Communication between VLANs

Question

Hi,   I'm having diffculty trying to figure out communication between vlans.  I've tried the White Paper examples but without much luck.   As a test I have 1 Powerconnect 5324 connected to one 6024 router.   Vlan setting are as followed on switch5324: Vlan1 is set to 192.168.0.0 subnet Vlan2 is set to 192.168.2.0 subnet   DHCP assigning is fine.  I can ping from host 192.168.0.1 to host 192.168.2.1, however I am unable to do the opposite.  I would like to configure it such that hosts on VLAN 1 can communicate with hosts on VLAN 2 and vice versa.   What am I doing wrong?  I have followed the examples from articles on Vlan based segmentation and Vlan routing whitepaper, even though they are not entirely based on the switchs that I have.   Is there any other better examples?

DELL-Cuong N. · Answer

If you would post your configuration for the 6024 and the 5324 and also identify the ports you are using to communicate between those two network maybe we can spot something from your configuration.  It sounds like a misconfiguration to me.   Cuong.

Arion · Answer

Here is the config file info

Router Configuration
-----------------------------

interface range ethernet g(1-3)
switchport mode trunk
exit
vlan database
vlan 2-4
exit
interface range ethernet g(1-3)
switchport trunk allowed vlan add 2
exit
interface range ethernet g(1-3)
switchport trunk allowed vlan add 3
exit
interface range ethernet g(1-3)
switchport trunk allowed vlan add 4
exit
interface vlan 2
name Servers

exit
interface vlan 3
name "Engineering/Art Team"
exit
interface vlan 4
name IT
exit
interface vlan 1
ip address 192.168.0.1 255.255.255.0
exit
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 4
ip address 192.168.3.1 255.255.255.0
exit
ip route 192.168.0.0 255.255.255.0 192.168.0.2
ip route 192.168.0.0 255.255.255.0 192.168.2.2
ip route 192.168.1.0 255.255.255.0 192.168.1.2


ip route 192.168.2.0 255.255.255.0 192.168.2.2
ip route 192.168.3.0 255.255.255.0 192.168.3.2
ip dhcp relay address 192.168.0.2
ip dhcp relay enable

OOB host Configuration
-----------------------------

interface out-of-band-eth 1
ip address 192.168.0.210 255.255.255.0
exit
interface out-of-band-eth 1
ip default-gateway 192.168.0.1
exit

SWITCH CONFIGURATION

show run
interface ethernet g1
switchport mode trunk
exit
vlan database
vlan 2-4
exit
interface ethernet g1
switchport trunk allowed vlan add 2
exit
interface range ethernet g(9-20)
switchport access vlan 3
exit
interface ethernet g1
switchport trunk allowed vlan add 3
exit
interface ethernet g1
switchport trunk allowed vlan add 4
exit
interface vlan 2
name Servers
exit
interface vlan 3
More: , Quit: q, One line:
[Kname "Engineering/Art Team"
exit
interface vlan 4
name IT
exit
interface vlan 1
ip address 192.168.0.203 255.255.255.0
exit
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 4
ip address 192.168.3.1 255.255.255.0
exit
ip default-gateway 192.168.0.1
snmp-server community private rw
ip domain-name i3dimensions.com
ip name-server 192.168.0.2

As to answer your questions on the 5324, port G1 is a member of vlan 1,2,3,4 and as is in trunk mode. Ports 8-16 are members of vlan 3. All other ports are on vlan 1.

5324 is connected via cable from port G1 to 6024 port G1. Port G1 on the 6024 is also set as trunk mode and is member of VLAN 1,2,3,4 as well.

VLAN membership configured on 6024 is the same as 5324. I have pasted the CLI capture as you have suggested.

To make it simplier I have connected one client on 5324 on port 8 to be member of VLAN 3. And another client on port 17 to be a member of VLAN1. Both on the single 5324.

I am testing this simple configuration so that I can understand the setup but eventually I would like to connect 2 other switches on top of that. 3 switches in total and 1 router. I would like to have the majority of the computers connected to VLAN 1 and another set on VLAN3 and VLAN4. VLAN 2 is just a backup.

My Firewall is 192.168.0.1 and is why I configured that to be as the gateway. DHCP server is 192.168.0.2 as well as one of my DNS Servers.

