Problem in routing between VLANs

July 1, 2012 at 12:17:18
Specs: Windows 7
Hi all,

I have an HP layer 3 switch with this configuration:
ip routing
vlan 1
name "DEFAULT_VLAN"
no untagged 1-48
no ip address
exit
vlan 100
name "core"
untagged 3-13
ip address 192.168.138.1 255.255.255.0
tagged 16
exit
vlan 101
name "linux"
untagged 2,14-31
ip helper-address 192.168.138.101
ip address 192.168.112.1 255.255.252.0
exit
vlan 102
name "windows"
untagged 32-45
ip helper-address 192.168.138.101
ip address 192.168.116.1 255.255.252.0
exit
vlan 110
name "install"
untagged 46-48
ip helper-address 192.168.138.101
ip address 10.10.4.1 255.255.252.0
tagged 18
exit
power-over-ethernet pre-std-detect
ip route 0.0.0.0 0.0.0.0 10.158.160.42
ip route 10.230.8.35 255.255.255.255 192.168.112.252


I have perfect routes between all the VLANs; my problem is with one leg that is connected to some firewall of some company and gives us access to some server.
The IP of the server is 10.230.8.35. One leg of the router is connected to our layer 3 switch, and the leg that is connected to the firewall has IP 192.168.112.252 (an IP from VLAN 101).
So I wrote this static route: ip route 10.230.8.35 255.255.255.255 192.168.112.252

Now VLAN 101 = 192.168.112.1/22 and VLAN 102 = 192.168.116.1/22
have a route and can ping the server behind the firewall, but VLAN 100 = 192.168.138.1/24 has no route to the server 10.230.8.35.
What's wrong? Inside the LAN there is a route between all VLANs, but I can access the remote server from only 2 VLANs and not from the third.
I think it's because the 2 VLANs that work have a /22 subnet (255.255.252.0)
and the VLAN that does not work has a different /24 subnet (255.255.255.0);
that's the only reason I can think of.

What is wrong with my routing? Why is one VLAN blocked?

Thank you very much.




#1
July 2, 2012 at 06:31:50
Maybe the server you are trying to access doesn't have a route back. Have a tracert run from that server to a host in VLAN 100. See if it goes the right route. If not, enter a routing statement on its router that would send the traffic down the right path.

--
Andrew Leonard
BL Technical Services
IT Support Maryland



#2
July 2, 2012 at 07:19:21
I'm not familiar with your switches. What exactly is the "helper IP" and what is its relation to the VLAN IP?

ip route 0.0.0.0 0.0.0.0 10.158.160.42
ip route 10.230.8.35 255.255.255.255 192.168.112.252

What is the purpose of this first route and where does 10.158.160.42 come into this?

I have perfect routes between all the VLANs; my problem is with one leg that is connected to some firewall of some company and gives us access to some server.

Combined with:

Now VLAN 101 = 192.168.112.1/22 and VLAN 102 = 192.168.116.1/22
have a route and can ping the server behind the firewall, but VLAN 100 = 192.168.138.1/24 has no route to the server 10.230.8.35.

Makes me wonder if the issue isn't the remote firewall blocking the one VLAN.

Questions:

- What port on your switch is the uplink port to the remote firewall?
- What VLANs are assigned to this uplink port (as in, is VLAN 100 even assigned to it)?

Comments:

I'm guessing English isn't your first language. If it is, shame on you! If it's not, for future reference, use of capitalization and punctuation is very professional and should be used at all times. It not only makes it easier to read what you write but it also gives the appearance of professionalism. You're not texting a message to a friend here. You're on a tech help forum asking a question related to your work. I'm a professional and, as you can see, I try to capitalize and punctuate properly so as to make what I'm writing easier to read. Just a tip for future reference.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#3
July 2, 2012 at 11:32:06
Hello, thanks for the fast reply!
I'm sorry about my English; it's not my first language :(

Questions:
- What port on your switch is the uplink port to the remote firewall?
- What VLANs are assigned to this uplink port (as in, is VLAN 100 even assigned to it)?

Answer:
1) The uplink is port 2.
2) The VLAN assigned to the port is VLAN 101 (untagged).

I'm starting to think that the problem is in the remote firewall, but how can it reach 2 VLANs but not the other VLAN? What firewall configuration could it be?
Thanks a lot!



#4
July 2, 2012 at 13:13:50
Potentially, the remote router could have routing statements in for two of the three. Or, it could have a default route that goes to your system and a static route that goes somewhere else.

--
Andrew Leonard
BL Technical Services
IT Support Maryland



#5
July 3, 2012 at 07:21:05
If you only have the two VLANs on port 2 (i.e., VLAN 1 and VLAN 101), then how do you expect traffic from any other VLANs to get across that port to the remote firewall?

A port can only pass VLAN traffic that has been assigned to it.

Again, not being familiar with your switches, I can tell you this. On any Cisco switches I've worked on, you have to set an uplink port as a "trunk" port. Once you do so, this adds all VLANs on that switch to the trunk port so that all traffic can be passed. Typically a trunk port is one that links network appliances together.

On the Avaya switches we're using here in my environment, I would set the port as "trunk" and the traffic as "tag all", and the PVID (primary VLAN ID) would be VLAN 1.

So in your case, my trunk port setting would be:
PVID = 1
Allowed VLANs = 1, 100, 101, 102

Any VLANs not added to the trunk port would not be passed.

We use VLAN 1 for what it was intended. It's the default "management" VLAN and all network appliances in our environment have IP addresses on that subnet. Only network appliances (core switches, edge switches, routers, firewalls) have IPs in that VLAN (subnet) and all other VLANs are carried over that one as they pass through trunk ports.

While it is entirely possible the firewall at the other end is blocking your traffic, I don't see that you have that uplink port designated as a trunk and, more importantly, I don't see those other VLANs attached to that port. If it were me (and again, I stress, I'm not familiar with the equipment you're using) I would try adding the other VLANs to that uplink port. You may have to change the traffic tagging as well to make it work. It's certainly one avenue worth investigating before talking to the IT people at the far end. Mind you, asking them to monitor the traffic flowing from you to them would let you know if those particular VLANs' traffic is even making it to their end.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***
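The "route back" explanation in replies #1 and #4 and the uplink question in #5 can both be checked with a small routing model. The following is an added example (not code from the thread or from HP): it builds the switch's routing table from the posted config and a hypothetical table for the router behind 192.168.112.252, then runs longest-prefix lookups for the forward and return directions of each VLAN. Because the switch has `ip routing` and an interface in VLAN 101, a packet from VLAN 100 is routed into VLAN 101 and leaves port 2 untagged toward 192.168.112.252, so the forward lookup is the same for all three VLANs regardless of the /22 versus /24 masks; what differs is whether the remote router has a route back. Everything about the remote router (a /22 leg, a static route back to VLAN 102, no route for VLAN 100, the outside prefix 198.51.100.0/24) is an assumption constructed for this example.

```python
import ipaddress

# Routing table of the HP layer-3 switch, built from the posted config: one connected
# route per VLAN interface plus the two static routes. Entry: (prefix, next hop, interface).
SWITCH_ROUTES = [
    ("192.168.138.0/24", "connected",       "vlan 100"),
    ("192.168.112.0/22", "connected",       "vlan 101"),
    ("192.168.116.0/22", "connected",       "vlan 102"),
    ("10.10.4.0/22",     "connected",       "vlan 110"),
    ("10.230.8.35/32",   "192.168.112.252", None),
    ("0.0.0.0/0",        "10.158.160.42",   None),
]

# HYPOTHETICAL table of the router/firewall whose leg is 192.168.112.252, modelled on
# reply #4's guess. Only the leg address and the server address come from the thread;
# the /22 leg, the static route back to VLAN 102, the missing route for VLAN 100 and the
# outside network 198.51.100.0/24 (a documentation prefix) are constructed assumptions.
REMOTE_ROUTES = [
    ("10.230.8.35/32",   "connected",     "inside"),
    ("192.168.112.0/22", "connected",     "leg to switch"),
    ("192.168.116.0/22", "192.168.112.1", None),
    ("198.51.100.0/24",  "connected",     "outside"),
    ("0.0.0.0/0",        "198.51.100.1",  None),
]

def lookup(table, dst):
    """Longest-prefix match for dst. Returns (network, next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, ifname in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifname)
    return best

def resolve(table, dst):
    """Resolve the egress for dst. A connected route egresses directly; a static route's
    next hop must itself sit on a connected network (one level of resolution, which is
    all this check needs). Returns (next_hop, interface); interface is None when the
    next hop is not reachable through any connected route in the table."""
    route = lookup(table, dst)
    if route is None:
        return None, None
    _, next_hop, ifname = route
    if next_hop == "connected":
        return dst, ifname
    via = lookup(table, next_hop)
    if via is None or via[1] != "connected":
        return next_hop, None
    return next_hop, via[2]

def round_trip(src, dst="10.230.8.35", remote=REMOTE_ROUTES):
    """Forward lookup on the switch and return lookup on the remote router for one flow.
    The round trip works only when the switch hands the packet to 192.168.112.252 on
    VLAN 101 and the remote router sends the reply back out its leg toward the switch."""
    fwd_hop, fwd_if = resolve(SWITCH_ROUTES, dst)
    ret_hop, ret_if = resolve(remote, src)
    return {
        "forward": (fwd_hop, fwd_if),
        "return": (ret_hop, ret_if),
        "ok": fwd_hop == "192.168.112.252" and fwd_if == "vlan 101"
              and ret_if == "leg to switch",
    }

def with_return_route(remote=REMOTE_ROUTES, prefix="192.168.138.0/24", via="192.168.112.1"):
    """The fix reply #1 describes, applied to the remote table: a route for the VLAN that
    fails, pointing back at the switch's VLAN 101 address."""
    return remote + [(prefix, via, None)]

if __name__ == "__main__":
    for host in ("192.168.138.10", "192.168.112.10", "192.168.116.10"):
        print(host, round_trip(host))
    print("after adding the return route:",
          round_trip("192.168.138.10", remote=with_return_route()))
    # None of the VLAN interfaces in the posted config has a subnet containing
    # 10.158.160.42, so the default route's next hop resolves to no interface here.
    print("default route next hop resolves to:", resolve(SWITCH_ROUTES, "8.8.8.8"))
```

Running the script shows the forward lookup land on VLAN 101 for every source VLAN, the return lookup fail only for 192.168.138.0/24 under the assumed remote table, and the round trip succeed once a route for that prefix is added on the remote side. A trunk with VLAN 100 on port 2 changes nothing in this model, because the switch never sends VLAN 100 frames out that port; it sends routed frames in VLAN 101.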



#6
July 3, 2012 at 07:33:37
Thank you very much for the answer!
I will check those things.
I learned a lot, thanks again!
