VLAN between two routers

Hello. I am trying to solve a practice problem and I can't seem to route the VLANs. The layout is this:

You have two routers connected to each other. Each router has one switch and each switch has four generic PCs connected. Each PC on that switch belongs on its own VLAN. So,

Switch 1
  • PC A - VLAN 10
  • PC B - VLAN 20
  • PC C - VLAN 30
  • PC D - VLAN 40

Switch 2
  • PC E - VLAN 10
  • PC F - VLAN 20
  • PC G - VLAN 30
  • PC H - VLAN 40


So PC A on Router 1/Switch 1 can ping PC E on Router 2/Switch 2 and it can't ping all the others. So on and so forth.

So I tried setting PC C as VLAN 10 to check if my configuration works, and it does. But then I attached my router and made subinterfaces, set interface fa0/1 on my switch as trunk and allowed VLANs 10, 20, 30 and 40. Now all of the PCs on the router can ping each other! That should not happen. Now I don't know what is wrong. Can anyone help me?

I attached the docx and the packet tracer file.

1 ACCEPTED SOLUTION


Sorry I've just realised you don't want connectivity between all PCs.

Which is a relief because looking at your configuration I couldn't see why they wouldn't be able to :-)

You need to use acls on your subinterfaces to only allow traffic you want to.

If you want to allow any PC to ping any other PC within the same site but only the PC in the same vlan in the other site then use an acl outbound on the serial interfaces of the routers.

If you want to only allow ping between PCs in the same vlan then use acls inbound on the subinterfaces.

Jon

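A minimal Router 1 configuration for the second option above (ping allowed only between PCs in the same VLAN), added here as an example and not taken from the thread; the per-VLAN /29 assignments, the gateway addresses and the ACL names are assumptions, since the thread only gives the 192.168.10.0 and 192.168.11.0 ranges:

```ios
! Router 1 (site 1). Added example, not the poster's configuration.
! Assumed subnet plan (the thread only says "subnets of 192.168.10.0/29"):
!   VLAN 10 192.168.10.0/29    VLAN 20 192.168.10.8/29
!   VLAN 30 192.168.10.16/29   VLAN 40 192.168.10.24/29
! Site 2 is assumed to use the same layout in 192.168.11.0/24; Router 2
! mirrors this with the source and destination networks swapped.
interface FastEthernet0/0
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.248
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.10.9 255.255.255.248
 ip access-group VLAN20-IN in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.10.17 255.255.255.248
 ip access-group VLAN30-IN in
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.10.25 255.255.255.248
 ip access-group VLAN40-IN in
!
! Each ACL is applied inbound on its subinterface, so it filters packets as
! they leave that VLAN. Only the matching /29 at the other site is permitted;
! the implicit deny at the end of every IOS ACL drops everything else,
! including traffic to the other local VLANs that the router would otherwise
! route between its subinterfaces.
ip access-list extended VLAN10-IN
 permit ip 192.168.10.0 0.0.0.7 192.168.11.0 0.0.0.7
!
ip access-list extended VLAN20-IN
 permit ip 192.168.10.8 0.0.0.7 192.168.11.8 0.0.0.7
!
ip access-list extended VLAN30-IN
 permit ip 192.168.10.16 0.0.0.7 192.168.11.16 0.0.0.7
!
ip access-list extended VLAN40-IN
 permit ip 192.168.10.24 0.0.0.7 192.168.11.24 0.0.0.7
```

Because the echo reply from PC E enters Router 2's VLAN 10 subinterface with a destination inside 192.168.10.0/29, the mirrored ACL on Router 2 permits it too, so pings work in both directions; "show ip access-lists" shows per-entry match counters you can use to confirm which line is dropping or passing a test ping.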


Are you using the same IP subnet for all vlans in each site ?

If so you can't do this.

As to why some pings work it entirely depends on what vlan you place the router interfaces that connect to the switches into.

So when PC A could ping PC B I assume you had the router interfaces connecting to the switches in vlan 10.

Then when you put PC C into vlan 10 it worked.

If you want each PC to have a different vlan in each site you need a different IP subnet per vlan at each site and then you can setup subinterfaces on the router for each vlan.

Note also that vlan 10 in one site is not the same vlan as vlan 10 in the other site.

You may know that but just wanted to point out that simply reusing the vlan ID does not make it the same vlan because the routers are connected with a L3 link.

Jon


Are you using the same IP subnet for all vlans in each site ?

No. In the first router, I'm using subnets of 192.168.10.0/29 and in the second, I use the subnets of 192.168.11.0/29.

 

So when PC A could ping PC B I assume you had the router interfaces connecting to the switches in vlan 10.

Then when you put PC C into vlan 10 it worked.

I already set up the VLANs for each PC.

What I meant when I said that I changed PC C (fa0/4) to VLAN 10 is that I wanted to see if my configuration worked (if PC A could successfully ping PC C while failing to ping other hosts). It was just temporary. After I was sure that the problem was not in the VLAN assignment in the switch, I reassigned PC C to VLAN 30. But after trunking fa0/1 on the switch and typing: switchport trunk allowed vlan 10,20,30,40, PC A can now successfully ping PC B, C, D even though they are on different VLANs.

What I want is to connect:

PC0 ---------------------------------------- PC4
PC1 ---------------------------------------- PC5
PC2 ---------------------------------------- PC6
PC3 ---------------------------------------- PC7

PC0 should not be able to ping PC1-3 and PC5-7. So on and so forth.

 


Okay, your original diagram didn't make clear you were actually using multiple /29 subnets at each site.

So at each site the switch connection to the router is configured as a trunk link ?

If so can you post -

"sh ip route" from each router  and

"sh int trunk" from each switch.

Jon


Router 1
"show ip route" on the first router
Router 2
"show ip route" on the second router

 

Switch 1
"show int trunk" on switch 1
Switch 2
"show int trunk" on switch 2

 


Thanks man. I thought I could solve my problem by using only VLAN commands. Can you give me any tips on ACLs or any resources? If you don't mind.


Have a read of this document -

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

it gives a good overview of acls.

If you need any help with them then feel free to come back with any queries.

Jon


Is your problem solved? I am also facing the same problem. Can you please share the information regarding the same?