Thanks

Arion · Answer

Here is my current configuration

6624 Router Configurations:

vlan 1 ip interface 192.168.0.1

vlan 2 ip interface 192.168.1.1

vlan 3 ip interface 192.168.2.1

vlan 4 ip interface 192.168.3.1

Ip Routing Tables:

ip route 192.168.0.0/24 192.168.0.2

ip route 192.168.1.0/24 192.168.1.2

ip route 192.168.2.0/24 192.168.2.2

ip route 192.168.3.0/24 192.168.3.2

Default Gateway 192.168.0.1

DHCP Relay enabled : 192.168.0.2

Trunk Mode on g1 vlan allowed 1,2,3,4

On ALL Vlan Memberships 'T' enabled on all g1

5324 Router Configuration:

Ip vlan 2 192.168.1.1/24

Ip vlan 3 192.168.2.1/24

Ip vlan 4 192.168.3.1/24

Default Gateway 192.168.0.1

Trunk Mode on g1 vlan allowed 1,2,3,4

On ALL Vlan Memberships 'T' enabled on all g1

With this configuration I can ping from default vlan 1 (192.168.0.1/24) to any of the other vlans but not vice versa.

What other configuration am I missing?

Thanks!

DELL-Cuong N. · Answer

On the 5324 config - I'm not clear about these two lines:   Trunk Mode on g1 vlan allowed 1,2,3,4 On ALL Vlan Memberships 'T' enabled on all g1   Do you mean that you configure port G1 to be member of VLAN 1, 2, 3, and 4 and that it is trunk mode?  What about the other ports on the 5324?  Did you configure any of them to anything?   How is the 5324 connected to the 6024?  What port on 6024 connected to what port on 5324?   On the 6024 you didn't say how you configure the VLAN membership on that switch?   It might be better if you simply connect to the CLI on these two switches and do a 'show run' then capture the 'running config' for these two switches and post them.  It will be easier to understand exactly how the switches are configured.  Also again don't forget to provide a little network description of how things are connected.  For example, which port on 6024 is connected to which port on 5324.  Also I'm assuming you are sending pings or something to verify connectivity between two systems?  Where are these two systems connected?  Which port and on which switch?  Any other switches in your network other then these two?  A complete network picture along with configurations of these switches will make it easier to figure out what's wrong.   Cuong.

DELL-Cuong N. · Answer

Just a clarification. You said one of your client is connected to port 8 on the 5324 and the other to port 17. You said the one connected to port 8 is VLAN 3 and the one to port 17 is VLAN 1? According to your config, port 9-20 belongs to VLAN 3 (access mode) and port 8 is not configured so it must be the default access mode member of only VLAN 1.

Also the "default gateway" configuration on the 5324 doesn't do what you think it might. The 5324 is an L2 switch. It doesn't do any routing at all so the "default gateway" configuration only affects the management interface. It is used only when the management application on the switch attempts to send a packet. It is not used to cause packets not meant for management inteface to be "routed" to particular interface.

VLAN 1 is a special "management VLAN" and should probably not be used for non-management traffic. Probably you might want to assign a different VLAN (other then 1) for your production traffic. VLAN 1 should be used only to access the management interface on the switch.

So knowing that the 5324 does not do routing, if port 8 and 17 are not on the same VLAN then the two PCs on those ports would not be able to communicate with each others. The L2 switch will not forward across VLANs.

If you connected your PCs on the 6024 then you could use the 6024 L3 (routing) feature to route between those VLAN and the 6024 would change the VLAN tags when it route the packets between the two VLANs (again don't use VLAN 1 for production traffic).

Cuong.

