05-30-2012 09:26 AM - edited 03-07-2019 06:59 AM
I'm having an issue with the routing of packets on my VLAN. The boxes I am testing with are Linux (Fedora 12 and Fedora 16).
When I try to traceroute from 192.168.1.34 to 1.31 I get a dead link with: Communication administratively prohibited (administrative filtering prevents packet from being forwarded).
What am I missing? I have included my config below.
Thanks
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname [REMOVED]-gateway
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 [REMOVED]
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 0 0
crypto pki token default removal timeout 0
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.30
ip dhcp excluded-address 192.168.1.252
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool vlan1pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.1.252 62.244.176.176
lease 14
!
!
!
ip inspect name fire-rules tcp
ip inspect name fire-rules udp
ip inspect name fire-rules ssh
no ip domain lookup
ip domain name [REMOVED].co.uk
ip cef
!
!
password encryption aes
license udi pid CISCO861-K9 sn FCZ1617C4VV
!
!
username [REMOVED]-admin privilege 15 secret 5 $1$H9J5$/GTqw3HtAQpI8dG2V2qE1.
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description ip
ip address [REMOVED]
ip access-group 100 in
ip inspect fire-rules out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description 'Default Vlan'
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.11 25 [REMOVED] 25 extendable
ip nat inside source static tcp 192.168.1.252 53 [REMOVED] 53 extendable
ip nat inside source static udp 192.168.1.252 53 [REMOVED] 53 extendable
ip nat inside source static tcp 192.168.1.11 443 [REMOVED] 443 extendable
ip nat inside source static tcp 192.168.1.11 993 [REMOVED] 993 extendable
ip route 0.0.0.0 0.0.0.0 [REMOVED]
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 deny ip any any
no cdp run
!
line con 0
login local
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
login local
transport input telnet ssh
!
sntp server 194.35.252.7
sntp server 81.168.77.149
sntp server 194.164.127.6
sntp source-interface FastEthernet4
end
05-30-2012 10:26 AM
Hello Alastair,
If you mean from 192.168.1.34 to 192.168.1.31, they are in the SAME IP subnet, so communication is direct between the two Linux boxes and the router is not involved.
It is used just as an L2 LAN switch if the two boxes are connected to Fast Ethernet ports of the router.
Hope to help
Giuseppe
05-30-2012 01:39 PM
Apologies, I thought that because the addresses were given under a VLAN it did something special. Does it require anything special to route between VLAN 1 and 2, e.g. 192.168.1.31 and 192.168.2.31?
Richard, the packets are inspected on the way out and responses are allowed in, see fire-rules.
05-31-2012 04:25 AM
Hello Alastair,
You need to create VLAN 2 at OSI layer 2, configure the L3 interface Vlan2, and associate at least one port with VLAN 2.
Ports should by default be associated with VLAN 1.
For example, if it is fas3 where host 192.168.2.31 is connected, following Nik's link to the 800 series configuration guide:
! layer 2: access port for host 192.168.2.31 in VLAN 2
interface FastEthernet3
 shutdown
 description Host2
 switchport access vlan 2
 no shutdown
!
! layer 3: SVI for 192.168.2.0/24, marked "ip nat inside" so the
! subnet can be translated on FastEthernet4
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 no shutdown
This is enough for inter-VLAN routing.
You need to update the NAT configuration if you also want to give internet access to users in IP subnet 192.168.2.0/24.
Edit:
Updating the NAT configuration requires updating ACL 1, adding a line for the 192.168.2.0 subnet:
access-list 1 permit 192.168.2.0 0.0.0.255
Hope to help
Giuseppe
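Putting Giuseppe's steps together, as an added example that is not part of the original reply: the complete set of changes for a second subnet on this 861, written against the config posted above. The port (FastEthernet3), VLAN number and addresses are the ones used in the thread; the VLAN name, the explicit `vlan 2` creation, the Vlan2 MSS/reassembly lines mirrored from Vlan1, and the DHCP pool are assumptions added here.

```cisco
! Added example, not from the thread. Assumed names: "Vlan2-Hosts",
! "vlan2pool". Addresses and port follow Giuseppe's reply.
!
! 1. Layer 2: create VLAN 2.
vlan 2
 name Vlan2-Hosts
 exit
!
! 2. Put the port host 192.168.2.31 is plugged into in VLAN 2.
interface FastEthernet3
 description Host2
 switchport access vlan 2
 no shutdown
!
! 3. Layer 3 interface for the new subnet. Without "ip nat inside"
!    traffic from this VLAN is routed to FastEthernet4 untranslated
!    and never comes back.
interface Vlan2
 description 'Second Vlan'
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 no shutdown
!
! 4. Extend the PAT source list ("ip nat inside source list 1 ...").
!    Without this, VLAN 2 reaches VLAN 1 but gets no internet.
access-list 1 permit 192.168.2.0 0.0.0.255
!
! 5. Assumed: DHCP for the new VLAN, mirroring vlan1pool.
ip dhcp excluded-address 192.168.2.1 192.168.2.30
ip dhcp excluded-address 192.168.2.254
ip dhcp pool vlan2pool
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
 dns-server 192.168.1.252 62.244.176.176
 lease 14
```

One caveat worth checking before step 4: in the posted config ACL 1 is used twice, as the NAT source list and as the `access-class 1 in` on `line vty 0 4`. Adding 192.168.2.0/24 to it therefore also lets VLAN 2 hosts open telnet and SSH sessions to the router (`transport input telnet ssh` accepts both). If VLAN 2 is meant to be less trusted than VLAN 1, give NAT its own list (for example ACL 2 covering both subnets) and leave ACL 1 for the vty lines. Note also that nothing filters between Vlan1 and Vlan2 once the SVI is up; an inbound ACL on Vlan2 is where that would go.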
05-30-2012 10:28 AM
There are some things about your post that I do not understand, so it is difficult to give good answers.
You describe the problem as
When i try to traceroute from 192.168.1.34 to 1.31
but it looks to me like those addresses are within the same subnet. So the devices should talk directly to each other and not need forwarding by your network device. Can you help me understand what is going on here?
I do notice one thing that perhaps relates to the symptoms that you describe. You have this on an interface
interface FastEthernet4
ip address [REMOVED]
ip access-group 100 in
but access list 100 has only deny statements and does not permit anything
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 deny ip any any
One of the fundamental properties of access lists applied inbound is that if they do not permit any traffic, then no traffic will succeed in coming into the interface.
HTH
Rick
05-30-2012 06:14 PM
Hi Richard,
The hole in the ACL you mentioned should be created by IP INSPECT rules when traffic is going out, so those are normal. In regards to this problem, the router should be removed from consideration. You need only to consider the switches where these hosts are connected. It would be good to start with a diagram and then the config of the switches between the two servers.
Nik
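As an added example that is neither Rick's nor Nik's code: ACL 100 as posted, next to a version that keeps the default deny Rick describes but admits the services published by the `ip nat inside source static` lines. The CBAC holes Nik mentions do not cover those: `ip inspect fire-rules out` only opens return traffic for sessions that started on the inside, so a fresh connection from the internet to port 25 or 443 is still dropped by the inbound list. `<WAN-IP>` stands for the [REMOVED] address of FastEthernet4 and is not known from the thread; the `log` keyword and the ICMP inspection line are assumptions.

```cisco
! Added example, not from the thread. <WAN-IP> is a placeholder for the
! public address of FastEthernet4.
!
! --- ACL 100 as posted ("ip access-group 100 in" on FastEthernet4).
!     Nothing is permitted, so unsolicited inbound connections to the
!     statically translated ports 25, 53, 443 and 993 never get through.
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 deny ip any any
!
! --- Replacement built as a NEW list (101) and swapped in afterwards.
!     Deleting ACL 100 while it is still bound to the interface leaves
!     the interface permitting everything until the list exists again,
!     so do not "no access-list 100" first.
!     An inbound ACL on the outside interface is evaluated before NAT,
!     hence the public address, not 192.168.1.11 / 192.168.1.252.
access-list 101 remark inbound from the internet, checked before NAT
access-list 101 permit tcp any host <WAN-IP> eq 25
access-list 101 permit tcp any host <WAN-IP> eq 443
access-list 101 permit tcp any host <WAN-IP> eq 993
access-list 101 permit tcp any host <WAN-IP> eq 53
access-list 101 permit udp any host <WAN-IP> eq 53
access-list 101 deny ip any any log
!
! Swap the binding. CBAC adds its dynamic entries to whichever inbound
! list is applied on the inspected interface, so the ssh/tcp/udp return
! traffic keeps working.
interface FastEthernet4
 ip access-group 101 in
!
! Assumed addition: the posted inspect rules cover only tcp, udp and
! ssh, so ICMP replies to a ping or traceroute from the LAN are not
! tracked and hit the final deny.
ip inspect name fire-rules icmp
```

Two things to weigh before applying this: the posted config forwards 192.168.1.252:53 to the internet, and if that box also recurses for the LAN it becomes an open resolver; publish it only if it answers authoritatively for the [REMOVED].co.uk zone and refuses recursion from outside. And `access-list 101 deny ip any any log` writes to the buffer configured by `logging buffered 51200 warnings`, which is enough to see what is being probed with `show logging` but will be overrun quickly on a busy link.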
05-30-2012 09:54 PM
Richard see my response above.
Nik, the setup is just a test currently and only 2 hosts are attached directly to the 861; no other switches are involved at this time.
05-30-2012 10:16 PM
Alastair,
Do you mean the hosts are connected to two of the 4 interfaces Fa0/0 - Fa0/3? If yes, then the corresponding ports should be configured as access for VLAN 1.
Nik
05-31-2012 06:06 AM
Hi Nik, I do mean the hosts are connected via the Cisco router. This is a test network and will be expanded in the future.
I have tried trunking the interfaces and setting them as access, but a problem still remains that I cannot solve:
When Host A tries to SSH or traceroute to Host B across the router, the connection hangs and will time out 9/10 times.
Also, Host A will hang when trying to SSH to the Cisco 861; the connection finally completes for me to make changes.
Message was edited by: Alastair Rogers