Inter-VLAN routing with internet access.

oj_amira · June 2008

Hi Guys,
I have a 3750 catalyst switch with 4 VLANs, I have configured intervlan routing btw the VLANs and can ping end nodes a well as the ip address 195.153.117.190 (G1/0/1). The switch is connected to a seperate LAN using no switchport on int G1/0/1. However, all nodes on the VLANs cannot ping either the LAN (195.153.117.x) or the internet but the switch can. I'm guessing its a config issue but can seem to get where the error is. I need internet access for the VLANs. Pls help
Config output is listed below (truncated)

Switch#sh run
Building configuration...

Current configuration : 4993 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password xxxx
!
no aaa new-model
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
no switchport
ip address 195.153.117.190 255.255.255.0
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet2/0/1
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/12
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/13
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet2/0/24
switchport access vlan 5
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
!
router eigrp 1
network 192.168.0.0
network 195.153.117.0
auto-summary
!
ip default-gateway 195.153.117.5
ip classless
ip route 0.0.0.0 0.0.0.0 195.153.117.5
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password xxxx
login
line vty 5 15
login
!
end

Kelkin · June 2008

Can you ping 195.153.117.190 from the other vlans?

Also what is 195.153.117.5 ?

oj_amira · June 2008

I can ping 195.153.117.190 from the other VLANs but not the default gateway 195.153.117.5 (Firewall). The switch can however ping this address and can access the internet.
Route config is...

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 195.153.117.5 to network 0.0.0.0

C 195.153.117.0/24 is directly connected, GigabitEthernet1/0/1
C 192.168.3.0/24 is directly connected, Vlan3
C 192.168.2.0/24 is directly connected, Vlan2
C 192.168.4.0/24 is directly connected, Vlan4
S* 0.0.0.0/0 [1/0] via 195.153.117.5
Switch#

networker050184 · June 2008

Does the device your switch is plugged into (I'm guessing its your internet router?)know about the subnets you have off of your switch? If not, you may want to run a routing protocol between them.

oj_amira · June 2008

the route to my subnets has been entered into the firewall but still no joy. However, something interesting, when I ping with the dns name e.g. mustang from a VLAN, the node correctly resolved the IP addresses of the machines 195.153.117.51, x.x.x.17, x.x.x.220 and the addresses are not cached.

Kelkin · June 2008

The issue could be on the firewall.. I dont see anything wrong with the config on the switch.

oj_amira · June 2008

I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.

Is there a default access list or security measure on the switch that needs to be disabled or did I get get the config wrong somewhere?

gojericho0 · June 2008

Ok, just want to sure i'm clear, this switch has two boxes connected to it.

1 - Firewall (used for routing to internet as well)?
1 - Router to another LAN?

Does the 195.153.117.190 router have routes for the 192.168.0.0\16 networks?

gojericho0 · June 2008

oj_amira wrote:

I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.

Is there a default access list or security measure on the switch that needs to be disabled or did I get get the config wrong somewhere?

Do your end machines have firewalls enabled to block ICMP request?
Is there an IPS that may be blocking them somewhere?

oj_amira · June 2008

LAN (195.153.117.0 - DG x.x.x.5)
            ||
3750(195.153.117.190 - G1/0/1)
  ||          ||         ||
VLAN2       VLAN3      VLAN4

The switch is connected to the LAN with default gateway as x.x.x.5 and DNS as x.x.x.2.

The nodes on the VLAN are connected to the switch and can ping other VLANs as well as the switch IP address x.x.x.190 but cannot ping anyother address on the LAN including the DG x.x.x.5 (Note: the DG being firewalls are configured to ignore ICMP requests anyway)

gojericho0 · June 2008

Can you post the LAN routers config up as well? I don't think the problem is with your switch

oj_amira · June 2008

unfortunately I can't get access to the LAN routers as this is meant to be tried out before deployment

gojericho0 · June 2008

If you can ping the VLAN host from the LAN router it is routing correctly. I just wasn't sure if there as an ACL in the router that blocked ping requests from the 192 network

oj_amira · June 2008

that blocks anything

gojericho0 · June 2008

I thought you said it doesn't get blocked?

oj_amira wrote:

I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.

nullrouter · June 2008

I think you have a return path issue - what do you have as the destination for your vlan subnets on your firewall/internet router - The VLAN SVIs or the L3 interface of your switch?

See if you can establish a routing protocol between your switch and the firewall/internet router.

What sort of firewall are we talking about here?

oj_amira · June 2008

I believe it is a return path issue as you suggested. Pinging a machine on the LAN running a packet capture app, from the VLAN, shows the ICMP requests and reply being generated on the LAN machine. This suggests that the request actually get to the LAN but can't find their way back to the VLAN.

I will have to liaise with the NetAdmin to resolve the issue as it does not look like a Switch config issue anymore. Cheers

dtlokee · June 2008

Are there NAT rules on the firewall for the source VLANs?

mjobay · June 2008

I'm Sure you are connected to the firewall on the inside interface. Otherwise, all pings will be blocked until you allow it on the Firewall.
If you ping the inside interface, it should work. To ping the internet, the firewall will allow you if you are connected to the inside interface unless there's an ACL blocking the ping.

Inter-VLAN routing with internet access.

Comments