• Status: Solved
CISCO 837: Using 2 Layer3 interfaces and routing between them - HP ProCurve 2650 Switch

Hi,

Been trying to work this out tonight and just getting frustrated now.

I am running an HP ProCurve 2650 managed switch, and I have 2 VLANs:

VLAN1 is connected to the primary business running in the building (192.168.200.0/24)
VLAN2 is connected to the secondary business running in the same building (192.168.2.0/24)

What I have is a printer that is in the secondary VLAN2 (192.168.2.250/32) that needs access from anyone.

Now after checking things over and over again, it seems I can't share a port between VLANs unless the device supports it (in this case the printer doesn't support 802.1q), so I have connected the Cisco 837 router as follows:

Ethernet 0 (FastEthernet 1) is connected to Port 1 (in VLAN1)
Ethernet 2 (FastEthernet 4) is connected to Port 48 (in VLAN2)

I have configured Ethernet0 to be 192.168.200.254 and Ethernet2 to be 192.168.2.252

From the router I can ping 192.168.200.1 and ping 192.168.2.250, therefore the VLAN has been overcome.

However, no computers on the 192.168.200.0/24 subnet can route through to 192.168.2.250/32 (the printer). Why in hell can't they! :) I have tried access-lists and tried different ways to route, but it just doesn't seem to be working.

Any suggestions?

Current configuration : 3946 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NTDS
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
ip name-server 210.18.210.210
ip name-server 210.18.206.206
!
interface Ethernet0
 ip address 192.168.200.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface Ethernet2
 ip address 192.168.2.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 ip address <remote ip>
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <our username>
 ppp chap password 0 <our password>
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.0 255.255.255.0 192.168.2.254
ip route 192.168.2.0 255.255.255.0 Ethernet2
ip route 192.168.2.250 255.255.255.255 Ethernet2 permanent
ip route 192.168.200.0 255.255.255.0 Ethernet2
ip route 192.168.200.0 255.255.255.0 Ethernet0
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static udp 192.168.200.180 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.200.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.200.1 34206 interface Dialer0 34206
ip nat inside source static tcp 192.168.200.1 1433 interface Dialer1 1433
ip nat inside source static tcp 192.168.200.1 34200 interface Dialer0 34200
ip nat inside source static tcp 192.168.200.1 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.200.1 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.200.3 80 interface Dialer1 8888
ip nat inside source static tcp 192.168.200.1 5061 interface Dialer1 5061
ip nat inside source static tcp 192.168.200.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.200.1 110 interface Dialer1 110
ip nat inside source static tcp 192.168.200.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.200.3 3389 interface Dialer1 3390
ip nat inside source static tcp 192.168.200.180 1720 interface Dialer1 1720
ip nat inside source static tcp 192.168.200.180 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.200.180 16384 interface Dialer1 16384
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit tcp host 211.26.10.154 eq pop3 any eq pop3
access-list 101 permit tcp host 211.26.10.154 eq smtp any eq smtp
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit tcp host 211.26.10.154 eq 1723 any eq 1723
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any eq 3389 any
access-list 101 permit tcp any eq 443 any
access-list 101 permit ip any any
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
!
scheduler max-task-time 5000
end

Asked by: delta-mp

1 Solution

Vladan_MOBTEL commented:
Could you post the output of sh ip route?

Could you delete these lines:
ip route 192.168.2.0 255.255.255.0 192.168.2.254
ip route 192.168.2.0 255.255.255.0 Ethernet2
ip route 192.168.2.250 255.255.255.255 Ethernet2 permanent
ip route 192.168.200.0 255.255.255.0 Ethernet2
ip route 192.168.200.0 255.255.255.0 Ethernet0

and post sh ip route again?

These are directly connected networks; they do not need routes...

I am quite confused here as well...
 
lrmoore commented:
Vlad is right about removing the static routes. You never want to add static routes to your own directly connected networks.
You should only have one default route and that's it.

Also, what is the printer's default gateway? Since you probably can't add static routes to the printer config, you need to make sure that the printer's default gateway points to the router interface 192.168.2.252.

>What I have is a printer that is in the secondary VLAN2 (192.168.2.250/32)
Make sure your subnet mask on the printer is /24 and not /32
 
delta-mp (Author) commented:
lrmoore, you may be onto something there. I didn't think about the default gateway of the printer; it is set to another Cisco router, an 827 with IP 192.168.2.254.

How can I have two default gateways?

I basically want all 192.168.200.0/24 traffic to go to 192.168.200.254 and all 192.168.2.0/24 traffic to go to 192.168.2.254

Maybe in the Cisco 827 router, if I add (just wondering) a static route of 192.168.200.0/24 192.168.2.252???

Would that work? (I don't have access to the 827 atm, as it is the secondary business router and I need to get auth details.)

I will post the ip route for you tomorrow, Vladan. Thanks for your help so far, guys.

Regards,

Michael Proctor
 
Vladan_MOBTEL commented:
Only the other router can do the job for you, or static routes on the printer (highly unlikely). You do not have to add anything on the first 827.
 
pseudocyber commented:
Vladan might be saying the same thing ...

>>I basically want all 192.168.200.0/24 traffic to go to 192.168.200.254 and all 192.168.2.0/24 traffic to go to 192.168.2.254

You need to put a static route on the router which is the default router of the 192.168.2.0/24 network pointing to the 192.168.200.0/24 net.

Something to the effect of:

192.168.200.0 255.255.255.0 192.168.2.254

For all traffic in 192.168.200.0 send it to the next hop 192.168.2.254.

Then you don't need to change anything on any of your clients. You would need the same thing on the 192.168.200.0/24 default gateway pointing to the 192.168.2.0 net.
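To make the point of the two replies above concrete, here is an added example (not code from the thread): a small longest-prefix-match simulation of the 837's and the 827's route tables that traces the workstation-to-printer packet and the printer's reply, with and without the static route on the 827. Only 192.168.2.252 and 192.168.2.254 come from the thread; the route tables and the workstation address 192.168.200.10 are constructed assumptions.

```python
import ipaddress

# Constructed route tables (not the real routers' output). "connected" means
# the router delivers onto that LAN itself; "Internet" is the default route
# out the ADSL dialer. The 827's other routes are assumed.
ROUTER_837 = {
    "192.168.200.0/24": "connected",
    "192.168.2.0/24": "connected",
    "0.0.0.0/0": "Internet",
}
# Which router owns each next-hop address.
OWNER = {"192.168.2.252": "837", "192.168.200.254": "837", "192.168.2.254": "827"}

def router_827(with_static_route):
    table = {"192.168.2.0/24": "connected", "0.0.0.0/0": "Internet"}
    if with_static_route:
        # pseudocyber's suggestion: send the primary LAN back via the 837
        table["192.168.200.0/24"] = "192.168.2.252"
    return table

def lookup(table, dst):
    """Longest-prefix match, the way a router chooses among its routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(first_router, dst, tables, max_hops=8):
    """Follow a packet from the sender's default gateway; returns (path, outcome)."""
    path, router = [first_router], first_router
    for _ in range(max_hops):
        nexthop = lookup(tables[router], dst)
        if nexthop == "connected":
            return path, "delivered"
        if nexthop in ("Internet", None) or nexthop not in OWNER:
            return path, "lost"  # left the building or no route at all
        router = OWNER[nexthop]
        path.append(router)
    return path, "loop"

def scenario(with_static_route):
    tables = {"837": ROUTER_837, "827": router_827(with_static_route)}
    # Workstation -> printer goes via its gateway (837); the printer's reply
    # goes via *its* gateway (827), so the two directions take different paths.
    forward = trace("837", "192.168.2.250", tables)
    reply = trace("827", "192.168.200.10", tables)
    return forward, reply
```

Without the static route the reply leaves the 827 by its default route and never comes back; with it the 827 hands the reply to the 837, which delivers it.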
 
magicomminc commented:
Is this really a Cisco 837? I thought the 837 has one ADSL port and one WIC 4ESW?
 
delta-mp (Author) commented:
How would I go about access lists to make sure that only 192.168.2.250 is visible from the 192.168.200.0/24 network and only 192.168.200.1 from the 192.168.2.0/24 network?

My current access list is screwed, I am sure... This config was already on the router and seems to be a bit screwy, like having two dialers but only using dialer1, not dialer0.

I figure it should be like:
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.200.1 0.0.0.0
access-list 102 permit ip 192.168.200.0 0.0.0.255 192.168.2.250 0.0.0.0

access-list 101 permit ip any any

How do I apply access list 102 to ethernet 0 and ethernet 2?
 
lrmoore commented:
>make sure that only 192.168.2.250 is visible from the 192.168.200.0/24 network and only 192.168.200.1 from the 192.168.2.0/24 network.

These are contradictory..
 only 192.168.2.250 is visible from the 192.168.200.0/24
 only 192.168.200.1 from the 192.168.2.0/24 network.

If I only allow 192.168.2.250 to be seen from 192.168.200.0, then I can't make the reverse any less restrictive...i.e.
  only host 192.168.2.250 can talk to host 192.168.200.1
  no other hosts on network 192.168.200.x can talk to host 192.168.2.250
  only host 192.168.200.1 can be seen from only host 192.168.2.250

Here's what I would do:
 
no access-list 102

access-list 102 permit ip 192.168.200.0 0.0.0.255 host 192.168.2.250
   everyone on 192.168.200.0 is only allowed to access host 192.168.2.250

access-list 103 permit ip 192.168.2.0 0.0.0.255 host 192.168.200.1
   everyone on 192.168.2.0 is only allowed to access host 192.168.200.1

End result is that only those two hosts can see each other...nobody on either network can get internet or anything else at all.

FYI to "apply" them:
  interface Eth 0
   ip access-group 102 in
  interface Eth 2
   ip access-group 103 in

It may be more advantageous to determine what you DON'T want to be accessed from one side or the other.

 
delta-mp (Author) commented:
Ummm...... Damn IP networks, they are flexible but have some major complexities when dealing with VLANs and multiple routers on different subnets!

So can't I add an access-list to permit access to dialer1 (as in the default gateway route) for eth 0 (192.168.200.0/24 network)?
 
lrmoore commented:
Let's see if this will work any better for you..

access-list 102 permit ip 192.168.200.0 0.0.0.255 host 192.168.2.250
access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any

access-list 103 permit ip host 192.168.2.250 host 192.168.200.1
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 any

You really have to be careful what you wish for on access-lists...
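As an added illustration (not lrmoore's code) of why the entry order matters: a first-match evaluator for the "permit/deny ip SRC DST" form of ACL used above, run against both versions of ACL 102 with constructed sample flows. The workstation address 192.168.200.10, the other VLAN2 host 192.168.2.20 and the Internet address 203.0.113.7 are constructed inputs.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse the 'access-list N permit|deny ip SRC DST' form used in the thread."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    action, rest = tokens[2], tokens[4:]
    def take():  # consume one address spec: 'any', 'host A', or 'A WILDCARD'
        nonlocal rest
        if rest[0] == "any":
            spec, rest = ("0.0.0.0", "255.255.255.255"), rest[1:]
        elif rest[0] == "host":
            spec, rest = (rest[1], "0.0.0.0"), rest[2:]
        else:
            spec, rest = (rest[0], rest[1]), rest[2:]
        return spec
    src, dst = take(), take()
    return action, src, dst

def evaluate(acl_lines, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The two versions of ACL 102 (inbound on Ethernet0) posted in the thread.
ACL102_FIRST = ["access-list 102 permit ip 192.168.200.0 0.0.0.255 host 192.168.2.250"]
ACL102_FINAL = [
    "access-list 102 permit ip 192.168.200.0 0.0.0.255 host 192.168.2.250",
    "access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip 192.168.200.0 0.0.0.255 any",
]
# Constructed sample flows from one workstation on the primary LAN.
FLOWS = {
    "printer": ("192.168.200.10", "192.168.2.250"),
    "other VLAN2 host": ("192.168.200.10", "192.168.2.20"),
    "internet": ("192.168.200.10", "203.0.113.7"),
}

def results(acl_lines):
    # Decision per sample flow, e.g. {'printer': 'permit', 'internet': 'deny', ...}
    return {name: evaluate(acl_lines, s, d) for name, (s, d) in FLOWS.items()}
```

The single-line version permits the printer but, through the implicit deny, also cuts off Internet access; the three-line version keeps the printer reachable, blocks the rest of VLAN2 and lets everything else through, and only because the host permit precedes the subnet deny.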
