January 30th, 2014 15:00
Separate VLANS on same subnet causing problems.
Hi All,
I am trying to reduce the number of switches we have on our network. Currently we have 3 switches. One on the public side of the firewall, one behind the firewall, and lastly one after the layer 7 load balancer.
Internet (public IP) - Switch1 - firewall - Switch2 (10.x.x.x) - Load Balancer - Switch3 (10.x.x.x)
I'm trying to reduce the number of switches by using 1 Dell 6248 switch and creating 3 VLANS.
VLAN1 - Firewall - VLAN2 - Load Balancer - VLAN3
I tested to make sure that no traffic is able to traverse into a different VLAN.
Switch 1 and 2 were replaced with VLAN1 and VLAN2. Everything is good up to this point. The moment I connect servers to VLAN3, servers in VLAN3 are not accessible from VLAN1/2. If I use a separate 6248 in place of VLAN3, everything works.
I'm out of ideas. Can 2 different VLANs be on the same subnet (i.e. 10.x.x.x)? I need to have all 3 VLANs completely separate from each other, as if they are separate switches.
Any help is much appreciated.
Regards,
Victor
Victor_Nomura
February 4th, 2014 14:00
I found out that VLANs on the same switch can not occupy the same IP addressing space. Since VLAN2 and VLAN3 both had 10.x.x.x, it created havoc for the switch. Creating VLANs is not the same as having separate switches.
Victor
Victor_Nomura
January 31st, 2014 11:00
Here is the config.
Internet -> (port2 on 6248) (port 12) -> firewall -> (port13 on 6248) -> (port 24 on 6248) -> port 1 Load balancer port 2 -> (port25 on 6248) -> web server on port 26 on 6248.
VlanA port2-12
VlanB port13-24 (except 47+48)
VlanC port25-48 (except 45+46)
!Current Configuration:
!System Description "PowerConnect 6248, 3.3.8.2, VxWorks 6.5"
!System Software Version 3.3.8.2
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 2-4
exit
stack
member 1 2
exit
ip address 10.0.0.1 255.0.0.0
ip default-gateway 10.150.0.1
interface vlan 2
name "clientside"
exit
interface vlan 3
name "serverside"
exit
interface vlan 4
name "outside"
exit
username "removed from post" level 15 encrypted
monitor session 1 destination interface 1/g12
monitor session 1 source interface 1/g2
monitor session 1 source interface 1/g3
monitor session 1 source interface 1/g4
monitor session 1 source interface 1/g5
monitor session 1 mode
!
interface ethernet 1/g1
mtu 9216
exit
!
interface ethernet 1/g2
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g3
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g4
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g5
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g6
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g7
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g8
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g9
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g10
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g11
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g12
mtu 9216
switchport access vlan 4
exit
!
interface ethernet 1/g13
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g14
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g15
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g16
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g17
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g18
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g19
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g20
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g21
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g22
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g23
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g24
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g25
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g26
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g27
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g28
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g29
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g30
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g31
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g32
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g33
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g34
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g35
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g36
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g37
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g38
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g39
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g40
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g41
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g42
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g43
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g44
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g45
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g46
mtu 9216
switchport access vlan 2
exit
!
interface ethernet 1/g47
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/g48
mtu 9216
switchport access vlan 3
exit
!
interface ethernet 1/xg1
mtu 9216
exit
!
interface ethernet 1/xg2
mtu 9216
exit
!
interface ethernet 1/xg3
mtu 9216
exit
!
interface ethernet 1/xg4
mtu 9216
exit
enable password a1208ed11204cad632d752adbcd68ae8 encrypted
exit
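The config above maps every access port to one of VLANs 2, 3 and 4 by hand, which is exactly where segmentation mistakes hide. As an added example (not code from the thread or from Dell), here is a small Python audit that parses PowerConnect-style `interface ethernet 1/gN` / `switchport access vlan N` blocks, the `interface vlan N` / `name` blocks and the `monitor session` lines, then compares the resulting membership with the intended port ranges. The config text is a constructed excerpt in the same shape as the posted one, not the full config; the assumption that a port with no `switchport access vlan` line sits in VLAN 1 is the usual PowerConnect default and is marked as an assumption in the code.

```python
"""Audit VLAN port membership in a PowerConnect-style running config (added example)."""
import re
from collections import defaultdict


def _iface(port, vlan=None):
    """Build one constructed `interface ethernet 1/gN` block in the posted format."""
    lines = [f"interface ethernet 1/g{port}", "mtu 9216"]
    if vlan is not None:
        lines.append(f"switchport access vlan {vlan}")
    return "\n".join(lines + ["exit", "!"])


# Constructed excerpt: a handful of representative ports, not the whole config.
SAMPLE_CONFIG = "\n".join([
    "configure", "vlan database", "vlan 2-4", "exit",
    "interface vlan 2", 'name "clientside"', "exit",
    "interface vlan 3", 'name "serverside"', "exit",
    "interface vlan 4", 'name "outside"', "exit",
    "monitor session 1 destination interface 1/g12",
    "monitor session 1 source interface 1/g2",
    _iface(1), _iface(2, 4), _iface(12, 4), _iface(13, 2),
    _iface(25, 3), _iface(45, 2), _iface(47, 3),
])

IFACE_RE = re.compile(r"^interface ethernet 1/g(\d+)$")
ACCESS_RE = re.compile(r"^switchport access vlan (\d+)$")
VLAN_IF_RE = re.compile(r"^interface vlan (\d+)$")
NAME_RE = re.compile(r'^name "([^"]*)"$')
MIRROR_RE = re.compile(r"^monitor session \d+ (source|destination) interface 1/g(\d+)$")


def parse_config(text):
    """Return (port -> access VLAN, VLAN id -> name, mirror roles -> ports)."""
    port_vlan, vlan_name = {}, {}
    mirror = {"source": [], "destination": []}
    current_port = current_vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := IFACE_RE.match(line)):
            current_port, current_vlan = int(m.group(1)), None
            # Assumption: a port with no access-VLAN line is untagged in VLAN 1.
            port_vlan[current_port] = 1
        elif (m := ACCESS_RE.match(line)) and current_port is not None:
            port_vlan[current_port] = int(m.group(1))
        elif (m := VLAN_IF_RE.match(line)):
            current_vlan, current_port = int(m.group(1)), None
        elif (m := NAME_RE.match(line)) and current_vlan is not None:
            vlan_name[current_vlan] = m.group(1)
        elif (m := MIRROR_RE.match(line)):
            mirror[m.group(1)].append(int(m.group(2)))
        elif line == "exit":
            current_port = current_vlan = None
    return port_vlan, vlan_name, mirror


def membership(port_vlan):
    """Invert the port map: VLAN id -> sorted list of member ports."""
    by_vlan = defaultdict(list)
    for port, vlan in sorted(port_vlan.items()):
        by_vlan[vlan].append(port)
    return dict(by_vlan)


def check_intent(port_vlan, intent):
    """intent: {vlan: set(ports)}. Return (port, actual_vlan, expected_vlan) mismatches."""
    expected = {p: v for v, ports in intent.items() for p in ports}
    return [(p, port_vlan.get(p), v)
            for p, v in sorted(expected.items()) if port_vlan.get(p) != v]


def mirror_destinations(port_vlan, mirror):
    """Mirror destination ports still carry an access VLAN; report them so nothing
    production-facing is cabled there (the thread moved the firewall off g12)."""
    return [(p, port_vlan.get(p)) for p in mirror["destination"]]


if __name__ == "__main__":
    pv, names, mir = parse_config(SAMPLE_CONFIG)
    for vlan, ports in membership(pv).items():
        print(f"VLAN {vlan} ({names.get(vlan, 'default')}): ports {ports}")
    print("mismatches:", check_intent(pv, {4: {2, 12}, 2: {13, 45}, 3: {25, 47}}))
    print("mirror destinations:", mirror_destinations(pv, mir))
```

Running it against the real config is a matter of replacing `SAMPLE_CONFIG` with the saved `show running-config` output; the intent table is where you write down what each VLAN is supposed to contain, so that a port quietly left in VLAN 1 or moved to the wrong VLAN shows up as a mismatch instead of as an unexplained reachability problem.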
Victor_Nomura
January 31st, 2014 11:00
The load balancer is not connected to anything else. port1 is upstream and port2 is downstream to the servers.
I'll post the config soon.
Victor
Victor_Nomura
January 31st, 2014 11:00
Hi,
Firstly, thanks for your reply.
Is the 6248 layer 3 by default from the factory? How does one place this switch into layer 2 mode?
It's being cabled together in a flat network. Internet -> Vlan1 -> firewall -> Vlan2 -> Port1 on Load Balancer port2 ->Vlan3 -> servers. Vlan2 and Vlan3 need to be on the same network but the only device between them is the load balancer.
Regards,
Victor
Victor_Nomura
January 31st, 2014 11:00
Correction, the firewall public side is connected to port 11 on the 6248, as port 12 is the destination for the mirrored ports 2, 3, 4, 5.
Web servers are unreachable when the last VLAN is connected to the web servers. It works only when I use a separate switch.
Victor
Victor_Nomura
January 31st, 2014 11:00
The load balancer sits in between the web servers and the rest of the network. It listens for HTTP requests on port 1 and distributes the load on port2 where the servers are located.
There are other minor servers connected right behind the firewall, so there needs to be a VLAN in the "middle".
If there were any traffic "leaking" between the last 2, I'd think there would be a network loop, as you could just pretend the load balancer is a piece of network cable.
Victor
Victor_Nomura
January 31st, 2014 13:00
Alteon 184.
I'll do some tests Monday. It's a production environment so I can't experiment too much. I'll first see if I have enough equipment to reproduce this in a lab environment.
Maybe I'm just grasping at straws...but....
I wonder if the load balancer gets confused with MAC addresses. Will each VLAN have the same MAC address? So port1/2 (upstream and downstream) on the load balancer see the same MAC on the 2 ports and just get confused.
Anyways, thanks for all the help so far. It's giving me ideas.
Regards,
Victor
StealthSingh
February 6th, 2014 14:00
Hello,
A quick answer would be to ensure that your switch does not have ip routing enabled.
Without IP routing the switch is just layer 2, and you might be able to do what you are trying.
If you have IP routing enabled:
This will not work for multiple reasons. While having the same subnets on different VLANs is possible (at layer 2 only MACs matter; IP doesn't come into play), the problem comes into play the moment you have to do routing. You can't have the same subnet on more than 1 port of the router.
If you try doing inter-VLAN routing on the switch, it won't work.
If you try routing through the firewall, it still won't work.
Think of it this way, traffic from 10.*.*.1/8 doesn't need routing to get to 10.10.*.1/8 but traffic from 10.10.10.1/24 will need routing to get to 10.10.20.1/24
Your problem might go away if you narrow down your network to /24 or something like that.
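The /8 versus /24 point in the answer above, and the conclusion reached earlier in the thread that VLANs on one switch cannot share an address space once the switch routes, both reduce to two checks: do two hosts share a network (so the frame is switched, no router involved), and do two VLAN interfaces' networks overlap (so a router would have the same prefix on two ports). As an added example that is not part of the thread, this Python uses the standard `ipaddress` module to make both checks explicit; the VLAN interface addresses are constructed for the example and are not the poster's.

```python
"""Same-subnet vs routed reachability, and overlapping VLAN subnets (added example)."""
import ipaddress


def same_subnet(a, b):
    """True when 'addr/prefix' strings a and b fall in the same network.

    Same network means the sender ARPs for the destination directly and the
    traffic is switched inside the VLAN; different networks mean a router hop."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def overlapping_vlan_subnets(vlan_ifaces):
    """vlan_ifaces: {vlan_id: 'addr/prefix'} for each routed VLAN interface.

    Returns the VLAN pairs whose networks overlap. A router cannot hold the same
    (or a nested) prefix on two interfaces, which is the failure the thread hit
    once VLAN2 and VLAN3 both lived in 10.0.0.0/8."""
    items = sorted(vlan_ifaces.items())
    hits = []
    for i, (v1, a1) in enumerate(items):
        n1 = ipaddress.ip_interface(a1).network
        for v2, a2 in items[i + 1:]:
            if n1.overlaps(ipaddress.ip_interface(a2).network):
                hits.append((v1, v2))
    return hits


def path_kind(src, dst):
    """Label a flow as 'switched' (same network) or 'routed'."""
    return "switched" if same_subnet(src, dst) else "routed"


if __name__ == "__main__":
    # The /8 case from the answer: no routing needed, every 10.x host is a neighbour.
    print("10.0.0.1/8 -> 10.10.0.1/8:", path_kind("10.0.0.1/8", "10.10.0.1/8"))
    # The /24 case: a router must sit between the two networks.
    print("10.10.10.1/24 -> 10.10.20.1/24:", path_kind("10.10.10.1/24", "10.10.20.1/24"))

    # Constructed VLAN interface table matching the thread's layout: both inside
    # VLANs carved out of 10.0.0.0/8, the outside VLAN on a documentation prefix.
    wide = {2: "10.0.0.1/8", 3: "10.0.0.2/8", 4: "203.0.113.1/24"}
    print("overlaps with /8 on both inside VLANs:", overlapping_vlan_subnets(wide))

    # The same VLANs after narrowing to /24 as the answer suggests.
    narrow = {2: "10.10.10.1/24", 3: "10.10.20.1/24", 4: "203.0.113.1/24"}
    print("overlaps after narrowing to /24:", overlapping_vlan_subnets(narrow))
```

The first call reports the two 10.x hosts as switched and the two /24 hosts as routed; the overlap check flags VLANs 2 and 3 while both are /8 and reports nothing once they are distinct /24s, which is the situation in which the switch (or the firewall) can route between them without ambiguity.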