RV345p vlans and static routes

Geert Gerrits
Level 1

Hello,

Having some problems creating a static route between 2 VLANs.

I have the following VLANs: vlan1 is the default and vlan100 is for IP cams (ignore lag8, it's a trunk to a switch).

[image: vlan.PNG]

The goal is that I can access the IP cams on vlan100 from devices on vlan1, but vlan100 should not be able to access anything. That is why I have disabled inter-VLAN routing: when it was on for both VLANs, I could ping from a laptop connected to vlan100 to a PC on vlan1, but not from the PC to the laptop, so the opposite of what I want.

Tried to create a static route so that vlan1 could access vlan100, but this thing remains a mystery to me.

Both the laptop (vlan100) and the PC (vlan1) are connected directly to the router. Pinging 11.0.0.1 from the PC works, but I cannot ping the laptop.

[image: static routes.PNG]

Have tried it with the interface set to vlan1 and to vlan100, and lots of values for the metric; I must be missing something...

Also, is it normal that I don't see that static route in the routing table?

[image: routing table.png]

If anyone is willing to help me out with this, that would be great.

Thanks.

5 Replies

Richard Burts
Hall of Fame

There are several things in your post that are not clear to me:

- the route table shows that 11.0.0.0 is associated with interface vlan 1

- you describe a PC and a laptop but do not tell us anything about how they are connected or how they are configured.

- you talk about a static route but provide no details about that static route.

 

But one thing should be pretty clear. If you have disabled inter-VLAN routing then you will not be able to route from either VLAN to the other. I believe that to achieve your requirements you will need to enable inter-VLAN routing and then establish some type of security policy that restricts what each VLAN can initiate traffic to.

HTH

Rick

Image 2 is the static route; I tried with vlan1 and vlan100 set as the interface.

The PC and laptop are both using DHCP; the laptop is plugged into port 1 (vlan100) and the PC into port 4 (vlan1).

When I had inter-VLAN routing on, I could ping from vlan100 (laptop) to vlan1 (PC), but not from vlan1 to vlan100. I guess because of the DHCP relay on vlan1?

I could enable it again and block vlan100 from accessing vlan1 with an ACL I guess, but I would still need a way to enable access from vlan1 to vlan100.

I am not entirely clear about image 2. But there are a couple of things that I would say:

- it is odd to have a static route for a subnet that is a locally connected subnet.

- specifying 11.0.0.1 as the next hop for the subnet is probably not what the router expects for a static route.

- if you have disabled inter-VLAN routing then even a static route would not allow you to route from vlan 1 to vlan 100.

If I am understanding correctly you were able to ping from laptop to PC but not able to ping from PC to laptop. I am sure that it did not have anything to do with DHCP relay. I would guess that the laptop has some type of firewall or other security policy that does not allow ping.

Yes, I believe that what you need is to enable routing between VLANs and then to configure access lists to restrict access.

HTH

Rick

I managed to solve it:

Vlan1 - management LAN, tagged for all trunks

Vlan10 - public access, tagged for all trunks (no firewall, direct access to internet)

Vlan100 - internal LAN, untagged for all trunks

Vlan1000 - IP cams, tagged for all trunks

Enabled inter-VLAN routing for vlan 100 and 1000, and denied access from vlan 1000 to 100 in the ACL.
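As an added illustration, not the poster's RV345P configuration (addresses are constructed, and the stateful connection table is an assumption about how such a filter behaves), this small Python model shows the policy the thread arrives at, both in Rick's advice to enable inter-VLAN routing and restrict it with access lists and in the final setup above: routing between vlan100 and vlan1000 is on, an ACL denies what vlan1000 initiates toward vlan100, and replies to sessions the internal LAN opened still come back.

```python
from ipaddress import ip_address, ip_network

VLANS = {  # constructed sample addressing, not taken from the thread
    "vlan100": ip_network("192.168.100.0/24"),   # internal LAN (PCs)
    "vlan1000": ip_network("192.168.200.0/24"),  # IP cameras
}

# Policy in the shape the thread settled on, first match wins: cameras may
# not initiate toward the internal LAN; all else between the VLANs passes.
ACL = [
    ("deny", "vlan1000", "vlan100"),
    ("permit", "any", "any"),
]

def vlan_of(ip):
    """Return the VLAN name whose subnet contains ip, or None."""
    addr = ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

class StatefulFilter:
    """Toy model (an assumption, not the RV345P's engine): the ACL decides
    who may open a flow; replies to accepted flows pass via the flow table."""

    def __init__(self, acl):
        self.acl = acl
        self.flows = set()  # (src, sport, dst, dport) of accepted flows

    def _acl_permits(self, src_vlan, dst_vlan):
        for action, src, dst in self.acl:
            if src in (src_vlan, "any") and dst in (dst_vlan, "any"):
                return action == "permit"
        return False  # implicit deny at the end of the list

    def forward(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows:
            return True  # return traffic of an established flow
        if self._acl_permits(vlan_of(src), vlan_of(dst)):
            self.flows.add((src, sport, dst, dport))
            return True
        return False

def demo():
    """PC opens RTSP to a camera, the reply comes back, camera-initiated SMB is dropped."""
    f = StatefulFilter(ACL)
    return {
        "pc_opens_rtsp": f.forward("192.168.100.10", 50000, "192.168.200.20", 554),
        "cam_replies": f.forward("192.168.200.20", 554, "192.168.100.10", 50000),
        "cam_initiates": f.forward("192.168.200.20", 40000, "192.168.100.10", 445),
    }
```

With a purely stateless ACL the same deny line would also drop the camera's replies, so return traffic would then need its own explicit permit.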

Thanks for the update. I am glad that you have managed to solve it. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick