PC 6224 VLAN on existing LAN

The firmware looks up to date, which is always good. Looks like VLAN routing is enabled. I do see a couple things we can see about changing.

With IP routing the first IP address is the source ip address, subnet mask, and then the next hop for the traffic to take.  

ip route 10.10.0.0 255.255.255.0 10.10.0.2

ip route 10.10.0.0 255.255.255.0 192.168.111.1

ip route 10.20.0.0 255.255.255.0 10.20.0.2

ip route 0.0.0.0 0.0.0.0 192.168.111.1

What is 10.10.0.2 and 10.20.0.2 assigned to?

ip route 0.0.0.0 0.0.0.0 192.168.111.1

Will help all traffic get to the Cisco.

On the Cisco do we have a static route to help traffic coming back to the PowerConnect? On the Cisco do we have all the same VLANs created?

On the 6224 you may want to have a gateway set.

console(config)#ip default-gateway 192.168.111.1

On ports connecting the 6224 to another networking device, like the Cisco, we should not have portfast enabled.  

Something else to consider on the 6224, is you must use General mode if you want to allow management traffic onto the switch over the PVID.  If you use Trunk mode, you will not have the default VLAN on those ports.  The ports will only allow tagged traffic.

Let me know if any of these changes help.

Thanks

Thanks. I thought, though, that that was kinda what VLAN 11 was doing; it is on the existing LAN net. The other 2 VLANs have IP's (10.10.0.1,10.20.0.1) and the hosts on the VLAN have their respective VLAN ip as gateway.

Are you suggesting creating another VLAN? Why can't I route to VLAN 11?

I was thinking I could create VLAN11 on the existing LAN and keep it. Are you saying I can, but need to create a new, separate VLAN to then trunk to the Firewall?

Thanks again.

Any time one goes from a flat network where the default gateway for all devices is an upstream node, to a network with multiple networks, there is a fundemental shift in how the logical topology of it all looks.  (Its good to white-board this part if you haven't done already).  Each VLAN/network that needs to be routed will have an IP address assignment on the switch, and that is what the endpoint nodes will use as the default gateway.  Then, you will have a seperate VLAN/network that goes between the switch and the upstream router/firewall.

And on a seperate note, for untagged traffic, stick to "access" or "general"  

Ok thanks. Yeah, that makes sense. I was kinda hoping I could put this together during regular working hours without taking down the net, but that sounds unlikely.

So assuming I change the ip on the firewall to say 192.168.2.1 and create a new VLAN 30 on the 6224, general, 192.168.2.2, and I have a client on VLAN 10, 10.10.0.5 255.255.255.0 10.10.0.1, how do I route VLAN 10 to VLAN 30? Do I just ip route 0.0.0.0 0.0.0.0 192.168.2.1 ?

Are you trying to add these VLANs to your switch while maintaning your upstream firewall as your default gateway?  If so, you need to rethink the approach.  If you want intervlan routing to work where all vlans can feed upstream to and external device, an IP will need to be set for each VLAN on that switch, and that will be the default gateway for each network.  Those will need to route to the firewall by way of another network - not the same one you are on.   Create a small bubble network  (say, /29 perhaps) that is for nothing more than your internal interface of your firewall to accomplish this.

Yeah, that sort of change during production hours is not going to happen.  It can sometimes be a painful experience making the initial transition (especially if your default gateway for end nodes was a device that provided proxy services), but the end result is worth it.  

