
Issue with routing from VLAN to WAN router


nunzeo (Nov 17, 2003)
I am trying to connect a Dell 6224F layer 3 switch to a Cisco 800 series router using VLANs.

I have the following configured:

Dell 6224
- vlan1 192.168.1.2 / 24
- vlan10 10.3.5.2 / 24
- vlan167 167.233.100.2 /24
- vlan172 172.16.100.2 /24

Port 24 of the Dell is connected to my Cisco router. Port 24 is configured with SWITCHPORT ACCESS VLAN 10.

Cisco router
- LAN interface configured with 10.3.5.1 / 24

The 167 and 172 clients can talk to each other.

From the clients I can ping VLAN 10 at 10.3.5.2, but I cannot ping the WAN router at 10.3.5.1.

From telnet on the Dell L3 I can ping 10.3.5.1 as well as all the other VLANs.

From the Cisco I can ping 10.3.5.2, which is on the Dell at VLAN 10, but I cannot ping anything on VLAN 167 or 172.

Am I missing something configured on port 24 that is connecting my router and L3 switch?

I tried configuring VLAN 1 as 10.3.5.2, but then I was unable to route from 167 or 172 to 10. Is that by design? Are you unable to talk to the default VLAN 1 for security purposes?

 
Make sure that you have routes on the Cisco pointing to the Dell for all networks other than 10.3.5/24, since that one is directly connected.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks unclerico. I forgot about that, but I still cannot ping 10.3.5.1 from a client on the 172 network. I can from the Dell, though.

I put a route on the Cisco for testing:

ip route 172.16.100.0 255.255.255.0 172.16.100.2

For the port that is connected to the Cisco (port 24, which I have switchport access VLAN 10 configured on), do I need to trunk that port and add all the VLANs that need to communicate over it?
 
Forget it. I realized I am that stupid and put the routes in wrong. I have to route 172 traffic to 10.3.5.2, which is VLAN 10, which is directly connected to the 167 and 172 networks. Just did it and it works.

Now I do have one more question. How can you route traffic from the VLANs to the default VLAN 1? I ask because I wanted to make the default VLAN 1 10.3.5.2 and not VLAN 10.

Thanks for all your help.
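To make the mistake above concrete, here is an added example (not from the thread or from either vendor) that models how a router resolves a static route's next hop. The route `ip route 172.16.100.0 255.255.255.0 172.16.100.2` names a next hop that lies inside the very prefix it is supposed to reach, so a recursive lookup points back at the same route and never lands on a connected interface; routing the same prefix via 10.3.5.2 resolves in one step because 10.3.5.0/24 is directly connected. The routing tables and the client addresses are constructed from the numbers in the thread.

```python
import ipaddress

# Constructed: the Cisco's only directly connected LAN network (from the thread).
CONNECTED = [ipaddress.ip_network("10.3.5.0/24")]


def build_routes(static):
    """Build a routing table: connected prefixes have no next hop (None);
    each (prefix, next_hop) tuple mirrors one 'ip route' line."""
    routes = [(net, None) for net in CONNECTED]
    for prefix, next_hop in static:
        routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (prefix, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def resolve(routes, dst, max_depth=8):
    """Recursive next-hop resolution, as a router does for static routes:
    follow next hops until one sits on a connected network.
    Returns (status, hop): status is 'connected' (dst is on-link),
    'via' (hop is the adjacent next hop), 'unresolved' (no route) or
    'loop' (the next hop resolves through itself, so the route is unusable)."""
    dst = ipaddress.ip_address(dst)
    seen = set()
    hop = dst
    for _ in range(max_depth):
        route = lookup(routes, hop)
        if route is None:
            return ("unresolved", str(hop))
        _, next_hop = route
        if next_hop is None:  # reached a directly connected network
            return ("connected", str(hop)) if hop == dst else ("via", str(hop))
        if next_hop in seen:
            return ("loop", str(next_hop))
        seen.add(next_hop)
        hop = next_hop
    return ("loop", str(hop))


# The route the poster tried first: next hop inside the destination prefix.
WRONG_ROUTES = build_routes([("172.16.100.0/24", "172.16.100.2")])

# The corrected routes: both remote VLANs via the Dell's VLAN 10 address.
RIGHT_ROUTES = build_routes([
    ("172.16.100.0/24", "10.3.5.2"),
    ("167.233.100.0/24", "10.3.5.2"),
])

if __name__ == "__main__":
    for name, table in (("wrong", WRONG_ROUTES), ("right", RIGHT_ROUTES)):
        for client in ("172.16.100.50", "167.233.100.7", "10.3.5.2"):
            print(name, client, resolve(table, client))
```

Running the script shows the first table looping on 172.16.100.2 and leaving 167.233.100.0/24 unresolved, while the corrected table reaches both client subnets via 10.3.5.2 and treats 10.3.5.2 itself as on-link.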
 
Unless you have a specific reason for using VLAN 1, I would personally recommend against using it, for security purposes.

 
If they won't let you route to VLAN 1, how do you manage a specific switch if you are on another subnet? You would not be able to telnet in to manage it. Or do you assign another IP address to that switch under a different VLAN that is routable?
 
Do you have a management VLAN specified within your network? If not, I would establish one and place your devices in that VLAN.

 
Not yet. But are you suggesting not to configure an IP for VLAN 1? Or do you have to configure something for VLAN 1 on every device?

Then make a management VLAN 100, let's say, and configure all the switches with IPs in VLAN 100. This way I can get to them via telnet to change ports, etc. Then lock down communication to that VLAN 100 so only a set of IPs can reach it?


 
Yes. Do not configure an IP address on VLAN 1, but instead do so for, like you said, VLAN 100. I use a combination of ACLs on my L3 switches to permit traffic from our Network Management Stations, as well as access-class entries on the vty ports.

Other good options for securing your devices (where applicable):
1) Permit only SSH on the vty ports if possible
2) Enable port-security. This will help to limit the number of MACs on a single port so an attacker can't flood your switch
3) Enable DHCP snooping. This keeps any rogue DHCP servers from offering DHCP services
4) Create a service-policy and apply it to the control-plane of each device, permitting SSH traffic from your NMS. This will help to mitigate DoS attacks on your devices
5) Create a VLAN specifically for native VLAN use on dot1q trunk links and exclude it from the allowed VLAN list. This will help to mitigate any kind of VLAN hopping attack.

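The management-VLAN advice above rests on two mechanisms: an ACL evaluated first-match-wins with an implicit deny at the end, and a vty access-class that applies that ACL to the management session's source address, combined with allowing only SSH as the transport. The following is an added example, not from the thread or from any vendor, that models those semantics so the effect of a candidate ACL can be checked before it is applied. The management subnet (10.100.0.0/24 as VLAN 100) and the NMS addresses are hypothetical; the wildcard-mask matching follows IOS-style semantics, where a 1 bit in the mask means "don't care".

```python
import ipaddress

# Constructed management-VLAN ACL, IOS style: (action, source, wildcard mask).
# Entries are evaluated in order; the first match wins; anything that matches
# nothing hits the implicit "deny any" at the end.
MGMT_ACL = [
    ("permit", "10.100.0.10", "0.0.0.0"),   # hypothetical NMS host 1 (VLAN 100)
    ("permit", "10.100.0.11", "0.0.0.0"),   # hypothetical NMS host 2 (VLAN 100)
    ("deny",   "10.100.0.0",  "0.0.0.255"), # everything else on VLAN 100
    ("permit", "10.3.5.0",    "0.0.0.255"), # admin hosts on the Cisco's LAN
]

# Transports the vty lines accept; "telnet" is deliberately absent (item 1 above).
VTY_TRANSPORTS = {"ssh"}


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under an IOS wildcard mask:
    bits set to 1 in the mask are ignored, bits set to 0 must be equal."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src):
    """Return the action of the first matching entry, or 'deny' (implicit)."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def vty_allowed(src, transport, acl=MGMT_ACL):
    """Model of 'transport input ssh' plus 'access-class <acl> in' on the vty
    lines: the session must use an accepted transport AND its source must be
    permitted by the ACL."""
    return transport in VTY_TRANSPORTS and evaluate(acl, src) == "permit"


def audit(acl, sessions):
    """Evaluate a list of (src, transport) attempts; returns the subset that
    would be admitted, which is what to eyeball before applying the ACL."""
    return [(src, tr) for src, tr in sessions if vty_allowed(src, tr, acl)]


if __name__ == "__main__":
    # Constructed sample of management-session attempts.
    attempts = [
        ("10.100.0.10", "ssh"),      # NMS over SSH: admitted
        ("10.100.0.10", "telnet"),   # NMS over telnet: refused, transport not allowed
        ("10.100.0.42", "ssh"),      # other VLAN 100 host: explicit deny
        ("10.3.5.77", "ssh"),        # admin LAN host: admitted
        ("172.16.100.5", "ssh"),     # client VLAN: implicit deny
    ]
    for src, tr in attempts:
        print(f"{src:>14} {tr:<7} -> {'allow' if vty_allowed(src, tr) else 'refuse'}")
```

Ordering matters: the two NMS host entries sit before the subnet-wide deny, so moving the deny above them would silently lock out the management stations, which is exactly the kind of mistake `audit()` is meant to surface on a test list before the ACL touches a device.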
 
Perfect. Thank you very much for your help unclerico. I appreciate it.
 