VLAN Routing between Interfaces
Please see attached Diagram. With my current setup, it doesn't seem like traffic is moving from FE8 to FE7 on Switch #2. Any suggestions?
My Desired Outcome:
Have Multiple VLANS on FE8 on Switch #2 talk with their respective VLANS on FE7
My current setup:
Switch #1:
FE1 - VLAN 1001 Untagged
FE2 - VLAN 1002 Untagged
FE3 - VLAN 1003 Untagged
FE8 - VLANs 1001 Tagged, 1002 Tagged, 1003 Tagged (Trunk to Wireless Bridge #1)
Wireless Bridge #1 & #2:
Straight Bridge, passes all VLANS (Tested)
Switch #2:
FE8 - VLANs 1001 Tagged, 1002 Tagged, 1003 Tagged (Trunk to Wireless Bridge #2)
FE7 - VLANs 1001 Tagged, 1002 Tagged, 1003 Tagged (Trunk to MultiPoint Antenna #1)
MultiPoint Antenna:
Transmits VLANs, with receivers set to only pickup their individual VLANS.
Hi Brian,
By the look of the description of the problem, you know vlans.
Make sure the switches are using the current firmware, 1.1.2.0
The easiest test to perform is to also put the following on switch two:
FE1 - VLAN 1001 Untagged
FE2 - VLAN 1002 Untagged
FE3 - VLAN 1003 Untagged
And plug a PC on FE1 of both switches, manually set the IP address to be in the same network and see if they can communicate via ping. This will prove if the wireless bridge propagates VLAN tag information.
But I'm guessing you have a misconfiguration of the VLAN tagging or old firmware.
You could verify the VLAN configuration by looking at the following, to see if the VLAN configuration is really there.
A screen shot / capture of the following page from both switches could help me.
But I left the switch ports in the default trunk mode.
This allows one untagged VLAN (the default VLAN) and multiple tagged VLANs to exist on each switch port... perfect.
I also use Wireshark to check out VLANs, but had to modify my PC to allow Wireshark to show me the VLAN tags in a trace.
Believe it or not, it wouldn't show me VLANs until I modified my Windows registry. You might be luckier. It was a Windows issue and not a Wireshark issue.
You have the option, if you wish, to mirror port 8 on switch 1 and 2 to check if VLAN-tagged packets, even ARP frames, are coming over to/from the wireless bridge.
To me it seems like you need to do a bit of 'foot work' to see if the VLANs are being propagated to wireless bridge #1, by mirroring port 8 of both switches and then trying to ping between devices on the same VLAN.
Confirm your switch firmware is version 1.1.2.0.
Check your VLAN configuration with a couple of screen captures.
You can mirror switch port 8 on both switches and use Wireshark to see if the VLAN frames are propagated between switches.
It seems like there are a lot of steps you could perform to validate whether the VLANs are being propagated.
Regards, Dave
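The mirror-port check Dave describes can be automated once the frames are exported from Wireshark or tcpdump. The following is an added example (not from the thread or any vendor tool) that parses raw Ethernet frames, walks 802.1Q/802.1ad tags, and reports which of the expected VLAN IDs (1001, 1002, 1003 in this thread) actually crossed the link; the sample frames are constructed inline, not captured.

```python
"""Inventory the 802.1Q VLAN IDs present in frames taken from a mirrored switch port.

Added example, not part of the original thread. Feed it raw Ethernet frames
(bytes) and it reports which expected VLANs were seen and which never appeared.
"""
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service (QinQ) outer tag
ETHERTYPE_ARP = 0x0806


def parse_frame(frame: bytes) -> dict:
    """Return MACs, the list of VLAN tags (outer first) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, tags = 14, []
    # Walk a stack of 802.1Q / 802.1ad tags; each tag is 4 bytes: TCI + next EtherType.
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def vlan_inventory(frames, expected_vids):
    """Count frames per outer VLAN ID and list expected VLANs that never showed up."""
    seen, untagged = Counter(), 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed["tags"]:
            seen[parsed["tags"][0]["vid"]] += 1  # outer tag is the trunk VLAN
        else:
            untagged += 1  # native / untagged VLAN traffic
    missing = sorted(set(expected_vids) - set(seen))
    return {"seen": dict(seen), "untagged": untagged, "missing": missing}


def build_frame(vid, ethertype=ETHERTYPE_ARP, payload=b"\x00" * 28, pcp=0):
    """Construct a single-tagged frame (test data, not a real capture)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return (b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
            + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload)


# Constructed sample: ARP on VLAN 1001 (x3) and 1002 (x1), nothing on 1003, one untagged.
SAMPLE_FRAMES = [
    build_frame(1001), build_frame(1001), build_frame(1001, pcp=3),
    build_frame(1002),
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]
# Constructed QinQ sample: outer S-tag 100, inner C-tag 1001, ARP payload.
QINQ_SAMPLE = (b"\xff" * 6 + b"\x00" * 6
               + struct.pack("!HHHHH", ETHERTYPE_8021AD, 100, ETHERTYPE_8021Q, 1001, ETHERTYPE_ARP)
               + b"\x00" * 28)

if __name__ == "__main__":
    print(vlan_inventory(SAMPLE_FRAMES, [1001, 1002, 1003]))
    # {'seen': {1001: 3, 1002: 1}, 'untagged': 1, 'missing': [1003]}
```

If a VLAN shows in the switch 1 mirror but not in the switch 2 mirror, the bridge (or its VLAN filter) is the place to look; if it is missing on both, the tagging on FE8 itself is wrong.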
Similar Messages
Cisco 9201 Routing between interfaces
Done. Thanks.
We are upgrading our internet gateway to a Cisco 9201 router. Two interfaces.
GE0/0 - 67.x.x.98 255.255.255.252
GE0/1 - 184.x.x.217 255.255.255.248
Next hop from GE0/0 is 67.x.x.97
I have a static route of 0.0.0.0 0.0.0.0 67.x.x.97
The problem is that I cannot get the two interfaces to route.
A ping from 184.x.x.220 to 67.x.x.97 fails. Traceroute fails.
I am having an off-week. Any help would be greatly appreciated.
VLAN Routing between 2 Routers
I have a deployment that has changed and they need a few more ports for routing. They have a Cisco router that is full (all ports used) but they need a few more. The have an ISA550 that the configurable ports are not being used. Can I configure those unused ports to route traffic for the VLAN on the main router? If so, I have tried several configs and can't get it to work (no data flow) in fact it locks up the ISA550 so I am either doing something wrong or this is not possible.
Could someone chime in and give me a hand. I need to have this done for tomorrow.
Thanks.
Hi John, I think it's best to use the right equipment for the job. If you've already got a router in place and you're not in a campus/metro/ISP environment, it's not really prudent to use another router. A simple layer 2 or layer 3 switch can accomplish this and give you plenty of ports at a much better price per port.
You may want to look into the SG300 series switch if you want something that can handle the routing load and give an ample number of ports.
Prevent routing between 2 logical networks without a VLAN
Background: We have some older hubs in our network. As such, we cannot implement a VLAN yet. We have a 10/100 ethernet network across our campus for our production users. We have multiple buildings on the campus and one physical network. We are installing Cisco 1100 WAPs to provide our guests with wireless internet access. Our DHCP server is configured to hand out 192.168.1.x addresses to our guests. Our DHCP server has 192.168.0.x reservations for our production machines.
Questions:
1) Would this ACL prevent traffic from routing between the 192.168.0.x and 192.168.1.x networks?
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
2) Does anyone have a better solution for preventing our guests from accessing our production machines? Once all the hubs are replaced with switches, we plan to implement a VLAN.
TIA,
Mark
Are you sure you want to protect your guest WLAN from your production network, and not the other way round? Your access-list states that the .0 network (production) is not allowed to access the .1 (WLAN) network. Then, I don't see in your config the activation of any of your access-lists. They are just defined without being applied to any of your interfaces. Plus, the permit at the end of the access-list is missing, because there is an implicit deny at the end of any access-list.
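The three points in the reply (direction, the ACL not being bound to an interface, and the implicit deny) can be checked with a small model of IOS extended-ACL matching. This is an added example, not from the thread or from Cisco; it implements first-match semantics with wildcard masks and the trailing implicit deny, and the `filter_inbound` helper and the interface name `Vlan1` are assumptions for illustration.

```python
"""Model of a Cisco IOS extended ACL: wildcard masks, first match wins, implicit deny.

Added example, not from the original thread. It evaluates the ACL exactly as
posted and a corrected version that blocks guest -> production and permits the rest.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    src: int       # IPv4 address as int
    src_wild: int  # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip <src> <dst>' where each side is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (the forms used on this page)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[3] != "ip":
        raise ValueError("only 'access-list N permit|deny ip ...' is supported")
    action, rest = tokens[2], tokens[4:]

    def take(r):
        if r[0] == "any":
            return 0, 0xFFFFFFFF, r[1:]
        if r[0] == "host":
            return _addr(r[1]), 0, r[2:]
        return _addr(r[0]), _addr(r[1]), r[2:]

    src, src_wild, rest = take(rest)
    dst, dst_wild, _ = take(rest)
    return Ace(action, src, src_wild, dst, dst_wild)


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching entry decides; no match falls to the implicit 'deny ip any any'."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for ace in acl:
        src_ok = (s | ace.src_wild) == (ace.src | ace.src_wild)
        dst_ok = (d | ace.dst_wild) == (ace.dst | ace.dst_wild)
        if src_ok and dst_ok:
            return ace.action
    return "deny"  # implicit deny at the end of every ACL


def filter_inbound(interface_acls: dict, ingress_iface: str, src_ip: str, dst_ip: str) -> str:
    """Model of 'ip access-group N in': an interface with no ACL bound passes everything."""
    acl = interface_acls.get(ingress_iface)
    return "permit" if acl is None else evaluate(acl, src_ip, dst_ip)


# The ACL exactly as posted in the question.
POSTED = [parse_ace("access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255")]

# Guest (.1.x) -> production (.0.x) denied, everything else permitted explicitly.
CORRECTED = [
    parse_ace("access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"),
    parse_ace("access-list 105 permit ip any any"),
]

if __name__ == "__main__":
    # Posted ACL: guests are blocked from production only by the implicit deny,
    # which also cuts guests off from the internet.
    print(evaluate(POSTED, "192.168.1.50", "192.168.0.20"))  # deny
    print(evaluate(POSTED, "192.168.1.50", "203.0.113.9"))   # deny
    print(evaluate(CORRECTED, "192.168.1.50", "192.168.0.20"))  # deny
    print(evaluate(CORRECTED, "192.168.1.50", "203.0.113.9"))   # permit
    # Defined but never applied: nothing is filtered at all.
    print(filter_inbound({}, "Vlan1", "192.168.1.50", "192.168.0.20"))  # permit
```

Because the ACL is stateless, denying guest -> production on the guest-facing interface also drops replies to any session a production host opens toward a guest, which is usually the intended behaviour but worth knowing before deploying.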
VLAN's on 3524 VLAN enable issue (I don't want to route between them)
I have segmented a 3524 switch into three different VLANs. One is the management VLAN 1 and the other two are for my Test Lab and Production network. I don't want either VLAN to see the other (router between them). My problem is my VLAN10 and VLAN12 will not come out of a shutdown state. They stay administratively down even after I issue the no shut command from within the VLAN interface. What am I doing wrong here?
My guess is that you created 3 SVIs instead of creating the layer 2 VLANs that you need. Do a "show vlan": do all 3 of your VLANs show up? If you created 3 different layer 3 SVIs (conf t, interface vlan 10 and/or 12), then the switch will only enable 1, because this is strictly used to manage the switch. To create your VLANs, I believe on this switch you need to use the VLAN database. At the switch prompt type "vlan database" and hit enter. Then type "vlan 10", hit enter, then type "vlan 12" and hit enter. This activates the layer 2 VLANs. Exit out to the command line and do a "show vlan" and see if all 3 show up now. Apply the VLANs to the ports as needed. These should now show up when you do a "show vlan". I think you are getting confused between the layer 3 SVIs and the layer 2 VLANs.
SG300: How to set up routing between VLANs?
I have recently purchased a Cisco SG300-10. I need it to perform routing between two VLANs on the switch. Seems like this should be quick and easy to do from the built-in GUI. When I configure it according to the documentation, it does not route between the VLANs.
I have set the system mode to L3 (for level 3 switching).
I have followed the instructions on pages 26 through 33 of the attached PDF (which I obtained from the Cisco site). I used the same ports on the switch and the same IP addresses as shown in the document.
Everything works until I attempt the step "ping 10.1.1.10" on page 33. This is the step to verify the level 3 switching between the 2 PCs (on separate VLANs).
The switch Firmware Version (Active Image): 1.3.5.58
I have attached the running configuration from the switch. It is the file named "running-config.txt".
The 2 PCs that I am using are running Windows 7 and Windows 8.
Hi jkst,
There is a very minimal requirement to obtain layer 3 inter-VLAN routing:
1 - Two VLANs in layer 3 mode, each assigned an IP address
config t
vlan database
vlan 2
int vlan 1
ip address 192.168.1.1 /24
int vlan 2
ip address 192.168.2.1 /24
2 - Active link state on each VLAN - Define a port for the second vlan then connect an IP device to that port and another device to another port since the rest of the ports will default to vlan 1
config t
int gi2
switchport mode access
switchport access vlan 2
3 - Assign your device #1 that connects to any port an ip address on the same subnet as vlan 1
Computer in vlan 1 IP info:
192.168.1.100
255.255.255.0
192.168.1.1
Computer in vlan 2 IP info:
192.168.2.100
255.255.255.0
192.168.2.1
Assuming these devices respond to ping and do not have external wireless communication, this will provide basic IP connectivity through the switch across vlans.
-Tom
Please mark answered for helpful posts
Problem of routing between inside and outside on ASA5505
I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
WAE#ping 10.10.10.250
PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
--- 10.10.10.250 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
WAE#sh arp
Protocol Address Flags Hardware Addr Type Interface
Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.26.18.1 to network 0.0.0.0
C 172.26.18.0 255.255.255.0 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 10.10.10.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
All other ports are in vlan 1 by default.
I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces to be configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside).
port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
If I can't ping from the inside interface to the outside interface on the ASA, how can I verify inside hosts can get to outside addresses and vice versa? I looked at the ASA docs, but didn't find out how to set up the routing between inside and outside. They are both connected interfaces; should they route between each other already?
Thanks a lot
Cisco ASA 5505 Routing between internal networks
Hi,
I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like to. The goal is to set up four networks and control access between those with ACLs:
1. Outside
2. DMZ
3. ServerNet1
4. Inside
The ASA version is 9.1 and I have been reading about two different ways of handling IP routing with this: NAT exempt, or not configuring NAT at all and letting normal IP routing handle the internal networks. No matter how I configure it, with or without NAT, I cannot get access from the inside network to the DMZ or from ServerNet1 to the DMZ. The strange thing is that I can access services from the DMZ to Inside and ServerNet1 if the access list allows it. For instance the DNS server is on the Inside network and the DMZ works great using it.
Here is the running conf:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Hi Jouni,
Yep, Finnish would be good also =)
In front of the ASA is a DSL modem; on the trunk ports is a Hyper-V host that uses the trunk ports so that every VM has its VLAN ID defined at the VM level. Everything is working well on that end. Also there is a WLAN Access Point on one of the ASA ports; on the WLAN AP there is the management portal address on the DMZ that I have been testing against (192.168.3.4).
If I configure dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on the DMZ, but that's not the right way to do it, so no shortcuts =)
Here is the conf now, still doesn't work:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
object-group network DEFAULT-PAT-SOURCE
description Default PAT source networks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Vlan routing with Linksys sge2000
Hi, I have a Linksys SGE2000 with two VLANs; one has interface 192.168.50.10/18 and the second has 192.168.30.10/24. I need to get communication between these networks, because a few computers must access the other network. That's why I ask you for some help, because until now I couldn't find out if it's possible on this switch. Thank you in advance.
Daniel
It is not possible for those 2 VLANs to communicate with each other unless you hook up a router to those 2 VLANs. The device is not capable of inter-VLAN routing on its own, so you will need to use a layer 3 device.
OTV vlans routing on the 1 device and switching on the other
Hi, there seem to be OTV issues where the odd VLANs on agg1 are showing as routing and the even VLANs are using the OTV, and on AGG2 vice versa.
My presumption was that using OTV, all VLANs configured for access would use OTV instead of routing.
agg1# show ip route 10.128.105.133
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
10.128.105.128/25, ubest/mbest: 1/0
*via 192.168.28.50, Po5, [19/51456], 4d00h, eigrp-128, external
via 10.101.0.25, [200/51712], 4d00h, bgp-65149, internal, tag 65149
agg1# show ip route 10.128.106.133
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
10.128.106.128/25, ubest/mbest: 1/0, attached
*via 10.128.106.130, Vlan806, [0/0], 4d02h, direct
via 10.101.0.25, [200/51712], 3d20h, bgp-65149, internal, tag 65149
agg2 show ip route 10.128.106.133
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
10.128.106.128/25, ubest/mbest: 1/0
*via 192.168.28.49, Po5, [19/51456], 4d00h, eigrp-128, external
via 10.101.0.25, [200/51712], 3d20h, bgp-65149, internal, tag 65149
agg2# show ip route 10.128.105.133
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
10.128.105.128/25, ubest/mbest: 1/0, attached
*via 10.128.105.132, Vlan805, [0/0], 4d00h, direct
via 10.101.0.25, [200/51712], 4d00h, bgp-65149, internal, tag 65149
show otv adjacency
Overlay Adjacency database
Overlay-Interface Overlay1 :
Hostname System-ID Dest Addr Up Time State
MCC-N7K2-OTV 04c5.a4ea.8b42 192.168.26.54 4d12h UP
04c5.a4ea.93c2 192.168.28.42 4d09h UP
LDC-N7K2-OTV 04c5.a4ea.6042 192.168.28.46 1d22h UP
Do the OTV devices need to be physically connected to each other?
It seems that VLANs at layer 2 do not span across the AGG switches.
You did not configure PBR on the CSS, since it does not have this function.
You simply configured static routing.
As so, the CSS will route between the vlans.
If you want a firewall to protect every vlan from the other ones, you should have a one-armed design where the firewall does the routing between the vlans and the CSS is doing the loadbalancing.
ie:
........vlan1
..........|
.vlan2 ---FW----- CSS
..........|
........Vlan2
You'll need to do client nat on the css or implement some form of PBR on the firewall.
PBR means routing based on another factor than the destination IP address. In this case, it is necessary to route based on the source port.
That might be too complex, so an easier choice would be
..vlan1(ext).....vlan2(ext)
....|...............|
....+-------FW------+
.............|
..........+-CSS-+
..........|.....|
........vlan3 vlan4
there is no protection between internal vlan but you don't need policy routing or client nat.
Gilles.
I'm interested in best practice design for the following:
lan1 --- switch1 --(g1/0/28)-- GigaMAN Link --(g1/0/28)-- switch2 --- lan2
lan1 and lan2 are different subnets. I would like to know the best way to configure the ports/VLANs/etc. so that traffic can be routed between them. Both switch1 and switch2 support routing.
Treat sw1 and sw2 just like routers. Make the link between them an L3 interface and then you can use routing to get lan 1 talking to lan 2. For example:
sw1:
conf t
ip routing
interface g 1/0/1
 switchport
 ! access port to a PC in lan 1
interface g 1/0/28
 no switchport
 ip address 10.1.1.1 255.255.255.252
interface vlan 1
 ip address 1.1.1.1 255.255.255.0
ip route 2.1.1.0 255.255.255.0 10.1.1.2
sw2:
conf t
ip routing
interface g 1/0/1
 switchport
 ! access port to a PC in lan 2
interface g 1/0/28
 no switchport
 ip address 10.1.1.2 255.255.255.252
interface vlan 1
 ip address 2.1.1.1 255.255.255.0
ip route 1.1.1.0 255.255.255.0 10.1.1.1
Two quick VLAN routing questions
Let's say I have an L3 switch routing 4 VLANs:
VLAN 1 is 192.168.10.0/24, the switch's virtual interface is 192.168.10.254 inside this vlan
VLAN 2 is 192.168.20.0/24, the switch's virtual interface is 192.168.20.254 inside this vlan
VLAN 3 is 192.168.30.0/24, the switch's virtual interface is 192.168.30.254 inside this vlan
VLAN 4 is 192.168.40.0/24, the switch's virtual interface is 192.168.40.254 inside this vlan
there is only one router going out from this switch to the net, and lets say it is in VLAN 1 and it's address is 192.168.10.1
First question: inside the L3 switch I will need to add a default route of 0.0.0.0 0.0.0.0 192.168.10.1 so that all traffic not corresponding to a 192.168.x.x address knows where to get out to the net, correct?
Secondly, when configuring that router, is there a difference if I use the following static route:
192.168.20.0 255.255.255.0 192.168.10.254
instead of
192.168.20.0 255.255.255.0 192.168.20.254
Either way, the packet gets to the L3 switch, but in one case it gets there via the VLAN interface inside VLAN 1, and in the other case it gets there via the VLAN interface inside the VLAN for which the traffic is destined anyway. What I'm trying to figure out is: will this make any difference at all, especially in terms of broadcast packets?
If it makes no difference, then is it safe to say that the following static route would be optimal?
192.168.0.0 255.255.0.0 192.168.10.254
Re "firstly": Correct. The L3 switch will route traffic according to its routing table. By default it knows all IP subnets to which it is directly connected, i.e., all the VLAN subnets. Whether you have to add a default route manually or not depends on the exact implementation. It may well be that the L3 switch will use any default gateway for routing which you set in the IP settings of the switch itself (if there is an option in the web interface to set a default gateway). If you cannot define a default gateway on the L3 switch you probably have to add a static route manually. The easiest way should be to check the current routing table and see if there is a default gateway or not.
Re "secondly": A router can only forward packets to the next-hop router. The next-hop router must be connected to that router. The route "192.168.20.0 255.255.255.0 192.168.10.254" is correct for a router with IP address 192.168.10.1 and subnet mask 255.255.255.0, as 192.168.10.254 is connected to the router. "192.168.20.0 255.255.255.0 192.168.20.254" is not correct. The router cannot learn the path to a specific subnet 192.168.20.0/255.255.255.0 by using a gateway in that subnet. It is not correct to use that kind of route and you should not use it even if it might work (because the router does a plain ARP request to find the MAC address of 192.168.20.254 and your L3 switch will respond to the ARP request even if it is on the interface of 192.168.10.254). The very moment there is another router between the 10 and 20 subnets it would not work anymore...
Re your conclusion: I would recommend keeping four static routes for the existing subnets on the L3 switch instead of putting everything into a larger single subnet which includes a lot of addresses which are not connected there. Technically it works if you only use working IP addresses. But you will see some loops if you send something to 192.168.55.50 or similar. The gateway router will send it to the L3 switch, which will send it back to the gateway. They should figure out it's a loop, but still I would not recommend this kind of setup... Add routes for each of the L3 switch subnets... -
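The two points in the answer above (a static route's next hop must be directly connected, and a /16 summary route ping-pongs packets for unused addresses between the gateway router and the L3 switch) can be checked mechanically. This is an added example, not code from the thread; it models the topology from the question with constructed device tables and a placeholder upstream address.

```python
import ipaddress

# Added model of the topology in the thread above (not from the original posts):
# a gateway router at 192.168.10.1 in VLAN 1 and an L3 switch with one SVI per
# VLAN. 203.0.113.1 is a placeholder for the router's upstream (internet) hop.
IP, NET = ipaddress.ip_address, ipaddress.ip_network
UPSTREAM = IP("203.0.113.1")
VLAN_NETS = [NET(f"192.168.{n}.0/24") for n in (10, 20, 30, 40)]

def build(router_statics):
    """Two devices; the router also has a default route out to the upstream hop."""
    return {
        "router": {"addrs": {IP("192.168.10.1")}, "connected": [VLAN_NETS[0]],
                   "routes": router_statics + [(NET("0.0.0.0/0"), UPSTREAM)]},
        "switch": {"addrs": {IP(f"192.168.{n}.254") for n in (10, 20, 30, 40)},
                   "connected": VLAN_NETS,
                   "routes": [(NET("0.0.0.0/0"), IP("192.168.10.1"))]},  # the 'firstly' default route
    }

def next_hop_is_connected(next_hop, connected):
    """A static route is usable only if its next hop lies in a subnet the device is attached to."""
    return any(IP(next_hop) in n for n in connected)

def lookup(dev, dest):
    """Longest-prefix match: 'connected', a next-hop address, or None when no route matches."""
    if any(dest in n for n in dev["connected"]):
        return "connected"
    matches = [(p, nh) for p, nh in dev["routes"] if dest in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(devices, start, dest):
    """Follow a packet hop by hop; returns (path of device names, looped?)."""
    dest, path, cur = IP(dest), [start], start
    while True:
        nh = lookup(devices[cur], dest)
        if nh == "connected" or nh is None:
            return path, False                      # delivered locally or dropped
        owner = next((n for n, d in devices.items() if nh in d["addrs"]), None)
        if owner is None:
            return path + ["upstream"], False       # left the modelled network
        if owner in path:
            return path + [owner], True             # back where it was: a routing loop
        path.append(owner)
        cur = owner

# The summary route proposed in the question versus one route per real VLAN subnet.
SUMMARY = [(NET("192.168.0.0/16"), IP("192.168.10.254"))]
PER_VLAN = [(n, IP("192.168.10.254")) for n in VLAN_NETS[1:]]
```

`trace(build(SUMMARY), "router", "192.168.55.50")` reports the loop the answer describes, while the same destination with `PER_VLAN` falls through to the router's default route and leaves the network.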
I am connecting a 4503 to a 2950. I have native Vlan 1 between them on the trunk. On that vlan 1 the subnet is 172.16.138.0. The default gateway on the 2950 is 172.16.138.1. There are devices attached to the 2950 that are all subnet 172.16.98.0. I need to be able to get those devices to talk to the 4503. The only vlan I had on the 2950 is vlan 1. I made another vlan on the 2950 but when I try to no sh it I get kicked out of the switch. Any ideas?
The 2950 is a L2 switch and can only have a single vlan interface for management. When you're creating a new vlan, it's kicking you out because the 4500 doesn't have the vlan configured to support the new vlan that you're creating. That being said, you should be able to do the following to route your other subnet:
If the 4500 vlan 1 subnet is 172.16.138.0/24, and you're wanting to create 172.16.98.0/24, you'll need to do it on the 4500.
4500: (Assuming you want to create vlan 10)
vlan 10
int vlan 10
ip address 172.16.98.1 255.255.255.0
Then you'll need to trunk the port that leads to the 2950 - assume that's fa0/1
int fa0/1
switchport trunk encaps dot1q
switchport mode trunk
Then on the 2950, you'll need to keep your vlan 1 interface:
int vlan 1
ip address 172.16.138.2 255.255.255.0
ip default-gateway 172.16.138.1 <-- this is to get to the management vlan interface above from another subnet
Then create your vlan that matches on the 4500 (vlan 10)
vlan 10
Trunk the port that leads to the 4500 (assuming f0/1)
int fa0/1
switchport trunk encaps dot1q
switchport mode trunk
Then the ports that you want on vlan 10, you'll put in the vlan:
int range fa0/2-48
switchport mode access
switchport access vlan 10
Your hosts will use 172.16.98.1 as a default gateway, but that traffic will be routed at the 4500 series switch. The 2950 cannot do the routing for you, but it can carry the vlan information that you need.
HTH,
John
*** Please rate all useful posts *** -
Inter VLAN Routing for IEC 61850
Hello,
Hoping someone can help me with this query. I'm in the process of configuring two CGS2520 switches located in two electrical substations. Each of these switches has Protection Relays and Remote Terminal Units (RTUs) connected to them. These devices communicate with each other as follows:
IEC 61850 GOOSE: http://en.wikipedia.org/wiki/Generic_Substation_Events
IEC 61850 MMS: http://en.wikipedia.org/wiki/IEC_61850
- Protection Relay to Protection Relay communication within either substation (Using IEC 61850 GOOSE - VLAN 11 and VLAN 21)
- Protection Relay to Protection Relay communication between substations (Using IEC 61850 GOOSE - VLAN 50)
- RTU to Protection Relay (Using IEC 61850 MMS - VLAN 10 and VLAN 20)
I've attached an image (hope that clears things up). Basically the GOOSE traffic is VLAN tagged and the MMS traffic is untagged.
I need to be able to route between VLAN 10 and VLAN 20 between the substations and I want to allow VLAN 50 between the substations. How do I go about configuring this?
So far I've configured the interfaces as follows:
Switch A2:
Fa0/5 and Fa0/7 (Protection Relay Ports)
port type nni
switchport trunk native vlan 10
switchport trunk allowed vlan 11, 50
switchport mode trunk
Fa0/3 (RTU Port)
port type nni
switchport access vlan 10
Switch B1
Fa0/4 and Fa0/5 (Protection Relay Ports)
port type nni
switchport trunk native vlan 20
switchport trunk allowed vlan 21, 50
switchport mode trunk
Fa0/3 (RTU Port)
port type nni
switchport access vlan 20
Locally at each substation this seems to work (I can ping the Protection Relays from the RTU port and the Protection Relays send each other GOOSE messages). However, I don't know how to configure the inter-VLAN routing (I want to be able to ping a Protection Relay at Substation B from the RTU port at Substation A) and how to configure the switch interfaces that connect to each other?
Any help is much appreciated.
Thanks
Darsh
Hello DarshanaD,
Could you fix this? I'm asking because I have the same problem right now.
I'd appreciate it if you can tell me how you configured the inter-VLAN routing.
Thanks
Ali -
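Both the 4503/2950 answer (VLAN 10 had to exist on both ends of the trunk) and the substation configs above come down to whether the two ends of a trunk agree on native VLAN and on which VLANs are actually carried. The following is an added audit, not code from either thread; it parses only the few IOS-style switchport lines used in these posts and runs on constructed copies of the 4500/2950 configs.

```python
import re

# Added audit, not from the thread: parses only the IOS-style switchport lines
# used in the posts above (a deliberately small parser, not a general IOS one).
IF_RE = re.compile(r"^int(?:erface)?\s+(?:range\s+)?(\S+)$")
VLAN_RE = re.compile(r"^(?:int(?:erface)?\s+)?vlan\s*(\d+)$")   # 'vlan 10' or 'int vlan 10'

def parse_ios(text):
    """Return {'vlans': ids defined on the switch, 'ifaces': {name: port settings}}."""
    vlans, ifaces, cur = {1}, {}, None            # VLAN 1 always exists
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := VLAN_RE.match(line):
            vlans.add(int(m.group(1))); cur = None  # VLAN/SVI block: leave port context
        elif m := IF_RE.match(line):
            cur = ifaces.setdefault(m.group(1), {"mode": "access", "native": 1, "allowed": None})
        elif cur is None:
            continue
        elif m := re.match(r"^switchport mode (trunk|access)$", line):
            cur["mode"] = m.group(1)
        elif m := re.match(r"^switchport trunk native vlan (\d+)$", line):
            cur["native"] = int(m.group(1))
        elif m := re.match(r"^switchport trunk allowed vlan ([\d,\s]+)$", line):
            cur["allowed"] = {int(v) for v in m.group(1).replace(" ", "").split(",")}
    return {"vlans": vlans, "ifaces": ifaces}

def carried(sw, ifname):
    """VLANs a trunk really carries: the allowed list (default: all) limited to VLANs the switch defines."""
    allowed = sw["ifaces"][ifname]["allowed"]
    return (sw["vlans"] if allowed is None else allowed) & sw["vlans"]

def audit_trunk(sw_a, if_a, sw_b, if_b):
    """Findings for one trunk link; an empty list means both ends agree."""
    a, b, out = sw_a["ifaces"][if_a], sw_b["ifaces"][if_b], []
    for name, port in ((if_a, a), (if_b, b)):
        if port["mode"] != "trunk":
            out.append(f"{name} is not in trunk mode")
    if a["native"] != b["native"]:            # untagged frames would land in different VLANs
        out.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    ca, cb = carried(sw_a, if_a), carried(sw_b, if_b)
    for v in sorted(ca ^ cb):
        out.append(f"VLAN {v} carried on only one end ({'A' if v in ca else 'B'})")
    return out

# Constructed samples after the 4500/2950 answer above; CAT4500_BEFORE is the poster's
# starting point, where VLAN 10 exists on the 2950 but not yet on the 4500.
CAT4500 = "vlan 10\nint vlan 10\n ip address 172.16.98.1 255.255.255.0\nint fa0/1\n switchport mode trunk\n"
CAT2950 = "int vlan 1\nvlan 10\nint fa0/1\n switchport mode trunk\nint range fa0/2-48\n switchport access vlan 10\n"
CAT4500_BEFORE = "int fa0/1\n switchport mode trunk\n"
```

Run against the Switch A2 / Switch B1 relay-port settings from the substation post (native 10 vs 20, allowed 11,50 vs 21,50), the same audit reports the native VLAN mismatch and that only VLAN 50 is common to both ends.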
Inter-VLAN routing, Auto-Voice VLAN and IP Address-Helper
Hope that somebody can help me with the setup in the screenshot.
Planning to use Auto-Voice VLAN and Smartports to configure VOIP
LLDP-MED will be enabled on the switch to detect the IP phones so they will be moved to the Voice VLAN (if not, the first 6 signs will be added to the OID table). The Voice VLAN ID will be 2 >> Voice VLAN will be automatically enabled once a device is recognized as an IP phone, right?
Workstations will be connected to the Cisco switch, VLAN data will be untagged and will remain on the native VLAN.
Smartports will be used to configure the ports (macros) >> Should configure the ports as trunks and assign the correct VLANs, right?
But how do I configure the IP Helper-Address? Do I have to create the Voice VLAN on both switches and then run the command "IP Helper Address" to specify a DHCP server? From what I've been reading it's required, when using Inter-VLAN routing, to configure the VLAN interface with an IP address. But isn't it going to give problems when both switches are connected to each other and both have the same VLAN configured, including the same IP address assigned to their VLAN interface?
Normal data should pass the ASA firewall; VOIP traffic should go through the Vigor modem to a hosted VOIP provider. The best way, I assume, is to configure 2 separate scopes on the DHCP server?
Still confused on how to set it up; hope that someone can point me in the right direction.
If you're sending voice to only the Vigor modem then there is no need for a trunk between the SF-300 and the Vigor modem. You can just set that to untagged for VLAN 2 between that switch and the Vigor modem.
On the 'edge' SF300 where the IP phone/PC is it is obviously going to interoute there and of course the phone port is tagged and PC port is untagged.
For the IP helper, it uses UDP-RELAY and it should be enabled on the port itself and enabled on the global configuration. You may also need option 82. Also keep in mind, depending how your DHCP server works, it may need option 82 configured as well or at least a route to understand the subnets in the layer 3 environment to get traffic across the VLANS.