05-11-2021 11:21 AM - edited 05-11-2021 11:54 AM
Hi,
I'm a first-year networking student, and I'm currently studying VLANs. My school got new Cisco routers (RV160) that the students and teachers have little technical knowledge about.
We have a project in progress, which is to create a working environment with 3 VLANs.
For educational reasons, not security reasons, we are asked to set up inter-VLAN routing. But no matter what we do, it just doesn't seem to work.
I can ping 192.168.7.193, which is the DMZ, but that's because it's the DMZ; otherwise, I can't ping what's in the server VLAN, for example. It's as if the button dedicated to "Inter-VLAN routing" has no effect: it's not possible to reach the other VLANs.
For additional information, NAT is in place, so each workstation/DMZ/server can access the Internet. Moreover, we tried with ACLs, but it doesn't change anything. Neither my classmates nor my teacher know where this problem could come from.
I'm attaching a screenshot of the router's VLAN configuration.
The router's version is 1.0.01.03.
Thank you again for your help; this will allow us to break the deadlock.
EDIT: It seems that I can ping the "DMZ" even without it being declared as such in the router. This is a real headache: it would mean that one VLAN is reachable but not the other one.
06-04-2021 12:05 PM
Hi
> This VLAN has a physical machine at 192.168.7.2, which is a VMware ESXi machine, containing a Debian virtual machine that has no IP for now.
So which IP address (in vlan2) are you trying to ping (from a host in vlan1)?
a) Is it 192.168.7.2? (In which case, is the default gateway IP address 192.168.7.62 also configured on this ESXi machine?)
b) As you said, is it the Debian VM on the ESXi server that you are trying to reach from vlan1? Because there is no IP address on the VM (virtual machine) yet anyway.
c) You mentioned that you are able to ping the Raspberry Pi device connected in the DMZ vlan3 (with IP address 192.168.7.193)...
d) I am assuming that ALL your user-vlan1 hosts are connected to switches which in turn are connected ONLY to the LAN1/LAN2 ports of the RV160... just to confirm.
In summary, as far as I can tell, the ONLY reason why you are not able to ping the vlan2 host from vlan1 (or even vlan3) would be because the host/server in vlan2 is NOT configured with the correct default gateway IP address of 192.168.7.62... therefore you are NOT receiving any reply packets.
On the RV160 there is NO specific hardware/physical DMZ port on the router... whereas, for example, on the RV260 port 8 can be explicitly configured as a hardware DMZ port...
So on the RV160, since you "consider" vlan3 as the DMZ... you can add some firewall ACL rules as below (a rough mention of the actual rules)... AND the order has to be as shown below... because the rules are always parsed in a top-down approach:
- Say, for example, you want to allow all internal VLANs to access ONLY the TCP port 8081 service on the RP device in the DMZ.
- Next, you want to allow the internal VLANs to access ONLY the FTP server machine in the vlan3 DMZ network.
- And deny all other traffic from all internal VLANs to the DMZ VLAN.
So the ACL rules to add are:
------------------------------------------------------------------------------------------
rule-1 - allow from interface vlan1 (any src) to vlan3 (specific ip-host 192.168.7.193) service TCP-8081
rule-2 - allow from interface vlan2 (any src) to vlan3 (specific ip-host 192.168.7.193) service TCP-8081
rule-3 - allow from interface vlan1 (any src) to vlan3 (specific ip-host 192.168.7.194) service ftp
rule-4 - allow from interface vlan2 (any src) to vlan3 (specific ip-host 192.168.7.194) service ftp
rule-5 - DENY from interface ANY (any src) to vlan3 (dst any) service all-services
------------------------------------------------------------------------------------------
By default all access from the WAN to any VLAN is DENIED... that is the last default ACL rule that you see in the firewall... so you don't have to worry about allowing access to the DMZ, etc. from the WAN, if any, for now.
Check once again the IP/default-gateway configs on the ESXi machine, etc.
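As an added illustration (not part of the reply above and not RV160 code), here is a small Python first-match evaluator for the five rules listed, showing why the DENY rule has to come last on a top-down parser. The DMZ subnet 192.168.7.192/26, the rules applying only to traffic bound for vlan3, and "service ftp" meaning TCP/21 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed DMZ (vlan3) subnet; it contains the .193 and .194 hosts from the thread.
DMZ_NET = ip_network("192.168.7.192/26")

# Rule = (action, src_interface, dst_host, proto, dst_port); None means "any".
# All five rules target vlan3, so destination VLAN is checked once in evaluate().
RULES = [
    ("allow", "vlan1", "192.168.7.193", "tcp", 8081),  # rule-1
    ("allow", "vlan2", "192.168.7.193", "tcp", 8081),  # rule-2
    ("allow", "vlan1", "192.168.7.194", "tcp", 21),    # rule-3 (ftp control, assumed)
    ("allow", "vlan2", "192.168.7.194", "tcp", 21),    # rule-4
    ("deny",  None,    None,            None,  None),  # rule-5: any -> vlan3, all services
]

# Same rules with the DENY moved to the top, to show what the wrong order does.
MISORDERED = [RULES[-1]] + RULES[:-1]


def matches(rule, src_if, dst, proto, dport):
    """True if every non-None field of the rule matches the packet."""
    _action, r_if, r_host, r_proto, r_port = rule
    return ((r_if is None or r_if == src_if)
            and (r_host is None or ip_address(r_host) == dst)
            and (r_proto is None or r_proto == proto)
            and (r_port is None or r_port == dport))


def evaluate(rules, src_if, dst_ip, proto, dport, default="allow"):
    """Top-down, first-match evaluation. Returns (action, 1-based rule number);
    traffic not bound for the DMZ subnet is left to inter-VLAN routing (default, None)."""
    dst = ip_address(dst_ip)
    if dst not in DMZ_NET:
        return (default, None)
    for n, rule in enumerate(rules, 1):
        if matches(rule, src_if, dst, proto, dport):
            return (rule[0], n)
    return (default, None)


if __name__ == "__main__":
    # Constructed sample flows: (src interface, dst ip, proto, dst port)
    flows = [("vlan1", "192.168.7.193", "tcp", 8081),   # allowed by rule-1
             ("vlan2", "192.168.7.194", "tcp", 21),     # allowed by rule-4
             ("vlan1", "192.168.7.193", "tcp", 22),     # caught by rule-5
             ("vlan1", "192.168.7.2",   "icmp", None)]  # vlan2 host, not DMZ: routed
    for f in flows:
        print(f, "correct order:", evaluate(RULES, *f), "misordered:", evaluate(MISORDERED, *f))
```

With the DENY first, every flow to the DMZ, including the ones rules 1 to 4 were meant to permit, is dropped at rule 1 and the allow rules are never reached.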