07-20-2005 06:54 AM - edited 03-02-2019 11:27 PM
I have a Catalyst 4006 with 4232 L3 blade and Supervisor Engine 2. We are using CatOS for the supervisor and IOS for the L3 portion. We have created a VLAN that will connect to another agency network; they have a subnet mask 255.255.255.240. My network VLAN uses subnet mask 255.255.255.0. I can ping the outside network's VLAN I created on our device, but cannot ping devices on that network. Any suggestions as to how to get across that VLAN from my network are greatly appreciated. My VLAN info for outside agency: IP 162.140.10.x/255.255.255.0.
Thanks,
Mike
07-20-2005 07:07 AM
If we knew more about the topology (what is connected where) and about their subnet and your subnet then we could give better answers.
But I will give a bit of an answer based on what we know so far. I am assuming that there is a layer 3 device somewhere that is connected to your network and also connected to their network. (If that is not true, if there is some other subnet separating your network from their network then a little of my answer might change.)
Part of what is required for IP connectivity is that you must have a route to their subnet to be able to send requests to them. And it is required that they have a route back to your network for responses to be sent. If you can ping their VLAN then it demonstrates that you do have a route to your subnet. If you can not ping devices within their subnet then it suggests that either they do not have a route back to your subnet (or perhaps it suggests that there is an issue with the configuration of their default gateway).
Can you verify that you do have a route to their subnet? And can you find out whether they have a route back to your subnet?
HTH
Rick
07-20-2005 07:28 AM
The outside agency has a 1720 router directly connected to our L3 blade. The address of the 1720 is 162.143.16.225/255.255.255.240. I made VLAN 162 on my 4232 L3 blade (actually a port-channel1.162) with IP 162.143.16.227/255.255.255.0. My network is 10.10.26.x/255.255.255.0 on port-channel1.26. I have used both 255.255.255.0 and 255.255.255.240 subnet masks on my port-channel1.162. I can ping 162.143.16.227 from the L3 and L2 blades. I can ping the 1720 router only from the L3 blade in a console session. We have set up static routes 162.143.0.0 255.255.0.0 162.143.16.225 to send traffic to the 1720. I also have network 162.143.0.0 set in EIGRP along with network 10.0.0.0.
07-20-2005 08:25 AM
The information that you have provided does clarify some things and leaves some things still to be investigated.
As I commented, it is necessary that you have a route to their subnet and you have shown that you have a route to them. In fact the route to them is overly generous, but I do not think this is the problem. Based on their 1720 interface of 162.143.16.225 255.255.255.240 their subnet starts at 162.143.16.224 and goes through 162.143.16.239. Your static route includes the entire class B address space which is way more than they have. This might cause some other issues but it is not causing your present issue.
I believe that what you have told us confirms that they do not have routes back to your address space. Especially the fact that you can ping the 1720 from the console of the layer 3 blade but not from other addresses shows that they do not have routes back to you.
I believe that the issue can be resolved either by their configuring a static route to get from their 1720 to your address space or it can be resolved by running some dynamic routing protocol between your networks.
As a side note: their address space of 162.143.16.224 255.255.255.240 seems pretty small. Is that all of their address space or is it perhaps a subnet that they use to connect to you and the rest of their network is a different address space? If the rest of their network is a different address space then you will need routes to those addresses also.
HTH
Rick
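The return-route reasoning in the reply above, worked through as an added example that is not part of the original thread. It assumes the 1720 knows only its connected /28 (its configuration is not shown), that port-channel1.162 uses the 255.255.255.240 mask, and a constructed inside host 10.10.26.50.

```python
import ipaddress as ip

def lookup(table, addr):
    """Longest-prefix match: return the most specific (network, next_hop) or None."""
    addr = ip.ip_address(addr)
    hits = [(net, hop) for net, hop in table if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def ping_ok(src, dst, sender_table, responder_table):
    """An echo needs a forward route to dst AND a return route to src."""
    return (lookup(sender_table, dst) is not None
            and lookup(responder_table, src) is not None)

# Addresses and masks quoted in the thread.
AGENCY_NET = ip.ip_interface("162.143.16.225/255.255.255.240").network
STATIC_NET = ip.ip_network("162.143.0.0/255.255.0.0")
OUR_NET = ip.ip_network("10.10.26.0/255.255.255.0")

# L3 blade: two connected subnets plus the static route from the thread.
BLADE = [
    (OUR_NET, "connected"),
    (AGENCY_NET, "connected"),
    (STATIC_NET, "162.143.16.225"),
]
# Assumption: the 1720 config is not shown in the thread; model only its connected /28.
R1720 = [(AGENCY_NET, "connected")]
# Assumed fix: a static route on the 1720 back to 10.10.26.0/24 via the blade.
R1720_FIXED = R1720 + [(OUR_NET, "162.143.16.227")]

HOST = "10.10.26.50"  # constructed host address on the 10.10.26.x network

def report():
    return {
        "agency_range": (str(AGENCY_NET[0]), str(AGENCY_NET[-1])),
        "static_vs_agency_size": (STATIC_NET.num_addresses, AGENCY_NET.num_addresses),
        "blade_console": ping_ok("162.143.16.227", "162.143.16.225", BLADE, R1720),
        "inside_host": ping_ok(HOST, "162.143.16.225", BLADE, R1720),
        "inside_host_after_fix": ping_ok(HOST, "162.143.16.225", BLADE, R1720_FIXED),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The blade console ping succeeds because its source address sits inside the 1720's connected /28, while a source in 10.10.26.x has no return path until the 1720 learns one.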
07-20-2005 09:38 AM
I will ask if they can enter routes back to our network. The answer is yes to your final statement, they have allocated a specific number of IPs for our organization to access resources directly on their network. What we are trying to accomplish is to get access to other resources via their network that doesn't involve such tight security. It is a bit convoluted.
Thanks for the advice.