Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

jbilliau

20 Posts

15835

March 7th, 2006 17:00

Setting Up 2 VLANS 6024

I cannot figure this out for the life of me.  We originally setup the 6024 on VLAN1, ip address 10.0.0.154 with the help of a DELL technician.  So great, it works nicely.
 
However I need to setup another VLAN to put 5 workstations on.  I created a VLAN 2, and put those ports on it  (Untagged).  I also configured the interface with an IP address on a different subnet. (10.0.1.1)
 
So VLAN2 now has an ip address.  However the workstations cannot get out to the internet.  I dont get it or what Im missing?  To test it, I configured a static IP on one of those workstations. 
 
IP: 10.0.1.4
Subnet: 255.255.255.0
Gateway: 10.0.1.1  (also tried 10.0.0.1) our default gateway (sonicwall)
 
Any ideas?

jbilliau

20 Posts

March 7th, 2006 18:00

yes I read that about 50 times.  However I'm not trying to route between 3 different switches.  I just have 1 6024, and Im trying to get two different VLANs working.  So that article applies, but not really.  Besides, Ive done everything already entailed in it.  Thanks though
 
I just want to know if what I did was about right, or if there is more configuration involved.  If all that is involved in setting up another VLAN on the same switch is assigning it an IP and port, then I should be examing what else is my issue

Message Edited by jbilliau on 03-07-2006 02:33 PM

DELL-Cuong N.

1K Posts

March 7th, 2006 18:00

Did you try looking at the paper on VLAN routing - found here?

 

Information you given here is not enough to know what might be the problem.  There are many possibilities and without knowing exactly what you have in your network and the configuration of the switch it is hard to guess.

Anyway, try looking at the various papers at the link above including the one on "VLAN routing".

Cuong.

jbilliau

20 Posts

March 7th, 2006 18:00

We have a Cisco router wide open that feeds into our firewall (Sonicwall TZ170) 10.0.0.1  This firewall provides our NAT, & DHCP.  We have 40 workstations ( 10.0.0.*) class.  They are all on your basic layer 2 switch (3COM).   In the back here, we have the PowerConnect 6024.  In all honestly, there are only 2 workstations hooked up to it.  Myself and a testmachine.  The 6024 SPF port connects to the 3COM thus getting the network connectivity.  So all and all, pretty basic Id say.
 
The 6024 is already configured with IP: 10.0.0.154  and all ports are on VLAN1, per a DELL technicial when we got the switch last month.  A default route of:  (ip route 0.0.0.0 0.0.0.0 10.0.0.1)
 
So anways, all I'm trying to do is create a new VLAN.  I.E --> VLAN2  assign it an IP (10.0.1.1) or whatever, and get the testmachine on that VLAN via an Untagged port, and have it get internet, network connectivity.  However it doesnt work.  If I switch the testmachine back to VLAN1, it works great.  Any other VLAN, no good.
 
I hope that makes sense.

DELL-Cuong N.

1K Posts

March 7th, 2006 18:00

Post your configuration.  Then also describe your network.  Are all the ports on the 6024 connected to workstations or do you have more switches?  Describe what you are trying to do and what you expected to happen.  Perhaps we can spot the problem if you provide enough info.

Cuong.

jbilliau

20 Posts

March 7th, 2006 19:00


console# show run


Router Configuration
-----------------------------

vlan database
vlan 2
exit
interface ethernet g1
switchport access vlan 2
exit
interface vlan 2
name test
exit
interface vlan 1
ip address 10.0.0.154 255.255.255.0
exit
interface vlan 2
ip address 10.0.1.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip dhcp relay address 10.0.0.1
username admin password baef066bb91b53108a52594914ff85d0 level 15 encrypted


OOB host Configuration
-----------------------------

Empty configuration

 


_____________________________
>>Default settings:
_____________________________

>>Router Configuration
-----------------------------
>>Service tag: F1P2381

>>SW version 2.0.0.01 (date  10-Apr-2005 time  08:28:21)

>>Gigabit Ethernet Ports
=============================
>>no shutdown
>>speed 1000
>>duplex full
>>negotiation
>>flow-control off
>>mdix auto
>>no back-pressure

>>interface vlan 1
>>interface port-channel 1 - 7

>>no router RIP

>>no router OSPF enable

>>spanning-tree
>>spanning-tree mode STP

>>qos basic

>>OOB host Configuration
-------------------------

>>interface out-of-band-eth
>>no shutdown
>>speed 100
>>duplex full
>>negotiation
>>flow-control off
>>no back-pressure
>>exit

 

My testmachines static IP configuration is:

IP: 10.0.1.4  (because I want the new VLAN to be 10.0.1.0 subnet)

SubnetMask: 255.255.255.0

Gateway:  10.0.0.1  (although Ive also tried 10.0.1.0 & 10.0.0.154)

DNS:  10.0.0.2  (windows 2003 DNS server)  

Secondary DNS:  63.209.135.242  (our ISP's DNS)

DELL-Cuong N.

1K Posts

March 7th, 2006 19:00

Yes that makes sense.  Can you do a "show run" on your 6024 and post your configuration here please (remove the user password line if you worry about security or blank out the encrypted password - same with the SNMP server line if you configured snmp).

Also how did you configure your test PC?  What's the IP/Mask and gateway address for this PC?  Remember that you need a default gateway configured on your PC (point to the 6024 which is doing your routing) if you want to reach networks that are not in your subnet.

Cuong.

DELL-Cuong N.

