09-08-2014 02:02 PM - edited 03-04-2019 11:43 PM
Hello, I need some help with a problem I am having.
OK, I have a VLAN that has an ip access-group config on the local data center and it works fine; what I need to do is also have this VLAN working on the remote data center.
Here is the config I have done:
Local Data Center:
interface Vlan888
 description VLAN 888 - PROJECT test
 ip address 10.88.70.250 255.255.255.0
 ip access-group TEstIN in
 ip access-group TEstOUT out
 ip helper-address 10.70.0.1
 standby 1 ip 10.88.70.254
 standby 1 priority 200
 standby 1 preempt
 standby 1 authentication XXXXXX
Remote Data Center:
interface Vlan888
 description VLAN 888 - PROJECT test
 ip address 10.88.70.253 255.255.255.0
 ip helper-address 10.70.0.1
 standby 1 ip 10.88.70.254
 standby 1 priority 170
 standby 1 preempt
 standby 1 authentication XXXXXX
When I am connected to that VLAN on the remote data center core I can ping 10.88.70.253 and .254 but nothing else.
Do I need to create the same ip access-groups or is there another way?
I have to do this on a couple of 6500 series switches we have here.
09-08-2014 06:37 PM
Hi highlander02,
In order to control inter-VLAN traffic, all you need is "ip access-group TEstIN in"; it is not required to restrict with "ip access-group TEstOUT out", and using both "in" and "out" ACLs complicates things way too much. Besides, I don't know what exactly you want to achieve by access-group in and out.
So just limit your restriction to "ip access-group TEstIN in". If you could explain what kind of restriction you want to put in place with this "ip access-group TEstIN in" and post your access-list TEstIN, I will explain what exactly you want to achieve, and I will tell you why it is not working and what the possible fix is, maybe.
Thanks
Rizwan Rafeek
09-09-2014 12:25 AM
What is the configuration of the GigabitEthernet interface for Vlan888?
09-09-2014 12:06 PM
OK, I have removed the access-group out with no issues. Thank you very much for that one.
09-08-2014 11:49 PM
Are you facing a problem with the VLAN? (You did mention you can ping the local and remote DC VLAN IPs from the remote DC, then what else?)
Security is optional as per your organization's needs. As I can see, both DCs share the VLAN database; in that sense the relevant configuration also needs to be replicated. This is not meant to solve the problem you are facing but is based on the assumed requirement.
Is there an issue with HSRP? If so, you will need to verify the access-list to see that UDP 1985 is permitted in both directions (in and out access-lists).
HTH
Rate if you feel this is helpful.
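The HSRP check above can be done offline before touching the switch. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for Cisco extended ACL syntax that asks whether an HSRP hello (UDP 1985 to 224.0.0.2 for v1, 224.0.0.102 for v2) from the peer router would pass an inbound SVI ACL. The ACL body is constructed, since the real TEstIN list was never posted.

```python
import ipaddress

# Constructed sample ACL in Cisco extended syntax; the thread never posts TEstIN itself.
SAMPLE_ACL = """
permit udp 10.88.70.0 0.0.0.255 host 224.0.0.2 eq 1985
permit ip 10.88.70.0 0.0.0.255 10.70.0.0 0.0.255.255
deny ip any any
"""

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (IPv4Network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))   # Cisco wildcard = inverted netmask
    prefix = 32 - wildcard.bit_length()                # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dst_port_or_None) entries."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[0], t[1], t[2:]
        src, rest = _addr(rest)
        if rest[:1] == ["eq"]:          # source-port qualifier: skip it
            rest = rest[2:]
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, anet_s, anet_d, aport in aces:
        if aproto in ("ip", proto) and s in anet_s and d in anet_d and aport in (None, dport):
            return action
    return "deny"

def hsrp_permitted(acl_text, peer_ip, version=1):
    """Would a hello from the HSRP peer at peer_ip pass this ACL applied inbound on the SVI?"""
    group = "224.0.0.2" if version == 1 else "224.0.0.102"   # HSRPv1 / HSRPv2 multicast groups
    return evaluate(parse_acl(acl_text), "udp", peer_ip, group, 1985) == "permit"
```

With the sample list, the v1 hello from the remote peer (10.88.70.253) is permitted, while a v2 hello is dropped by the final deny, which is exactly the kind of mismatch that leaves both routers active.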
09-09-2014 12:44 PM
Well, before I tried the HSRP option I was not getting any network connection on the remote data center core.
I found the reason the connection was not working: I thought the core device at the remote site had the working p2p connection; I was wrong.
So as I added that VLAN and int vlan information, the other connection started to work.
I don't know if the config would work without the HSRP config or not.
I have created the same access-list on that VLAN now; I just have to test it.