Problem with the Inter-VLAN function of cisco RV160 routers

Matthys
Level 1

Hi,

I'm a first-year networking student, and I'm currently studying VLANs. My school got new Cisco routers, RV160, which the students and teachers have little technical knowledge about.

We have a project in progress, which is to create a working environment with 3 VLANs.

  1. To start with, we have a server VLAN. This VLAN has a physical machine at 192.168.7.2, which is a VMware ESXi machine containing a Debian virtual machine that has no IP for now. The network address of the VLAN is 192.168.7.0 in /26, so the gateway is 192.168.7.62. VLAN ID 2.
  2. The second VLAN is the "User" VLAN. This VLAN groups all user machines, which get their IP addresses via DHCP. The network address of the VLAN is 192.168.7.64 in /26, so the gateway is 192.168.7.126. VLAN ID 1; this is the default VLAN.
  3. Finally, the DMZ VLAN. This VLAN has a Raspberry Pi serving as the DMZ. It's configured with 192.168.7.193. VLAN ID 3. The network address of the VLAN is 192.168.7.192 in /26, so the gateway is 192.168.7.254.

For educational reasons, not security reasons, we are asked to set up inter-VLAN routing. But no matter what we do, it just doesn't seem to work.

I can ping 192.168.7.193, which is the DMZ (but that's because it's the DMZ); otherwise, I can't ping what's in the server VLAN, for example. It's as if the button dedicated to "Inter-VLAN routing" has no effect: it's not possible to reach the other VLANs.

 

For additional information, NAT is in place, so each workstation/DMZ/server can access the Internet. Moreover, we tried with ACLs, but it doesn't change anything. Whether it's my classmates or my teacher, we don't know where this problem could come from.

I'm attaching a screenshot of the router's VLAN configuration.

 

The router's version is 1.0.01.03.

Thank you again for your help; this will allow us to break the deadlock.


EDIT: It seems that I can ping the "DMZ" even without it being declared as such in the router. This is really a headache, since it would mean that one VLAN is accessible but not the other one.

1 Reply

nagrajk1969
Spotlight

Hi

 

> This VLAN has a physical machine at 192.168.7.2, which is a VMware ESXi machine, containing a Debian virtual machine that has no IP for now.

So which IP address (in VLAN 2) are you trying to ping (from a host in VLAN 1)?

a) Is it 192.168.7.2? (In which case, is the default-gateway IP address 192.168.7.62 also configured on this ESXi machine?)

b) Or, as you said, is it the Debian VM on the ESXi server that you are trying to reach from VLAN 1? Because there is no IP address on the VM (virtual machine) yet anyway.

c) You mentioned that you are able to ping the Raspberry Pi device connected in DMZ VLAN 3 (with IP address 192.168.7.193)...

 

d) I am assuming that ALL your user VLAN 1 hosts are connected to switches, which in turn are connected ONLY to the LAN1/LAN2 ports of the RV160... just to confirm.

 

In summary, as far as I can tell, the ONLY reason why you are not able to ping the VLAN 2 host from VLAN 1 (or even VLAN 3) would be because the host/server in VLAN 2 is NOT configured with the correct default-gateway IP address of 192.168.7.62... therefore you are NOT receiving any reply packets.

 

On the RV160 there is NO specific hardware/physical DMZ port on the router... whereas, for example, on the RV260 port 8 can be explicitly configured as a hardware DMZ port...

So on the RV160, since you "consider" VLAN 3 as the DMZ... you can add some firewall ACL rules as below (a rough outline of the actual rules), AND the order has to be as shown below... because the rules are always parsed in a top-to-bottom approach.

- Say, for example, you want to allow all internal VLANs to ONLY access the TCP port 8081 service on the RPi device in the DMZ..

- Next, you want to allow the internal VLANs to ONLY access the FTP server machine in the VLAN 3 DMZ network

- And deny all other traffic from all internal VLANs to the DMZ VLAN

So the ACL rules to add are:

 

------------------------------------------------------------------------------------------

rule-1 - allow from interface vlan1 (any src) to vlan3 (specific ip-host 192.168.7.193) service TCP-8081

rule-2 - allow from interface vlan2 (any src) to vlan3 (specific ip-host 192.168.7.193) service TCP-8081

rule-3 - allow from interface vlan1 (any src) to vlan3 (specific ip-host 192.168.7.194) service ftp

rule-4 - allow from interface vlan2 (any src) to vlan3 (specific ip-host 192.168.7.194) service ftp

rule-5 - DENY from interface ANY (any src) to vlan3 (dst any) service all-services

-------------------------------------------------------------------------------

By default, all access from the WAN to any VLAN is DENIED.. the last default ACL rule that you see in the firewall.... so you don't have to worry about allowing access to the DMZ, etc. from the WAN, if any, for now.

Check once again the IP/default-gateway configs on the ESXi machine, etc.
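The first-match, top-to-bottom evaluation the reply relies on, as an added example (not from the thread and not Cisco's code): a small Python model of rule-1 to rule-5 over the thread's three /26 subnets, which also shows why moving the deny rule to the top blocks everything. The `Rule`/`evaluate` names, the mapping of "ftp" to TCP/21, and the `default` of allowing unmatched inter-VLAN traffic are assumptions; only the WAN-side default deny is stated on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# VLAN IDs and /26 subnets exactly as given in the question.
VLANS = {
    1: ipaddress.ip_network("192.168.7.64/26"),   # user VLAN (default VLAN)
    2: ipaddress.ip_network("192.168.7.0/26"),    # server VLAN
    3: ipaddress.ip_network("192.168.7.192/26"),  # VLAN treated as the DMZ
}

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_vlan: Optional[int]   # None = any interface
    dst_vlan: int
    dst_host: Optional[str]   # None = any host in the destination VLAN
    proto: Optional[str]      # "tcp"/"udp"; None = all services
    port: Optional[int]       # None = any port

# rule-1 .. rule-5 from the reply, in the order the reply prescribes ("ftp" = TCP/21, assumed).
RULES: List[Rule] = [
    Rule("allow", 1, 3, "192.168.7.193", "tcp", 8081),
    Rule("allow", 2, 3, "192.168.7.193", "tcp", 8081),
    Rule("allow", 1, 3, "192.168.7.194", "tcp", 21),
    Rule("allow", 2, 3, "192.168.7.194", "tcp", 21),
    Rule("deny", None, 3, None, None, None),
]

def vlan_of(ip: str) -> Optional[int]:
    """Map an address to the VLAN whose subnet contains it (None if no VLAN does)."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)

def matches(r: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return ((r.src_vlan is None or r.src_vlan == vlan_of(src))
            and r.dst_vlan == vlan_of(dst)
            and (r.dst_host is None or r.dst_host == dst)
            and (r.proto is None or r.proto == proto)
            and (r.port is None or r.port == port))

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int,
             default: str = "allow") -> Tuple[str, Optional[int]]:
    """First match wins, top to bottom; returns (action, 1-based rule number or None)."""
    # Assumption: with inter-VLAN routing on, traffic no rule matches is allowed.
    for n, r in enumerate(rules, start=1):
        if matches(r, src, dst, proto, port):
            return r.action, n
    return default, None
```

Running `evaluate` on the same packet against `list(reversed(RULES))` hits the deny rule first, which is the ordering mistake the reply warns about.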
