VLAN routing on hybrid 6509 also need Inet access

Postal4x4
Level 1

Dear Obi-wan,

I am attempting to configure 3 vlans and have the hosts on each vlan get an IP via dynamic dhcp with unique scopes that I have set up for each vlan (I am using ip helper-address 10.21.1.50). I also need to have internet access in each vlan.

My core switch is a 6509 running in hybrid mode. I have created the vlans on all switches in the network and have created the svi vlans in the MSFC module in the 6509.

*I have my 5 3560s each trunked to the fiber ports of the 6509 and they show correctly:

*I have a WIN2000 DHCP server on port 3/5 of the 6509 (10.21.1.50)

*DNS is running on the same box (10.21.1.50)

*My firewall/internet filter is 10.21.0.2

My issues are this:

1. I had vlan routing working and was able to ping the gateways of each vlan (except vlan1). A host on vlan20 was able to ping gateways of vlan30 and vlan40 and also hosts on those vlans. In my attempts to configure internet access I misconfigured something and now have screwed up my vlan routing. GRRRRRRRR!

2. No vlans except vlan1 existed on this network prior to this project, so all devices are still on vlan1 and function correctly at this point. I am trying to get vlan20, vlan30 and vlan40 to perform like vlan1. Once I am at that point I will work on ACLs.

3. My eyes hurt from looking at config after config after config... I think at this point I am numb... I am at my wits' end and have overlooked something but have no idea what.

I have attached some config from the 6509 here and also followed it up with a sh run from one of the 3560s.

Accepted Solution

What is the default-gateway set to on 10.21.1.50?

Can 10.21.1.50 ping the vlan 1 interface? Could you post from the 10.21.1.50 server

ipconfig

netstat -nr

Your firewall -

1) Does it have NAT set up on it so the 10.x.x.x source IP addresses are NATed to a public IP?

2) Does the firewall know how to get back to the subnets on your 6500? I.e. presumably your firewall has a default-gateway pointing to the upstream ISP router. It knows how to get to machines in vlan 1 because it is in that vlan. But it won't know about the vlan 20 & 30 subnets, so you need to make sure the firewall has routes for these pointing back to the vlan 1 interface on the 6500.

Jon


Jon Marshall
Hall of Fame

Okay young jedi

1) If all the inter-vlan routing is being done on the 6500 then on your 3560(s)

i) remove all the vlan interfaces except vlan 1

ii) turn off ip routing - "no ip routing"

On your 6500

1) You have a route '10.0.0.0 255.0.0.0 10.21.0.2'

What is this meant to be doing? If this is for internet access you may want to replace this with

ip route 0.0.0.0 0.0.0.0 10.21.0.2

That way any IP address the 6500 doesn't know about, it will forward the packet on to the firewall.

2) You need to allocate a PC into one of your new vlans, set its default-gateway to the SVI ip address for that vlan on the 6500 and try connecting to something on vlan 1 and the internet.

Let us know the results.

Jon
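To make the two routing points in this thread concrete (the 6500 needing a default route to the firewall, and the DHCP server and firewall needing routes back to the new vlan subnets via the 6500's vlan 1 SVI, 10.21.0.19, with NAT on the firewall), here is a small added Python model of the topology. It is not from the thread or from any Cisco software; it assumes /16 masks for the 10.21, 10.10 and 10.30 subnets (the thread never states them), a constructed firewall outside address 203.0.113.2 with ISP next hop 203.0.113.1, a constructed internet host 198.51.100.10, and a one-entry NAT table with no port tracking. Each scenario traces a request from a vlan 20 host and the reply back, hop by hop, so the asymmetric failures (request arrives, reply is dropped) are visible.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
INSIDE = ipaddress.ip_network("10.0.0.0/8")  # the private side, as in the thread


@dataclass
class Node:
    name: str
    interfaces: List[ipaddress.IPv4Interface]
    routes: Dict[ipaddress.IPv4Network, IPv4] = field(default_factory=dict)
    nat_outside: Optional[IPv4] = None  # firewall only: hide 10.x sources behind this IP
    nat_table: Dict[IPv4, IPv4] = field(default_factory=dict)

    def owns(self, ip: IPv4) -> bool:
        return any(i.ip == ip for i in self.interfaces)

    def next_hop(self, dst: IPv4) -> Optional[IPv4]:
        # Connected network wins, then longest prefix match, then None (no route).
        if any(dst in i.network for i in self.interfaces):
            return dst
        matches = [(n, nh) for n, nh in self.routes.items() if dst in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(nodes: Dict[str, Node], start: str, src: IPv4, dst: IPv4, max_hops: int = 8):
    """Forward one packet hop by hop. Returns (delivered, path, final src, final dst)."""
    node, path = nodes[start], [start]
    for _ in range(max_hops):
        # Firewall: un-NAT a reply addressed to the outside address.
        if node.nat_outside is not None and dst == node.nat_outside and dst in node.nat_table:
            dst = node.nat_table[dst]
        if node.owns(dst):
            return True, path, src, dst
        nh = node.next_hop(dst)
        if nh is None:
            return False, path + ["no route"], src, dst
        # Firewall: NAT an inside source when the packet leaves toward the outside.
        if node.nat_outside is not None and src in INSIDE and dst not in INSIDE:
            node.nat_table[node.nat_outside] = src
            src = node.nat_outside
        owner = next((n for n in nodes.values() if n.owns(nh)), None)
        if owner is None:
            return False, path + [f"next hop {nh} unreachable"], src, dst
        node = owner
        path.append(node.name)
    return False, path + ["hop limit"], src, dst


def round_trip(nodes: Dict[str, Node], start: str, src: IPv4, dst: IPv4):
    """Request from src to dst plus the reply; returns (works, request path, reply path)."""
    ok_fwd, path_fwd, s, d = trace(nodes, start, src, dst)
    if not ok_fwd:
        return False, path_fwd, []
    ok_rev, path_rev, _, _ = trace(nodes, path_fwd[-1], d, s)
    return ok_rev, path_fwd, path_rev


def build(default_route_on_6500=True, server_gateway="10.21.0.19", fw_nat=True, fw_return_routes=True):
    """Constructed topology from the thread; masks and outside addresses are assumptions."""
    ifc, ip, net = ipaddress.ip_interface, ipaddress.ip_address, ipaddress.ip_network
    core = Node("6500", [ifc("10.21.0.19/16"), ifc("10.10.0.1/16"), ifc("10.30.0.1/16")])
    if default_route_on_6500:
        core.routes[net("0.0.0.0/0")] = ip("10.21.0.2")
    else:
        core.routes[net("10.0.0.0/8")] = ip("10.21.0.2")  # the odd route Jon asked about
    dhcp = Node("dhcp 10.21.1.50", [ifc("10.21.1.50/16")], {net("0.0.0.0/0"): ip(server_gateway)})
    fw = Node("firewall", [ifc("10.21.0.2/16"), ifc("203.0.113.2/24")],
              {net("0.0.0.0/0"): ip("203.0.113.1")}, nat_outside=ip("203.0.113.2") if fw_nat else None)
    if fw_return_routes:
        fw.routes[net("10.10.0.0/16")] = ip("10.21.0.19")
        fw.routes[net("10.30.0.0/16")] = ip("10.21.0.19")
    internet = Node("internet", [ifc("203.0.113.1/24"), ifc("198.51.100.10/24")])
    host = Node("vlan20 host", [ifc("10.10.0.5/16")], {net("0.0.0.0/0"): ip("10.10.0.1")})
    return {n.name: n for n in (core, dhcp, fw, internet, host)}


def scenarios():
    """The thread's failure modes and the working configuration, from a vlan 20 host."""
    ip = ipaddress.ip_address
    h, dhcp, inet = ip("10.10.0.5"), ip("10.21.1.50"), ip("198.51.100.10")
    cases = {
        "dhcp, server gateway wrong (10.21.0.2)": (build(server_gateway="10.21.0.2", fw_return_routes=False), dhcp),
        "dhcp, server gateway 10.21.0.19": (build(), dhcp),
        "internet, 6500 has only the 10/8 route": (build(default_route_on_6500=False), inet),
        "internet, firewall without NAT": (build(fw_nat=False), inet),
        "internet, NAT but no return routes": (build(fw_return_routes=False), inet),
        "internet, NAT + return routes via 10.21.0.19": (build(), inet),
    }
    return {name: round_trip(nodes, "vlan20 host", h, dst) for name, (nodes, dst) in cases.items()}


if __name__ == "__main__":
    for name, (works, fwd, rev) in scenarios().items():
        print(f"{'OK  ' if works else 'FAIL'} {name}: request {fwd} reply {rev}")
```

Running it shows the shape of each failure rather than just a yes/no: with the server's wrong gateway the request reaches 10.21.1.50 but the reply goes to the firewall and out to the ISP with no route back, and with NAT but no return routes the reply gets un-NATed on the firewall and then follows the firewall's own default route back out again.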

Jon,

Thanks for the reply.

When you say:

i) remove all the vlan interfaces except vlan 1

Do you mean to make sure I do not have IPs assigned to the vlans on the 3560(s)?

I have also removed the odd route you mentioned. I am not sure what that was doing other than taking up space. But I do have 10.21.0.2 set as the gateway of last resort, will that suffice?

I will check everything once I get into the office and update the thread.

Any other opinions so far?

"Do you mean to make sure I do not have IPs assigned to the vlans on the 3560(s)?"

If all your inter-vlan routing is on the 6500 then yes, remove the vlan interfaces. Leave vlan 1 for management at the moment and we can address that when you have connectivity.

Jon

Jon,

I have verified the interfaces do not exist on the 3560.

I have connected a host with a static VLAN20 ip to a port on the 3560. From this host I am able to ping the dfg for:

VLAN1 (10.21.0.2)

VLAN20 (10.10.0.1)

VLAN30 (10.30.0.1)

CANNOT PING 10.21.1.50

I can also ping 2 other 3560(s) now that they have had their dfg configured for 10.21.0.19.

So, at this point, vlan1 is still functioning, but a static IP host on vlan20 still does not get to the internet, and I tried to pull an IP dynamically with ip helper-address (10.21.1.50) and was not able to get an IP.

Where to now?

UPDATE:

I found that the dhcp (10.21.1.50) had an incorrect dfg. I changed it to 10.21.0.19 and can ping it now from vlans other than vlan1.

Along with this change, I am able to pull IPs dynamically via ip helper-address!!

Now to try it with my blast shield down!

Last item for us to conquer is getting internet access to these additional vlans.

Any assistance is greatly appreciated!


Jon,

Thanks for the quick replies on this issue. I have been stressing over this and I see the light thanks to your guidance.

I updated the previous thread while you were replying, sorry.

The dhcp is now set with a dfg of 10.21.0.19 and is passing out IPs correctly to all vlans.

*Firewall*

NAT was not set up. I configured the vlan networks on the firewall and set up NAT.

I added the vlans along with their gateways and they now have internet access.

Should these routes have the VLAN1 interface? Or am I ok using the gateway IPs for each vlan? VLAN20 = 10.10.0.1 and so on.

Postal

Could you explain what you mean by configured the vlan networks on the firewall?

If the firewall inside interface is in vlan 1 then all the routes to the internal subnets will have to point to the vlan 1 ip address on the 6500.

Glad we're making progress :-)

Jon

Jon,

I added the vlans as separate Hosts/Networks via the Cisco PDM. I am not fluent enough to use the command line :(

Along with each vlan is the option to define the gateway, so I added the svi for each vlan as the gateway.

When I was complete, I verified that the networks displayed in the rules as any/any.

So, at this point I have dynamic IPs and internet access on all vlans. I am working out some kinks with some of the servers.

Should I have configured the firewall differently?

Postal

Postal

I'm not so good with PDM as I always use the CLI on PIX/ASA devices. There are 2 separate things on the firewall:

1) routing. Sounds like you have that sorted.

2) Firewall rules.

I'll have a look at PDM when I get back into work, but I'm still not sure what you mean when you say you added each SVI as a gateway, unless your firewall is connected to all vlans on the 6500 - it's not trunked, is it?

Anyway it sounds like you have it pretty much sorted. Glad to have helped and if you need any more help just come back.

Jon

Jon,

No, the fw is not trunked.

1) I am assuming that the tab that allows me to add networks and hosts is really the CLI version of 'routes'.

2) The first tab is the firewall rules. There is an option to show details of each rule and I see that once I added the networks on the 'routes' tab they automagically appeared in the rules.

At this point my hair is growing back and I am a little less stressed. The bulk of this was trying to learn catos on the 6509.

Thanks for your help, Jon.

I will mark the post that helped the most.

Postal - padawan extraordinaire.
