04-03-2012 12:34 PM - edited 03-07-2019 05:56 AM
Hi,
We have 2 internet connections: one for production and one as a backup. The backup connection will be used for allowing guest visitors on a wireless network that is on a separate VLAN.
We have the following networks:
VLAN 1 production, 192.168.1.0
VLAN 10 backup internet connection, 192.168.100.0, Interface 100.2
VLAN 41 wireless guests, 192.168.41.0, interface 41.1
VLAN routing provided by Dell 6224 switch and other switching is Cisco 2970 (L2) switches.
Backup Internet router is SMC (Comcast)
I would like to allow clients on VLAN 41 to access the internet connection in VLAN 10 at 192.168.100.1. Clients on VLAN 41 can PING and trace to the default gateway 100.1. VLAN 41 clients are also able to get DHCP info from VLAN 1. NSlookup fails when using the ISP DNS servers. NSlookup is successful when using our internal DNS servers, but web pages are not returned. It eventually fails.
We've tried to set the DFGW on the clients to both 41.1 and 100.1 with no success.
100.2 knows where to find the 41.1 interface for the 41.0 network.
The router/gateway can PING the clients on VLAN 41, 192.168.41.0 network and vice versa.
It seems like the clients are not able to get through 100.1 to the internet or the gateway/router doesn't know how to get packets back to the clients.
A static entry was made on the router that mapped back to the next hop at 100.2. 1
Someone alluded to a NAT issue, where the returning packets have information for the 100.0 network only and the internet router doesn't know to send the packets through to the 41.1 interface to the clients.
Any ideas what might cause this behavior?
thanks.
04-09-2012 06:01 AM
It looks like you have the routing setup working, as you can ping from the backup gateway to the client and from the client to the backup gateway. I would agree that the SMC box doesn't know anything about the .41 network and only knows the directly connected network of .100, and most probably NAT is not kicking in for the additional .41 network.
There are few ways you can work around this:
1. Get a device which can support multiple internal networks (Cisco gear, maybe!)
2. Separate the wireless guest access entirely onto the backup internet connection, in a single subnet separate from your production traffic. This is the safer option for you.
Even if you get the wireless guest working through the single L3 core switch, you will have a problem directing the production subnet to one internet gateway and the wireless subnet to another gateway as default routes, unless you can do some sort of source-based routing, which requires some advanced gear.
You are limited to above two options.
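The two gaps this reply points to (no NAT for the .41 network on the edge device, and no source-based routing on the core), sketched as an added Cisco IOS configuration that is not part of the original thread. It assumes IOS devices in place of the SMC router and the Dell 6224, /24 masks on all three networks, and hypothetical interface, ACL and route-map names.

```cisco
! === Edge router on the backup link (assumed IOS device, replaces the SMC) ===
! Interface names are hypothetical.
interface GigabitEthernet0/0
 description Backup ISP uplink
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1
 description VLAN 10 transit towards the L3 switch
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! Return path: the guest subnet sits behind the L3 switch at 192.168.100.2.
! This alone explains why ping between router and clients works.
ip route 192.168.41.0 255.255.255.0 192.168.100.2
!
! NAT scope: translating only the connected 192.168.100.0 network leaves
! guest traffic untranslated, so replies from the internet never return.
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 permit 192.168.41.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! === L3 core switch (assumed IOS device with policy-based routing) ===
! Source-based routing: only guest traffic leaving the site is steered to
! the backup gateway. The deny line means "do not policy-route", so traffic
! to internal 192.168.x.x networks still follows the normal routing table.
ip access-list extended GUEST-TO-INTERNET
 deny   ip 192.168.41.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.41.0 0.0.0.255 any
!
route-map GUEST-PBR permit 10
 match ip address GUEST-TO-INTERNET
 set ip next-hop 192.168.100.1
!
interface Vlan41
 description Wireless guests
 ip address 192.168.41.1 255.255.255.0
 ip policy route-map GUEST-PBR
```

The production default route on the core switch stays untouched; `show route-map GUEST-PBR` on the switch and `show ip nat translations` on the edge router confirm that guest packets are being matched and translated.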
04-09-2012 06:17 AM
Thank you for the reply.
As a temporary workaround, I moved the guest wireless to the .100.0 network, just so we can get the ball rolling for visiting guests.
We can change the SMC modem/router to a bridge for passing data only. Need the ISP to make the change.
We have an ASA 5505, but want to upgrade our 5510 to the latest model and IOS and use the older 5510 on the backup internet connection.
I believe the ASA firewall can do VLANs; in fact, it's required when setting up the inside and outside interfaces...at least to some degree.
Thanks again.
Vince