Unsolved
March 25th, 2016 18:00
N3048 Not Forwarding Traffic Based On L3+ Data
I have a rather unusual puzzle going on with my N3048 switch stack that I'm unable to piece together. I'm trying to consolidate some equipment from an old Netgear Prosafe unmanaged switch onto my PowerConnect switches, but when I transfer them over, this change in L2 topology creates an impact on traffic delivery based on L3 data.
My network is connected as shown in the diagram below. The intent is to move all the hosts connected to the Netgear to the PowerConnect, then reconnect the router to the PowerConnect and remove the Netgear. Before moving from the Netgear, hosts are able to be reached by other hosts on the local network as well as by hosts in network 1. After moving to the PowerConnect, only hosts on the local network can reach the device.
I ran a Wireshark capture on the host and the router. No changes were observed in the traffic coming from the router, but after moving from the Netgear to the PowerConnect, no frames containing packets from network 1 were delivered to the host. I also ran a ping from the router interface directly and those arrived at the host just fine, despite having the exact same Ethernet headers as the frames containing the network 1 packets that never arrived!
Since the traffic is entering the PowerConnect, but never being forwarded, I can only assume this is an issue with the PowerConnect switch. Since the PowerConnect is not doing routing on this VLAN, that seems extremely strange. No ACLs of any kind are defined on the PowerConnect switch. Can anyone offer any insight into this bizarre behavior?
PacketPusher
March 28th, 2016 09:00
@Dell-Daniel C
Network 1 is the primary internal VLAN for our network. The network with the Netgear is a semi-isolated network for certain things like our door controllers. Below is a more detailed drawing of the network to give a more complete picture. Yes, I realize the silliness of using a second cable from the router to the switch, but this is a "get it done" design and should work just fine.
When I move the connection from the router (a Fortigate 200B) to the Dell switch, the same behavior happens as if I'd moved all the devices from the Netgear to the Dell; connections from within the same subnet work, connections to the WAN work, but frames containing packets from our internal LAN are dropped at the Dell switch. This also happens if all connections are attached to the Dell, with the Netgear shut down.
Below is also a screenshot of the pcap off the router's interface as displayed in Wireshark. The Ethernet headers are identical, but one frame was sent as a ping from the router's local interface and the other contained a packet routed from one of the client subnets.
PacketPusher
March 28th, 2016 12:00
@Dell-Daniel C
That's mostly correct, except the traffic does flow on the red path until the Netgear is replaced with the VLAN on the PowerConnect or the VLAN on the PowerConnect sits anywhere between the host and the router. VLAN routing is also handled by the Dell switch, with the Fortigate as the default router and serving as the router for our DMZ and the isolated security network in question (listed as VLAN 2 in your diagram).
The config is attached to this post, with some minor edits, such as removing the enable password and snipping unrelated interfaces for length. The new VLAN created for this project is 130, and is applied to gi1/0/43-46 and gi2/0/43-46. The connection to the Fortigate is on VLAN 1 and is on port Gi1/0/41. The client subnet I'm connecting from is VLAN 132, and I'm trunking in from one of the ten gig interfaces.
!Current Configuration:
!System Description "Dell Networking N3048, 6.2.7.2, Linux 3.6.5-50bbccb7"
!System Software Version 6.2.7.2
!
configure
vlan 100,110,116,120,130,132,148,164,180,196,1096
exit
vlan 1
vlan association subnet 192.168.10.0 255.255.255.0
exit
vlan 100
name "Voice"
vlan association subnet 10.0.0.0 255.255.0.0
exit
vlan 110
name "WAN2"
exit
vlan 116
name "Upstairs"
vlan association subnet 10.16.0.0 255.255.0.0
exit
vlan 120
name "WAN1"
exit
vlan 130
name "Fire_Sec_Net"
exit
vlan 132
name "Downstairs"
vlan association subnet 10.32.0.0 255.255.0.0
exit
vlan 148
name "Servers"
vlan association subnet 10.48.0.0 255.255.0.0
exit
vlan 164
name "Wireless"
vlan association subnet 10.64.0.0 255.255.0.0
exit
vlan 180
name "Guest"
vlan association subnet 10.80.0.0 255.255.0.0
exit
vlan 196
name "Printers"
vlan association subnet 10.96.0.0 255.255.255.0
exit
vlan 1096
name "Management"
vlan association subnet 10.96.16.0 255.255.255.0
exit
hostname "Server_Room-3048-Stack"
slot 1/0 3 ! Dell Networking N3048
slot 1/1 10 ! Dell SFP+ Card
slot 2/0 3 ! Dell Networking N3048
slot 2/1 10 ! Dell SFP+ Card
stack
member 1 4 ! N3048
member 2 4 ! N3048
exit
ip routing
ip helper-address 10.48.16.3 dhcp
interface vlan 1
ip address 192.168.10.1 255.255.255.0
bandwidth 10000
exit
interface vlan 100
ip address 10.0.0.1 255.255.0.0
bandwidth 10000
exit
interface vlan 116
ip address 10.16.0.1 255.255.0.0
bandwidth 10000
ip helper-address 10.48.16.3 dhcp
ip helper-address 10.48.16.4 dhcp
ip helper-address 10.48.64.13 dhcp
exit
interface vlan 132
ip address 10.32.0.1 255.255.0.0
bandwidth 10000
ip helper-address 10.48.16.3 dhcp
ip helper-address 10.48.16.4 dhcp
ip helper-address 10.48.64.13 dhcp
exit
interface vlan 148
ip address 10.48.0.1 255.255.0.0
bandwidth 10000
exit
interface vlan 164
ip address 10.64.0.1 255.255.0.0
bandwidth 10000
ip helper-address 10.48.16.3 dhcp
ip helper-address 10.48.16.4 dhcp
exit
interface vlan 180
ip address 10.80.0.1 255.255.0.0
bandwidth 10000
exit
interface vlan 196
ip address 10.96.0.1 255.255.255.0
bandwidth 10000
exit
interface vlan 1096
ip address 10.96.16.1 255.255.255.0
bandwidth 10000
exit
ip default-gateway 192.168.10.254
voice vlan
spanning-tree priority 16384
!
interface Gi1/0/41
description "Fortigate"
switchport general allowed vlan add 164 tagged
exit
!
interface Gi1/0/43
switchport access vlan 130
exit
!
interface Gi1/0/44
switchport access vlan 130
exit
!
interface Gi1/0/45
switchport access vlan 130
exit
!
interface Gi1/0/46
switchport access vlan 130
exit
!
interface Gi2/0/43
switchport access vlan 130
exit
!
interface Gi2/0/44
switchport access vlan 130
exit
!
interface Gi2/0/45
switchport access vlan 130
exit
!
interface Gi2/0/46
switchport access vlan 130
exit
!
PacketPusher
March 28th, 2016 14:00
I don't think it's a spanning tree problem, as if it were, the port would be in a down state, meaning that no traffic would flow. If that were the case, how would the traffic be so selectively lost? The only time I see STP causing selective traffic loss is when something like PVST is involved, and since these are access ports and some traffic is flowing, that just doesn't seem to be a good fit for the symptoms.
We also see that when the Netgear is connected between the Fortigate and the Dell switch (at which point any host on the Dell switch's VLAN doesn't work in the way described above) we see that the RSTP process puts the port into a forwarding state as expected. In the below line, the Netgear was attached to the Dell stack at Gi1/0/44 and here is the sho sp output:
Gi1/0/44 Enabled 128.44 20000 FWD Desg No
The Fortigate has static routes back to the client VLANs as well as a route out its own interface to the 192.168.250.0/24 network (the one used by the network in question) and it works when the Netgear is connected, but not when the PowerConnect switch is in the switching path. Even if the routing was wrong, we should still see the return frame come back to the Fortigate's interface, even if the Fortigate dropped it when it went to forward it, but we're not seeing that happen, nor are we seeing it arrive on the destination host to be responded to.
The existence of 164 on that interface is an error, but the port is in access mode, so the general mode configs shouldn't affect it. I'll strip that off to avoid future confusion. Thanks for catching that.
Quite the poser, isn't it? :)
Thanks for the input. Let me know if you have any more thoughts!
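
An added example (not part of the original thread, and not Dell's code): a check of the `vlan association subnet` entries in the posted configuration against the source address of untagged frames arriving on a VLAN 130 access port. It assumes a frame whose source IP matches an association is classified into that VLAN ahead of the port's access VLAN; the two source addresses and the longest-match tie-break are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the VLAN database from the configuration posted above.
CONFIG = """\
vlan 1
vlan association subnet 192.168.10.0 255.255.255.0
exit
vlan 130
name "Fire_Sec_Net"
exit
vlan 132
name "Downstairs"
vlan association subnet 10.32.0.0 255.255.0.0
exit
"""

def parse_associations(config):
    """Return [(network, vlan_id)] from 'vlan association subnet' lines."""
    assoc, vlan = [], None
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            vlan = int(m.group(1))
        elif line == "exit":
            vlan = None
        elif vlan is not None and line.startswith("vlan association subnet "):
            addr, mask = line.split()[3:5]
            assoc.append((ipaddress.ip_network(f"{addr}/{mask}"), vlan))
    return assoc

def classify(src_ip, port_vlan, assoc):
    """VLAN an untagged frame lands in: subnet association, else port VLAN."""
    # Assumption: subnet association wins over the port VLAN; longest match first.
    ip = ipaddress.ip_address(src_ip)
    hits = [(net.prefixlen, vid) for net, vid in assoc if ip in net]
    return max(hits)[1] if hits else port_vlan

def audit(sources, port_vlan, config=CONFIG):
    """Map each source IP to (classified_vlan, stays_in_port_vlan)."""
    assoc = parse_associations(config)
    vids = {s: classify(s, port_vlan, assoc) for s in sources}
    return {s: (v, v == port_vlan) for s, v in vids.items()}

if __name__ == "__main__":
    # Constructed sources: router interface on 192.168.250.0/24, a VLAN 132 client.
    for src, (vid, ok) in audit(["192.168.250.1", "10.32.4.20"], 130).items():
        print(f"{src}: VLAN {vid} {'ok' if ok else 'LEAVES port VLAN 130'}")
```

Any source flagged as leaving the port VLAN is worth comparing against the switch's own view of its subnet associations before looking further at STP or routing.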