Dear Ankur;

The current situation is Vlan 2 is not connected to Vlan 3.. only picking ips from DHCP server witch connected to Vlan 3 but no ather communication.. and this is running without access lists.

The problem now I noticed that, after creating Vlan 4 by command “set vlan 4 3/25” port No. 1/2 come as member of all Vlans (1,2,3,4) but before this port was only member of Vlan 1 !! I don’t know why this is happened..

Any way I attached for you basic diagram for my network and how the connection is going, and what I want to do is making Vlan 4 like Vlan2 exactly can picking ip from DHCP witch connected in vlan 3 but can’t communicate with other computers in Vlan3, also if there is a communication between Vlan 4 and Vlan 2 it will be better for me so no need to place one extra network card in server witch connected to vlan 2 (student server)

Best Regard’s

.

.

Hi,

As per your router config users in vlan 2 and vlan 3 should talk to each other as we cannot stop routing between them unless accesslist is not configured on router.

Do me a favour update me whats the gateway address on user machine which are in vlan 2 and vlan 3.

Ankur

Dear Ankur,

I have update my diagram with both vlans gateways. also I attached zip file enclouding

1- show vlan (before creating vlan 4)

2- show vlan (after creating vlan 4)

3- show run (before creating vlan 4)

4- show run (after creating vlan 4)

5- show run from module 2 (before creating Vlan 4)

6- show run from module 2 (after creating Vlan 4)

7- show IP route from routing module after creating vlan 4

Please advice..

Hi,

If 172.16.2.9 and 172.16.3.6 are yiur gateways that means they are not going to your cat4000 routing blade for routing.

I am guessing these are your ip addresses on PIX am I right? If not can you confirm whose ip addresses are these I mean which device.

What gateway your DHCP server is assigning to vlan 4 if it is assigning 172.16.4.1 as gateway to your vlan 4 pc's it will definetely talk to all your vlans.

Find out which is the device whose ip address you have used as a gateway for vlan 2 and vlan 3 and use ip adress from samwe device for vlan 4 also.

I hope you understand.

Ankur

OO i am sorry your gateways are 172.16.2.10 and 172.16.3.8 and still my points hold true as these are not the ip's of your interfaces from routing blade on 4000 so thats the reason they are not talking. Please find the device whose ip are these.

Ankur

no problem ankur .. yes 172.16.2.10 is a isa server witch is connected to vlan2 and also it's a getway for this vlan computers, same as for 172.16.3.8 is my gateway to vlan 3 and also it's isa server witch connected to vlan3..

in DHCP configuration for vlan 4 i give 172.16.1.5 as gateway (it's our enternal interface of pix), do u think this is the resone of routing problem ??

but we have some computers in both vlans 2,3 using this gateway to bypass the isa server and can't access other vlans.

in the show ip route from routing blade file I have sent it to you I noticed that..

default

U - per-user static route, o - ODR

Gateway of last resort is 172.16.1.5 to network 0.0.0.0

172.16.0.0/24 is subnetted, 3 subnets

C 172.16.1.0 is directly connected, GigabitEthernet3.1

C 172.16.2.0 is directly connected, GigabitEthernet3.2

C 172.16.3.0 is directly connected, GigabitEthernet3.3

S* 0.0.0.0/0 [1/0] via 172.16.1.5

there is no subnetting shown for GigabitEthernet3.4 !!

also in show run I have no ip redirects for GigabitEthernet3.1 , 3.2 3.3 Only.. and it's not shown in 3.4

Please check and advice

(I'm so sorry for disturbing but realy i'm in truble)

Hi,

Hey no problem please do not feel like you are disturbing me.

1) in DHCP configuration for vlan 4 i give 172.16.1.5 as gateway (it's our enternal interface of pix), do u think this is the resone of routing problem ??

As your question goes your vlan 4 is having a network of 172.16.4.0 and you are defining the gateway for vlan 1 network which is 172.16.1.0 which is a problem as it will go to pix and i am not sure what all policies are defines on PIX for what all network. It is possible that you pix looking at the network is routing the packets accordingly. Might be it see 172.16.2.0 and 172.16.3.0 and route them accordingly and it see172.16.4.0 it is routing it back or something like that but it is 100% pix policies which is making this behaviour.

You will surely see vlan 4 network in your routing table once your pc will come up on vlan 4 on switch.

please check your PIX policies and make the policies same for vlan 4 network as you have defined for vlan 2 and vlan 3 network or change the gateway for vlan 4 devices to IDSA server like you have done for vlan 3 and 4.

HTH

Regards,

Ankur

Thanks Ankur,

now I got your idea .. any way I'll try and let you know.. but how I can make routing between Vlan2 and 4 so I can use the same ISA server witch connected to Vlan 2 as a gatway for VLAN4 and also user in VLAN 4 can access them files witch in student server in VLAN2 but sure without any communication with vlan 3 ..

best regards

Hi,

I am not sure how it can be done on ISA server. But as per what I can think reading you last update you want to have communication between vlan 2 and vlan 4 but you do not want vlan 2 and 4 to talk to vlan2.

Am I right?

Check is you can have routing done on ISA server. I am really sorry as I am not sure about how it is done on ISA servers. But it was best to have gateways of the interfaces which are there on 4000 routing blade and them implemment access list but you might have a different network requirement so please check if you can have routing done for vlan 4 and 2 on ISA server.

HTH

Ankur

HI,

I have got a very good idea for you. Now when you are aware that why vlan 2 and vlan 3 are not talking to each other you can simply use vlan 4 network address as a gateway for vlan 4 pc's (the ip which you will assign on your routing blade on cat4000 switch). It will let you get an ip address from DHCp server and then you can implement an access list on your routing blade to stop vlan 4 talking to vlan 3 but you can allow it to talk to vlan 2.

I mean you can simple play with access list then.

HTH

Ankur

Hi ankur,

for ISA there is no problem to manage 2 IP range it's just a rule and we can add any range of IPs no problem.. but forget about ISA I need full communication between VLAN2 and 4 only and the current situation is no communication between 2 and 3 also I need to be same for 4 and 3 no communication..

I mean just I need full routing between VLAN2 and VLAN4 but without any communicate with VLAN3 .. I hope you can understand my idea ...

Thank you very much and waiting for reply

Hi,

Let your current network like that only as currently vlan 2 and vlan 3 are not talking and also picking an ip address.

1) Now simply assign the gateway address for vlan 4 machines as 172.16.4.1 which will be the ip address which you will configure on your router card for vlan 4 network on 4232-L3 blade.

2) Once this is done vlan 4 machine will start talking to vlan 2 and 3 both.

3) Apply an extended access list on router card (4232-L3 blade) on vlan 4 network to block source ip from vlan 4 to destination ip on vlan 3 and your work will be done.

HTH

Ankur