Connection Between Sites with a 2600 Router 1

Status
Not open for further replies.

Goons

Technical User
Mar 15, 2006
9
GB
Hi everyone, was wondering if someone could help shed some light on a problem we're having with this network:

At our main site we have several hosts all interconnected through a Cisco 1900 switch. For example's sake the IPs used here are in the 192.168.0.X range. The main site (we'll call it site A) is linked to Site B through a 2600 router. The IP address range of site B is, again for example's sake, 192.168.1.X. Everything is on the 255.255.255.0 subnet (i.e. no subnetting). OK, everything is working great except now we are trying to connect up with our new third site which is on the 192.168.2.X range. Simple enough, everything is connected but I can only get the following sites to interconnect: A and B, B and C, just can't seem to get A to talk to C... we only have 1 2600 router which is currently located here on the main site. We're getting someone in Monday if the problem cannot be resolved but if anyone has any suggestions as to what could be causing it before then it would be appreciated.

Thanks,

Allan
 
Question.
1st What routers are at the other locations and what type of link to each site.
2nd Can you post the configurations of each router with anything private X'd out?
 
Hi Joamon,

Thanks for your reply. At the other site we have a 2950 series switch. The 2600 router we have at the main site happily passes traffic between here and our secondary site, but it can't seem to pass it through our secondary site to the third one:

Primary site (1900 switch to handle clients plugged into 2600 Router) <--> Secondary site (2950 switch) <--> third site (will most likely be another 2950 switch).

I'll be able to get the configurations on Monday, currently they can't be accessed off site. It was really just the issue of routing traffic from a 2600 router through a 2950 switch to another site which is proving problematic. I haven't done a lot of work with the 2950 switches as previously the 2600 router handled everything.

Allan.
 
When you say site I think of different locations connected over a WAN connection. Are these sites just different bldgs connected via ethernet cabling?
 
Hi Joamon,

Thanks for your continued help. Apologies for the confusion; yes, these are different buildings connected via ethernet cabling. A simplified layout of the network topology is as follows:

A.) Cisco 1900 switch (192.168.0.2)
|
A.) Cisco 2600 router (f/e 0/0 = 192.168.0.1 | f/e 0/1 = 192.168.1.1)
|
B.) Cisco 2950 switch (192.168.1.2)
|
C.) Cisco 2950 switch (192.168.2.1)

The switch at site A is able to ping the router at site A and the switch at site B, however it is unable to ping site C at all, whereas site C is able to ping site B and the router at site A but not the switch at site A, i.e. the furthermost links apart are unable to ping each other. This is basically the problem.

Allan.
 
From the above I would think that you'll need to be using trunking to get back to the router and create a VLAN for each site. The problem here to me is that the third network you just added doesn't have a router port to use to route to the other two networks.
 
Hi plshlpme,

The new network is able to access the switch and hosts at site B as well as the actual router at site A. However, it is just unable to access the switch and hosts which are connected to the router at site A.

I have tried setting up a VTP domain between the sites with the switch at site B as the server but it doesn't seem to make any difference. Surely it must be possible to achieve without VLANs.

Also, when the switch and hosts at site C are set to have the IP range of 192.168.1.X (the same as site B) everything works fine. Unfortunately though it is required to be set to a separate range.

If it helps then the default gateway at site A is set to 192.168.0.1 and the default gateway at sites B and C is set to 192.168.1.1

Allan
 
So this new site C is connected via Site B?

Well, you don't need trunking between the sites to make this work, routing will work just fine. You only need to set up trunks etc. if you want to span the same VLANs over all your sites and be able to cascade these VLANs from your VTP master (presumably the 1900 at Site A). Otherwise you don't need trunks.

I would surmise that either Site A doesn't know how to get to 192.168.2.0/24 or Site C doesn't know how to get to 192.168.0.0/24

Verify the routing on both Site A and Site C routers.

 
Hi KiscoKid,

Thanks for your reply.

"I would surmise that either Site A doesn't know how to get to 192.168.2.0/24 or Site C doesn't know how to get to 192.168.0.0/24"

Yes, that's exactly the problem. If we had another router at the new site then I would be able to set up IP routes between the sites without a problem, however we only have one router - a 2600 which is located at our main site. Site B and site C both only currently have 2950 series switches.

Site A            Site B            Site C
1900 Switch
     ^
2600 Router <---> 2950 Switch <---> 2950 Switch

The 2600 router can see the 2950 switch at both sites, it's just that the 1900 switch cannot see site C. Vice versa in that the 2950 switch at site C cannot see the 1900 switch but can see the 2600 router.
 
That's why I thought trunking would work... because you have essentially cascaded two switches to connect building B to building C...
The only router is in Building A...
 
Thanks plshlpme, that's what we eventually ended up doing. Site B has been set up on a VLAN (LANB) as has site C (LANC).

Just having one small problem now though - it's required that some of the machines at site A have restricted access to the VLAN at site C. Is it possible to set up an access-list to deny access to a VLAN? I've only ever set up access lists against specific networks or interfaces.

I have set up encapsulation on the 2600 router to allow the hosts within the VLANs to ping outside of their VLANs and tried to apply the access list to the sub-interface I am using (fastethernet 0/0.3). Can access lists actually be applied to sub-interfaces because it doesn't seem to be letting me right now.

Thanks again for any help offered,

Allan.
 
I've never tried but after you build your ACL.. can you not go to the fa0/0.3 and put
ip access-group 101 in ??? or something?
 
Hi plshlpme,

That was my first thought also, but the IOS on the 2950 switch doesn't seem to support adding access-lists to subinterfaces, at least not for me. I can't really think of any other way of doing it either...

Allan.
 
Hmm.. again I've never done this... but my approach would be to put the ACLs on the sub interfaces on the 2600.

To talk between VLANs the packets would have to go to the router to be routed to the other VLANs, wouldn't they?

 
Yes, that's correct. The only ways I can think of to do it would be to apply the ACL to the 0/0.3 interface or individually to each interface which was a member of the VLAN which is required to be inaccessible via the 2950 switch if that's even possible.

I will have to work on it again tomorrow. Surely it is possible to configure ACLs on fastethernet subinterfaces on the 2600. I must have something else configured wrong...

Allan
 
just make sure you apply the acl in the right direction...

inbound is packets coming from the VLAN and
outbound is packets going to the VLAN
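
Added example (not part of the original thread and not any poster's configuration): a sketch of the approach discussed above, an extended ACL 101 applied on the 2600's fa0/0.3 subinterface to keep selected site A machines out of the site C VLAN. The VLAN ID, the gateway address 192.168.2.254 and the two restricted host addresses are assumptions chosen for illustration.

```cisco
! Constructed values: hosts 192.168.0.10/.11, VLAN ID 3 and the gateway
! address are assumptions, not taken from the thread.
!
! Block two site A hosts from the site C range (192.168.2.0/24).
access-list 101 deny   ip host 192.168.0.10 192.168.2.0 0.0.0.255
access-list 101 deny   ip host 192.168.0.11 192.168.2.0 0.0.0.255
! Every IOS ACL ends with an implicit "deny ip any any". Without this
! permit, all other traffic towards site C would be dropped as well.
access-list 101 permit ip any any
!
interface FastEthernet0/0.3
 ! Assumed: VLAN 3 carries LANC (site C) on the trunk to the 2950.
 ! Encapsulation has to be set before the subinterface accepts an IP address.
 encapsulation dot1Q 3
 ip address 192.168.2.254 255.255.255.0
 ! "out" filters packets the router sends towards the VLAN, so it catches
 ! traffic from site A after it has been routed and is leaving for site C.
 ip access-group 101 out
!
! Checks after applying:
!   show ip access-lists 101                (per-line match counters)
!   show ip interface FastEthernet0/0.3     (lists the outgoing access list)
```

The filtering happens on the router because that is the only device in this topology that routes between the VLANs; the match counters on the deny lines confirm whether the ACL is being hit in the intended direction.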
 