
Cannot contact devices outside of VLAN

Angelo ANELLO
Level 1

Hi Guys,

I have created a VLAN on one of our switches and assigned it an address.  I have also enabled ip-helper on this interface as we require connectivity to the DHCP server in our domain.  I have set up a static route on the directly connected router for the VLAN n/w to point to the switch hosting the VLAN interface. From our primary router I can ping all required IPs and trace them successfully, however, from a PC that has a DHCP address in the reqd. range, I cannot ping anything outside of its IP range besides the switch IP that is hosting the VLAN.

Our network also uses BGP and I have created this VLAN n/w as a BGP neighbor hoping to add the routes and allow connectivity between networks. Unfortunately it is not working.  I am able to obtain a DHCP address from our DHCP server.  From the DHCP client I can ping the current VLAN gateway and the switch IP that hosts the VLAN int, but that's about it.  I cannot contact our primary router or any other device on any other network.

Below is a snippet of the config I have entered.  Your help is appreciated.

PrimaryRouter (192.168.1.252)#
B     192.168.44.0/24 [20/0] via 10.10.1.xxx, 4d01h

Router2 (192.168.10.252)#
S    192.168.44.0/24 [1/0] via 192.168.10.1
ip route 192.168.44.0 255.255.255.0 192.168.10.1
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.10.0
 network 192.168.44.0  -  current network with issue

Switch1 (192.168.10.1)#
interface Vlan44
 ip address 192.168.44.1 255.255.255.0
 ip helper-address 192.168.1.203
 no ip route-cache

Do I need to set up a static route on our primary router if it is already identified through BGP?

Kind Regards,


Richard Burts
Hall of Fame

Angelo

You have told us some things but not enough for us to accurately identify what is the problem here. If I am understanding correctly then you are telling us that the client does get an IP address via DHCP and that with the DHCP address you are able to communicate with locally connected devices but not with remotely connected devices.

If that understanding is correct then I can think of a couple of possible explanations:

- DHCP is not responding with a correct default router.

- Remote subnets do not have a correct route back to the subnet where the client is located.

Can you confirm for us whether either of these is the case?

HTH

Rick


Hi Rick,

Thanks for your reply.  The current gateway is the VLAN IP address.  This is hosted via the switch it is installed on.  We are currently having an issue with Inter-domain routing.  There are no requirements for remote site configuration.

Currently, we cannot ping VLAN "44" (192.168.44.254) from any device within the same VTP domain.  We have 5 switches currently connected via Trunk ports and config.  Only this VLAN is having an issue.  Only if I create a static route on the two routers directly connected to the switches can I ping the VLAN 44 address.  If I create a static route on our primary router, and I do a Traceroute, there is a routing loop.  It is also not contactable, with or without the route from this router (192.168.1.254).

192.168.1.254 manages BGP routing for 192.168.10.254 & 192.168.2.254 (the two routers that are directly connected to the switch hosting VLAN 44).  Should I update the BGP information to contain the new 44.x network?  Our servers are on the 1.x network and I require the devices on 44.x n/w to be able to contact them and currently they don't.

NOTE:  I have currently removed the 44.x n/w from BGP

Any help is appreciated

Kind Regards,

Message was edited by: Angelo ANELLO

Angelo

Clearly there are layer 3 routing issues that impact the VLAN. If VLAN 44 is not reachable it is probably a routing issue. And if traceroute shows a loop it is certainly a routing issue. We do not have enough information about your network to give you good advice about routing issues. If you can provide better information about the topology and about the routing logic then perhaps we can give better answers.

HTH

Rick


Attached is a portion of our network.  It contains the VTP domain that manages the VLANs.  The routers are using BGP to communicate.  One interface is the internal network, the other interface is the WAN connection to our service provider.

Device 192.168.1.252 is connected to a switch (not in diagram) that manages a separate VTP domain.  This is used for our system environment (SAN, Exchange etc.).  VLAN 44 needs to be able to communicate with the 192.168.1.x network and atm it cannot.

BGP CONFIG 192.168.2.252

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.10.0
 timers bgp 15 45
access-list 71 permit 192.168.10.0 0.0.0.255
access-list 71 permit 192.168.3.0 0.0.0.255
access-list 72 permit any
snmp-server community picasnmp RO
snmp-server ifindex persist
no cdp run
route-map PREPEND_BACKUP permit 10
 match ip address 71
 set as-path prepend 65000 65000
!
route-map PREPEND_BACKUP permit 20
 match ip address 72

BGP CONFIG 192.168.10.252

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.10.0
 timers bgp 15 45
access-list 71 permit 192.168.2.0 0.0.0.255
access-list 72 permit any
snmp-server community picasnmp RO
snmp-server ifindex persist
no cdp run
route-map PREPEND_BACKUP permit 10
 match ip address 71
 set as-path prepend 65000 65000
!
route-map PREPEND_BACKUP permit 20
 match ip address 72
ip route 192.168.44.0 255.255.255.0 192.168.10.2 (switch hosting vlan 44)

BGP CONFIG 192.168.1.252

router bgp 65000
 bgp log-neighbor-changes
 network 192.168.1.0
 timers bgp 15 45
 redistribute connected
 redistribute static
 neighbor 10.10.x.x remote-as 7474
 neighbor 10.10.x.x weight 50
 neighbor 192.168.1.253 remote-as 65000
 neighbor 192.168.1.253 next-hop-self
 default-information originate

SWITCH02 CONFIG 192.168.10.2

Interface Vlan 44
 ip address 192.168.44.254/24
 ip-helper 192.168.1.203

I can ping 192.168.44.254 from router 192.168.10.252 as it has the ip route specified, but not from router 192.168.2.252.

I hope this helps.  If you need anything else, please let me know. 


Angelo

Thanks for the additional information. It does help answer some questions - and it raises some other questions.

Your drawing shows what appear to be some switches that have VLANs 1, 3, and 44 with some trunk ports, perhaps connecting to two of the routers. But it is not clear what VLANs are carried on what trunk ports. Nor is it clear what routers have interfaces in which of the VLANs.

It is also not clear whether the switches are just layer 2 switches or whether they are layer 3 switches. And this makes it difficult to know quite how routing is being done to VLAN 44. One router has a static route with a next hop which you tell us is one of the switches. That implies that it is a layer 3 switch and that it is routing for the VLAN 44. But it is not clear whether this is the case or not.

I cannot tell whether you have omitted some parts of the BGP config that are really in the config or whether some parts are just not configured. For example I notice that on both router 192.168.2.252 and 192.168.10.252 you have some network statements under router bgp but there are no neighbor statements. Whether there are neighbor statements could have an impact on the problem.

Also I notice that the drawing lists network 192.168.44.0 as a private network. I am not sure what that means but it suggests that the network is not being advertised on purpose. And this seems to be the main part of your issue.

What your output seems to show is that the only router that has routing information for 192.168.44.0 is router 192.168.10.252. And that router 192.168.10.252 is not advertising that network to any other router (at least as far as we can tell). If that is the case then it certainly explains why no router, other than 192.168.10.292 is able to access the network 192.168.44.0. If only one router knows a route to the network then that is the only router that can access the network.

HTH

Rick


Hi Rick,

Yes, I have omitted some of the BGP statements with regards to neighbors.  I will attach it below.

So what would be the best option for adding the route so that at least those three routers know about it and how to route to the 44 VLAN?  I didn't think that I had to add a static route on all of the devices.  I assume that with this in mind I wouldn't have to modify the BGP settings to include the 44.x network as it is not required across the entire network.  Is this correct?

The 44.x network is required to be able to traverse across the routers and switches in the diagram but not beyond the 192.168.1.252 router (this is our primary network router).  I have added more config below for your perusal to help address some of your points.

In regards to the trunk ports, they are switch specific only.  There are multiple VLANs on the switches and the trunk ports have been configured to allow traffic across the switches only.  The VLANs used in this scenario have been created as sub interfaces on the routers.  VLAN 1 is for data, VLAN 3 is for VOIP and VLAN 44 is currently required for Data also but we need to separate its traffic from the default VLAN 1.

Router 192.168.2.252 config

interface FastEthernet0/0
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description *** Data ***
 encapsulation dot1Q 1 native
 ip address 192.168.10.253 255.255.255.0 secondary
 ip address 192.168.2.252 255.255.255.0
 ip helper-address 192.168.1.203 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.1.201 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.1-2
 no keepalive
 standby 2 ip 192.168.2.254
 standby 2 priority 105
 standby 2 preempt delay minimum 120
 standby 2 track FastEthernet0/1
 standby 10 ip 192.168.10.254
 standby 10 preempt
!
interface FastEthernet0/0.3
 description *** VOIP ***
 encapsulation dot1Q 3
 ip address 192.168.3.253 255.255.255.0
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.3-3
 standby 3 ip 192.168.3.254
 standby 3 preempt
!
interface FastEthernet0/1
 description **  WAN link ***
 bandwidth 10240
 ip address 10.10.2.253 255.255.255.252
 ip route-cache flow
 speed 100
 full-duplex
 service-policy output Global
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.10.0
 timers bgp 15 45
 neighbor 10.10.2.253 remote-as 7474
 neighbor 10.10.2.253 weight 100
 neighbor 10.10.2.253 route-map PREPEND_BACKUP out
 neighbor 192.168.10.252 remote-as 65000
 neighbor 192.168.10.252 next-hop-self
 neighbor 192.168.10.252 weight 50
 no auto-summary
!
ip forward-protocol nd
ip route 192.168.3.0 255.255.255.0 192.168.10.4
!

Router 192.168.10.252 config

interface FastEthernet0/0
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description *** DATA ***
 encapsulation dot1Q 1 native
 ip address 192.168.2.253 255.255.255.0 secondary
 ip address 192.168.10.252 255.255.255.0
 ip helper-address 192.168.1.203 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.1.201 redundancy hsrp-Fa0/0.1-2
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.1-2
 no keepalive
 standby 2 ip 192.168.2.254
 standby 2 preempt
 standby 10 ip 192.168.10.254
 standby 10 priority 105
 standby 10 preempt delay minimum 120
 standby 10 track FastEthernet0/1
!
interface FastEthernet0/0.3
 description *** VOIP ***
 encapsulation dot1Q 3
 ip address 192.168.3.252 255.255.255.0
 ip helper-address 192.168.3.210 redundancy hsrp-Fa0/0.3-3
 standby 3 ip 192.168.3.254
 standby 3 priority 105
!
interface FastEthernet0/1
 description ** WAN Link ***
 bandwidth 10240
 ip address 10.10.10.254 255.255.255.252
 ip route-cache flow
 speed 100
 full-duplex
 service-policy output Global
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.10.0
 timers bgp 15 45
 neighbor 10.10.10.253 remote-as 7474
 neighbor 10.10.10.253 weight 100
 neighbor 10.10.10.253 route-map PREPEND_BACKUP out
 neighbor 192.168.2.252 remote-as 65000
 neighbor 192.168.2.252 next-hop-self
 neighbor 192.168.2.252 weight 50
 no auto-summary
!

Router 192.168.1.252

router bgp 65000
 bgp log-neighbor-changes
 network 192.168.1.0
 timers bgp 15 45
 redistribute connected
 redistribute static
 neighbor 10.10.1.253 remote-as 7474
 neighbor 10.10.1.253 weight 50
 neighbor 192.168.1.253 remote-as 65000
 neighbor 192.168.1.253 next-hop-self
 default-information originate
ip route 0.0.0.0 0.0.0.0 192.168.1.51
ip route 0.0.0.0 0.0.0.0 192.168.1.253 250
ip route 10.0.0.0 255.255.255.0 192.168.1.51
ip route 192.168.3.0 255.255.255.0 10.10.1.3
ip route 192.168.3.0 255.255.255.0 10.10.1.253
ip route 192.168.7.0 255.255.255.0 192.168.1.124
ip route 192.168.20.0 255.255.255.0 192.168.1.253
!

Kind Regards,

Angelo

Thank you for the additional information. There are several alternatives that you could consider to get this to work as you need it to.

- the most simple alternative is to configure a static route for the 44 network in each of the routers that need to access it.

- another alternative would be to configure some interior routing protocol (something like EIGRP or OSPF, or RIP) between the routers that need to access the 44 network and have the router that has the static route advertise the network to the other routers.

- the most complex alternative would be to modify BGP. You could have the router with the static route advertise the 44 network in BGP. It would be learned by the routers in your diagram. Then you could modify the BGP of the router that connects to the outside and configure a filter (distribute list or prefix list) that prevents advertisement of the 44 network to outside routers.

Any of these could work. But my advice is to configure a static route on the routers that need to access the 44 network.

HTH

Rick


Hi Rick,

I have added the static route to the required routers, however, when I traceroute to the 192.168.44.254 address, there is still a routing loop.  It is also still uncontactable from any router that is not directly connected to it.

It looks like the packet is trying to go out the WAN link to a backup router (omitted from the diagram above) then it comes back in to the WAN interface of the primary 192.168.1.252 router.  I have modified the diagram above to include the WAN links as this is where the loop is occurring.  There is a firewall between the 1.252 and 1.253 routers.
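
An added illustration, not part of the original thread or of anyone's posted configuration: a small longest-prefix-match tracer showing why a router with no specific route to 192.168.44.0/24 hands the packet to its default route, and how two routers that default to each other produce the loop a traceroute reports. The node names (SW2, R10, R2, PRIMARY, BACKUP) and the routing tables are constructed assumptions, a simplified model rather than the poster's real topology.

```python
import ipaddress

LOCAL = "LOCAL"  # marker: destination is on a directly connected subnet

# Constructed routing tables (hypothetical node names, simplified topology):
# only R10 holds a route to 192.168.44.0/24, everyone else uses a default.
TABLES = {
    "SW2":     {"192.168.44.0/24": LOCAL, "0.0.0.0/0": "R10"},
    "R10":     {"192.168.44.0/24": "SW2", "0.0.0.0/0": "PRIMARY"},
    "R2":      {"0.0.0.0/0": "PRIMARY"},
    "PRIMARY": {"192.168.1.0/24": LOCAL, "0.0.0.0/0": "BACKUP"},
    "BACKUP":  {"0.0.0.0/0": "PRIMARY"},
}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=16):
    """Follow next hops from start; returns (path, verdict)."""
    path = [start]
    while len(path) <= max_hops:
        hop = lookup(tables[path[-1]], dst)
        if hop is None:
            return path, "no route"
        if hop == LOCAL:
            return path, "delivered"
        if hop in path:  # revisiting a node means the packet is looping
            return path + [hop], "loop"
        path.append(hop)
    return path, "hop limit"

def add_static(tables, router, prefix, next_hop):
    """Return a copy of tables with one static route added on router."""
    patched = {name: dict(routes) for name, routes in tables.items()}
    patched[router][prefix] = next_hop
    return patched

if __name__ == "__main__":
    for src in ("R10", "R2", "PRIMARY"):
        print(src, trace(TABLES, src, "192.168.44.254"))
    fixed = add_static(add_static(TABLES, "R2", "192.168.44.0/24", "R10"),
                       "PRIMARY", "192.168.44.0/24", "R10")
    for src in ("R2", "PRIMARY"):
        print(src, trace(fixed, src, "192.168.44.254"))
```

In this model a static route only ends the loop if its next hop is a node that itself holds a specific route toward the VLAN; pointing it at a router that still falls back to a default just moves the loop.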