
same subnet and has the same default gateway ???

-Ori
 
Juraj Ljubesic
      12-01-2003
.....
>Am I missing out something really big, or am I right when I think that
>a Vlan (on the 3550) with an ip address and a default gateway should
>ping and receive replies exactly like a workstation which is in the
>same subnet and has the same default gateway ???
>
>-Ori


Maybe I am wrong, but you do NOT have a default gateway on the 3550.
Try with default static route.

i.e:
ip route 0.0.0.0 0.0.0.0 10.1.0.99

Jura

 
Ori
      12-01-2003
Juraj Ljubesic <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>. ..
> ....
> >Am I missing out something really big, or am I right when I think that
> >a Vlan (on the 3550) with an ip address and a default gateway should
> >ping and receive replies exactly like a workstation which is in the
> >same subnet and has the same default gateway ???
> >
> >-Ori

>
> Maybe I am wrong, but you do NOT have a default gateway on the 3550.
> Try with default static route.
>
> i.e:
> ip route 0.0.0.0 0.0.0.0 10.1.0.99
>
> Jura


Hi!
I do have a default gateway on the 3550. From the switch config:
ip default-gateway 10.0.0.250
Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
-Ori.
 
Juraj Ljubesic
      12-01-2003
On 1 Dec 2003 05:48:46 -0800, (E-Mail Removed) (Ori) wrote:

>Juraj Ljubesic <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>. ..
>> ....
>> >Am I missing out something really big, or am I right when I think that
>> >a Vlan (on the 3550) with an ip address and a default gateway should
>> >ping and receive replies exactly like a workstation which is in the
>> >same subnet and has the same default gateway ???
>> >
>> >-Ori

>>
>> Maybe I am wrong, but you do NOT have a default gateway on the 3550.
>> Try with default static route.
>>
>> i.e:
>> ip route 0.0.0.0 0.0.0.0 10.1.0.99
>>
>> Jura

>
>Hi!
>I do have a default gateway on the 3550. From the switch config:
>ip default-gateway 10.0.0.250
>Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
>-Ori.


OK, I'm not so familiar with 3550. It can be the same. But default
gateway is not visible in your sh run configuration.

And, most important. If your firewall is connected to VLAN 3 with IP
address 10.1.0.0/16, default gateway definitely can't be 10.0.0.250.
Try with 10.1.0.250.

Jura
 
Walter Roberson
      12-01-2003
In article <(E-Mail Removed) >,
Ori <(E-Mail Removed)> wrote:
:I do have a default gateway on the 3550. From the switch config:
:ip default-gateway 10.0.0.250
:Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??

No; the default-gateway should be used only if ip routing is turned
off.
--
Tenser, said the Tensor.
Tenser, said the Tensor.
Tension, apprehension,
And dissension have begun. -- Alfred Bester (tDM)
 
PES
      12-02-2003
Default gateway is not for routing packets in most cases. It is for when ip
routing is turned off. Basically for management traffic that needs to go to
a remote subnet.

"Ori" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Juraj Ljubesic <(E-Mail Removed)> wrote in message

news:<(E-Mail Removed)>. ..
> > ....
> > >Am I missing out something really big, or am I right when I think that
> > >a Vlan (on the 3550) with an ip address and a default gateway should
> > >ping and receive replies exactly like a workstation which is in the
> > >same subnet and has the same default gateway ???
> > >
> > >-Ori

> >
> > Maybe I am wrong, but you do NOT have a default gateway on the 3550.
> > Try with default static route.
> >
> > i.e:
> > ip route 0.0.0.0 0.0.0.0 10.1.0.99
> >
> > Jura

>
> Hi!
> I do have a default gateway on the 3550. From the switch config:
> ip default-gateway 10.0.0.250
> Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
> -Ori.
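
The point the last replies settle on (with "ip routing" enabled, "ip default-gateway" is not used and a default static route is needed) can be checked mechanically against a saved config. The Python script below is an added example, not part of the thread and not a Cisco tool; the function name audit_default_path, the finding codes and the constructed SAMPLE input are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the two SVIs from the posted config plus the
# "ip default-gateway" line Ori quotes later in the thread.
SAMPLE = """\
ip routing
interface Vlan1
 ip address 10.0.10.11 255.255.0.0
interface Vlan3
 ip address 10.1.0.99 255.255.0.0
ip default-gateway 10.0.0.250
"""

DEFAULT_ROUTE = re.compile(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)")

def audit_default_path(config):
    """Return (code, detail) findings about the switch's default path."""
    routing, svis, gateways, hops, current = False, {}, [], [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and current:
            svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "ip routing":
            routing = True
        elif m := re.match(r"ip default-gateway (\S+)", line):
            gateways.append(m.group(1))
        elif m := DEFAULT_ROUTE.match(line):
            hops.append(ipaddress.ip_address(m.group(1)))
    findings = []
    if routing and gateways:
        # As stated in the thread: default-gateway applies only with routing off.
        findings.append(("default-gateway-ignored", gateways[0]))
    if routing and not hops:
        findings.append(("no-default-route", "add ip route 0.0.0.0 0.0.0.0 <next-hop>"))
    for hop in hops:
        own = [name for name, i in svis.items() if i.ip == hop]
        via = [name for name, i in svis.items() if hop in i.network]
        if own:    # the route points back at the switch itself
            findings.append(("next-hop-is-self", f"{hop} is this switch's {own[0]} address"))
        elif not via:    # next hop is not reachable through any configured SVI
            findings.append(("next-hop-not-connected", str(hop)))
    return findings

if __name__ == "__main__":
    for code, detail in audit_default_path(SAMPLE):
        print(f"{code}: {detail}")
```

The check only confirms that the next hop falls inside a subnet configured on an SVI; whether the firewall really sits in that VLAN still has to be verified on the switch ports.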



 