
vlan config issues

Unanswered Question
Aug 16th, 2006

I have a 6509 with a vlan 105 configured. I have also added a vlan 100. Vlan 100 and 105 work for internal routing. A vlan 105 workstation can get to the internet. However, any vlan 100 workstation cannot access the internet. A tracert from a workstation on vlan 100 stops at the 6509. Attached is the 6509 config; I have included the IPs just because they have already changed.


Any ideas? Does the port connecting to my firewall have to allow all vlan traffic? If so, how do I do this?


Thanks,



vijayasankar Wed, 08/16/2006 - 03:11

Hi,

Please provide more information on the setup (other devices, connectivity diagram) to give us a clear idea, so that we can help you.


From the config provided, I could see the following default route:

ip route 0.0.0.0 0.0.0.0 10.175.105.3

What is 10.175.105.3? Is this your firewall / WAN router?


Also, what is the need for this static route?

ip route 10.175.100.0 255.255.255.0 10.175.105.3


10.175.100.0/24 is the subnet for vlan 100, which is a directly connected network on this switch. Hence you don't need that route. Remove that route.


Finally whatever device is 10.175.105.3, please add a route in that device for vlan 100 so that traffic can reach vlan 100.

The route that you should add in 10.175.105.3 is

ip route 10.175.100.0 255.255.255.0 10.175.105.1


Hope this helps.


-VJ
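
The missing return route described in the reply above can be checked mechanically; the following is an added example, not part of the original thread. It does a longest-prefix lookup against the firewall's route table for each inside subnet. The function names, the /24 mask on VLAN 105, and the firewall's upstream next hop 192.0.2.1 are assumptions made for illustration.

```python
import ipaddress

def lookup(routes, dest):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def missing_return_routes(inside, fw_connected, fw_routes, switch_ip):
    """Inside subnets whose replies the firewall would not hand back to the switch."""
    missing = []
    for subnet in inside:
        net = ipaddress.ip_network(subnet)
        if any(net.subnet_of(ipaddress.ip_network(c)) for c in fw_connected):
            continue  # firewall has an interface in this subnet, no route needed
        probe = str(net.network_address + 1)  # one host stands in for the subnet
        if lookup(fw_routes, probe) != switch_ip:
            missing.append(subnet)
    return missing

# Constructed sample data modelled on the thread.
INSIDE = ["10.175.100.0/24", "10.175.105.0/24"]   # VLAN 100 and VLAN 105
FW_CONNECTED = ["10.175.105.0/24"]                # assumed mask for VLAN 105
SWITCH_IP = "10.175.105.1"                        # 6509 address from the reply
FW_BEFORE = [("0.0.0.0/0", "192.0.2.1")]          # constructed upstream next hop
FW_AFTER = FW_BEFORE + [("10.175.100.0/24", "10.175.105.1")]

if __name__ == "__main__":
    print("before:", missing_return_routes(INSIDE, FW_CONNECTED, FW_BEFORE, SWITCH_IP))
    print("after: ", missing_return_routes(INSIDE, FW_CONNECTED, FW_AFTER, SWITCH_IP))
```

With only a default route, replies to VLAN 100 hosts follow the default toward the upstream instead of returning to the 6509, which matches the symptom of VLAN 105 working while VLAN 100 does not.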


adam.strobel Wed, 08/16/2006 - 04:09

Attached is a Visio of my diagram. But yes, 10.175.105.3 is my Check Point FW.


I thought I needed the ip route 10.175.100.0 255.255.255.0 10.175.105.3 to route the traffic to the FW, now I see that it is not needed.


On 10.175.105.3 I'm NATing all 10.0.0.0 to the outside world.


Hope this helps.



gpulos Wed, 08/16/2006 - 03:21

As well, you may need to verify that your firewall (or whatever ISP border gateway) is performing NAT for the VLAN 100 subnet as it currently does for the VLAN 105 subnet.


This, plus making sure the firewall knows a route back to VLAN 100, should be good.

adam.strobel Wed, 08/16/2006 - 04:43

Hey everyone. I was able to get vlan 100 to access the internet. I had to turn on RIP on the internal interface on the FW (10.175.105.3).


I was so concerned that I had configured the vlans wrong or that I was missing configurations on the interfaces that I overlooked this part.


Thanks everyone for your help and suggestions.
