New Member

Vlans not working on remote data center

Hello, I need some help with a problem I am having.

OK, I have a VLAN that has ip access-group config on the local data center and it works fine. What I need to do is also have this VLAN working on the remote data center.

Here is the config I have done:

Local Data Center
interface Vlan888
 description VLAN 888 - PROJECT test
 ip address 10.88.70.250 255.255.255.0
 ip access-group TEstIN in
 ip access-group TEstOUT out
 ip helper-address 10.70.0.1
 standby 1 ip 10.88.70.254
 standby 1 priority 200
 standby 1 preempt
 standby 1 authentication XXXXXX

Remote Data Center
interface Vlan888
 description VLAN 888 - PROJECT test
 ip address 10.88.70.253 255.255.255.0
 ip helper-address 10.70.0.1
 standby 1 ip 10.88.70.254
 standby 1 priority 170
 standby 1 preempt
 standby 1 authentication XXXXXX

When I am connected to that VLAN on the remote data center core, I can ping 10.88.70.253 and .254 but nothing else.

Do I need to create the same ip access-groups, or is there another way?

I have to do this on a couple of 6500 series switches we have here.

5 REPLIES

Hi highlander02,

 

In order to control inter-VLAN traffic, all you need is "ip access-group TEstIN in"; it is not required to restrict with "ip access-group TEstOUT out", and using both "in" and "out" ACLs will complicate things too much. Besides, I don't know what exactly you want to achieve with access-group in and out.

So just limit your restriction to "ip access-group TEstIN in". If you could explain what kind of restriction you want to put in place with this "ip access-group TEstIN in", post your access-list TEstIN, and explain what exactly you want to achieve, I will tell you why it is not working and what the possible fix may be.

 

Thanks

Rizwan Rafeek

New Member

What is the configuration of the GigabitEthernet interface for Vlan888?

 

New Member

OK, I have removed the access-group out with no issues, thank you very much that one


New Member

Are you facing a problem with the VLAN? (You did mention you can ping the local and remote DC VLAN IPs from the remote DC, then what else?)

Security is optional as per your organization's needs. As I can see, both DCs share the VLAN database; in that sense the relevant configuration also needs to be replicated. This is not meant to solve the problem you are facing but assuming the requirement.

Is there an issue with HSRP? If so, you will need to verify the access-list to see that UDP 1985 is permitted in both directions (in and out access-lists).

 

HTH

Rate if you feel this is helpful.

New Member

Well, before I tried the HSRP option I was not getting any network connection on the remote data center core.

I found the reason that connection was not working: I thought the core device at the remote site had the working p2p connection. I was wrong.

So as I added that VLAN and int vlan information, the other connection started to work.

I don't know if the config would work without the HSRP config or not.

I have created the same access-list on that VLAN; now I just have to test it.
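
Added example (not part of the original thread and not any poster's code): the stanzas posted above bind TEstIN/TEstOUT on the local Vlan888 but no ACL on the remote HSRP peer, so filtering would differ depending on which peer forwards for 10.88.70.254. This Python sketch flags that kind of drift between two configs; the stanzas are copied from the thread and trimmed to the lines the check reads, and the function names are my own.

```python
import re

# Vlan888 stanzas from the thread, trimmed to the lines this check reads.
LOCAL_DC = """\
interface Vlan888
 ip address 10.88.70.250 255.255.255.0
 ip access-group TEstIN in
 ip access-group TEstOUT out
 standby 1 ip 10.88.70.254
 standby 1 priority 200
"""
REMOTE_DC = """\
interface Vlan888
 ip address 10.88.70.253 255.255.255.0
 standby 1 ip 10.88.70.254
 standby 1 priority 170
"""

def parse_svis(config):
    """Return {interface: {"acl": {direction: name}, "vips": set of HSRP virtual IPs}}."""
    svis, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = svis.setdefault(m.group(1), {"acl": {}, "vips": set()})
        elif cur is None:
            continue  # global config before the first interface stanza
        elif m := re.match(r"\s+ip access-group (\S+) (in|out)\b", line):
            cur["acl"][m.group(2)] = m.group(1)
        elif m := re.match(r"\s+standby \d+ ip (\S+)", line):
            cur["vips"].add(m.group(1))
    return svis

def acl_drift(a, b):
    """List (interface, direction, acl_on_a, acl_on_b) where HSRP peers filter differently."""
    findings = []
    for ifname in sorted(a.keys() & b.keys()):
        if not (a[ifname]["vips"] & b[ifname]["vips"]):
            continue  # not HSRP peers for the same virtual gateway
        for direction in ("in", "out"):
            pair = (a[ifname]["acl"].get(direction), b[ifname]["acl"].get(direction))
            if pair[0] != pair[1]:
                findings.append((ifname, direction, *pair))
    return findings

if __name__ == "__main__":
    for f in acl_drift(parse_svis(LOCAL_DC), parse_svis(REMOTE_DC)):
        print("%s %s: local=%s remote=%s" % f)
```
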

 
