Inter-vlan Routing Variation 2

vdinenna

MIS
Apr 14, 2006
46
US
Hi,

I would like to setup 2 vlans: native and a Lab network.
Network is as follows:

hosts> firewall> router> Internet

All equipment is Cisco. The router is ISP managed. I can't change the config on it.

I setup another Cisco router with inter-vlan routing.
The host in the native vlan can't route to the Lab vlan because the firewall is the default gateway. The Pix can't route out the same interface as far as I know.

How can I allow hosts in vlan 1 to route to the sub-interface of the second router to get across to the Lab vlan?

If I enter the DGW of the inter-vlan router on the hosts, they can get to the Lab network. So, I think inter-vlan routing is working.

Thanks for any tips you can provide.

Vince
 
The Pix can't route out the same interface as far as I know
It depends on which model and OS you're using
How can I allow hosts in vlan 1 to route to the sub-interface of the second router to get across to the Lab vlan
So is your topology actually like this:
Hosts -> Router -> PIX -> Router -> Internet

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hello Unclerico, thanks for the reply.

The Pix is 515e using:
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
up 80 days 14 hours
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

The topology looks like you described, but the router after the hosts is not directly connected to the Pix. It's a router-on-a-stick on a trunk port.

I was giving this some thought last night and decided maybe the easiest way to deal with this is just to have DHCP provide the second route to the hosts on the native Vlan. I was trying to find a hardware solution, but I guess that's what DHCP is there for anyway.

If you have another solution, I'd like to hear it. I'd like to learn as much as I can.

Thanks,

Vince
 
I found a way to route hosts to an alternate gateway:
The Windows 'Route' command.

I added a persistent route like this:

route -p add <destination> mask <netmask> <gateway> metric <number>   (-p makes the route persistent; the gateway is the inter-vlan router's VLAN 1 address, 192.168.1.2 in the config posted below)

c:\>route -p add 192.168.50.0 mask 255.255.255.0 192.168.1.2 metric 10

There might be a way to do this thru Group Policy for adding to multiple hosts. I have to look into it.

If you can think of any other way to accomplish this with hardware routing, I'd like to know how.

Thanks,

Vince
 
Was able to add the alternate route thru the DHCP scope: Scope Option 249, Classless Static Routes.

Only hosts using DHCP will receive the route(s) in their routing table.

Vince
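Added example (not from the thread): an encoder and decoder for the payload of the Classless Static Routes option Vince used. Microsoft scope option 249 carries the same wire format as RFC 3442 option 121, and the route values are the ones this thread works with (lab 192.168.50.0/24 via the inter-vlan router at 192.168.1.2, default via the PIX at 192.168.1.1); the function names are my own.

```python
import ipaddress

# Wire format shared by RFC 3442 option 121 and Microsoft option 249:
# per route, one prefix-length byte, then ONLY the significant octets of
# the destination (ceil(prefixlen / 8) of them), then the 4-byte gateway.


def encode_classless_routes(routes):
    """Encode [(destination_cidr, gateway), ...] into the option payload."""
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # reject host bits
        significant = (net.prefixlen + 7) // 8            # 0..4 octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Decode the payload back into [(destination_cidr, gateway), ...].

    Refuses prefix lengths above 32 and truncated entries, which is what a
    DHCP client should do with a malformed option.
    """
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + significant] + bytes(4 - significant)
        i += significant
        gw = payload[i:i + 4]
        i += 4
        net = ipaddress.IPv4Network((dest, plen))
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
    return routes


def lab_scope_routes():
    """Constructed routes for the thread's scenario: the lab VLAN via the
    router-on-a-stick (192.168.1.2), default via the PIX (192.168.1.1).
    RFC 3442 requires a client that processes option 121 to ignore the
    Router option (3), so the default route must be carried here too."""
    return [("192.168.50.0/24", "192.168.1.2"), ("0.0.0.0/0", "192.168.1.1")]
```

Because the option is only handed out by DHCP, statically addressed hosts (the nightly DB servers, for example) need the route configured by hand, which is the point raised later in the thread.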
 
why not put a default route into the router on a stick that points to the PIX?

ip route 0.0.0.0 0.0.0.0 <insert PIX internal trusted ip add>

This way, if there is not a route for it in the routing table, it shoots it out to the firewall.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
I follow.

That would involve pointing all hosts to the ROAS.

I can't afford to take a hit on speed by sending clients to the ROAS and back out to the PIX. My switches are Gb speed.

Do you think there would be additional bottle-necking by going to another 10/100 interface before going to the PIX 10/100 interface?

I need to keep the lab as separate from the native VLAN as I can. My boss will be all over me if he senses a slowdown. We have several apps that go to the Internet for large DBs...every night.

Thanks for the advice!

Vince
 
The apps you have that go out to the internet at night for the DBs are being run on servers that should not be using DHCP anyway, right?

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
That's true. The servers can have their own gateway setting.

Thanks for the tips,

Vince
 
What kind of switch? GB speeds tell me that it could be a layer 3 switch, in which case routing vlans with the switch would be MUCH faster.

Burt
 
The switches are 2970s, but these are not the L3 version.
I checked.
 
You would just be better off putting the servers on their own subnet and keeping them out of the lab and native vlans

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
I was told by the people who installed the network before I got here that they wanted to add vlans to improve backup times on the servers. I thought that was a good idea. Never got around to it.

Inter-vlan communication is working now, except the lab vlan can't get to the internet. DNS works locally but not to the internet. Can't get to our web pages with internal IPs either. I can from native vlan.

Ran nslookup and got an ip of a website, but I can't get to the site itself thru a browser.

-Ran Wireshark on the client, but no DNS errors or failures.
-Added 'ip helper-address' for all my DNS servers.
-Added default route to next hop for Pix to internet.
-Can't add the 'ip routing' global command for some reason.
It doesn't appear in the running config. The router is a 1721. Sounds like a routing issue.

Building configuration...

Current configuration : 1159 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
no ip address
speed 100
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 192.168.1.2 255.255.255.0
!
interface FastEthernet0.10
encapsulation dot1Q 10
ip address 192.168.50.1 255.255.255.0
ip helper-address 192.168.1.21
ip helper-address 192.168.1.17
ip helper-address 192.168.1.8
!
interface Serial0
no ip address
encapsulation ppp
shutdown
!
no ip classless
no ip forward-protocol udp domain
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxx
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 xxxxxxxx
login
!
!
end
 
you need to add the VLANs to a routing protocol like eigrp


router eigrp 1
network 192.168.1.0 0.0.0.255
network 192.168.50.0 0.0.0.255


why don't you have ip helper-addresses for your native VLAN?

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
That and is there a reason ip cef is turned off?

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
I would recommend also upgrading your IOS to 12.4 if you have the ability to.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
The reason I don't have this stuff turned on is because I'm now learning this stuff for the first time. I have not seen these requirements in anything I have read or seen.
I have the CCNA training vid from signaltrain.com and it never mentioned that a routing protocol is a must on the router-on-a-stick portion. I have the Sybex CCNA by Lammle and it doesn't specify a routing protocol either.

I don't know what 'IP CEF' is.

I was told- the vlan sending the udp broadcast is the only vlan that needs the 'Helper-address'. The servers providing the DHCP and DNS are in vlan 1.

Apparently what I don't know could fill a book.
 
Those commands did not work either.

I'm bringing in my 2620 from home.
Will figure this out. Even if it costs me.

Thanks for all your help,

Vince
 
Cisco Express Forwarding (CEF) is advanced Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.

CEF offers these benefits:

Improved performance
Scalability
Resilience

Although you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3 IP backbone switching.
------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
-Ran Wire Shark on the client, but no DNS errors or failures.
-Added 'ip helper-address' for all my DNS server.
-Added default route to next hop for Pix to internet.
-Can't add the 'ip routing' global command for some reason.
- You don't need to add a helper address for DNS since the DNS queries are unicast (that is unless you are using multicast DNS which I highly doubt)
- You also need to add a route in the PIX for the "lab" VLAN so that return traffic knows where to go
- IP Routing is already set since it's a router
- For your internal web pages, do the web servers point to 192.168.1.2 or do they still point to the PIX IP as the gateway??

- Without question you need to have CEF enabled
- Even though it's not hurting anything (at the moment), enable classless routing by issuing ip classless
- As Dallas said, upgrade to 12.4 if you can.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 