Inter-VLAN Routing - Unable to ping devices

Unanswered Question
Mar 10th, 2009

Hi,

I hope someone is able to assist with my issues. There are a couple of matters I would like to hopefully solve here.

Firstly, I have configured a Router-On-A-Stick setup with a 2620 router running c2600-is-mz.121-27b.bin and 2x WS-2960-24TT-L switches running c2960-lanbase-mz.122-46.SE.bin.

The switches and router have been configured with the following IP addresses for management purposes:

192.168.74.231/24 (SW1)

192.168.74.232/24 (SW2)

192.168.74.250/24 (Router)

The router has a single FE interface configured with 4 sub-interfaces for vlans as follows:

* 172.16.2.254/24 (vlan2)

* 172.16.3.254/24 (vlan3)

* 172.16.4.254/24 (vlan4)

* 10.1.1.254/24 (vlan5)

and the switches have corresponding vlan interfaces setup as follows:

* 172.16.2.1/24 (vlan2)

* 172.16.3.1/24 (vlan3)

* 172.16.4.1/24 (vlan4)

* 10.1.1.253/24 (vlan5)

I have allocated ports from across both switches to the various vlans. See attached configs for exact details.

The 192.168.74.x range is the default vlan, vlan1. The servers in my network are configured in the same IP range and subnet.

Here is where my problem begins...

1. From either of the switches or the router, I am able to ping any IP address on my network, in any of the ranges.

2. From a device in any of the 172.16.x.x subnets, I am able to ping the other subnet interfaces and gateways as well as the 192.168.74.x addresses of the switches and router.

3. From a device in any of the 172.16.x.x subnets, I am unable to ping any of my servers even though they are in the same subnet as the switches and router.

4. From any device in the 192.168.x.x subnet, other than the switches and router, I am unable to ping devices in the 172.16.x.x subnets.

Question #1: How can I enable devices from the 172.16.x.x subnets to be able to communicate with the others in the 192.168.74.x subnet and vice-versa?

Question #2: Is there additional config required on the router/switches to enable what I want to achieve?

Question #3: Have I got the correct IOS installed on my hardware? Is there a particular IOS I need for each device?

Question #4: How can I get each device in the vlans to obtain automatic IP addresses based on their vlan membership? I have already setup the appropriate scopes in WinSrvr2K3 DHCP.

Secondly, the 5th vlan's purpose as a testlab is to have a direct path to the internet by bypassing my network's proxy server. However, access to and from the remainder of the network is still required.

I think ACLs will be required to achieve this, but not exactly sure on the required config. I have played around with ACLs in the past in an attempt to control the flow of traffic throughout the network but only ended up blocking everything instead.

If someone can point me in the right direction or provide the required configuration details to help me resolve these matters, it would be greatly appreciated.

I have attached the configs for each switch and router for everyone's info.

Apologies for the long-winded explanation, but the more info provided, the better.

Thanks in advance,

Darren

ericn8484_2 Tue, 03/10/2009 - 07:11

It sounds like you are having a default gateway/subnet issue. All devices should have a subnet mask of 255.255.255.0 no matter what network they are in.

All devices in the 192.168.74.x network should have a default gateway of 192.168.74.250 as that is your router. Everything else should have 172.16.x.254 as their default gateway.

As for DHCP, on your VLAN interfaces on your router, add the following command:

ip helper-address (DHCP SERVER IP)

That will forward DHCP requests to your DHCP server. Your DHCP server should see that the requests are coming from your VLAN interface and hand out the proper IP address range.
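
Putting the gateway advice and the helper-address tip together, here is an added example of the router-on-a-stick configuration for the topology described in the original post. It is not taken from Darren's attached configs (which are not on this page) or from the reply above. The physical interface name FastEthernet0/0, the SW1 uplink port FastEthernet0/1 and the DHCP server address 192.168.74.10 are placeholders, not values from the thread.

```cisco
! ---- Router (2620, IOS 12.1) ----
! One physical interface carries an 802.1Q trunk. Untagged frames on that
! trunk belong to VLAN 1, so the VLAN 1 (192.168.74.0/24) address goes on the
! physical interface itself; this works on any IOS release, including ones
! without the "encapsulation dot1Q 1 native" form.
interface FastEthernet0/0
 description trunk to SW1 Fa0/1 (placeholder port)
 ip address 192.168.74.250 255.255.255.0
 no shutdown
!
! One tagged subinterface per routed VLAN. The subinterface address is the
! default gateway for hosts in that VLAN. "ip helper-address" relays a host's
! DHCP broadcast as a unicast to the server; the server chooses the scope from
! the relay address it sees (giaddr), which is this subinterface's address.
! 192.168.74.10 is a placeholder for the Windows Server 2003 DHCP server.
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.2.254 255.255.255.0
 ip helper-address 192.168.74.10
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 172.16.3.254 255.255.255.0
 ip helper-address 192.168.74.10
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 172.16.4.254 255.255.255.0
 ip helper-address 192.168.74.10
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 10.1.1.254 255.255.255.0
 ip helper-address 192.168.74.10
!
! VLAN 1 hosts share a subnet with the DHCP server, so they need no helper.
! Their default gateway is 192.168.74.250, as the reply says.
!
! ---- SW1 (2960, IOS 12.2 LAN Base) ----
! The 2960 trunks with 802.1Q only, so there is no
! "switchport trunk encapsulation" command. Carry only the VLANs in use.
interface FastEthernet0/1
 description trunk to router Fa0/0 (placeholder port)
 switchport mode trunk
 switchport trunk allowed vlan 1-5
!
! ---- Checks ----
! SW1:    show interfaces trunk          Fa0/1 trunking, VLANs 1-5 allowed and active
! Router: show ip interface brief        every subinterface up/up
! Router: show ip interface FastEthernet0/0.5 | include Helper
!                                        prints "Helper address is 192.168.74.10"
```

Two things worth checking before blaming the router: a host in VLAN 2 that still has a 192.168.74.x default gateway will show exactly the symptoms in the original post (it can reach its own subnet but nothing routed), and a trunk that does not allow a VLAN will leave that VLAN's subinterface up but silent. The helper-address relay needs no reverse path configuration, because the server's offer is sent back to the giaddr, which is a router address the server already knows how to reach.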

darrenoleary Tue, 03/10/2009 - 14:26

Thanks for the tip. Such a small and simple thing can make a world of difference.

You said to have 192.168.x.250 as the DG on each of the 192.168.x.x machines. I have my proxy server/firewall (ISA 2004) with twin NICs.

The internal NIC has no DG as it is the gateway for all machines inside the network(s) to get out to the internet. Its external NIC is the only one with a DG, which is the next hop to get out.

Should I enter 192.168.x.250 on the internal NIC, as this is now the only machine unable to ping any of the 172.16.x.x networks, and vice versa: the 172.16.x.x networks are unable to ping 192.168.x.254?

My alternative to this is to use a hardware firewall such as a PIX or use another router with two FE interfaces, but I assume this will involve setting various rules or ACLs to control traffic flow.

That resolves a couple of issues raised. Now to resolve the others regarding bypassing the proxy server and setting ACLs for traffic control.
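
The two items left open in the thread, a direct internet path for VLAN 5 and the ACL that blocked everything, are one routing question plus one ACL rule. The configuration below is an added example, not from Darren's configs or from any reply here. It assumes a second internet gateway reachable from the router at 192.168.74.1 (a placeholder; the thread never names one), that the proxy's internal NIC is 192.168.74.254 (inferred from the follow-up, not confirmed), and that the 2620's IP Plus ("is") image supports policy routing, which that feature set does.

```cisco
! Which traffic goes around the proxy is a routing (next-hop) decision, not
! an ACL decision. The ACL here only classifies VLAN 5 traffic.
!
! Normal path for everyone: default route toward the proxy's internal NIC.
! 192.168.74.254 is assumed from the follow-up post, not confirmed.
ip route 0.0.0.0 0.0.0.0 192.168.74.254
!
! Step 1: classify VLAN 5 traffic. Internal destinations are "deny" so they
! keep normal routing (in a route-map match, deny means "do not policy-route",
! NOT "drop"). Everything else from VLAN 5 is "permit" = send around the proxy.
access-list 105 remark VLAN 5 traffic that should bypass the proxy
access-list 105 deny   ip 10.1.1.0 0.0.0.255 192.168.74.0 0.0.0.255
access-list 105 deny   ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
!
! Step 2: policy-route what ACL 105 permits to the placeholder gateway.
route-map VLAN5-BYPASS permit 10
 match ip address 105
 set ip next-hop 192.168.74.1
!
! Step 3: apply to the VLAN 5 subinterface; policy applies to traffic
! arriving from the lab hosts.
interface FastEthernet0/0.5
 ip policy route-map VLAN5-BYPASS
!
! The trap from the original post: every IOS ACL ends with an implicit
! "deny ip any any". An ACL applied with "ip access-group" that lists only what
! you want to block, with no permit line, blocks everything. If a filter is
! wanted on VLAN 5 as well, finish it with an explicit permit. The deny line
! below is illustrative only (keeping the lab off the switch management
! addresses); it is not a requirement stated in the thread.
ip access-list extended VLAN5-IN
 remark illustrative rule: lab may not reach switch management addresses
 deny   ip 10.1.1.0 0.0.0.255 host 192.168.74.231
 deny   ip 10.1.1.0 0.0.0.255 host 192.168.74.232
 permit ip any any
!
interface FastEthernet0/0.5
 ip access-group VLAN5-IN in
! Inbound access-group is evaluated before policy routing, so anything the
! filter denies never reaches the route-map.
!
! Checks
! show ip policy                  Fa0/0.5 -> VLAN5-BYPASS
! show route-map VLAN5-BYPASS     "Policy routing matches" counter climbs when lab hosts browse
! show access-lists               per-line match counters for 105 and VLAN5-IN
```

On the dual-homed proxy from the follow-up: a Windows host has one default gateway, and it belongs on the external NIC. The internal side gets static routes instead, for example on Windows Server 2003 `route -p add 172.16.0.0 mask 255.255.0.0 192.168.74.250` and `route -p add 10.1.1.0 mask 255.255.255.0 192.168.74.250`, so replies to the routed VLANs leave through the router rather than following the default route out of the external NIC. That, together with the 192.168.74.x hosts using 192.168.74.250 as their gateway and the router's default route pointing back at the proxy, gives a consistent path in both directions.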
