
2 Intern

203 Posts

April 25th, 2007 11:00

6224 not getting to internet

Internal DHCP works for all the scopes per VLAN.
I can ping the DHCP server and client PCs.
 
Our network is through a WatchGuard firewall, 192.168.111.1.
The 6224 port g1 is the direct connection to the watchguard.
The 6224 port g2 is the direct connection to the child switches and servers.
 
The laptop connected to g11 is trying to connect to the internet.
 
 

!Current Configuration:
!System Description "Dell PowerConnect"
!System Software Version 1.0.0.27
!
configure
vlan database
vlan 111,115-117
exit

snmp-server location "ServerRoom"
snmp-server contact "IT Deparment"
hostname "CORE1"
stack
member 1 1
exit

ip address 192.168.2.1 255.255.255.0
ip domain-name internal
ip name-server 192.168.111.36
ip name-server 192.168.111.37

interface vlan 111
name "SW-PTR-SERVER"
routing
ip address 192.168.111.254 255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit

interface vlan 115
name "TEST PROGRAMS"
routing
ip address 192.168.115.254 255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit

interface vlan 116
name "EMPLOYEES"
routing
ip address 192.168.116.254 255.255.255.0
ip local-proxy-arp
exit

interface vlan 117
name "ACCT-EXEC"
routing
ip address 192.168.117.254 255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit

ip routing
ip route 0.0.0.0 0.0.0.0 192.168.111.1
bootpdhcprelay enable
bootpdhcprelay serverip 192.168.111.37
username "xxxxxxxxx" password xxxxxxxxxxxxxxxxxxx level 15 encrypted
line console
password xxxxxxxxxxxxx encrypted
exit
line telnet
password xxxxxxxxxxxxxxx encrypted
exit
!

interface ethernet 1/g1
description 'To WatchGuard Trusted'
spanning-tree cost 20000
spanning-tree portfast
switchport mode general
switchport general pvid 111
no switchport general acceptable-frame-type tagged-only
switchport general ingress-filtering disable
switchport general allowed vlan add 111 untagged
switchport general allowed vlan add 115 untagged
switchport general allowed vlan add 116 untagged
switchport general allowed vlan add 117 untagged
exit
!

interface ethernet 1/g2
description 'To Switch1P3'
switchport mode trunk
switchport trunk allowed vlan add 111
switchport trunk allowed vlan add 115
switchport trunk allowed vlan add 116
switchport trunk allowed vlan add 117
switchport trunk allowed vlan remove 1
exit
!

interface ethernet 1/g5
switchport mode trunk
switchport trunk allowed vlan add 111
switchport trunk allowed vlan add 115
switchport trunk allowed vlan add 116
switchport trunk allowed vlan add 117
switchport trunk allowed vlan remove 1
exit
!

interface ethernet 1/g7
switchport mode trunk
switchport trunk allowed vlan add 111
switchport trunk allowed vlan add 115
switchport trunk allowed vlan add 116
switchport trunk allowed vlan add 117
switchport trunk allowed vlan remove 1
exit
!

interface ethernet 1/g11
spanning-tree portfast
switchport access vlan 111
exit
!

interface ethernet 1/g15
spanning-tree portfast
switchport access vlan 115
exit
!

interface ethernet 1/g16
switchport access vlan 116
exit
!

interface ethernet 1/g17
spanning-tree portfast
switchport access vlan 117
exit
exit

 

909 Posts

April 25th, 2007 13:00

Do these tests:
 
from the g11 connected PC:
- ping the switch (192.168.111.254)
- ping the firewall (192.168.111.1)
- ping your ISP
 
Some suggestions:
 
Make sure your PC has the correct default gateway (192.168.111.254) and dns servers(192.168.111.36 and 192.168.111.37).
 
It looks a little confusing that you have all the VLANs going to the firewall.  I suggest putting the firewall in its own vlan.  This will send only internet destined traffic to the firewall.  Currently the firewall is seeing all broadcast and multicast traffic on all your vlans.
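As an added illustration (not code from this thread, from Dell or from either poster), a small Python audit of the three points raised above: several VLANs left untagged on one port, a default-route next hop that no routed VLAN interface can reach, and a telnet management line. It assumes a PowerConnect-style text config; the excerpt below is constructed from the posted one, not copied whole.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in this thread (not the poster's full file).
SAMPLE_CONFIG = """\
interface vlan 111
ip address 192.168.111.254 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.111.1
line telnet
password xxxxxxxx encrypted
exit
interface ethernet 1/g1
switchport mode general
switchport general allowed vlan add 111 untagged
switchport general allowed vlan add 115 untagged
exit
"""

def parse(cfg):
    """Pull routed VLAN subnets, the default route, per-port untagged VLANs and telnet state."""
    svis, untagged, section, gw, telnet = {}, {}, None, None, False
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"interface (vlan \d+|ethernet \S+)", line):
            section = m.group(1)
        elif line == "exit":
            section = None
        elif line == "line telnet":
            telnet = True
        elif section and (m := re.match(r"ip address (\S+) (\S+)", line)):
            # dotted netmask is accepted by ipaddress; keep only the subnet
            svis[section] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif section and (m := re.match(r"switchport general allowed vlan add (\d+) untagged", line)):
            untagged.setdefault(section, set()).add(int(m[1]))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            gw = ipaddress.ip_address(m[1])
    return svis, gw, untagged, telnet

def audit(cfg):
    """Return a list of findings; an empty list means none of the three checks fired."""
    svis, gw, untagged, telnet = parse(cfg)
    findings = []
    for port, vlans in untagged.items():
        if len(vlans) > 1:  # the neighbour sees every VLAN's broadcasts and cannot tell them apart
            findings.append(f"{port}: VLANs {sorted(vlans)} all untagged")
    if gw is not None and not any(gw in net for net in svis.values()):
        findings.append(f"default route next hop {gw} is not in any routed VLAN subnet")
    if telnet:
        findings.append("telnet line configured: cleartext management channel")
    return findings
```

Run `audit(SAMPLE_CONFIG)` as posted and again with the next hop moved to 192.168.107.1 without an `interface vlan 107`; the second run adds the unreachable-gateway finding.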

2 Intern

203 Posts

April 25th, 2007 14:00

Do these tests:
 
from the g11 connected PC:
- ping the switch (192.168.111.254): pings great, 0ms
- ping the firewall (192.168.111.1): request timed out
- ping your ISP: pings great, 20ms
 
Some suggestions:
 
Make sure your PC has the correct default gateway (192.168.111.254) and dns servers(192.168.111.36 and 192.168.111.37).
 
ipconfig /all on the laptop:
dhcp enabled: yes
autoconfig enabled: yes
ip: 192.168.111.3
subnet: 255.255.255.0
default g/w: 192.168.111.254
dhcp server: 192.168.111.37
pri. wins: 192.168.111.37
sec. wins: 192.168.111.38
 
So, I can ping the ISP and even 4.2.2.2 ok.
 
switchport general allowed vlan add 115 untagged
switchport general allowed vlan add 116 untagged
switchport general allowed vlan add 117 untagged
So the above for 1/g1 should be removed?
 
BTW, thanks for the help.




Message Edited by StarLog on 04-25-2007 03:26 PM

909 Posts

April 25th, 2007 19:00

For the simplest change do this for 1/g1:
 
interface ethernet 1/g1
description 'To WatchGuard Trusted'
spanning-tree cost 20000
spanning-tree portfast
switchport mode access
switchport access vlan 111
exit
 
Make sure your firewall has routes to the 192.168.115.0, 192.168.116.0, and 192.168.117.0 networks.
 
Your firewall will still see broadcast/multicast traffic in VLAN 111, but it will work and is a simple change.
 
---------------------------------------------------------
 
Alternatively, do this for 1/g1:
 
interface ethernet 1/g1
description 'To WatchGuard Trusted'
spanning-tree cost 20000
spanning-tree portfast
switchport mode access
switchport access vlan YYY
exit
interface vlan YYY
name "FIREWALL"
routing
ip address 192.168.YYY.254 255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit
 
Change your firewall port connected to 1/g1 to be on the 192.168.YYY.0 network and make sure it has routes to the 192.168.111.0, 192.168.115.0, 192.168.116.0, and 192.168.117.0 networks.
 
This will keep all of your networks broadcast/multicast traffic off of the firewall.

2 Intern

203 Posts

April 26th, 2007 10:00

bh1633,
Made these changes to the 6224:
 
interface ethernet 1/g1
description 'To WatchGuard Trusted'
spanning-tree cost 20000
spanning-tree portfast
switchport mode access
switchport access vlan 107
exit
interface vlan 107
name "FIREWALL"
routing
ip address 192.168.107.254 255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit
ip route 0.0.0.0 0.0.0.0 192.168.107.1
 
I am able to be on the laptop on 1/g11 address is dhcp 192.168.111.3 - same dhcp as above.
 
I can get to the web interface on the Linksys firewall(using this till the Watchguard is available)
 
Cannot ping ISP or 4.2.2.2 - gets request timed out. Should I submit another complete config?

909 Posts

April 26th, 2007 11:00

Can you ping the ISP from the Linksys? 
 
Go ahead and post your config again. 

2 Intern

203 Posts

April 26th, 2007 13:00

Connected directly to the Linksys, and was able to ping the ISP, and 4.2.2.2 and ISP's DNS.
 
!Current Configuration:
!System Description "Dell PowerConnect"
!System Software Version 1.0.0.27
!
configure
vlan database
vlan 107,111,115-117
exit
snmp-server location "ServerRoom"
snmp-server contact "IT Deparment"
hostname "CORE1"
stack
member 1 1
exit
ip address 192.168.2.1 255.255.255.0
ip domain-name internal
ip name-server 192.168.111.36
ip name-server 192.168.111.37
interface vlan 107
name "FIREWALL"
routing
ip address  192.168.107.254  255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit
interface vlan 111
name "SW-PTR-SERVER"
routing
ip address  192.168.111.254  255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit
interface vlan 115
name "TEST PROGRAMS"
routing
ip address  192.168.115.254  255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit
interface vlan 116
name "EMPLOYEES"
routing
ip address  192.168.116.254  255.255.255.0
ip local-proxy-arp
exit
interface vlan 117
name "ACCT-EXEC"
routing
ip address  192.168.117.254  255.255.255.0
ip local-proxy-arp
ip mtu 1200
exit
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.107.1
bootpdhcprelay enable
bootpdhcprelay serverip 192.168.111.37
username "xxxxxxxxx" password xxxxxxxxxxx level 15 encrypted
line console
password xxxxxxxxxxxx encrypted
exit
line telnet
password xxxxxxxxxxxxxx encrypted
exit
!
interface ethernet 1/g1
description 'To Linksys RV042'
spanning-tree cost 20000
spanning-tree portfast
switchport access vlan 107
exit
!
interface ethernet 1/g2
description 'To Switch1P3'
switchport mode trunk
switchport trunk allowed vlan add 111
switchport trunk allowed vlan add 115
switchport trunk allowed vlan add 116
switchport trunk allowed vlan add 117
switchport trunk allowed vlan remove 1
exit
!
interface ethernet 1/g5
switchport mode trunk
switchport trunk allowed vlan add 111
switchport trunk allowed vlan add 115
switchport trunk allowed vlan add 116
switchport trunk allowed vlan add 117
switchport trunk allowed vlan remove 1
exit
!
interface ethernet 1/g7
switchport mode trunk
switchport trunk allowed vlan add 111
switchport trunk allowed vlan add 115
switchport trunk allowed vlan add 116
switchport trunk allowed vlan add 117
switchport trunk allowed vlan remove 1
exit
!
interface ethernet 1/g11
spanning-tree portfast
switchport access vlan 111
exit
!
interface ethernet 1/g15
spanning-tree portfast
switchport access vlan 115
exit
!
interface ethernet 1/g16
switchport access vlan 116
exit
!
interface ethernet 1/g17
spanning-tree portfast
switchport access vlan 117
exit
exit
 

909 Posts

April 26th, 2007 15:00

What is the IP address of the Linksys port connected to the ISP's router?
Can the PC ping that IP address?
 
If it can, then the problem is that the ISP does not have a route to your 192.168.111.0 network (and probably your other networks). 
 
Is it possible to post the Linksys config?

909 Posts

April 26th, 2007 16:00

Then use the other config I suggested where you leave port 1 in vlan 111 and let me know what happens.

2 Intern

203 Posts

April 26th, 2007 16:00

That is the issue, I did not change anything in the Linksys other than the 192.168.111.1 to 192.168.107.1.
 
Just seems like since I made the change to the 107 VLAN I can no longer ping outside. Cannot get the config for the Linksys. It will not allow me to telnet to it. :(
 
 

2 Intern

203 Posts

April 26th, 2007 18:00

bh,
 
I went back to the first part of your suggestion, and it works fine as before.
So I decided to see what was NOT there, and it turns out that the DHCP server is not reflecting the ISP DNS.
I manually added the local DNS for the internal side, and one DNS for the ISP, and it works fine now.
I will go back to your second advisory and give it a whirl to see if I can remove some of that VLAN traffic.
 
Thanks for the excellent advice.
