How to Set up Static Routes Between VLANs

Question

I am having trouble understanding how set up static routes to access one VLAN from another.  We have a Dell Powerconnect 6024, Layer 3 managed switch and two Dell Powerconnect 3348, Layer2 Managed switches.   I am working from an article on Dell's web site called 'What is VLAN Routing?' It is 'PowerConnect Application Note #38'.  It is available at the link, http://www.dell.com/downloads/global/products/pwcnt/en/app_note_38.pdf. I believe I understand everything in the article, except for two lines on page 4, step 4, in which the static routes are set up.  They are as follows:   Dell-6024(config)# ip route 10.10.0.0 255.255.255.0 10.10.0.2 Dell-6024(config)# ip route 10.20.0.0 255.255.255.0 10.20.0.2   These are the routes defined on the 6024, Layer 3 switch.  There are two basic things I don't understand in these statements.  First, the destination network and the gateway to get to the destination network are on the same subnet in each case.  My limited understanding of static routes tells me that, in order to grant access to another subnet, an IP address for one interface of a router must be in the same subnet as the computers that need access to the other subnet.  In other words, in order for a computer with an IP address of, say, 10.10.0.5 on the 10.10.0.0/24 subnet to access the computer 10.20.0.5 on the 10.20.0.0/24 subnet, I thought the following route would be required,   ip route 10.20.0.0 255.255.255.0 10.10.0.2   where 10.20.0.0 255.255.255.0 is the destination subnet and 10.10.0.2 is the router interface on the same subnet as the 10.10.0.5 computer.   In this article, the 10.10.0.2 gateway or 'next hop' is on the same subnet as the destination subnet, 10.10.0.0 255.255.255.0.  I don't understand this.  Could the fact that ports 23 & 24 on the 6024 are defined as Trunk ports have anything to do with this?  Could these lines be a couple of typeos in which the destination subnets are each on the wrong line in this document?   The second thing I don't understand is what entities in this article are assigned the 10.10.0.2 and 10.20.0.2 IP addresses.  Are these IP addresses assigned to the appropriate 3348 switches? VLAN 10 & VLAN 20 are assigned 10.10.0.1 & 10.20.0.1, respectively, on the 6024 switch.  So, they can't be the VLAN IP addresses on the 6024 switch.   I have tried varoius scenarios for creating static routes.  I tried setting the gateway addresses to be the VLAN addresses on the 6024 switch, but I got an error saying I can't use an IP address assigned to the device.  I tried setting them to the VLAN IP addresses assigned on the 3348 switches and this didn't work either.  In all cases, I tried defining static routes with the gateway address on the  opposite subnet, as well as on the destination subnet.  I tried placing a computer on each subnet and pinging the other computer, as well as pinging the IP addresses assigned to the VLANs on the switches, all without success.  Do I need to enable ECHO on the switches? Thank you for any information you can provide.     Sincerely, Michael Mall

GregG1 · Answer

The whitepaper is a bit misleading. The 6024 will automatically route between directly connected networks. If the only devices you are using are the 6024 and two 3348s, you would not need to configure static routes.   To route between the VLANs, you would simply need to bind the ip addresses of the different networks to their respective VLAN, configure the uplinks between the switches to trunk the necessary VLANs, and configure the client ports on each switch as access mode ports in their VLAN. When a port goes active that is a member of a VLAN, the VLAN interface will also be brought up. Once the VLAN interface is up, that network will be seen as directly connected and will be seen in the routing table (show ip route).

eriworld · Answer

I have some questions about your last message.   You said, '...bind the ip addresses of the different networks to their respective VLAN...'.   Does this mean simply assigning an IP address to each VLAN on the switches?   You said, '...configure the uplinks between the switches to trunk the necessary VLANs...'.   I can make any port on any switch a trunk port.  I changed the mode on each port on each switch that is connected by a cable to another switch to Trunk mode.  Then, I added each of these ports to VLAN 10 & VLAN 20.  Is this what you mean?      Thanks,   Mike

GregG1 · Answer

Assigning an IP address to a VLAN interface is how you bind the address to the VLAN (as apposed to binding the IP address to a physical port).   By default, a trunk mode port does not trunk all VLANs. You must use the 'switchport trunk allowed vlan add ' command to specify which VLANs to trunk.

eriworld · Answer

I have simplified the configuration. Now, I have two 6024 switches. I am trying to use the Layer 3 capabilities of one, which I will call S1, and only the Layer 2 capabilities of the other one, which I will call S2.

My workstation is connected to Port g15 on S1. It is also connected to S2 via a Serial cable.

I have set up Port g24 of S1 to be a trunk port with VLAN 10 & VLAN 20 binded to it. It is connected by a cable to Port g1 of S1, which is also a trunk port with VLAN 10 & VLAN 20 binded to it.