1K Posts

March 7th, 2006 20:00

Try setting your PC default gateway to 10.0.1.1 (the IP address of the switch on VLAN 2 where you connected the test PC).  The idea is this:
  • From your PC when you try to send a packet to something on the 10.0.0.X network, the PC first mask that address to see if it matches its interface(s) - in this case it doesn't.  Since your PC IP is on the 10.0.1.X subnet, your PC will not be able to send to the 10.0.0.X subnet but if the default gateway is configured as 10.0.1.1 it will know to send to that gateway which it can reach from its subnet.  Your default gateway IP must be the IP address of the next hop router ON your subnet (which is the 6024 in this case - and must be the IP address of the 6024 on the VLAN2).
  • So the packet arrives at the 6024 with a destination address on the 10.0.0.x subnet.  The 6024 consults its routing table and realize that the packet must be sent out on the other VLAN so it changes the VLAN tag on the packet and then consult the Layer2 forwarding database to find the port on which the MAC address for the specific destination resides.  The packet is then forwarded to this port.
  • The packet arrives at the destination and when the response is returned to the switch back from the 10.0.0.x address to the 10.0.1.x address, the 6024 reverse the process and the packet returns to your PC.

Ok note that by setting up the 6024 to route in this way, you are not blocking ports that are member of one VLAN from accessing ports that are member of the other VLAN since the 6024 will route across the VLANs.  VLAN segmentation occurs only at Layer 2, whereas Layer 3 routing will cross VLAN boundary!  I hope you realize that there is no VLAN segmentation in the 6024 once the routing layer is setup like this.

If you still want to block certain hosts on one VLAN from accessing hosts or services on another VLAN now, you would also need to setup ACL (access control list on the 6024) to specifically filter out packets and prevent them from getting across the VLAN boundary.

If you had setup just the VLANs to provide segmentation and did not configure any IP address to those VLAN then there would not be any routing tables setup and you have VLAN segmentation again.

If you do this and still want management access you can either use the OOB management ethernet port, or you can configure an additional VLANs (three in total).  You would use VLAN 2 and 3 for example for your hosts then use VLAN 1 for management only on some ports for example (this might be a bit more tricky depending on what you are trying to do).

There are a number of whitepapers at the site I pointed to before which discuss VLAN routing (you are doing VLAN routing in the 6024), ACL, LAN segmentation, etc which may help you.

Cuong.

jbilliau

20 Posts

March 8th, 2006 17:00

Well, setting the gateway to 10.0.1.1 (vlan2 IP address) did not work.  Not sure why, but it all seems to be configured correctly.

jbilliau

20 Posts

March 8th, 2006 17:00

I can ping both 10.0.1.1 (VLAN2)  and 10.0.0.154 (VLAN1)  from my test machine.  So thats a good sign.  However I think your right.  I bet that my sonicwall (firewall) needs some sort of static route back to the 6024?
 
 
Thats a screenshot of what I think I might have to configure.  Although Ive tried adding 10.0.1.0 and 255.255.255.0  to that ADD Subnet part, with no luck

Message Edited by jbilliau on 03-08-2006 01:49 PM

DELL-Cuong N.

1K Posts

March 8th, 2006 17:00

From your test PC, can you ping the switch IP address at 10.0.1.1 (IP on VLAN 2)?  Then from your PC can you ping 10.0.0.154 (the IP address on the interface from 6024 to the rest of your network)?

If you can ping both of these interfaces from your PC then it means that the 6024 is correctly routing your packets to the correct interfaces so if you don't get a response I suspect that its because the next hop router in your 10.0.0.x subnet doesn't have a route back to the 6024.

So check the router at the next hop and see if it has a route back to the 6024 for the system on the 10.0.1.x subnet (where your PC resides).  If you have a packet sniffer you could sniff packets coming from the 6024 and see if you can see the packets from your PC toward the 10.0.0.x subnet.

I think what might have happened is that the 6024 is routing from the 10.0.1.x subnet to the 10.0.0.x subnet ok but then the next hop router doesn't have a route back to the 6024 (looks like you are using static routing) so the packets get out but when it tries to return it can't get back to the 6024.

Cuong.

DELL-Cuong N.

1K Posts

March 8th, 2006 18:00

When you add the route back to the 6024 on the sonicwall make sure you specify the correct IP address for the 6024.  So to get back to the 10.0.1.x subnet you need to specify the correct next hop router address for the 6024 (the one on the port connecting the 6024 to the sonicwall) - that's probably the 10.0.0.154 address on your setup.
 
Cuong.

jbilliau

20 Posts

March 8th, 2006 18:00

Either that or configure a static route to that 6024
 
 

jbilliau

20 Posts

March 8th, 2006 22:00

Wow I think I got it.  I made a static route

Destination Network:  10.0.1.0

Subnet Mask:  255.255.255.0

Gateway:  10.0.0.154

 

and now my testmachine gets internet.  Thats great

jbilliau

20 Posts

March 9th, 2006 15:00

Cuong,
 
Does the 6024 have DHCP pool functionality?  I want a DHCP server to hand out IP address's on this new subnet to those connected to VLAN2.  Can the 6024 hand out address (i.e  10.0.1.10-10.0.1.20) to those connected on a specific VLAN?  If so how.
 
If it cant, what If I setup and configure a DHCP server on 2003 server?  When configuring a scope on there, do I just point the router address to 10.0.1.1 (VLAN2)?
 
Hope that makes sense.
 
All Im attempting to do, is for any VLAN created with corresponding workstations assigned to it.  Id like a DHCP pool to hand out address's on the same subnet.

DELL-Cuong N.

1K Posts

March 9th, 2006 18:00

The 6024 doesn't have a built in DHCP server so you will need to setup your own DHCP server.  Unfortunately I'm not familiar with setting up DHCP sever on Win2k3 server so I'm of no help here.  Perhaps the other Forum members might be able to help.  You might want to repost your message under a different heading since this message might get lost under this thread :-).
 
Cuong.

Was this post helpful?

View All

0 events found

No Events found!

Top