Here is the scenario. I have a public and a private VLAN setup (public 192.168.2.x, private 192.168.1.x). On purpose, I don't want people to be able to hop directly between VLAN 2 and VLAN 1, which is fine, BUT the web server for the organization is located on VLAN1, which I want to be accessible from VLAN2. All that happens now is that the request goes from VLAN2 to the DNS server (external) and then the request comes back to the router, and the router pops up the login page only; it doesn't seem to use the NAT entry for the web server.
This seems like it should be something simple, but I can't seem to find an entry or ACL to create to allow this to happen.
That's an asymmetrical route, which Cisco is WELL known for specifically not allowing. Their philosophy is that you need to route between interfaces to keep things kosher, not route to your external side, then back in. What you're trying to do can be easily fixed by creating an internal DNS server and pointing your www.domainname.com to the internal IP address on VLAN1...
FYI: Most high-end routers/firewalls don't like asymmetrical routes... It's a HUGE pain, but it is best practice not to have them.
I understand what you mean, BUT my DNS server (I do have a local one) is on the 192.168.0.x network, which implies that you cannot cross from 192.168.2.x to 192.168.1.x. Should I just create an entry for traffic on port 80 to allow access between them? But then I don't think DNS will work either, as that uses a different access method?
Any further assistance of course is greatly appreciated.
If all of your traffic is on VLAN1, the above poster's ACL will allow ONLY 80/443 traffic from VLAN1 -> VLAN2.... From there, simply add an A record to your DNS server 192.168.0.102 for www.sitename.com -> webserver IP on VLAN2 and any user on VLAN1 will resolve www.sitename.com and direct traffic to VLAN2, not asymmetrically routing.
This is the easiest way to accomplish what you want to do without making major modifications to your infrastructure.
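As an added illustration (not posted by anyone in the thread) of the ACL-plus-internal-DNS approach the replies describe, here is the shape it takes in Cisco IOS syntax, following the original poster's layout (clients on 192.168.2.x, web server on 192.168.1.x). The web server address 192.168.1.10, the ACL names and the SVI names Vlan1/Vlan2 are assumptions; the DNS server 192.168.0.102 and the hostname come from the thread.

```cisco
! Added example, not from the thread. Assumptions: web server is 192.168.1.10
! on VLAN1, clients are on VLAN2 (192.168.2.0/24), SVIs are named Vlan1/Vlan2.
!
! Clients on VLAN2 may reach only the web server, and only on 80/443.
ip access-list extended VLAN2-TO-VLAN1
 remark allow web access to the intranet server only
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.10 eq 80
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.10 eq 443
 remark block everything else aimed at the private VLAN
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark traffic not aimed at VLAN1 (Internet, DNS on 192.168.0.102) still passes
 permit ip any any
!
! Return path: if VLAN1 also filters inbound, let the server's replies back out
! so the TCP handshake completes without routing via the outside interface.
ip access-list extended VLAN1-TO-VLAN2
 permit tcp host 192.168.1.10 eq 80  192.168.2.0 0.0.0.255 established
 permit tcp host 192.168.1.10 eq 443 192.168.2.0 0.0.0.255 established
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any
!
interface Vlan2
 ip access-group VLAN2-TO-VLAN1 in
interface Vlan1
 ip access-group VLAN1-TO-VLAN2 in
!
! Split DNS: on the internal server 192.168.0.102 add an A record (BIND zone
! syntax shown) so clients resolve the inside address and never hit the NAT:
!   www.sitename.com.   IN   A   192.168.1.10
```

Each ACL entry keeps a hit counter, so `show access-lists` on the router shows whether the permitted web flows and the final deny are matching as intended.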