Solved

how to communicate to servers on different vlan, PC's not able to reach destination

Posted on 2014-04-25
10
1,826 Views
Last Modified: 2014-05-02
Have 5 routers in various locations on network - servers are in this building on vlan 430 192.168.30.x/26  Am just setting up...trying to get domain services.  Router in this building has vlan 418 192.168.18.x/24 for client access.  Running in a vrf environment, all pertinent rtr config to do with the vrf is config'd.  Can ping vrf VRFNAME all over the place on the routers, just nothing happening on the PC's.
PC's receive ip from dhcp on router, incl the 192.168.30.20 dns server ip, show the correct domain, but cannot access any server services such as email, shared network drives, etc.  
Switch that has the server [430] connections, and also the 418 vlan ports has int 1 trunked  with both going to router g0/0/0 L2 connection.
Switch and routers can ping both ways the vlan 430 and the 418 IP, including the DNS server in the 430 network.
PC cannot ping DNS server or switch on the 430 network.  But can ping the router .30.X IP
PC can ping the vlan 418 IP's on the switch and routers.  
What could I be missing?  Will send copies of any info required, just did not want to send it right now - wait until you tell me what may be required so that there is not attachment overload.  Am at my wits end, not that experienced in routing so would appreciate any help.  Am on a deadline too.  Thanks in advance.  R
Question by:hayesie_r
10 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 40024498
Are VLAN 430 and 418 in the same L3 device and in the same VRF?  I thought that if you had the same VLANs within the same L3 device that they had to be in the same VRF to communicate with each other.
0
 

Author Comment

by:hayesie_r
ID: 40024588
Yes both are in the same vrf. L3 pinging and l2 devices ping all over the place, just the PC cannot logon to domain and get services from network.
Have DNS in dhcp on router and have ip helper on vlan 430 on router.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40024641
I would double check and make sure the PCs have the correct default router/gateway IP address and correct subnet mask specified.
0
 

Author Comment

by:hayesie_r
ID: 40024663
They do. One thing the subnet on client vlan is 192.168.18.x/24 and the server vlan is 192.168.30.x/26
Network statement in router ospf vrf is
192.168.0.0 0.0.255.255
And access list also includes that statement.
Which would be addresses from .1 - 254.254

It was just pointed out to me that my ip helper address under the vlan 430 config is in the same network as the servers.

config t
vlan 430
name Server_Equip
!
int vlan 430
description Server Equipment
ip vrf forwarding VRFNAME
ip address 192.168.30.249 255.255.255.0
ip helper 192.168.30.20  <------------------should this IP be the 192.168.18.2 DHCP RTR IP?
no ip redirects
no ip unreachables
!
ip dhcp pool DATA
 vrf VRFNAME
 network 192.168.18.0 255.255.255.0
 default-router 192.168.18.2
 dns-server 192.168.30.20
 class DATA
  address range 192.168.18.41 192.168.18.254
0
 

Author Comment

by:hayesie_r
ID: 40025146
Okay I was able to get the machines working that are connected to the switch to the local router, but none of the remote workstations are seeing the servers....
I have this config on all of the routers, but different IP address...same vlan, no subinterfaces configured for vlan 430....is that wrong?

config t
vlan 430
name Server_Equip
!
int vlan 430
description Server Equipment
ip vrf forwarding VRFNAME
ip address 192.168.30.249 255.255.255.0
no ip redirects
no ip unreachables
0

 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 150 total points
ID: 40025221
The "ip helper-address" should be the IP address of the dhcp server.

If the DHCP server is on the same switch as the clients, then you should not need the "ip helper-address" at all.

Again, verify your subnet masks.  It might just be a typo but you stated that you have "192.168.30.x/26" but in both your configs you have 255.255.255.0 which is /24.

I would display the route table on every device that can do routing and for each VRF.   You may be getting some unusual routing if you have multiple VRF's and you have OSPF looking at 192.168.0.0/16.
0
 

Author Comment

by:hayesie_r
ID: 40025711
Thanks for that but am using classless ip's, so the network range specified is within that range. I got the clients communicating with servers that are connected to same switch as servers, but still not the remote sites. I had put the vlan 430 on all routers then someone else on another site said it just goes on the local router...so am going to take it off remote servers today and see if that helps.
0
 

Accepted Solution

by:
hayesie_r earned 0 total points
ID: 40026128
Well I got the computers on the network communicating with the servers, even remote routers.  I took int vlan 430 off of all the remote routers, only left it on the local router.  It stewed overnight and was happy in the morning.  Guess it had to learn the routes.

Thanks for trying to help.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40026460
Even if you are using classless subnets you still have to have everything within the same subnet or they will not route correctly.

Say you have your SVI configured as 192.168.30.1/24, device #1 configured as 192.168.30.10/26, and device #2 as 192.168.30.240/26.  

If device #1 and #2 want to talk to each other they are in different subnets and want to go through a router.  However the SVI thinks they are in the same subnet and will not route traffic between hosts within the same subnet.

Depending on your network setup typically you have your L3 SVI in a single or two routers at the max.  Two routers only when using something like HSRP for router failover.

Although having the SVI on a single router is probably the best solution, having SVIs on multiple routers will work when properly set up.
0
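The mask mismatch giltjr describes in the comment above, worked through as an added example (not part of the original thread or any poster's code). It uses the addresses from that comment; the last call additionally assumes, hypothetically, that the 192.168.30.20 server is configured as /26 with the posted SVI 192.168.30.249 as its default gateway.

```python
import ipaddress

def next_hop(iface: str, dst: str, gateway: str) -> str:
    """How a device configured as `iface` (address/prefix) delivers a packet to `dst`."""
    me = ipaddress.ip_interface(iface)
    if ipaddress.ip_address(dst) in me.network:
        return "direct"        # ARPs for dst itself, no router involved
    if ipaddress.ip_address(gateway) in me.network:
        return "gateway"       # hands the packet to the default gateway
    return "unreachable"       # the gateway is off-link for this mask

def audit_segment(svi: str, hosts: dict) -> list:
    """List hosts whose subnet differs from the SVI's, and whether the SVI is on-link for them."""
    router = ipaddress.ip_interface(svi)
    findings = []
    for name, addr in hosts.items():
        host = ipaddress.ip_interface(addr)
        if host.network != router.network:
            reach = "on-link" if router.ip in host.network else "off-link"
            findings.append((name, str(host.network), reach))
    return findings

# Addresses taken from the comment above.
SVI = "192.168.30.1/24"
HOSTS = {"device1": "192.168.30.10/26", "device2": "192.168.30.240/26"}

if __name__ == "__main__":
    # Device 1 sees device 2 as remote and sends to the SVI.
    print(next_hop(HOSTS["device1"], "192.168.30.240", "192.168.30.1"))
    # Device 2 sits in 192.168.30.192/26, so the .1 gateway is not even on its subnet.
    print(next_hop(HOSTS["device2"], "192.168.30.10", "192.168.30.1"))
    # The SVI, with its /24 mask, treats both devices as directly connected.
    print(next_hop(SVI, "192.168.30.240", "192.168.30.1"))
    print(audit_segment(SVI, HOSTS))
    # Assumption (not stated in the thread): server .20 uses /26 and gateway .249.
    print(next_hop("192.168.30.20/26", "192.168.18.41", "192.168.30.249"))
```

Under that assumption the server could receive traffic from the 192.168.18.x clients but would have no usable path for its replies, which is why the mask on the hosts and on the SVI need to agree.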
 

Author Closing Comment

by:hayesie_r
ID: 40036641
I resolved the issue, but would like to award some points to giltjr as they did try to assist.
0
