normanzhang
Beginner

Communicate between two VLANs

I've two VLANs on a C3550. One with 192.168.99.0/24 and the other with 192.168.11.0/26. How do I route traffic between the two VLANs?

Regards,

Norman

Accepted Solutions

The details of your topology are still very sketchy, at least for me. I do not believe you should just go ahead and make the servers part of both VLANs; the only way you can do that is to either have one NIC on the server per VLAN or to run trunking between the servers and the 3550. You mentioned there are servers with 192.168.22.1 as their default gateway and that they are dual homed. For such servers, unless their default gateway knows how to reach 192.168.99.0, they will not be able to talk to this subnet; you could add a persistent route to them, but that is an administrative overhead and should be avoided unless absolutely necessary.

It is hard at this point to suggest anything as I personally think there are more subtle details that need to be brought to light. A detailed topology map coupled with a detailed description of traffic flow requirements might help.

27 REPLIES 27
mark-obrien
Enthusiast

Norman,

Set up VLAN interfaces in the C3550. Be sure to use the actual VLAN numbers:

interface VLAN1
 ip address 192.168.99.x 255.255.255.0

interface VLAN2
 ip address 192.168.11.x 255.255.255.192

Have the hosts on each VLAN use the C3550's address on their VLAN as the default gateway, and the C3550 will route between the two VLANs.

Good Luck.

Mark

Hi Mark,

I have created the

VLAN ID   VLAN Name   VLAN Status
1         default     active
2         VLAN2       active

Interface Configuration

Interface Name   Routed   IP Address     Subnet Mask
Vlan1            x        192.168.99.1   255.255.255.0
Vlan2            x        192.168.11.4   255.255.255.192

Device Configuration

Default Gateway: 192.168.11.1

However, when I connect a PC to VLAN1 with 192.168.99.2/24 and gateway 192.168.99.1, and tried to ping 192.168.11.5 in VLAN2, I get no reply. Ping from C3550 is fine. Am I doing something very stupid?

Regards,

Norman

You need to turn on ip routing in global configuration mode by typing "ip routing". This is disabled by default.

Daniel

IP Routing is already enabled. And the Default Route Forwarding IP is 192.168.11.1. But I'm still not seeing the desired results. 8( What am I doing wrong?

Regards,

Norman

Use the interface address for the VLAN as the next hop address for the other VLAN with static routes.

Example:

VLAN 1 interface address: 192.168.11.1

VLAN 2 interface address: 192.168.99.1

Global config mode:

On VLAN 2:

ip route 192.168.11.0 255.255.255.0 192.168.99.1

On VLAN 1:

ip route 192.168.99.0 255.255.255.0 192.168.11.1

That should direct traffic between the two VLANs without using a dynamic protocol, and without using a default route ... which can cause routing loops later on if not done properly.

They are both directly connected, so they should route without the statics if routing is turned on.

Give the statics a shot and see what effect it has.

Also, post your routing table (sh ip route) so we can see what your routing process thinks it's s'posed to do with the traffic.

FWIW

Scott

Is the Default gateway of the hosts on VLAN 2 192.168.11.4, or 192.168.11.1? If the latter, make sure the router with IP address of 192.168.11.1 has a route pointing 192.168.99.0/24 to 192.168.11.4.

Mark

My default gateway for hosts in VLAN2 is 192.168.11.1. But on C3550 (VLAN1=192.168.99.1, VLAN2=192.168.11.4), I can ping 192.168.11.5 no problem. I did a tracert from 192.168.99.2, and I can't get past the switch. Below is my ip route.

Gateway of last resort is 192.168.11.1 to network 0.0.0.0

192.168.11.0/26 is subnetted, 1 subnets

C 192.168.11.0 is directly connected, Vlan2

C 192.168.99.0/24 is directly connected, Vlan1

S* 0.0.0.0/0 [1/0] via 192.168.11.1

I tried adding route

ip route 192.168.11.0 255.255.255.192 192.168.11.4

but I get %Invalid next hop address (it's this router). Could you please point me to the right direction?

Regards,

Norman

The C3550 does not need the route pointing 192.168.11.0 255.255.255.192 to 192.168.11.4. This is a connected route and the C3550 knows how to get there without a static pointing to itself. You have not given any information about the router with the IP address 192.168.11.1, but this router needs the static route "ip route 192.168.99.0 255.255.255.0 192.168.22.4" in order for the packets to get back to the C3550.

Hope this helps,

Mark

Thanks Mark. I did add the route on 192.168.11.1, but nothing changed. 192.168.11.1 is router for internet access.

internet

|

*--*

| | 192.168.11.1/26

*--*

| *--* 192.168.11.5/26

|---------------------| | gw: 192.168.11.1

| 192.168.11.4/26 *--*

*--*

| | gw: 192.168.11.1

*--*

| 192.168.99.1/24

|

|

*--* 192.168.99.2/24

| | gw: 192.168.99.1

*--*

ping 192.168.99.2 to 192.168.11.5 can't get past c3550.

< 1ms < 1ms < 1ms 192.168.99.2

* * * timeout

Do I need to change the gw on c3550?

Regards,

Norman

Sorry my drawing did not show up correctly in the forum. I have attached the drawing in the following text document.

Let's try to take it step by step.

1. Provide a show ip route from the internet router (192.168.11.1). What route did you exactly add in this router?

2. From 3550 can you ping 192.168.11.1 ?

3. From 192.168.99.2 can you ping 3550 (both 192.168.99.1 and 192.168.11.4) ?

4. From 192.168.99.2 can you ping 192.168.11.1?

5. Are there any access-lists configured on the 3550?

6. Is ip redirect turned on on the 192.168.11.1 interface ?

7. Provide configuration of the 3550 and internet router if possible.

8. The 192.168.11.5 workstations, does it have a firewall software on it?

If all the above mentioned connectivity related questions have a positive answer (I mean everything works), then try putting the command no ip redirect on the internet router (192.168.11.1) and see what happens.

Norman,

I'm sorry, I mis-typed the static route that the internet router will need. Instead of "ip route 192.168.99.0 255.255.255.0 192.168.22.4" in the internet router, that needs to be "ip route 192.168.99.0 255.255.255.0 192.168.11.4".

Here's what is happening. The ping packet from 192.168.99.2 to 192.168.11.5 goes from that host to the host's default gateway, 192.168.99.1. The C3550 has a connected route to 192.168.11.0/26, and sends the packet directly to that host. 192.168.11.5 sends its response, with destination address 192.168.99.2, towards its default gateway, 192.168.11.1, or the internet router. That router has no route to 192.168.99.2 (thanks to my previous mistake). If you put the static route in that I gave above, it should work.

HTH

Mark
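
The asymmetric return path described in the post above can be reproduced with a small longest-prefix-match model. This is an added example, not part of the original thread: the device names, the "connected" marker and the internet router's "ISP" default next hop are assumptions, since the thread never shows that router's table.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None when no route exists."""
    hits = [(n, hop) for n, hop in table if ipaddress.ip_address(dst) in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def build(static_on_router=False):
    """Devices from the thread; the router's "ISP" default hop is an assumed placeholder."""
    rtr = [(net("192.168.11.0/26"), "connected"), (net("0.0.0.0/0"), "ISP")]
    if static_on_router:
        # ip route 192.168.99.0 255.255.255.0 192.168.11.4
        rtr.append((net("192.168.99.0/24"), "192.168.11.4"))
    return {
        "pc-99.2": ({"192.168.99.2"}, [(net("192.168.99.0/24"), "connected"),
                                       (net("0.0.0.0/0"), "192.168.99.1")]),
        "c3550": ({"192.168.99.1", "192.168.11.4"},
                  [(net("192.168.11.0/26"), "connected"),
                   (net("192.168.99.0/24"), "connected"),
                   (net("0.0.0.0/0"), "192.168.11.1")]),
        "internet-rtr": ({"192.168.11.1"}, rtr),
        "pc-11.5": ({"192.168.11.5"}, [(net("192.168.11.0/26"), "connected"),
                                       (net("0.0.0.0/0"), "192.168.11.1")]),
    }

def trace(devices, src, dst, max_hops=8):
    """Return (devices visited, outcome) for a packet from src to dst."""
    owner = {ip: name for name, (ips, _) in devices.items() for ip in ips}
    here, path = owner[src], []
    for _ in range(max_hops):
        path.append(here)
        if dst in devices[here][0]:
            return path, "delivered"
        hop = lookup(devices[here][1], dst)
        target = dst if hop == "connected" else hop
        if target not in owner:
            return path, "lost: forwarded to " + str(target)
        here = owner[target]
    return path, "loop"

if __name__ == "__main__":
    for fixed in (False, True):
        d = build(fixed)
        print("static route on 192.168.11.1:", fixed)
        print("  echo :", trace(d, "192.168.99.2", "192.168.11.5"))
        print("  reply:", trace(d, "192.168.11.5", "192.168.99.2"))
```

The echo request never touches 192.168.11.1, but the reply always does, so any filtering on that router sees only one direction of the conversation.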

What I can't understand is why a ping from C3550 to 192.168.11.5 produces result? Is it because C3550 has an IP 192.168.11.4; thus, ignoring the forwarding to its default gateway 192.168.11.1? I thought the default gateway on C3550 is meant as default route for unknown network.

192.168.11.1 has firewall capabilities and will drop ICMP echo packets. I need a rule to allow ICMP packets besides the static route for 192.168.99.0/24. I was hoping the routing between 2 VLANs will be transparent to the 192.168.11.1 as I need to route NetBIOS, DNS, SMTP, Exchange packets between them.

I don't have access to C3550 and 192.168.11.1 now, but will report back when I try your suggestions on Monday. Thanks for your help and patience.

Regards,

Norman

The ping from 3550 to 192.168.11.5 is successful because it is a directly connected network for the 3550 and the 3550 does not need to send it to the default gateway as it already knows how to reach it.

The routing between the two VLANs would have been transparent to the 192.168.11.1 gateway provided all your hosts on both VLANs had their default gateway set to 3550 (on the appropriate VLAN interface of course). Since this is not the case we cannot overlook the 192.168.11.1 configuration.

Is 192.168.11.1 another Cisco router? If you are unsuccessful by Monday then go ahead and post your configurations for both 3550 and 192.168.11.1 and we will try to help you out.