Need help with routing.

Unanswered Question
Jan 12th, 2008

Hello,

I am a newbie on Cisco with limited knowledge, but have read the configuration manuals for the 3550 and 2950 devices. We are in process of changing our network infrastructure substantially.

The problem I am trying to solve is I cannot identify why we cannot access the internet from VLAN's on our 2950's.

I presume I am missing something insanely simple to resolve at this point, but I have been unable to identify what that is.

This is a long post but I wanted to include all the information which I thought was pertinent.

Your assistance is most appreciated.

Sincerely,

Carl

PHYSICAL CONFIGURATION:

We have one 3550, three 2950's and firewall with PFSense.

Our physical connections are as follows:

[295001] ->
[295002] ->[3550]->[PFSense]->[The World]
[295003] ->

The 2950's are trunked to the 3550 and we are using a routed interface from the 3550 to connect to the PFSense firewall.

There are (will be) VLANs on each 2950 which are subnetted to /24. The configuration files which follow are not complete but we are using two VLANs for testing, one on 295001 (VLAN7-10.7.7.0/24) and one on 295002 (VLAN9-10.12.12.0/24).

The management VLAN is 1001 on 10.200.1.0/24.

CURRENT STATUS:

While connected to the management VLAN on the 3550:

We can ping from the 3550 to all VLANs/subnets on the 2950's by hitting their IP as defined in the 3550.

We can ping from the 3550 to the routed IP which connects to the PFSense by hitting its IP (192.168.100.1) as defined in the 3550.

We can ping from the 3550 to the gateway (LAN side of the PFSense box) by hitting its IP (192.168.100.254).

We can ping from the 3550 to IP addresses in "The World".

While connected to a client attached to one of the VLAN's on the 2950's:

We can ping from the 2950 client to the VLAN's IP (i.e. from 10.12.12.100 to 10.12.12.1).

We can ping from the 2950 client to the management VLAN's IP.

We can ping from the 2950 client to the routed IP which connects to the PFSense by hitting its IP (192.168.100.1) as defined in the 3550.

We CANNOT ping from the 2950 client to the gateway (LAN side of the PFSense box) by hitting its IP (192.168.100.254).

We have static routes mapped back to the VLANs from the PFSense box.

We are routing all of our existing public traffic on our existing network infrastructure through the same PFSense box, so we know it is fully active and functioning.

One specific question I do have is should the default-gateways on the 2950's point to 10.200.1.11 (the IP of the management VLAN) or to 10.100.100.1 (the IP of VLAN1)? I tried it both ways and it did not impact our ability to hit the PFSense box at 192.168.100.254.

I have included detailed configuration information in the attached file.

Edison Ortiz Sat, 01/12/2008 - 15:02

Impressive post, lots of useful information.

Your configuration in all switches is perfect, the problem seems to be at the PFSense Box.

Do you have a way to post the routing table from this device ?

You should have a route to 10.200.1.0/24, 10.7.7.0/24 and 10.12.12.0/24 pointing to 192.168.100.1 as the gateway.

Also, you need to translate for those networks in your NAT device.

HTH,

___

Edison.
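A way to check the three things named in the reply above (a return route for each new subnet via 192.168.100.1, a LAN firewall rule that admits the subnet, and an outbound NAT entry covering it) against the text pfSense itself prints. This is an added example, not part of the thread and not the poster's configuration: the `netstat -rn`, `pfctl -sr` and `pfctl -sn` samples are constructed to resemble that output, the interface names (em0 WAN, em1 LAN) and the WAN address 203.0.113.5 are assumptions, and the parsers only handle the common subset of rule syntax shown in the samples.

```python
"""Simulate the pfSense-side checks for a client on a 2950 VLAN: return route, LAN
rule verdict, and outbound NAT coverage.  Added example; sample outputs are constructed
and interface names / WAN address are assumptions, not the poster's real box."""
import ipaddress
import re

WAN_IF, LAN_IF = "em0", "em1"   # assumed interface names on the pfSense box

# Constructed in the style of `netstat -rn` on pfSense (FreeBSD).
ROUTES_TXT = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.7.7.0/24        192.168.100.1      UGS         em1
10.12.12.0/24      192.168.100.1      UGS         em1
10.200.1.0/24      192.168.100.1      UGS         em1
127.0.0.1          link#3             UH          lo0
192.168.100.0/24   link#2             U           em1
"""

# Constructed `pfctl -sr` style output.  pf semantics: the LAST matching rule wins
# unless a matching rule says `quick`, which ends evaluation immediately.
# "Before": only the LAN /24 is allowed in, so the 2950 VLAN subnets hit the default deny.
RULES_BROKEN = """\
block drop in log all label "Default deny rule IPv4"
pass in quick on em1 inet from 192.168.100.0/24 to any flags S/SA keep state label "Default allow LAN to any rule"
"""
# "After": one pass rule per routed subnet behind the 3550.
RULES_FIXED = RULES_BROKEN + """\
pass in quick on em1 inet from 10.200.1.0/24 to any flags S/SA keep state label "allow mgmt vlan"
pass in quick on em1 inet from 10.7.7.0/24 to any flags S/SA keep state label "allow vlan7"
pass in quick on em1 inet from 10.12.12.0/24 to any flags S/SA keep state label "allow vlan9"
"""

# Constructed `pfctl -sn` style output; VLAN9's subnet is deliberately missing.
NAT_TXT = """\
nat on em0 inet from 192.168.100.0/24 to any -> 203.0.113.5 port 1024:65535
nat on em0 inet from 10.7.7.0/24 to any -> 203.0.113.5 port 1024:65535
"""


def _net(token):
    """Turn a netstat/pfctl address token into a network; a bare host becomes a /32."""
    if token in ("any", "all", "default"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_routes(text):
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        dest, gw, _flags, netif = line.split()[:4]
        routes.append((_net(dest), gw, netif))
    return routes


def lookup_route(routes, dst):
    """Longest-prefix match, the way the kernel picks a route."""
    dst = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst in r[0]]
    return max(cands, key=lambda r: r[0].prefixlen) if cands else None


RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)?\s+(?P<dir>in|out)(?P<quick> quick)?"
    r"(?: log)?(?: on (?P<iface>\S+))?(?: inet)?"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+)| all)")


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                             # syntax outside the handled subset
        d = m.groupdict()
        rules.append({"action": d["action"], "dir": d["dir"], "quick": bool(d["quick"]),
                      "iface": d["iface"], "src": _net(d["src"] or "any"),
                      "dst": _net(d["dst"] or "any"), "text": line})
    return rules


def evaluate(rules, direction, iface, src, dst):
    """Return the rule that decides this packet (None means pf's implicit pass)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = None
    for r in rules:
        if r["dir"] != direction or (r["iface"] and r["iface"] != iface):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        verdict = r
        if r["quick"]:
            break
    return verdict


NAT_RE = re.compile(r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) -> (?P<tgt>\S+)")


def parse_nat(text):
    return [(m["iface"], _net(m["src"])) for m in map(NAT_RE.match, text.splitlines()) if m]


def diagnose(routes_txt, rules_txt, nat_txt, client, target):
    """Findings for a VLAN client behind the 3550 reaching `target` on the LAN side."""
    routes, rules, nat = parse_routes(routes_txt), parse_rules(rules_txt), parse_nat(nat_txt)
    back = lookup_route(routes, client)          # how replies get back to the client
    rule = evaluate(rules, "in", LAN_IF, client, target)
    passes = rule is None or rule["action"] == "pass"
    return {
        "return_route_via_3550": bool(back) and back[1] == "192.168.100.1",
        "lan_rule_passes": passes,
        "blocking_rule": None if passes else rule["text"],
        "nat_covers_client": any(i == WAN_IF and ipaddress.ip_address(client) in n for i, n in nat),
    }


if __name__ == "__main__":
    for name, rules in (("before", RULES_BROKEN), ("after", RULES_FIXED)):
        print(name, diagnose(ROUTES_TXT, rules, NAT_TXT, "10.12.12.100", "192.168.100.254"))
```

With the "before" rule set the report names the default deny rule as the blocker even though the return route is present, which matches what the thread eventually found; with the "after" set the LAN check passes, but `nat_covers_client` stays False for 10.12.12.100 until an outbound NAT entry for that subnet is added, which is the second point in the reply.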

cwlangren Mon, 01/14/2008 - 09:37

Dear ediortiz,

Thanks very much for the response.

It was the PFSense box as you said. Thanks for taking the time to review our configs. We had the routes in, but we were blocking traffic from the new subnets.

Regards,

Carl

cwlangren Mon, 01/14/2008 - 09:33

We found the problem. It was a firewall rule in the PFSense box. Duh.

I would still like to get some feedback on one issue:

One specific question I do have is should the default-gateways on the 2950's point to 10.200.1.11 (the IP of the management VLAN) or to 10.100.100.1 (the IP of VLAN1)? I tried it both ways and it did not impact our ability to hit the PFSense box at 192.168.100.254.

Thanks much for the help.

Carl

Edison Ortiz Mon, 01/14/2008 - 13:56

It's fine the way you have it. Vlan1 is shutdown at the moment. You are only allowed to have one IP active on 2950s as they are Layer2 devices.
