VLAN problem

acorbett
Level 1

I was wondering if you could help me out with something I am working on here. I have on my LAN, 2 VLANs (VLAN10 and VLAN192). My corporate servers are on VLAN192 and corporate users are on VLAN10. I have here at the corporate office a 2611XM router with 2 Ethernet ports. One port (fa0/0.1) is ip address 192.168.2.1, encapsulation dot1q 192 native. The other port (fa0/1.1) is ip address 10.0.2.1, encapsulation dot1q 10. I have 3 2950s on VLAN192 and 4 2950s on VLAN10. Now, I have a disaster recovery site in Westchester, PA to which we will be doing real time mirroring of some servers that reside here at the corporate office to identical servers at the PA site. At that site I have a 1602 router with a WIC-T1 card and a 2950 (VLAN192) switch. There is a dedicated 384k frame-relay line connecting the PA site with corporate. My goal is to have the servers at the PA site on the same VLAN192 that my servers up here are on. I do have connectivity to the remote site server, but here is the strange part. I can only connect to the servers at the remote site from computers in corporate that are on VLAN10. Even though the remote site is VLAN192, I cannot connect to it from any computers/servers in corporate that are also on VLAN192. I can provide configs if needed. Thanks!

3 Replies

john-lucero
Level 1

Are you using static or dynamic routing? We would need to look closer at the routing configs on both the 2611 and the 1602.

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Here are the configs. I only have one server online at the remote site right now. Its address is 192.168.2.231, and the matching server on the corporate side is 192.168.2.230, so you will see that I have a static route(s) in there for those servers.

2611 CONFIG:

version 12.2
service timestamps debug datetime show-timezone
service timestamps log datetime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname --moderator edit--
!
enable secret 5 --moderator edit--
enable password 7 --moderator edit--
!
ip subnet-zero
no ip source-route
!
!
!
call rsvp-sync
!
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 192 native
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip helper-address 192.168.2.25
 shutdown
!
interface Serial0/0
 bandwidth 768
 no ip address
 encapsulation frame-relay
 service-module t1 timeslots 1-12
 frame-relay lmi-type ansi
!
interface Serial0/0.99 point-to-point
 description Frame_Relay PVC to Westchester Mirror
 ip address 10.10.3.254 255.255.255.0
 frame-relay interface-dlci 475
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 10.0.2.1 255.255.255.0
 ip helper-address 192.168.2.25
!
interface Serial0/1
 description xxxxx
 ip address xxxxxx
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
!
router eigrp 1
 network 10.0.0.0
 network 172.0.0.0
 network 192.168.2.0
 network 192.168.254.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
ip route 172.16.0.0 255.255.0.0 192.168.2.80
ip route 192.168.2.231 255.255.255.255 10.10.3.253
ip http server
ip pim bidir-enable
!
logging trap notifications
logging 10.0.2.59
!
dial-peer cor custom
!
!
!
banner motd ^CCCCCCCC
+---------------------------------------------+
| |
| Welcome to |
| Sterling Autobody |
| |
| This is a private computer network. |
| UNAUTHORIZED ACCESS OR USE |
| IS PROHIBITED AND IS PUNISHABLE |
| UNDER FEDERAL, STATE & LOCAL LAW |
| |
+---------------------------------------------+^C
!
line con 0
 session-timeout 25
 exec-timeout 25 0
 password 7 --moderator edit--
 flowcontrol hardware
line aux 0
 transport input all
line vty 0 4
 session-timeout 25
 exec-timeout 25 0
 password 7 --moderator edit--
 login
line vty 5 15
 password 7 --moderator edit--
 login
!

1602 CONFIG:

version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname --moderator edit--
!
enable secret 5 --moderator edit--
enable password 7 --moderator edit--
!
ip subnet-zero
no ip source-route
!
!
!
interface Ethernet0
 ip address 192.168.2.205 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
!
interface Serial0
 no ip address
 no ip directed-broadcast
 shutdown
 no fair-queue
 service-module 56k clock source line
 service-module 56k network-type dds
!
interface Serial1
 ip address 10.10.3.253 255.255.255.0
 no ip directed-broadcast
 encapsulation frame-relay
 logging event subif-link-status
 logging event dlci-status-change
 service-module t1 timeslots 1-6
 frame-relay interface-dlci 875
 frame-relay lmi-type ansi
!
router eigrp 1
 passive-interface Ethernet0
 network 10.0.0.0
 network 192.168.2.0
!
ip classless
ip route 192.168.2.230 255.255.255.255 10.10.3.254
!
banner motd ^CCCCCCCCCCC
+---------------------------------------------+
| |
| Welcome to |
| Sterling Autobody |
| |
| This is a private computer network. |
| UNAUTHORIZED ACCESS OR USE |
| IS PROHIBITED AND IS PUNISHABLE |
| UNDER FEDERAL, STATE & LOCAL LAW |
| |
--------------------------------------------+^C
!
line con 0
 exec-timeout 120 0
 password 7 --moderator edit--
 transport input none
line vty 0 4
 exec-timeout 0 0
 password 7 --moderator edit--
 login
!

Thanks!

Hi there

Looking at the configs above I can see a few things that puzzled me.

1. You're using the SAME LAN IP subnet/network on both routers. That is you're using /24 subnet mask on F0/0.1 on 2611 (ip address 192.168.2.1 255.255.255.0) and E0 on 1602 (ip address 192.168.2.205 255.255.255.0)!!!! You cannot route like this. The subnets need to be different.

2. Using the information in step 1, I can say that you won't be able to connect to the remote site's server from any of the servers/PCs that reside on your side of VLAN192. That is from VLAN 192 (your side), the PC will send an ARP request for a destination address that it thinks is on the local network (instead of sending it to the default gateway which is the F0/0.1 on 2611). If you want this to work then you'll have to manually enter manual routes on each of the local PC/server to point to the default gateway for any remote destination. For instance on your PC (on VLAN 192), go to DOS, type:

--- route add 192.168.2.230 mask 255.255.255.255 192.168.2.1

Doing the above might not be the ideal solution though, for you might have to add manual routes for EACH device that sits on VLAN 192 on your side.

3. From VLAN 10 you can get to the remote server because you have a "host" static route on the router showing the router how to route to the destination remote network.

4. I think that the best solution is to either:

--- A. Run bridging between the local and the remote network - which is NOT a very ideal solution because of bridging on WAN

--- B. Re-address either your VLAN192 or the remote VLAN192 to something different. Say you'll use 192.168.3.0/24 and the remote will use 192.168.2.0/24 (as before). This way you won't have to put in any static routes and things will definitely work.

5. BTW, I have no idea why you add network 172.0.0.0 and 192.168.254.0 into your "router eigrp ..." section on your 2611. You have NO interfaces that start with those network addresses.

Good luck and let me know how you go.
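
The forwarding behaviour discussed in this thread, as an added example that is not part of any poster's reply or configuration. It takes the interface addresses from the two posted configs, flags the LAN subnet configured behind both routers, and models how a host chooses between ARPing for the destination and using a gateway when reaching the remote server 192.168.2.231. The `.50` host addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Interface addresses copied from the two configs posted in this thread.
ROUTER_INTERFACES = {
    "2611": {"FastEthernet0/0.1": "192.168.2.1/24",
             "FastEthernet0/1.1": "10.0.2.1/24",
             "Serial0/0.99": "10.10.3.254/24"},
    "1602": {"Ethernet0": "192.168.2.205/24",
             "Serial1": "10.10.3.253/24"},
}
# The serial ports legitimately share 10.10.3.0/24 (same frame-relay link),
# so only LAN-facing ports are compared.
LAN_PORTS = {"FastEthernet0/0.1", "FastEthernet0/1.1", "Ethernet0"}


def duplicated_lan_subnets(routers):
    """Return LAN subnets that are configured behind more than one router."""
    seen = {}
    for router, ports in routers.items():
        for port, addr in ports.items():
            if port in LAN_PORTS:
                net = ipaddress.ip_interface(addr).network
                seen.setdefault(net, set()).add(router)
    return {str(net): sorted(r) for net, r in seen.items() if len(r) > 1}


def next_hop(host_if, gateway, dest, host_routes=()):
    """Model a host's longest-prefix-match decision for one destination.

    Returns ("arp", dest) when the host treats dest as on-link,
    ("route", gw) for a static host route, ("gateway", gw) for the default.
    """
    dest_ip = ipaddress.ip_address(dest)
    table = [(ipaddress.ip_network(p), ("route", gw)) for p, gw in host_routes]
    table.append((ipaddress.ip_interface(host_if).network, ("arp", dest)))
    table.append((ipaddress.ip_network("0.0.0.0/0"), ("gateway", gateway)))
    hits = [(net, action) for net, action in table if dest_ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


if __name__ == "__main__":
    print(duplicated_lan_subnets(ROUTER_INTERFACES))
    # Constructed hosts: the .50 addresses are illustrative only.
    print(next_hop("192.168.2.50/24", "192.168.2.1", "192.168.2.231"))
    print(next_hop("10.0.2.50/24", "10.0.2.1", "192.168.2.231"))
    print(next_hop("192.168.2.50/24", "192.168.2.1", "192.168.2.231",
                   [("192.168.2.231/32", "192.168.2.1")]))
```

The VLAN192 host ARPs for the remote server directly and never hands the packet to the 2611, while the VLAN10 host uses its gateway, where the router's /32 static route takes over; a /32 route on the VLAN192 host changes its decision in the same way.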