VLANs and routing trouble

By mcooper
I set up some new VLANs to improve security on my gigantic flat network. We have rental offices on site on the same network as our servers! Not good. I've decided to use 192.168 networks (10 total) in .25 increments (192.168.25.X, 192.168.50.X, etc.). I was in the testing phase working with ACLs when I discovered some computers not being able to access computers on different subnets, even though they can access others on that subnet. For example, I can successfully ping from 192.168.175.130 to 192.168.25.21. I cannot ping from 192.168.175.130 to 192.168.25.38. I can ping 192.168.25.38 from anything on the 192.168.25.X network. I have a Cisco 2800 router and turned off the ACLs; the problem still persists. I thought maybe it was the no proxy-arp command that was causing the intermittent issues, but I turned on proxy-arp and that did not fix it either.
FYI: All subnets do have internet access. All subnets are physically connected to one interface, with sub-interfaces in use (fa0/0.25, etc.). The IP addresses I'm having trouble with are not accessible from any of the new subnets (.14, .15, .16, .18, .28, .38 to name a few), but other close numbers are (.7, .10, .21, .37, etc.). These nodes are all connected to the same switch.
I'm stuck on this one. Has anyone had similar issues with a Cisco 2800 series router?


All Answers

Try this test

by NetMan1958 In reply to VLANs and routing trouble

If you go to the computer at 192.168.175.130 and run a traceroute to 192.168.25.38, is the first hop IP Address the same IP that is assigned to the subinterface on the router that is assigned to the VLAN for 192.168.175.130?

tracert

by mcooper In reply to Try this test

Yes.
If I run tracert as you specified, it shows me 192.168.175.5 (the router's IP for that subnet/VLAN), then * * *.
If I run tracert for 192.168.25.37, I get the router's IP 192.168.175.5 and then success to 192.168.25.37. I'm wondering if a simple reboot is needed. I'm going to do that now; I'll see if that fixes it.

reboot did not do it

by mcooper In reply to tracert

Nothing changed after the reboot, so it must be something in my configuration. I'm going to go home and think some more on this one...

Also

by NetMan1958 In reply to reboot did not do it

You need to try that traceroute in reverse; that is, traceroute from 192.168.25.38 to 192.168.175.130 and make sure the first hop is correct. If that test passes, post your router config and we'll take a look.

Oh, also, before you go too far in this, try disabling the firewall on the affected computer, if it is enabled. Sometimes the Windows firewall will allow same-subnet traffic but not traffic from a different subnet.

I should have tried that already - Win Firewall was my downfall in CCNA

by mcooper In reply to Also

Here's an interesting thing, and maybe the answer to my question: I noticed that all the devices I was trying to access/ping were not computers. Some were wireless access points, some printers/copiers, and one a NAS. I swapped one of the access points' ports with a laptop, gave it the access point's IP address (.38), and I was able to ping it from the .175.130 IP address. I tried another one too, the .47, and was also successful.
Now for the $100 question: why do all of the access points (all the same model and bought at the same time) with the same configuration accept pings/remote admin, and one of them does not? What would keep the printers from responding to pings? I know this is probably not a question for this forum.

Thanks for all the help! Once you said to turn off the firewall, it got me thinking about the devices on the other end. I suppose I'm going to have to rethink my design to ensure all appropriate groups can get to the printers/NAS/etc.

Some things to check

by NetMan1958 In reply to I should have tried that ...

Some printers/copiers, while they don't exactly have firewalls, do allow you to specify the IP addresses/subnets that can access them. Also, for security, sometimes those devices are configured without a default gateway.

You MUST think more binary!

by TobiF In reply to VLANs and routing trouble

The subnet mask tells each host (computer) on an IP network what addresses should be directly available.
Although we're used to representing these addresses as 4 numbers divided by dots, the IP address is, in fact, a binary number consisting of 32 binary digits.

The subnet mask must begin with only binary "ones" and must finish with only binary "zeroes". Most convenient is to split the subnet part of the address at 8, 16 or 24 digits. In the usual notation, this gives us typical masks like 255.255.255.0, etc.

Also, in any subnet, two addresses are reserved for special use, namely "all zeroes" and "all ones".

The smallest possible subnet will have an address space of 2 bits, i.e. 4 addresses, out of which 2 addresses are reserved. So this network can cater only for a connection between two hosts.

If you want to have space for 25 addresses in each subnet, then a subnet with 16 addresses (4 bits) is too small, but a subnet of 32 addresses (5 bits) could work.

This will give you the following structure:
192.168.x.0 -- 31
192.168.x.32 -- 63
192.168.x.64 -- 95
192.168.x.96 -- 127
192.168.x.128 -- 159
192.168.x.160 -- 191
192.168.x.192 -- 223
192.168.x.224 -- 255

And remember that you can't use the first and the last address in each subnet.

Oh, and the subnet mask shall be 255.255.255.224
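As an added example that is not part of any post in this thread, the Python script below works through the subnet arithmetic TobiF describes (network/broadcast exclusion, the 32-address blocks, the usable range of a /27 and of the smallest /30) and models the failure mode NetMan1958 raised earlier: a device with no default gateway answers on-link pings but has no route for the reply to another VLAN, so the router and its ACLs are never the problem. The device list and the gateway address 192.168.25.5 are constructed assumptions (the thread only shows 192.168.175.5 as the router address on the .175 sub-interface).

```python
import ipaddress


def network_of(ip, mask):
    """Network that an interface address/mask belongs to (e.g. 192.168.25.0/24)."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def on_link(src_ip, dst_ip, mask):
    """True when dst is inside src's subnet: the host ARPs for it directly
    and never consults its default gateway."""
    return ipaddress.ip_address(dst_ip) in network_of(src_ip, mask)


def usable_range(cidr):
    """First and last usable host addresses of a subnet plus their count;
    the all-zeroes (network) and all-ones (broadcast) addresses are excluded."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def split_into_27s(third_octet):
    """The 32-address layout described above, as (first, last) last-octet pairs."""
    base = ipaddress.ip_network(f"192.168.{third_octet}.0/24")
    return [
        (int(n.network_address) & 0xFF, int(n.broadcast_address) & 0xFF)
        for n in base.subnets(new_prefix=27)
    ]


def will_reply(host_ip, mask, gateway, peer_ip):
    """Model of the reply path on a simple IP host.

    The router delivers an echo request from another VLAN to this host no
    matter how the host is configured; the question is whether the host can
    send the reply back. On-link peers are answered via ARP; off-link peers
    need a default gateway (or, on devices that restrict management access
    by subnet, a matching allow-list entry, which this model folds into
    the gateway check).
    """
    if on_link(host_ip, peer_ip, mask):
        return True
    return gateway is not None


def simulate_pings(devices, src_ip):
    """Which devices answer a ping that originates at src_ip."""
    return {name: will_reply(ip, mask, gw, src_ip)
            for name, (ip, mask, gw) in devices.items()}


# Constructed sample, not the thread's real configuration: three hosts on
# 192.168.25.0/24. The gateway 192.168.25.5 is an assumption; the access
# point and printer are assumed to have no default gateway configured.
DEVICES = {
    "pc-21":      ("192.168.25.21", "255.255.255.0", "192.168.25.5"),
    "ap-38":      ("192.168.25.38", "255.255.255.0", None),
    "printer-14": ("192.168.25.14", "255.255.255.0", None),
}

if __name__ == "__main__":
    # Same symptom as the thread: .21 answers from .175.130, .38 and .14 do not,
    # yet every device answers from a peer on its own /24.
    print("from 192.168.175.130:", simulate_pings(DEVICES, "192.168.175.130"))
    print("from 192.168.25.37:  ", simulate_pings(DEVICES, "192.168.25.37"))
    print("/27 blocks in 192.168.25.0/24:", split_into_27s(25))
    print("usable in 192.168.25.32/27:", usable_range("192.168.25.32/27"))
    print("usable in a /30:", usable_range("10.0.0.0/30"))
```

The `will_reply` model is deliberately host-side only: it is what a traceroute that reaches the router and then shows `* * *` looks like from the target's point of view, and it is the check to run (device's mask, gateway, and any management allow-list) before touching router ACLs.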

binary

by mcooper In reply to You MUST think more binar ...

Thank you for the refresher course on subnetting. I took the CCNA courses, but that was a few years ago. I do not think my LAN design is incorrect. I use PAT to translate anything sent from my router to one outside IP address.
My LAN design is:
192.168.25.X 255.255.255.0
192.168.50.X 255.255.255.0
192.168.75.X 255.255.255.0
192.168.100.X 255.255.255.0
192.168.125.X 255.255.255.0
192.168.150.X 255.255.255.0
192.168.175.X 255.255.255.0
192.168.200.X 255.255.255.0
192.168.225.X 255.255.255.0
192.168.250.X 255.255.255.0
172.16.1.X 255.255.255.0
172.16.2.X 255.255.255.0
Also, I believe you can use the first subnet if you use the ip subnet-zero command.

Let me know if you see a flaw in my design, I appreciate your help:)

My mistake

by TobiF In reply to binary

I read your initial post too quickly, and thought you were incrementing the last group.

All looks fine, which has also now been proven, as things started working.

Each subnet should have its own subinterface for router on a stick

by CG IT In reply to VLANs and routing trouble

What does your route table look like?

The router has to know how to handle the frames...
