VLANs and routing trouble

By mcooper ·
I set up some new VLANs to improve security on my gigantic flat network. We have rental offices on site on the same network as our servers! Not good. I've decided to use 192.168 networks (10 total) in .25 increments (192.168.25.X, 192.168.50.X, etc.). I was in the testing phase working with ACLs when I discovered some computers not being able to access computers on different subnets even though they can access others on that subnet. Example: I can successfully ping from 192.168.175.130 to 192.168.25.21. I cannot ping from 192.168.175.130 to 192.168.25.38. I can ping 192.168.25.38 from anything on the 192.168.25.X network. I have a Cisco 2800 router and turned off the ACLs; the problem still persists. I thought maybe it was the no proxy-arp command that was causing the intermittent issues, but I turned on proxy-arp and that did not fix it either.
FYI: All subnets do have internet access - All subnets are physically connected to 1 interface with sub-interfaces in use (fa0/0.25, etc.) - the IP addresses I'm having trouble with are not accessible from any of the new subnets (.14, .15, .16, .18, .28, .38 to name a few) but other close numbers are (.7, .10, .21, .37, etc.). These nodes are all connected to the same switch.
I'm stuck on this one; has anyone had similar issues with a Cisco 2800 series router?

19 total posts (Page 2 of 2)

All Answers


Route table

by mcooper In reply to each subnet should have i ...

Here is the routing table from my router.

gw#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.25.2 to network 0.0.0.0

C 192.168.75.0/24 is directly connected, FastEthernet0/0.75
C 192.168.225.0/24 is directly connected, FastEthernet0/0.225
C 192.168.150.0/24 is directly connected, FastEthernet0/0.150
C 192.168.25.0/24 is directly connected, FastEthernet0/0.25
C 192.168.125.0/24 is directly connected, FastEthernet0/0.125
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, FastEthernet0/0.13
C 172.16.2.0 is directly connected, GigabitEthernet0/0/0.12
C 192.168.200.0/24 is directly connected, FastEthernet0/0.200
C 192.168.250.0/24 is directly connected, FastEthernet0/0.250
C 192.168.175.0/24 is directly connected, FastEthernet0/0.175
10.0.0.0/22 is subnetted, 1 subnets
S 10.1.0.0 is directly connected, GigabitEthernet0/0/0.12
C 192.168.50.0/24 is directly connected, FastEthernet0/0.50
C 192.168.100.0/24 is directly connected, FastEthernet0/0.100
S* 0.0.0.0/0 [1/0] via 192.168.25.2
gw#
gw#


Debug

by NetMan1958 In reply to Route table

Your route table looks fine. Run this debug to see if the router is routing properly:

First, create an extended access list; example:
"access-list 101 permit ip host 192.168.175.130 host 192.168.25.38"
"access-list 101 permit ip host 192.168.25.38 host 192.168.175.130"

Then:
"term mon"
"debug ip packet 101"

Then go to 192.168.175.130 and try to ping 192.168.25.38. Then examine the debug output to see how the router handled the packets.


debugging

by mcooper In reply to Debug

I followed the steps you indicated and did not see any traffic going through the router. I tried pinging and tracert from both sources. Just to make sure I was doing it right, I tried another access-list I created earlier to see if I got any output, and I did.
Here is what I input:
conf t
access-list 198 permit ip host 192.168.175.130 host 192.168.25.47
access-list 198 permit ip host 192.168.25.47 host 192.168.175.130
exit
term mon
debug ip packet 198

When that didn't work, I tried debug ip packet 101 (ACL created for traffic filtering for incoming on the .75 network). It showed a bunch of traffic.


Correction

by NetMan1958 In reply to debugging

Try replacing "ip" in the access list with "icmp" and see if that makes a difference since you are pinging. For example:
access-list 198 permit icmp host 192.168.175.130 host 192.168.25.47
access-list 198 permit icmp host 192.168.25.47 host 192.168.175.130


humm ....

by CG IT In reply to Route table

Since the router knows the networks, and you have IP routing enabled? along with a routing protocol like RIP/EIGRP/OSPF? and you're using the right encapsulation... the router should route frames between VLANs.

when you ping do you get a destination unreachable? or ???

since you can ping one way but not another, sounds like the router doesn't know the route back.


Routing protocols

by mcooper In reply to humm ....

I do not have any routing protocols enabled. I only have static routes configured on the router.

The pings failed with "request timed out".

I was not able to ping one way. I must have not been 100% clear in my posts. I could ping from 192.168.175.130 to most nodes on the 192.168.25.X network, but not all. I was able to ping from most hosts on the 192.168.25.X network to the 192.168.175.130 host.
The nodes I could not ping were not computers; all were other pieces of equipment that did not have ping/tracert functionality. I suppose they must be filtering traffic somehow, that's going to throw a kink in the network design plans.

Thanks for the help with this issue! I think I understand why they are not working; now if I can figure out how to fix it...


Issue is put to rest

by mcooper In reply to VLANs and routing trouble

Thanks to everyone for replying to my problem so quickly! I really appreciate it!

The problem was not in the routing or design; it is in the devices themselves (actually it was a PICNIC error, but blaming the devices is easier).
NetMan1958 told me to disable the firewalls on both devices and try again. I should have already thought of that since that always caught me years ago in my CCNA courses. Anyway, I found that all the devices have something in common: they are all not computers - they are copiers, WAPs, NAS, etc. If I plug a laptop into their switch port and configure it to have the other device's IP address, I can successfully ping. I did not expect this to be the issue and I really did not think copiers would have a firewall (and on that note, I did not see anything like that in the configuration of the copier).
Thanks again for all the help everyone.


another point to make

by mcooper In reply to Issue is put to rest

Many of the devices I was trying to ping had the wrong default gateway.
A while ago, we added an internal router to allow for the VLANs and I forgot to update some of the configurations of some of the static assignments.
Thanks again to all who assisted me with this issue :)
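Added example (not from the thread or any poster): a small checker that parses the kind of `show ip route` output quoted earlier, does the longest-prefix lookup the router performs for a destination, and audits a constructed list of static IP assignments for the mis-set default gateways that turned out to be the root cause. The router sub-interface address 192.168.25.1 and the host/gateway pairs are assumptions for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the 'show ip route' output quoted earlier in the thread.
SHOW_IP_ROUTE = """\
C 192.168.25.0/24 is directly connected, FastEthernet0/0.25
C 192.168.175.0/24 is directly connected, FastEthernet0/0.175
10.0.0.0/22 is subnetted, 1 subnets
S 10.1.0.0 is directly connected, GigabitEthernet0/0/0.12
S* 0.0.0.0/0 [1/0] via 192.168.25.2
"""
SUBNETTED_RE = re.compile(r"^\d+(?:\.\d+){3}/(?P<mask>\d+) is subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+(?:\.\d+){3}(?:/\d+)?)\s+(?:\[[^\]]*\]\s+)?"
    r"(?:is directly connected, (?P<iface>\S+)|via (?P<nexthop>\S+))")

def parse_routes(text):
    """Return [(network, egress)]; egress is an interface name or 'via <next hop>'."""
    routes, mask = [], None
    for line in (l.strip() for l in text.splitlines()):
        sub = SUBNETTED_RE.match(line)
        if sub:  # the parent line carries the mask for the child routes that follow
            mask = sub["mask"]
            continue
        m = ROUTE_RE.match(line)
        if m:
            prefix = m["prefix"] if "/" in m["prefix"] else f"{m['prefix']}/{mask}"
            routes.append((ipaddress.ip_network(prefix), m["iface"] or f"via {m['nexthop']}"))
    return routes

def lookup(routes, ip):
    """Longest-prefix match: the egress the router picks for ip, or None if no route."""
    hits = [r for r in routes if ipaddress.ip_address(ip) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check_gateways(routes, assignments, expected=None):
    """Flag hosts whose gateway is off their subnet or not that VLAN's router address."""
    bad = []
    for host, gw in assignments:
        net = next((n for n, _ in routes if n.prefixlen and ipaddress.ip_address(host) in n), None)
        ok = net is not None and ipaddress.ip_address(gw) in net
        if ok and expected and net in expected:
            ok = gw == expected[net]
        if not ok:
            bad.append(host)
    return bad

# Constructed static assignments; 192.168.25.1 is an assumed router sub-interface address.
ASSIGNMENTS = [("192.168.25.21", "192.168.25.1"), ("192.168.25.38", "192.168.50.1"),
               ("192.168.25.14", "192.168.25.254")]
EXPECTED = {ipaddress.ip_network("192.168.25.0/24"): "192.168.25.1"}
```

Running `check_gateways(parse_routes(SHOW_IP_ROUTE), ASSIGNMENTS, EXPECTED)` flags .38 (gateway on another subnet) and .14 (in-subnet but not the router's address), which is the class of misconfiguration the thread ends on.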


you should be able to ping hosts whether it's copiers

by CG IT In reply to Issue is put to rest

computers, access points and whatnot. The network card should respond to ARP and ping (ICMP) requests. The wrong default gateway would account for no return messages....

Glad you got it worked out.....
