Cisco 1760 VLAN Router Ques.

Hello,


I am having a problem pinging from my vlan to end stations on my network.


A Tracert from my laptop in the vlan shows that the packet stops on the 200 subnet on the router. Vlan is in 200 subnet.


There is only one network and one VLAN set up on the router; I am not sure why ping will not go to the other network from the VLAN. I can log into the web interface of the router and do a ping from the router, specifying that the ping is from the 200 subnet, and that adds the .90 subnet address to the ARP table. Only then am I able to ping from my end station across the VLAN to the other network client.


I can provide some more info if needed.


JKR

Istvan_Rabai Tue, 04/01/2008 - 13:12

Hi Randy,


It would definitely help if you provided the running config of your router, with clearer explanation on the topology of your network:


Are the end users and your laptop on different interfaces of your router?


How did you set up a VLAN on the router?

Maybe, it is a layer3 switch?


Thanks:

Istvan

As requested (in two Parts) this is Part 1



Current configuration


version 12.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

no service password-encryption

service sequence-numbers



no aaa new-model

ip subnet-zero

no ip source-route



ip tcp synwait-time 10


ip name-server 192.168.90.4

ip dhcp excluded-address 192.168.80.1 192.168.80.99

ip dhcp excluded-address 192.168.80.200 192.168.80.254

ip dhcp excluded-address 192.168.80.1 192.168.80.100

ip dhcp smart-relay

ip dhcp relay information option

no ip dhcp relay information check

ip dhcp relay information trust-all

interface FastEthernet0/0

description $FW_INSIDE$$ETH-LAN$

ip address 192.168.90.65 255.255.255.0

ip access-group 100 in

ip access-group 1 out

ip mask-reply

ip directed-broadcast

ip route-cache flow

speed auto

full-duplex

no cdp enable

!

interface FastEthernet0/1

switchport access vlan 3

no ip address

no cdp enable

!

interface FastEthernet0/2

switchport access vlan 3

no ip address

shutdown

no cdp enable

!

interface FastEthernet0/3

switchport access vlan 2

no ip address

shutdown

no cdp enable


interface FastEthernet0/4

switchport access vlan 2

no ip address

shutdown

no cdp enable


interface Vlan1

no ip address


interface Vlan3

description Wireless

ip address 192.168.200.254 255.255.255.0

ip access-group 102 in

ip access-group 102 out

ip helper-address 192.168.90.4

ip mask-reply

ip directed-broadcast

ip dhcp relay information trusted

ip route-cache flow

router rip

passive-interface FastEthernet0/0

passive-interface Vlan1

passive-interface Vlan3

network 192.168.90.0

network 192.168.200.0

no auto-summary


End part 1

(Part 2)



ip classless

ip route 0.0.0.0 0.0.0.0 192.168.90.1 permanent

ip route 10.0.0.0 255.255.255.0 192.168.90.49

ip route 10.54.244.0 255.255.255.0 192.168.90.252

ip route 172.16.16.0 255.255.255.0 192.168.90.1

ip route 192.168.70.0 255.255.255.0 192.168.90.252

ip route 192.168.200.0 255.255.255.0 Vlan3

ip http server

ip http authentication local

ip http secure-server

ip access-list standard sdm_vlan1_in

remark SDM_ACL Category=1

permit any

logging trap debugging

logging 192.168.90.226

access-list 1 remark SDM_ACL Category=1

access-list 1 permit any

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 permit ip 192.168.80.0 0.0.0.255 any

access-list 100 permit ip 192.168.200.0 0.0.0.255 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip 192.168.90.0 0.0.0.255 any

access-list 101 permit icmp any host 192.168.200.254 echo-reply

access-list 101 permit icmp any host 192.168.200.254 time-exceeded

access-list 101 permit icmp any host 192.168.200.254 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 permit ip any any log

access-list 102 remark auto generated by SDM firewall configuration

access-list 102 remark SDM_ACL Category=1

access-list 102 permit ip 192.168.90.0 0.0.0.255 any

access-list 102 permit icmp any host 192.168.200.254 echo-reply

access-list 102 permit icmp any host 192.168.200.254 time-exceeded

access-list 102 permit icmp any host 192.168.200.254 unreachable

access-list 102 permit eigrp any any

access-list 102 permit ip 10.0.0.0 0.255.255.255 any

access-list 102 permit ip 172.16.0.0 0.15.255.255 any

access-list 102 permit ip 192.168.0.0 0.0.255.255 any

access-list 102 permit ip 127.0.0.0 0.255.255.255 any

access-list 102 permit ip host 255.255.255.255 any

access-list 102 permit ip host 0.0.0.0 any

access-list 102 permit ip any any log

access-list 103 remark auto generated by SDM firewall configuration

access-list 103 remark SDM_ACL Category=1

access-list 103 permit ip 192.168.90.0 0.0.0.255 any

access-list 103 permit icmp any host 192.168.80.254 echo-reply

access-list 103 permit icmp any host 192.168.80.254 time-exceeded

access-list 103 permit icmp any host 192.168.80.254 unreachable

access-list 103 permit ip 10.0.0.0 0.255.255.255 any

access-list 103 permit ip 172.16.0.0 0.15.255.255 any

access-list 103 permit ip 192.168.0.0 0.0.255.255 any

access-list 103 permit ip 127.0.0.0 0.255.255.255 any

access-list 103 deny ip host 255.255.255.255 any

access-list 103 permit ip host 0.0.0.0 any

access-list 103 permit ip any any log


no cdp run


Istvan_Rabai Tue, 04/01/2008 - 19:57

Hi Randy,


What I observed in your configuration is the following:


The below part of access-list 102 effectively does not allow icmp messages to pass through interface vlan3 to the .90 subnet, where your inside network resides:


access-list 102 permit icmp any host 192.168.200.254 echo-reply

access-list 102 permit icmp any host 192.168.200.254 time-exceeded

access-list 102 permit icmp any host 192.168.200.254 unreachable


ICMP messages are allowed to the 192.168.200.254 host only.


So I would remove this part of the access-list.


Secondly, you apply access-list 102 on interface vlan 3 inbound and outbound.


This also creates unnecessary complexities.

Apply access-lists in one direction only on the interface.


Cheers:

Istvan


Istvan_Rabai Tue, 04/01/2008 - 23:16

I mean do not apply the same access-list in two different directions on the same interface.


Cheers:

Istvan
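
As an added example (not code from the thread or from Cisco), a small first-match evaluator run over access-list 102 as posted shows which entry a given packet hits. The client address 192.168.200.10 and the outside address 203.0.113.5 are constructed, and only the ip/icmp/eigrp entry forms used in this list are parsed.

```python
import ipaddress

# access-list 102 exactly as posted in the thread (remark lines omitted).
ACL_102 = """\
permit ip 192.168.90.0 0.0.0.255 any
permit icmp any host 192.168.200.254 echo-reply
permit icmp any host 192.168.200.254 time-exceeded
permit icmp any host 192.168.200.254 unreachable
permit eigrp any any
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
permit ip host 255.255.255.255 any
permit ip host 0.0.0.0 any
permit ip any any log
""".splitlines()

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def take_addr(tok):
    """Consume one address spec from the token list -> (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tok.pop(0)), 0
    return to_int(first), to_int(tok.pop(0))

def hit(ip, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (to_int(ip) & care) == (base & care)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """First-match lookup; returns (entry number, action, entry text)."""
    for n, line in enumerate(acl, 1):
        tok = line.split()
        action, p = tok.pop(0), tok.pop(0)
        s, d = take_addr(tok), take_addr(tok)
        want_type = tok[0] if tok and tok[0] != "log" else None
        if p not in ("ip", proto) or (want_type and want_type != icmp_type):
            continue
        if hit(src, s) and hit(dst, d):
            return n, action, line
    return None, "deny", "implicit deny any any"

if __name__ == "__main__":
    # Echo from a constructed wireless client to the page's name server, then the reply.
    print(evaluate(ACL_102, "icmp", "192.168.200.10", "192.168.90.4", "echo"))
    print(evaluate(ACL_102, "icmp", "192.168.90.4", "192.168.200.10", "echo-reply"))
```

Entry 12 (permit ip any any log) catches whatever the earlier entries miss, so this list never reaches the implicit deny: it logs traffic but filters none of it.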

gojericho0 Tue, 04/01/2008 - 18:27

ok, does this 1760 have a 4 port switch module? and are all end stations connected to these ports?


Could you copy the output of the following commands


sh vlan brief

sh int


Can you confirm the endpoints are correctly receiving an IP address on this VLAN?
