10-31-2011 12:09 PM - edited 03-07-2019 03:08 AM
Here is what I need.
Servers at Vlan 6 must see servers at Vlan 2, 10, 11, 12, and vice versa.
How do I write the correct commands?
Here are my outputs:
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
2 ****OFFICE_SERVERS**** active Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16, Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20, Fa1/0/25
Fa1/0/26, Fa1/0/29, Fa1/0/30, Fa1/0/33, Fa1/0/34
4 ****END_USER**** active Fa1/0/39
6 ****ILO**** active Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/9, Fa1/0/10
10 ****WEB**** active Fa1/0/27, Fa1/0/28, Fa1/0/31, Fa1/0/32, Fa1/0/43
11 ****APP_SERVERS**** active Fa1/0/11, Fa1/0/12, Fa1/0/21, Fa1/0/22, Fa1/0/35, Fa1/0/36
12 ****DB_SERVERS**** active Fa1/0/23, Fa1/0/24, Fa1/0/37
99 ****VISITORS**** active
Gateway of last resort is 192.168.0.253 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, Vlan100
172.16.0.0/24 is subnetted, 6 subnets
C 172.16.29.0 is directly connected, Vlan99
C 172.16.30.0 is directly connected, Vlan6
C 172.16.9.0 is directly connected, Vlan3
C 172.16.10.0 is directly connected, Vlan4
C 172.16.0.0 is directly connected, Vlan1
C 172.16.1.0 is directly connected, Vlan2
C 192.168.0.0/24 is directly connected, Vlan5
S* 0.0.0.0/0 [1/0] via 192.168.0.253
11-01-2011 10:09 PM
Hi Sanchos
This seems to be a routing problem.
Your ASA and the core switch need to have routes exchanged.
The VLANs that have an IP on the ASA are coming via the core switch, but all through layer 2.
The core switch has a default route, so anyway it should send any request coming from, say, the Vlan 2 subnet to the ASA's .253 address.
But the ASA does not know where the 172.16.1.0/24 subnet is. So this is the problem.
You need to add static routes pointing back to the core switch; just do sh ip int brief on the core switch and pick the IP address which is coming from the firewall.
Hope that helps.
Regards,
Mohit
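The accepted answer's advice in practice, as an added example that is not part of the original thread: a Python script that parses the core switch's "show ip route" and the ASA's "show ip address" (copies of the outputs posted in this thread, embedded as constructed input) and prints the ASA route statements for every core-switch subnet the ASA has no route to, plus a check that the core's default route covers each ASA DMZ in the other direction. CORE_INSIDE_IP is a placeholder for the core switch's address on the 192.168.0.0/24 inside subnet, which the thread never shows (that is the value "sh ip int brief" on the core gives you).

```python
"""Added example (not from the thread): derive the ASA return routes that the
accepted answer describes from the outputs posted in this thread.

Constructed inputs: copies of the core switch's 'show ip route' and the ASA's
'show ip address' as posted. CORE_INSIDE_IP is a placeholder: the thread never
shows the core switch's address on the ASA's inside subnet (192.168.0.0/24).
"""
import ipaddress
import re

CORE_SHOW_IP_ROUTE = """\
Gateway of last resort is 192.168.0.253 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, Vlan100
172.16.0.0/24 is subnetted, 6 subnets
C 172.16.29.0 is directly connected, Vlan99
C 172.16.30.0 is directly connected, Vlan6
C 172.16.9.0 is directly connected, Vlan3
C 172.16.10.0 is directly connected, Vlan4
C 172.16.0.0 is directly connected, Vlan1
C 172.16.1.0 is directly connected, Vlan2
C 192.168.0.0/24 is directly connected, Vlan5
S* 0.0.0.0/0 [1/0] via 192.168.0.253
"""

ASA_SHOW_IP_ADDRESS = """\
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside **.**.**.** 255.255.255.240 CONFIG
GigabitEthernet0/1 inside 192.168.0.253 255.255.255.0 CONFIG
GigabitEthernet0/2 web_dmz 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3.11 app_dmz 192.168.2.1 255.255.255.0 CONFIG
GigabitEthernet0/3.12 db_dmz 192.168.3.1 255.255.255.0 CONFIG
Management0/0 failover 10.1.1.1 255.255.255.252 unset
Current IP Addresses:
"""

CORE_INSIDE_IP = "192.168.0.1"  # placeholder; take it from 'sh ip int brief' on the core

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def parse_core_routes(text):
    """Return (connected, statics): connected maps network -> interface for
    'C' lines; statics is a list of (network, next_hop) for 'S'/'S*' lines.
    IOS prints classfully subnetted networks without a prefix length; the
    '... is subnetted' header preceding them carries it."""
    connected, statics, prefixlen = {}, [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\S+) is subnetted, \d+ subnets", line)
        if m:
            prefixlen = ipaddress.ip_network(m.group(1), strict=False).prefixlen
            continue
        m = re.match(r"C\s+(\S+) is directly connected, (\S+)", line)
        if m:
            dest, intf = m.groups()
            if "/" not in dest:
                dest = f"{dest}/{prefixlen}"
            connected[ipaddress.ip_network(dest, strict=False)] = intf
            continue
        m = re.match(r"S\*?\s+(\S+) \[\d+/\d+\] via (\S+)", line)
        if m:
            statics.append((ipaddress.ip_network(m.group(1), strict=False),
                            ipaddress.ip_address(m.group(2))))
    return connected, statics


def parse_asa_interfaces(text):
    """Map each ASA connected network -> nameif from 'show ip address'
    (System section only; the masked outside address does not parse and is skipped)."""
    ifaces = {}
    for line in text.splitlines():
        if line.startswith("Current IP Addresses"):
            break
        m = re.match(rf"\S+\s+(\S+)\s+({IPV4})\s+({IPV4})\s+\S+", line)
        if m:
            nameif, ip, mask = m.groups()
            ifaces[ipaddress.ip_interface(f"{ip}/{mask}").network] = nameif
    return ifaces


def egress_nameif(asa_ifaces, next_hop):
    """The ASA interface the next hop sits on; an ASA 'route' statement must name it."""
    for net, nameif in asa_ifaces.items():
        if next_hop in net:
            return nameif
    raise ValueError(f"{next_hop} is not on any ASA connected subnet")


def missing_asa_routes(core_connected, asa_ifaces, next_hop, asa_statics=()):
    """ASA 'route' commands for every core-switch subnet the ASA cannot reach:
    not directly connected on the ASA and not covered by an existing static."""
    next_hop = ipaddress.ip_address(next_hop)
    nameif = egress_nameif(asa_ifaces, next_hop)
    cmds = []
    for net in core_connected:
        if net in asa_ifaces or any(net.subnet_of(s) for s in asa_statics):
            continue
        cmds.append(f"route {nameif} {net.network_address} {net.netmask} {next_hop}")
    return cmds


def core_reaches(core_connected, core_statics, dst_net):
    """True if the core switch has a connected or static route covering dst_net
    (the thread's core has a default route, so every ASA DMZ is covered)."""
    candidates = list(core_connected) + [n for n, _ in core_statics]
    return any(dst_net.subnet_of(n) for n in candidates)


if __name__ == "__main__":
    connected, statics = parse_core_routes(CORE_SHOW_IP_ROUTE)
    asa = parse_asa_interfaces(ASA_SHOW_IP_ADDRESS)
    print("# ASA config to add (next hop is a placeholder):")
    for cmd in missing_asa_routes(connected, asa, CORE_INSIDE_IP):
        print(cmd)
    for net, nameif in asa.items():
        ok = core_reaches(connected, statics, net)
        print(f"# core -> {nameif} {net}: {'ok' if ok else 'MISSING on core'}")
```

Two things the route statements alone do not settle: the ASA shows its routing table with "show route" (which is why "show ip route" gave nothing in the thread), so confirm the existing table there before adding anything; and return routes only fix reachability. On an ASA, connections initiated from a lower security-level interface (web_dmz at 60, app_dmz at 61, db_dmz at 62) towards a higher one (inside is 100 by default) still need an access-list permitting them, so after adding the routes, test from hosts on both sides rather than only with pings sourced from the ASA itself.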
10-31-2011 12:18 PM
If the VLANs are located in the same switch, you don't need any static route. I see VLANs 6 and 2 in your routing table.
Where are VLANs 10, 11 and 12 located?
HTH
10-31-2011 12:25 PM
That is the point. I can't find them; I'm new in that company.
I can look for them on the second core switch, or on access switches.
So, what will be the syntax of the command?
ip route [ip of 12, 11 or 10th vlan] [mask] [? which next hop? ] - I don't know what to write instead of the next hop... Is it going to be the address of that switch that holds these VLANs? Which address exactly? It has lots of them...
10-31-2011 12:31 PM
You already have a default route on this switch:
S* 0.0.0.0/0 [1/0] via 192.168.0.253
You need to look at the other switches and do a "sh vlan" and see if they are up and running.
Also "sh ip int bri vlan 12",
"sh ip int bri vlan 11", etc. will show you that.
HTH
10-31-2011 12:34 PM
Thank you, that's helpful.
Can you tell me what to do after I find them? What will be the correct command for the static route?
10-31-2011 12:42 PM
Check to see if you have a default route or a default gateway on that device. If the VLANs are up and up, then that is all you need. Try pinging the VLANs' IP addresses and see if they are all reachable.
HTH
10-31-2011 12:48 PM
At the moment I cannot ping VLAN 6 from VLANs 10, 11, 12...
That's why I've started thinking about static routes that I might be missing...
10-31-2011 12:55 PM
VLAN 6 is up. That is why you see it in the above routing table (your first post). Does the other switch have a default route or default gateway? Are all the other VLANs in this switch, i.e. 3, 4, 1, 5, reachable? What is the output of "sh ip route" from the other switch?
10-31-2011 01:08 PM
The other switch has a default gateway for sure! I thought they were all on this switch, but now I see that they are not.
So I have to look for them on the other switches tomorrow at work. In this switch all VLANs are reachable, for sure!
I'll paste the output tomorrow.
10-31-2011 11:30 PM
Reza, I've checked the other switches and didn't find any static routes on them... Seems like everything is configured on this core switch...
I know the interface names that belong to those VLANs; maybe we can do it by writing interface names instead of the next hop?
11-01-2011 01:33 AM
Are the other switches Layer 2 or Layer 3 switches? Are they all connected to the core switch, or is there a hierarchical design? Is each switch assigned only one VLAN, or do they each hold many VLANs?
11-01-2011 01:50 AM
Here is the topology... It's my 3rd work day, I don't know the structure well...
But as I can ping Vlan 10 and the Vlan for ILO from the core switches, I understand (and see) that they are connected to the core switches physically...
I've noticed that the other VLANs that I need (marked in red) are connected to something else... Looks like an ASA, but not sure...
11-01-2011 01:58 AM
Success, I guess...
I've got this from the ASA:
interface GigabitEthernet0/2
description ****WEB****
nameif web_dmz
security-level 60
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.11
description ****APP_SERVERS****
vlan 11
nameif app_dmz
security-level 61
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3.12
description ****DB_SERVERS****
vlan 12
nameif db_dmz
security-level 62
ip address 192.168.3.1 255.255.255.0
!
interface Management0/0
description LAN/STATE Failover Interface
Seems like I found them... but I don't know what to do next?
11-01-2011 02:11 AM
Well, what device is associated with the IP address 192.168.0.253? Is this IP address pingable? I am assuming that this is the ASA? If it is, does it have routes for the networks attached to it to VLAN 6?
11-01-2011 02:46 AM
Correct, this is the ASA. Yes, I can ping it.
Seems like no, because I can't see them.
The show vlan command gives me something like this: 11-12
The command show ip route doesn't work.
This command worked:
phfwasa01# show ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside **.**.**.** 255.255.255.240 CONFIG
GigabitEthernet0/1 inside 192.168.0.253 255.255.255.0 CONFIG
GigabitEthernet0/2 web_dmz 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3.11 app_dmz 192.168.2.1 255.255.255.0 CONFIG
GigabitEthernet0/3.12 db_dmz 192.168.3.1 255.255.255.0 CONFIG
Management0/0 failover 10.1.1.1 255.255.255.252 unset
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside **.**.**.** 255.255.255.240 CONFIG
GigabitEthernet0/1 inside 192.168.0.253 255.255.255.0 CONFIG
GigabitEthernet0/2 web_dmz 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/3.11 app_dmz 192.168.2.1 255.255.255.0 CONFIG
GigabitEthernet0/3.12 db_dmz 192.168.3.1 255.255.255.0 CONFIG
Management0/0 failover 10.1.1.2 255.255.255.252 unset
But somehow I can ping computers in VLAN 6:
phfwasa01# ping 172.16.30.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
phfwasa01# ping 172.16.30.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
I guess I have to add routes in the ASA...