Solved: cannot add a static route between two or more Vlans

sibrahimoff · ‎10-31-2011

Here is what i need.

Servers at Vlan 6 must see servers at Vlan 2, 10, 11, 12. and and vica versa

How to write the correct commands.

Here is my outputs:

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4

2 ****OFFICE_SERVERS**** active Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16, Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20, Fa1/0/25

Fa1/0/26, Fa1/0/29, Fa1/0/30, Fa1/0/33, Fa1/0/34

4 ****END_USER**** active Fa1/0/39

6 ****ILO**** active Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/9, Fa1/0/10

10 ****WEB**** active Fa1/0/27, Fa1/0/28, Fa1/0/31, Fa1/0/32, Fa1/0/43

11 ****APP_SERVERS**** active Fa1/0/11, Fa1/0/12, Fa1/0/21, Fa1/0/22, Fa1/0/35, Fa1/0/36

12 ****DB_SERVERS**** active Fa1/0/23, Fa1/0/24, Fa1/0/37

99 ****VISITORS**** active

Gateway of last resort is 192.168.0.253 to network 0.0.0.0

C 192.168.10.0/24 is directly connected, Vlan100

172.16.0.0/24 is subnetted, 6 subnets

C 172.16.29.0 is directly connected, Vlan99

C 172.16.30.0 is directly connected, Vlan6

C 172.16.9.0 is directly connected, Vlan3

C 172.16.10.0 is directly connected, Vlan4

C 172.16.0.0 is directly connected, Vlan1

C 172.16.1.0 is directly connected, Vlan2

C 192.168.0.0/24 is directly connected, Vlan5

S* 0.0.0.0/0 [1/0] via 192.168.0.253

Mohit Chauhan · ‎11-01-2011

Hi Sanchos

this seems to be a routing problem.

Your ASA and the core switch needs to have routes exchanged.

the vlans that have ip on the ASA are coming via the core switch but all through layer 2.

the core switch has a default route so anyway it should send any request coming from say Vlan 2 subnet to ASA .253 address.

But the ASA does not know where is 172.16.1.0/24 subnet. So this is the problem.

you need to add static routes pointing back to the core switch- just do sh ip it brief on the core switch and pick the ip address which is coming from the firewall.

hope that helps.

Regards,

Mohit

View solution in original post

Reza Sharifi · ‎10-31-2011

If the vlans are located in the same switch, you don't need any static route. I see vlan 6 and 2 in your routing table.

Where are vlans 10, 11 and 12 located?

HTH

sibrahimoff · ‎10-31-2011

That is the point. can't find them, i'm new in that company.
i can look for them on second core switch. Or on access switches.

so, how will be the syntax of the command?

ip route [ip of 12, 11 or 10th vlan] [mask] [? which next hop? ] - don't know what to write instead of next hop... is it gonna be the address of that switch that holds these vlans? which address exactly, it has lots of them...

Reza Sharifi · ‎10-31-2011

You already have a default route on this switch

S* 0.0.0.0/0 [1/0] via 192.168.0.253

You need to look at the other switches and do a "sh vlan" and see if they are up and running

also sh ip int bri vlan 12

sh ip int bri vlan 11, etc will show you that

HTH

sibrahimoff · ‎10-31-2011

Thank you, thats helpful.

can you tell me what to do after i found them? how will be the correct command for static route?

Reza Sharifi · ‎10-31-2011

check to see if you have a default route or a default-gateway on that device. If the vlans are up and up, then that is all you need. Try pinging the vlans IP address and see if they are all reachable.

HTH

sibrahimoff · ‎10-31-2011

at the moment i cannot ping vlan 6 from vlan 10, 11, 12...

thats why i've started thinking about static routes that i might miss...

Reza Sharifi · ‎10-31-2011

vlan 6 is up. That is why you see it in the above routing table (your first post) does the other switch have default route or default gateway? Are all the other vlans in this switch ie 3,4,1,5 are reachable? what is the output of "sh ip route" from the other switch?

sibrahimoff · ‎10-31-2011

The other switch have default gateway for sure! I thought they are all on this switch, but now i see that they are not.

so have to look for them on other switches tomorrow at work. In this switch all vlans are reachable, for sure!

i'll paste the output tomorrow.

sibrahimoff · ‎10-31-2011

Reza, i've checked the other switches and did'n find any static routes on them... seems like everything is configured on this core swich...

i know the interface names that belong to that vlans, may be we can do it by writing interface names instead of next hop?

Marius Gunnerud · ‎11-01-2011

are the other switches Layer 2 or Layer 3 switches? Are they all connected to the core switch or is there a heirarchy design? Is each switch assigned only one vlan or do they each hold many vlans?

--
Please remember to select a correct answer and rate helpful posts

sibrahimoff · ‎11-01-2011

Here is the topology... it's my 3rd work day, i don't know the structure well...

But as i can ping Vlan 10 and Vlan for ILO from the core swithces, i understand (and see) that they are connected to core switches physically...

I've noticed that other vlans that i need (marked with red), are connected to something else... looks like ASA, but not sure...

sibrahimoff · ‎11-01-2011

success i guess...

i've got this from ASA:

interface GigabitEthernet0/2

description ****WEB****

nameif web_dmz

security-level 60

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.11

description ****APP_SERVERS****

vlan 11

nameif app_dmz

security-level 61

ip address 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/3.12

description ****DB_SERVERS****

vlan 12

nameif db_dmz

security-level 62

ip address 192.168.3.1 255.255.255.0

!

interface Management0/0

description LAN/STATE Failover Interface

seems like i found them... but don't know what to do next?

Marius Gunnerud · ‎11-01-2011

well what device is associated with the IP address 192.168.0.253? is this IP address pingable? I am assuming that this is the ASA? If it is, does it have routes for the networks attached to it to vlan 6?

--
Please remember to select a correct answer and rate helpful posts

sibrahimoff · ‎11-01-2011

Correct, this is ASA. yes, i can ping it.

Seems like no, because i cant see them.

show vlan command gives me something like this: 11-12

command show ip route doesnt work.

this command worked

phfwasa01# show ip address

System IP Addresses:

Interface Name IP address Subnet mask Method

GigabitEthernet0/0 outside **.**.**.** 255.255.255.240 CONFIG

GigabitEthernet0/1 inside 192.168.0.253 255.255.255.0 CONFIG

GigabitEthernet0/2 web_dmz 192.168.1.1 255.255.255.0 CONFIG

GigabitEthernet0/3.11 app_dmz 192.168.2.1 255.255.255.0 CONFIG

GigabitEthernet0/3.12 db_dmz 192.168.3.1 255.255.255.0 CONFIG

Management0/0 failover 10.1.1.1 255.255.255.252 unset

Current IP Addresses:

Interface Name IP address Subnet mask Method

GigabitEthernet0/0 outside **.**.**.** 255.255.255.240 CONFIG

GigabitEthernet0/1 inside 192.168.0.253 255.255.255.0 CONFIG

GigabitEthernet0/2 web_dmz 192.168.1.1 255.255.255.0 CONFIG

GigabitEthernet0/3.11 app_dmz 192.168.2.1 255.255.255.0 CONFIG

GigabitEthernet0/3.12 db_dmz 192.168.3.1 255.255.255.0 CONFIG

Management0/0 failover 10.1.1.2 255.255.255.252 unset

but somehow i can ping computers in vlan 6

phfwasa01# ping 172.16.30.101

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.30.101, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

phfwasa01# ping 172.16.30.102

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.30.102, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

I guess i have to add routes in ASA...