I am just creating a new VLAN and i'm having access issues.  The routing table only contains a default route. Below is adding 2 /24 but still the same supernet.

VLAN 2:

interface Vlan2
description USER_VLAN
ip address 10.128.66.1 255.255.255.0

ROUTING TABLE:
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.128.66.0 is directly connected, Vlan2
C       10.128.65.0 is directly connected, Vlan6
C    192.168.1.0/24 is directly connected, Vlan1
C    192.168.3.0/24 is directly connected, Vlan10
S*   0.0.0.0/0 [1/0] via 192.168.1.1

STATIC DEFAULT:
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Thanks.

I might be wrong but I don't see any problem with this:

     10.0.0.0/24 is subnetted, 2 subnets
C       10.128.66.0 is directly connected, Vlan2
C       10.128.65.0 is directly connected, Vlan6

This is because there are two VLANs with mask /24, that's why you get the above output.

Does not matter there's no routes in the routing table, the 4500 will add the directly connected routes as soon as the interfaces are functional.

What I'm saying is that if you add another VLAN with a different mask i.e. /27 the output of the supernet will be different. I migth be wrong but give it a try if you can.

Federico.

I guess your right.

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.10.0/27 is directly connected, Vlan6
C       10.128.66.0/24 is directly connected, Vlan2
C    192.168.1.0/24 is directly connected, Vlan1
C    192.168.3.0/24 is directly connected, Vlan10
S*   0.0.0.0/0 [1/0] via 192.168.1.1

Ultimately i'm getting an error on my pix firewall stating that is doesn't have a route so this looked interesting.

110001: No route to 10.128.66.50 from 172.19.1.208

Ok, now the PIX does not have a way to reach 10.128.66.50?

If you check the routing table on the PIX is there a route to that IP? ''sh route''

If not, you need to check if the PIX and the 4500 share an IP subnet and include the proper route.

Federico.

Darren

This additional information is helpful. So the problem is on your firewall and not on your switch.

Can you post the output of show route from the firewall?

HTH

Rick

Darren

The routing table as you post it is saying that network 10.0.0.0 is subnetted with a single mask which is a /24. This agrees with the interface config that you posted.

If you are having access issues I do not see anything in the routing table that would create access issues. Can you tell us a bit more about what you are trying to do and what is not working?

If your access issue is a problem with a machine in one VLAN attempting to communicate with a machine in another VLAN then here are some steps I would suggest to troubleshoot the problem:

- do both of the machines show up in the ARP table? If not this is a problem and figure out why they are not in the ARP table.

- do the machines have the correct default gateway configured (which should be the VLAN interface address of the switch)?

- starting from one machine verify that

__ can it ping its own default gateway address (the VLAN address on the switch)?

__ can it ping the address of the other VLAN interface of the switch?

- can you verify that ip routing is enabled on the switch?

HTH

Rick

Ok the routing table looks good.  I have 2 machines at different locations that are trying to communicate but i'm having access issues.  I can ping between both machines but i'm unable to web or https.  The only thing i see is the firewall is stating no route which lead me to believe that there was a routing table issue.  I'll have to dig into it a bit more since i know all access lists allow access and i have a nonat in place.  Thank you both for responding.

If you can PING I don't think there's a routing issue.

However check the routing and permissions (ACLs) and also the NAT config.

If you need any more help let us know.

Federico.

Darren

If I am understanding correctly you say that the 2 machines can ping each other. For that to happen it would seem that the PIX would have routes for both subnets. So I am puzzled at the error message on the PIX about no route to subnet.

If 2 machines can ping each other and can not run other applications, such as web, then my first instinct is to look for access list issues. If you check and verify that access lists are permitting the traffic, then my second instinct would be to look at translations and see if something is translated differently for ping or for web.

It also puzzles me what the topology is. Where are these machines and what do they connect to? I had been assuming that both of them are connected to your switch. But if they are connected to the switch then how does the PIX get into the traffic? Perhaps you can provide a better explanation of the topology?

HTH

Rick

Show route from the firewall is below.

506# sh route
        outside 0.0.0.0 0.0.0.0 192.168.2.2 1 OTHER static (System i'm trying to connect to and i'm able to ping)
        inside 10.128.66.0 255.255.255.0 192.168.1.6 1 OTHER static (Source system on 4506 switch)
        inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
        outside 192.168.2.0 255.255.255.0 192.168.2.1 1 CONNECT static
        inside 192.168.3.0 255.255.255.0 192.168.1.6 1 OTHER static

access-list 102 line 60 permit ip 10.128.64.0 255.255.252.0 172.16.0.0 255.240.0.0 (IPSEC Tunnel Traffic)

access-list nonat line 27 permit ip 10.128.64.0 255.255.252.0 172.16.0.0 255.240.0.0 (nonat)

access-list outgoing line 37 permit tcp 10.128.64.0 255.255.252.0 any eq www (inside out traffic from source system)

Thanks Peter that is confusing but it now makes sense.

Output from the firewall and thanks for working with me on this guys.   I'm getting the output from the other firewall too.