Inter-VLAN routing with internet access.

oj_amira Posts: 8 Member
Hi Guys,
I have a 3750 Catalyst switch with 4 VLANs. I have configured inter-VLAN routing between the VLANs and can ping end nodes as well as the IP address 195.153.117.190 (G1/0/1). The switch is connected to a separate LAN using no switchport on int G1/0/1. However, all nodes on the VLANs cannot ping either the LAN (195.153.117.x) or the internet, but the switch can. I'm guessing it's a config issue but can't seem to find where the error is. I need internet access for the VLANs. Please help.
Config output is listed below (truncated)

Switch#sh run
Building configuration...

Current configuration : 4993 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password xxxx
!
no aaa new-model
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
no switchport
ip address 195.153.117.190 255.255.255.0
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet2/0/1
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/12
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/13
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet2/0/24
switchport access vlan 5
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
!
router eigrp 1
network 192.168.0.0
network 195.153.117.0
auto-summary
!
ip default-gateway 195.153.117.5
ip classless
ip route 0.0.0.0 0.0.0.0 195.153.117.5
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password xxxx
login
line vty 5 15
login
!
end

Comments

  • Kelkin Posts: 261 Member
    Can you ping 195.153.117.190 from the other vlans?

    Also what is 195.153.117.5 ?
  • oj_amira Posts: 8 Member
    I can ping 195.153.117.190 from the other VLANs but not the default gateway 195.153.117.5 (Firewall). The switch can however ping this address and can access the internet.
    Route config is...

    Switch#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route

    Gateway of last resort is 195.153.117.5 to network 0.0.0.0

    C 195.153.117.0/24 is directly connected, GigabitEthernet1/0/1
    C 192.168.3.0/24 is directly connected, Vlan3
    C 192.168.2.0/24 is directly connected, Vlan2
    C 192.168.4.0/24 is directly connected, Vlan4
    S* 0.0.0.0/0 [1/0] via 195.153.117.5
    Switch#
  • networker050184 Posts: 11,962 Mod
    Does the device your switch is plugged into (I'm guessing it's your internet router?) know about the subnets you have off of your switch? If not, you may want to run a routing protocol between them.
    An expert is a man who has made all the mistakes which can be made.
  • oj_amira Posts: 8 Member
    The route to my subnets has been entered into the firewall but still no joy. However, something interesting: when I ping with the DNS name, e.g. mustang, from a VLAN, the node correctly resolves the IP addresses of the machines 195.153.117.51, x.x.x.17, x.x.x.220, and the addresses are not cached.
  • Kelkin Posts: 261 Member
    The issue could be on the firewall. I don't see anything wrong with the config on the switch.
  • oj_amira Posts: 8 Member
    I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.

    Is there a default access list or security measure on the switch that needs to be disabled, or did I get the config wrong somewhere?
  • gojericho0 Posts: 1,060 Member
    OK, just want to be sure I'm clear: this switch has two boxes connected to it.

    1 - Firewall (used for routing to the internet as well)?
    1 - Router to another LAN?

    Does the 195.153.117.190 router have routes for the 192.168.0.0/16 networks?
  • gojericho0 Posts: 1,060 Member
    oj_amira wrote:
    I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.

    Is there a default access list or security measure on the switch that needs to be disabled, or did I get the config wrong somewhere?

    Do your end machines have firewalls enabled that block ICMP requests?
    Is there an IPS that may be blocking them somewhere?
  • oj_amira Posts: 8 Member
    LAN (195.153.117.0 - DG x.x.x.5)
                ||
    3750(195.153.117.190 - G1/0/1)
      ||          ||         ||
    VLAN2       VLAN3      VLAN4
    
    The switch is connected to the LAN with default gateway as x.x.x.5 and DNS as x.x.x.2.

    The nodes on the VLANs are connected to the switch and can ping other VLANs as well as the switch IP address x.x.x.190, but cannot ping any other address on the LAN, including the DG x.x.x.5 (note: the DGs, being firewalls, are configured to ignore ICMP requests anyway).
  • gojericho0 Posts: 1,060 Member
    Can you post the LAN router's config as well? I don't think the problem is with your switch.
  • oj_amira Posts: 8 Member
    Unfortunately I can't get access to the LAN routers, as this is meant to be tried out before deployment.
  • gojericho0 Posts: 1,060 Member
    If you can ping the VLAN host from the LAN router, it is routing correctly. I just wasn't sure if there was an ACL in the router that blocked ping requests from the 192 network.
  • oj_amira Posts: 8 Member
    that blocks anything
  • gojericho0 Posts: 1,060 Member
    I thought you said it doesn't get blocked?
    oj_amira wrote:
    I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.
  • nullrouter Posts: 52 Member
    I think you have a return path issue. What do you have as the destination for your VLAN subnets on your firewall/internet router: the VLAN SVIs or the L3 interface of your switch?

    See if you can establish a routing protocol between your switch and the firewall/internet router.

    What sort of firewall are we talking about here?
    CCIE R&S All Done :D

    Web Blog of sorts:
    http://blog.nullrouter.com
  • oj_amira Posts: 8 Member
    I believe it is a return path issue as you suggested. Pinging a machine on the LAN running a packet capture app, from the VLAN, shows the ICMP requests and replies being generated on the LAN machine. This suggests that the requests actually get to the LAN but can't find their way back to the VLAN.

    I will have to liaise with the NetAdmin to resolve the issue, as it does not look like a switch config issue anymore. Cheers.
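To make the return-path diagnosis above concrete, here is an added example (not code from anyone in the thread) that simulates longest-prefix-match forwarding for an echo request from a VLAN host to a LAN host and for the reply coming back through the firewall. The switch table is taken from the `sh ip route` output posted earlier; the two firewall tables, the LAN host's default gateway behaviour and the hop labels are constructed assumptions.

```python
import ipaddress

# Switch FIB as posted in the thread (192.168.5.0/24 is absent there too).
SWITCH_ROUTES = [
    ("195.153.117.0/24", "connected:Gi1/0/1"),
    ("192.168.2.0/24", "connected:Vlan2"),
    ("192.168.3.0/24", "connected:Vlan3"),
    ("192.168.4.0/24", "connected:Vlan4"),
    ("0.0.0.0/0", "195.153.117.5"),
]
# Constructed firewall tables: the LAN host hands every off-subnet reply to its
# default gateway 195.153.117.5, so the firewall's table decides the return path.
FIREWALL_WITHOUT_RETURN = [
    ("195.153.117.0/24", "connected:inside"),
    ("0.0.0.0/0", "upstream"),
]
FIREWALL_WITH_RETURN = FIREWALL_WITHOUT_RETURN + [
    ("192.168.0.0/16", "195.153.117.190"),  # static route back via the 3750's L3 port
]
SWITCH_L3_ADDR = "195.153.117.190"


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop), or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def echo_round_trip(firewall_table, vlan_host, lan_host):
    """Trace request and reply hop by hop; return (request_path, reply_path, delivered)."""
    # Forward: VLAN host -> its SVI on the switch -> directly connected LAN port -> LAN host.
    request = [vlan_host, "switch", lookup(SWITCH_ROUTES, lan_host)[1], lan_host]
    # Reverse: LAN host -> firewall (its default gateway) -> wherever the firewall's FIB says.
    reply = [lan_host, "firewall"]
    next_hop = lookup(firewall_table, vlan_host)[1]
    reply.append(next_hop)
    if next_hop != SWITCH_L3_ADDR:
        return request, reply, False  # reply leaves via the default route and is lost
    reply += ["switch", lookup(SWITCH_ROUTES, vlan_host)[1], vlan_host]
    return request, reply, True


if __name__ == "__main__":
    for name, table in (("no return route", FIREWALL_WITHOUT_RETURN),
                        ("return route", FIREWALL_WITH_RETURN)):
        req, rep, ok = echo_round_trip(table, "192.168.3.3", "195.153.117.51")
        print(f"{name}: reply {'delivered' if ok else 'LOST'} via {' -> '.join(rep)}")
```

The thread's `router eigrp 1` uses a classful `network 192.168.0.0` statement, which only covers 192.168.0.0/24 and so would not advertise the VLAN SVIs even to an EIGRP-speaking neighbour; a static route on the firewall pointing 192.168.0.0/16 at 195.153.117.190, as modelled above, is what gives replies a way back.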
  • dtlokee Posts: 2,381 Member
    Are there NAT rules on the firewall for the source VLANs?
    The only easy day was yesterday!
  • mjobay Posts: 1 Member
    I'm sure you are connected to the firewall on the inside interface. Otherwise, all pings will be blocked until you allow them on the firewall.
    If you ping the inside interface, it should work. To ping the internet, the firewall will allow you if you are connected to the inside interface, unless there's an ACL blocking the ping.