Internet Access from 2 Mutually Exclusive VLANs

jbrunsting
Level 1

I would like any help I can get with this one. I have a network split into 2 VLANs. VLAN 1 has full rights to everything, can get out to the internet, etc. No problem. VLAN 2 is not supposed to have any access to VLAN 1 other than the bare minimum that it needs. So I've put some access lists in place to do that. Again, no problem. But here's the kicker: for some reason, VLAN 2 can't reach the internet! If I take down the ip access-group on the subinterfaces, the two VLANs can communicate back and forth no problem. However, even then, VLAN 2 can't reach the internet.

The network topology is this: I have a bunch of computers on VLAN 2, they're all connected to an HP ProCurve 2524 switch (yeah, I know, why not a Cisco one?!). That switch has the port connected to the root bridge (commander in HP terms) set to tag frames with a VLAN 2 header if they're coming from VLAN 2 or to leave them untagged if they're coming from VLAN 1. I have the same setup on the root bridge. The ports going to the VLAN 2 switch and the router are both set to tag VLAN 2 frames and to leave VLAN 1 untagged.

So, given all this information and the config from the router I've included below, does anyone here have ANY idea why I can't get VLAN 2 to talk to the internet? Thanks!!

Current configuration : 1989 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FV
!
boot-start-marker
boot-end-marker
!
enable secret xxx
enable password 7xxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
!
ip dhcp pool DHCPPool1
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.254.100
   netbios-name-server 192.168.254.100
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 no ip address
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 ip address 192.168.254.17 255.255.255.0
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0
 ip address 10.254.0.2 255.255.255.252
 no fair-queue
 service-module t1 remote-alarm-enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.0.1 permanent
no ip http server
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq domain
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq domain
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq netbios-ns
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq netbios-dgm
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip any any
snmp-server community prcomm RW
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xxx
 login
!
!
end
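As an added illustration (not code from the original post), the Python below models the posted access-list 100 as a first-match Cisco extended ACL with the implicit deny at the end, and runs constructed sample packets from a VLAN 2 host through it. It confirms what the poster observed: the ACL confines VLAN 2 to DNS/NetBIOS toward 192.168.254.100 and blocks the rest of VLAN 1, but it does not block traffic bound for public addresses or for the 10.254.0.1 next hop, so the internet problem lies on the routing/NAT path rather than in the ACL. The host address 192.168.1.50 and the public address 203.0.113.10 are constructed values.

```python
import ipaddress
# access-list 100 exactly as posted, embedded here so the check runs offline.
ACL_100 = """
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq domain
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq domain
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq netbios-ns
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 192.168.254.100 eq netbios-dgm
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip any any
"""
PORT_NAMES = {"domain": 53, "netbios-ns": 137, "netbios-dgm": 138}

def _parse_addr(tokens):
    # One address spec: 'any', 'host A', or 'A WILDCARD'; returns (network, remaining tokens).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst or (rport is not None and rport != dport):
            continue
        return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    print(evaluate(rules, "tcp", "192.168.1.50", "203.0.113.10", 80))   # permit
    print(evaluate(rules, "tcp", "192.168.1.50", "192.168.254.17", 22))  # deny
```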

5 Replies

Roberto Salazar
Level 8

Without the ip access-group 100 in under the sub-int fa0.2, does it work? The Internet is public, but looking at the config there is no NAT; but again, fa0.1 does not have any NAT either and it works, so try removing the access-group 100 in from that interface and see if that works. If it does, then we know it is something to do with the access-list.

Please rate helpful posts.

Unfortunately, I already tried that and no, it still doesn't work. VLAN 1 has a DHCP and DNS server in it, so it doesn't need NAT, as it's being handled from the server side.

I've been doing some reading, however, and I've seen mention of needing the PLUS version of the IOS. The router I have is a 1721 running the image "c1700-ipbase-mz.123-6c.bin".

Does anyone think this could be the problem? Or does this only apply to switches?

IP Plus was required to do dot1q encapsulation on sub-interfaces in old IOS. I checked the software features and there is IEEE 802.1Q VLAN Support in the IP Base feature set, which is what you are running. After all, if it were not supported you would not be able to configure the "encap dot1q x" at all. From the host in vlan 2, are you able to ping its default gateway, which should be the ip address on fa0.2? If yes, can you ping the ip address of fa0.1, to see if the router is able to switch packets between interfaces? Then finally, are hosts in vlan 2 able to ping the gateway of last resort, which I think according to your configuration should be 10.254.0.1? These are methodical steps to find where the failure is happening.

Well, without the access list enabled, I can ping machines in 192.168.254.x no problem and get a response. It actually works both ways. And yes, I can ping the address of fa0.1. However, I don't know about the gateway of last resort. I'll have to give that one a try. Unfortunately, I'm outside my maintenance window now and won't be able to try that until Friday. So help me out here: assuming I can NOT ping that gateway of last resort, what could the trouble be?

IP traffic is two-way; it could mean that the router used as last resort does not have a route back to vlan 2's network. If you can ping it and everyone else in the internal network and the only things you cannot ping are the ip addresses in the Internet, then I would check again on how vlan 1 is able to get to the Internet and who is doing the translation for it. Vlan 2 will require the same thing, as the ip addresses for vlan 2 are part of the private ip address range.