The UC has all the 3 vlans set up inside of it and there is a gateway on UC of 192.168.2.50 which is the firewall. It's the default gateway on vlan 1 network.

UC can communicate with the firewall fine, the problem I am having is a server on 192.168.4.251 talking to a device on 192.168.4.1 IP address. These devices are both on the same switch and have a default gateway of 4.250.

I can ping 192.168.4.1 from UC560 but I cannot ping 192.168.4.251.

I have also added a static route of 192.168.4.0 255.255.255.0 gateway 192.168.2.250 on 192.168.4.251 windows server, this allowed me to start pinging the vlan 4 network.

get the following outputs

sh ip route

sh int vlan

get the sh run from the switch and the UC .

Shine

From the UC

Gateway of last resort is 192.168.2.50 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.2.50

      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks

C        10.1.1.0/24 is directly connected, Vlan100

L        10.1.1.1/32 is directly connected, Vlan100

C        10.1.10.0/30 is directly connected, Vlan90

S        10.1.10.1/32 is directly connected, Vlan90

L        10.1.10.2/32 is directly connected, Vlan90

      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.2.0/24 is directly connected, Vlan1

L        192.168.2.250/32 is directly connected, Vlan1

      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.4.0/24 is directly connected, Vlan4

L        192.168.4.250/32 is directly connected, Vlan4

Vlan1 is up, line protocol is up

  Hardware is EtherSVI, address is 588d.093b.4f62 (bia 588d.093b.4f62)

  Description: $FW_INSIDE$

  Internet address is 192.168.2.250/24

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive not supported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 3000 bits/sec, 3 packets/sec

  5 minute output rate 3000 bits/sec, 3 packets/sec

     990104 packets input, 145182027 bytes, 0 no buffer

     Received 364422 broadcasts (649 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     1199493 packets output, 169793606 bytes, 0 underruns

     0 output errors, 1 interface resets

     98898 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

Vlan4 is up, line protocol is up

  Hardware is EtherSVI, address is 588d.093b.4f62 (bia 588d.093b.4f62)

  Description: wireless$FW_INSIDE$

  Internet address is 192.168.4.250/24

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive not supported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 2000 bits/sec, 2 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     1201100 packets input, 157197294 bytes, 0 no buffer

     Received 238452 broadcasts (7 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     382629 packets output, 81876896 bytes, 0 underruns

     0 output errors, 1 interface resets

     4557 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

Vlan100 is up, line protocol is up

  Hardware is EtherSVI, address is 588d.093b.4f62 (bia 588d.093b.4f62)

  Description: $FW_INSIDE$

  Internet address is 10.1.1.1/24

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive not supported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output never, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 1000 bits/sec, 2 packets/sec

  5 minute output rate 1000 bits/sec, 1 packets/sec

     1165656 packets input, 75015139 bytes, 0 no buffer

     Received 52248 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     1566987 packets output, 129381141 bytes, 0 underruns

     0 output errors, 1 interface resets

     126 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

I cannot get access to the switches at the moment as I am waiting for the other IT company to provide me with VPN to them.

This seems to be your topology.

VLAN1, VLAN4, VLAN 100 -----> UC -----> FW -----> Internet

Well as long as your clients have the appropriate gateway configured for their VLANs, they should go to the UC as their default gateway, so all remote destination packets should go to the UC. From there you have a static route configured for 192.168.2.50.

What vlans are currently having trouble accessing the internet?

I did notice that VLAN1 has a default default of 192.168.2.50 per your first post. If VLAN1 wants to communicate with anything outside of its local network it will have to go to the FW first, since that's it's default gateway, the FW will then have to have routes configured to go to the whatever local subnet you want to communicate with. So, for VLAN2 to communicate with VLAN4, it will have to go from VLAN2 -> FW -> back to UC -> Then to client. It looks like inefficient routing. The packet will have to go out the interface it came in on the FW to get back to its destination. Depending on how you have the rest of your entire network setup, you may want to set the default gateway for VLAN1, to the UC, then the UC will have a default static route to 192.168.2.50, which is the FW.

