Unable to access web or internal IMAP from VLAN 2 on Cisco Catalyst Switches

Posted on 2008-10-20
Last Modified: 2012-06-21
We recently reconfigured our network with 2 VLANs for our new VoIP system.  We installed the voicemail server on the voice VLAN, VLAN 2, and we are unable to telnet to IMAP on the internal Exchange server for integrated messaging from this voicemail server.  In addition, we are unable to access the web from machines on VLAN 2.  We appear to have inter-VLAN routing set up correctly, though I am not sure.

We are able to ping everything from every network just fine.  Even a tracert to www.google.com works from VLAN 2; however, the web page is never returned to the browser following the DNS request.  If we put the voicemail server onto VLAN 1, it can telnet the IMAP on the Exchange server fine.

Any ideas?
Setup:
 
Netscreen SSG140 -->  Cisco Catalyst 3560 G (Acting as L3 router)
Default GW: 10.0.0.15  VLAN 1:  10.0.0.30
                       VLAN 2:  10.0.1.1
                       ip route 0.0.0.0 0.0.0.0 10.0.0.15 255.255.255.0
 
-->  2nd Cisco Catalyst 3560  VLAN 1:  10.0.0.5
                              VLAN 2:  10.0.0.4
                              ip default-gateway:  10.0.0.30

Question by:wega1985

Accepted Solution

by:
kyleb84 earned 2000 total points
ID: 22763825
I'm guessing the Netscreen is 10.0.0.15?

The "3560G" should have this route:
ip route 0.0.0.0 0.0.0.0 10.0.0.15

And this command should be present:
ip routing

The Netscreen should have this route:
Network: 10.0.1.0 255.255.255.0 via 10.0.0.30

The 2nd 3560 shouldn't be doing VLAN routing at all, and its Vlan2 interface needs a 10.0.1.X/24 IP address - not a 10.0.0.0 address that belongs on the Vlan1 VLAN.

Every device on the Vlan1 VLAN should have a Default Gateway of 10.0.0.30
Every device on the Vlan2 VLAN should have a Default Gateway of 10.0.1.1

Only the 1st 3560G should have an ip route of 10.0.0.15 as mentioned above.

The uplink between these two switches should be a trunk on both sides:

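interface XXX
 ! set the encapsulation first: the 3560 rejects "mode trunk" while encapsulation is still negotiated
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2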

Where XXX is the switch's uplink interface to the other switch; this applies to both switches.
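
The addressing rules from the accepted answer, written as a check that can be run against an inventory. This is an added example, not part of the original thread; the device names, host addresses, the firewall's default route via 192.0.2.1, the Exchange server's old gateway and the /24 mask on VLAN 1 are constructed assumptions.

```python
import ipaddress as ip

# Plan from the thread; the /24 mask on VLAN 1 is an assumption.
VLAN_NETS = {1: ip.ip_network("10.0.0.0/24"), 2: ip.ip_network("10.0.1.0/24")}
L3_GATEWAYS = {1: ip.ip_address("10.0.0.30"), 2: ip.ip_address("10.0.1.1")}
FIREWALL = ip.ip_address("10.0.0.15")

def audit(svis, fw_routes, hosts):
    """svis: (device, vlan, addr); fw_routes: (prefix, next_hop);
    hosts: (name, vlan, addr, gateway). Returns a list of findings."""
    findings = []
    for device, vlan, addr in svis:
        if ip.ip_address(addr) not in VLAN_NETS[vlan]:
            findings.append(f"{device}: Vlan{vlan} address {addr} is outside {VLAN_NETS[vlan]}")
    # The firewall lives in one VLAN; every other VLAN needs a return
    # route on it that points at the L3 switch's address in that VLAN.
    fw_vlan = next(v for v, net in VLAN_NETS.items() if FIREWALL in net)
    for vlan, net in VLAN_NETS.items():
        if vlan == fw_vlan:
            continue
        hops = [ip.ip_address(nh) for pfx, nh in fw_routes
                if net.subnet_of(ip.ip_network(pfx))]
        if L3_GATEWAYS[fw_vlan] not in hops:
            findings.append(f"firewall: no route to {net} via {L3_GATEWAYS[fw_vlan]}")
    for name, vlan, addr, gw in hosts:
        if ip.ip_address(addr) not in VLAN_NETS[vlan]:
            findings.append(f"{name}: address {addr} is outside {VLAN_NETS[vlan]}")
        if ip.ip_address(gw) != L3_GATEWAYS[vlan]:
            findings.append(f"{name}: default gateway {gw}, expected {L3_GATEWAYS[vlan]}")
    return findings

# Constructed inventory: device names, host addresses, the firewall's
# default route and the Exchange server's old gateway are assumptions.
BEFORE = dict(
    svis=[("3560G", 1, "10.0.0.30"), ("3560G", 2, "10.0.1.1"),
          ("3560-2", 1, "10.0.0.5"), ("3560-2", 2, "10.0.0.4")],
    fw_routes=[("0.0.0.0/0", "192.0.2.1")],
    hosts=[("exchange", 1, "10.0.0.10", "10.0.0.15"),
           ("voicemail", 2, "10.0.1.20", "10.0.1.1")])
AFTER = dict(
    svis=BEFORE["svis"][:3] + [("3560-2", 2, "10.0.1.2")],
    fw_routes=BEFORE["fw_routes"] + [("10.0.1.0/24", "10.0.0.30")],
    hosts=[("exchange", 1, "10.0.0.10", "10.0.0.30"), BEFORE["hosts"][1]])

if __name__ == "__main__":
    for label, inv in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(**inv) or "no findings")
```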


Author Comment

by:wega1985
ID: 22766482
Great answer.  I double-checked my configs and all looked good except for some trunk commands.  I forgot to change the default gateway on the Exchange server to 10.0.0.30, so now the IMAP issue is resolved.
However, I still can't access the Internet from VLAN 2.  IE is stuck on "connecting to [IP address of site]".

Expert Comment

by:kyleb84
ID: 22782936
So on that VLAN 2 PC:
- Its IP address is 10.0.1.X, netmask of 255.255.255.0?
- Its default gateway is 10.0.1.1?
- It has a DNS server configured?
- It can ping 10.0.1.1?
- It can ping 10.0.0.30?
- It can ping 10.0.0.15?
- It can ping its DNS server?

Author Comment

by:wega1985
ID: 22785215
Yes to all.

Expert Comment

by:kyleb84
ID: 22791128
Ok, weird...

- Does it resolve DNS properly?
- Can you ping the ISP's default gateway (or any other internet IP)?
- Can it ping www.google.com?

If all the internal routing is OK (as you've confirmed above), I'm wondering whether it's a DNS issue or a problem with your Netscreen...

Author Comment

by:wega1985
ID: 22811614
Yes again.  I suspect the issue is with some blocking in the Netscreen, though I'm not sure what.  Possibly an additional policy is needed.