Inter VLAN Routing

Answered Question
Feb 18th, 2008

Hi all, I have an issue at the moment in regards to two VLANs trying to communicate with each other. I have basically started work for this company and they have recently had a new network installed; we are still negotiating a support contract with the suppliers of the equipment, but until then I need to resolve an issue with routing between VLANs.

I have one VLAN (ID = 10) and another VLAN (ID = 11); the 11 VLAN houses a product demo suite, so basically a second dummy network. I need to be able to control one of the devices on VLAN 11 from VLAN 10, now this sounds easy right? It is all set up with trunk ports etc, there is a trunk between the router and main switch, all encapsulation is set to DOT1Q. Here is the weird part: I can ping the device (10.11.x.x on VLAN 11) from any device on VLAN 10 (10.10.x.x), but if I try to connect to the management console which uses port 80 it does not want to know. I have tried setting up another IIS website to see if I can access that, still no joy. I cannot access devices on VLAN 10 from VLAN 11 either, but again I can ping. What's even stranger is that I am able to connect when coming in through a VPN connection to the network, which uses a 10.50.x.x range and is VLSM.

Any ideas would be great, I have tried everything and it's really starting to annoy me. (Plus I've got my CCNA3 final tonight argggh)

Cheers

Lee

Richard Burts Mon, 02/18/2008 - 08:54

Lee

It would help us to see what is going on and to give you better answers if you would post configuration information. Also you mention a main switch and a router. Perhaps you can clarify the topology of the network for us. Is the switch just a layer 2 switch and is the intervlan routing done on the router?

HTH

Rick

leejones365 Tue, 02/19/2008 - 01:26

Hi Rick,

The inter-VLAN routing is done by the router; there is then a gigabyte switch that has a trunked port to the router. The gig switch feeds two PoE switches, also with trunked ports.

As for the config, the router is as follows:

{Output omitted}

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map web
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 10.11.0.1 255.255.0.0
!

{IP Interface config}

There is also NAT enabled on the router; would this have anything to do with the issue?

Cheers

Lee

shivlu jain Tue, 02/19/2008 - 01:35

Lee

There is a route-map called web; please post the configuration of it also.

regards

shivlu

leejones365 Tue, 02/19/2008 - 01:39

Shivlu,

ip nat inside source route-map nonat pool natpool overload
ip nat inside source route-map web interface Dialer1 overload

Is this what you need? Or should there be more?

PS this is also under the access lists

!
!
!
route-map web permit 10
 match ip address 153
 set interface Dialer1
!
route-map nonat permit 10
 match ip address 100

Richard Burts Tue, 02/19/2008 - 05:07

Lee

Thank you for posting additional information. I do not yet see a particular issue that would cause your problem in routing between VLANs. The configuration of address translation might be an issue. The route map web is applied on one interface. That route map uses access list 153. It might be helpful if you would post the content of access list 153.

Another question to ask in this is whether the router is able to ping end stations in both VLANs.

HTH

Rick

leejones365 Tue, 02/19/2008 - 05:33

Rick,

The router can ping both sides of the VLANs; I can ping a host on VLAN 11 and VLAN 10.

The access list is as follows:

access-list 153 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 153 permit tcp 10.10.0.0 0.0.255.255 any eq 443
access-list 153 permit udp 10.10.0.0 0.0.255.255 any eq domain
access-list 153 permit tcp 10.10.0.0 0.0.255.255 any eq 22
access-list 153 permit tcp 10.10.0.0 0.0.255.255 any eq pop3
access-list 153 permit tcp 10.10.0.0 0.0.255.255 any eq ftp
access-list 153 permit tcp 10.10.0.0 0.0.255.255 any eq ftp-data
access-list 153 permit tcp 10.10.0.0 0.0.255.255 any gt 1023

Cheers

Lee

Richard Burts Tue, 02/19/2008 - 05:53

Lee

Thanks for the additional information. It pretty much eliminates address translation as the source of the problem.

So let me go in a slightly different direction. If the router can ping hosts in vlan 10 and in vlan 11, if you use extended ping on the router and in the extended ping to a host in vlan 11 you specify the source address as the vlan 10 interface, does the ping still work? And similarly if you ping a host in vlan 10 and specify the source as the vlan 11 interface does the ping work?

HTH

Rick

Craig Norborg Tue, 02/19/2008 - 06:36

I'm not great with PBR, but it looks to me like his problem is with the route-map. The route-map should be taking any incoming traffic that matches the acl (ie: www) and send it to the dialer1 interface. Why is the route-map there?

leejones365 Tue, 02/19/2008 - 06:45

Rick,

Thanks for all your help so far. I tried the extended ping on the router and specified the two interfaces and the two hosts etc, and the ping was successful when pinging from one VLAN to another; both were 100% successful.

Lee

Correct Answer
bsudol79p Tue, 02/19/2008 - 08:49

Lee, your route map directs the web traffic to go out the dialer1 interface. Route maps get processed first, before looking at the routing table, so if the traffic is matched by the acl 153 then it will go out the dialer1 and it won't even look at the routing. You are able to ping from both vlans because your acl 153 doesn't have any statements for ICMP, so it goes to the routing table and it finds the destination. However, your acl 153 has web traffic identified, so it gets processed by the route map instead of the routing table. You would have to add "access-list 153 permit tcp 10.10.0.0 0.0.255.255 (vlan 11) eq www" on the first line of your 153 acl.

access-list 153 permit tcp 10.10.0.0 0.0.255.255 (vlan 11) eq www
access-list 153 permit tcp src. vlan des vlan eq web
access-list 153 permit any any eq web

leejones365 Tue, 02/19/2008 - 13:50

Hi, thanks for the post in regards to modifying the ACL. Do I actually write "access-list 153 permit tcp 10.10.0.0 0.0.255.255 (vlan 11) eq www", or do I need to change the (vlan 11) for the IP address or the int of VLAN 11 etc.? Also, with "access-list 153 permit tcp src. vlan des vlan eq web", do I put the network addresses of these or do I leave it as it is? Another question is, will this stop the traffic destined for the internet, i.e. will it be blocked?

Cheers again for all the help received.

Lee

Richard Burts Tue, 02/19/2008 - 14:11

Lee

While Bart was very helpful in explaining the changes to the access list, he got one important detail wrong. The line that he is talking about adding to the access list should deny the traffic from vlan 10 to vlan 11 instead of permit as he had it.

So to eliminate confusion here is what should be the first line in the access list:

access-list 153 deny tcp 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255 eq www

HTH

Rick

leejones365 Wed, 02/20/2008 - 01:35

Thank you both for aiding me in this problem. It has now been resolved and I actually learnt something. Also, just a quick final question: if I add a line at the top instead of the port 80 TCP deny, would I be able to add a line that denies any traffic for the 10.11.0.0 network with an "access-list 153 deny ip 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255", as any traffic destined for VLAN 11 does not need to go through the dialer interface?

Cheers

Lee

Richard Burts Wed, 02/20/2008 - 04:15

Lee

Yes, making the statement into:

access-list 153 deny ip 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255

would be better. My suggestion (and Bart's) addressed the particular issue that you were having. But this change addresses the broader issue and would be a better solution.

Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read what was able to successfully resolve the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
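The route-map/ACL interaction that Bart and Rick describe, as an added example that is not part of the thread: a small Python model of IOS first-match ACL evaluation under PBR, run over ACL 153 as posted and again with Rick's "deny ip" line in front. The host addresses used are constructed, and only the destination-port operators this ACL uses are modelled.

```python
# Added example (not from the thread): toy first-match evaluator for the extended
# ACL behind route-map "web". In IOS PBR a PERMIT match applies the set clause
# ("set interface Dialer1"); a DENY match or no match falls through to the routing table.
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "pop3": 110, "ftp": 21, "ftp-data": 20}

def _addr(tokens):
    # Consume 'any' or 'A.B.C.D wildcard'; wildcard 1-bits are "don't care".
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (net, ~wild & 0xFFFFFFFF), tokens[2:]

def parse_ace(line):
    """Parse one access-list line; only a destination-port operator is handled."""
    t = line.split()          # access-list 153 <action> <proto> <src> <dst> [op port]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    port = (rest[0], PORT_NAMES.get(rest[1]) or int(rest[1])) if rest else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def _hit(ace, proto, src, dst, dport):
    if ace["proto"] not in (proto, "ip"):
        return False
    for (net, mask), ip in ((ace["src"], src), (ace["dst"], dst)):
        if (int(ipaddress.IPv4Address(ip)) & mask) != (net & mask):
            return False
    if ace["port"] is None:
        return True
    op, n = ace["port"]
    return dport is not None and {"eq": dport == n, "gt": dport > n, "lt": dport < n}[op]

def pbr_decision(acl, proto, src, dst, dport=None):
    """Return where the packet is forwarded: 'Dialer1' (PBR) or 'routing-table'."""
    for ace in map(parse_ace, acl):          # first match wins, implicit deny at end
        if _hit(ace, proto, src, dst, dport):
            return "Dialer1" if ace["action"] == "permit" else "routing-table"
    return "routing-table"

# ACL 153 as posted (the 443/22/pop3/ftp/ftp-data lines behave like these).
ACL_ORIGINAL = [
    "access-list 153 permit tcp 10.10.0.0 0.0.255.255 any eq www",
    "access-list 153 permit udp 10.10.0.0 0.0.255.255 any eq domain",
    "access-list 153 permit tcp 10.10.0.0 0.0.255.255 any gt 1023",
]
# Rick's broader fix: keep every VLAN 10 -> VLAN 11 packet off the PBR path.
ACL_FIXED = ["access-list 153 deny ip 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255"] + ACL_ORIGINAL
```

With the original list, HTTP from 10.10.x.x to 10.11.x.x matches the first permit and is policy-routed to Dialer1 while ICMP matches nothing and is routed normally; with the deny line in front, all VLAN 10 to VLAN 11 traffic is routed normally and Internet-bound web and DNS traffic still takes Dialer1.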

leejones365 Wed, 02/20/2008 - 04:27

Rick,

Thanks again, and to Bart, for supplying me with the answer I needed. I will continue to use this forum for issues I may encounter, and I might also try to aid other users where possible. As I mentioned earlier, I had my CCNA3 final on Monday (passed by the way :-)) but the forum has helped me in areas such as this (route-maps); before I wouldn't have known what they do, but now I do :)

Cheers again.

Lee

Correct Answer
Richard Burts Tue, 02/19/2008 - 08:51

Lee

I have been looking at this as an issue of routing between the 2 VLANs and assuming that there was no connectivity. The response from Craig made me go back and read again your original post and I see that I was way off track. Your description clearly says that there is basic connectivity between the VLANs and that you are able to ping the device in VLAN 11. So it is not a basic connectivity/routing issue as I had been thinking. And Craig is exactly right that the issue is the Policy Based Routing that is configured on the VLAN subinterface. That Policy Based Routing says that any packet received on that interface which is tcp port 80 (which you say is how you need to access the device in VLAN 11) will be sent out the dialer interface. This is exactly why you can not web to the device from VLAN 10 but can do so with no issue on your VPN connection (which is not doing the PBR).

To fix this you will need to modify access list 153 so that it denies traffic with source address in VLAN 10 and destination address in VLAN 11.

HTH

Rick
