DELL-Willy M
802 Posts
0
March 12th, 2013 10:00
Below is an image for reference. When setting up VLANs in a Layer 2 environment on one side of a router you can only have one IP designated per VLAN. A VLAN is a network segment. When you said "We have two switches (sw0 and sw1) with identical configs except for each has a unique vlan 200 ip" that may be the reason you are having trouble.
Best Practices state that you have 1 IP set on a VLAN. When you have 2 switches connected (like below), you need the VLANs on both switches in the VLAN database. Then you would only set the IP inside the VLAN interface on 1 switch.
There are options to set up VRRP on some of the other PowerConnect models. Unfortunately, that feature is not available on the 5300 models.
The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static default gateway environment. VRRP is an election protocol that dynamically assigns responsibility for a virtual router to one of the configured VRRP routers on a LAN. The VRRP router that maintains the native IP address(es) that are also associated with a virtual router is called the Master, and forwards packets sent to these IP addresses.
Basically you can set a single gateway for your devices to get out and have 2 different hardware devices carry the load for redundant hardware.
Matthew Lenz
19 Posts
0
March 12th, 2013 11:00
These two switches are connected on g24.
There are two firewalls that are session synced via direct connections between them. Each of the uplinks for the VLANs below is connected to its own port on the firewall. The two switches are identically configured except the interface vlan 200 ip address XX.X.X.X00 on one and XX.X.X.X01 on the other. The strange thing is that it used to work fine. For YEARS. I assumed it was some kind of hardware failure but our ISP did recently make a change to how we were connected and they wanted us to confirm that the spanning tree IDs were above or below a certain number. I guess it's feasible that the second switch stopped working then (it is after all a backup, so it might not have been apparent immediately).
interface ethernet g1
description "primary internet"
speed 100
duplex full
no negotiation
exit
interface ethernet g3
description "fw0 wan"
speed 1000
duplex full
exit
interface ethernet g4
description "uplink vlan200"
speed 1000
duplex full
exit
interface ethernet g8
description "uplink vlan300"
speed 1000
duplex full
exit
interface ethernet g14
description "uplink vlan400"
speed 1000
duplex full
exit
interface ethernet g21
description "uplink vlan500"
speed 1000
duplex full
exit
interface ethernet g24
switchport mode trunk
exit
vlan database
vlan 100,200,300,400,500,600
exit
interface range ethernet g(1-3)
switchport access vlan 100
exit
interface ethernet g24
switchport trunk allowed vlan add 100
exit
interface range ethernet g(4-7)
switchport access vlan 200
exit
interface ethernet g24
switchport trunk allowed vlan add 200
exit
interface range ethernet g(8-13)
switchport access vlan 300
exit
interface ethernet g24
switchport trunk allowed vlan add 300
exit
interface range ethernet g(14-20)
switchport access vlan 400
exit
interface ethernet g24
switchport trunk allowed vlan add 400
exit
interface range ethernet g(21-23)
switchport access vlan 500
exit
interface ethernet g24
switchport trunk allowed vlan add 500
exit
interface ethernet g24
switchport trunk native vlan 600
exit
interface vlan 100
name VLAN100
exit
interface vlan 200
name VLAN200
exit
interface vlan 300
name VLAN300
exit
interface vlan 400
name VLAN400
exit
interface vlan 500
name VLAN500
exit
interface vlan 600
name VLAN600
exit
interface vlan 200
ip address XX.X.X.X00 255.255.255.0
exit
aaa authentication enable default line
aaa authentication login default line
line telnet
password XXXXXXXXXXXXXXXXXXXXXXXXXXXX encrypted
exit
line ssh
password XXXXXXXXXXXXXXXXXXXXXXXXXXXX encrypted
exit
line console
password XXXXXXXXXXXXXXXXXXXXXXXXXXXX encrypted
exit
username admin password XXXXXXXXXXXXXXXXXXXXXXXXXXXX level 15 encrypted
snmp-server community private rw
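The consistency rule raised in this thread (a VLAN with access ports must be in the VLAN database and allowed on the inter-switch trunk) can be checked offline against a saved configuration. The Python below is an added example, not part of the original posts or any Dell tool; `audit`, `vlan_ids` and the sample text are constructed for illustration, and it also flags the `line telnet` and `snmp-server community private rw` lines that appear in the posted config.

```python
import re

# Constructed sample in the posted config's syntax; VLAN 200 is left off the trunk.
SAMPLE = """
vlan database
vlan 100,200
exit
interface range ethernet g(4-7)
switchport access vlan 200
exit
interface ethernet g24
switchport mode trunk
exit
interface ethernet g24
switchport trunk allowed vlan add 100
exit
line telnet
exit
snmp-server community private rw
"""
STANZA = ("interface ", "vlan database", "line ")   # headers closed by "exit"
WEAK = {"line telnet": "Telnet logins cross the network in cleartext",
        "snmp-server community private rw": "well-known read-write community"}

def vlan_ids(cmds, pattern):
    """Collect VLAN numbers from every command that fully matches pattern."""
    hits = (re.fullmatch(pattern, c) for c in cmds)
    return {int(v) for m in hits if m for v in m.group(1).split(",")}

def audit(config):
    """Return a list of findings for one switch configuration."""
    stanzas, current = {}, None
    for line in filter(None, map(str.strip, config.splitlines())):
        if line == "exit":
            current = None
        elif current is None:               # stanza header or one-line command
            stanzas.setdefault(line, [])    # repeated headers merge into one entry
            current = line if line.startswith(STANZA) else None
        else:
            stanzas[current].append(line)
    access = vlan_ids(sum(stanzas.values(), []), r"switchport access vlan (\d+)")
    known = vlan_ids(stanzas.get("vlan database", []), r"vlan ([\d,]+)")
    out = [f"VLAN {v} missing from vlan database" for v in sorted(access - known)]
    for header, cmds in stanzas.items():
        if "switchport mode trunk" in cmds:
            allowed = vlan_ids(cmds, r"switchport trunk allowed vlan add ([\d,]+)")
            out += [f"{header}: VLAN {v} not allowed on trunk" for v in sorted(access - allowed)]
    return out + [f"{k}: {why}" for k, why in WEAK.items() if k in stanzas]
```

Running `audit` over the saved configuration of both sw0 and sw1 and comparing the findings rules out a configuration difference before swapping cables or hardware.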
DELL-Willy M
802 Posts
1
March 12th, 2013 11:00
A network set up like you have described will communicate, but it is limping around. Typically you have a high amount of discarded packets. When you have 2 different IPs on a VLAN the traffic is confused on where to go.
I don't have an explanation as to why it finally quit. Possibly the traffic level increased enough to cause a change in the behavior.
DELL-Willy M
802 Posts
1
March 12th, 2013 12:00
You are correct, each switch will have a specified IP for management. This is usually set on VLAN 1. Do you have your management set up on VLAN 200?
Some of the PowerConnect models have the command
ip address vlan xx
that moves the management vlan to the specified VLAN. I do not see that option available on the 5300 models.
Matthew Lenz
19 Posts
0
March 12th, 2013 12:00
I guess maybe I was confused. I was under the impression that the IP address was just a means of providing an interface to connect to the switch for configuration purposes. How do you configure more than one switch if they don't each have a unique IP?
Matthew Lenz
19 Posts
0
March 12th, 2013 17:00
Per my config above:
interface vlan 200
ip address XX.X.X.X00 255.255.255.0
exit
I just masked out the actual IP address; sw0 is X00 and sw1 is X01.
DELL-Willy M
802 Posts
1
March 12th, 2013 18:00
OK, after further research you are correct about the IP configuration. On this model, which is strictly Layer 2, you can set the IP on any interface (VLANs, LAGs, or ports), and it can be used to manage the switch and for connectivity testing using ping.
I was confusing this model with others we have in the PowerConnect line.
Sorry about that.
Are you able to ping between 2 end devices connected to interfaces 1-3 on sw1? I see that they are in the same VLAN 100 access mode. Then I'm assuming if you were to do the same thing with an end device plugged into sw1 ports 1-3 and then sw0 ports 1-3, it is not communicating.
If that is true then you are probably right about the trunk connection. You may want to try a known good cable on that connection. Then even go as far as configuring a different port on the switches as the trunk. This would test the physical port and the physical cable.
You may also look at the firmware level and update if necessary. It may come down to possible corruption on the firmware installed on sw1. Here is a link to the most recent firmware:
www.dell.com/.../powerconnect-5324
Matthew Lenz
19 Posts
0
March 12th, 2013 18:00
Yeah, I'm definitely behind on the newest firmware. Right now VLAN 100 is really just a public network (in hindsight I probably should have plugged this directly into the firewall). The internet connectivity/uplink is plugged into g1 and g3 is the connection to the firewall WAN port. I did this so that I could (if needed) plug a device in and have it directly connected to the internet with no firewall causing any issues (for testing purposes).
Most of my testing has been on VLAN 200. It's basically a LAN network (less restricted outbound etc). There are a couple servers residing on this VLAN 200 and I am not able to ping them (per my original post). I'm also not able to ping sw0's IP address. sw0 (the working one) is able to ping machines on VLAN 200. sw1 is not able to ping machines on VLAN 200. It's all very strange and it smells of some kind of possible hardware failure or maybe something further upstream with the ISP? (if that is even possible).
I may end up simply powering down the switch and replacing them. I need to find a nice set of refurbished 48 port gb switches with VRRP capabilities (yes I have seen issues with loops on the network recently, but I don't think it started occurring until recently). It's a production environment and we have people using it 24hrs a day so I have to pick and choose times to try to mess with stuff. :)
Thanks again for your feedback.
DELL-Willy M
802 Posts
0
March 12th, 2013 19:00
VRRP is first introduced on the 6200 series and is found on the 7000 and 8000 series. All these have a 48 port or more option.