When you're own VLAN4, do a traceroute to 8.8.8.8 and post the results if you don't mind.

Hi John,

Devices on vlan 1 have default gateway of 192.168.2.50 (firewall) and devices on vlan 4 have default gateway of 192.168.4.250 (UC). Is this wrong then?

VLAN 4 devices are the ones which are struggling to get internet access. I believe the static route for 192.168.4.0/24 to 192.168.2.250 has been deleted from the firewall (192.168.2.50).

Anyway this is the tracert from the UC which has access to the internet.

Tracing the route to google-public-dns-a.google.com (8.8.8.8)

  1 192.168.2.50 0 msec 0 msec 4 msec

  2 host81-142-246-129.in-addr.btopenworld.com (81.142.246.129) 0 msec 0 msec 4                               msec

  3 host81-134-96-1.in-addr.btopenworld.com (81.134.96.1) 12 msec 16 msec 12 mse                              c

  4 213.120.182.141 12 msec 12 msec 12 msec

  5 213.120.161.82 12 msec 12 msec 12 msec

  6 217.41.222.78 12 msec 12 msec 12 msec

  7 217.41.222.178 12 msec 12 msec 12 msec

  8 acc1-10gige-0-5-0-4.bm.21cn-ipp.bt.net (109.159.248.96) 12 msec

    acc1-10gige-0-1-0-6.bm.21cn-ipp.bt.net (109.159.248.94) 16 msec

    acc1-10gige-0-0-0-4.bm.21cn-ipp.bt.net (109.159.248.66) 12 msec

  9 core2-te-0-13-0-4.ilford.ukcore.bt.net (109.159.248.10) 20 msec

    core2-te-0-2-5-0.ilford.ukcore.bt.net (109.159.248.2) 20 msec

    core1-te0-13-0-4.ealing.ukcore.bt.net (109.159.248.8) 24 msec

Devices on vlan 1 have default gateway of 192.168.2.50 (firewall) and devices on vlan 4 have default gateway of 192.168.4.250 (UC). Is this wrong then?

- It's not really wrong, you just need routes back your local subnets from 192.168.2.50(which is your FW). But from a network design perspective, For VLAN1 to communicate with any of the inside networks, it will go to the FW first, since it's default gateway is 192.168.2.50, and then it will have to have routes on the FW back to the internal subnets. So, in theory it will work just fine it just may not be the best network design scenario. If you configured VLAN1 default gateway to be on the UC, then it would already have static routes to all the internal subnets, and then from there, if it wants to communicate with the internet, it

will go to the FW. THe traffic flow will be like VLAN1 --> UC(local routes) --> FW --> Internet.

VLAN 4 devices are the ones which are struggling to get internet access. I believe the static route for 192.168.4.0/24 to 192.168.2.250 has been deleted from the firewall (192.168.2.50).

If that is the case then, VLAN4 will be able to send packets out to the internet, but when it comes back to the firewall, the firewall will not have a route to 192.168.4.0, so it will not be able to reply to VLAN4. Was that traceroute done from a client PC on VLAN4?

I had TeamViewer access to the server on 192.168.4.251 IP and as soon as I took the default gateway off from the second LAN adaptor which was connecting to only vlan1, it threw me off it. School boy error!

Once the IT department gets me VPN access I should be able to get back and do those traceroutes for you.

Also, I should be able to access the 192.168.4.251 from the UC shouldn't i? As they are on the same vlan and 192.168.4.251 has gateway of the UC. I am getting no ping reply from .4.251

Well if you are trying to ping from the UC, I believe it is using the managment vlan to ping, so it would be VLAN2 to VLAN4, which is one of the issues yo uare having, so that may be why it's not working.

Try to ping 4.254 with a source of another vlan interface on the UC and see what happends.

Getting no reply from 192.168.4.251 at all. I do get one from 192.168.4.1. Perhaps the network settings have been set up wrong or I forgot to add the default Gateway!

If they're on the same network they will communicate via ARP.  Could be a L2 misconfiguration some where.