Unsolved
April 22nd, 2008 12:00
VLANs, Routing and Other Stuff
Hi,
My manager has decided to get a 10Gb link between three buildings on our site. Each building has a mixture of two different companies in it, so we'd like to implement 3 VLANs: one for each company and a shared-resource LAN. We currently use a single Windows AD domain for all three companies.
We eventually plan to create a separate AD domain for each company, but first we would like to set up our network properly.
We have a PowerConnect 6224 in each building (connected via a 10Gb fibre backbone). The 6224s are the main switches, and into their ports we plug the smaller switches that are distributed around the buildings.
We're currently using the following IP range in our network:
IP: 192.168.0.0
Subnet: 255.255.0.0
It's fallen to me to configure VLANs on these switches, and as I openly admit I'm not all that knowledgeable, I'm starting to have problems.
So far, using the web interface, I've managed to do the following:
Configured the switch to use the following settings:
IP: 192.168.20.100
Subnet: 255.255.192.0
Default Gateway: 192.168.9.100
Management VLAN ID: 1
(The default gateway is our firewall - managed by a third party company)
Created 3 VLANs and gave an IP to each:
VLAN 2:
IP: 192.168.71.1
Subnet: 255.255.192.0
VLAN 3:
IP: 192.168.141.1
Subnet: 255.255.192.0
The VLAN routes were automatically configured for me, and I'm now able to ping any host on VLAN 2 from any host on VLAN 3 and vice versa. However, I can't ping any host on VLAN 1 from hosts on either VLAN 2 or 3, and vice versa.
We eventually want to create a company-specific AD domain on VLAN 2 and VLAN 3, and any hosts/servers on those VLANs will need to be able to connect to the shared-resource VLAN 1 for printers, file servers and access to the firewall and internet.
I can't figure out how to do this.
To add to the mess, I've only been working with one of the switches so far. What complications can I expect when I add the same VLANs to the other two switches?
Any help would be really appreciated
Cheers
Niels


bh1633
April 22nd, 2008 12:00
It will be easier to help you if you post your config file. Go to the serial interface and type the following:
console> enable
console# show running-config
But even without that, your issue is typical. The 62xx switches have the concept of a management VLAN. The management VLAN cannot be routed. In your case this is VLAN 1, which explains why you cannot ping anything on VLAN 1.
You do not need to use the management VLAN. You can manage the switch via the routed VLANs also. In your situation, you can either use another VLAN for your 3rd routed VLAN (instead of VLAN 1), or make the management VLAN a bogus VLAN that you are not using (no ports in this VLAN) and then assign an IP address and enable routing on VLAN 1 at the VLAN level. If you want to use the 192.168.20.100 IP on VLAN 1, you will have to change the management VLAN IP address to a different subnet also.
Again, post your config, and we can tell you exactly what to do.
bh1633
April 22nd, 2008 13:00
I am not at a switch, so this is from memory, but it should work. Type the following in:
console> enable
console# config
console (config)# vlan database
console (config-vlan)# vlan 4000
console (config-vlan)# exit
console (config)# ip address 1.1.1.1 /24
console (config)# ip address vlan 4000
console (config)# interface vlan 1
console (config-if)# ip address 192.168.20.100 255.255.192.0
console (config-if)# routing
console (config-if)# no ip proxy-arp
console (config-if)# exit
thesixuk
April 22nd, 2008 13:00
Here's my running config:
!Current Configuration:
!System Description "Dell 24 Port Gigabit Ethernet, 2.0.0.12, VxWorks5.5.1"
!System Software Version 2.0.0.12
!
configure
vlan database
vlan 2-3
exit
snmp-server location "Main Server Room"
snmp-server contact "Niels Jensen"
hostname "dell6224-tyc"
stack
member 1 1
exit
ip address 192.168.20.100 255.255.192.0
ip default-gateway 192.168.9.100
ip name-server 192.168.10.2
ip routing
interface vlan 2
name "FDSL LAN"
routing
ip address 192.168.71.1 255.255.192.0
no ip proxy-arp
exit
interface vlan 3
name "FRL LAN"
routing
ip address 192.168.141.1 255.255.192.0
no ip proxy-arp
exit
username "admin" password d1e13b94b7a32426d968b20432a52120 level 15 encrypted
!
interface ethernet 1/g15
switchport access vlan 2
exit
!
interface ethernet 1/g16
switchport access vlan 2
exit
!
interface ethernet 1/g17
switchport access vlan 3
exit
!
interface ethernet 1/g18
switchport access vlan 3
exit
exit
thesixuk
April 22nd, 2008 14:00
Hi bh1633,
Thanks for your help so far :)
When I try typing in the commands, I get the following error when I type:
console (config)# ip address 1.1.1.1 /24
'IP address and gateway do not reside on the same subnet!'
I figure this is because the subnet will stop the switch from communicating with 192.168.9.100 (the switch's gateway), so I carry on with the commands...
Then when I get to:
console (config-if)# ip address 192.168.20.100 255.255.192.0
I get the following:
"Subnet conflict between specified IP Address and current configuration.
All routing interfaces, service ports and network ports must be configured on
different subnets."
I figure at this point there's no point going further, as it seems I'm not able to set VLAN 1's IP...
I can follow what's happening up to that point, but as I mainly use the web interface I'm not too sure.
From what I can make out from the commands, this is what I'm doing:
console (config)# vlan database - go to the VLAN database
console (config-vlan)# vlan 4000 - create a new VLAN, 4000
console (config-vlan)# exit - leave the database
console (config)# ip address 1.1.1.1 /24 - change the ip address of the switch to 1.1.1.1 /24
console (config)# ip address vlan 4000 - change the management vlan to 4000
console (config)# interface vlan 1 - connect to the vlan 1 interface
console (config-if)# ip address 192.168.20.100 255.255.192.0 - change the ip of vlan 1 to specified
console (config-if)# routing - enable routing on the interface
console (config-if)# no ip proxy-arp - Dunno?
What I don't get, though, is: if I set the management port to use 1.1.1.1, there will be no way for me to use the web management. Is that right?
Cheers
Niels
bh1633
April 22nd, 2008 14:00
Sorry, I did not notice the default gateway. The default gateway is for the management interface and can be removed.
console (config)# no ip default-gateway - removes the default gateway
You can manage the switch via the routing interfaces, so you will be able to access the switch via the web just as you did before.
You probably need a default route to replace the default-gateway for management.
console (config)# ip route default 192.168.9.100
thesixuk
April 22nd, 2008 15:00
I managed to run through those commands once I stripped the default gateway, and was able to connect to the switch on 192.168.20.100, so no problems there.
Unfortunately, the machines on VLAN 2 & 3 still can't ping anything on VLAN 1, and likewise any servers on the network can't connect to 2 or 3 either.
I'm thinking that this could be down to the fact that all the servers are connected to a standard switch which is in turn connected to port 1 of the 6224. As the servers aren't directly plugged into a port that is VLANed, would this cause a problem?
Cheers
bh1633
April 22nd, 2008 15:00
Post your current config.
Can the vlan 2/3 machines ping the vlan 1 ip address of the switch?
Do the PCs/servers on the vlan 1 network have the vlan 1 IP address of the switch as the default gateway?
thesixuk
April 22nd, 2008 16:00
I've just left work for the day so will post the current config first thing tomorrow.
Thanks so much for your help with this so far, I wouldn't have been able to do it without you.
I can see a light at the end of the tunnel now :)
Cheers
Niels
thesixuk
April 23rd, 2008 07:00
!Current Configuration:
!System Description "Dell 24 Port Gigabit Ethernet, 2.0.0.12, VxWorks5.5.1"
!System Software Version 2.0.0.12
!
configure
vlan database
vlan 2-3,4000
exit
snmp-server location "Main Server Room"
snmp-server contact "Niels Jensen"
hostname "dell6224-tyc"
stack
member 1 1
exit
ip address 1.1.1.1 255.255.255.0
ip address vlan 4000
ip name-server 192.168.10.2
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.9.100
interface vlan 1
routing
ip address 192.168.20.100 255.255.192.0
no ip proxy-arp
exit
interface vlan 2
name "FDSL LAN"
routing
ip address 192.168.71.1 255.255.192.0
no ip proxy-arp
exit
interface vlan 3
name "FRL LAN"
routing
ip address 192.168.141.1 255.255.192.0
no ip proxy-arp
exit
username "admin" password d1e13b94b7a32426d968b20432a52120 level 15 encrypted
!
interface ethernet 1/g15
switchport access vlan 2
exit
!
interface ethernet 1/g16
switchport access vlan 2
exit
!
interface ethernet 1/g17
switchport access vlan 3
exit
!
interface ethernet 1/g18
switchport access vlan 3
exit
exit
thesixuk
April 23rd, 2008 07:00
Here's an update on the situation:
Any PCs in the company using 192.168.20.100 as their default gateway are able to ping hosts on VLAN 1, 2 & 3.
Likewise, any hosts on VLAN 2 & 3 are able to ping hosts on VLAN 1 (as long as the VLAN 1 hosts have their default gateway set to 192.168.20.100).
The problem now is internet access. Before implementing the VLANs, all hosts used 192.168.9.100 as their default gateway; this is our router/firewall. Currently, any PCs using 192.168.9.100 as their default gateway are not able to ping anything on VLAN 2 or 3, or vice versa. This stops anything using the new default gateways for VLAN 1, 2 & 3 from being able to access the internet, as they're not able to contact the proxy server (which still uses 192.168.9.100).
I believe what's now happening is that when I try to ping a host, the Dell 6224 routes the traffic to VLAN 1, which in turn is able to find the host; however, the host is unable to reply because when it tries, it goes via 192.168.9.100, which doesn't know about VLAN 2 & 3. I'm assuming that if I contact our firewall management company and get them to add routes to the three VLANs, this problem will cease to exist. Is this assumption right?
Cheers
Niels
bh1633
April 23rd, 2008 11:00
We are almost there. There are only 2 things left to check:
- The 62xx switch is not directly connected to the 192.168.9.x network. So you need to add a VLAN, assign an IP address to it on the 192.168.9.x network, put a port in that VLAN and then plug the firewall/router into that port.
- Make sure the firewall/router has routes to your vlan 1, 2 and 3 networks in it.
For example, if you were to connect the firewall into port 24 of the switch, add the following to the config:
console(config)# vlan database
console(config-vlan)# vlan 9
console(config-vlan)# exit
console(config)# interface vlan 9
console(config-if)# ip address 192.168.9.1
console(config-if)# routing
console(config-if)# no ip proxy-arp
console(config-if)# exit
console(config)# interface ethernet 1/g24
console(config-if)# switchport access vlan 9
console(config-if)# exit
The firewall should have something that looks like this in it to be able to route to your networks:
route add 192.168.71.0 netmask 255.255.192.0 192.168.9.1
route add 192.168.141.0 netmask 255.255.192.0 192.168.9.1
route add 192.168.20.0 netmask 255.255.192.0 192.168.9.1
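The two rules this thread keeps running into are the switch's "all routing interfaces ... must be configured on different subnets" check (the error quoted earlier when VLAN 1 was given the same /18 as the management IP) and the fact that the firewall forwards on its most specific matching route, which is why hosts still pointing at 192.168.9.100 cannot reach VLAN 2 and 3 until the firewall has routes for them. The script below is an added example, not code from the thread or from Dell: it checks an addressing plan for overlapping subnets, normalises the route targets from the post above to their real network addresses, and does a longest-prefix-match lookup on a small firewall table before and after those routes are added. The addresses are the thread's own; the /24 mask on VLAN 9 (the post gives none), the firewall still holding a connected 192.168.0.0/16 from before the VLANs, and the next-hop name "isp" are assumptions.

```python
"""Addressing-plan checks for the VLAN layout in this thread.

Added example, not from the original posts or from Dell. It reproduces two
rules worth checking before touching the switch:
  1. routed interfaces must sit in disjoint subnets, which is what the 6224
     means by "All routing interfaces ... must be configured on different
     subnets";
  2. a router forwards on the most specific matching route, so the firewall's
     reply path to VLAN 2/3 only works once it holds routes for those /18s.
Addresses are the thread's own; anything labelled ASSUMED is not.
"""
from ipaddress import ip_address, ip_interface, ip_network
from itertools import combinations


def overlapping(ifaces):
    """Return name pairs whose subnets overlap, as the switch would reject.

    ifaces maps an interface name to "addr/prefix" or "addr/dotted-mask".
    """
    nets = {name: ip_interface(cidr).network for name, cidr in ifaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def route_network(cidr):
    """Normalise a route target: 192.168.71.0/18 has host bits set, and the
    network a firewall will actually install is 192.168.64.0/18."""
    return str(ip_network(cidr, strict=False))


def lookup(table, dst):
    """Longest-prefix-match lookup. table maps "net/prefix" to a next hop."""
    dst = ip_address(dst)
    best = None
    for net, hop in table.items():
        n = ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None


# First attempt from the thread: management IP and VLAN 1 in the same /18.
FIRST_ATTEMPT = {
    "network port": "192.168.20.100/255.255.192.0",
    "vlan 1": "192.168.20.100/255.255.192.0",
}

# Routed interfaces from the running config after the management VLAN moved.
FINAL_CONFIG = {
    "mgmt (vlan 4000)": "1.1.1.1/24",
    "vlan 1": "192.168.20.100/255.255.192.0",
    "vlan 2": "192.168.71.1/255.255.192.0",
    "vlan 3": "192.168.141.1/255.255.192.0",
}

# Proposed VLAN 9 for the firewall link. The post gives no mask; /24 is ASSUMED.
WITH_VLAN9 = dict(FINAL_CONFIG, **{"vlan 9": "192.168.9.1/24"})

# Firewall at 192.168.9.100. Before the VLANs the whole site was 192.168.0.0/16,
# so the firewall is ASSUMED to still hold that as a connected route; the
# upstream next hop "isp" is a placeholder. This table is constructed.
FW_BEFORE = {"0.0.0.0/0": "isp", "192.168.0.0/16": "connected"}

# Same table after the two VLAN routes from the post are added via 192.168.9.1.
FW_AFTER = dict(FW_BEFORE)
for target in ("192.168.71.0/255.255.192.0", "192.168.141.0/255.255.192.0"):
    FW_AFTER[route_network(target)] = "192.168.9.1"


def main():
    print("first attempt overlaps :", overlapping(FIRST_ATTEMPT))
    print("final config overlaps  :", overlapping(FINAL_CONFIG))
    print("with vlan 9 overlaps   :", overlapping(WITH_VLAN9))
    print("192.168.71.0/18 is     :", route_network("192.168.71.0/255.255.192.0"))
    # A reply from the proxy (behind 192.168.9.100) to a VLAN 2 host:
    print("reply before routes    :", lookup(FW_BEFORE, "192.168.71.50"))
    print("reply after routes     :", lookup(FW_AFTER, "192.168.71.50"))


if __name__ == "__main__":
    main()
```

Two things the check surfaces on this plan: with the four /18s in use, 192.168.9.1 on VLAN 9 lands inside VLAN 1's 192.168.0.0/18, so the switch would refuse it for the same "different subnets" reason as before; and the third route in the post, 192.168.20.0/18, normalises to 192.168.0.0/18, which already contains the firewall's own 192.168.9.100. Before the VLAN routes exist the firewall treats 192.168.71.50 as on-link (the /16) and ARPs for it instead of forwarding to the switch; once the more specific /18 routes are installed, longest-prefix match sends the reply to 192.168.9.1 even with the /16 still present.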
thesixuk
April 23rd, 2008 13:00
Righto,
Before I go any further, I'll need to contact our security contractors and get them to add the routes onto the firewall. That can take a couple of days to push, so once I've had that confirmed, I'll do the rest.
Thanks so much for your help. You're a star!
Niels