PowerConnect 5448 Multiple VLANs between upstream firewall and downstream server
I am struggling with what I thought would be a simple task: route multiple subnets, each on a different VLAN, from a firewall to a server. In fact, I can't seem to get even one non-default VLAN through despite everything looking correct in address tables and STP.
Port 1 = firewall, VLAN 1 untagged, VLAN 2 tagged, PVID 1, tried both trunk and general modes
Port 17 = server NIC, VLAN 1 untagged, VLAN 2 tagged, PVID 1 and 2 tried, tried both trunk and general modes
VLAN 1 (untagged from firewall) 10.84.195.0/24, IP Interface 10.84.195.2, default gateway 10.84.195.1
VLAN 2 (tagged from firewall) 10.101.0.0/16, IP Interface 10.101.0.2 for VLAN 2, firewall is .1
The first thing I assumed was that something wasn't tagged correctly either from the server (Hyper-V, using SC VMM 2012 SP1) or the firewall (Watchguard XTM 520). Simple test: VPN to firewall, ping the switch at 10.101.0.2 with tag and it works, remove the tag and it doesn't. Dynamic address table shows both pathways to firewall. Row 18 below appears right after the ping as expected on VLAN 2 with the same MAC address as VLAN 1. Also, I can ping the switch 10.101.0.2 from the server and it works fine. The table shows only VLAN 2 from the host (and 1 other VM) so it seems to me that everything is tagged properly.
15 | VLAN 1 | 00907f8f571b | g1
16 | VLAN 2 | 00155d1f1b07 | g17
17 | VLAN 2 | 001dd8b71c01 | g17
18 | VLAN 2 | 00907f8f571b | g1
What I can't do is ping across the switch on VLAN 2. I cannot ping the server (10.101.20.1) from my VPN and I cannot ping the gateway (10.101.0.1) from the server. Note, it is not due to any firewall rules on either end.
What am I missing? I don't believe I need any Layer 3 routing here, I'm not trying to cross VLANs, just have multiple VLANs pass from one port to another.
Other things worth noting in case it helps:
- I do have untagged connectivity with everything else through the switch 10.84.195.xxx/24.
- If I remove the VLAN 2 tagged trunk from port 1, I can suddenly ping the VLAN 2 gateway (10.101.0.1) from the server, although I suspect that is because the same port is the default gateway for the switch.
- For brevity, only 2 lines of the STP are shown below, but all ports match accordingly based on whether they are connected or not.
g1 enabled 128.1 4 Frw Desg No P2P (STP)
g2 enabled 128.2 100 Dsbl Dsbl No -
- Latest firmware installed.
- Also, for the security-minded folks, I do intend to remove the default VLAN usage in the future.
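To make the tagging rules this thread turns on concrete (a PVID only classifies untagged ingress; a tagged frame keeps its VID; egress tagging is decided per VLAN membership), here is an added Python model of generic 802.1Q port behaviour, written for this edit and not code from Dell or the poster. Port names and memberships are taken from the post above; the frames are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One switch port: PVID plus its untagged and tagged VLAN memberships."""
    name: str
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

    def members(self):
        return self.untagged | self.tagged

def ingress(port, frame):
    """Classify a received frame ({'vlan': int or None}) into a VLAN.
    Only an untagged frame consults the PVID; a tagged frame keeps its VID.
    Returns None when the port is not a member of that VLAN (ingress filtering)."""
    vid = port.pvid if frame["vlan"] is None else frame["vlan"]
    return vid if vid in port.members() else None

def egress(port, vid):
    """How a VLAN leaves this port: 'tagged', 'untagged', or None (not sent)."""
    if vid in port.tagged:
        return "tagged"
    if vid in port.untagged:
        return "untagged"
    return None

def forward(switch, in_port, frame):
    """Flood a frame received on in_port; map each other port to how it exits."""
    vid = ingress(switch[in_port], frame)
    if vid is None:
        return {}
    return {n: egress(p, vid) for n, p in switch.items()
            if n != in_port and egress(p, vid) is not None}

def build_switch(server_pvid=1):
    """The two ports from the post: g1 = firewall, g17 = server (constructed)."""
    return {
        "g1": Port("g1", pvid=1, untagged={1}, tagged={2}),
        "g17": Port("g17", pvid=server_pvid, untagged={1}, tagged={2}),
    }

if __name__ == "__main__":
    sw = build_switch()
    # The firewall's tagged VLAN 2 ping leaves g17 still tagged.
    print(forward(sw, "g1", {"vlan": 2}))        # {'g17': 'tagged'}
    # An untagged frame from the server lands in VLAN 1 whatever its IP is.
    print(forward(sw, "g17", {"vlan": None}))    # {'g1': 'untagged'}
    # Setting the server PVID to 2 only moves untagged ingress, not tagged frames.
    print(forward(build_switch(2), "g17", {"vlan": None}))  # {'g1': 'tagged'}
```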
DELL-Willy M
February 13th, 2013 09:00
Would it be possible for you to paste your show run output here in the forum? That way we can take a closer look at what you have configured.
If you plug a laptop/desktop (with an IP in the 10.101.0.0 /16 range) into a port with switchport access mode for VLAN 2, are you able to ping IP Interface 10.101.0.2 for VLAN 2? You might try disconnecting the firewall and the configurations for that port and work on getting communication through the switch with 2 end devices on a single VLAN. Then once that is confirmed as working, connect the firewall back up with a trunk/general mode adding the needed VLANs.
Are you connecting to the firewall on a Layer 3 interface? You may need Layer 3 routing to reach the firewall properly.
Arizona Joe
February 13th, 2013 11:00