Cisco - communication between VLANs (again)

It seems that I still have the same problem... for some reason I still can't establish a connection between the VLANs in my Cisco. As an example, a device from the 192.168.254.0 subnet cannot ping or open another device in the 192.168.200.0 subnet.

Please, I need help.
Here is the config I use...

hostname geo
!
boot-start-marker
boot-end-marker
!
enable secret "secret"
!
no aaa new-model
!
resource policy
!
clock timezone Greece 3
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.254.1 192.168.254.100
ip dhcp excluded-address 192.168.200.1 192.168.200.100
!
ip dhcp pool VLAN1
   import all
   network 192.168.254.0 255.255.255.0
   default-router 192.168.254.254
   dns-server 62.169.194.17 62.169.194.18
   lease 4
!
ip dhcp pool Vlan200
   import all
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   dns-server 62.169.194.17 62.169.194.18
   lease 4
!
!
ip telnet source-interface Vlan1
no ip bootp server
no ip domain lookup
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 60
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw esmtp
vpdn enable
!
vpdn-group 1
!
!
!
!
username geo privilege 15 password "password"
archive
 log config
  hidekeys
!
!
!
!
!
!
interface Loopback0
 description required for eigrp through tunnels
 ip address 192.168.5.1 255.255.255.0
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 switchport access vlan 200
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN network
 ip address 192.168.254.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer1
 description ADSL Dialer
 bandwidth 128
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username "username" password "password"
 ppp ipcp dns request
 max-reserved-bandwidth 100
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map in2out interface Dialer1 overload
ip nat inside source static tcp 192.168.254.50 1723 interface Dialer1 1723
!
logging source-interface Vlan1
access-list 1 remark inside Vlan1
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 101 remark -----permitions list
access-list 101 permit tcp any any eq ident
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
access-list 101 remark ----- e-mule ------
access-list 101 permit tcp any any eq 11111
access-list 101 permit udp any any eq 22222
access-list 101 remark -----IPSEC rule
access-list 101 remark -----nasa atomic clock permition
access-list 101 permit udp host 198.123.30.132 any eq ntp
access-list 101 remark -----antispoof list
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip host 127.0.0.1 any log
access-list 101 remark ---------- special use address
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny   ip 240.0.0.0 7.255.255.255 any log
access-list 101 deny   ip 248.0.0.0 7.255.255.255 any log
access-list 101 remark ---------- RFC 1918 space
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 remark ---------- My space
access-list 101 remark -----logged deny list
access-list 101 deny   tcp any any eq 12345 log
access-list 101 deny   tcp any any eq 31337 log
access-list 101 deny   tcp any any eq 31773 log
access-list 101 deny   tcp any any eq telnet log
access-list 101 deny   tcp any any eq ftp log
access-list 101 deny   tcp any any eq 139
access-list 101 deny   icmp any any
access-list 101 deny   udp any any
access-list 101 deny   tcp any any
access-list 102 remark Inside2Outside routemap
access-list 102 permit ip 192.168.254.0 0.0.0.255 any
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 remark -------------- vlan200 permitions --------------
access-list 103 permit tcp any any established
access-list 103 permit udp any any eq bootps
access-list 103 deny   ip 192.168.200.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
route-map in2out permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 access-class 1 in
 exec-timeout 120 0
 privilege level 15
 login local
 length 0
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end
Asked by geothessgr

4 Solutions
Istvan KalmarCommented:
The config seems good. Does the router reach both VLANs?
0
 
Ken BooneNetwork ConsultantCommented:
Check the VLAN database and see if the layer 2 VLAN 200 exists:
show vlan

or go into the vlan database
and then issue a show command.

If you do a show interface vlan200, what is the status of the interface?
0
 
geothessgrAuthor Commented:
Yes, the router reaches both VLANs and pings any device on both VLANs.
On VLAN 200 I have attached a (simple) wireless router that I'm using for my wireless needs... What I want to be able to do is to have access to its web interface... My PC is on VLAN 1 and that wireless router is on VLAN 200.

Here is the output:

Vlan200 is up, line protocol is up
  Hardware is EtherSVI, address is 001d.7089.2ce2 (bia 001d.7089.2ce2)
  Internet address is 192.168.200.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     22362 packets input, 1789237 bytes, 0 no buffer
     Received 3720 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     50505 packets output, 73807010 bytes, 0 underruns
     0 output errors, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out

 VLAN ISL Id: 200
    Name: wirlessVLAN
    Media Type: Ethernet
    VLAN 802.10 Id: 100200
    State: Operational
    MTU: 1500
0
 
geothessgrAuthor Commented:
Anyway... I want to know how to make the two VLANs talk to each other, and after that how to control the traffic between them.
Thank you in advance for all your help.
0
 
Istvan KalmarCommented:
Did you set the default gateways correctly?
0
 
Istvan KalmarCommented:
By default all communication between VLANs is enabled; you are able to control it via ACL.
0
 
geothessgrAuthor Commented:
I use the Cisco as the dialing device, so it is the default gateway for both VLANs... 192.168.254.254 for VLAN 1 and 192.168.200.1 for VLAN 200... and everything goes through DHCP!

From my PC I can ping the Cisco on both VLAN addresses... but I cannot ping anything else that belongs on VLAN 200...
The Cisco pings everything.
0
 
Ken BooneNetwork ConsultantCommented:
So the question really is: what is on VLAN 200 other than the wireless device, and what are the IP address, subnet mask and default gateway that are currently configured on the wireless device?
0
 
rochey2009Commented:
Hi,

access-list 103 permit tcp any any established
access-list 103 permit udp any any eq bootps
access-list 103 deny   ip 192.168.200.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 103 permit ip 192.168.200.0 0.0.0.255 any

Your access-list 103 is not permitting ICMP.

You need to add the following to ACL 103:

access-list 103 permit icmp 192.168.200.0 0.0.0.255 any
0
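To make the two points above concrete (that traffic between VLANs is routed by default and only an ACL or a misconfigured host stops it, and that ACL 103 as posted does not permit ICMP), here is an added example that is not code from the thread: a small first-match evaluator for the numbered extended-ACL syntax used in ACL 103, fed with the ACL exactly as posted. The hosts 192.168.200.50 (VLAN 200) and 192.168.254.10 (VLAN 1) are hypothetical. It shows which line of ACL 103 drops an ICMP echo reply heading back to VLAN 1, that typing the suggested `permit icmp` line at the CLI appends it below the `deny` and so changes nothing, and that the same line placed above the `deny` lets the reply through. It also shows why the `established` line already admits the HTTP replies from the wireless router's web interface.

```python
"""Tiny first-match evaluator for the numbered Cisco IOS extended-ACL syntax
used in ACL 103 above.  Added example, not code from the thread; the host
addresses 192.168.200.50 and 192.168.254.10 are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Port keywords that appear in the posted config, mapped to numbers.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23, "ftp": 21, "ident": 113, "ntp": 123}

# ACL 103 exactly as posted (the remark line carries no rule and is skipped).
ACL_103_TEXT = """
access-list 103 remark -------------- vlan200 permitions --------------
access-list 103 permit tcp any any established
access-list 103 permit udp any any eq bootps
access-list 103 deny   ip 192.168.200.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
"""
ICMP_ACE = "access-list 103 permit icmp 192.168.200.0 0.0.0.255 any"


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK or RST set: what "established" matches


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _addr_match(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return (_ip(addr) | wildcard) == (base | wildcard)


def parse_ace(line):
    """Return (action, proto, src, dst, dport, established), or None for remarks/blank lines."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
        return None
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    dport, established = None, False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            p = rest.pop(0)
            dport = PORT_NAMES.get(p) or int(p)
        elif tok == "established":
            established = True
        # "log" only affects logging, not matching
    return action, proto, src, dst, dport, established


def parse_acl(text):
    return [ace for ace in (parse_ace(l) for l in text.splitlines()) if ace]


def evaluate(acl, pkt):
    """First match wins.  Returns (action, index); index None is the implicit deny at the end."""
    for i, (action, proto, src, dst, dport, established) in enumerate(acl):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return action, i
    return "deny", None


def acl_as_posted():
    return parse_acl(ACL_103_TEXT)


def acl_with_icmp_appended():
    # What typing "access-list 103 permit icmp ..." at the CLI does: appends at the end.
    return acl_as_posted() + [parse_ace(ICMP_ACE)]


def acl_with_icmp_before_deny():
    # What is actually needed: the permit has to sit above the 200 -> 254 deny.
    acl = acl_as_posted()
    return acl[:2] + [parse_ace(ICMP_ACE)] + acl[2:]


# Traffic entering Vlan200 inbound (where ACL 103 is applied), sent by the VLAN 200 host.
ECHO_REPLY = Packet("icmp", "192.168.200.50", "192.168.254.10")
HTTP_REPLY = Packet("tcp", "192.168.200.50", "192.168.254.10", dport=51000, ack=True)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", dport=67)

if __name__ == "__main__":
    for name, acl in [("as posted", acl_as_posted()),
                      ("icmp appended", acl_with_icmp_appended()),
                      ("icmp before deny", acl_with_icmp_before_deny())]:
        print(name, evaluate(acl, ECHO_REPLY), evaluate(acl, HTTP_REPLY), evaluate(acl, DHCP_DISCOVER))
```

The evaluator only covers the keywords that occur in the posted config (`any`, `host`, wildcard pairs, `eq`, `established`, `log`); it is not a general IOS ACL parser. The practical takeaway is the ordering: on a numbered ACL an added entry lands at the bottom, so a `permit icmp` typed after the fact still sits below the `deny ip 192.168.200.0 ... 192.168.254.0 ...` and never matches; to place it above the deny you must rebuild the list or edit it with sequence numbers under `ip access-list extended 103`.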
 
geothessgrAuthor Commented:
On FastEthernet0 a wireless device is attached, and to this device another PC connects wirelessly; it collects its IP from the DHCP that is configured on the Cisco...
I will be more than happy if I get a reply from the wireless device when I issue a ping command from my laptop, which is connected by wire on VLAN 1.

From within the Cisco I can ping everything on every subnet.

Let's say I want to create two VLANs and enable full communication between them... What should I do? Do I have to create an access list or not??? And if I have to, what should this access list contain???
0
 
rochey2009Commented:
If you want full communication between the VLANs and you don't want to restrict any traffic from each VLAN to anything else, e.g. the internet, then you shouldn't need an access list. What do you want to achieve with the access-list?
0
 
geothessgrAuthor Commented:
In the above config I removed the access list from the interface vlan2, but the effect is still the same, no communication between the VLANs... so simply removing the access list is not a solution...

People... I really need any help I can get... I can't find any literature!!! And I'm getting a headache :-)
0
 
geothessgrAuthor Commented:
As for the question about the need for an access list... I need it in order to achieve control over the traffic that passes... but I will be perfectly happy to establish communication as a start!!!
0
 
Istvan KalmarCommented:
Are you able to do "debug ip packet" on the router?
0
 
Ken BooneNetwork ConsultantCommented:
So I will ask again:

What is the ip address, subnet mask and default gateway that is configured currently on the wireless device?

The fact that you can ping everything from the Cisco says that from a "local" network you can talk, but from a remote network you cannot talk.  Routing should be automatic between vlan 1 and vlan 200.  You should see connected routes in the routing table "show ip route".  So the only thing blocking this would be #1) an ACL - which is removed at this point or #2) misconfiguration of devices on one of the segments.  This would usually be in the form of a typoed ip address, incorrect subnet mask or wrong default gateway configured on the device which is on vlan 200.

Let's start by taking a laptop and putting it on vlan 200 with a good vlan 200 ip address, subnet mask and default gateway of the router.  Then see if you can do an extended ping from the router's vlan 1 ip address to this laptop.

When you ping from the router, the router sources the ping packet with the ip address of the egress interface.  To simulate this we need to force the router to source the ping packet with the vlan 1 IP address.  Do this with extended ping.  From the router type ping and hit enter.  Follow the prompts and when you get to extended options type Y, then it will ask you for the source ip address, this is where you can tell it the vlan 1 ip address, then take the rest of the defaults.

By using a laptop on vlan 200 we can rule out any issues with the wireless device causing problems and making you think it is router related.  Do this and let's see what happens.

Perhaps the wireless AP is not configured properly
0
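The host-side checks listed above (typoed address, wrong subnet mask, wrong default gateway on the VLAN 200 device) are the kind of thing that is easy to eyeball wrong, so here is an added example that is not code from the thread: a small Python check of a host's IP, mask and gateway against the two SVIs from the posted config. The laptop addresses are hypothetical. Beyond the three checks the comment names, it also reports the consequence of a too-wide mask that matters on this router: a host with 255.255.0.0 believes 192.168.254.x is on its own segment and ARPs for it instead of sending to the gateway, and because both SVIs carry `no ip proxy-arp` nothing answers, so the ping fails even though routing between the SVIs is fine.

```python
"""Added example (not from the thread): check a host's IP address, subnet mask
and default gateway against the router SVI it should be using, i.e. the checks
the comment above says to do by hand.  Host addresses below are hypothetical."""
import ipaddress

# The two SVIs from the posted config.
SVIS = {
    "Vlan1":   ipaddress.ip_interface("192.168.254.254/24"),
    "Vlan200": ipaddress.ip_interface("192.168.200.1/24"),
}


def check_host(ip, mask, gateway, svi_name, peer_ip=None):
    """Return a list of finding codes; an empty list means the host config is
    consistent with the SVI.  peer_ip is a host on the other VLAN that this
    host wants to reach: the check reports whether the host would hand that
    traffic to the gateway or ARP for it directly on its own segment."""
    svi = SVIS[svi_name]
    host = ipaddress.ip_interface(f"{ip}/{mask}")   # accepts dotted masks
    gw = ipaddress.ip_address(gateway)
    findings = []
    if host.ip not in svi.network:
        findings.append("ADDR_OUTSIDE_SVI_SUBNET")   # typoed address or wrong VLAN
    if host.network.prefixlen != svi.network.prefixlen:
        findings.append("MASK_MISMATCH")
    if gw != svi.ip:
        findings.append("GW_NOT_SVI")
    if gw not in host.network:
        findings.append("GW_OFF_SUBNET")             # host cannot even ARP for its gateway
    if peer_ip is not None:
        peer = ipaddress.ip_address(peer_ip)
        if peer in host.network and peer not in svi.network:
            # The host thinks the peer is on-link and ARPs for it instead of
            # using the gateway; the SVIs have 'no ip proxy-arp', so nothing answers.
            findings.append("PEER_LOOKS_ONLINK_NO_PROXY_ARP")
    return findings


# Hypothetical laptop on VLAN 200 trying to reach 192.168.254.10 on VLAN 1.
def good_laptop():
    return check_host("192.168.200.50", "255.255.255.0", "192.168.200.1",
                      "Vlan200", peer_ip="192.168.254.10")


def laptop_wrong_mask():
    return check_host("192.168.200.50", "255.255.0.0", "192.168.200.1",
                      "Vlan200", peer_ip="192.168.254.10")


def laptop_wrong_gateway():
    return check_host("192.168.200.50", "255.255.255.0", "192.168.254.254",
                      "Vlan200", peer_ip="192.168.254.10")


if __name__ == "__main__":
    for f in (good_laptop, laptop_wrong_mask, laptop_wrong_gateway):
        print(f.__name__, f() or "OK")
```

Run it against the values read off the wireless device's status page; a clean result there shifts suspicion to the device itself (many consumer wireless routers firewall their WAN-side address, which is the side that would sit on VLAN 200), which is exactly what swapping in a plain laptop rules out.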
 
geothessgrAuthor Commented:
Happy New Year to everybody :-)))

Sorry for my delay...
I will try everything you suggest, "kenboonejr", and I will post the results tomorrow!!!
0
