Inter-VLAN routing with internet access.
Hi Guys,
I have a 3750 catalyst switch with 4 VLANs, I have configured intervlan routing btw the VLANs and can ping end nodes a well as the ip address 195.153.117.190 (G1/0/1). The switch is connected to a seperate LAN using no switchport on int G1/0/1. However, all nodes on the VLANs cannot ping either the LAN (195.153.117.x) or the internet but the switch can. I'm guessing its a config issue but can seem to get where the error is. I need internet access for the VLANs. Pls help
Config output is listed below (truncated)
Switch#sh run
Building configuration...
Current configuration : 4993 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password xxxx
!
no aaa new-model
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
no switchport
ip address 195.153.117.190 255.255.255.0
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet2/0/1
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/12
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/13
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet2/0/24
switchport access vlan 5
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
!
router eigrp 1
network 192.168.0.0
network 195.153.117.0
auto-summary
!
ip default-gateway 195.153.117.5
ip classless
ip route 0.0.0.0 0.0.0.0 195.153.117.5
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password xxxx
login
line vty 5 15
login
!
end
I have a 3750 catalyst switch with 4 VLANs, I have configured intervlan routing btw the VLANs and can ping end nodes a well as the ip address 195.153.117.190 (G1/0/1). The switch is connected to a seperate LAN using no switchport on int G1/0/1. However, all nodes on the VLANs cannot ping either the LAN (195.153.117.x) or the internet but the switch can. I'm guessing its a config issue but can seem to get where the error is. I need internet access for the VLANs. Pls help
Config output is listed below (truncated)
Switch#sh run
Building configuration...
Current configuration : 4993 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password xxxx
!
no aaa new-model
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750g-24t
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
no switchport
ip address 195.153.117.190 255.255.255.0
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet2/0/1
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/12
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet2/0/13
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet2/0/24
switchport access vlan 5
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
!
router eigrp 1
network 192.168.0.0
network 195.153.117.0
auto-summary
!
ip default-gateway 195.153.117.5
ip classless
ip route 0.0.0.0 0.0.0.0 195.153.117.5
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password xxxx
login
line vty 5 15
login
!
end
Comments
-
Kelkin
Member Posts: 261 ■■■□□□□□□□
Can you ping 195.153.117.190 from the other vlans?
Also what is 195.153.117.5 ? -
oj_amira
Member Posts: 8 ■□□□□□□□□□
I can ping 195.153.117.190 from the other VLANs but not the default gateway 195.153.117.5 (Firewall). The switch can however ping this address and can access the internet.
Route config is...
Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 195.153.117.5 to network 0.0.0.0
C 195.153.117.0/24 is directly connected, GigabitEthernet1/0/1
C 192.168.3.0/24 is directly connected, Vlan3
C 192.168.2.0/24 is directly connected, Vlan2
C 192.168.4.0/24 is directly connected, Vlan4
S* 0.0.0.0/0 [1/0] via 195.153.117.5
Switch# -
networker050184
Mod Posts: 11,962 Mod
Does the device your switch is plugged into (I'm guessing its your internet router?)know about the subnets you have off of your switch? If not, you may want to run a routing protocol between them.An expert is a man who has made all the mistakes which can be made. -
oj_amira
Member Posts: 8 ■□□□□□□□□□
the route to my subnets has been entered into the firewall but still no joy. However, something interesting, when I ping with the dns name e.g. mustang from a VLAN, the node correctly resolved the IP addresses of the machines 195.153.117.51, x.x.x.17, x.x.x.220 and the addresses are not cached.
-
Kelkin
Member Posts: 261 ■■■□□□□□□□
The issue could be on the firewall.. I dont see anything wrong with the config on the switch.
-
oj_amira
Member Posts: 8 ■□□□□□□□□□
I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.
Is there a default access list or security measure on the switch that needs to be disabled or did I get get the config wrong somewhere? -
gojericho0
Member Posts: 1,059 ■■■□□□□□□□
Ok, just want to sure i'm clear, this switch has two boxes connected to it.
1 - Firewall (used for routing to internet as well)?
1 - Router to another LAN?
Does the 195.153.117.190 router have routes for the 192.168.0.0\16 networks? -
gojericho0
Member Posts: 1,059 ■■■□□□□□□□
oj_amira wrote:I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.
Is there a default access list or security measure on the switch that needs to be disabled or did I get get the config wrong somewhere?
Do your end machines have firewalls enabled to block ICMP request?
Is there an IPS that may be blocking them somewhere? -
oj_amira
Member Posts: 8 ■□□□□□□□□□
LAN (195.153.117.0 - DG x.x.x.5) || 3750(195.153.117.190 - G1/0/1) || || || VLAN2 VLAN3 VLAN4The switch is connected to the LAN with default gateway as x.x.x.5 and DNS as x.x.x.2.
The nodes on the VLAN are connected to the switch and can ping other VLANs as well as the switch IP address x.x.x.190 but cannot ping anyother address on the LAN including the DG x.x.x.5 (Note: the DG being firewalls are configured to ignore ICMP requests anyway) -
gojericho0
Member Posts: 1,059 ■■■□□□□□□□
Can you post the LAN routers config up as well? I don't think the problem is with your switch
-
oj_amira
Member Posts: 8 ■□□□□□□□□□
unfortunately I can't get access to the LAN routers as this is meant to be tried out before deployment
-
gojericho0
Member Posts: 1,059 ■■■□□□□□□□
If you can ping the VLAN host from the LAN router it is routing correctly. I just wasn't sure if there as an ACL in the router that blocked ping requests from the 192 network
-
gojericho0
Member Posts: 1,059 ■■■□□□□□□□
I thought you said it doesn't get blocked?oj_amira wrote:I tried pinging from the LAN 195.153.117.x to the end node on the VLAN 192.168.3.3 and I got an ICMP echo reply.
-
nullrouter
Member Posts: 52 ■■□□□□□□□□
I think you have a return path issue - what do you have as the destination for your vlan subnets on your firewall/internet router - The VLAN SVIs or the L3 interface of your switch?
See if you can establish a routing protocol between your switch and the firewall/internet router.
What sort of firewall are we talking about here? -
oj_amira
Member Posts: 8 ■□□□□□□□□□
I believe it is a return path issue as you suggested. Pinging a machine on the LAN running a packet capture app, from the VLAN, shows the ICMP requests and reply being generated on the LAN machine. This suggests that the request actually get to the LAN but can't find their way back to the VLAN.
I will have to liaise with the NetAdmin to resolve the issue as it does not look like a Switch config issue anymore. Cheers -
dtlokee
Member Posts: 2,378 ■■■■□□□□□□
Are there NAT rules on the firewall for the source VLANs?The only easy day was yesterday! -
mjobay
Member Posts: 1 ■□□□□□□□□□
I'm Sure you are connected to the firewall on the inside interface. Otherwise, all pings will be blocked until you allow it on the Firewall.
If you ping the inside interface, it should work. To ping the internet, the firewall will allow you if you are connected to the inside interface unless there's an ACL blocking the ping.