DELL-Cuong N. · Answer

If you connected two 5324s to the 6024 and you connect a PC to each 5324 then yes you can use the routing function on the 6024 to route between two VLANs.   If you have PCA connected to 5324A and PCB connected to 5324B and both 5324s connected to 6024 via two different trunks.  The two trunks belong to both VLANs you are using.   So now when you send a packet from PCA to 5324A destined for PCB and let's say it is tagged to VLAN 10.  Since 5324A doesn't know where PCB is yet it flood all ports that are member of VLAN 10 including the trunk port leading to the 6024.  When the packet gets to 6024, the switch will see that it has a route to the trunk port leading to 5324B and it will change the VLAN tag to 20.  The packet is sent through the trunk port to 5324B.  The 5324B will see the packet and if it doesn't yet know about PCB it will flood all ports (except the trunk port - it will not send back through the port on which it received the packet) and PCB will receive the packet.  When PCB response to PCA, the packet will arrive at 5324B on VLAN 20 (assumed you setup the port leading to PCB correctly for VLAN 20).  This time the switch already know about PCA MAC address which it learned when the packet arrived earlier on the switch at the trunk from 5324B to 6024.  So the switch simply forward the packet back to the 6024.  This time 6024 receives on VLAN 20 and see a route back to the trunk port to 5324A and will change the tag back to VLAN 10 and send back to 5324A.  The 5324A also already learn where PCA resides so it doesn't need to flood and simply return the packet to PCA.   If you had actually setup this way instead then my mistake.  I misunderstood your configuration.  If it is setup this way then it should have worked.  I can look again at your configuration.   Cuong.

Arion · Answer

Hi,

You said I can route between the two vlans if I were to "connect the PC's onto the "6024" and use the L3 routing. So does that mean if I have two 5324 switches that are connected to the 6024, one switch is Vlan 2 and the other switch is Vlan 3, if I were to connect PC's on each switch they are not able to communicate with eachother (Vlan 2 to Vlan 3), even though they are connected to the 6024 which does the routing? Does that mean inorder for me to have the two vlans to communicate, the PC's will have to be DIRECTLY connected to the 6024 rather than the switches?

DELL-Cuong N. · Answer

BTW, you should NOT use VLAN 1 for user traffic.  VLAN 1 is used only for management traffic.  You might want to change your setup to use another VLAN instead of 1. Cuong.

Arion · Answer

Thank you for your assistants.  Appreciate your help.  I will reconfiguring it and try it again.

Arion · Answer

Hi Cuong,

I'm sorry, but I'm still can't get the two PC's to communicate.

Here is my current config:

Router Configuration
-----------------------------

interface range ethernet g(1-3)
switchport mode trunk
exit
vlan database
vlan 2-4
exit
interface range ethernet g(1-3)
switchport trunk allowed vlan add 2
exit
interface range ethernet g(1-3)
switchport trunk allowed vlan add 3
exit
interface range ethernet g(1-3)
switchport trunk allowed vlan add 4
exit
interface vlan 2
name Servers
[0mMore: , Quit: q, One line:

exit
interface vlan 3
name "Engineering/Art Team"
exit
interface vlan 4
name IT
exit
interface vlan 1
ip address 192.168.0.1 255.255.255.0
exit
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 4
ip address 192.168.3.1 255.255.255.0
exit
ip route 192.168.0.0 255.255.255.0 192.168.0.2
ip route 192.168.0.0 255.255.255.0 192.168.2.2
ip route 192.168.1.0 255.255.255.0 192.168.1.2
[0mMore: , Quit: q, One line:

ip route 192.168.2.0 255.255.255.0 192.168.2.2
ip route 192.168.3.0 255.255.255.0 192.168.3.2
ip dhcp relay address 192.168.0.2
ip dhcp relay enable

5324A Switch Configuration
-----------------------------

interface ethernet g1
switchport mode trunk
exit
vlan database
vlan 2-4
exit
interface ethernet g1
switchport trunk allowed vlan add 2
exit
interface range ethernet g(9-20)
switchport access vlan 3
exit
interface ethernet g1
switchport trunk allowed vlan add 3
exit
interface ethernet g1
switchport trunk allowed vlan add 4
exit
interface vlan 2
name Servers
exit
interface vlan 3
More: , Quit: q, One line:
[Kname "Engineering/Art Team"
exit
interface vlan 4
name IT
exit
interface vlan 1
ip address 192.168.0.203 255.255.255.0
exit
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 4
ip address 192.168.3.1 255.255.255.0
exit
ip default-gateway 192.168.0.1
ip name-server 192.168.0.2
More: , Quit: q, One line:
[Kconsole# show run
interface ethernet g1
switchport mode trunk
exit
vlan database
vlan 2-5
exit
interface ethernet g1
switchport trunk allowed vlan add 2
exit
interface ethernet g1
switchport trunk allowed vlan add 3
exit
interface range ethernet g(9-20)
switchport access vlan 4
exit
interface ethernet g1
switchport trunk allowed vlan add 4
exit
interface vlan 2
name Network
exit
interface vlan 3
More: , Quit: q, One line:
[Kname Servers
exit
interface vlan 4
name "Engineering/Art Team"
exit
interface vlan 5
name IT
exit
interface vlan 1
ip address 192.168.5.203 255.255.255.0
exit
interface vlan 2
ip address 192.168.0.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 4
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 5
ip address 192.168.3.1 255.255.255.0
More: , Quit: q, One line:
[Kexit
ip default-gateway 192.168.5.1
ip name-server 192.168.0.2

