Unsolved

June 4th, 2016 17:00

Routing outside the 6248

Alright, I know this is a basic question and I've done a bunch of looking around and hours' worth of trying different configurations with this 6248. Here's what I'm faced with:

  • I have a flat network at this point that is 192.168.1.0 /24.
  • I have a cable gateway modem at 192.168.1.1 that I use to get northbound to the Internet which is NOT capable of setting static routes.
  • DNS is a VM at 192.168.1.5.
  • My 6248 has several VLANs, all of which I want to route between: 1, 5, 6, etc.
  • I want every VLAN to be able to get internet access through the said cable gateway.
  • VLAN 1 is 192.168.1.0 /24 network.
  • Switch interface for VLAN 1 is 192.168.1.25
  • Switch interface for VLANs 5 and 6 are the .1 of their respective networks, so 192.168.5.1, etc.
  • Switch management interface is on VLAN 250 with IP of 192.168.250.250 /24
  • All existing and future VLANs will be simple /24 networks.
  • Nothing is plugged into this 6248 right now while I get the configuration right, aside from an uplink cable (access port) into the 192.168.1.0 /24 network, and a test connection to an ESXi host where I'm testing different VLAN connectivity through a VM port group.

And now, questions/problems:

  1. Since on this switch you cannot route between the management interface VLAN, I had to create this on VLAN 250. So right now, I can't connect to the management interface, but I can connect to the interface at 192.168.1.25. Given my network right now, how/where should I configure this switch management interface? Or is it fine like it is?

  2. Because my cable modem gateway is at 192.168.1.1, if I'm testing connectivity from VLANs 5 or 6, while I can reach everything on VLAN 1 (including those hosts not directly connected to the 6248), I cannot go northbound to the internet. I have also put a default route in the switch for 192.168.1.1, but that isn't working. If I am connected to the 6248, configure a port group on VLAN 1, and set the gateway on a test VM to point to 192.168.1.25, I can get out to the internet. I can also ping the router interfaces for VLANs 5 and 6.

Here is my config:

!Current Configuration:
!System Description "PowerConnect 6248, 3.3.14.2, VxWorks 6.5"
!System Software Version 3.3.14.2
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 5-6,250
vlan routing 1 1
vlan routing 5 2
vlan routing 6 3
exit
stack
member 1 2
exit
ip address 192.168.250.250 255.255.255.0
ip address vlan 250
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
interface vlan 1
routing
ip address 192.168.1.25 255.255.255.0
exit
interface vlan 5
name "test"
routing
ip address 192.168.5.1 255.255.255.0
exit
interface vlan 6
name "test"
routing
ip address 192.168.6.1 255.255.255.0
exit
username "admin" password db32549314c1390177c34647bf960343 level 15 encrypted
!
interface ethernet 1/g25
spanning-tree portfast
switchport mode trunk
switchport trunk allowed vlan add 1,5-6
exit
exit

5 Practitioner

274.2K Posts

June 6th, 2016 07:00

On the 6200 series switches, you can think of the "Management VLAN" as an OOB interface. It is not required that you manage the switch through this VLAN. You can manage the switch by accessing any of the IP addresses you have assigned to a VLAN.

Since your cable modem is not aware of the other VLANs, it won't know how to direct returning traffic destined for these other VLANs. The port on the 6248 that faces upstream should be in access mode for VLAN 1. Then your upstream device needs to have the ability to have static routes in place that direct returning traffic.

Just like the switch has a static route directing traffic out.

ip route 0.0.0.0 0.0.0.0 192.168.1.1

The upstream device would need routes back.

ip route 192.168.5.0 255.255.255.0 192.168.1.25

ip route 192.168.6.0 255.255.255.0 192.168.1.25

Typically this would be facilitated by a firewall. As an example, here is a KB article on static routes on a SonicWall.

http://dell.to/1SdpdUh
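The return-path problem described in the answer above, modelled as an added example (not part of the original thread, and not Dell's code). It assumes the upstream device does a plain longest-prefix route lookup on the reply's LAN destination after reversing NAT; the table contents are constructed from the addresses in this thread, and the names `lookup`, `trace` and `return_path` are hypothetical.

```python
import ipaddress

# Constructed routing tables built from the addresses in this thread.
# Each entry: (destination prefix, next hop); None means directly connected.
SWITCH = [("192.168.1.0/24", None), ("192.168.5.0/24", None),
          ("192.168.6.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
MODEM_NO_STATIC = [("192.168.1.0/24", None), ("0.0.0.0/0", "WAN")]
UPSTREAM_WITH_STATIC = MODEM_NO_STATIC + [
    ("192.168.5.0/24", "192.168.1.25"), ("192.168.6.0/24", "192.168.1.25")]

# Which device owns each next-hop address (assumption of this model).
OWNER = {"192.168.1.25": "switch", "192.168.1.1": "upstream"}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def trace(tables, start, dst, max_hops=8):
    """Follow a packet device by device; return (path, outcome)."""
    device, path = start, []
    for _ in range(max_hops):
        path.append(device)
        match = lookup(tables[device], dst)
        if match is None:
            return path, "dropped: no route"
        net, hop = match
        if hop is None:
            return path, "delivered on connected " + str(net)
        if hop == "WAN":
            return path, "forwarded out WAN"
        device = OWNER[hop]
    return path, "routing loop"


def return_path(upstream_table, dst):
    """Reply traffic arriving at the upstream device for a LAN host."""
    tables = {"switch": SWITCH, "upstream": upstream_table}
    return trace(tables, "upstream", dst)
```

With `MODEM_NO_STATIC`, a reply for 192.168.5.2 matches only the default route and leaves via the WAN again; with `UPSTREAM_WITH_STATIC` it is handed to 192.168.1.25 and delivered on VLAN 5.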

6 Posts

June 6th, 2016 08:00

Thanks for your reply, Daniel. So you're saying that unless my cable modem gateway is able to configure static routes, that this basically won't work, correct?

5 Practitioner

274.2K Posts

June 6th, 2016 09:00

Correct, you need a device that will have instructions on how to direct the returning traffic. There are open source software based options that you might look into.

This list has several free ones.

http://bit.ly/1suhgzT

6 Posts

June 6th, 2016 11:00

Let's assume for a moment that such a device was placed at 192.168.1.30 (so, on VLAN 1) as a virtual machine and that the 6248's interface at 192.168.1.25 still existed. Here are questions and assumptions I would ask to validate:

  1. The router at 192.168.1.30 must have a default route for 0.0.0.0  0.0.0.0  192.168.1.1, correct?
  2. The router at 192.168.1.30 must also have routes as you suggest directing traffic for VLANs 5 and 6 back to .30, correct?
  3. All hosts on VLAN 1 must have their gateways reconfigured to point to .30, which would either direct that traffic out to the cable modem gateway at 192.168.1.1, or to either VLANs 5 or 6, correct?

5 Practitioner

274.2K Posts

June 6th, 2016 12:00

1. This really depends on which product you are using. For instance, while configuring pfSense, the WAN interface is statically established, then the LAN interfaces. The default config will know to forward traffic out the WAN interface. Most routers/firewalls will have this dedicated WAN interface. 

2. The routes on 192.168.1.30 would direct vlan 5 and 6 traffic to 192.168.1.25.

3. The switch is still performing L3 functionality on your LAN, so end devices on VLAN 1 would still have a default gateway of 192.168.1.25. 

The static route on the switch would need to be changed to point to the Router/firewall.

ip route 0.0.0.0 0.0.0.0 192.168.1.30

From the little bit of information we have, it doesn't seem like the network you are working with is very large? How many devices are on the network? Is it imperative that they be in different VLANs? If possible, it may simplify things greatly if you can transition to a flat network. 

6 Posts

June 6th, 2016 13:00

Thanks again for the clarification, Daniel. As a last question, if a separate router *were* added into the picture with an existing cable modem/gateway and the 6248 switch functioning as L3, what would the "outside" interface be like versus the "inside" if the router is straddled entirely on VLAN 1?

The network as it sits now is very simple and, up to this point, has been completely flat. I am putting the 6248 into the picture in preparation for network virtualization, and to mimic a customer's datacenter network infrastructure. For this, I need a dedicated transport zone on its own VLAN, and additional VLANs are needed to simulate different sites for purposes of DR/BC testing.

5 Practitioner

274.2K Posts

June 6th, 2016 14:00

By default, the WAN interface is typically going to have certain protective measures in place to restrict traffic from entering your network, while the LAN side allows connection to WAN. As an example, here is an excerpt from the pfSense install document.

  • All incoming connections to WAN are blocked
  • All outgoing connections from LAN are allowed
  • NAT is performed on IPv4 traffic leaving WAN from the LAN subnet

When it comes to the flow of traffic though, the router will have the ability to take the returning traffic and direct it to the switch. The router may not know where 192.168.5.2 is, but because of the static route, it knows to forward the packet to 192.168.1.25. Whereas with the modem, it will receive a packet with a destination that it is not able to resolve.

Here is a post on the Cisco forums that may help to better explain this.

http://bit.ly/1suwipv

If your ESXi host has enough interfaces, you can set up pfSense as a guest OS.

http://bit.ly/1X7CWOX

I hope this helps.

6 Posts

June 7th, 2016 08:00

Thanks again, Daniel. I'm familiar with how such a device would work and the principles of it, just wasn't sure if its operation would work consistently with both legs in the same VLAN.

Let me run this scenario by you to see if return routing would work properly.

What if you put your cable modem/gateway on, say, VLAN 250 and set its IP as 192.168.250.2? You create VLAN 250 on the 6248, assign the switch's interface for that VLAN as 192.168.250.1, and plug an uplink from port g48 into the said cable modem/gateway, setting it as an access port for VLAN 250. All other ports on the 6248 are trunk ports for various other VLANs except for 250. The default route on the switch is set for 192.168.250.2, thereby sending all traffic to that address if it doesn't have an internal path for it. If a host on VLAN 6 (ex., 192.168.6.26) attempts to communicate northbound to the Internet, it sends its packet to the gateway--the switch's interface of 192.168.6.1--and the switch in turn forwards that on to 192.168.250.2, the cable modem/gateway. Since VLAN 250 is only used for that one switch interface, it is forcing it to talk to the cable modem/gateway. Would return traffic from the Internet get routed properly back to 192.168.6.26? Or would this still not work?

Apologies for any frustration. I'm trying to determine what's the simplest way to make this work while keeping the network and infrastructure to a minimum.

5 Practitioner

274.2K Posts

June 7th, 2016 09:00

It is not uncommon, and in several instances common practice, to dedicate subnets for connections from switch to router/firewall. Changing the setup to the one you described would not change the outcome. The switch does not have the ability to NAT.
