Access to Internet from VLANs on 3500

SOLVED
KMarkevich
Occasional Visitor

I'd appreciate any help as I'm new to VLANs and this is getting frustrating. Any suggestions or simplifications?

We have a 3500yl acting as a routing switch with 3 VLANs (let's say 192.168.100.0 - Data1; 192.168.101.0 - Voice1; 192.168.102.0 - Data2). Gateway to Internet is through a separate router (#1) on VLAN Data1 with IP 192.168.100.2. A default static route of 0.0.0.0/0 192.168.100.2 is programmed for sending to this router. This router acts as a firewall and then it connects to another main gateway router (#2) that serves another LAN and out to the world.

The 3500 seems to work fine as it routes between Vlans. The problem is access to Internet. On Data1 there is no problem going out. It seems to use the static 0.0.0.0/0 route. On Voice1 and Data2, you can only ping as far as Router #1 (192.168.100.2). I think the return path is the problem. Do I need static routes in the 3500 or Router #1 or #2? I've tried variations of this but can't seem to have PCs on Data2 go out past router #1.

The 3500 has ip routing enabled of course along with RIP. Any suggestions for this newbie?
11 REPLIES
Jaguar
Occasional Advisor

Re: Access to Internet from VLANs on 3500

Hi,

Have you added static routes on your router?

Your router static route may look like:
192.168.102.0/24 192.168.100.1
192.168.101.0/24 192.168.100.1
assuming 192.168.100.1 is your Data1 VLAN ip address.
KMarkevich
Occasional Visitor

Re: Access to Internet from VLANs on 3500

Thanks for the quick reply. Yes, static routes are in router #1 as you indicated. Thanks. I don't have static routes in router #2, though. I've tried that but it doesn't seem to matter.
Mohieddin Kharnoub
Honored Contributor

Re: Access to Internet from VLANs on 3500

Hi

Try to solve this problem at the first hop, Router1.

If you are able to ping Router1 from VLAN 2 and 3, then you have no problem in routing between the 3500 switch and Router1.
You should also be able to ping your DNS or ping www.hp.com.

If you don't get a reply from the DNS, then move on to the next hop, Router2.

From Router2 you should be able to ping VLAN 1, 2 and 3.

If you have routing enabled on the 3500, static route entries on Router1 for VLAN 2 and 3, and RIP (as you mentioned) enabled between Router1 and 2, then be sure you read the routing table of both routers; you should see an entry (or entries) for VLAN 2 and 3.

Otherwise telnet to Router2 and simply ping VLAN 2 or 3; you should be able to if you have the correct routing table on both Router1 and 2.

Good Luck !!!
Science for Everyone
OLARU Dan
Trusted Contributor

Re: Access to Internet from VLANs on 3500

Estimated problem: improper default gateway (DGW) -not clearly specified- for the clients: their DGW is allocated to them by their DHCP server (assuming you have defined "ip helper-address" on the VLAN interface subnets that do not have a DHCP server) as being the IP address of the 3500yl VLAN interface of the subnet they live in. On the Inter-VLAN Router (IVR), however, you've defined the default static route to the host 192.168.100.2. I'd bet you that the clients in this subnet have no problem getting to the Internet and other internal subnets whatsoever.

Possible solution: define another VLAN interface on the 3500yl especially for a subnet with the Gateway to Internet: assign say 10.1.1.1/24 to the new switch interface and put 10.1.1.2/24 on the Gateway to Internet. Define "ip route 0.0.0.0 0.0.0.0 10.1.1.2 255.255.255.255" on the 3500yl, instead of the old one. Define an "ip route 192.168.100.0 0.0.3.255 10.1.1.1 255.255.255.255" on the Gateway to Internet (return route for the Internet responses).

End result of change: Clients are happy with their DGW (3500yl, for all internal subnets), and traffic not destined to the internal subnets will be routed to and from 10.1.1.2.

Should work.
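To make the return-path argument concrete, the following is an added forwarding simulator written for this page; it is not code from the thread or from HP. It models the three layouts discussed so far: the original one (3500 default route to Router #1 at 192.168.100.2, no return routes), Jaguar's fix (static routes on Router #1 for 192.168.101.0/24 and 192.168.102.0/24 pointing back at 192.168.100.1), and OLARU Dan's transit VLAN (3500 at 10.1.1.1, Router #1 at 10.1.1.2, a 192.168.100.0/22 summary route, which is what his 0.0.3.255 wildcard expresses, pointing back at 10.1.1.1). The Router #1 to Router #2 link 192.168.10.0/24, the ISP hop 203.0.113.1, the host addresses and the use of 8.8.8.8 as the Internet destination are constructed for the example. Each router does longest-prefix matching, so you can see the outbound packet reach the upstream in every layout while, in the original one, the reply for a Data2 host hits Router #1's default route and is sent back upstream instead of to the 3500.

```python
import ipaddress

# Constructed for this example: an address beyond Router #2 that stands in for "the Internet".
ISP = ipaddress.ip_address("203.0.113.1")


class Router:
    """One layer-3 device: its interface addresses plus a static routing table."""

    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = []
        for prefix, next_hop in routes:
            self.add_route(prefix, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def owns(self, addr):
        return any(addr == iface.ip for iface in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match: a directly connected network wins, then the most
        specific static route. Returns None when nothing matches (no default route)."""
        for iface in self.interfaces:
            if dst in iface.network:
                return dst                      # deliver on the connected link
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(routers, first_hop, dst, max_hops=8):
    """Follow a packet hop by hop. Returns (outcome, list of router names traversed)."""
    dst, hop, path = ipaddress.ip_address(dst), ipaddress.ip_address(first_hop), []
    for _ in range(max_hops):
        node = next((r for r in routers if r.owns(hop)), None)
        if node is None:                        # hop is not one of our routers
            if hop == dst:
                return "delivered", path
            if hop == ISP:
                return "sent upstream", path    # left our network towards the Internet
            return "black hole", path
        path.append(node.name)
        hop = node.next_hop(dst)
        if hop is None:
            return "no route", path
    return "loop", path


def round_trip(routers, host, gateway, internet_dst="8.8.8.8"):
    """Outbound: host -> its default gateway -> ... -> Internet.
    Return: the reply once Router #1 holds it (after its firewall has passed it),
    which is where the thread's symptom 'ping stops at Router #1' shows up."""
    forward, _ = trace(routers, gateway, internet_dst)
    router1 = next(r for r in routers if r.name == "Router1")
    back, back_path = trace(routers, router1.interfaces[0].ip, host)
    return forward, back, back_path


def topology_original():
    sw = Router("3500yl", ["192.168.100.1/24", "192.168.101.1/24", "192.168.102.1/24"],
                [("0.0.0.0/0", "192.168.100.2")])
    r1 = Router("Router1", ["192.168.100.2/24", "192.168.10.1/24"], [("0.0.0.0/0", "192.168.10.2")])
    r2 = Router("Router2", ["192.168.10.2/24", "203.0.113.2/24"], [("0.0.0.0/0", str(ISP))])
    return [sw, r1, r2]


def topology_return_routes():
    """Jaguar's fix: Router #1 learns the way back to Voice1 and Data2 via the 3500."""
    routers = topology_original()
    routers[1].add_route("192.168.101.0/24", "192.168.100.1")
    routers[1].add_route("192.168.102.0/24", "192.168.100.1")
    return routers


def topology_transit_vlan():
    """OLARU Dan's layout: a dedicated 10.1.1.0/24 VLAN between the 3500 and Router #1."""
    sw = Router("3500yl", ["192.168.100.1/24", "192.168.101.1/24", "192.168.102.1/24", "10.1.1.1/24"],
                [("0.0.0.0/0", "10.1.1.2")])
    r1 = Router("Router1", ["10.1.1.2/24", "192.168.10.1/24"],
                [("0.0.0.0/0", "192.168.10.2"), ("192.168.100.0/22", "10.1.1.1")])
    r2 = Router("Router2", ["192.168.10.2/24", "203.0.113.2/24"], [("0.0.0.0/0", str(ISP))])
    return [sw, r1, r2]


if __name__ == "__main__":
    for label, topo in [("original", topology_original()),
                        ("Router1 with return routes", topology_return_routes()),
                        ("transit VLAN 10.1.1.0/24", topology_transit_vlan())]:
        for host, gw in [("192.168.100.10", "192.168.100.1"), ("192.168.102.10", "192.168.102.1")]:
            print(f"{label:28s} {host:15s} -> {round_trip(topo, host, gw)}")
```

Running it shows the Data1 host working everywhere (Router #1 is directly connected to 192.168.100.0/24) while the Data2 reply in the original layout comes back as "sent upstream": Router #1 has only its default route for 192.168.102.10 and hands the reply to Router #2, so the ping never returns. Two design points fall out of the transit VLAN variant: the /22 summary covers any future VLAN inside 192.168.100.0-192.168.103.255 without touching Router #1 again, and moving Router #1 off the Data1 segment means no host can point its gateway at Router #1 directly and bypass whatever ACLs are later placed on the 3500's VLAN interfaces.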
OLARU Dan
Trusted Contributor

Re: Access to Internet from VLANs on 3500

Also you might need to define default route to the next hop towards the Internet (I assume this is already done), and return routes to your internal subnets, on Router#2.
KMarkevich
Occasional Visitor

Re: Access to Internet from VLANs on 3500

Thanks all for quick replies. I got pulled away on a problem but will try suggested solutions. Router #1 is a firewall as we don't want traffic from LAN on Router #2 coming toward VLANs.

Mr. Kharnoub: On router #2 would you have suggestion for static routes to take me back to Vlans?

OLARU Dan: It seems like this might be the more elegant solution and then use ACL to restrict access to internet. As mentioned in your first paragraph, 192.168.100.0 has no problem getting to Internet or other Vlans. I'm not sure i understand your last posting but if you have suggested example I'd appreciate it. Thanks again for all help.
KMarkevich
Occasional Visitor

Re: Access to Internet from VLANs on 3500

Just set up Internet Vlan as 10.1.1.1 with 10.1.1.2 as Gateway to Internet (router #1). Added static routes in router #1 as 192.168.100.0 255.255.240.0 to 10.1.1.1.

Now I can ping Router #2 and through to Router #1, but cannot go past to Internet. Router #1 is NAT and has static routes 10.1.1.0 255.255.255.0 192.168.10.2 (i/f for Router #1) and 192.168.100.0 255.255.240.0 192.168.10.2. Is there some other static route(s) I am missing?

Interestingly, PC on Router #2 LAN can ping right through to Vlans. I will restrict that after, but at least it seems to me the routing in the 3500 and Router #2 is ok. I just can't go the other way out through the main router #1 to Internet. Or, may not have the right static routes in place for responses from internet.
Mohieddin Kharnoub
Honored Contributor
Solution

Re: Access to Internet from VLANs on 3500

Hi

It seems to me that the situation is getting complicated for no reason.

I just wanted to ask: what are the brands of Router1 and Router2?

If they are good ones, then they can do NAT from multiple subnets.

Suggestion: you can test doing the routing between the 3 VLANs on Router1 instead of on the 3500.

Regarding restriction of traffic between Router2 and some VLANs, it has to be done on Router2 because it's the final hop to the Internet.

Good Luck !!!
Science for Everyone
KMarkevich
Occasional Visitor

Re: Access to Internet from VLANs on 3500

Thanks for all the help. I finally got the routing working properly on the other routers. I went with a separate VLAN for Internet access and will use ACLs on the 3500 to restrict some access. The 3500yl works fine. Just a matter of enabling the right static routes and settings on the other routers. Thanks again for all the help.
OLARU Dan
Trusted Contributor

Re: Access to Internet from VLANs on 3500

Don't forget to restrict access on Router#2 from that external LAN to your Intranet subnets.

Most problems stem from Layer 3 (routing: incorrect [default] routes, unclear DGWs for the clients, wrongly applied routing protocols) and from the security wrapper (since one can define security at each of the 7 layers of the OSI reference model: ACLs wrongly defined and applied to interfaces, inbound/outbound judgement errors and the like; put extended ACLs closest to the destination and standard ACLs closest to the source, to reduce unneeded traffic that will be discarded at some point anyway).

Glad we could help.