5324B Switch Configuration
--------------------------------------

interface ethernet g1
switchport mode trunk
exit
interface ethernet g2
switchport mode trunk
exit
vlan database
vlan 2-5
exit
interface range ethernet g(3-22)
switchport access vlan 2
exit
interface range ethernet g(1-2)
switchport trunk allowed vlan add 2
exit
interface range ethernet g(1-2)
switchport trunk allowed vlan add 3
exit
interface range ethernet g(1-2)
switchport trunk allowed vlan add 4
exit
interface vlan 2
More: , Quit: q, One line:
[Kname Network
exit
interface vlan 3
name Servers
exit
interface vlan 4
name "Engineering/Art Team"
exit
interface vlan 5
name IT
exit
interface vlan 1
ip address 192.168.5.202 255.255.255.0
exit
interface vlan 2
ip address 192.168.0.1 255.255.255.0
exit
interface vlan 3
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 4
ip address 192.168.2.1 255.255.255.0
More: , Quit: q, One line:
[Kexit
interface vlan 5
ip address 192.168.3.1 255.255.255.0
exit
ip default-gateway 192.168.5.1
ip name-server 192.168.0.2 192.168.0.5
console#

I have PC1 connected to port G9 of 5324A which is on VLAN4 and PC2 connected to port G7 on 5324B on VLAN2. What am I configuring wrong on the Router, that is not allowing them to communicate?

DELL-Cuong N. · Answer

Hi Arion,

I must have confused you with my earlier answers - sorry about that. So this time let me be a bit more precise:

First, I wanted to point out that the 5324 is an L2 switch so it doesn't do any routing function at all. So if you had intended for the "ip-default gateway" command on the 5324 to be used to cause packet with unknown route to be sent to the default gateway, this will not do it. The "ip default-gateway" command on the 5324 only affect the traffic from the 5324 management interface and will have no affect on your production traffic.
Also the IP addresses you configured on the 5324 VLAN have no affect on routing on the 5324. It doesn't matter what you configure for IP addresses on VLANs on the 5324 since the 5324 is not a router and will not use that information for routing. The only thing that does is to configure the management IP addresses that the 5324 will use for those VLAN. Meaning that the switch management interface will response to those IP addresses.
In the dump you show below there seems to be two different configuration for the 5324A - in the first one port G9 is on VLAN 3 and in the second one port G9 is on VLAN 4?
On the 6024, for this particular simple test you actually did not need to define those routing entries because once you defined an IP address for a given VLAN on the 6024, the switch will already know which VLAN interface should be used for a given network anyway and didn't need the routing entries - in fact the 6024 will probably ignore the routing entries for these directly connected network.
On the 6024, you only need to add routing entries if the subnet you are trying to get to does not match any of the IP addresses of the directly connected interface. For example, if your 6024 has a VLAN with IP address 192.168.1.1/24 and that interface connects to another router that knows about other network such as 192.168.2.1/24 and you want the first 6024 to route through the 192.168.1.1/24 interface to get to the router that knows about the second network then you would need to add a routing entry (192.168.2.0/24 192.168.1.2 - assuming the second router IP address is 192.168.1.2). In this case, if you send a packet to the first 6024 destined for 192.168.2.10 for example, it would match the 192.168.2.0/24 rule and the 6024 would see that you need to send that packet to the address 192.168.1.2 which matches the interface defined with the IP 192.168.1.1 so the packet would get sent to the second router and the second router would figure out where to send the packet to get it to the correct destination.
Also if you note on your 6024 routing table you actually had two rules for "ip route 192.168.0.0...", whenever this happens the first rule would apply and the second one would be ignored. The routing algorithm find the first best match in case there are two matching rule. You probably did not intend to do this.

