cannot add a static route between two or more Vlans


Here is what i need.

Servers at Vlan 6 must see servers at Vlan 2, 10, 11, 12, and vice versa.

How to write the correct commands.

Here is my outputs:

     VLAN Name                             Status    Ports
     ---- -------------------------------- --------- -------------------------------
     1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
     2    ****OFFICE_SERVERS****           active    Fa1/0/13, Fa1/0/14, Fa1/0/15, Fa1/0/16, Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20, Fa1/0/25
                                                     Fa1/0/26, Fa1/0/29, Fa1/0/30, Fa1/0/33, Fa1/0/34
     4    ****END_USER****                 active    Fa1/0/39
     6    ****ILO****                      active    Fa1/0/1, Fa1/0/2, Fa1/0/3, Fa1/0/4, Fa1/0/5, Fa1/0/6, Fa1/0/7, Fa1/0/8, Fa1/0/9, Fa1/0/10
     10   ****WEB****                      active    Fa1/0/27, Fa1/0/28, Fa1/0/31, Fa1/0/32, Fa1/0/43
     11   ****APP_SERVERS****              active    Fa1/0/11, Fa1/0/12, Fa1/0/21, Fa1/0/22, Fa1/0/35, Fa1/0/36
     12   ****DB_SERVERS****               active    Fa1/0/23, Fa1/0/24, Fa1/0/37
     99   ****VISITORS****                 active

     Gateway of last resort is 192.168.0.253 to network 0.0.0.0

     C    192.168.10.0/24 is directly connected, Vlan100
          172.16.0.0/24 is subnetted, 6 subnets
     C       172.16.29.0 is directly connected, Vlan99
     C       172.16.30.0 is directly connected, Vlan6
     C       172.16.9.0 is directly connected, Vlan3
     C       172.16.10.0 is directly connected, Vlan4
     C       172.16.0.0 is directly connected, Vlan1
     C       172.16.1.0 is directly connected, Vlan2
     C    192.168.0.0/24 is directly connected, Vlan5
     S*   0.0.0.0/0 [1/0] via 192.168.0.253

VIP Super Bronze

cannot add a static route between two or more Vlans

If the vlans are located in the same switch, you don't need any static route.  I see vlan 6 and 2 in your routing table.

Where are vlans 10, 11 and 12 located?

HTH

New Member

Re: cannot add a static route between two or more Vlans

That is the point. can't find them, i'm new in that company.
i can look for them on second core switch. Or on access switches.

so, how will be the syntax of the command?

ip route [ip of 12, 11 or 10th vlan] [mask] [? which next hop? ] - don't know what to write instead of next hop... is it gonna be the address of that switch that holds these vlans? which address exactly, it has lots of them...

VIP Super Bronze

cannot add a static route between two or more Vlans

You already have a default route on this switch

S*   0.0.0.0/0 [1/0] via 192.168.0.253

You need to look at the other switches and do a "sh vlan" and see if they are up and running

also sh ip int bri vlan 12

sh ip int bri vlan 11, etc will show you that

HTH

New Member

Re: cannot add a static route between two or more Vlans

Thank you, that's helpful.

can you tell me what to do after i found them? how will be the correct command for static route?

VIP Super Bronze

cannot add a static route between two or more Vlans

check to see if you have a default route or a default-gateway on that device. If the vlans are up and up, then that is all you need. Try pinging the vlans IP address and see if they are all reachable.

HTH

New Member

cannot add a static route between two or more Vlans

at the moment i cannot ping vlan 6 from vlan 10, 11, 12...

that's why i've started thinking about static routes that i might miss...

VIP Super Bronze

cannot add a static route between two or more Vlans

vlan 6 is up. That is why you see it in the above routing table (your first post) does the other switch have default route or default gateway? Are all the other vlans in this switch ie 3,4,1,5 are reachable? what is the output of "sh ip route" from the other switch?

New Member

cannot add a static route between two or more Vlans

The other switch have default gateway for sure! I thought they are all on this switch, but now i see that they are not.

so have to look for them on other switches tomorrow at work. In this switch all vlans are reachable, for sure!

i'll paste the output tomorrow.

New Member

cannot add a static route between two or more Vlans

Reza, i've checked the other switches and didn't find any static routes on them... seems like everything is configured on this core switch...

i know the interface names that belong to that vlans, may be we can do it by writing interface names instead of next hop?

VIP Green

cannot add a static route between two or more Vlans

are the other switches Layer 2 or Layer 3 switches? Are they all connected to the core switch or is there a hierarchy design?  Is each switch assigned only one vlan or do they each hold many vlans?

--

Please remember to rate and select a correct answer
New Member

Re: cannot add a static route between two or more Vlans

Here is the topology... it's my 3rd work day, i don't know the structure well...

But as i can ping Vlan 10 and Vlan for ILO from the core switches, i understand (and see) that they are connected to core switches physically...

I've noticed that other vlans that i need (marked with red), are connected to something else... looks like ASA, but not sure...

New Member

Re: cannot add a static route between two or more Vlans

success i guess...

i've got this from ASA:

     interface GigabitEthernet0/2
      description ****WEB****
      nameif web_dmz
      security-level 60
      ip address 192.168.1.1 255.255.255.0
     !
     interface GigabitEthernet0/3
      no nameif
      no security-level
      no ip address
     !
     interface GigabitEthernet0/3.11
      description ****APP_SERVERS****
      vlan 11
      nameif app_dmz
      security-level 61
      ip address 192.168.2.1 255.255.255.0
     !
     interface GigabitEthernet0/3.12
      description ****DB_SERVERS****
      vlan 12
      nameif db_dmz
      security-level 62
      ip address 192.168.3.1 255.255.255.0
     !
     interface Management0/0
      description LAN/STATE Failover Interface

seems like i found them... but don't know what to do next?

VIP Green

cannot add a static route between two or more Vlans

well what device is associated with the IP address 192.168.0.253?  is this IP address pingable? I am assuming that this is the ASA? If it is, does it have routes for the networks attached to it to vlan 6?

--

Please remember to rate and select a correct answer
New Member

Re: cannot add a static route between two or more Vlans

Correct, this is ASA. yes, i can ping it.

Seems like no, because i can't see them.

show vlan command gives me something like this: 11-12

command show ip route doesn't work.

this command worked

     phfwasa01# show ip address
     System IP Addresses:
     Interface                Name                   IP address      Subnet mask     Method
     GigabitEthernet0/0       outside                **.**.**.**     255.255.255.240 CONFIG
     GigabitEthernet0/1       inside                 192.168.0.253   255.255.255.0   CONFIG
     GigabitEthernet0/2       web_dmz                192.168.1.1     255.255.255.0   CONFIG
     GigabitEthernet0/3.11    app_dmz                192.168.2.1     255.255.255.0   CONFIG
     GigabitEthernet0/3.12    db_dmz                 192.168.3.1     255.255.255.0   CONFIG
     Management0/0            failover               10.1.1.1        255.255.255.252 unset
     Current IP Addresses:
     Interface                Name                   IP address      Subnet mask     Method
     GigabitEthernet0/0       outside                **.**.**.**     255.255.255.240 CONFIG
     GigabitEthernet0/1       inside                 192.168.0.253   255.255.255.0   CONFIG
     GigabitEthernet0/2       web_dmz                192.168.1.1     255.255.255.0   CONFIG
     GigabitEthernet0/3.11    app_dmz                192.168.2.1     255.255.255.0   CONFIG
     GigabitEthernet0/3.12    db_dmz                 192.168.3.1     255.255.255.0   CONFIG
     Management0/0            failover               10.1.1.2        255.255.255.252 unset

but somehow i can ping computers in vlan 6

     phfwasa01# ping 172.16.30.101
     Type escape sequence to abort.
     Sending 5, 100-byte ICMP Echos to 172.16.30.101, timeout is 2 seconds:
     !!!!!
     Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

     phfwasa01# ping 172.16.30.102
     Type escape sequence to abort.
     Sending 5, 100-byte ICMP Echos to 172.16.30.102, timeout is 2 seconds:
     !!!!!
     Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

I guess i have to add routes in ASA...

New Member

Re: cannot add a static route between two or more Vlans

Guys, it feels like i found the clue...

Vlans 10, 11 and 12 are on my ASA, its address from my side is 192.169.0.253....

So if i want these vlans to be seen from vlan 6 and 2 (that are on core switch) i have to write this command on the Core switch: ip route 192.168.1(or 2-3).0 255.255.255.0 192.168.0.253 (address of next hop)

Plz confirm if i'm right...

New Member

Re: cannot add a static route between two or more Vlans

seems like i was wrong:(

New Member

cannot add a static route between two or more Vlans

Hi Sanchos

This seems to be a routing problem.

Your ASA and the core switch need to have routes exchanged.

The vlans that have ip on the ASA are coming via the core switch but all through layer 2.

The core switch has a default route so anyway it should send any request coming from say Vlan 2 subnet to ASA .253 address.

But the ASA does not know where is 172.16.1.0/24 subnet. So this is the problem.

You need to add static routes pointing back to the core switch - just do sh ip int brief on the core switch and pick the ip address which is coming from the firewall.

hope that helps.

Regards,

Mohit

New Member

Re: cannot add a static route between two or more Vlans

Great!

That's right, i've noticed the default gateway to ASA.253 address...

the problem is in the way back...

     PHSWCO01#sh ip int brief
     Interface              IP-Address      OK? Method Status                Protocol
     Vlan1                  172.16.0.1      YES NVRAM  up                    up
     Vlan2                  172.16.1.2      YES NVRAM  up                    up
     Vlan3                  172.16.9.2      YES NVRAM  up                    up
     Vlan4                  172.16.10.2     YES NVRAM  up                    up
     Vlan5                  192.168.0.2     YES NVRAM  up                    up
     Vlan6                  172.16.30.2     YES NVRAM  up                    up
     Vlan99                 172.16.29.2     YES NVRAM  up                    up
     Vlan100                192.168.10.251  YES NVRAM  up                    up

this is from core switch, but it's not so helpful to pick the interface coming from ASA...

New Member

cannot add a static route between two or more Vlans

ASA are quite complex compared to switches in regards to commands.

Depending what version of ASA you are running, the following is the command to be used to add a static route on version 8.2.x:

     route if_name dest_ip mask gateway_ip [distance]

     Example:

     hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1

also to check the routing table,

do sh route (this is based on version 8.2)

you should be able to see the default route in the o/p.

Cheers.

New Member

Re: cannot add a static route between two or more Vlans

many thanks, you helped a lot!

so i have to add such a static route in ASA, as i understand, right? and the interface is gonna be "inside" i guess...

New Member

cannot add a static route between two or more Vlans

I think yes, just make sure before that the "inside" is on the subnet which connects to the switch.

sh route shall tell you clearly like

     C x.x.x.x x.x.x.x is directly connected, INSIDE

do advise if that fixes your issue. cheers!

New Member

Re: cannot add a static route between two or more Vlans

     phfwasa01# sh route

     Gateway of last resort is gw_int to network 0.0.0.0

     S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.29.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.9.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside     -here it is!!!
     S    172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     C    10.1.1.0 255.255.255.252 is directly connected, failover
     C                255.255.255.240 is directly connected, outside
     C    192.168.0.0 255.255.255.0 is directly connected, inside
     C    192.168.1.0 255.255.255.0 is directly connected, web_dmz
     C    192.168.2.0 255.255.255.0 is directly connected, app_dmz
     C    192.168.3.0 255.255.255.0 is directly connected, db_dmz
     S*   0.0.0.0 0.0.0.0 [1/0] via gw_int, outside

and my command on ASA will be:

     hostname(config)# route inside 172.16.30.0 255.255.255.0 172.16.0.1

- 172.16.30.0 is the network i want to reach

- 172.16.0.1 is the address of the core switch

seems like it will work, let me check...

New Member

Re: cannot add a static route between two or more Vlans

Strange output:(((

     phfwasa01(config)# route inside 172.16.30.0 255.255.255.0 172.16.0.1
     phfwasa01(config)# sh route

     Gateway of last resort is gw_int to network 0.0.0.0

     S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.29.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
                                    [1/0] via 172.16.0.1, inside
     S    172.16.9.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.10.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     S    172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
     C    10.1.1.0 255.255.255.252 is directly connected, failover

why do i have such an empty space there? is it normal

New Member

Re: cannot add a static route between two or more Vlans

i've deleted the route i added... there is a different one ... so it's not the correct way...:(

New Member

cannot add a static route between two or more Vlans

looks like you already have a route entry there pointing to 192.168.0.1

it's good you removed that new entry that you had added as that was miles away from what i was pointing. you had picked up a static route (you see S in front of that line. it should have been C - as you see this below

     C    192.168.0.0 255.255.255.0 is directly connected, inside)

anyway, i think looking at the diagram you pasted above you have two core switches and perhaps you are running HSRP/VRRP thing? cos the vlan 5 ip address on the switch output (sh ip int bri) says 192.168.0.2

can you ping 192.168.0.2 from the Firewall. it should be working cos you have many routes pointing to that interface.

check where is 192.168.1.1 as that is the place where the traffic is pointing to. if you are running hsrp or vrrp then we need to may be check its working....i wud say if u can send me the sho run from both cores i may be able to look thru quickly.

for security reasons, u can remove any passwords from it if you like.

cheers,

Mohit
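
The check the replies above describe, as an added Python example that is not part of the original thread: a static route on the ASA is only usable when its gateway sits on the subnet directly connected to the interface named in the route, and every subnet behind the core switch needs such a return route. The `sh route` sample is constructed and trimmed from the output posted here; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, trimmed from the ASA "sh route" output posted in the thread.
ASA_SH_ROUTE = """\
S    172.16.30.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.0.0 255.255.255.0 [1/0] via 192.168.0.1, inside
S    172.16.1.0 255.255.255.0 [1/0] via 192.168.0.1, inside
C    192.168.0.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, web_dmz
C    192.168.2.0 255.255.255.0 is directly connected, app_dmz
C    192.168.3.0 255.255.255.0 is directly connected, db_dmz
S*   0.0.0.0 0.0.0.0 [1/0] via gw_int, outside
"""

STATIC = re.compile(r"^S\*?\s+(\S+)\s+(\S+)\s+\[\d+/\d+\] via (\S+), (\S+)$")
CONNECTED = re.compile(r"^C\s+(\S+)\s+(\S+) is directly connected, (\S+)$")

def parse_routes(text):
    """Return ({ifname: connected network}, [(dest network, gateway, ifname)])."""
    connected, static = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := CONNECTED.match(line):
            connected[m[3]] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := STATIC.match(line):
            try:
                gw = ipaddress.ip_address(m[3])
            except ValueError:
                continue  # gateway shown as a name (gw_int); cannot be checked
            static.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), gw, m[4]))
    return connected, static

def next_hop_ok(gateway, ifname, connected):
    """True if the gateway lies on the subnet directly connected to ifname."""
    net = connected.get(ifname)
    return net is not None and ipaddress.ip_address(gateway) in net

def uncovered(subnets, connected, static):
    """Subnets behind the core switch for which the ASA has no return path."""
    usable = list(connected.values()) + [
        dest for dest, gw, ifname in static if next_hop_ok(gw, ifname, connected)
    ]
    return [s for s in subnets
            if not any(ipaddress.ip_network(s).subnet_of(u) for u in usable)]

if __name__ == "__main__":
    connected, static = parse_routes(ASA_SH_ROUTE)
    print(next_hop_ok("192.168.0.1", "inside", connected))  # existing routes
    print(next_hop_ok("172.16.0.1", "inside", connected))   # route tried in the thread
    print(uncovered(["172.16.30.0/24", "172.16.9.0/24"], connected, static))
```

172.16.9.0/24 is reported only because the constructed sample omits that route; the full table posted in the thread includes it.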

New Member

Re: cannot add a static route between two or more Vlans

Mohit, i've solved the problem.

The routing between vlans was on my ASA. And ACLs were there too... the problem was in the ACLs, they were extended and for specific protocols. i've changed it to standard specifying IPs and everything started to work...

Thank you very much for your help. I really appreciate it!