********Configuration of S1*********

Using Telnet to connect to S1, the following shows that Port g24 is in Trunk mode and has VLAN 10 & 20 added to it.

console# show interface switchport ethernet g24
Port : g24
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1

Port is member in:

Vlan               Name               Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
1                  1                  Untagged          System
10                 10                  Tagged           Static
20                 20                  Tagged           Static

The following shows that 192.169.0.40 is binded to VLAN 10 and 192.168.1.1 is binded to VLAN 20 on S1.

console# show ip interface vlan 10

Proxy ARP is disabled

      IP Address          Type     Directed
                                   Broadcast
----------------------- --------- -----------
    192.168.0.40/24      static     disable

console# show ip interface vlan 20

Proxy ARP is disabled

      IP Address          Type     Directed
                                   Broadcast
----------------------- --------- -----------
    192.168.1.1/24       static     disable

The following shows that 192.168.0.0/24 & 192.168.1.0/24 are directly connected subnets on S1.

console# show ip route
Maximum Parallel Paths: 4 (4 after reset)

Codes: C - connected, S - static, R - RIP, O - OSPF, E - OSPF external

C    192.168.0.0/24              is directly connected              vlan 10
C    192.168.1.0/24              is directly connected              vlan 20
C   192.168.10.0/24              is directly connected              vlan 1

The following shows that Port g15, to which my workstation is connected, is a member of VLAN 10.

console# show interface switchport ethernet g15
Port : g15
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 10

Port is member in:

Vlan Name Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
10 10 Untagged Static

********Configuration of S2*********

Using HyperTerminal on a Serial cable connection between my worstation and S2, the following shows that Port g1 is in Trunk mode and has VLAN 10 & 20 added to it.

console# show interface switchport ethernet g1
Vlan Name
Ingress UnTagged VLAN ( NATIVE ): 1

Port is member in:

Vlan               Name               Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
1                  1                  Untagged          System
10                 10                  Tagged           Static
20                 20                  Tagged           Static

The following shows that 192.169.0.32 is binded to VLAN 10 and 192.168.1.2 is binded to VLAN 20 on S2.

console# show ip interface vlan 10

Proxy ARP is disabled

      IP Address          Type     Directed
                                   Broadcast
----------------------- --------- -----------
    192.168.0.32/24      static     disable

console# show ip interface vlan 20

Proxy ARP is disabled

      IP Address          Type     Directed
                                   Broadcast
----------------------- --------- -----------
    192.168.1.2/24       static     disable

The following shows that 192.168.0.0/24 & 192.168.1.0/24 are directly connected subnets on S2.

console# show ip route
Maximum Parallel Paths: 4 (4 after reset)

Codes: C - connected, S - static, R - RIP, O - OSPF, E - OSPF external

C    192.168.0.0/24              is directly connected              vlan 10
C    192.168.1.0/24              is directly connected              vlan 20
C   192.168.11.0/24              is directly connected              vlan 1

********End of Configuration Information*********

In your first reply to my initial request, you wrote, "The 6024 will automatically route between directly connected networks. If the only devices you are using are the 6024 and two 3348s, you would not need to configure static routes."

Currently, I still cannot get a device on one subnet/VLAN to ping a device on the other subnet/VLAN and get a reply. In this configuration, I am using the VLAN interfaces, themselves, as the "devices" in question. For example, on S1, VLAN 10 is 192.168.040 & on VLAN 20, it is 192.168.0.32. VLAN 20, on S1, is 192.168.1.1 & on S2 it is 192.168.1.2. From a DOS prompt on my workstation, which is connected to a port on VLAN 10, I cannot get a reply if I ping 192.168.1.1 or 192.168.1.2. That is, I cannot get a reply from a device on another subnet, regardless of which switch it is on.

I think I am trying to do something simple. But, I am overlooking something obvious.

Any help you can provide would be greatly appreciated.

eriworld · Answer

Correction to last message:

In my last message, I wrote,

"...on S1, VLAN 10 is 192.168.040 & on VLAN 20, it is 192.168.0.32. VLAN 20, on S1, is 192.168.1.1 & on S2 it is 192.168.1.2."

This should read as follows,

"...on S1, VLAN 10 is 192.168.040 & on S2, it is 192.168.0.32. VLAN 20, on S1, is 192.168.1.1 & on S2 it is 192.168.1.2."

GregM_1 · Answer

This looks good, what is the default gateway of the pinging nodes set to?

eriworld · Answer

I am pinging from my computer. It is configured as follows:

U:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix . : erinet.eriworld.com
       IP Address. . . . . . . . . . . . : 192.168.0.103
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.254
                                                       192.168.0.40

192.168.0.254 is the internal IP address of our firewall between our network and the internet. 192.168.0.40 is the IP address of VLAN10 on S1.

