Communicate between two VLANs

normanzhang
Level 1
Level 1

I've two VLANs on a C3550. One with 192.168.99.0/24 and the other with 192.168.11.0/26. How do I route traffic between the two VLANs?

Regards,

Norman


I added a route for 192.168.99.0/24 with gateway 192.168.11.4 to 192.168.11.1, but ping is still unsuccessful. I've attached routing tables for 192.168.11.1 and 192.168.11.5 with this post. Config for the 3550 and 192.168.99.2 will follow in a new mail, because of the size limit. Please tell me what I am doing wrong?

Regards,

Norman

Please find the config for C3550 and routing table for 192.168.99.2 in following attachments. TIA.

Regards,

Norman

On 192.168.11.1, I can ping 192.168.99.2 and 192.168.11.5 no problem. This is very strange; it seems the reply from 192.168.11.5 to 192.168.99.2 is routed to a black hole, despite my having a static route on 192.168.11.1 saying 192.168.99.0/24 should be routed through 192.168.11.4. Would someone please give me more hints?

Regards,

Norman

I think I know why the packet is being dropped. The echo request goes from the C3550 directly to 192.168.11.5, but the echo reply is routed through 192.168.11.1. 192.168.11.1 has firewall features; since it didn't see an echo request, it drops the echo reply. Is there a way I can fix the route?

Regards,

Norman

Have you verified in the logs of the firewall software that it is indeed causing issues?

There are three ways this can be fixed. One is to research more on the firewall workstation (192.168.11.1) and try to ensure it is not dropping packets.

Second is to add a static route in 192.168.11.5 for 192.168.99.0/24 pointing to 192.168.11.4.

Third is to change the default gateway on 192.168.11.5 to point to 192.168.11.4 instead of 192.168.11.1. In this particular case you might want to disable icmp redirects on the 3550 in case you run into intermittent connectivity issues.

The firewall log indeed shows echo reply being dropped. I'm going to try option 1 as you recommended, because 2 & 3 will require a lot of work as 192.168.11.5 is only a testing destination. My goal is to be able to route packets (DNS, NetBIOS, Exchange) between the 2 VLANs. In general do you think this is good design as I need to route the mentioned packets?

Regards,

Norman

Glad to hear that the source of your problem is finally found; I was suspecting it to be a software firewall issue, but more so from an IP redirect point of view.

There is another approach you can take to avoid having to change the default-gateway setting on all the hosts. You can isolate 192.168.11.5 in its own new VLAN (new subnet) and change the 3550 IP address to 192.168.11.5. Then you configure the 3550 with a default route pointing to the new IP address of the internet-connected workstation. Without knowing too much detail about your topology and exact requirements, I believe this sounds like a viable and implementable solution.

Sorry, I wasn't detailed enough with the topology setup. Users in 192.168.99.0/24 need to access other servers in 192.168.11.0/26, such as the Exchange server, DNS, Samba, Symantec AV, ..., etc. Those servers are set up to access the internet directly through 192.168.99.1. Some of these servers are also multi-homed, and their default gateway points to another interface, 192.168.22.1. Is it plausible for me to group them in a different VLAN as recommended by your previous post?

Regards,

Norman

On second thought can I make the servers as members of both VLAN1 (192.168.99.0/24) & VLAN2 (192.168.11.0/26) without breaking anything?

Regards,

Norman

The details of your topology are still very sketchy, at least for me. I do not believe you should just go ahead and make the servers part of both VLANs; the only way you can do that is to either have one NIC on the server per VLAN or to run trunking between the servers and the 3550. You mentioned there are servers with 192.168.22.1 as their default gateway and that they are dual-homed. For such servers, unless their default gateway knows how to reach 192.168.99.0, they will not be able to talk to this subnet; you could add a persistent route to them, but that is an administrative overhead and should be avoided unless absolutely necessary.

It is hard at this point to suggest anything as I personally think there are more subtle details that need to be brought to light. A detailed topology map coupled with a detailed description of traffic flow requirements might help.

Thank you for your patience. I just added the static route to the servers as I think tweaking with the firewall settings may jeopardize network security. Now ping works. I have got a related question on routing; which I will start on a new thread. Thank you and everyone for your great help.

Regards,

Norman

The 3550 has a connected route to 192.168.11.0/26, so the default gateway is not involved. It ARPs directly for 192.168.11.5 and sends the echo request, with both the MAC destination and IP destination set to those of the host.

For the echo reply, the host recognizes 192.168.11.4 as being on its subnet, so it also doesn't involve the default gateway. The reply is sent with the MAC destination and IP destination (192.168.11.4) of the 3550.

When 192.168.99.2 pings 192.168.11.5, the packet gets to the 3550, and again the 3550 sends the packet directly to 192.168.11.5. However, that host, recognizing that 192.168.99.2 is not on its subnet, sends the reply to its default gateway. The default gateway does not have 192.168.99.2, or a subnet containing that address, in its routing table, so the reply never gets back to 192.168.99.2.

Mark
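To make the asymmetric path concrete, here is an added simulation (not from the thread or from Cisco) of the route lookups described in the three-fix reply and in Mark's explanation above. The topology is constructed from the addresses in the thread; the stateful behaviour of the 192.168.11.1 workstation firewall is an assumption taken from Norman's own diagnosis.

```python
import ipaddress

# Constructed model of the thread's topology: the C3550 (192.168.11.4) routes
# between VLAN 192.168.99.0/24 and VLAN 192.168.11.0/26; the test host
# 192.168.11.5 uses the firewall workstation 192.168.11.1 as default gateway.
SWITCH, FIREWALL = "192.168.11.4", "192.168.11.1"
HOST, CLIENT = "192.168.11.5", "192.168.99.2"

def next_hop(routes, dst):
    """Longest-prefix-match lookup. routes: list of (prefix, gateway);
    gateway None means connected, so the packet goes straight to dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (best[1] or dst)

def trace_reply(host_routes):
    """Return the hops of the echo reply from HOST back to CLIENT.
    The request itself never touches FIREWALL: the 3550 has a connected
    route for 192.168.11.0/26 and hands it to HOST directly."""
    seen_by_firewall = set()          # flows the stateful firewall has seen
    hop = next_hop(host_routes, CLIENT)
    path = [HOST, hop]
    if hop == FIREWALL:
        # Assumed stateful host firewall (the thread's final diagnosis): an
        # echo reply with no matching request in its state table is dropped.
        if (CLIENT, HOST) not in seen_by_firewall:
            return path + ["dropped"]
        path.append(SWITCH)
    return path + [CLIENT, "delivered"]

# Before: host only knows its own subnet and a default route via the firewall.
ORIGINAL = [("192.168.11.0/26", None), ("0.0.0.0/0", FIREWALL)]
# Option 2 from the thread: static route for 192.168.99.0/24 via the 3550.
WITH_STATIC = ORIGINAL + [("192.168.99.0/24", SWITCH)]
# Option 3: change the default gateway to the 3550 instead.
NEW_DEFAULT = [("192.168.11.0/26", None), ("0.0.0.0/0", SWITCH)]

if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("static route", WITH_STATIC),
                        ("new default gw", NEW_DEFAULT)):
        print(f"{name:15}: {' -> '.join(trace_reply(table))}")
```

Only the first table sends the reply through the firewall workstation, which is why Norman's ping failed until a route to 192.168.99.0/24 via the 3550 was added on the host.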
