VLAN connection issue

Hartmann.J
Level 1

Hello,

I created a VLAN for test purposes.

I want to secure this VLAN with ACLs later on.

(haven't added any ACLs yet)

Since a lot of production systems are running in the network, I didn't want to try things out too much on the core switch at the moment.

I'm sure I only forgot something minor.

Problem:

My client with the IP address 10.14.68.145 can't connect to other networks / Internet. (I can't even ping the gateway of the VLAN.)

Config:

VLAN 24
Range     10.14.68.144 / 28    to: 10.14.68.159
Mask      255.255.255.240
Gateway   10.14.68.158
Free      10.14.68.145         to: 10.14.68.157

------------------------------------------------------------------------

Client PC config:

Ip 10.14.68.145
Sm 255.255.255.240
Gateway 10.14.68.158

DNS: 10.14.42.71 (our DNS)

------------------------------------------------------------------------

Config on Core-Switch:

sh run int vlan 24

interface Vlan24
ip address 10.14.68.158 255.255.255.240
end

-

interface Port-channel1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-24,30,90,101,104
switchport mode trunk
ip arp inspection trust
no ip address
mls qos trust dscp
ip dhcp snooping trust
end

-

Member of the Portchannel:

interface TenGigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-24,30,90,101,104
 switchport mode trunk
 ip arp inspection trust
 no ip address
 mls qos trust dscp
 channel-group 1 mode desirable
 ip dhcp snooping trust
end

interface TenGigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-24,30,90,101,104
 switchport mode trunk
 ip arp inspection trust
 no ip address
 mls qos trust dscp
 channel-group 1 mode desirable
 ip dhcp snooping trust
end

-

The client is connected over 2 switches. These are the port configs of the trunks / the port:

(link to first switch)
interface TenGigabitEthernet6/4
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
no ip address
mls qos trust dscp
ip dhcp snooping trust
end


(link to 2nd switch)
interface GigabitEthernet1/0/37
switchport mode trunk
ip arp inspection trust
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 30 0 0 0
priority-queue out
mls qos trust dscp
ip dhcp snooping trust
end

(Port on 2nd Switch)
 interface GigabitEthernet0/5
switchport access vlan 24
switchport mode access
spanning-tree portfast
end

-----------------------------------------

VLAN is up and active:

Sh ip int brief

Vlan24 10.14.68.158 YES manual up up

Sh ip route

Gateway of last resort is 10.14.0.250 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 22 subnets, 8 masks


C 10.14.68.144/28 is directly connected, Vlan24
S* 0.0.0.0/0 [1/0] via 10.14.0.250

------------------------------------------------------------------------------------------

CoreSwitch: show arp | i Vlan24

Internet 10.14.68.158 - 0013.5fec.6c00 ARPA Vlan24

Client:

Arp -a

Schnittstelle: 10.14.68.145 --- 0xb
Internetadresse     Physische Adresse   Typ
10.14.68.158         00-14-1b-ec-00-00    Dynamisch
10.14.68.159         Ff-ff-ff-ff-ff-ff               Statisch
224.0.0.22             01-00-5e-00-00-16    Statisch
224.0.0.251           01-00-5e-00-00-fb     Statisch
224.0.0.252           01-00-5e-00-00-fc     Statisch
255.255.255.255   Ff-ff-ff-ff-ff-ff               Statisch

Extended Ping from Core Switch with source ip of the VLAN:

ping
Protocol [ip]:
Target IP address: 10.14.0.250
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.14.68.158
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.14.0.250, timeout is 2 seconds:
Packet sent with a source address of 10.14.68.158
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 MS

Thank you for your help!
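
A check that the two ARP outputs in the post allow, as an added example that is not part of the original post: it normalizes the Cisco and Windows MAC notations and reports any IP address that the switch and the client hold under different MAC addresses. The function names are this example's own, and the sample text is copied from the outputs above.

```python
import re

# Sample text copied from the post: core switch `show arp | i Vlan24`
# and the first rows of the client's `arp -a`.
CORE_SHOW_ARP = "Internet 10.14.68.158 - 0013.5fec.6c00 ARPA Vlan24"
CLIENT_ARP_A = """\
Schnittstelle: 10.14.68.145 --- 0xb
Internetadresse     Physische Adresse   Typ
10.14.68.158         00-14-1b-ec-00-00    Dynamisch
10.14.68.159         Ff-ff-ff-ff-ff-ff    Statisch
224.0.0.22           01-00-5e-00-00-16    Statisch
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Cisco row: Protocol, Address, Age, MAC as xxxx.xxxx.xxxx, Type, Interface
CISCO_ROW = re.compile(
    rf"^Internet\s+{IP}\s+\S+\s+((?:[0-9a-f]{{4}}\.){{2}}[0-9a-f]{{4}})\s", re.I | re.M)
# Windows row: Address, MAC as xx-xx-xx-xx-xx-xx, Type (header lines do not match)
WINDOWS_ROW = re.compile(
    rf"^\s*{IP}\s+((?:[0-9a-f]{{2}}-){{5}}[0-9a-f]{{2}})\s", re.I | re.M)


def normalize_mac(mac):
    """Reduce dotted or dashed notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp(text, row):
    """Return {ip: normalized_mac} for every row the pattern matches."""
    return {ip: normalize_mac(mac) for ip, mac in row.findall(text)}


def gateway_mismatches(switch_text, client_text):
    """Return {ip: (switch_mac, client_mac)} where both sides know the IP
    but disagree on the MAC address behind it."""
    switch = parse_arp(switch_text, CISCO_ROW)
    client = parse_arp(client_text, WINDOWS_ROW)
    return {ip: (switch[ip], client[ip])
            for ip in switch.keys() & client.keys()
            if switch[ip] != client[ip]}


if __name__ == "__main__":
    for ip, (sw, cl) in gateway_mismatches(CORE_SHOW_ARP, CLIENT_ARP_A).items():
        print(f"{ip}: switch reports {sw}, client learned {cl}")
```
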

15 Replies

Hi;

It's good to hear that now your problem is resolved.

Thanks & Best regards;