To make them routable, just do a:

interface vlan xx

routing

ip address x.x.x.x 255.255.255.0

Then, to get the switch to go upstream do a:

ip route 0.0.0.0 0.0.0.0 [defgatewayaddress]

Painful huh? That's putting it lightly ;)

So to test this out, I have a separate net here - a cable modem at 192.168.2.1

I've added the following to 6224:

VLAN 10 10.10.0.1 routing

VLAN 20 10.20.0.1 routing

VLAN 30 192.168.2.2 routing

0.0.0.0 0.0.0.0 192.168.2.1

1/g1 mode access vlan 10 - computerx 10.10.0.5 255.255.255.0 10.10.0.1

1/g2 mode access vlan 20 - computery 10.20.0.5 255.255.255.0 10.20.0.1

1/g23 mode general allow vlan 10,20,30

from computerx in VLAN 10, I can ping computery, 10.10.0.1, 10.20.0.1, 192.168.2.2 and that's it. Can't ping 192.168.2.1 or access the net.

I also can't ping 192.168.2.1 from the switch directly.

Does this look right? Do I need to configure the upstream endpoint to be able to return ping to within a vlan? It seems likely, but why can't I ping from the 6224 directly?

Make sure your upstream router knows how to get to those new subnets.  Otherwise, the continuity testing wont work.

Doing validations in the right order will help you determine where the gap is.  Something like:

Ping on same VLAN to Def GW of that VLAN

Ping on same VLAN to other host

Ping on same VLAN to other VLAN on Def GW (often won't work if you don't have a host connected to that other VLAN)

Ping on same VLAN to other host on other VLAN.

For your upstream network that goes to a firewall/device (all L3 by the way), there really isn't much of a reason why you want to use "general"  That type (General) works well when it is being uplinked to other disparite switchgear, etc.  

Thanks for all your help guys.

I finally got things working. I had to set up some routes in the sonicwall to get traffic back. I'm going to try and explain for any future poor souls who may stumble across this looking for help.

NSA-2400

X0 - LAN 192.168.111.1 (this was the existing net before everything started; all clients were on 192.168.111.x /24)

X1 - WAN

X2 - LAN 192.168.10.2 Static; I hooked this into 1/g3 of the 6224

Routing (on NSA-2400):

Any VLAN 20 (10.10.0.0 255.255.255.0) Any VLAN 20 GW (10.10.0.1) X2  

Any VLAN 10 (10.20.0.0 255.255.255.0) Any VLAN 10 GW (10.20.0.1) X2  

And here is the 6224 config:

console#show running-config 
!Current Configuration:
!System Description "PowerConnect 6224, 3.3.5.5, VxWorks 6.5"
!System Software Version 3.3.5.5
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 10-11,20,30
vlan routing 10 1
vlan routing 20 2
vlan routing 30 3
vlan routing 11 4
exit
stack
member 1 1
exit
switch 1 priority 1
ip address 1.1.1.1 255.255.255.0
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 10.10.0.0 255.255.255.0 10.10.0.2

                     
interface vlan 10
routing
ip address 10.10.0.1 255.255.255.0
exit
interface vlan 11
routing
ip address 192.168.111.3 255.255.255.0
exit
interface vlan 20
routing
ip address 10.20.0.1 255.255.255.0
exit
interface vlan 30
routing
ip address 192.168.10.1 255.255.255.0
exit
username "admin" password 8c6f5bc00648216e03ada18b486581c1 level 15 encrypted
!
interface ethernet 1/g1
switchport access vlan 10
exit

                     
!
interface ethernet 1/g2
spanning-tree portfast
switchport access vlan 20
exit
!
interface ethernet 1/g3
spanning-tree portfast
switchport access vlan 30
exit
!
interface ethernet 1/g4
spanning-tree portfast
switchport access vlan 30
exit
!
interface ethernet 1/g24
switchport access vlan 11
exit
exit

Now on the existing infrastructure, all that's left to do is plug the switches into 1/g24 and change the gateways to 192.168.111.3

Thanks again.

Glad to hear you got this working! And thank you for updating us on what worked. I am sure others will find this very helpful.

Cheers.

Thank you for your post.  I was also having the same problem routing internet traffic through the sonicwall.  Both Sonicwall and Dell Support couldn't figure this out.  I created the routes on my sonicwall NSA 250 and everything worked perfectly.