04-13-2010 06:58 PM - edited 03-06-2019 10:36 AM
We are using a Cisco 871 in our data center, which is configured with two VLANs as follows:
- VLAN1 contains FastEthernet0, 1, and 2, has an IP address of 192.168.1.1, and is associated with network 192.168.1.0/24
- VLAN2 contains FastEthernet3, has an IP address of 192.168.101.1, and is associated with network 192.168.101.0/24
At present, I am able to ping all devices on both subnets from the Cisco router. However, from a machine that is connected to the 192.168.1.0 network, I can only ping 192.168.101.1 (the IP address of VLAN2). Ideally, I would like to be able to access any IP address on the 192.168.101.0 network when using a computer that is connected to the 192.168.1.0 network, and vice versa. Does anyone have any idea how this can be accomplished?
Any help would be greatly appreciated!
Best Regards,
Steven
04-13-2010 07:00 PM
What's the config for both?
04-13-2010 07:40 PM
Here are the configs for both Vlans:
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Vlan2
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 192.168.1.0 255.255.255.0 Vlan1 permanent
-------------------------
Is this what you were looking for? If you require more information, please let me know.
04-13-2010 07:14 PM
It sounds like you're trying to PING PCs and it's not working. Make sure that they do not have a firewall enabled.
Victor
04-13-2010 07:43 PM
Hi Victor,
Actually, the devices I am trying to ping are not computers but IP phones, and as such they have no firewall. Also, I am able to ping these phones from any machine that resides on the 192.168.101.0 network, and I can ping these phones from the Cisco, so I don't think it's a firewall issue.
Also, there is no firewall currently set up on the Cisco. Perhaps it's an ACL problem?
04-13-2010 08:32 PM
Can you post the "sh run" of both routers?
04-13-2010 08:42 PM
Yes, please post the configs...
04-13-2010 08:49 PM
Thanks for your reply. Just to clarify, there is only one router (with two VLANs) in this configuration. The sh run of this router is as follows:
Building configuration...
Current configuration : 21858 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Engineering
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$c03E$wjKfvdU9usL1o5lJkJ/ij.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone jst 9
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool sdm-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.9 192.168.1.200
lease 0 8
!
!
ip cef
ip name-server 202.224.32.2
ip name-server 202.224.32.1
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
description $ETH-WAN$
ip address dhcp client-id FastEthernet4
ip mtu 1454
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip mtu 1454
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer redial interval 30 attempts 1000 re-enable 300
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ********
ppp chap password 0 ********
ppp pap sent-username ********
!
ip local pool SDM_POOL_1 192.168.9.101 192.168.9.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
ip route 192.168.1.0 255.255.255.0 Vlan1 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
logging 192.168.1.200
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.9.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CCCC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege
level of 15.
Please change these publicly known initial credentials using SDM or the IOS
CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
use.
For more information about SDM please follow the instructions in the QUICK
START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end
-------------------------
Thanks for your help! If you have any other questions, please let me know.
Steven
04-13-2010 09:07 PM
Where's your route for VLAN2?
04-13-2010 09:30 PM
I just ran the following command from the router CLI:
ip route 192.168.101.0 255.255.255.0 Vlan2 permanent
However, I still cannot ping any 192.168.101.0 devices from the 192.168.1.0 network. Is the above command what you had in mind? If not, please let me know.
Thanks,
Steven
04-13-2010 09:57 PM
Hi Steven,
If you are able to ping the IP phones from the router itself, layer 2 reachability is there. I assume the subnet for the IP phones is 192.168.101.0/24 based on your explanation. If so, I can see the IP phones are not getting their IP addresses from the router, as there is no pool configured for the 192.168.101.0/24 subnet, so I am not sure the IP phones are using the correct default gateway. You have to use 192.168.101.1 as the default gateway on the IP phones if that is your assumed gateway; only then can they reach networks beyond their own.
Regards,
Shahal.
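The default-gateway behaviour described in the reply above, modelled as an added example (not part of the original thread). The phone and PC addresses are constructed; 192.168.101.252 is the gateway the original poster later says the phones were using, and the model assumes the router sources its own pings from its Vlan2 address.

```python
import ipaddress

ROUTER_VLAN2 = "192.168.101.1"    # Vlan2 address from the posted config
OTHER_GW = "192.168.101.252"      # gateway the phones were using, per the thread
PHONE = "192.168.101.50"          # constructed phone address
PC_VLAN1 = "192.168.1.50"         # constructed PC address on the Vlan1 subnet


def host_next_hop(host_ip, prefix_len, default_gw, dst):
    """Next hop an end host with a single default gateway picks for dst.

    Returns "on-link" when dst is inside the host's own subnet (delivered
    directly after ARP); otherwise the configured default gateway.
    """
    network = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    if ipaddress.ip_address(dst) in network:
        return "on-link"
    return default_gw


def reply_path(phone_gw, ping_source):
    """Where the phone sends its echo reply for a ping from ping_source."""
    hop = host_next_hop(PHONE, 24, phone_gw, ping_source)
    if hop == "on-link":
        return "direct"             # same subnet, no gateway involved
    if hop == ROUTER_VLAN2:
        return "via-871"            # the 871 has both subnets connected
    return "via-other-gateway"      # reply leaves through a different device


def outcomes(phone_gw):
    """Reply paths for the two pings tried in the thread."""
    return {
        "ping from the 871 itself": reply_path(phone_gw, ROUTER_VLAN2),
        "ping from a PC on 192.168.1.0/24": reply_path(phone_gw, PC_VLAN1),
    }


if __name__ == "__main__":
    for gw in (OTHER_GW, ROUTER_VLAN2):
        print(f"phone default gateway = {gw}")
        for case, path in outcomes(gw).items():
            print(f"  {case}: reply goes {path}")
```

With the phone's gateway set to 192.168.101.252, only the router's own ping is answered on-link; the reply to the PC is handed to a device other than the 871.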
04-14-2010 12:53 AM
I changed the gateway of one phone to 192.168.101.1, and then I was able to ping it from a machine on the 192.168.1.0 network! Thanks for that!
However, now I have run into a different problem. The phone was previously using 192.168.101.252 as its gateway in order to communicate with the SIP network, which resides at IP address 220.157.32.78. This IP address is only accessible through gateway 192.168.101.252. Since the gateway value on the phone has now been changed to 192.168.1.1, the phone is no longer able to access 202.157.32.78 through SIP gateway 192.168.101.252. In an attempt to overcome this, I created a static route using the following CLI command:
ip route 220.157.32.78 255.255.255.255 192.168.101.252 permanent
However, this did not seem to have any effect. Is it possible to configure the Cisco router to always route traffic directed at 202.157.32.78 through 192.168.101.252?
Thanks for your help!
Steven