Routing between Vlans on Cisco 3550 : Help Needed.

Discussion in 'Cisco' started by Ori, Nov 27, 2003.

  1. Ori (Guest)

    Hi all.
    I have just configured a Cisco 3550 switch (SMI) for routing between
    two VLANs (1 and 3), but nothing seems to work.
    Subnets 10.0.0.0/16 (VLAN 1) and 10.1.0.0/16 (VLAN 3) are the two
    subnets I'm interested in separating, but an Internet router and
    firewall physically connected through interface fa0/23 (attached to
    VLAN 3) cannot be reached by any of the workstations on VLAN 1, or by
    the switch itself!!!
    All ports are attached to VLAN 1 except for fa0/23, which is attached
    to VLAN 3.

    Does anyone have an idea or suggestion?
    Thanks.

    This is the config I use:

    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname C3550
    !
    enable secret 5 $1$quZs$bRlFgoRZc5pIuub3ZvNSS/
    enable password XXXX
    !
    ip subnet-zero
    ip routing
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    interface FastEthernet0/1
    switchport access vlan 1
    switchport mode access
    no ip address

    !

    interface FastEthernet0/2
    switchport access vlan 1
    switchport mode access
    no ip address

    .........

    interface FastEthernet0/23
    description To_FireWall
    switchport access vlan 3
    switchport mode access
    no ip address

    !
    interface FastEthernet0/24
    switchport access vlan 1
    switchport mode access
    no ip address
    !
    interface GigabitEthernet0/1
    no ip address
    !
    interface GigabitEthernet0/2
    no ip address
    !
    interface Vlan1
    ip address 10.0.10.11 255.255.0.0
    ip access-group 110 in
    ip access-group 110 out
    !
    interface Vlan3
    ip address 10.1.0.99 255.255.0.0
    ip access-group 110 in
    ip access-group 110 out
    !
    ip classless
    ip http server
    !
    !
    access-list 110 permit ip any any
    snmp-server community public RO
    !
    line con 0
    exec-timeout 0 0
    line vty 0 4
    password admin
    login
    line vty 5 15
    password admin
    login
    !
    end
     
    Ori, Nov 27, 2003
    #1
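Added example, not from the thread and not Cisco code: a small Python lint over the management-plane lines of the running-config posted above, beside a hardened version of the same lines. It only checks settings that actually appear in the posted config (clear-text passwords, the well-known SNMP community, the HTTP server, and vty lines that accept Telnet). The hardened fragment is assumed for the example; its `login local` lines presuppose local `username` entries, and dropping the SNMP community assumes SNMPv3 or a non-default, ACL-restricted string is configured instead.

```python
import re

# Management-plane lines copied from the config posted in #1 (interface stanzas
# and the enable secret hash are left out because the checks below ignore them).
CONFIG_POST1 = """\
version 12.1
no service password-encryption
hostname C3550
enable password XXXX
ip routing
ip http server
snmp-server community public RO
line vty 0 4
 password admin
 login
line vty 5 15
 password admin
 login
"""

# Hardened counterpart (assumed, for the example): encrypt stored passwords,
# drop the clear-text enable password, drop the default SNMP community,
# disable the HTTP server, and restrict the vty lines to SSH with local users.
CONFIG_HARDENED = """\
version 12.1
service password-encryption
hostname C3550
ip routing
no ip http server
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""


def vty_stanzas(text):
    """Return [(header, body_lines)] for each 'line vty' stanza; the body is
    the run of indented lines that follows the header."""
    stanzas, current = [], None
    for raw in text.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            stanzas.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None
    return stanzas


def lint_config(text):
    """Return (severity, finding) pairs for the weak settings visible in text."""
    lines = [raw.strip() for raw in text.splitlines()]
    findings = []
    if "no service password-encryption" in lines:
        findings.append(("medium", "no service password-encryption: line and enable "
                                   "passwords are stored in clear text"))
    if any(l.startswith("enable password ") for l in lines):
        findings.append(("medium", "enable password: clear-text (type 0) enable "
                                   "password configured next to the enable secret"))
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("high", f"{m.group(0)}: well-known default community string"))
    if "ip http server" in lines:
        findings.append(("low", "ip http server: web management enabled; disable if unused"))
    for header, body in vty_stanzas(text):
        # 'transport input' defaults to all protocols, so password login without
        # 'transport input ssh' means Telnet (clear text) is accepted on that line
        if any(b.startswith("login") for b in body) and "transport input ssh" not in body:
            findings.append(("high", f"{header}: login enabled without 'transport input "
                                     "ssh', so clear-text Telnet management is accepted"))
    return findings


if __name__ == "__main__":
    for sev, msg in lint_config(CONFIG_POST1):
        print(f"[{sev}] {msg}")
    print("hardened findings:", lint_config(CONFIG_HARDENED))
```

SSH on IOS needs an image with crypto support and generated RSA keys before `transport input ssh` is usable; where that is not available, an `access-class` on the vty lines at least limits which subnet can reach the Telnet service.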

  2. PES (Guest)

    If the firewall is on the 10.1.x.x network, does the firewall have a static
    route back to 10.0.x.x? Does the switch/router have a default gateway
    pointing to the firewall?
     
    PES, Nov 27, 2003
    #2

  3. Ori (Guest)

    Hi there and thanks for your answer.
    I'm pretty sure it's not a routing problem in the firewall, because
    when I reset the 3550 to its default config, all workstations can ping
    the firewall. My current config does not include a default gateway
    statement as the firewall is directly connected to fa0/23. The
    weirdest thing is I can't ping the firewall from the switch itself...
     
    Ori, Nov 30, 2003
    #3
  4. chris (Guest)

    I'm pretty sure it IS a routing problem. The fact that the firewall
    is directly connected to a port is irrelevant as the switch just sees
    it in vlan3/subnet 10.1.x.x.

    You need to define the default route on the switch so that
    internet-bound traffic from workstations on vlan 1 gets forwarded to
    the gateway. Otherwise, the switch has no idea where to forward
    traffic bound anywhere but 10.0.x.x and 10.1.x.x and will just return
    a 'no-route' error.

    The vice-versa also applies. The firewall/gateway will also need to
    know where to send traffic destined for the 10.0.x.x subnet. You
    might consider having the firewall route all traffic, including the
    10.1.x.x subnet to the switch as well if you want to enforce any
    accounting or access-lists.

    The workstations on vlan 1 do have the switch address as their
    gateway, right?

    As for why pings don't work, access-list 110 is blocking everything
    but IP. You need to allow ICMP for pings to work. I suggest removing
    the access-list entirely until you get everything working properly.

    -Chris
     
    chris, Nov 30, 2003
    #4
  5. Ori (Guest)

    Hi Chris and thanks for your answer.
    I have disabled the ACL but still can't ping the firewall
    (10.0.0.250/16) from the 3550 (10.0.10.11/16). The switch has a
    default gateway of 10.0.0.250, and ALL the ports are now attached to
    Vlan1. I simply can't understand why I can't ping the firewall from the
    3550, especially when there is no problem in pinging the firewall from
    any workstation connected to the 3550 that is in the 10.0.0.0/16
    subnet and has 10.0.0.250 as its default gateway. I even tried to
    change the 3550's IP address a few times (thought there might be some
    ICMP blocking rules on the firewall for a specific address range) but
    no use.
    Am I missing something really big, or am I right when I think that
    a VLAN (on the 3550) with an IP address and a default gateway should
    ping and receive replies exactly like a workstation which is in the
    same subnet and has the same default gateway???

    -Ori
     
    Ori, Dec 1, 2003
    #5
  6. Juraj Ljubesic

    Maybe I am wrong, but you do NOT have a default gateway on the 3550.
    Try with a default static route.

    i.e.:
    ip route 0.0.0.0 0.0.0.0 10.1.0.99

    Jura
     
    Juraj Ljubesic, Dec 1, 2003
    #6
  7. Ori (Guest)

    Hi!
    I do have a default gateway on the 3550. From the switch config:
    ip default-gateway 10.0.0.250
    Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
    -Ori.
     
    Ori, Dec 1, 2003
    #7
  8. Juraj Ljubesic

    OK, I'm not so familiar with the 3550. It can be the same. But the default
    gateway is not visible in your sh run configuration.

    And, most important: if your firewall is connected to VLAN 3 with an IP
    address in 10.1.0.0/16, the default gateway definitely can't be 10.0.0.250.
    Try with 10.1.0.250.

    Jura
     
    Juraj Ljubesic, Dec 1, 2003
    #8
  9. Walter Roberson

    :ip default-gateway 10.0.0.250
    :Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??

    No; the default-gateway should be used only if ip routing is turned
    off.
     
    Walter Roberson, Dec 1, 2003
    #9
  10. PES (Guest)

    Default gateway is not for routing packets in most cases. It is for when IP
    routing is turned off, basically for management traffic that needs to go to
    a remote subnet.

    :Hi!
    :I do have a default gateway on the 3550. From the switch config:
    :ip default-gateway 10.0.0.250
    :Isn't it the same as ip route 0.0.0.0 0.0.0.0 10.0.0.250 ??
    :-Ori.
     
    PES, Dec 2, 2003
    #10
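Added example, not from the thread and not Cisco code: a Python model of the 3550's IPv4 forwarding decision, run over a trimmed copy of the config from #1, to show the points argued in #4, #6, #8, #9 and #10 in one place. Only `ip routing`, the SVI addresses, the access VLAN of fa0/23, `ip route` lines and `ip default-gateway` are parsed. The functions `parse` and `decide`, the `firewall_port` parameter and the documentation address 198.51.100.1 (standing in for any Internet host) are assumptions of the example; 10.1.0.250 is the gateway Jura proposes in #8.

```python
import ipaddress

# Trimmed copy of the running-config from #1: only the lines the lookup needs.
# The 'ip default-gateway 10.0.0.250' line is the one Ori quotes in #7.
CONFIG_POST1 = """\
ip routing
interface FastEthernet0/23
 description To_FireWall
 switchport access vlan 3
interface Vlan1
 ip address 10.0.10.11 255.255.0.0
interface Vlan3
 ip address 10.1.0.99 255.255.0.0
ip default-gateway 10.0.0.250
"""

# Candidate fixes discussed in the thread, appended to the posted config.
WITH_DEFAULT_VLAN3 = CONFIG_POST1 + "ip route 0.0.0.0 0.0.0.0 10.1.0.250\n"  # Jura, #8
WITH_DEFAULT_VLAN1 = CONFIG_POST1 + "ip route 0.0.0.0 0.0.0.0 10.0.0.250\n"  # Ori's gateway
HOST_MODE = CONFIG_POST1.replace("ip routing", "no ip routing", 1)            # routing off


def parse(text):
    """Pull the forwarding-relevant state out of IOS-style config text."""
    st = {"routing": False, "svis": {}, "statics": [], "default_gw": None, "port_vlan": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip routing":
            st["routing"] = True
        elif line == "no ip routing":
            st["routing"] = False
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("ip address ") and current:
            _, _, addr, mask = line.split()
            st["svis"][current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif line.startswith("switchport access vlan ") and current:
            st["port_vlan"][current] = "Vlan" + line.split()[-1]
        elif line.startswith("ip route "):
            _, _, dst, mask, nh = line.split()[:5]
            st["statics"].append((ipaddress.IPv4Network(f"{dst}/{mask}"), nh))
        elif line.startswith("ip default-gateway "):
            st["default_gw"] = line.split()[2]
    return st


def decide(text, dst, firewall_port="FastEthernet0/23"):
    """Longest-prefix match for dst, then resolution of a static next hop onto
    a connected SVI. Returns a one-line description of what the switch does."""
    st = parse(text)
    dst = ipaddress.IPv4Address(dst)
    rib = [(itf.network, name, "connected") for name, itf in st["svis"].items()]
    if st["routing"]:
        # static routes are only installed when IP routing is on
        rib += [(net, nh, "static") for net, nh in st["statics"]]
    best = max((r for r in rib if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        if not st["routing"] and st["default_gw"]:
            # host mode: 'ip default-gateway' is what gets used (Walter #9, PES #10)
            return f"no route; host-mode default-gateway {st['default_gw']}"
        # with 'ip routing' on, 'ip default-gateway' is ignored (Chris, #4)
        return "no route (unreachable)"
    net, via, kind = best
    if kind == "connected":
        return f"{net} connected via {via}"
    nh = ipaddress.IPv4Address(via)
    out = next((n for n, itf in st["svis"].items() if nh in itf.network), None)
    if out is None:
        return f"{net} via {via}: next hop not on any connected subnet"
    fw_vlan = st["port_vlan"].get(firewall_port)
    if fw_vlan and fw_vlan != out:
        # next hop resolves to an SVI whose VLAN does not contain the firewall port
        return f"{net} via {via} out {out}, but {firewall_port} is in {fw_vlan}"
    return f"{net} via {via} out {out}"


if __name__ == "__main__":
    for label, cfg, dst in [("posted config, Internet host", CONFIG_POST1, "198.51.100.1"),
                            ("posted config, VLAN 3 host", CONFIG_POST1, "10.1.0.250"),
                            ("default route via 10.1.0.250", WITH_DEFAULT_VLAN3, "198.51.100.1"),
                            ("default route via 10.0.0.250", WITH_DEFAULT_VLAN1, "198.51.100.1"),
                            ("ip routing off", HOST_MODE, "198.51.100.1")]:
        print(f"{label}: {decide(cfg, dst)}")
```

The model deliberately stops at the switch: as #4 and #8 note, the firewall also needs a route back to 10.0.0.0/16, which no switch-side setting can supply.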
  11. chris (Guest)

    A few others already pointed out the distinction between a
    default-route entry and an 'ip route 0.0.0.0 0.0.0.0' entry.

    Also, verify that the firewall has the proper subnet mask. Can the
    workstations ping the switch now?

    -Chris
     
    chris, Dec 2, 2003
    #11
  12. Ori (Guest)

    Thanks for all comments, I'll give it a try soon.
    -Ori.
     
    Ori, Dec 4, 2003
    #12
  13. Kenny D (Guest)

    Have you tried ip subnet-zero? 172.16.0.0 is subnet-zero
     
    Kenny D, Dec 4, 2003
    #13