Cannot browse to network shares across vlans

Discussion in 'Computer Support' started by SheddTec, Feb 19, 2007.

  1. SheddTec

    SheddTec Guest

    We have created a new subnet 172.18.x.x on its own VLAN and I believe
    I have the VLAN setup and routed properly. We have another subnet of
    172.16.x.x which our Windows 2000 servers are on. From a XP client on
    the new 18 subnet, I can ping our servers on the 16 subnet ok, by name
    and by IP address. I can also ping the client's IP and name from the
    16 subnet. What I'm having a problem with is browsing to \\servername
    on the 16 subnet from the client on the 18 subnet. I also cannot
    browse to a share on the client from the server. What could be causing
    SheddTec, Feb 19, 2007
  2. Walter Mautner

    Walter Mautner Guest

    What's the point of a VLAN here? You have to route VLANs across a
    firewalling router with two virtual vlan interfaces, to get the best out of
    For different subnets, you rather want a WINS server setup (your 2000
    servers are happy to serve :)) and - most important - propagate the wins
    server best through dhcp "netbios-name-servers" stanza.
    If you have a full AD structure, that should not be necessary.
    Walter Mautner, Feb 20, 2007
  3. why?

    why? Guest

    What's the point of x.x'ing the IP for a private, non-routable address space?
    You proved this how?
    So what's resolving the name to IP WINS / DNS? Maybe it's all on AD.
    ping isn't browsing, 2 very different things.
    WINS, then again you didn't say if \\ip-address-of-servername works or
    not? You said ping by name / IP works but you didn't seem to try the IP in
    the map-a-drive test.

    Your router (used to communicate between VLANs) of some unknown make /
    model / operating system isn't blocking anything? Maybe it wasn't even
    configured, don't have a router and it's all setup on a switch of some
    unknown make / model / operating system.

    You could change the VLAN number on a port for an 18 client, change it to
    a 16 client address and see if that even works. So the hardware /
    physical path is all the same you simply move a PC to the server VLAN
    for a test.

    why?, Feb 20, 2007
  4. SheddTec

    SheddTec Guest

    It is set up on separate VLANs in order to keep the broadcast traffic
    separated. This was put in place in order to use a separate DHCP
    server on each subnet. When both were on the same subnet, our DHCP
    server would give an address but you could not ping or access any
    network resources.

    As for WINS, I have now set up a WINS server on our DC and registered a
    few servers and clients with it, but that has not fixed the problem. I
    still cannot open any network shares from the 172.18 subnet and
    nothing is in Network Places.
    SheddTec, Feb 20, 2007
  5. SheddTec

    SheddTec Guest

    I can ping across the subnets with both names and IP addresses.
    I did try the IP in a mapping, same error.
    This is what I am leaning towards, but I can't find anything wrong.
    The layout is wifi client>ap>firewall>cisco 3560>cisco 2960>server. We
    have no ACL on the cisco switches or routers, so the only thing that
    could be in the way is the firewall, but it is set for WLAN>LAN all/
    The client works on the server vlan just fine.
    SheddTec, Feb 20, 2007
  6. why?

    why? Guest

    routing tables, Windows PCs cmd prompt - route print

    All static assigned?
    You are sure? Windows can do funny things, packet sniffers are handy

    Is there a WINS? It's populated correctly?
    At least you say that now.
    Good stuff 3560/2960 use them a lot. Just did a 2811 router/3560 today.

    In that case your wifi client is the .18 VLAN and you have ip routing on
    the 3560 (since you mention no other router) for 1 VLAN (IOS ver / image
    can help) and all the ports on the 2960 are .16 and the other VLAN.

    On the backend of another 3560, it blocks the Windows browse lists by
    default giving no login server available, we simply login the PC on the
    site VLAN, it gets the browse list. Then move it to the VLAN (new IP)
    and then it finds the AD/DC to login to after that. Makes life easier.
    Almost always do any ACLs last.

    An ACL for debugging on ports 137, 138, 139 and 445 sounds like a good place
    to start; you can see what is happening.

    Which routers? Is it the FW acting as your L3 device?

    At least it sounds like there are no trunk, VTP or STP issues then and
    show vlan has no surprises as ping traverses.
    No FW make / model? Is that really a FW rule?

    Take the FW out of the equation then?
    That's when it's positioned as you describe above, off the AP so you
    made the VLAN port on the 3650 or the 2960 the same as the server?

    i.e. doing a - sw a v # for the appropriate int.

    That way it would still traverse the ap-fw-3560-2960-server.

    If that works it's not the FW.

    Or even take out the 2960 and/or FW. Make a port on the 3560 (depending
    where your VLANs are) the VLAN of the server. That's generally what I
    do, split the 3560 into VLANs and then an old Cisco 3000 does the
    routing VLAN1/VLAN2/VLAN3 to VLAN GW1/VLAN GW2 etc.

    There are a couple of cisco newsgroups. You may have to post the IOS
    versions, if it's ipbase or ipservices and some config. Most likely you
    will also be told to simplify the setup as mentioned and perhaps even
    run a packet sniffer off the wifi client / spanned port on the

    Packet sniffer time at the client or a spanned port on the 3560. You
    need to see what's happening in the way of login / mapping drive issues.
    If the client is sending out requests and getting no replies.

    Oh and remove the FW to test, some automatically block Windows domain
    traffic by default.

    why?, Feb 21, 2007
  7. why?

    why? Guest

    Ah, we use 6509 with DHCP server (for 5000+ PCs) offsite (with local
    backups) and the ip helper <ip of dhcp server> IOS command on each
    interface. 12 VLANs (2000 local PCs) and no issues.


    why?, Feb 21, 2007
  8. Keme

    Keme Guest

    SheddTec wrote:[...]

    did try the ip in a mapping, same error.
    It seems that ICMP traffic comes through but TCP doesn't. Anything on
    the firewall or 3560 that distinguishes connections (stateful/stateless,

    Can the wireless client see a web server on the "inside"? (port blocking?)

    Any over-sensitive "storm control" configured on one of the Catalysts?

    Do you have the same trunk/access mode on interconnection ports, and
    same administrative VLAN across the cisco switches? (VLAN mismatch can
    do unexpected things to connectivity across Cisco infrastructure, and if
    portfast is enabled, it's hard to pinpoint.)
    Keme, Feb 21, 2007
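    As an added example (not posted by anyone in this thread): a small Python probe that does from the client what ping cannot, a TCP connect to the SMB ports why? listed, and reports whether the path between the VLANs is dropping them or the server is simply not listening. The server name is an assumption; name resolution (the WINS/DNS question raised earlier) is done once up front so a resolution failure is reported separately from a port failure.

```python
import socket
import sys

# TCP ports a "\\servername" connection needs. 137/138 from the thread are UDP
# (NetBIOS name/datagram) and cannot be classified by a TCP connect; 139
# (NetBIOS session) and 445 (direct SMB) are what a Windows 2000 server serves.
SMB_TCP_PORTS = (139, 445)

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port as seen from the client: 'open' (handshake done),
    'closed' (RST came back: path clear, nothing listening) or 'filtered'
    (no answer or no route: the usual sign of a firewall/ACL silently
    dropping the port even though ping succeeds)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # covers socket.timeout and EHOSTUNREACH/ENETUNREACH
            return "filtered"

def probe_share_path(host, timeout=2.0):
    """Resolve the server name once (a failure here is a WINS/DNS problem, not
    a port problem), then probe every SMB TCP port."""
    ip = socket.gethostbyname(host)
    return {port: probe_tcp(ip, port, timeout) for port in SMB_TCP_PORTS}

def diagnose(results):
    """Reduce per-port results to the question the thread is really asking."""
    if any(r == "open" for r in results.values()):
        return "smb-reachable"      # share errors are not a path problem
    if all(r == "filtered" for r in results.values()):
        return "filtered-on-path"   # firewall/ACL between the VLANs
    return "no-smb-listener"        # path open, server not serving SMB

def open_local_listener():
    """Constructed stand-in for a file server on an ephemeral loopback port,
    so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    # usage: python smb_probe.py <server-name-or-ip>  (target name is assumed)
    target = sys.argv[1] if len(sys.argv) > 1 else "servername"
    res = probe_share_path(target)
    print(res, "->", diagnose(res))
```

    Run it from the 172.18 client against the 172.16 server: "filtered-on-path" with a working ping is exactly the ICMP-passes-but-TCP-doesn't symptom Keme describes.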
  9. SheddTec

    SheddTec Guest

    Well, I just found out, Sonicwall is having multiple users report a
    similar problem as mine with the 3.5 enhanced firmware. Specifically,
    the firewall rules are not being enforced properly, so netbios was
    being blocked at the firewall. So now the problem is in their labs...
    thank god the services on this subnet aren't in production yet.
    SheddTec, Feb 23, 2007
  10. why?

    why? Guest

    Well, that's the first time you mentioned the model of the FW/software.
    Blocking NetBIOS at a FW is always recommended.
    If you need NetBIOS over that connection then you use VPN.

    For all the Cisco PIX FWs we send out with mobile users it's simple,

    Allow DNS (required to make initial connection)
    Allow VPNServer1
    Allow VPNServer2
    Block anything else.

    There is also a FW/IDS on the laptops / PCs. Its rule set is fairly
    simple as well. Allow Mail Server, WINS for login, our software update
    servers and a few applications.

    It (VPN) makes it much easier to manage what you need to allow over any
    link and deny.

    why?, Feb 24, 2007
