Re: VLAN ROUTING & COMMUNICATION

I-TECH · ‎03-04-2023

Good Afternoon-

I am hoping to get some technical insight into an ongoing issue I've been trying to resolve...

I have an all-Cisco-shop consisting of:

(1) ASA, (2) ROUTERS, (4) SWITCHES (4) IP PHONES

ALL SWITCH PORTS ON ALL SWITCHES ARE CONFIGURED AS TRUNK PORTS!

SW1 | connects to the ASA, and to SW2, SW3, and SW4. ALL SWITCHES CONNECT TO EACH OTHER WITH FAIL-OVER...

SW1 | VLAN 7 SERVERS AND WORKSTATIONS LIVE HERE

SW2 | VLAN 200 IP PHONES LIVE HERE

SW3 | VLAN 101 SECURITY DVRS LIVE HERE

SW4 | VLAN 99 STREAMING DEVICES LIVE HERE

All Servers are connected to SW1 and are configured with IP Addresses of all the VLANs, DNS Records, and Pointer Records for connected end-devices for each VLAN…

All Switches function at L2 with no routing. The VLANs are configured on all (4) Switches

All Routers are configured with SVIs for each VLAN.

All Routers and Switches can ping all VLAN Gateway Addresses…

From the Router(s) and any of the Switches (VLAN 7), I can ping the Default Gateway x.x.7.1, and the ASA x.x.7.250, and I can also ping any end-device within VLAN 7.

From a laptop configured on VLAN 7, I can ping all other VLAN gateways, (x.x.7.1, x.x.99.1, x.x.100.1, Etc...)

PROBLEM:

I CAN'T PING any other end-devices configured with any VLAN other than VLAN7...!

Not from the Router(s), Not from any of the Switches where the end-devices are physically connected...!!! The Switches can't ping any of the connected end-devices on any VLAN, OTHER THAN VLAN 7...

Although all VLANs should have Internet Access; VLAN 7 is the only VLAN that can access the Internet.

**Any help you can provide would be greatly appreciated!!!**

Thank you.

MHM Cisco World · ‎03-04-2023

same security traffic permit intra-interface <<- add this to ASA only

additional make sure the ASA have route to all VLAN.

I-TECH · ‎03-04-2023

Hi MHM-

Thank you for your response...

I've checked this as you requested and all is configured on the ASA...

Still no change, I can't ping end-devices.

MHM Cisco World · ‎03-04-2023

dont worry,
can you draw the topology ?

I-TECH · ‎03-04-2023

Hi MHM-

I'm working on the Topology now, I'll submit it here soon...

Thanks.

I-TECH · ‎03-04-2023

Here is the Topology...

MHM Cisco World · ‎03-07-2023

OK, I take Look,
the two router is run HSRP for all VLAN ?
and the ASA is connect the internet and also it have DMZ VLAN ?

first you must make the link interconnect two access SW FWD status.

balaji.bandi · ‎03-04-2023

I CAN'T PING any other end-devices configured with any VLAN other than VLAN7...!

end device I take PC like windows ?

This thinks my first guess Windows Firewall ? (disable this and test)

as you confirmed you able to ping from end device to gateway

Although all VLANs should have Internet Access; VLAN 7 is the only VLAN that can access the Internet.

- this thinks for me NAT issue on your ASA or some kind of routing

you need to post ASA configuration and any small network diagram how these are connected will help.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I-TECH · ‎03-04-2023

Hi BB-

Thanks for your quick response...

I did as you suggested and disabled the Windows Firewall on the Workstation and retested the ping...

Still no change, I can't ping end-devices at all.

balaji.bandi · ‎03-04-2023

from what device you not able to ping, can you do traceroute ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎03-04-2023

Hello
Can you post a topology of this network, and confirm what device is performing the intervlan routing ( asa,router) and then attach a file showing the running config of both asa and router

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I-TECH · ‎03-04-2023

Hi Paul-

I'm working on the Topology now, I'll submit it here soon...

Thanks.

I-TECH · ‎03-04-2023

H

ere is the topology...

KJK99 · ‎03-04-2023

If all switchports are configured as trunks, I wonder how you make the end-point devices belong to some other VLAN than the native one. I guess the IP phones are configured with VID 200 so they are part of VLAN 200, but what about the other devices. What is it that makes the security devices belong to VLAN 101 and the streaming devices belong to VLAN 99? Also, is VLAN 7 native by chance?

Kris K

I-TECH · ‎03-07-2023

Good Morning KJK99-

Thank you for chiming in...

I may have forgotten to mention something here...

All the Switches are Cisco Small Business Switches...

The NATIVE VLAN is the DEFAULT VLAN 1

I know this is a security risk; this will be changed after I get all the VLAN communications functioning properly as I do not want to introduce yet another issue to diagnose at this point.