February 13th, 2013 08:00

PowerConnect 5448 Multiple VLANs between upstream firewall and downstream server

I am struggling with what I thought would be a simple task:  route multiple subnets, each on a different VLAN, from a firewall to a server.  In fact, I can't seem to get even one non-default VLAN through despite everything looking correct in address tables and STP.

Port 1 = firewall, VLAN 1 untagged, VLAN 2 tagged, PVID 1, tried both trunk and general modes

Port 17 = server NIC, VLAN 1 untagged, VLAN 2 tagged, PVID 1 and 2 tried, tried both trunk and general modes

VLAN 1 (untagged from firewall) 10.84.195.0/24, IP Interface 10.84.195.2, default gateway 10.84.195.1

VLAN 2 (tagged from firewall) 10.101.0.0/16, IP Interface 10.101.0.2 for VLAN 2, firewall is .1

The first thing I assumed was that something wasn't tagged correctly either from the server (Hyper-V, using SC VMM 2012 SP1) or the firewall (Watchguard XTM 520).  Simple test: VPN to firewall, ping the switch at 10.101.0.2 with tag and it works, remove the tag and it doesn't.  Dynamic address table shows both pathways to firewall.  Row 18 below appears right after the ping as expected on VLAN 2 with same MAC address as VLAN 1.  Also, I can ping the switch 10.101.0.2 from the server and it works fine.  The table shows only VLAN 2 from the host (and 1 other VM) so it seems to me that everything is tagged properly.

Dynamic address table (row, VLAN, MAC address, port):

15  VLAN 1  00907f8f571b  g1
16  VLAN 2  00155d1f1b07  g17
17  VLAN 2  001dd8b71c01  g17
18  VLAN 2  00907f8f571b  g1

What I can't do is ping across the switch on VLAN 2.  I cannot ping the server (10.101.20.1) from my VPN and I cannot ping the gateway (10.101.0.1) from the server.  Note, it is not due to any firewall rules on either end.

What am I missing?  I don't believe I need any Layer 3 routing here, I'm not trying to cross VLANs, just have multiple VLANs pass from one port to another.

Other things worth noting in case it helps:

- I do have untagged connectivity with everything else through the switch 10.84.195.xxx/24.

- If I remove the VLAN 2 tagged trunk from port 1, I can suddenly ping the VLAN 2 gateway (10.101.0.1) from the server, although I suspect that is because the same port is the default gateway for the switch.

- For brevity, only 2 lines of the STP are shown below, but all ports match accordingly based on whether they are connected or not.

g1   enabled   128.1       4      Frw   Desg    No        P2P (STP)
g2   enabled   128.2      100     Dsbl  Dsbl    No            -

- Latest firmware installed.

- Also, for the security-minded folks, I do intend to remove the default VLAN usage in the future.

February 13th, 2013 09:00

Would it be possible for you to paste your show run output here in the forum.  That way we can take a closer look at what you have configured.  

If you plug a laptop/desktop (with an IP in the 10.101.0.0/16 range) into a port with switchport access mode for VLAN 2, are you able to ping IP Interface 10.101.0.2 for VLAN 2?  You might try disconnecting the firewall and the configuration for that port and work on getting communication through the switch with 2 end devices on a single VLAN.  Then, once that is confirmed as working, connect the firewall back up in trunk/general mode, adding the needed VLANs.

Are you connecting to the firewall on a Layer 3 interface?  You may need Layer 3 routing to reach the firewall properly.  

February 13th, 2013 11:00

OK, I did as you suggested and here are the results:
Access mode connection to VLAN 2, succeeded in pinging the switch interface.
Connecting 2 downline machines via VLAN 2 tagged works: they both ping each other.
I included the run output below, after connecting 16 and 17 together successfully.
It is tricky that the firewall is tagging packets appropriately when going through to the switch, but not accepting and/or returning tagged packets from the switch.  Port 1 plugs straight into an internal port on the firewall, which is the device doing the VLAN tagging.  Assuming I didn't miss anything, the issue is with the firewall and I'm in the wrong forum! :)  Although hopefully it's just a configuration issue and not a need for new hardware.   I must admit I'm scratching my head as to why you might need layer 3 switch routing if the other device is doing the legwork on routing and VLAN tagging.
Also, just to note, I was incorrect in claiming I was able to ping the firewall when set to access mode on port 1 / VLAN 1.  It found that route via another adapter.
Thanks!
console# show run
interface port-channel 1
switchport mode general
exit
interface range ethernet g(1,16-17)
switchport mode general
exit
vlan database
vlan 2-4
exit
interface port-channel 1
switchport general pvid 4
exit
interface range ethernet g(1,16-17)
switchport general allowed vlan add 2
exit
interface port-channel 1
switchport general allowed vlan add 4 untagged
exit
interface vlan 2
name RRHostManagement
exit
interface vlan 3
name RRExternal
exit
interface vlan 4
name RRSAN
exit
interface port-channel 1
switchport general acceptable-frame-type tagged-only
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface range ethernet g(12,14)
channel-group 1 mode on
exit
iscsi target port 860 address 0.0.0.0
iscsi target port 3260 address 0.0.0.0
interface vlan 1
ip address 10.84.195.2 255.255.255.0
exit
interface vlan 2
ip address 10.101.0.2 255.255.0.0
exit
interface ethernet g25
ip address 10.106.0.2 255.255.0.0
exit
ip default-gateway 10.84.195.1
*******username/pw stuff removed
clock timezone -5
Default settings:
Service tag: ****

SW version 2.0.0.46 (date 14-Apr-2011 time 13:10:53)

Gigabit Ethernet Ports
=============================
no shutdown
speed 1000
duplex full
negotiation
flow-control off
mdix auto
no back-pressure

interface vlan 1
interface port-channel 1 - 8

spanning-tree
spanning-tree mode STP

qos basic
qos trust cos
console#
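Added example, not code from the thread or from Dell: a small Python parser for the PowerConnect `show run` switchport lines above that works out how each port carries a given VLAN (tagged, untagged, or not at all), so the "is VLAN 2 allowed on both ends?" check the replies do by hand can be run over a whole config. It assumes each port starts as an untagged member of VLAN 1 with PVID 1 (the usual factory default), only parses `switchport general pvid` and `switchport general allowed vlan add` lines, and uses a constructed excerpt of the posted config as sample input.

```python
import re
from collections import defaultdict
# Constructed excerpt of the posted config: g1 and g16-17 carry VLAN 2 tagged; port-channel 1 is untagged in VLAN 4.
SAMPLE_CONFIG = """\
interface range ethernet g(1,16-17)
switchport general allowed vlan add 2
exit
interface port-channel 1
switchport general pvid 4
switchport general allowed vlan add 4 untagged
exit
"""

def expand_ids(spec):  # '1,16-17' -> [1, 16, 17]
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def interfaces_of(line):  # port names an 'interface ...' line selects; [] for SVIs like 'interface vlan 2'
    m = re.match(r"interface (?:range )?(ethernet g|port-channel )\(?([\d,\-]+)\)?$", line)
    if not m:
        return []
    prefix = "g" if m.group(1).startswith("ethernet") else "ch"
    return [f"{prefix}{n}" for n in expand_ids(m.group(2))]

def parse_config(text):
    # Assumed factory default per port: untagged member of VLAN 1 only, PVID 1.
    ports = defaultdict(lambda: {"pvid": 1, "tagged": set(), "untagged": {1}})
    current = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces_of(line)
        elif line == "exit":
            current = []
        for p in (ports[n] for n in current):
            if m := re.match(r"switchport general pvid (\d+)$", line):
                p["pvid"] = int(m.group(1))
            elif m := re.match(r"switchport general allowed vlan add ([\d,\-]+)( untagged)?$", line):
                (p["untagged"] if m.group(2) else p["tagged"]).update(expand_ids(m.group(1)))
    return ports

def membership(ports, name, vlan):  # 'tagged', 'untagged' or None
    return "tagged" if vlan in ports[name]["tagged"] else "untagged" if vlan in ports[name]["untagged"] else None

def vlan_carried(ports, vlan, a, b):  # both ends must be members for frames on that VLAN to cross the switch
    return all(membership(ports, n, vlan) is not None for n in (a, b))
```

Running `vlan_carried(parse_config(SAMPLE_CONFIG), 2, "g1", "g17")` confirms the switch side of the VLAN 2 path is consistent, which matches the thread's conclusion that the problem lies on the firewall side rather than in the switch config.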