02-01-2021 10:35 AM
Hi, I have a 3750 switch, three 2960 switches and a Kerio firewall.
IP range of 2960 switches: 10.10.31.0/24, 10.10.32.0/24, 10.10.41.0/24
DMZ IP Range: 10.10.10.0/24
LAN IP Range: 10.10.12.0/24
WAN IP Range: 180.140.32.0/24
IP Kerio: 10.10.10.2
Computers on the LAN can see each other, but they do not have access to the server, and they do not see the DMZ or the WAN.
I defined a VLAN for the DMZ and a separate VLAN for the LAN, and a VLAN for each of the 2960 switches, which give devices IP addresses through DHCP.
Thanks for pointing me to how I can modify the config.
I attached the config I used below.
3750:
enable
configure terminal
hostname SW-Core
ip default-gateway 10.10.10.2
ip domain-name ********
vtp mode server
vtp domain ********
vtp version 2
vtp pruning
enable secret ********
line vty 0 15
 password ********
 login
 exit
line console 0
 password ********
 login
 exit
vlan 10
 name DMZ
 exit
vlan 12
 name CORE
 exit
vlan 31
 name F3N
 exit
vlan 32
 name F3S
 exit
vlan 41
 name F4N
 exit
interface vlan 10
 ip address 10.10.10.11 255.255.255.0
 no shutdown
 exit
interface vlan 12
 ip address 10.10.12.1 255.255.255.0
 no shutdown
 exit
interface vlan 31
 ip address 10.10.31.1 255.255.255.0
 no shutdown
 exit
interface vlan 32
 ip address 10.10.32.1 255.255.255.0
 no shutdown
 exit
interface vlan 41
 ip address 10.10.41.1 255.255.255.0
 no shutdown
interface range gigabitEthernet 1/0/1-6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-99
 no shutdown
 exit
interface range gigabitEthernet 1/0/7-9
 switchport mode access
 switchport access vlan 10
 no shutdown
 exit
interface range gigabitEthernet 1/0/10-12
 switchport mode access
 switchport access vlan 12
 no shutdown
 exit
interface range gigabitEthernet 1/0/13-28
 shutdown
 exit
ip dhcp pool DMZ
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.11
 dns-server 10.10.10.2
 lease 8
 exit
ip dhcp pool CORE
 network 10.10.12.0 255.255.255.0
 default-router 10.10.12.1
 dns-server 10.10.10.10
 lease 8
 exit
ip dhcp pool F3N
 network 10.10.31.0 255.255.255.0
 default-router 10.10.31.1
 dns-server 10.10.10.10
 lease 8
 exit
ip dhcp pool F3S
 network 10.10.32.0 255.255.255.0
 default-router 10.10.32.1
 dns-server 10.10.10.10
 lease 8
 exit
ip dhcp pool F4N
 network 10.10.41.0 255.255.255.0
 default-router 10.10.41.1
 dns-server 10.10.10.10
 lease 8
 exit
ip routing
ip dhcp excluded-address 10.10.10.1 10.10.10.12
ip dhcp excluded-address 10.10.12.1 10.10.12.10
ip dhcp excluded-address 10.10.31.1 10.10.31.10
ip dhcp excluded-address 10.10.32.1 10.10.32.10
ip dhcp excluded-address 10.10.41.1 10.10.41.10
exit
write
2960:
enable
configure terminal
hostname SW-F3N
vtp mode client
vtp domain ********
ip default-gateway 10.10.31.1
enable secret ********
line vty 0 15
 password ********
 login
 exit
line console 0
 password ********
 login
 exit
interface gigabitEthernet 0/24
 switchport mode trunk
 no shutdown
 exit
interface range gigabitEthernet 0/21-23
 shutdown
 exit
interface range gigabitEthernet 0/1-20
 switchport mode access
 switchport access vlan 31
 no shutdown
 exit
interface vlan 1
 no ip address
 shutdown
 exit
interface vlan 31
 ip address 10.10.31.2 255.255.255.0
 no shutdown
 exit
exit
write
02-01-2021 11:37 AM
Hello,
the configs look good. The only thing that needs to be removed is:
hostname SW-Core
--> no ip default-gateway 10.10.10.2
Are the Vlan interfaces up/up ? Post the output of:
sh ip int brief
from the core switch.
02-02-2021 02:28 AM
Thanks for your answer. I executed the command you said, and now I can ping the LAN computers through Kerio, but I can't ping the DMZ servers, or even Kerio, from the LAN computers. Do I have to write a specific route? I entered
ip route 0.0.0.0 0.0.0.0 VLan 10 10.10.10.2
I did it in 3750 but it didn't work.
I have added the results of the tracert command for two ranges (DMZ and WAN) and the output of the command you mentioned.
SW-Core#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES unset  up                    up
Vlan10                 10.10.10.11     YES manual up                    up
Vlan12                 10.10.12.1      YES manual up                    up
Vlan31                 10.10.31.1      YES manual up                    up
Vlan32                 10.10.32.1      YES manual up                    up
Vlan41                 10.10.41.1      YES manual up                    up
Vlan42                 10.10.42.1      YES manual up                    up
Vlan51                 10.10.51.1      YES manual up                    up
Vlan52                 10.10.52.1      YES manual up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/3   unassigned      YES unset  down                  down
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
GigabitEthernet1/0/5   unassigned      YES unset  down                  down
GigabitEthernet1/0/6   unassigned      YES unset  down                  down
GigabitEthernet1/0/7   unassigned      YES unset  down                  down
GigabitEthernet1/0/8   unassigned      YES unset  down                  down
GigabitEthernet1/0/9   unassigned      YES unset  up                    up
GigabitEthernet1/0/10  unassigned      YES unset  down                  down
GigabitEthernet1/0/11  unassigned      YES unset  down                  down
GigabitEthernet1/0/12  unassigned      YES unset  up                    up
GigabitEthernet1/0/13  unassigned      YES unset  administratively down down
GigabitEthernet1/0/14  unassigned      YES unset  administratively down down
GigabitEthernet1/0/15  unassigned      YES unset  administratively down down
GigabitEthernet1/0/16  unassigned      YES unset  administratively down down
GigabitEthernet1/0/17  unassigned      YES unset  administratively down down
GigabitEthernet1/0/18  unassigned      YES unset  administratively down down
GigabitEthernet1/0/19  unassigned      YES unset  administratively down down
GigabitEthernet1/0/20  unassigned      YES unset  administratively down down
GigabitEthernet1/0/21  unassigned      YES unset  administratively down down
GigabitEthernet1/0/22  unassigned      YES unset  administratively down down
GigabitEthernet1/0/23  unassigned      YES unset  administratively down down
GigabitEthernet1/0/24  unassigned      YES unset  administratively down down
GigabitEthernet1/0/25  unassigned      YES unset  administratively down down
GigabitEthernet1/0/26  unassigned      YES unset  administratively down down
GigabitEthernet1/0/27  unassigned      YES unset  administratively down down
GigabitEthernet1/0/28  unassigned      YES unset  administratively down down
tracert 10.10.10.2 (Firewall)
Tracing route to 10.10.10.2 over a maximum of 5 hops
  1    <1 ms    <1 ms    <1 ms  10.10.31.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
Trace complete.
tracert 172.80.10.1 (WAN)
Tracing route to 172.20.1.1 over a maximum of 5 hops
  1    <1 ms    <1 ms    <1 ms  10.10.31.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
Trace complete.
02-02-2021 03:49 AM
Hello,
at this point it gets confusing what works and what does not work. Post a drawing of your topology including all devices and IP addresses, and how they are connected.
02-03-2021 05:16 AM
I posted
02-02-2021 04:59 AM - edited 02-02-2021 05:26 AM
Sorry for the bad drawing.
Kerio Routing Table :
02-03-2021 06:04 AM
Hello,
the drawing is very good actually !
Make sure all VLANs actually exist on the core switch. When you issue the command 'sh vlan', all VLANs should be listed. If they are not there, you might have to create them manually, e.g.:
SW-Core#conf t
SW-Core(config)#vlan 10
Also, make sure that both the PC and the Kerio use the IP address of the respective SVI of the core switch as the default gateway:
Kerio default gateway
--> 10.10.10.11
PC default gateway
--> 10.10.31.1
02-03-2021 06:57 AM
This is exactly the problem. Kerio uses the WAN address as its gateway. The other servers use the Kerio DMZ IP as their gateway (10.10.10.2). But VLAN 10 has its own gateway (10.10.10.11) and VLAN 12 has its own gateway (10.10.12.1).
Now the computers connected to a 2960 switch, which is in turn connected to the core switch via a trunk, cannot see the DMZ.
02-03-2021 07:15 AM
On the core switch, the ports are as follows:
Ports 1 to 6: trunks for connecting the 2960 switches, each with its own DHCP pool and gateway
(10.10.31.1, 10.10.32.1, 10.10.41.1)
Ports 7-9: intended for use by the DMZ, with gateway 10.10.10.11
Ports 10-12: intended for the LAN.
On the server:
Nic0: LAN
Nic1, 2: DMZ
Nic3: WAN
In ESXi:
The servers installed on ESXi use the VLAN 10 IP range, assigned manually, but with Kerio as the gateway (10.10.10.2).
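The post above describes the gateway mismatch: hosts on the 2960 VLANs use the core's SVI as their gateway, while Kerio and the DMZ servers use Kerio (10.10.10.2), and Kerio itself defaults to the WAN. The following hop-by-hop routing model is an added example, not code from the thread and not a Kerio or Cisco tool. It uses the subnets, SVI addresses and the Kerio DMZ address from the thread; the host addresses (10.10.31.5, 10.10.10.20, 10.10.12.50), Kerio's LAN and WAN addresses, and the upstream WAN router are constructed assumptions, and Kerio's routing table (shown only as an image on the page) is modelled as "connected DMZ and LAN, default to the WAN" with no entry for the 10.10.31.0/24, 10.10.32.0/24 and 10.10.41.0/24 subnets. Under those assumptions the forward path from an F3N PC to Kerio or a DMZ server succeeds (the core has the subnets as connected routes), but the reply is sent toward the WAN and never returns, which is exactly what a tracert that reaches 10.10.31.1 and then times out looks like. The `kerio_has_internal_route` flag adds one route on Kerio, 10.10.0.0/16 via 10.10.10.11, to show the return path closing; whether the real firewall additionally filters that traffic is outside the model.

```python
"""Constructed hop-by-hop routing model of the topology described in the
thread (added example; not the poster's configs, not Kerio's real table)."""
import ipaddress

# Device names and addresses. Core SVIs, the Kerio DMZ address and the
# subnets come from the thread; the host addresses, Kerio's LAN/WAN
# addresses and the WAN next hop are assumptions chosen for the model.
CORE, KERIO, PC, SRV, LANPC = "SW-Core", "Kerio", "PC-F3N", "DMZ-server", "LAN-PC"
PC_IP, SRV_IP, LANPC_IP = "10.10.31.5", "10.10.10.20", "10.10.12.50"
KERIO_DMZ, KERIO_LAN, KERIO_WAN = "10.10.10.2", "10.10.12.2", "180.140.32.10"
WAN_GW = "180.140.32.1"          # assumed upstream router, outside the model


def route(prefix, via=None):
    """A routing-table entry; via=None means directly connected."""
    return (ipaddress.ip_network(prefix), via)


def lookup(table, dst):
    """Longest-prefix match. Returns (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def build(kerio_has_internal_route):
    """Topology as described: the core routes between its SVIs and defaults
    to Kerio; Kerio defaults to the WAN. The flag adds the one route the
    poster's description implies Kerio lacks: the 10.10.x.x VLANs via the
    core's VLAN 10 SVI (an assumption of this model)."""
    core = [route("10.10.10.0/24"), route("10.10.12.0/24"), route("10.10.31.0/24"),
            route("10.10.32.0/24"), route("10.10.41.0/24"),
            route("0.0.0.0/0", via=KERIO_DMZ)]
    kerio = [route("10.10.10.0/24"), route("10.10.12.0/24"),
             route("180.140.32.0/24"), route("0.0.0.0/0", via=WAN_GW)]
    if kerio_has_internal_route:
        kerio.append(route("10.10.0.0/16", via="10.10.10.11"))
    return {
        CORE:  {"addrs": {"10.10.10.11", "10.10.12.1", "10.10.31.1",
                          "10.10.32.1", "10.10.41.1"}, "table": core},
        KERIO: {"addrs": {KERIO_DMZ, KERIO_LAN, KERIO_WAN}, "table": kerio},
        # Hosts: the F3N PC uses its SVI (DHCP pool F3N); the DMZ server uses
        # Kerio, as the poster says; the LAN PC uses the CORE pool's SVI.
        PC:    {"addrs": {PC_IP},
                "table": [route("10.10.31.0/24"), route("0.0.0.0/0", via="10.10.31.1")]},
        SRV:   {"addrs": {SRV_IP},
                "table": [route("10.10.10.0/24"), route("0.0.0.0/0", via=KERIO_DMZ)]},
        LANPC: {"addrs": {LANPC_IP},
                "table": [route("10.10.12.0/24"), route("0.0.0.0/0", via="10.10.12.1")]},
    }


def walk(devices, start, dst, max_hops=8):
    """Forward one packet from device `start` toward IP `dst`.
    Returns (delivered, hops); on failure the last hop names the reason."""
    owners = {ip: name for name, d in devices.items() for ip in d["addrs"]}
    hops, cur = [], start
    for _ in range(max_hops):
        hops.append(cur)
        if dst in devices[cur]["addrs"]:
            return True, hops
        match = lookup(devices[cur]["table"], dst)
        if match is None:
            return False, hops + ["no route"]
        net, via = match
        if via is None:                      # connected subnet: deliver directly
            if dst in owners:
                return True, hops + [owners[dst]]
            return False, hops + [f"no host {dst} on {net}"]
        if via not in owners:                # next hop is outside the model (WAN)
            return False, hops + [f"sent to {via} (outside the LAN)"]
        cur = owners[via]
    return False, hops + ["hop limit"]


def round_trip(devices, a_name, a_ip, b_name, b_ip):
    """Both directions of a ping; returns (forward_ok, return_ok)."""
    return walk(devices, a_name, b_ip)[0], walk(devices, b_name, a_ip)[0]


if __name__ == "__main__":
    for flag in (False, True):
        net = build(flag)
        print("Kerio has route for 10.10.0.0/16 via 10.10.10.11:", flag)
        print("  F3N PC <-> Kerio      :", round_trip(net, PC, PC_IP, KERIO, KERIO_DMZ))
        print("  F3N PC <-> DMZ server :", round_trip(net, PC, PC_IP, SRV, SRV_IP))
        print("  LAN PC <-> Kerio      :", round_trip(net, LANPC, LANPC_IP, KERIO, KERIO_LAN))
        print("  reply Kerio -> F3N PC :", walk(net, KERIO, PC_IP)[1])
```

Running it shows the LAN PC and Kerio reaching each other in both directions without the extra route (they share 10.10.12.0/24, matching the poster's "I can ping LAN computers through Kerio"), while the F3N PC's traffic arrives at Kerio and at the DMZ server but the replies leave toward the WAN until Kerio learns the 10.10.x.x subnets via 10.10.10.11. In the real deployment the same asymmetry also needs checking on the DMZ servers, which use Kerio as their gateway and therefore depend on Kerio's table for the return path.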
02-04-2021 09:58 PM
Can someone help me?