January 30th, 2014 15:00

Separate VLANS on same subnet causing problems.

Hi All,

I am trying to reduce the number of switches we have on our network.  Currently we have 3 switches.  One on the public side of the firewall, one behind the firewall, and lastly one after the layer 7 load balancer.

Internet (public IP) - Switch1 - firewall - Switch2 (10.x.x.x) - Load Balancer - Switch3 (10.x.x.x)

I'm trying to reduce the number of switches by using 1 Dell 6248 switch and creating 3 VLANS.

VLAN1 - Firewall - VLAN2 - Load Balancer - VLAN3

I tested to make sure that no traffic is able to traverse into a different VLAN.

Switch 1 and 2 were replaced with VLAN1 and VLAN2.  Everything is good up to this point.  The moment I connect servers to VLAN3, servers in VLAN are not accessible from VLAN1/2.  If I use a separate 6248 in place of VLAN3, everything works.

I'm out of ideas.  Can 2 different VLANs be on the same subnet (i.e. 10.x.x.x)?  I need to have all 3 VLANs completely separate from each other as if they are separate switches.

Any help is much appreciated.

Regards,

Victor

February 4th, 2014 14:00

I found out that VLANs on the same switch can not occupy the same IP addressing space.  Since VLAN2 and VLAN3 both had 10.x.x.x, it created havoc for the switch.  Creating VLANs is not the same as having separate switches.

Victor

January 31st, 2014 07:00

I don’t know that this is going to work quite like you anticipate it to. If this switch is acting as your layer 3 switch, you won't be able to place the same subnet on multiple VLANs; you will receive an error. If the switch is working in Layer 2 mode, you may theoretically be able to get it to work, but it sure would not be what is recommended.

How is this being cabled together? Is this switch layer 3 or 2?

January 31st, 2014 11:00

Routing has to be enabled on the switch, it is not enabled from the factory. Can you post up your running config along with which ports on the 6248 plug into which devices. I can't guarantee this will work, but we can try. What else does your load balancer plug into?

January 31st, 2014 11:00

Thanks for the extra info, that configuration is how I would set things up if I were to try this. I don't see any changes you could make to the configuration that would change the behavior. If the network load balancer is only connected to the 6248 and nothing else, what purpose is it serving on the network?

January 31st, 2014 11:00

Here is the config.

Internet -> (port2 on 6248) (port 12) -> firewall -> (port13 on 6248) -> (port 24 on 6248) -> port 1 Load balancer port2 -> (port25 on 6248) -> web server on port 26 on 6248.

VlanA port2-12

VlanB port13-24 (except 47+48)

VlanC port25-48 (except 45+46)

!Current Configuration:
!System Description "PowerConnect 6248, 3.3.8.2, VxWorks 6.5"
!System Software Version 3.3.8.2
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 2-4
exit
stack
member 1 2
exit
ip address 10.0.0.1 255.0.0.0
ip default-gateway 10.150.0.1
interface vlan 2
name "clientside"
exit
interface vlan 3
name "serverside"
exit
interface vlan 4
name "outside"
exit
username "removed from post"level 15 encrypted
monitor session 1 destination interface 1/g12
monitor session 1 source interface 1/g2
monitor session 1 source interface 1/g3
monitor session 1 source interface 1/g4
monitor session 1 source interface 1/g5
monitor session 1 mode
!
interface ethernet 1/g1
mtu 9216
exit
!
interface ethernet 1/g2
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g3
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g4
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g5
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g6
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g7
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g8
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g9
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g10
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g11
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g12
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g13
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g14
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g15
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g16
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g17
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g18
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g19
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g20
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g21
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g22
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g23
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g24
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g25
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g26
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g27
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g28
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g29
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g30
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g31
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g32
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g33
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g34
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g35
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g36
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g37
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g38
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g39
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g40
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g41
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g42
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g43
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g44
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g45
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g46
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g47
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g48
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/xg1
mtu 9216
exit
!
interface ethernet 1/xg2
mtu 9216
exit
!
interface ethernet 1/xg3
mtu 9216
exit
!
interface ethernet 1/xg4
mtu 9216
exit
enable password a1208ed11204cad632d752adbcd68ae8 encrypted
exit

January 31st, 2014 11:00

The load balancer is not connected to anything else.  port1 is upstream and port2 is downstream to the servers.

I'll post the config soon.

Victor

January 31st, 2014 11:00

Hi,

Firstly, thanks for your reply.  

Is the 6248 layer 3 by default from the factory?  How does one place this switch into layer 2 mode?

It's being cabled together in a flat network.  Internet -> Vlan1 -> firewall -> Vlan2 -> Port1 on Load Balancer port2  ->Vlan3 -> servers.  Vlan2 and Vlan3 need to be on the same network but the only device between them is the load balancer.

Regards,

Victor

January 31st, 2014 11:00

Correction, firewall public side is connected to port 11 on 6248 as port 12 is the destination to the mirrored ports 2,3,4,5.

Web servers are unreachable when the last VLAN is connected to the web servers.  Only when I use a separate switch, it works.

Victor

January 31st, 2014 11:00

The load balancer sits in between the web servers and the rest of the network.  It listens for HTTP requests on port 1 and distributes the load on port2 where the servers are located.

There are other minor servers connected right behind the firewall so there needs to be a Vlan in the "middle"

If there were any traffic "leaking" between the last 2, I'd think there would be a network loop as you could just pretend the load balancer as a piece of network cable.

Victor

January 31st, 2014 13:00

Alteon 184.

I'll do some tests Monday.  It's a production environment so I can't experiment too much.  I'll first see if I have enough equipment to reproduce this in a lab environment.

Maybe I'm just grasping at straws...but....

I wonder if the load balancer gets confused with MAC addresses.  Will each VLAN have the same MAC address? So port1/2 (upstream and downstream) on the load balancer see the same MAC on the 2 ports and just get confused.

Anyways, thanks for all the help so far.  It's giving me ideas.

Regards,

Victor

January 31st, 2014 13:00

What brand/model is the load balancer being used? If you take the load balancer out and put a cable in its place, does traffic flow?

February 5th, 2014 05:00

Thanks for keeping us updated, sorry this won't work how you would like.

February 6th, 2014 14:00

Hello,

A quick answer would be to ensure that your switch does not have ip routing enabled.

Without IP routing the switch is just layer 2, and you might be able to do what you are trying.

If you have IP routing enabled:

This will not work for multiple reasons. While having the same subnets on different VLANs is possible (at layer 2, only MACs matter, IP doesn't come into play), the problem comes into play the moment you have to do routing. You can't have the same subnets on more than 1 port of the router.

If you try doing inter-VLAN routing on the switch it won't work.

If you try routing through the firewall, it still won't work.

Think of it this way, traffic from 10.*.*.1/8 doesn't need routing to get to 10.10.*.1/8 but traffic from 10.10.10.1/24 will need routing to get to 10.10.20.1/24

Your problem might go away if you narrow down your network to /24 or something like that.
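
Added example, not part of the original thread and not any poster's code: a Python check for the condition the replies describe, run before consolidating switches. It maps ports to access VLANs from a running config, looks for a global `ip routing` line, and flags VLANs whose planned subnets overlap. The config excerpt and both addressing plans are constructed; treating `ip routing` as the layer 3 marker and VLAN 1 as the default for unassigned ports are assumptions.

```python
import ipaddress
import re

# Constructed excerpt in the style of the running config posted in this thread.
SAMPLE_CONFIG = """\
interface ethernet 1/g1
mtu 9216
exit
interface ethernet 1/g12
switchport access vlan 4
exit
interface ethernet 1/g13
switchport access vlan 2
exit
interface ethernet 1/g25
switchport access vlan 3
exit
"""

# Hypothetical addressing plans: VLAN ID -> subnet intended for that VLAN.
PLAN_FLAT = {2: "10.0.0.0/8", 3: "10.0.0.0/8", 4: "203.0.113.0/24"}
PLAN_SPLIT = {2: "10.10.10.0/24", 3: "10.10.20.0/24", 4: "203.0.113.0/24"}

def parse_access_vlans(config):
    """Map each port to its access VLAN; a port with no statement is assumed to stay in VLAN 1."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        iface = re.match(r"interface ethernet (\S+)$", line)
        vlan = re.match(r"switchport access vlan (\d+)$", line)
        if iface:
            current = iface.group(1)
            ports[current] = 1
        elif vlan and current:
            ports[current] = int(vlan.group(1))
        elif line == "exit":
            current = None
    return ports

def routing_enabled(config):
    """True if a global 'ip routing' line is present (assumed layer 3 marker)."""
    return any(line.strip() == "ip routing" for line in config.splitlines())

def overlapping_vlans(plan):
    """Return VLAN pairs whose planned subnets overlap."""
    nets = sorted((v, ipaddress.ip_network(c)) for v, c in plan.items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]
```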