I just made an interesting discovery, however. The configuation above corresponds to the way DHCP is set up on our Win 2K server. Under Scope Options in the DHCP manager, the 003 Router is 192.168.0.254, 192.168.0.40. I changed it, with the order reversed, making it 192.168.0.40, 192.168.0.254. Then, I ran "IPCONFIG /RELEASE", followed by, "IPCONFIG /RENEW". I ran IPCONFIG and the Default Gateway order was reversed, with 192.168.0.40 first, as expected. Then, I tried to ping a URL on the internet, such as www.google.com. Instead of getting a replies from Google, I got replies, "192.168.0.40 Destination net unreachable" , as if it never even found the 192.168.0.254 gateway. I tried pinging 192.168.1.1 & 192.168.1.1 got replies from both.

Perhaps I do need to set up a static route, after all.

eriworld · Answer

To follow up on my last message, I would like to know why the gateway listed first is the only one used, apparently.  Why does Windows allow for listing more than one gateway if it only uses the first one?

eriworld · Answer

Okay, I have had some more success. But, I'm still very frustrated with this issue. Some of the info below is a rehash of what I wrote in previous messages.

**********S1 Configuration************

VLAN 10: 192.168.0.40 on subnet, 192.168.0.0 /24

VLAN 20: 192.168.1.1 on subnet, 192.168.1.0 /24

Port 24 is a trunk port with VLANs 10 & 20 added to it.

Port 1, which is a member of VLAN 10, connects to another switch on our network and thus is connected to the rest of our LAN. My workstation is configured as follows:

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : erinet.eriworld.com
        IP Address. . . . . . . . . . . . : 192.168.0.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.254
                                            192.168.0.40

I don't understand what the second gateway, 192.168.0.40, actually does or how to get it to be useful in any way.

**********S2 Configuration**********

VLAN 10: 192.168.0.32 on subnet, 192.168.0.0 /24

VLAN 20: 192.168.1.2 on subnet, 192.168.1.0 /24.

Port 1 is a trunk port with VLANs 10 & 20 added to it.

I have a workstation connected to port 5, which is a member of VLAN 20. This workstation is configured with Static IP, as follows:

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : erinet.eriworld.com
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.2

*********End of Configuration Info*********

Previously, I was only able to get the worstation on VLAN 20 to ping and get replies from my workstaion, on VLAN 10, when I had changed my workstation to use either 192.168.0.40 (on S1) or 192.168.0.32 (on S2) as the default gateway. However, when I did this, I couldn't get acces to the internet through our firewall, 192.168.0.254, even though I had it listed as a second gateway. Of course, in order to send echo responses to a ping request from another VLAN, the echoing computer needs a route to the other VLAN. In this case, my workstation was using the x.x.x.40 or x.x.x.32 addresses as the default gateway, wich provided the necessary route.

Today, from a DOS prompt, I ran the following:

route add 192.168.1.0 mask 255.255.255.0 192.168.0.40

Then, I was able to ping 192.168.1.1, 192.168.1.5, and all other hosts on VLAN 20 and get replies. Similarly, I was able to get replies from my workstation, 192.168.0.103, on VLAN 10 from the 192.168.1.5 computer on VLAN 20.

Okay, fine. I can manually configure each computer on VLAN 10 to add a route to respond to requests from computers on VLAN 20. I could even set up a logon scritp to take care of this. But, I shouldn't have to do that. Besides, I don't know how to set up a route on our firewall to other subnets, so computers on VLAN 20 cannot access the internet, anyway. That is, they can't get a response from the firewall because it doesn't have a route to which to send acknowledgements or other packets.

There is something very basic I am missing, here. Tree Spanning? Packet Forwarding? What is it?

GregM_1 · Answer

You could set up a default route to point to the firewall.  This tells the router to forward all traffic with subnets it does not have in its address table to a specified gateway.   ip route 0.0.0.0 0.0.0.0 192.168.0.254   So, when traffic from 192.168.1.0 enters the switch looking for an internet IP, the 6024 will forward the request to 192.168.0.254.  Same thing for 192.168.0.0, keep in mind the clients need their gateways set to the 6024.   Here is the problem:  The firewall has no idea what to do with returning traffic that needs to get to 192.168.1.0.  You need to be able to set a static route or use a routing protocol.  Does the firewall support RIP?   In addition, I would make the situation a little cleaner by creating a third vlan/subnet just for communication between the 6024 and the firewall.  Default route pointing to the the firewall, but again the firewall needs a way to know to send traffic back to the 6024, either via static route or routing protocol.   You have a two router network, both will need to be configured for this solution to work without modifying your workstations.

eriworld · Answer

Thank you very much for your assistance in this matter. I believe I now fully understand everything I was struggling with. Ultimately, the biggest hurdle seems to have been the fact that I couldn't figure out how set up a static route to another VLAN on the internet firewall. After looking at it again, I found where to do this. That took care of everything.

I haven't yet set up the workstations to use the 6024 as the gateway. However, I'm able to get internet access and see nodes on other VLANs/subnets, regardless of on which VLAN/subnet the node resides.

Next is setting up ACLs so that I can restrict access to one VLAN from members of another.

Thanks again.

-Mike

Networking General

Was this post helpful?