Making 2 VLANs talk to 1 server

Unanswered Question
Jul 11th, 2012

I have two VLANs each with a different subnet.

We'll call them VLAN A on 192.198.0.1 and VLAN B on 192.168.16.1.

We have to maintain the network isolation for PCI (Credit Card compliance), but I have a server on VLAN A, 192.168.0.45 that computers on both VLANs need to access.

My infrastructure is three switches in series with trunking ports configured. There is a gateway for VLAN A and a separate gateway for VLAN B each to a separate router and T1 connection.

The switches are managed switches and IP routing is enabled. 

Is there a way to make both VLANs communicate with 192.168.0.45?

Do I have to put both VLANs on the 192.168.0.1 subnet and just isolate by VLAN?

Is there a way to make the two VLANs communicate?

Do I need to add a static route on the switches to 192.168.045 or set the switch port that 192.168.0.45 is on as a trunk port?

This isn't my area of expertise (small business, I wear a lot of hats), so any help is greatly appreciated.

pompeychimes Wed, 07/11/2012 - 14:01

Do you have a diagram? I'm not getting an accurate picture of the network from your description.

Thanks,

James

danoldenkamp Wed, 07/11/2012 - 15:53

The customer service vlan was 192.168.16.1 but I think I need to set it also to 192.168.0.1 to talk to server in the middle.

Yes, I know these are Adtran boxes and this is a Cisco forum, but the IOS is about the same and the Cisco forum is much more active.

I am trying to maintain the VLAN isolation, except get everybody to talk to that 1 server.

danoldenkamp Wed, 07/11/2012 - 15:56

I can give you the whole topological map, but it is more convoluted.

I have trunking enabled on the ports that link between switches.

I had customerservice on the 192.168.16.1 subnet, which is how I got them to go to the Adtran NetVanta 3200 router instead of the Adtran Total Access router.

pompeychimes Wed, 07/11/2012 - 16:05

Ohh pretty.

Are all the networks using a /24 mask. If not what are they using?

Where is the default gateway for each vlan? Is it an on the switches (SVI or routed port) or is it the inside interface of each Adtran?

James

danoldenkamp Thu, 07/12/2012 - 08:15

I don't know why the switches were on 10.10.10.1; the computers on VLAN 1 are on 192.168.0.1 but able to route just fine.

Originally I was going to have VLAN 1 on 192.168.0.1

and VLAN 2 on 192.168.16.1 but to get them both to talk to 192.168.0.45 I thought I might have to put both VLANs on ip address 192.168.0.1 /24.

However, it will not let me configure them both the same.

Here is the config file:

!
interface vlan 1
  ip address  10.10.10.1  255.255.255.0
  ip address  209.253.81.1  255.255.255.248  secondary
  no ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.1  255.255.255.0
  no ip route-cache
  no ip route-cache express
  no shutdown
!
no ip tftp server
no ip tftp server overwrite
ip http server
ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!

and on switch 2:

!
interface vlan 1
  ip address  10.10.10.2  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.1  255.255.255.0
  no ip route-cache express
  no shutdown
!

Switch 3:

!
interface vlan 1
  ip address  10.10.10.3  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.1  255.255.255.0
  no ip route-cache express
  no shutdown
!

Richard Burts Thu, 07/12/2012 - 08:29

Dan

Trying to put both VLANs on 192.168.0.1 would create a big mess and would not really work if you need to maintain separation between the VLANs. I strongly suggest that you not try to do this.

If there are two separate VLANs then there need to be two separate subnets. And if PCs in the second VLAN/subnet need to access a server in the first VLAN/subnet then the answer should be some device that can route between the subnets. On the device that routes between the subnets you should be able to configure access controls so that the second VLAN/subnet can access only the server and no other devices in the first subnet.

HTH

Rick

pompeychimes Thu, 07/12/2012 - 09:12

It looks like the DFG for VLAN 1 is the Router and the DFG for VLAN 2 is the Switch. I would move the DFG for VLAN 1 to the switch also. This will take care of the routing.

You also have duplicate SVI's for VLAN 2 on each of the switches. SVI's for both VLAN's should be on one switch only unless you plan on using some version of first hop redundancy.

James

danoldenkamp Thu, 07/12/2012 - 15:53

DFG = Default Gateway?

SVI = Switched Virtual Interface

Are you suggesting I configure the switches like this:

SW1:

interface vlan 1
  ip address  192.168.0.251  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.251  255.255.255.0
  no ip route-cache express
  no shutdown

SW2:

interface vlan 1
  ip address  192.168.0.252  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.252  255.255.255.0
  no ip route-cache express
  no shutdown

SW3:

interface vlan 1
  ip address  192.168.0.253  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 2
  ip address  192.168.16.253  255.255.255.0
  no ip route-cache express
  no shutdown

I guess I am confused: is the interface vlan ip address the gateway or the switch login address?

What kind of device to route between the subnets?

Can I use the managed switches?

Do you suggest I ensure IP routing is enabled on the switches and create a static route to 192.168.0.45 somehow?

pompeychimes Thu, 07/12/2012 - 17:41

DFG = Default Gateway? Correct

SVI = Switched Virtual Interface Correct

You have two networks: VLAN 1 / 192.168.0.0/24 and VLAN 2 / 192.168.16.0/24.

To route between them you need a layer 3 device. You stated in your original post that you enabled routing on the switches, meaning they are layer 3 devices. You need one layer 3 interface (SVI) for each network. Configure these layer 3 interfaces on one switch. Other than for mgmt purposes you don't need layer 3 interfaces on the other 2 switches. They are essentially layer 2 switches.

I'm suggesting you configure your switches like this...

SW1:

interface vlan 1 (SVI for VLAN 1 and can be used for Mgmt also)
  ip address  192.168.0.251  255.255.255.0 (This will be the DFG for devices on VLAN 1)
  ip route-cache express
  no shutdown
!
interface vlan 2 (SVI for VLAN 2 and can be used for Mgmt also)
  ip address  192.168.16.251  255.255.255.0 (This will be the DFG for devices on VLAN 2)
  no ip route-cache express
  no shutdown

SW2:

interface vlan 1 (Mgmt only)
  ip address  192.168.0.252  255.255.255.0
  ip route-cache express
  no shutdown
!

SW3:

interface vlan 1 (Mgmt only)
  ip address  192.168.0.253  255.255.255.0
  ip route-cache express
  no shutdown
!

Make sure your interswitch links are trunks

Make sure you have routes on SW1 to route non local traffic to the Adtran Routers

James

danoldenkamp Fri, 07/13/2012 - 12:12

Great.

So I don't want to route between 192.168.0.1 and 192.168.16.1.  (the whole network)

I only want to route between 192.168.16.1 and 192.168.0.45. (just the one server)

Is there a way to configure a route on switch 1 from 192.168.16.1 subnet to 192.168.0.45 server on port 20?

The Default Gateway for both subnets and the .45 server are on Switch 1, so I shouldn't have to worry about traffic on the other two switches.

pompeychimes Sun, 07/15/2012 - 17:22

A specific route isn't necessary. If ip routing is enabled and both SVI's are on switch one then intervlan routing will work. At this point you'd want to use a security mechanism (VACL's, PVLAN's, FW, etc...) to control who can talk to who.

Were the DFG's always on switch one, or are they there because of my suggestion above? If the latter, where were the DFG's before? I believe I previously suggested one DFG was on a switch and the other on a Router.

Also, just to confirm what IP address is being used as the DFG on each VLAN?

James

pjmonline Sun, 07/15/2012 - 17:57

What if you created a new vlan for the server and let both of the other vlans talk to the server, and disallow vlan 1 and vlan 2 from talking to each other with an acl? In my opinion this is easier than an acl to open up traffic to the server in the current vlan setup.

Sent from Cisco Technical Support iPhone App

Richard Burts Sun, 07/15/2012 - 18:19

Paul

I think that this is an excellent suggestion. So +5 for you

I have been focused on trying to find solutions within the parameters/limitations given by Dan. But you have looked at possibilities outside of this and I believe that you have proposed a better solution. If both VLANs/subnets must remain isolated from each other and if there is a single resource that should be accessible from both then it is a better solution to put that resource in another VLAN.

HTH

Rick
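Both designs in the replies above (keep the server in VLAN 1 and filter VLAN 2 down to that one host, or move the server to its own VLAN and block the two user VLANs from each other) come down to an ordered access list with an implicit deny at the end, and the usual mistake is getting the order wrong so the permit for the server is never reached. The following Python model is an added example, not configuration posted in this thread or a vendor tool: it evaluates first-match ACLs the way a switch does and flags shadowed entries. The host addresses, the rule sets and the 192.168.32.0/24 server VLAN layout are constructed for illustration; 192.168.0.45 and 192.168.32.7 are the server addresses the thread uses.

```python
"""First-match ACL evaluation for the two inter-VLAN designs discussed in the
thread. Addresses follow the thread where it gives them; the rule sets, the
sample hosts and the 192.168.32.0/24 server-VLAN layout are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source prefix in CIDR form
    dst: str                     # destination prefix in CIDR form
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any destination port


def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    """An entry matches when every populated field matches the packet."""
    if ip_address(src) not in ip_network(rule.src):
        return False
    if ip_address(dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl: List[Rule], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of entries that can never match because an earlier, broader
    entry already covers every packet they would catch."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            src_ok = ip_network(earlier.src).supernet_of(ip_network(later.src))
            dst_ok = ip_network(earlier.dst).supernet_of(ip_network(later.dst))
            proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if src_ok and dst_ok and proto_ok and port_ok:
                shadowed.append(j)
                break
    return shadowed


# Design A (Rick/James): server stays at 192.168.0.45 in VLAN 1; this list is
# applied inbound on the VLAN 2 SVI so VLAN 2 reaches only that host in VLAN 1.
VLAN2_IN_A = [
    Rule("permit", "192.168.16.0/24", "192.168.0.45/32"),
    Rule("deny",   "192.168.16.0/24", "192.168.0.0/24"),
    Rule("permit", "192.168.16.0/24", "0.0.0.0/0"),   # Internet via the VLAN 2 gateway
]

# Design B (pjmonline): server moved to its own VLAN 3 (192.168.32.7, constructed
# /24); each user VLAN may reach the server but not the other user VLAN.
VLAN1_IN_B = [
    Rule("permit", "192.168.0.0/24", "192.168.32.7/32"),
    Rule("deny",   "192.168.0.0/24", "192.168.16.0/24"),
    Rule("deny",   "192.168.0.0/24", "192.168.32.0/24"),
    Rule("permit", "192.168.0.0/24", "0.0.0.0/0"),
]
VLAN2_IN_B = [
    Rule("permit", "192.168.16.0/24", "192.168.32.7/32"),
    Rule("deny",   "192.168.16.0/24", "192.168.0.0/24"),
    Rule("deny",   "192.168.16.0/24", "192.168.32.0/24"),
    Rule("permit", "192.168.16.0/24", "0.0.0.0/0"),
]

# The ordering mistake: the broad deny sits above the server permit, so the
# permit can never fire and VLAN 2 loses the server as well.
MISORDERED = [
    Rule("deny",   "192.168.16.0/24", "192.168.0.0/24"),
    Rule("permit", "192.168.16.0/24", "192.168.0.45/32"),
]

if __name__ == "__main__":
    for dst in ("192.168.0.45", "192.168.0.51", "198.51.100.10"):  # constructed hosts
        print("VLAN 2 host -> %-14s %s" % (dst, evaluate(VLAN2_IN_A, "192.168.16.20", dst)))
    print("shadowed entries in MISORDERED:", shadowed_rules(MISORDERED))
```

These lists are stateless, so they only govern the direction in which connections are initiated; replies from the server return through the server's own SVI, which carries no list in either design. If a list is ever placed on that interface too, it must admit the return traffic (IOS extended ACLs have the `established` keyword for TCP) or the permitted sessions will silently fail.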

danoldenkamp Mon, 07/23/2012 - 16:42

Thanks for the suggestions.

I was away last week on an emergency.

I tried your suggestion today. I put the server on its own VLAN and its own subnet, but I can't ping it.

I think there is a problem with the route table.

VLAN configuration on Switch 1:

Switch 1 connects to Switch 2, which connects to Switch 3.

VLAN Configuration on Switch3:

The ACD server which both subnets talk to I set to IP: 192.168.32.7, Gateway: 192.168.32.253

IP Routing is enabled, trunking ports are set, but I can't ping 192.168.32.7 from 192.168.0.51

Route table is the same on switches 1 and 3

But switch 2 doesn't have those directly connected routes:

Do I have to set the gateway address to the default (0.0.0.0), the trunk port somehow, or the VLAN interface (192.168.32.253)?

Nothing seems to work.

Any advice?

Greatly appreciated guys.

pjmonline Mon, 07/23/2012 - 18:20

What is the default gateway for vlan1?

If it is the router then you need a route back to the switch doing the routing for the new vlan. Can you ping server from other vlan .16?

Sent from Cisco Technical Support iPhone App
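pjmonline's point is the one to check first: a VLAN 1 PC hands every off-subnet packet to its default gateway, and if that gateway is the Adtran router rather than the switch that owns the new VLAN, the router follows its own default route out the T1 and the ping never comes back, even though the server's reply path through the switch is fine. The Python model below is an added example, not anything posted in this thread or vendor software; it does longest-prefix lookups hop by hop to show the black hole and the fix. It assumes the SVIs 192.168.0.251 (James's proposed addressing) and 192.168.32.253 (the gateway Dan configured) sit on one layer 3 switch, and the ISP next hop 203.0.113.1 is a made-up documentation address.

```python
"""Hop-by-hop route lookup for the 'can't ping the new server VLAN' problem.
Longest-prefix match per device. Host and SVI addresses follow the thread
where it gives them; the rest of the topology is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional, Tuple


@dataclass
class L3Device:
    name: str
    interfaces: List[str]                                         # connected nets, "addr/len"
    static: List[Tuple[str, str]] = field(default_factory=list)   # (prefix, next hop)

    def owns(self, addr: str) -> bool:
        return any(ip_interface(i).ip == ip_address(addr) for i in self.interfaces)

    def lookup(self, dst: str) -> Optional[Tuple[int, Optional[str]]]:
        """(prefixlen, next_hop) of the longest matching route; next_hop None
        means the destination is on a directly connected network."""
        d = ip_address(dst)
        candidates = [(ip_interface(i).network, None) for i in self.interfaces]
        candidates += [(ip_network(p), nh) for p, nh in self.static]
        best = None
        for net, nh in candidates:
            if d in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best


def trace(host: str, gateway: str, dst: str, devices: List[L3Device],
          max_hops: int = 8) -> List[str]:
    """Follow a packet from host ("addr/len") toward dst, one routing decision
    per hop, and report where it ends up."""
    h = ip_interface(host)
    hops = [f"host {h.ip}"]
    if ip_address(dst) in h.network:
        return hops + ["delivered on local subnet"]
    next_ip = gateway
    for _ in range(max_hops):
        dev = next((d for d in devices if d.owns(next_ip)), None)
        if dev is None:                      # next hop is outside the modelled site
            return hops + [f"leaves site via {next_ip}"]
        hops.append(dev.name)
        route = dev.lookup(dst)
        if route is None:
            return hops + ["dropped: no route"]
        _, next_hop = route
        if next_hop is None:
            return hops + ["delivered"]
        next_ip = next_hop
    return hops + ["routing loop"]


# VLAN 1 gateway 192.168.0.1 is the Adtran router (thread); its only non-connected
# route is the default toward the T1. 203.0.113.1 is a constructed ISP address.
ADTRAN = L3Device("Adtran router", ["192.168.0.1/24"], [("0.0.0.0/0", "203.0.113.1")])

# Assumed single layer 3 switch holding all three SVIs; its default points at the router.
SWITCH = L3Device("L3 switch",
                  ["192.168.0.251/24", "192.168.16.251/24", "192.168.32.253/24"],
                  [("0.0.0.0/0", "192.168.0.1")])


def before_fix() -> List[str]:
    """192.168.0.51 (thread) pings the server at 192.168.32.7 (thread)."""
    return trace("192.168.0.51/24", "192.168.0.1", "192.168.32.7", [ADTRAN, SWITCH])


def after_fix() -> List[str]:
    """Same ping once the router has a static route for the server VLAN via the switch SVI."""
    fixed = L3Device(ADTRAN.name, ADTRAN.interfaces,
                     ADTRAN.static + [("192.168.32.0/24", "192.168.0.251")])
    return trace("192.168.0.51/24", "192.168.0.1", "192.168.32.7", [fixed, SWITCH])


def reply_path() -> List[str]:
    """The server's reply already works: its gateway is the switch, which is connected to VLAN 1."""
    return trace("192.168.32.7/24", "192.168.32.253", "192.168.0.51", [ADTRAN, SWITCH])


if __name__ == "__main__":
    print("before fix:", " -> ".join(before_fix()))
    print("after fix: ", " -> ".join(after_fix()))
    print("reply:     ", " -> ".join(reply_path()))
```

The one-sided failure is what makes this hard to spot from the PC alone: the reply path is healthy, so a capture on the server would show nothing arriving, while a capture on the router's WAN side would show the echo requests leaving the building. Moving the VLAN 1 default gateway onto the switch, as James suggested earlier, removes the extra hop entirely; a static route on the router is the smaller change if the gateway has to stay where it is.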

Richard Burts Mon, 07/23/2012 - 18:54

Dan

From what you have posted it looks to me as if the new vlan does not exist on switch 2. Can you either configure that vlan and its connectivity to both other switches or post the output that shows that it does already exist on the switch?

HTH

Rick

danoldenkamp Tue, 07/24/2012 - 08:10

All 3 VLANs exist on all three routers.

Here is switch 2:

If you look at the above topological map view way up above, there are two exit paths for the network.

VLAN 1 default goes out the Total Access Adtran router. Its interface gateway is 192.168.0.1.

VLAN 2 customerservice goes out to a firewall box running Untangle OS to do packet filtering. Its interface gateway is configured to 192.168.16.1.

This firewall has two NICs, the second going to the Adtran NetVanta 3200 router for isolation.

I pointed the shared server that resides on VLAN 3 at the IP address for Switch 3, the switch to which it is connected. I set its gateway to 192.168.32.253.

I have not configured any ACLs yet nor created any static routes on either router.

danoldenkamp Tue, 07/24/2012 - 08:25

Here is the full quasi-confusing topological network map with some info removed for Internet anonymity.

danoldenkamp Tue, 07/24/2012 - 11:16

Here is one of the routers' route table.

I would think I just need to add a route to the 192.168.32.1 subnet out the 0.0.0.0 default gateway.

But it won't let me in the web gui nor by command line.

FYI: There is no 192.168.5.0 in my network, but the int won't let me delete it.

This Discussion

Posted July 11, 2012 at 1:12 PM
Replies: 20, Avg. Rating: 5, Views: 2013, Votes: 0, Shares: 0
Tags: switches, vlans