Unsolved

February 11th, 2013 12:00

PowerConnect 6224 VLAN Routing, unable to connect outbound from VLAN but able to connect inbound.

In setting up a new VLAN to segregate the common workstation network and obtain a new DHCP scope, I had a few questions and found some direction in the post http://en.community.dell.com/support-forums/network-switches/f/866/t/19370806.aspx?PageIndex=3, but now I am finding that my traffic is not traversing properly, so I am starting a new thread to get help getting this all to work.

The current primary network is 192.168.1.0/24 (DHCP server 192.168.1.200). I added a new scope to the server for 192.168.3.0/24 and it is active.

The 192.168.1.0/24 default gateway is 192.168.1.254 (a Cisco ASA; it was set up that way when I came, and there is no room to insert a dedicated router). I added a route for 192.168.3.0/24 > 192.168.1.253 (the PC6224 management interface and VLAN 1). I have also added NAT exceptions to the ASA for the 192.168.3.0 network.

I was still having some trouble pinging the 192.168.3.0 network from the DHCP server, so I added a static route on the server for that network, bypassing the ASA for routing to the switch.

From the DHCP server I am able to ping 192.168.1.253 and 192.168.3.254, but not a laptop running Windows XP configured with the 192.168.3.1 address and plugged into port 22 of the 6224.

From the XP laptop I am able to ping 192.168.3.254, but not 192.168.1.253 or any other address in the 192.168.1.0 network.

From the switch cli I am able to ping destinations on both networks.

Here is my switch config. I have configured it from scratch after a factory reset, so there are no old ACLs buried in it.

console#show run
!Current Configuration:
!System Description "PowerConnect 6224P, 3.3.5.5, VxWorks 6.5"
!System Software Version 3.3.5.5
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 2
vlan routing 2 1
exit

ip address 192.168.1.253 255.255.255.0
ip default-gateway 192.168.1.254
ip domain-name domain.local
ip name-server 192.168.1.11
ip name-server 192.168.1.200
ip routing
ip helper-address 192.168.1.200 dhcp

interface vlan 2
name "common"
routing
ip address 192.168.3.254 255.255.255.0
ip netdirbcast
bandwidth 10000
ip helper-address 192.168.1.11 domain
ip helper-address 192.168.1.200 domain
ip helper-address 192.168.1.200 dhcp
ip mtu 1500
exit

dhcp l2relay
dhcp l2relay vlan 2
!
interface ethernet 1/g21
switchport access vlan 2
exit
!
interface ethernet 1/g22
switchport access vlan 2
exit
!
interface ethernet 1/g23
switchport access vlan 2
exit
!
interface ethernet 1/g24
switchport access vlan 2
exit

802 Posts

February 11th, 2013 13:00

I would like to look at the overall structure of your Layer 3 routing. At Layer 3 we need to have an isolated subnet (a VLAN, with the PowerConnect models) between the Layer 3 devices. Here is a rough diagram we can use for discussion. A VLAN 100 (or whatever you choose to make it) can only be used in between the two Layer 3 devices. If you were to use VLAN 100 on the client side along with VLAN 200 or 300, you would not have full communication across all the VLANs/subnets.

You can set up a new VLAN that would be for the connection between the PC 62xx and the ASA. You would set the port for that connection as a switchport in access mode for the new VLAN. It will need to have its own IP range. Then all the other VLANs you have on the switch will be their own different subnet ranges. This way you can communicate at Layer 3 between all the different VLANs.

Also the management VLAN cannot be routed on the 62xx model.

This will get us started.  Let us know if you have further questions.

10 Posts

February 11th, 2013 15:00

Ok, that just seems lame. I think I will just obtain a Cisco router and skip the switch routing. If I can't route the management port network, I will have to set up a server with an extra NIC or serial connection in it and remote to that in order to manage the switch from my workstation.

Also, after implementing the above scenario, I can now obtain a good DHCP address and I can perform an nslookup for, say, www.google.com, but I am unable to access the web page. I also tried to get a web page from a server in our DMZ, and no go.

Watching our firewall there are no errors or information recorded for the 192.168.3.x network traffic.

802 Posts

February 11th, 2013 16:00

The 7xxx and 8xxx switch models have routing enabled by default on the management VLAN. Unfortunately, the 62xx model does not have this feature available and is not going to have it added in any upcoming firmware release, as far as I understand.

We can take a look at your routing table and verify if all the subnets have a proper path set up.

console# show ip route

You will want a default route set to give a path for all traffic that is not local.

console# ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX (where X is the IP address of the next hop to the outside world; in your case it would be the address on the port of the ASA connecting to the 62xx switch).
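The transit-VLAN layout described in the two replies above (an isolated VLAN between the 62xx and the ASA, the switch as the gateway for every client subnet, and a default route on the switch toward the ASA), written out as an added example configuration. This is not code from the original post or from Dell; VLAN 10 and VLAN 100, the 10.255.255.0/30 transit range, the 192.168.99.0/24 out-of-band management range, the ASA interface name and the port assignments are all assumed for illustration. The `vlan routing` index values follow the form shown in the poster's own running config.

```text
! --- PowerConnect 6224 side (added example, assumed VLAN numbers and addresses) ---
configure
vlan database
vlan 2
vlan 10
vlan 100
vlan routing 2 1
vlan routing 10 2
vlan routing 100 3
exit
!
! Management VLAN 1 stays unrouted on the 62xx (see the reply above), so its
! address is moved out of 192.168.1.0/24 to avoid overlapping routed VLAN 10.
! 192.168.99.0/24 is an assumed out-of-band management range.
ip address 192.168.99.1 255.255.255.0
ip routing
!
! VLAN 10: the existing 192.168.1.0/24 LAN, now routed by the switch. The switch
! takes over 192.168.1.254 so the hosts' current default gateway keeps working;
! the ASA no longer holds that address.
interface vlan 10
name "lan"
routing
ip address 192.168.1.254 255.255.255.0
exit
!
! VLAN 2: the new common workstation subnet, as in the original post.
interface vlan 2
name "common"
routing
ip address 192.168.3.254 255.255.255.0
ip helper-address 192.168.1.200 dhcp
exit
!
! VLAN 100: transit /30 used only between the switch and the ASA.
interface vlan 100
name "transit-asa"
routing
ip address 10.255.255.1 255.255.255.252
exit
!
! Default route: everything that is not a connected subnet goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.255.255.2
!
! Port facing the ASA inside interface: only the transit VLAN lives on it.
interface ethernet 1/g1
switchport access vlan 100
exit
! Port (or uplink) carrying the existing 192.168.1.0/24 hosts.
interface ethernet 1/g2
switchport access vlan 10
exit
! Workstation ports for the common VLAN, as in the original post.
interface ethernet 1/g21
switchport access vlan 2
exit
exit

! --- Cisco ASA side (added example; interface name and slot are assumed) ---
interface GigabitEthernet0/1
 nameif inside
 ip address 10.255.255.2 255.255.255.252
!
! Return routes for both LAN subnets point at the switch's transit address.
route inside 192.168.1.0 255.255.255.0 10.255.255.1 1
route inside 192.168.3.0 255.255.255.0 10.255.255.1 1
```

With this layout no packet has to enter and leave the ASA on the same interface, so the ASA route to 192.168.3.0/24 via 192.168.1.253 and the static route added on the DHCP server are no longer needed and can be removed. To check it, `show ip route` on the switch should list 192.168.1.0/24, 192.168.3.0/24 and 10.255.255.0/30 as connected and 0.0.0.0/0 via 10.255.255.2; from a 192.168.3.x host a traceroute to an outside address should show 192.168.3.254 and then 10.255.255.2 as the first two hops. The NAT exemptions the original poster already added on the ASA need to cover both 192.168.1.0/24 and 192.168.3.0/24, and the ASA's inside interface ACL, if any, must permit the new subnet.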

10 Posts

February 12th, 2013 06:00

Willy, Thanks for your input.

The issue is really that, just because a firewall can route packets, that doesn't make it a router. It doesn't want to just direct the traffic, and it doesn't want traffic to go in and out of the same interface.

I need to change the network setup here and put an actual router between the network and the firewall. I guess I could go through and point all of my internal servers to the switch at 192.168.1.253 as their default gateway. I still have the bummer about not being able to directly access the management, although at least we only have a small NOC and a single location.
