I have installed a new LAN using a 3550 switch as a central router to route between 3 different VLANs. The client nodes can ping each other both in their own VLANs and across other VLANs, so inter-VLAN routing works. My problem is I cannot route out to the internet from any client node in any VLAN. The outward bound Int on FA0/1 is 10.1.1.1 which is connected to our firewall internal Int of 10.1.1.5. I've added a static route of 0.0.0.0 0.0.0.0 10.1.1.5.
I've traced IP route from the 3550 out to the internet via our firewall which works, but when I attempt a tracert from a client it fails after reaching its own VLAN default-gateway, e.g.:
Tracing route to 10.1.1.5 over a maximum of 30 hops
1 <10 ms <10 ms <10 ms 10.3.1.1
2 * * * Request timed out.
3 * * ^C
Attached are the configs of the 3550 and a 2950c. I cannot see why this isn't working. Can anyone see what I'm missing? Help!
1) Are you sure your trunks work OK? I'm not sure if setting switchport mode trunk on 3550 and leaving just default (i.e. desired) on 2950 trunk side is correct. But if you are able to route between your VLANs (i.e. to ping from a PC in VLAN2 to another PC in VLAN3) then it's correct probably.
2) There might be a problem with NAT on your firewall. If you forget to define NAT for VLAN2 and VLAN3 IP address ranges and have defined only NAT for 10.1.1.0 255.255.255.0 then tracert output would be the same (Firewall is not responding to tracert probably. The Internet routers do but the response can't be translated to correct 10.x.x.x because of missing NAT).
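The NAT-scope hypothesis in the reply above can be checked mechanically. This is an added example, not part of the original thread: it compares the source ranges a firewall translates against the inside subnets that route through it. The 10.1.1.0 255.255.255.0 range and the 10.3.1.1 gateway come from the thread; the /24 mask on the client VLAN and the 10.2.1.0 VLAN are assumptions.

```python
import ipaddress


def parse_range(text):
    """Parse 'network mask' (the notation used in the thread) or CIDR text."""
    parts = text.split()
    if len(parts) == 2:
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=True)
    return ipaddress.ip_network(text, strict=True)


def nat_coverage(inside_subnets, nat_sources):
    """Classify each inside subnet against the firewall's NAT source ranges.

    covered: every address in the subnet is translated
    partial: only some addresses fall inside a NAT range
    missing: no address is translated, so return traffic cannot be mapped back
    """
    nat_nets = [parse_range(n) for n in nat_sources]
    report = {}
    for name, text in inside_subnets.items():
        subnet = parse_range(text)
        if any(subnet.subnet_of(n) for n in nat_nets):
            report[name] = "covered"
        elif any(subnet.overlaps(n) for n in nat_nets):
            report[name] = "partial"
        else:
            report[name] = "missing"
    return report


# Constructed sample data for illustration.
INSIDE = {
    "transit (3550 FA0/1 to firewall)": "10.1.1.0 255.255.255.0",  # from the thread
    "client VLAN behind 10.3.1.1": "10.3.1.0 255.255.255.0",       # mask assumed
    "second client VLAN": "10.2.1.0 255.255.255.0",                # hypothetical
}
NAT_SOURCES = ["10.1.1.0 255.255.255.0"]  # the NAT-only-for-transit case from the reply

if __name__ == "__main__":
    for name, state in nat_coverage(INSIDE, NAT_SOURCES).items():
        print(f"{state:8} {name}")
```
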
Thanks for your thoughts guys. It seems that packets are reaching the firewall and then being dropped. Obviously something is wrong on the firewall. On the surface all 3 VLANs are routed and NAT is implemented as well. I'm looking further into this.