Vlan routing problem

alirogers_
Level 1

I'm having an issue with the routing of packets on my VLAN. The boxes I am testing with are Linux (Fedora 12 and Fedora 16).

When I try to traceroute from 192.168.1.34 to 1.31 I get a dead link with: Communication administratively prohibited (administrative filtering prevents packet from being forwarded).

What am I missing? I have included my config below.

Thanks

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname [REMOVED]-gateway
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 [REMOVED]
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 0 0
crypto pki token default removal timeout 0
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.30
ip dhcp excluded-address 192.168.1.252
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool vlan1pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 192.168.1.252 62.244.176.176
 lease 14
!
!
!
ip inspect name fire-rules tcp
ip inspect name fire-rules udp
ip inspect name fire-rules ssh
no ip domain lookup
ip domain name [REMOVED].co.uk
ip cef
!
!
password encryption aes
license udi pid CISCO861-K9 sn FCZ1617C4VV
!
!
username [REMOVED]-admin privilege 15 secret 5 $1$H9J5$/GTqw3HtAQpI8dG2V2qE1.
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description ip
 ip address [REMOVED]
 ip access-group 100 in
 ip inspect fire-rules out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description 'Default Vlan'
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.11 25 [REMOVED] 25 extendable
ip nat inside source static tcp 192.168.1.252 53 [REMOVED] 53 extendable
ip nat inside source static udp 192.168.1.252 53 [REMOVED] 53 extendable
ip nat inside source static tcp 192.168.1.11 443 [REMOVED] 443 extendable
ip nat inside source static tcp 192.168.1.11 993 [REMOVED] 993 extendable
ip route 0.0.0.0 0.0.0.0 [REMOVED]
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny   tcp any any
access-list 100 deny   udp any any
access-list 100 deny   ip any any
no cdp run
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
!
sntp server 194.35.252.7
sntp server 81.168.77.149
sntp server 194.164.127.6
sntp source-interface FastEthernet4
end

8 Replies

Giuseppe Larosa
Hall of Fame

Hello Alastair,

If you mean from 192.168.1.34 to 192.168.1.31, they are in the SAME IP subnet, so communication is direct between the two Linux boxes and the router is not involved.

It is used just as an L2 LAN switch if the two boxes are connected to Fast Ethernet ports of the router.

Hope to help

Giuseppe

Apologies, I thought that because the addresses were given under a VLAN it did something special. Does it require anything special to route between VLAN 1 and 2, e.g. 192.168.1.31 and 192.168.2.31?

Richard, the packets are inspected on the way out and responses are allowed in; see fire-rules.

Hello Alastair,

You need to create vlan2 at OSI layer 2, configure the L3 interface vlan2 and associate at least one port with vlan2.

Ports should by default be associated with vlan 1.

For example, if it is fas3 where host 192.168.2.31 is connected, following Nik's link to the 800 series configuration guide:

int fas3
 shutdown
 desc Host2
 switchport access vlan 2
 no shutdown
int vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 no shut

This is enough for inter-VLAN routing.

You need to update the NAT configuration if you want to give Internet access also to users in IP subnet 192.168.2.0/24.

Edit:

Updating the NAT configuration requires updating ACL 1, adding a line for the 192.168.2.0 subnet:

access-list 1 permit 192.168.2.0 0.0.0.255

Hope to help

Giuseppe

Richard Burts
Hall of Fame

There are some things about your post that I do not understand. So it is difficult to give good answers.

You describe the problem as

When I try to traceroute from 192.168.1.34 to 1.31

but it looks to me like those addresses are within the same subnet. So the devices should talk directly to each other and not need forwarding by your network device. Can you help me understand what is going on here?

I do notice one thing that perhaps relates to the symptoms that you describe. You have this on an interface

interface FastEthernet4

ip address [REMOVED]

ip access-group 100 in

but access list 100 has only deny statements and does not permit anything

access-list 100 deny   tcp any any

access-list 100 deny   udp any any

access-list 100 deny   ip any any

One of the fundamental properties of access lists applied inbound is that if they do not permit any traffic, then no traffic will be successful coming into the interface.

HTH

Rick

Hi Richard,

The hole in the ACL you mentioned should be created by IP INSPECT rules when traffic is going out, so those are normal. In regards to this problem, the router should be removed from consideration. You need only to consider the switches where these hosts are connected. It would be good to start with a diagram and then the config of the switches in between the two servers.

Nik

HTH,
Niko
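As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python script audits an IOS running-config for the two points raised above: Richard's observation that ACL 100, applied inbound on FastEthernet4, contains only deny entries (Alastair and Nik attribute this to ip inspect opening return holes for sessions started from inside, which is how CBAC behaves, but unsolicited inbound traffic such as the static NAT port forwards is still dropped), and Giuseppe's note that ACL 1 must also permit the 192.168.2.0/24 subnet once Vlan2 is added, or hosts there are routed but never translated. The sample config is constructed from the thread's lines; the public address 203.0.113.10 (standing in for the redacted one) and the Vlan2 stanza are assumptions.

```python
"""Audit an IOS config for the two issues raised in this thread (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the thread's relevant lines, with the redacted public
# address replaced by 203.0.113.10 and a hypothetical Vlan2 added as suggested,
# but without the matching extra line in ACL 1.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip access-group 100 in
 ip inspect fire-rules out
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.11 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.1.252 53 203.0.113.10 53 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny   tcp any any
access-list 100 deny   udp any any
access-list 100 deny   ip any any
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def parse_acls(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map a numbered ACL id to its (action, match) entries in config order."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for m in re.finditer(r"^access-list (\S+)\s+(permit|deny)\s+(.*)$", config, re.M):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    return acls


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn IOS 'network wildcard' notation into an IPv4Network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def blackhole_inbound_acls(config: str) -> List[dict]:
    """Interfaces whose inbound ACL has no 'permit' entry at all. CBAC ('ip inspect
    ... out') still admits return traffic of inside-initiated sessions, but static
    NAT forwards on an 'ip nat outside' interface can never be reached from outside."""
    acls = parse_acls(config)
    statics = re.findall(
        r"^ip nat inside source static (tcp|udp) (\S+) \d+ \S+ (\d+)", config, re.M)
    findings = []
    for name, lines in parse_interfaces(config).items():
        for line in lines:
            m = re.match(r"ip access-group (\S+) in$", line)
            if not m or any(a == "permit" for a, _ in acls.get(m.group(1), [])):
                continue
            findings.append({
                "interface": name,
                "acl": m.group(1),
                "return_traffic_via_inspect": any(
                    l.startswith("ip inspect ") and l.endswith(" out") for l in lines),
                "unreachable_forwards": [f"{proto}/{port}->{host}"
                                         for proto, host, port in statics]
                if "ip nat outside" in lines else [],
            })
    return findings


def nat_acl_gaps(config: str) -> List[str]:
    """Inside subnets not permitted by the NAT source ACL: hosts there are routed
    between VLANs but never translated, so they get no Internet access."""
    m = re.search(r"^ip nat inside source list (\S+) interface", config, re.M)
    if not m:
        return []
    permitted = []
    for action, text in parse_acls(config).get(m.group(1), []):
        parts = text.split()
        if action == "permit" and parts == ["any"]:
            permitted.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif action == "permit" and len(parts) == 2:  # 'permit A.B.C.D wildcard'
            permitted.append(wildcard_to_network(*parts))
    gaps = []
    for name, lines in parse_interfaces(config).items():
        if "ip nat inside" not in lines:
            continue
        for line in lines:
            addr = re.match(r"ip address (\S+) (\S+)$", line)
            if addr:
                net = ipaddress.IPv4Network(f"{addr.group(1)}/{addr.group(2)}", strict=False)
                if not any(net.subnet_of(p) for p in permitted):
                    gaps.append(f"{name}: {net}")
    return gaps


if __name__ == "__main__":
    for f in blackhole_inbound_acls(SAMPLE_CONFIG):
        print("inbound ACL with no permit:", f)
    for g in nat_acl_gaps(SAMPLE_CONFIG):
        print("NAT source ACL does not cover:", g)
```

Run against the sample, it reports FastEthernet4 / ACL 100 as an inbound ACL with no permit (return traffic still allowed through inspect, but the TCP 25 and 53 forwards unreachable from outside), and Vlan2's 192.168.2.0/24 as missing from ACL 1. Feed it the output of `show running-config` to check a real device; standard ACL forms other than `permit any` and `permit A.B.C.D wildcard` are ignored, which is a simplification.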

Richard see my response above.

Nik, the setup is just a test currently, and only 2 hosts are attached directly to the 861; no other switches are involved at this time.

Alastair,

Do you mean the hosts are connected to two of the 4 interfaces Fa0/0 - Fa0/3? If yes, then the corresponding ports should be configured as access for VLAN1.

http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/vlanconf.html#wp1053028

Nik

HTH,
Niko

Hi Nik, I do mean the hosts are connected via the Cisco router. This is a test network and will be expanded in the future.

I have tried trunking the interfaces and setting them as access, but a problem still remains that I cannot solve:

When Host A tries to SSH or traceroute to Host B across the router, the connection hangs and will time out 9/10 times.

Also, Host A will hang when trying to SSH to the Cisco 861; the connection finally completes for me to make changes.

Message was edited by: Alastair Rogers
