inter-vlan communication

Unanswered Question
Mar 12th, 2009

Hey One and all;

I'm having an issue that I need to figure out and would like advice/guidance in how I can resolve it. Here goes: our company has a domain in which we have a few computers; the company has several departments and we decided to segment the network using VLANs. Our core device is a Catalyst 3750 switch and that is also doing the inter-VLAN routing. I can ping any machine and I can access applications from our application server from any other VLAN. However, if I try to \\computername to machines in another VLAN I get an error stating that the network path was not found. If I try the command between 2 machines that are in the same VLAN it works, but across VLANs it's a no go. I have checked the configuration and there is no access-list restricting traffic across the VLANs. Any ideas, guidance, information on resolving this matter would be greatly appreciated.

lamav Thu, 03/12/2009 - 11:01

Can you post the config of the 3750 switch that is doing the i-v routing and provide some more architecture info?

Tshi M Thu, 03/12/2009 - 11:07

It sounds like ports 445 and 139 are blocked somewhere, though you did mention no ACL.

Joseph W. Doherty Thu, 03/12/2009 - 12:43

Are these computers Windows systems? If I recall correctly, Windows treats DNS name resolution differently from NetBIOS name resolution (or did). I'm not current with Windows technology, but the NetBIOS name resolution used to be done by WINS servers. I think Windows has improved the integration between IP and NetBIOS, but don't know what the current scheme is for Windows off local subnet name resolution. (Same subnet used to be resolved by local broadcast.) Something you might want to check.

pacsniffing Thu, 03/12/2009 - 12:54

Thanks for all the responses. Yes, the systems are all Windows XP with one or two of them being Win2k. Please find attached text of config and network diagram. Our current network does not have any WINS servers.

Tshi M Thu, 03/12/2009 - 13:00

Did you try to use IP address rather than FQDN?

Joseph W. Doherty Thu, 03/12/2009 - 17:19

So something like:

net use x: \\ahost\ashare


net use x: \\#.#.#.#\ashare

works on the same subnet but neither works across subnets, yet both ping ahost or ping #.#.#.# work?

Joseph W. Doherty Thu, 03/12/2009 - 18:20

I was afraid you were going to say that.

I didn't see anything that looked wrong in your 3750 config, but I didn't sift through it either.

Other than what another poster inquired about blocking NetBIOS ports, which doesn't seem the case, the only other thing that comes to mind is somehow your clients' NetBIOS isn't running over TCP (IPv4) but uses something else that works on a local segment.

I'm too rusty at Windows client support to recall what all you might look at. You might search Microsoft's knowledgebase.



To help confirm it's a Windows NetBIOS/client issue, you might try a "pure" IP service on your Windows hosts like HTTP, FTP, Telnet, etc. across your VLANs. (The fact that you note some other applications work might already validate this.)

Tshi M Thu, 03/12/2009 - 19:35

I, as Joseph, did not see anything on your configuration. Could you try to telnet to port 445 and 139 across VLANs?

pacsniffing Fri, 03/13/2009 - 08:14

Thanks for the responses. Even though I can't \\ to the machines, I can use a remote access application that works over HTTP, e.g. I can go to http://machinename:22222 and can connect to the machine and resolve user issues.

Tshi M Fri, 03/13/2009 - 08:17

Were you able to telnet to port 445 and 139 from one host on a VLAN to another host on a different VLAN?

pacsniffing Fri, 03/13/2009 - 08:20

No, I was not able to. I get a connection failed error, as per below:

I:\>telnet 445

Connecting To not open connection to the host, on port 445:

Connect failed

sharma16031981 Fri, 03/13/2009 - 09:27

First correct the port configuration. You have configured trunk and access port on the same port.

You have created interfaces for different VLANs; have you created VLANs for them?

If you are running STP and your VLAN info is shown in sh vlan on the 3750, then check whether your access layer switches are learning about those VLANs or not.

If not, configure STP on them or create VLANs manually in all of the switches.

Configure the trunk properly so that different VLAN traffic can flow through them.

Most probably the problem is with the trunk port config and a VLAN flow problem.


Tshi M Fri, 03/13/2009 - 10:24

I don't think that it is a trunk problem, for he is able to ping and access the hosts using other applications such as HTTP. His trunk config is left as default, thus allowing all VLANs across.

pacsniffing Fri, 03/27/2009 - 13:43

Sorry for the delay in responding everyone, more work than hands. I've used a protocol analyzer to verify the requirements of the \\ command to see if maybe I was restricting the service in some way, but I don't have any ACL on the switch and all the VLANs are directly connected, so routing should be straightforward. Thanks in advance.

rpfinneran Sun, 03/29/2009 - 03:19

Okay, so now can you put the protocol analyzer on the destination VLAN and see if the traffic is making it through the IV routing part? Just to rule out any kind of Windows FW or IPS feature blocking the connection...

jholding09 Sun, 03/29/2009 - 04:45

I think since you are on different subnets and have no WINS server, you will have to use the LMHOSTS file to point everything to your domain.

pacsniffing Sun, 03/29/2009 - 19:14

The LMHOSTS file in Windows??? I'd really prefer to avoid that because I can just see it being a lot of configurations on a per machine basis, and I would have to do it every time a new machine is added. Unless a script would work, but that would have the same problem I'm having now with the config not being pushed.

pacsniffing Sun, 03/29/2009 - 19:11

I'll be out of the office tomorrow, but will try it on Tuesday. Thanks for the suggestion.

mmacdonald70 Sun, 03/29/2009 - 05:46

Windows NetBios uses UDP broadcasts for most Netbios traffic. By default the "ip helper-address" command redirects all udp broadcast traffic to the helper address. This includes NetBios broadcasts.

Try adding:

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-ss

to your vlan interfaces.

pacsniffing Sun, 03/29/2009 - 19:20

Will definitely give this a try to see how it goes, and thanks for the wiki, about to go read it now.

pacsniffing Sun, 03/29/2009 - 19:27

OK, tried, but the command is not available in the firmware of my L3 switch. Thanks anyway though.

pacsniffing Thu, 04/02/2009 - 10:59

Hey everyone; still working on this issue, so here are the updates. I tried adding the commands from mmacdonald70 but the result is the same: still can't get to the machine using \\machinename. A couple of things with the commands: for our switch I can't add it in the actual VLAN interfaces, it has to be a global command, and the second one, the no ip forward-protocol udp netbios-ss, gives me an error: UDP port 139 not found to delete. I also added a machine with Wireshark installed on the other VLAN and tried the \\; the Wireshark logs show that the traffic is reaching the VLAN and the traffic is coming on port 445 and 137, and verified that these ports are passing through the Windows firewall as part of the file and printer sharing rule. So I'm still in the same position as before. Thanks for all the help so far though, been learning a lot through it.

rpfinneran Sun, 04/05/2009 - 20:27

Seems like if you are able to sniff the traffic on the other VLAN and have verified it is reaching the PC, then I would assume this is not a routing/switching problem. Keep us posted on what you find.

pacsniffing Wed, 07/15/2009 - 14:26

OK one and all, found the culprit... Seems years ago, before I got here, the then system administrator altered a GPO which then restricted file and print sharing to only the local subnet. As a result all inter-VLAN traffic for F&P sharing was being blocked by said GPO. Well, thanks for the help anyway. At least this is one less thing to worry about.
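
The telnet test to ports 445 and 139 requested earlier in the thread, as an added example that is not part of the original posts: it separates "no answer" from "reset" and reads the SMB ports against a control port that is known to work across VLANs (22222 in the thread). The function names and verdict strings are hypothetical, and the reading of a silent drop as host filtering assumes that a firewall rule scoped to the local subnet discards off-subnet connection attempts without replying.

```python
import socket

SMB_PORTS = (445, 139)  # the two ports the thread tests with telnet

def probe(host, port, timeout=2.0):
    """Classify one TCP connect: 'open', 'refused' (RST) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout or ICMP unreachable: nothing answered the SYN
        return "filtered"

def diagnose(smb_states, control_state):
    """Read SMB results against a control port known to work across VLANs."""
    states = set(smb_states.values())
    if "open" in states:
        return "smb-reachable"          # look at name resolution instead
    if control_state != "open":
        return "path-problem"           # routing/ACL: control fails as well
    if "filtered" in states:
        return "host-filter-suspected"  # firewall scope or policy on the target
    return "service-not-listening"      # host answered with RST on SMB ports

def check_host(host, control_port, timeout=2.0):
    """Probe both SMB ports and the control port on one remote host."""
    smb = {port: probe(host, port, timeout) for port in SMB_PORTS}
    return smb, diagnose(smb, probe(host, control_port, timeout))

if __name__ == "__main__":
    # Constructed results mirroring the thread: control port 22222 answers
    # across VLANs, both SMB ports get no reply.
    sample = {445: "filtered", 139: "filtered"}
    print(diagnose(sample, "open"))
```

Running `check_host` once from a machine in the target's own VLAN and once from another VLAN shows whether the result depends on the source subnet, which is the pattern a subnet-scoped file and print sharing policy produces.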

JudAster2010 Wed, 06/09/2010 - 00:56


I'm sorry to fire this thread up again, but I'm having the same problem and I don't understand the solution. I can ping from every host of every VLAN to any other host in any other VLAN, I can use FTP to a NAS disk in a different VLAN, but I can't see the other VLAN computers in the network places, or use the printers in different VLANs. Where can I find the GPO configuration and how do I change it?

Thank you very much,


michael.hutt Wed, 06/09/2010 - 02:51

Hi Jud,

The original poster's problem was actually beyond the scope of Cisco devices, as it was a problem with the Windows Group Policy setup, which basically told all the client computers that they may only share files and printers with devices on their local subnet (i.e., not through routers).

What I understand, though, is that in order to have Windows File and Printer Sharing across multiple subnets, you need to have a WINS server that all machines on all subnets can communicate with. WINS is like DNS in that it takes these Windows host names and maps them to their destinations.

In essence, if you want to communicate with another computer using its hostname, you need to send a request to find out which IP address belongs to which hostname.  If you use broadcasts, you will only be able to find those on your local subnet.  The client can not and will not have any idea of any networks and hosts residing outside of the local subnet, unless you give it a WINS server to help with queries.  The server will take the queries and process them, sending back results, therefore enabling \\hostname-here requests to work across multiple subnets.

That's what I'm understanding from all the discussion in this thread, anyways. If anyone else knows more about WINS and SMB across subnets, now's your time to shine.

Mark Bowyer Wed, 06/09/2010 - 02:58

You don't need a WINS server. You can append the DNS suffix in DNS so that you don't have to use the fully qualified name. If you do an ipconfig /all, you will see the DNS suffix appended there if DNS has been configured correctly. You need to remote onto one of your domain controllers, open up group policy in the group policy management console or whatever method you use to edit group policy, and change the default domain group policy to allow file and print sharing.

JudAster2010 Wed, 06/09/2010 - 03:19

Thank you VERY much. We don't have any server in our small office right now, but my next duty is to install one new Small Business Server 2008 box next week, so I hope it will solve my inter-VLAN browsing problems.



JudAster2010 Wed, 06/09/2010 - 03:16

Thank you very much for taking the time to enlighten me. I understand it now!

Have a nice day,


