04-01-2008 11:35 AM - edited 03-05-2019 10:07 PM
Hello,
I am having a problem pinging from my vlan to end stations on my network.
A Tracert from my laptop in the vlan shows that the packet stops on the 200 subnet on the router. Vlan is in 200 subnet.
There is only one network and one vlan set up on the router; I am not sure why ping will not go to the other network from the vlan. I can log into the web interface of the router and do a ping from the router specifying that the ping is from the 200 subnet and that adds the .90 subnet address to arp table. Only then am I able to ping from my end station across vlan to the other network client.
I can provide some more info if needed.
JKR
04-01-2008 01:12 PM
Hi Randy,
It would definitely help if you provided the running config of your router, with clearer explanation on the topology of your network:
Are the end users and your laptop on different interfaces of your router?
How did you set up a vlan on the router?
Maybe, it is a layer3 switch?
Thanks:
Istvan
04-01-2008 01:27 PM
As requested (in two Parts) this is Part 1
Current configuration
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no service password-encryption
service sequence-numbers
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip name-server 192.168.90.4
ip dhcp excluded-address 192.168.80.1 192.168.80.99
ip dhcp excluded-address 192.168.80.200 192.168.80.254
ip dhcp excluded-address 192.168.80.1 192.168.80.100
ip dhcp smart-relay
ip dhcp relay information option
no ip dhcp relay information check
ip dhcp relay information trust-all
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.90.65 255.255.255.0
ip access-group 100 in
ip access-group 1 out
ip mask-reply
ip directed-broadcast
ip route-cache flow
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/1
switchport access vlan 3
no ip address
no cdp enable
!
interface FastEthernet0/2
switchport access vlan 3
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/3
switchport access vlan 2
no ip address
shutdown
no cdp enable
interface FastEthernet0/4
switchport access vlan 2
no ip address
shutdown
no cdp enable
interface Vlan1
no ip address
interface Vlan3
description Wireless
ip address 192.168.200.254 255.255.255.0
ip access-group 102 in
ip access-group 102 out
ip helper-address 192.168.90.4
ip mask-reply
ip directed-broadcast
ip dhcp relay information trusted
ip route-cache flow
router rip
passive-interface FastEthernet0/0
passive-interface Vlan1
passive-interface Vlan3
network 192.168.90.0
network 192.168.200.0
no auto-summary
End part 1
04-01-2008 01:28 PM
(Part 2)
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.90.1 permanent
ip route 10.0.0.0 255.255.255.0 192.168.90.49
ip route 10.54.244.0 255.255.255.0 192.168.90.252
ip route 172.16.16.0 255.255.255.0 192.168.90.1
ip route 192.168.70.0 255.255.255.0 192.168.90.252
ip route 192.168.200.0 255.255.255.0 Vlan3
ip http server
ip http authentication local
ip http secure-server
ip access-list standard sdm_vlan1_in
remark SDM_ACL Category=1
permit any
logging trap debugging
logging 192.168.90.226
access-list 1 remark SDM_ACL Category=1
access-list 1 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.80.0 0.0.0.255 any
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.200.254 echo-reply
access-list 101 permit icmp any host 192.168.200.254 time-exceeded
access-list 101 permit icmp any host 192.168.200.254 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.90.0 0.0.0.255 any
access-list 102 permit icmp any host 192.168.200.254 echo-reply
access-list 102 permit icmp any host 192.168.200.254 time-exceeded
access-list 102 permit icmp any host 192.168.200.254 unreachable
access-list 102 permit eigrp any any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip 172.16.0.0 0.15.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip host 0.0.0.0 any
access-list 102 permit ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.90.0 0.0.0.255 any
access-list 103 permit icmp any host 192.168.80.254 echo-reply
access-list 103 permit icmp any host 192.168.80.254 time-exceeded
access-list 103 permit icmp any host 192.168.80.254 unreachable
access-list 103 permit ip 10.0.0.0 0.255.255.255 any
access-list 103 permit ip 172.16.0.0 0.15.255.255 any
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 permit ip host 0.0.0.0 any
access-list 103 permit ip any any log
no cdp run
04-01-2008 07:57 PM
Hi Randy,
What I observed in your configuration is the following:
The below part of access-list 102 effectively does not allow icmp messages to pass through interface vlan3 to the .90 subnet, where your inside network resides:
access-list 102 permit icmp any host 192.168.200.254 echo-reply
access-list 102 permit icmp any host 192.168.200.254 time-exceeded
access-list 102 permit icmp any host 192.168.200.254 unreachable
ICMP messages are allowed to the 192.168.200.254 host only.
So I would remove this part of the access-list.
Secondly, you apply access-list 102 on interface vlan 3 inbound and outbound.
This also creates unnecessary complexities.
Apply access-lists in one direction only on the interface.
Cheers:
Istvan
04-01-2008 11:16 PM
I mean do not apply the same access-list in two different directions on the same interface.
Cheers:
Istvan
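A first-match walk through access-list 102 as posted in the thread, showing which entry decides a given packet. This is an added example, not part of any poster's message; the evaluator is a simplified model that matches only protocol, source, destination and the ICMP type keyword, and the function names are made up for this sketch.

```python
import ipaddress

# access-list 102 exactly as posted in the thread (remark lines omitted).
ACL_102 = """\
permit ip 192.168.90.0 0.0.0.255 any
permit icmp any host 192.168.200.254 echo-reply
permit icmp any host 192.168.200.254 time-exceeded
permit icmp any host 192.168.200.254 unreachable
permit eigrp any any
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
permit ip host 255.255.255.255 any
permit ip host 0.0.0.0 any
permit ip any any log
"""

def _addr(tokens):
    # Consume one address spec and return (base, wildcard) as integers.
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        action, proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        icmp_type = next((x for x in t if x != "log"), None)
        rules.append((line, action, proto, src, dst, icmp_type))
    return rules

def _hit(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, icmp_type=None):
    """Return (action, matching entry); first match wins, implicit deny last."""
    for line, action, rproto, rsrc, rdst, rtype in rules:
        if rproto not in ("ip", proto) or (rtype and rtype != icmp_type):
            continue
        if _hit(src, rsrc) and _hit(dst, rdst):
            return action, line
    return "deny", "(implicit deny)"

RULES = parse(ACL_102)
```

Calling `evaluate(RULES, "icmp", "192.168.200.10", "192.168.90.4", "echo")` with constructed addresses returns the entry that decides an echo request from the Vlan3 subnet to the .90 subnet; entries after the first match are never consulted.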
04-01-2008 06:27 PM
ok, does this 1760 have a 4 port switch module? and are all end stations connected to these ports?
Could you copy the output of the following commands
sh vlan brief
sh int
Can you confirm the endpoints are correctly receiving an IP address on this VLAN?