G+_Benjamin Webb Posted September 14, 2017
Looking for someone better than me with networking. I am doing some firewall testing for a local database. I have two separate LANs coming out of a VM host: 172.16.2.0/24 and 172.16.3.0/24. Looking to set it up so a server running on 172.16.3.100:11002 can be contacted via a client on 172.16.2.103 with nothing else open. Hope to accomplish this. This is just a test environment with VMs. For hardware I have a Cisco WS-C3560-48PS (layer 3 switch) and an ancient Linksys E3000 running Tomato. It was suggested that I simply plug the server LAN into a WAN connection with DHCP and DNS running off of a domain controller and the client on the LAN side on the E3000 with the router acting as DNS and DHCP. I can't seem to get that to work (goofed with expanding the subnet masks as well). On the Cisco end I can set up two VLANs on the layer 3 switch and saw some instructions for giving them gateways but I'm kind of at a loss how to connect them to each other and route it properly so traffic can only flow from 172.16.2.0/24 to 172.16.3.0/24 like it would LAN to WAN when contacting a server on the internet. Just looking for something that will work now but down the road I would like to get the Cisco layer 3 to route this internally if possible. I have full control of everything but just need an architecture that will work.
G+_Akira Yamanita Posted September 14, 2017
Once the switch has the two VLAN interfaces defined and IP addresses assigned, you should be able to communicate with the interface from each respective network. If that doesn't work, it's something in the connection between the VM host and the switch, probably a VLAN assignment misconfiguration. If it works, set the gateway on the VMs (at least one on each side) to use the respective VLAN interface IP addresses. (The switch will be the default gateway, at least while testing.) If you can't ping between the networks, make sure that IP routing is enabled on the switch ("ip routing" in config mode). If it's enabled but not routing, there may be old access lists applied. If that works, then limiting the connection is a matter of setting up an access list and applying it to the VLAN interface that you want to control access through. Once that's done, then it's a matter of making additional routing changes as desired for Internet access, other networks, etc. That can get fairly complicated depending on what you need or want, but a basic config would just have the default route on the switch point to the Internet router and have all other hosts point to the switch as the gateway. I can provide more specific instructions if you can let me know what phase you're at and some specifics like if you're using VLAN tagging on the host and/or separate interfaces for each network.
G+_Benjamin Webb Posted September 18, 2017
Thanks for offering to help.

Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Gi0/1, Gi0/2, Gi0/3
                                                Gi0/4
10   techsup                          active    Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/25
                                                Fa0/26, Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31, Fa0/32
20   techsup2                         active    Fa0/33, Fa0/34, Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40, Fa0/41
                                                Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47, Fa0/48
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID     MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- -------- ---- ------ ------ -------- ---- -------- ------ ------
1    enet  100001   1500 -      -      -        -    -        0      0
10   enet  100010   1500 -      -      -        -    -        0      0
20   enet  100020   1500 -      -      -        -    -        0      0
1002 fddi  101002   1500 -      -      -        -    -        0      0
1003 tr    101003   1500 -      -      -        -    -        0      0
1004 fdnet 101004   1500 -      -      -        ieee -        0      0
1005 trnet 101005   1500 -      -      -        ibm  -        0      0

Remote SPAN VLANs
----------------------------------------------------------------------------

Primary Secondary Type            Ports
------- --------- --------------- ----------------------------------------

running-config

interface Vlan10
 ip address 172.16.2.2 255.255.255.0
!
interface Vlan20
 ip address 172.16.3.2 255.255.255.0
!

OK, all set up with two separate VLANs with gateways at 172.16.2.2 and 172.168.3.2. How do I get a client in VLAN10 to connect to a server in VLAN20? Do I need to set up a static route or something? I figure I just have to point the client at 172.16.2.102 to 172.168.3.2 then do a port forward of 11002 to the server at 172.16.3.100, or something else.

Was using the example from here as kind of a template: practicalnetworking.net - Routing Between VLANs – Practical Networking .net
G+_Akira Yamanita Posted September 18, 2017
I didn't see that page mention how to enable routing. Routing on a switch is turned off by default. You have to add the "ip routing" command to the config to enable it, as I had previously mentioned.
G+_Benjamin Webb Posted September 18, 2017
Entered "ip routing" under telnet and immediately my connection dies and I can no longer get into the router lol. After rebooting the switch my VLANs have lost their IPs. Will keep playing with it.
G+_Akira Yamanita Posted September 18, 2017
If you're not on the same network, the default gateway goes away when routing is enabled and you lose your connection. You have to have a route to 0.0.0.0/0 in place before enabling routing. If that isn't the problem, it would help to know what address you were connecting from and the switch address that you were connecting to. Also, the output of "show ip route" and the full running-config (you can omit anything sensitive) would help.

Make sure that you save your config along the way:

copy running-config startup-config

"write mem" also works on most equipment ("wr mem" for short), even though that command has been deprecated for over a decade. If you don't have a serial cable for the switch, you should pick one up so that it's easier to troubleshoot these issues or make changes that could cause a disconnection.
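Putting the advice from this thread together (VLAN interfaces, a default route before "ip routing", then access lists on the SVIs to limit the test to the one flow), here is an added example config in Cisco IOS syntax for the 3560; it is not from the thread or from Practical Networking. It assumes the addresses the original poster gave (client 172.16.2.103 in VLAN 10, server 172.16.3.100 listening on TCP 11002 in VLAN 20, SVIs at .2), an assumed Internet router at 172.16.2.1, and that the admin telnets to the switch from the client host; the ACL names are made up.

```cisco
! Default route first, so the switch keeps a path off-net once "ip routing" removes ip default-gateway.
! 172.16.2.1 is an assumed placeholder for the Linksys/Internet router.
ip route 0.0.0.0 0.0.0.0 172.16.2.1
ip routing
!
interface Vlan10
 ip address 172.16.2.2 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip address 172.16.3.2 255.255.255.0
 ip access-group VLAN20-IN in
!
! Inbound from the client side: only the database flow, plus management of the switch itself
! (router ACLs on an SVI also filter traffic addressed to the switch, so without the telnet
! line below the admin session from 172.16.2.103 would be cut off).
ip access-list extended VLAN10-IN
 permit tcp host 172.16.2.103 host 172.16.3.100 eq 11002
 permit tcp host 172.16.2.103 host 172.16.2.2 eq 23
 permit icmp 172.16.2.0 0.0.0.255 host 172.16.2.2 echo
 deny   ip any any log
!
! Inbound from the server side: only replies from port 11002 back to the client, and only for
! TCP segments with ACK/RST set ("established"), so the server VLAN cannot open new sessions
! toward the client VLAN. The 3560 has no stateful/reflexive ACLs, so this is the closest fit.
ip access-list extended VLAN20-IN
 permit tcp host 172.16.3.100 eq 11002 host 172.16.2.103 established
 permit icmp 172.16.3.0 0.0.0.255 host 172.16.3.2 echo
 deny   ip any any log
!
end
copy running-config startup-config
```

Hosts on each VLAN use their SVI (172.16.2.2 or 172.16.3.2) as default gateway; no NAT or port forward is needed because the switch routes between the two subnets directly, and "show access-lists" will show hit counts on the deny lines for anything that was blocked during testing.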