!Current Configuration:
!System Description "PowerConnect 6224, 3.3.3.3, VxWorks 6.5"
!System Software Version 3.3.3.3
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 10,1000,1010,1024,1026,1050 (here is a list of VLANs that I have created)
vlan routing 1024 1
vlan routing 1026 2
vlan routing 1 3
vlan routing 1050 4
vlan routing 10 5
vlan routing 1010 6
vlan routing 1000 7
exit
stack (I have stacked switches)
member 1 1
member 2 1
exit
switch 1 priority 12 (you can ignore this)
ip address 10.10.10.1 255.255.255.0 (this is for the default setup; you can put any IP, you will not need to use it ever)
ip default-gateway 10.10.10.254
ip routing (global routing)
ip route 0.0.0.0 0.0.0.0 10.0.20.254 (route anything you don't know to the firewall)
interface vlan 1
routing
exit
interface vlan 10
name "iSCSI-P14-P19"
routing
ip address 172.16.16.1 255.255.255.0
exit
interface vlan 1000
name "DMZ"
ip address 192.168.20.1 255.255.255.0
exit
interface vlan 1010
name "iDRAC-P2-P6"
routing
ip address 10.0.50.1 255.255.255.0
exit
interface vlan 1024
name "HV-Management-p7-p13"
routing
ip address 10.0.10.1 255.255.255.0
exit
interface vlan 1026
name "LAN-NETWORK-P20-P24"
routing
ip address 10.0.20.1 255.255.255.0
exit
interface vlan 1050
name "DMZ"
routing
ip address 10.0.30.1 255.255.255.0
exit
username "admin" password e19d5cd5af0378da05f63f891c7467af level 15 encrypted (web access password)
!
interface ethernet 1/g1 (this is my trunk port)
switchport mode trunk
switchport trunk allowed vlan add 1000,1024,1026,1050
exit
!
interface ethernet 1/g2
spanning-tree portfast
mtu 9216
switchport access vlan 1010 (here you can set which VLAN to switch the port to) ... etc.
exit
!
interface ethernet 1/g3
spanning-tree portfast
mtu 9216
switchport access vlan 1010
exit
!
interface ethernet 1/g4
spanning-tree portfast
mtu 9216
switchport access vlan 1010
exit
!
interface ethernet 1/g5
spanning-tree portfast
akamali
38 Posts
0
July 11th, 2012 13:00
Thanks for your quick response:
1. I do have 1/g1 currently connected to my Router/Firewall 192.168.1.1 (which is a small testing router).
Do I need to set "switchport mode general" only on that port, or do I have to set it on all ports?
2. I have changed the default Management VLAN from the default 1 to 11.
3. Since I'm using a generic low-end Router/Firewall, can I set a static route instead of trunking?
I tried
IP route 0.0.0.0 0.0.0.0 192.168.1.1
I get
The Specified static route next hop router address can't be in the same subnet as the service / network port.
Not sure what needs to be done here ....
Thanks
akamali
38 Posts
0
July 11th, 2012 14:00
Thank you, would you advise on my last question in my previous post?
3. Since I'm using a generic low-end Router/Firewall, can I set a static route instead of trunking?
I tried
IP route 0.0.0.0 0.0.0.0 192.168.1.1
akamali
38 Posts
0
July 11th, 2012 14:00
Thanks for your response; I see now how it should be.
Can you confirm if this is correct? Sorry, I'm just trying to get this over my head.
So it should be like this:
Router / Firewall 192.168.1.1 ====> Switches L3 ===> VLAN10 (LAN1) 10.0.0.1
switchport mode general (in this case I don't have to specify static routes).
switchport general allowed vlan add vlan 10,20,30 ... etc
I'm testing this under NETGEAR RP614
I guess I have to setup static route under the router to point to my network.
Can you confirm? Thanks.
akamali
38 Posts
0
July 11th, 2012 17:00
Hello there,
I have spent about 3 hours on this, can someone assist? Can someone tell me what I'm doing wrong here?
VLAN 12: 10.10.10.1 for Management
VLAN 10: for Switch-to-Router 192.168.1.2
VLAN 20: for LAN 10.0.0.1
VLAN 1: Not being used
10.0.0.0 255.255.255.0 192.168.1.1
10.10.10.0 255.255.255.0 192.168.1.1
And here is the config:
console#show running-config
!Current Configuration:
!System Description "PowerConnect 6224, 3.3.3.3, VxWorks 6.5"
!System Software Version 3.3.3.3
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 10,12,20
vlan routing 10 1
vlan routing 20 2
vlan routing 1 3
exit
stack
member 1 1
member 2 1
exit
ip address 10.10.10.1 255.255.255.0
ip default-gateway 10.10.10.254
ip address vlan 12
ip routing
interface vlan 10
name "SW-TO-Router"
routing
ip address 192.168.1.2 255.255.255.0
exit
interface vlan 12
name "Management"
exit
interface vlan 20
name "Local-Network"
routing
ip address 10.0.0.1 255.255.255.0
exit
username "admin" password 5f4dcc3b5aa765d61d8327deb882cf99 level 15 encrypted
!
interface ethernet 1/g1
switchport mode general
switchport general pvid 10
exit
!
interface ethernet 1/g2
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g3
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g4
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g5
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
DELL-Willy M
802 Posts
1
July 11th, 2012 18:00
Here is a good document discussing vlan configuration on some older switches.
www.dell.com/.../app_note_8.pdf
Then another on VLAN routing.
www.dell.com/.../app_note_8.pdf
On your current configuration that you provided I do not see an IP address or routing listed for VLAN 12.
Here is an output from the CLI Guide for the 62XX model.
switchport mode {access | trunk | general}
no switchport mode
• access — An access port connects to a single end station belonging to a
single VLAN. An access port is configured with ingress filtering enabled
and will accept either an untagged frame or a packet tagged with the access
port VLAN. An access port only egresses untagged packets.
• trunk — Trunk port connects two switches. A trunk port may belong to
multiple VLANs. A trunk port accepts only packets tagged with the VLAN
IDs of the VLANs to which the trunk is a member. A trunk only egresses
tagged packets.
• general — Full 802.1q support VLAN interface. A general mode port may
be a combination of both trunk and access ports. It is possible to fully
configure all VLAN features on a general mode port.
Incoming untagged frames are classified into the VLAN currently configured on the PVID. When you configured the PVID 10 it is placing all incoming untagged traffic into VLAN 10. Depending on how you want your environment set up you may want to consider removing the PVID.
console# configure
console(config)# interface ethernet 1/g1
console(config-if)# no switchport general pvid
akamali
38 Posts
0
July 11th, 2012 20:00
Thanks for your answer:
- I have removed the PVID.
- My question is that the Management interface does not accept routing. This is why I could not configure an IP address on that interface.
My network:
Router/Firewall: 192.168.1.1
VLAN 12: 10.10.10.1 for Management (not being assigned to any physical port)
VLAN 10: for Switch-to-Router 192.168.1.2 (port 1/g1) - General mode and tagged ports from LAN20
VLAN 20: for LAN 10.0.0.1 (ports 2-12) - Access mode
VLAN 1: Not being used
I have created 2 static routes on my firewall:
10.0.0.0 255.255.255.0 192.168.1.1
10.10.10.0 255.255.255.0 192.168.1.1
What else am I missing here? Thank you again for your help and input, it is highly appreciated.
akamali
38 Posts
0
July 11th, 2012 21:00
console#show running-config
!Current Configuration:
!System Description "PowerConnect 6224, 3.3.3.3, VxWorks 6.5"
!System Software Version 3.3.3.3
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 10,12,20
vlan routing 10 1
vlan routing 20 2
vlan routing 1 3
exit
stack
member 1 1
member 2 1
exit
ip address 10.10.10.1 255.255.255.0
ip default-gateway 10.10.10.254
ip address vlan 12
ip routing
interface vlan 10
name "SW-TO-Router"
routing
ip address 192.168.1.2 255.255.255.0
exit
interface vlan 12
name "Management"
exit
interface vlan 20
name "Local-Network"
routing
ip address 10.0.0.1 255.255.255.0
exit
username "admin" password 5f4dcc3b5aa765d61d8327deb882cf99 level 15 encrypted
!
interface ethernet 1/g1
switchport mode general
switchport general allowed vlan add 10,12,20 tagged
exit
!
interface ethernet 1/g2
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g3
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g4
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g5
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g6
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g7
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g8
spanning-tree portfast
mtu 9216
switchport access vlan 20
exit
!
interface ethernet 1/g9
spanning-tree portfast
....etc
MrHarrySingh
18 Posts
0
August 3rd, 2012 07:00
Hi Akamali,
Did you manage to resolve this issue and get all your VLANs accessing the internet via the firewall?
I am having exactly the same issue with my two new 6224s, exactly the same setup.
Please advise if you managed to fix it.
akamali
38 Posts
0
August 3rd, 2012 08:00
Yes, I did manage to get myself going, and here is what you need to do:
1. On your switch create the VLANs 10, 20, 30, etc.
i.e. 10.0.10.1/24 for LAN
192.168.20.1/24 for iSCSI
2. Then create a trunk port on one of the ports on your switch (in my case I did the trunk on port 1).
3. Allow the VLANs that require access to the internet on the trunk port.
4. Set all other ports to their desired VLANs; they should be set as "Access mode".
5. On your firewall, create VLANs that match the VLANs that you created on the switches.
Then on the firewall assign interfaces,
i.e. 10.0.10.254 LAN
6. Connect the firewall to your switch via the trunk port.
7. Set the following on the switch: 0.0.0.0 0.0.0.0 firewall interface (this means anything the switch does not know about is sent to the firewall).
8. On your clients set the IP config and assign the VLAN switch gateway 10.0.10.1.
Then you should be able to ping the gateway (your VLAN switch) and your firewall interface.
If your config on the firewall is correct (NAT) then you should have access to the internet.
So you will have all the processing power handled by the L3 switch and only internet access via the firewall.
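As an added example (not code from the thread or from Dell), here is a small Python audit that parses a PowerConnect-style running-config and reports the three things raised above: a declared VLAN with no routed IP interface (VLAN 12 in akamali's earlier config), a general-mode port carrying a PVID, and a missing default route or one whose next hop is not on any routed VLAN subnet. The sample config is constructed, trimmed from the one posted in this thread.

```python
import ipaddress
import re

# Constructed sample, trimmed from the running-config posted in this thread:
# VLAN 12 has no routing/IP address, 1/g1 carries PVID 10, and there is no default route.
SAMPLE_CONFIG = """\
vlan 10,12
interface vlan 10
routing
ip address 192.168.1.2 255.255.255.0
exit
interface vlan 12
exit
interface ethernet 1/g1
switchport mode general
switchport general pvid 10
exit
"""

def parse_config(text):
    # Returns (declared VLAN ids, SVI table, general-port PVIDs, default-route next hops).
    vlans, svis, pvids, routes, ctx = set(), {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"vlan ([\d,]+)$", line):
            vlans.update(int(v) for v in m.group(1).split(","))
        elif m := re.match(r"interface vlan (\d+)", line):
            ctx = ("vlan", int(m.group(1)))
            svis[ctx[1]] = {"routing": False, "ip": None}
        elif m := re.match(r"interface ethernet (\S+)", line):
            ctx = ("port", m.group(1))
        elif line == "exit":
            ctx = None
        elif ctx and ctx[0] == "vlan" and line == "routing":
            svis[ctx[1]]["routing"] = True
        elif ctx and ctx[0] == "vlan" and (m := re.match(r"ip address (\S+) (\S+)", line)):
            svis[ctx[1]]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif ctx and ctx[0] == "port" and (m := re.match(r"switchport general pvid (\d+)", line)):
            pvids[ctx[1]] = int(m.group(1))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            routes.append(ipaddress.ip_address(m.group(1)))
    return vlans, svis, pvids, routes

def audit(text):
    # One finding per problem; an empty list means the config passes these checks.
    vlans, svis, pvids, routes = parse_config(text)
    findings = []
    for v in sorted(vlans):
        svi = svis.get(v)
        if not svi or not svi["routing"] or svi["ip"] is None:
            findings.append(f"vlan {v}: no routed IP interface, so the switch cannot route for it")
    for port, pvid in pvids.items():
        findings.append(f"{port}: general-mode PVID {pvid} puts all untagged ingress into VLAN {pvid}")
    if not routes:
        findings.append("no default route: traffic to unknown destinations (the Internet) is dropped")
    for nh in routes:  # a next hop is only usable if it sits on a subnet the switch routes
        if not any(s["ip"] and nh in s["ip"].network for s in svis.values()):
            findings.append(f"default route next hop {nh} is not on any routed VLAN subnet")
    return findings
```

Run `audit(open("running-config.txt").read())` against a `show running-config` capture; each finding maps to one of the fixes discussed in this thread.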
MrHarrySingh
18 Posts
0
August 3rd, 2012 08:00
Thank God, someone here with hope. I have been trying to get this sorted for the last couple of days without any luck.
Below is my setup:
2 Dell 6224 in a stack.
Switch IP = 172.16.10.2 on default VLAN 1.
Firewall/router is a Watchguard connected to port G1; router IP = 172.16.10.1, in the same VLAN as the switch.
Then two more VLANs: VLAN 10 (172.16.12.1) and VLAN 11 (172.16.13.1).
Devices on the VLANs have the VLAN interface IP as their GW IP; they can all ping each other across the VLANs, but they can't ping the firewall or switch IP.
Port G1 is in general mode as advised by the Dell guys.
I will try to change that to trunk mode and allow tagged from all VLANs.
Is there anything you think I am doing wrong?
Let me try as you said and I will update you here.
Thanks a lot.
Harry
akamali
38 Posts
0
August 3rd, 2012 08:00
I have updated the post with the config I used.
A few notes:
Since it's an L3 switch, routing should be done on the switches.
You don't want it to be an L2 switch with all routing done on the firewall (router on a stick), the old configuration.
1. I did not use general mode.
2. All you need is one trunk port with all allowed VLANs to access the internet; set all other ports to access mode and assign them to their designated VLANs.
3. I did not use the default VLAN 1 (it's not routable by default), therefore you had better create a new set of VLANs (they should have routing enabled under each VLAN).
4. On your Watchguard set the interface to match the new VLAN you have created.
5. At this point you should be able to ping the firewall interface from your switch.
6. Note that I had to reboot the switches to bring the interfaces up! (Still don't know why, but that was truly unpleasant.)
akamali
38 Posts
0
August 3rd, 2012 08:00
I have updated the post with the config I used.
few notes:
Since it's L3 switch, routing should be done on the switches.
You don't want it to be L2 switch and all routing done on the firewall (router on stick) old configuration.
1. I did not use general mode
2. All what you need is one Trunk port with all allowed VLANs to access the internet and set all other ports to access mode and assign them to their designated vLANs
3. I did not use the default Vlan1 (it's not routeable by default, therefore you better create new set of vLANs (they should have routing enabled under each vlan).
4. On your watchguard set the interface to match the new vLAN you have created.
5. at this point you should be able to ping the firewall interface from your switch.
6. Note that I had to reboot the switches to bring the interfaces up! (still don't know why but that was truly unpleasant).
MrHarrySingh
18 Posts
0
August 3rd, 2012 10:00
I will follow this shortly.
Can you please confirm what your firewall IP is,
and what your switch IP is?
Also, is your switch management interface in the default VLAN 1 or another one?
Same for the firewall: is it in a new VLAN?
Thanks
akamali
38 Posts
0
August 3rd, 2012 10:00
Thanks Daniel for your help!
For HarrySingh:
1. I'm using Vyatta as a firewall; it gives me the capability to create VLANs and assign an interface under each one.
So I create VLAN 1026 and give it the interface IP address 10.0.20.254/24.
Then I connect my Vyatta physical NIC to the switch on Port 1, which, as previously stated, is set to be a trunk port.
2. When you configure the switch for the first time, you can set up a management IP (which is simply an IP address that reaches the switch from the LAN). Once you set up your VLANs you can reach the switch with the VLAN IP address, so in my case I just ignored it and set a random IP address.
3. VLAN 1 by default is not routable, so you should learn to leave it.
From my understanding, because it holds the management IP address, that is why it's not routable (you can still use it, but you have to switch the management to a different VLAN).
Why make it complicated? Create a new VLAN and you are done.
So I created a new VLAN 10.0.20.1/24.
4. Once you have the VLANs created and the cable connected, your firewall and switch are on the same segment 10.0.20.x/24.
And you are good to go.
I hope this explains things better.
MrHarrySingh
18 Posts
0
August 3rd, 2012 11:00
Thanks guys.
OK, let me list what I understood so far from this, and below is what I plan to implement:
On the Watchguard I should select the physical port and create VLAN 101 with IP 172.16.10.1/24.
There I have the option to create more VLANs and a tick box for the option to send/receive traffic for tagged/untagged VLANs.
Then connect this firewall physical port to the switch on port 1/g1.
Leave the switch IP and default VLAN 1 as they are in default mode.
Create new VLAN 101 with IP 172.16.10.10/24 and enable routing on this (do I need to set an access port for this, or is this just for routing purposes?).
Create VLAN 12 for servers 172.16.12.1/24, enable routing.
Create VLAN 13 for desktops 172.16.13.1/24, enable routing.
Set interface 1/g1 to trunk mode.
In trunk mode add VLANs 12, 13.
Global routing enabled.
Devices on VLAN 12 have default gateway 172.16.12.1; similarly, devices on VLAN 13 will have DG 172.16.13.1.
With the above, will my devices in both VLAN 12-13 be able to ping my Watchguard 172.16.10.1?
Shall I still set up a default route 0.0.0.0 0.0.0.0 to 172.16.10.1?
Please advise if the above looks correct. Thanks.
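Added example, not from the thread: a minimal forwarding simulation built on Harry's planned addressing above (switch 172.16.10.10, 172.16.12.1 and 172.16.13.1; Watchguard 172.16.10.1). The host address and both firewall route tables are constructed. It shows that the switch delivers a ping from VLAN 12 to the firewall over its connected subnet, but the reply only comes back when the firewall has routes for the VLAN subnets via the switch, which is what the static routes akamali added on his firewall earlier in the thread are for.

```python
import ipaddress

def node(name, interfaces, static_routes=()):
    # interfaces: "addr/prefix" strings; static_routes: (destination cidr, next hop) pairs.
    ifaces = [ipaddress.ip_interface(i) for i in interfaces]
    routes = [(i.network, None) for i in ifaces]  # connected subnets carry no next hop
    routes += [(ipaddress.ip_network(d), ipaddress.ip_address(nh)) for d, nh in static_routes]
    return {"name": name, "ifaces": ifaces, "routes": routes}

def lookup(n, dst):
    # Longest-prefix match over the node's table; returns (network, next_hop) or None.
    matches = [(net, nh) for net, nh in n["routes"] if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def owner(nodes, addr):
    return next((n for n in nodes if any(i.ip == addr for i in n["ifaces"])), None)

def trace(nodes, src, dst, max_hops=8):
    # Returns the node names the packet passes through, or None if it is dropped.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur, path = owner(nodes, src), []
    for _ in range(max_hops):
        if cur is None:
            return None  # no route, or the next hop is not owned by any known node
        path.append(cur["name"])
        if any(i.ip == dst for i in cur["ifaces"]):
            return path
        route = lookup(cur, dst)
        if route is None:
            return None
        cur = owner(nodes, dst if route[1] is None else route[1])  # connected: deliver directly
    return None

def round_trip(nodes, a, b):
    return trace(nodes, a, b) is not None and trace(nodes, b, a) is not None

# Harry's planned addressing from the thread; the host and the firewall tables are constructed.
HOST = node("server-vlan12", ["172.16.12.50/24"], [("0.0.0.0/0", "172.16.12.1")])
SWITCH = node("6224", ["172.16.10.10/24", "172.16.12.1/24", "172.16.13.1/24"],
              [("0.0.0.0/0", "172.16.10.1")])
FW_NO_RETURN = node("watchguard", ["172.16.10.1/24"])
FW_WITH_RETURN = node("watchguard", ["172.16.10.1/24"],
                      [("172.16.12.0/24", "172.16.10.10"), ("172.16.13.0/24", "172.16.10.10")])

def ping_firewall(firewall):
    return round_trip([HOST, SWITCH, firewall], "172.16.12.50", "172.16.10.1")
```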