I'm going to give you a more detail example below but first here is the routing algorithm in summary assuming you are trying to route a packet to IP address A:

Compare A against all the directly connected network on the switch (basically you examine all the IP addresses for the VLANs and ports configured on the switch and find the best matching network). If you find a matching network then you send the packet over that interface.
If no interface match then you compare A against the routing table and find the first best matching rule and send the packet to the next hop specified in that rule.
If no routing rule match and a default route is specified then send the packet to the next hop defined for the default route.
If nothing match then drop the packet.

Ok so let's go back to your simplest scenario and use a single 6024 and a single 5324 and two PCs:

Let's say PCA is configured with IP address 192.168.1.100/24 and PCB is configured as 192.168.2.100/24.
Now let's say PCA is connected to port 5 on the 5324 and PCB is connected to port 6 on the 5324.
Let's say port 5 on the 5324 is configured as an "access port" and VLAN 2 (access mode - VLAN 2 untag - PVID 2).
Let's say port 6 on the 5324 is configured as an "access port" and VLAN 3 (access mode - VLAN 3 untag - PVID 3).
Let's say the 5324 is connected to the 6024 on port 10 (on both switches).
The 5324 port 10 is configured as a "trunk port" and member of VLAN 2 and 3 (trunk mode - VLAN 2 and 3 tag - accept tag only - PVID 4095).
The 6024 port 10 is configured as a "trunk port" and member of VLAN 2 and 3 (trunk mode - VLAN 2 and 3 tag - accept tag only - PVID 4095).
On the 6024, VLAN 2 is configured with an IP = 192.168.1.1/24 and VLAN 3 is configured with an IP = 192.168.2.1/24.
On the 6024 you may also want to configure an IP for VLAN 1 if you want to be able to manage the switch on the other ports - so you might configure VLAN 1 with IP = 192.168.3.1/24 (or whatever - assuming 192.168.3.x is the management network).
On the 5324 you may also want to configure an IP for VLAN 1 if you want to be able to manage the switch so you might configure the VLAN 1 IP = 192.168.3.2/24 (or whatever - assuming 192.168.3.x is the management network).
Then finally, you must properly configure PCA NIC so that its default gateway is the 6024 IP on VLAN 2 (192.168.1.1) and you must properly configure PCB NIC so that its default gateway is the 6024 IP on VLAN 3 (192.168.2.1). Note that if you didn't configure defautl gateway on your PC, likely your PC didn't even send the packet out since for example PCA network is 192.168.1.100/24 and it would not know how to send to 192.168.2.100 (no matching interface).

Ok I hope this is a bit clearer. Let me know if this helps any. I can also recommend some additional books or links to more information if you like.

Cuong.

Arion · Answer

Hi Cuong,   Just a couple of things I don't quite understand.. on the 5324 or the 6024 web interface, when you go to the VLAN Port Settings, if you place a port as a 'trunk port' as you suggested it will not allow you to change the Frame Type (to accept tag only) or the PVID (to 4095), it is greyed out.  However if I change the port settings to General Mode it allows me to do so.  So how would you go about changing to what you have suggested in my test environment?   I'll appreciate any recommending reading that you may suggest that would better help my understanding.   Thanks,   Arion

DELL-Cuong N. · Answer

Hi Arion, you are correct, once you set the mode to trunk then the other options (accept tag only and pvid set to 4095) are basically done automatically and once you set the mode to access then the other options (allow untag and pvid set to the same as the port VLAN membership which may only be one VLAN) are also automatic. Normally when I configure the switch I just do everything using general mode so that I get the configurations exactly as I want it. The trunk and access modes are really only convenient but if you know what you want then using general mode is actually more flexible.

There are several books that would help:

The Switch Book - Seifert (L2 switching)
TCP/IP Principles - Comer (L3 routing and L4 application)

Good luck,

Cuong.

Networking General

Communication between VLANs

Was this post helpful?