Routing between Vlans on Cisco 3550 : Help Needed.

Discussion in 'Cisco' started by Ori, Nov 27, 2003.

  1. Ori

    Ori Guest

    Hi all.
    I have just configured a cisco 3550 switch (SMI) for routing between
    two vlans (1 and 3), but nothing seems to work.
    Subnets 10.0.0.0/16 (VLAN 1) and 10.1.0.0/16 (VLAN 3) are the two
    subnets I'm interested in separating, but an internet router and
    firewall physically connected through interface fa0/23(attached to
    vlan 3) cannot be reached by any of the workstations on vlan1, or by
    the switch itself!!!
    All ports are attached to vlan 1 except for fa0/23 which is attached
    to vlan 3.

    Does anyone have an idea or suggestion?
    Thanks.

    This is the config I use:

    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname C3550
    !
    enable secret 5 $1$quZs$bRlFgoRZc5pIuub3ZvNSS/
    enable password XXXX
    !
    ip subnet-zero
    ip routing
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    interface FastEthernet0/1
    switchport access vlan 1
    switchport mode access
    no ip address

    !

    interface FastEthernet0/2
    switchport access vlan 1
    switchport mode access
    no ip address

    .........

    interface FastEthernet0/23
    description To_FireWall
    switchport access vlan 3
    switchport mode access
    no ip address

    !
    interface FastEthernet0/24
    switchport access vlan 1
    switchport mode access
    no ip address
    !
    interface GigabitEthernet0/1
    no ip address
    !
    interface GigabitEthernet0/2
    no ip address
    !
    interface Vlan1
    ip address 10.0.10.11 255.255.0.0
    ip access-group 110 in
    ip access-group 110 out
    !
    interface Vlan3
    ip address 10.1.0.99 255.255.0.0
    ip access-group 110 in
    ip access-group 110 out
    !
    ip classless
    ip http server
    !
    !
    access-list 110 permit ip any any
    snmp-server community public RO
    !
    line con 0
    exec-timeout 0 0
    line vty 0 4
    password admin
    login
    line vty 5 15
    password admin
    login
    !
    end
    Ori, Nov 27, 2003
    #1

  2. PES

    PES Guest

    If the firewall is on the 10.1.x.x network, does the firewall have a static
    route back to 10.0.x.x? Does the switch/router have a default gateway
    pointing to the firewall?

    "Ori" <> wrote in message
    news:...
    > Hi all.
    > I have just configured a cisco 3550 switch (SMI) for routing between
    > two vlans (1 and 3), but nothing seems to work.
    > Subnets 10.0.0.0/16 (VLAN 1) and 10.1.0.0/16 (VLAN 3) are the two
    > subnets I'm interested in separating, but an internet router and
    > firewall physically connected through interface fa0/23(attached to
    > vlan 3) cannot be reached by any of the workstations on vlan1, or by
    > the switch itself!!!
    > All ports are attached to vlan 1 except for fa0/23 which is attached
    > to vlan 3.
    >
    > Does anyone have an idea or suggestion?
    > Thanks.
    >
    > This is the config I use:
    >
    > !
    > version 12.1
    > no service pad
    > service timestamps debug uptime
    > service timestamps log uptime
    > no service password-encryption
    > !
    > hostname C3550
    > !
    > enable secret 5 $1$quZs$bRlFgoRZc5pIuub3ZvNSS/
    > enable password XXXX
    > !
    > ip subnet-zero
    > ip routing
    > !
    > !
    > spanning-tree mode pvst
    > spanning-tree extend system-id
    > !
    > !
    > !
    > interface FastEthernet0/1
    > switchport access vlan 1
    > switchport mode access
    > no ip address
    >
    > !
    >
    > interface FastEthernet0/2
    > switchport access vlan 1
    > switchport mode access
    > no ip address
    >
    > ........
    >
    > interface FastEthernet0/23
    > description To_FireWall
    > switchport access vlan 3
    > switchport mode access
    > no ip address
    >
    > !
    > interface FastEthernet0/24
    > switchport access vlan 1
    > switchport mode access
    > no ip address
    > !
    > interface GigabitEthernet0/1
    > no ip address
    > !
    > interface GigabitEthernet0/2
    > no ip address
    > !
    > interface Vlan1
    > ip address 10.0.10.11 255.255.0.0
    > ip access-group 110 in
    > ip access-group 110 out
    > !
    > interface Vlan3
    > ip address 10.1.0.99 255.255.0.0
    > ip access-group 110 in
    > ip access-group 110 out
    > !
    > ip classless
    > ip http server
    > !
    > !
    > access-list 110 permit ip any any
    > snmp-server community public RO
    > !
    > line con 0
    > exec-timeout 0 0
    > line vty 0 4
    > password admin
    > login
    > line vty 5 15
    > password admin
    > login
    > !
    > end
    PES, Nov 27, 2003
    #2

  3. Ori

    Ori Guest

    "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message news:<3fc620e7$>...
    > If the firewall is on the 10.1.x.x network, does the firewall have a static
    > route back to 10.0.x.x? Does the switch/router have a default gateway
    > pointing to the firewall?
    >

    Hi there and thanks for your answer.
    I'm pretty sure it's not a routing problem in the firewall, because
    when I reset the 3550 to its default config, all workstations can ping
    the firewall. My current config does not include a default gateway
    statement as the firewall is directly connected to fa0/23. The
    weirdest thing is I can't ping the firewall from the switch itself...
    Ori, Nov 30, 2003
    #3
  4. Chris

    Chris Guest

    On 29 Nov 2003 21:44:47 -0800, (Ori) wrote:

    >"PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message news:<3fc620e7$>...
    >> If the firewall is on the 10.1.x.x network, does the firewall have a static
    >> route back to 10.0.x.x? Does the switch/router have a default gateway
    >> pointing to the firewall?
    >>

    >Hi there and thanks for your answer.
    >I'm pretty sure it's not a routing problem in the firewall, because
    >when I reset the 3550 to its default config, all workstations can ping
    >the firewall. My current config does not include a default gateway
    >statement as the firewall is directly connected to fa0/23. The
    >weirdest thing is I can't ping the firewall from the switch itself...



    I'm pretty sure it IS a routing problem. The fact that the firewall
    is directly connected to a port is irrelevant as the switch just sees
    it in vlan3/subnet 10.1.x.x.

    You need to define the default route on the switch so that
    internet-bound traffic from workstations on vlan 1 gets forwarded to
    the gateway. Otherwise, the switch has no idea where to forward
    traffic bound anywhere but 10.0.x.x and 10.1.x.x and will just return
    a 'no-route' error.

    The vice-versa also applies. The firewall/gateway will also need to
    know where to send traffic destined for the 10.0.x.x subnet. You
    might consider having the firewall route all traffic, including the
    10.1.x.x subnet to the switch as well if you want to enforce any
    accounting or access-lists.

    The workstations on vlan 1 do have the switch address as their
    gateway, right?

    As for why pings don't work, access-list 110 is blocking everything
    but IP. You need to allow ICMP for pings to work. I suggest removing
    the access-list entirely until you get everything working properly.

    -Chris
    Chris, Nov 30, 2003
    #4
  5. Ori

    Ori Guest

    wrote in message news:<>...
    > On 29 Nov 2003 21:44:47 -0800, (Ori) wrote:
    >
    > >"PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message news:<3fc620e7$>...
    > >> If the firewall is on the 10.1.x.x network, does the firewall have a static
    > >> route back to 10.0.x.x? Does the switch/router have a default gateway
    > >> pointing to the firewall?
    > >>

    > >Hi there and thanks for your answer.
    > >I'm pretty sure it's not a routing problem in the firewall, because
    > >when I reset the 3550 to its default config, all workstations can ping
    > >the firewall. My current config does not include a default gateway
    > >statement as the firewall is directly connected to fa0/23. The
    > >weirdest thing is I can't ping the firewall from the switch itself...

    >
    >
    > I'm pretty sure it IS a routing problem. The fact that the firewall
    > is directly connected to a port is irrelevant as the switch just sees
    > it in vlan3/subnet 10.1.x.x.
    >
    > You need to define the default route on the switch so that
    > internet-bound traffic from workstations on vlan 1 gets forwarded to
    > the gateway. Otherwise, the switch has no idea where to forward
    > traffic bound anywhere but 10.0.x.x and 10.1.x.x and will just return
    > a 'no-route' error.
    >
    > The vice-versa also applies. The firewall/gateway will also need to
    > know where to send traffic destined for the 10.0.x.x subnet. You
    > might consider having the firewall route all traffic, including the
    > 10.1.x.x subnet to the switch as well if you want to enforce any
    > accounting or access-lists.
    >
    > The workstations on vlan 1 do have the switch address as their
    > gateway, right?
    >
    > As for why pings don't work, access-list 110 is blocking everything
    > but IP. You need to allow ICMP for pings to work. I suggest removing
    > the access-list entirely until you get everything working properly.
    >
    > -Chris


    Hi Chris and thanks for your answer.
    I have disabled the ACL but still can't ping the firewall
    (10.0.0.250/16) from the 3550 (10.0.10.11/16). The switch has a
    default gateway of 10.0.0.250, and ALL the ports are now attached to
    VLAN 1. I simply can't understand why I can't ping the firewall from the
    3550, especially when there is no problem in pinging the firewall from
    any workstation connected to the 3550 that is in the 10.0.0.0/16
    subnet and has 10.0.0.250 as its default gateway. I even tried to
    change the 3550's IP address a few times (thought there might be some
    ICMP blocking rules on the firewall for a specific address range) but
    no use.
    Am I missing something really big, or am I right when I think that
    a VLAN (on the 3550) with an IP address and a default gateway should
    ping and receive replies exactly like a workstation which is in the
    same subnet and has the same default gateway?

    -Ori
    Ori, Dec 1, 2003
    #5
  6. Juraj Ljubesic

    Juraj Ljubesic Guest

    .....
    >Am I missing something really big, or am I right when I think that
    >a VLAN (on the 3550) with an IP address and a default gateway should
    >ping and receive replies exactly like a workstation which is in the
    >same subnet and has the same default gateway?
    >
    >-Ori


    Maybe I am wrong, but you do NOT have a default gateway on the 3550.
    Try with a default static route.

    i.e:
    ip route 0.0.0.0 0.0.0.0 10.1.0.99

    Jura
    Juraj Ljubesic, Dec 1, 2003
    #6
  7. Ori

    Ori Guest

    Juraj Ljubesic <> wrote in message news:<>...
    > ....
    > >Am I missing something really big, or am I right when I think that
    > >a VLAN (on the 3550) with an IP address and a default gateway should
    > >ping and receive replies exactly like a workstation which is in the
    > >same subnet and has the same default gateway?
    > >
    > >-Ori

    >
    > Maybe I am wrong, but you do NOT have a default gateway on the 3550.
    > Try with a default static route.
    >
    > i.e:
    > ip route 0.0.0.0 0.0.0.0 10.1.0.99
    >
    > Jura


    Hi!
    I do have a default gateway on the 3550. From the switch config:
    ip default-gateway 10.0.0.250
    Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
    -Ori.
    Ori, Dec 1, 2003
    #7
  8. Juraj Ljubesic

    Juraj Ljubesic Guest

    On 1 Dec 2003 05:48:46 -0800, (Ori) wrote:

    >Juraj Ljubesic <> wrote in message news:<>...
    >> ....
    >> >Am I missing something really big, or am I right when I think that
    >> >a VLAN (on the 3550) with an IP address and a default gateway should
    >> >ping and receive replies exactly like a workstation which is in the
    >> >same subnet and has the same default gateway?
    >> >
    >> >-Ori

    >>
    >> Maybe I am wrong, but you do NOT have a default gateway on the 3550.
    >> Try with a default static route.
    >>
    >> i.e:
    >> ip route 0.0.0.0 0.0.0.0 10.1.0.99
    >>
    >> Jura

    >
    >Hi!
    >I do have a default gateway on the 3550. From the switch config:
    >ip default-gateway 10.0.0.250
    >Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
    >-Ori.


    OK, I'm not so familiar with the 3550. It can be the same. But the default
    gateway is not visible in your sh run configuration.

    And, most important: if your firewall is connected to VLAN 3 with IP
    address 10.1.0.0/16, the default gateway definitely can't be 10.0.0.250.
    Try with 10.1.0.250.

    Jura
    Juraj Ljubesic, Dec 1, 2003
    #8
  9. Walter Roberson

    Walter Roberson Guest

    In article <>,
    Ori <> wrote:
    :I do have a default gateway on the 3550. From the switch config:
    :ip default-gateway 10.0.0.250
    :Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??

    No; the default-gateway should be used only if ip routing is turned
    off.
    --
    Tenser, said the Tensor.
    Tenser, said the Tensor.
    Tension, apprehension,
    And dissension have begun. -- Alfred Bester (tDM)
    Walter Roberson, Dec 1, 2003
    #9
  10. PES

    PES Guest

    The default gateway is not for routing packets in most cases. It is for when IP
    routing is turned off, basically for management traffic that needs to go to
    a remote subnet.

    "Ori" <> wrote in message
    news:...
    > Juraj Ljubesic <> wrote in message

    news:<>...
    > > ....
    > > >Am I missing something really big, or am I right when I think that
    > > >a VLAN (on the 3550) with an IP address and a default gateway should
    > > >ping and receive replies exactly like a workstation which is in the
    > > >same subnet and has the same default gateway?
    > > >
    > > >-Ori

    > >
    > > Maybe I am wrong, but you do NOT have a default gateway on the 3550.
    > > Try with a default static route.
    > >
    > > i.e:
    > > ip route 0.0.0.0 0.0.0.0 10.1.0.99
    > >
    > > Jura

    >
    > Hi!
    > I do have a default gateway on the 3550. From the switch config:
    > ip default-gateway 10.0.0.250
    > Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
    > -Ori.
    PES, Dec 2, 2003
    #10
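    The two technical points the thread turns on can be checked mechanically: the `ip default-gateway` versus `ip route 0.0.0.0 0.0.0.0` distinction explained in posts #6 to #10, and the ACL and management-plane settings in the config Ori posted in #1. The script below is an added example written for this page; it is not code from the thread or from Cisco. The sample config is a constructed, trimmed copy of the posted one with the `ip default-gateway 10.0.0.250` line from post #7 placed in global config (an assumption about where it sits), and the finding texts, rule list and function names are mine.

```python
"""Static checks over a Cisco IOS config, modelled on the 3550 config in this
thread. Added example, not code from the thread; the rule wording is mine."""
import ipaddress
import re

# Constructed sample: the SVIs, ACL and management lines from post #1 plus the
# 'ip default-gateway 10.0.0.250' line Ori quotes in post #7 (assumed global).
SAMPLE_CONFIG = """\
no service password-encryption
hostname C3550
enable password XXXX
ip routing
interface Vlan1
 ip address 10.0.10.11 255.255.0.0
 ip access-group 110 in
 ip access-group 110 out
interface Vlan3
 ip address 10.1.0.99 255.255.0.0
 ip access-group 110 in
 ip access-group 110 out
ip default-gateway 10.0.0.250
ip http server
access-list 110 permit ip any any
snmp-server community public RO
line con 0
 exec-timeout 0 0
line vty 0 4
 password admin
 login
"""

def svi_subnets(config):
    """Map each interface name to its IPv4Interface (address plus mask)."""
    subnets, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None  # back at global config level
        elif current and line.strip().startswith("ip address "):
            _, _, addr, mask = line.split()
            subnets[current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return subnets

def check_routing(config):
    """Findings about how the switch reaches destinations off its own subnets."""
    findings = []
    routing_on = re.search(r"^ip routing$", config, re.M) is not None
    gateway = re.search(r"^ip default-gateway (\S+)$", config, re.M)
    default_route = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M)
    if routing_on and gateway:
        findings.append("ip default-gateway is only used while ip routing is off; use "
                        f"'ip route 0.0.0.0 0.0.0.0 {gateway.group(1)}' instead")
    if routing_on and not default_route:
        findings.append("ip routing is on but there is no default route, so anything "
                        "outside the connected subnets is unreachable")
    for match in (gateway, default_route):
        if match:
            hop = ipaddress.IPv4Address(match.group(1))
            if not any(hop in svi.network for svi in svi_subnets(config).values()):
                findings.append(f"next hop {hop} is not on any connected SVI subnet")
    return findings

def fix_default_route(config):
    """Rewrite 'ip default-gateway X' as the static default route a routing
    switch actually consults (the firewall still needs its own route back)."""
    return re.sub(r"^ip default-gateway (\S+)$", r"ip route 0.0.0.0 0.0.0.0 \1",
                  config, flags=re.M)

def acl_permits(config, acl, proto):
    """First-match evaluation of 'access-list N permit|deny PROTO any any'
    entries. The keyword 'ip' matches every IP protocol, ICMP included; the
    implicit deny at the end of the list returns False."""
    entries = re.findall(rf"^access-list {acl} (permit|deny) (\S+) any any$", config, re.M)
    for action, entry_proto in entries:
        if entry_proto in ("ip", proto):
            return action == "permit"
    return False

# Management-plane weaknesses visible in the posted config: (pattern, finding).
HYGIENE_RULES = [
    (r"^no service password-encryption$", "line passwords are stored in clear text"),
    (r"^enable password ", "plaintext 'enable password' next to 'enable secret'; remove it, the secret takes precedence"),
    (r"^ password admin$", "line password 'admin' is a guessable shared credential; prefer 'login local' or AAA"),
    (r"^snmp-server community public ", "default SNMP community 'public' exposes interfaces and routes to anyone reaching UDP/161"),
    (r"^ip http server$", "HTTP management without TLS; disable it or restrict it with an ACL"),
    (r"^ exec-timeout 0 0$", "exec-timeout 0 0 never idles out a console or vty session"),
]

def check_hygiene(config):
    """Return the finding text for every hygiene rule that matches."""
    return [msg for pattern, msg in HYGIENE_RULES if re.search(pattern, config, re.M)]

if __name__ == "__main__":
    for finding in check_routing(SAMPLE_CONFIG) + check_hygiene(SAMPLE_CONFIG):
        print("-", finding)
    print("ACL 110 permits ICMP:", acl_permits(SAMPLE_CONFIG, 110, "icmp"))
    print("after fix:", check_routing(fix_default_route(SAMPLE_CONFIG)))
```

    Run stand-alone it reports two routing findings on the sample (a default gateway that `ip routing` ignores, and no default route at all) and six hygiene findings; after `fix_default_route` the routing findings disappear because 10.0.0.250 lies inside the Vlan1 subnet. The next-hop check also covers Juraj's point in #8: a next hop that is not inside any SVI subnet is flagged. `acl_permits` shows that `permit ip any any` already matches ICMP, so the ACL alone does not explain the failed pings. What the script cannot see is the firewall side; as Chris notes in #4, the firewall still needs a route for 10.0.0.0/16 back to the switch once the default route is in place.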
  11. Chris

    Chris Guest

    On 30 Nov 2003 21:05:22 -0800, (Ori) wrote:

    > wrote in message news:<>...
    >> On 29 Nov 2003 21:44:47 -0800, (Ori) wrote:
    >>
    >> >"PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message news:<3fc620e7$>...
    >> >> If the firewall is on the 10.1.x.x network, does the firewall have a static
    >> >> route back to 10.0.x.x? Does the switch/router have a default gateway
    >> >> pointing to the firewall?
    >> >>
    >> >Hi there and thanks for your answer.
    >> >I'm pretty sure it's not a routing problem in the firewall, because
    >> >when I reset the 3550 to its default config, all workstations can ping
    >> >the firewall. My current config does not include a default gateway
    >> >statement as the firewall is directly connected to fa0/23. The
    >> >weirdest thing is I can't ping the firewall from the switch itself...

    >>
    >>
    >> I'm pretty sure it IS a routing problem. The fact that the firewall
    >> is directly connected to a port is irrelevant as the switch just sees
    >> it in vlan3/subnet 10.1.x.x.
    >>
    >> You need to define the default route on the switch so that
    >> internet-bound traffic from workstations on vlan 1 gets forwarded to
    >> the gateway. Otherwise, the switch has no idea where to forward
    >> traffic bound anywhere but 10.0.x.x and 10.1.x.x and will just return
    >> a 'no-route' error.
    >>
    >> The vice-versa also applies. The firewall/gateway will also need to
    >> know where to send traffic destined for the 10.0.x.x subnet. You
    >> might consider having the firewall route all traffic, including the
    >> 10.1.x.x subnet to the switch as well if you want to enforce any
    >> accounting or access-lists.
    >>
    >> The workstations on vlan 1 do have the switch address as their
    >> gateway, right?
    >>
    >> As for why pings don't work, access-list 110 is blocking everything
    >> but IP. You need to allow ICMP for pings to work. I suggest removing
    >> the access-list entirely until you get everything working properly.
    >>
    >> -Chris

    >
    >Hi Chris and thanks for your answer.
    >I have disabled the ACL but still can't ping the firewall
    >(10.0.0.250/16) from the 3550 (10.0.10.11/16). The switch has a
    >default gateway of 10.0.0.250, and ALL the ports are now attached to
    >VLAN 1. I simply can't understand why I can't ping the firewall from the
    >3550, especially when there is no problem in pinging the firewall from
    >any workstation connected to the 3550 that is in the 10.0.0.0/16
    >subnet and has 10.0.0.250 as its default gateway.


    A few others already pointed out the distinction between a
    default-route entry and an 'ip route 0.0.0.0 0.0.0.0' entry.

    Also, verify that the firewall has the proper subnet mask. Can the
    workstations ping the switch now?

    -Chris
    Chris, Dec 2, 2003
    #11
  12. Ori

    Ori Guest

    wrote in message news:<>...
    > On 30 Nov 2003 21:05:22 -0800, (Ori) wrote:
    >
    > > wrote in message news:<>...
    > >> On 29 Nov 2003 21:44:47 -0800, (Ori) wrote:
    > >>
    > >> >"PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message news:<3fc620e7$>...
    > >> >> If the firewall is on the 10.1.x.x network, does the firewall have a static
    > >> >> route back to 10.0.x.x? Does the switch/router have a default gateway
    > >> >> pointing to the firewall?
    > >> >>
    > >> >Hi there and thanks for your answer.
    > >> >I'm pretty sure it's not a routing problem in the firewall, because
    > >> >when I reset the 3550 to its default config, all workstations can ping
    > >> >the firewall. My current config does not include a default gateway
    > >> >statement as the firewall is directly connected to fa0/23. The
    > >> >weirdest thing is I can't ping the firewall from the switch itself...
    > >>
    > >>
    > >> I'm pretty sure it IS a routing problem. The fact that the firewall
    > >> is directly connected to a port is irrelevant as the switch just sees
    > >> it in vlan3/subnet 10.1.x.x.
    > >>
    > >> You need to define the default route on the switch so that
    > >> internet-bound traffic from workstations on vlan 1 gets forwarded to
    > >> the gateway. Otherwise, the switch has no idea where to forward
    > >> traffic bound anywhere but 10.0.x.x and 10.1.x.x and will just return
    > >> a 'no-route' error.
    > >>
    > >> The vice-versa also applies. The firewall/gateway will also need to
    > >> know where to send traffic destined for the 10.0.x.x subnet. You
    > >> might consider having the firewall route all traffic, including the
    > >> 10.1.x.x subnet to the switch as well if you want to enforce any
    > >> accounting or access-lists.
    > >>
    > >> The workstations on vlan 1 do have the switch address as their
    > >> gateway, right?
    > >>
    > >> As for why pings don't work, access-list 110 is blocking everything
    > >> but IP. You need to allow ICMP for pings to work. I suggest removing
    > >> the access-list entirely until you get everything working properly.
    > >>
    > >> -Chris

    > >
    > >Hi Chris and thanks for your answer.
    > >I have disabled the ACL but still can't ping the firewall
    > >(10.0.0.250/16) from the 3550 (10.0.10.11/16). The switch has a
    > >default gateway of 10.0.0.250, and ALL the ports are now attached to
    > >VLAN 1. I simply can't understand why I can't ping the firewall from the
    > >3550, especially when there is no problem in pinging the firewall from
    > >any workstation connected to the 3550 that is in the 10.0.0.0/16
    > >subnet and has 10.0.0.250 as its default gateway.

    >
    > A few others already pointed out the distinction between a
    > default-route entry and an 'ip route 0.0.0.0 0.0.0.0' entry.
    >
    > Also, verify that the firewall has the proper subnet mask. Can the
    > workstations ping the switch now?
    >
    > -Chris

    Thanks for all the comments, I'll give it a try soon.
    -Ori.
    Ori, Dec 4, 2003
    #12
  13. Kenny D

    Kenny D Guest

    Have you tried ip subnet-zero? 172.16.0.0 is subnet-zero
    Kenny D, Dec 4, 2003
    #13