Hi all, I have an issue at the moment regarding two VLANs trying to communicate with each other. I have basically just started work for this company and they have recently had a new network installed. We are still negotiating a support contract with the suppliers of the equipment, but until then I need to resolve an issue with routing between VLANs.
I have one VLAN (ID = 10) and another VLAN (ID = 11). VLAN 11 houses a product demo suite, so basically a second dummy network. I need to be able to control one of the devices on VLAN 11 from VLAN 10, now this sounds easy, right? It is all set up with trunk ports etc., there is a trunk between the router and the main switch, and all encapsulation is set to dot1Q. Here is the weird part: I can ping the device (10.11.x.x on VLAN 11) from any device on VLAN 10 (10.10.x.x), but if I try to connect to the management console, which uses port 80, it does not want to know. I have tried setting up another IIS website to see if I can access that, still no joy. I cannot access devices on VLAN 10 from VLAN 11 either, but again I can ping. What's even stranger is that I am able to connect when coming in through a VPN connection to the network, which uses a 10.50.x.x range and is VLSM.
Any ideas would be great, I have tried everything and it's really starting to annoy me. (Plus I've got my CCNA3 final tonight, argggh.)
I have been looking at this as an issue of routing between the two VLANs and assuming that there was no connectivity. The response from Craig made me go back and read your original post again, and I see that I was way off track. Your description clearly says that there is basic connectivity between the VLANs and that you are able to ping the device in VLAN 11. So it is not a basic connectivity/routing issue as I had been thinking. And Craig is exactly right that the issue is the Policy Based Routing that is configured on the VLAN subinterface. That Policy Based Routing says that any packet received on that interface which is TCP port 80 (which you say is how you need to access the device in VLAN 11) will be sent out the dialer interface. This is exactly why you cannot web to the device from VLAN 10 but can do so with no issue over your VPN connection (which is not subject to the PBR).
To fix this you will need to modify access list 153 so that it denies traffic with a source address in VLAN 10 and a destination address in VLAN 11.
Lee, your route map directs the web traffic to go out the Dialer1 interface. Route maps get processed first, before the routing table is consulted, so if the traffic is matched by ACL 153 it will go out Dialer1 and the router won't even look at the routing table. You are able to ping from both VLANs because your ACL 153 doesn't have any statements for ICMP, so that traffic goes to the routing table and finds the destination. However, your ACL 153 does identify web traffic, so it gets processed by the route map instead of the routing table. You would have to add "access-list 153 permit tcp 10.10.0.0 0.0.255.255 (vlan 11) eq www" as the first line of your 153 ACL.
access-list 153 permit tcp 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255 eq www
access-list 153 permit tcp any any eq www
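For reference, here is the PBR configuration the thread is describing, written out as an added example rather than Lee's actual router config. It shows the ACL as it presumably stands (one catch-all entry that sends all web traffic to the dialer) next to a corrected ACL that excludes inter-VLAN web traffic in both directions, using deny entries as the first reply suggests. The key IOS behaviour is that a packet hitting a deny entry in a route-map's match ACL is treated as not matched, so it falls through to normal destination-based routing; a permit entry, by contrast, is still a match and would still be policy-routed. ACL number 153, the Dialer1 interface and the 10.10.x.x / 10.11.x.x ranges come from the thread; the /16 masks, the route-map name WEB-TO-DIALER, the subinterface names and the gateway addresses are assumptions for illustration.

```cisco
! ---- Presumed current state (everything on TCP/80 is policy-routed to Dialer1)
access-list 153 permit tcp any any eq www
!
! ---- Corrected ACL 153
! Deny entries must come first: first match wins. A deny here means
! "not matched by the route map", so the packet is routed normally.
no access-list 153
access-list 153 deny   tcp 10.10.0.0 0.0.255.255 10.11.0.0 0.0.255.255 eq www
access-list 153 deny   tcp 10.11.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq www
! Everything else on TCP/80 still goes out the dialer as before
access-list 153 permit tcp any any eq www
!
! ---- Route map (name assumed) that the ACL feeds
route-map WEB-TO-DIALER permit 10
 match ip address 153
 set interface Dialer1
!
! ---- Router-on-a-stick subinterfaces (names and gateway addresses assumed).
! The route map is applied inbound on each VLAN subinterface; traffic
! arriving from the VPN does not enter here, which is why the VPN works.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.0.0
 ip policy route-map WEB-TO-DIALER
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 10.11.0.1 255.255.0.0
 ip policy route-map WEB-TO-DIALER
```

To confirm the change, `show route-map WEB-TO-DIALER` reports the policy-routing match count, and `debug ip policy` (on a quiet router only) prints each policy-routed and rejected packet, so a browse from 10.10.x.x to 10.11.x.x should now show up as "policy rejected -- normal forwarding" while Internet-bound web traffic still shows "policy match".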