VLANs what have I done wrong?

CashG
Getting noticed

Subnet          VLAN ID   MX IP
10.10.0.0/24    1         10.10.0.2
10.10.8.0/24    8         10.10.8.1

Devices on 10.10.0.0 can ping 10.10.8.0, but devices on 10.10.8.0 cannot ping 10.10.0.0.

On my MX all ports are set to Trunk with Native VLAN 1 and all VLANs allowed. I have a single line from my MX to my switch. On my switch, an SG200, I added VLAN ID 8. I set the port going to the MX and the port going to the server to have Administrative VLANs 1 & 8 with the mode Trunk. Am I missing something?

BrandonS
Kind of a big deal

Do you have the correct default gateway on the devices you are testing with?

 

- Ex community all-star (⌐⊙_⊙)
CashG
Getting noticed

@BrandonS I've tested from two devices on 10.10.8.0. One is complicated because it's a virtual IP on a UNIX server. I did, however, connect a single Windows computer with IP 10.10.8.50, mask 255.255.255.0, gateway 10.10.8.1, and got the same result. The computer was connected directly to the MX and I did change the port to Native VLAN 8.

BrandonS
Kind of a big deal

Maybe a typo somewhere, or a firewall rule you forgot about? Sorry, that's all I've got.

- Ex community all-star (⌐⊙_⊙)
BrandonS
Kind of a big deal

Maybe the device you can't reach has ping blocked/disabled? Did you try to reach other resources besides ping?

- Ex community all-star (⌐⊙_⊙)
CashG
Getting noticed

@BrandonS So from what I said, it should work? Because I thought it should work too, and it's not, and it's driving me crazy. The only firewall rule I've added is some port forwarding to allow a software vendor to reach a server, and they tested that and it works.

 

ww
Kind of a big deal

Did you already remove your wrong static routes?

Are you sure your devices accept ping both ways? When you connect both devices in VLAN 1, can they ping each other?

 

CashG
Getting noticed

@ww All I have set up are VLANs; there are no static routes set. So I feel a little dumb: I didn't notice that when the PC connected, Windows set it to a public network instead of private... so now I can ping both ways. I'll try connecting the PC to the switch next instead of directly to the MX. Something else: do I need to set the ports on the switch to tagged? I just noticed they are set to untagged.

Nash
Kind of a big deal

Please don't feel dumb. Do you know how many times I've gotten caught out by Windows firewall due to accidentally setting a network as public?

 

I wrote a document for my team on how to fix it. That's how many times. I kept having to look up how to reclassify networks in my registry, and got tired of Googling it every month.

 

RE: your switchports on the switch itself. You said it's an SG200? Does it work when you connect your PC to the switch as it currently is?

 

If it's not working untagged, then yeah, tag those switchports with the correct VLAN. Cisco's got a nice doc here.

nuo
Getting noticed

Have you set up the static routes between the VLANs? You said it was working in one direction. Maybe double-checking those routes is worthwhile?

Nash
Kind of a big deal

@nuo If the MX is being used as the default gateway, it will perform routing between the two VLANs automatically.

CashG
Getting noticed

I'm going to be doing more testing later today. I only have a small window where I can switch the LAN over to the MX and test. I'm going to hook a PC to the same switch as everyone else on 10.10.8.0 and test. My issue is a Unix server that has an IP of 10.10.0.60 but then also has a virtual IP of 10.10.8.60. The virtual IP has no static gateway set for the VIO.

CashG
Getting noticed

I can't get anything on 10.10.8.0 to work once I switch over to the MX. (Attached screenshots: sg200.jpg, VLANs.jpg)

CashG
Getting noticed

@Nash @nuo @ww Is there something I did wrong? Something I need to do? 

ww
Kind of a big deal

If you can ping from a client on the Cisco switch in VLAN 8 to a client in VLAN 1, then it works? How your virtual server works, I don't know.

 

If it all works on the FortiGate, you should get that config and build the same in the MX.

CashG
Getting noticed

@ww I can't ping across from my PC on 10.10.0.0 to anything on 10.10.8.0 through the switch.

I could ping when I have a PC on 10.10.0.0 connected directly to the MX with its port set to Native VLAN 1 and then a PC on 10.10.8.0 connected directly to the MX with its port set to Native VLAN 8.

 

I've added the VLANs to my Cisco switches, I've added the VLANs to the ports that need access to both subnets on the switch, and everything is set to Trunk. I'm not sure what else I'm missing.

ww
Kind of a big deal

did you try add vlan 1 access port and vlan 8 access port on the switch and ping between two normal clients?

CashG
Getting noticed

@ww Someone said that the ports that connect the switch to the MX and from switch to switch should be set to Trunk then all the others should be set to Access. Does that sound right?

ww
Kind of a big deal

That sounds right. But some servers are also capable of running on a trunk, so it depends on your design and what you want to connect.

CashG
Getting noticed

@ww "but also some  servers can be capable of running on a trunk. so it  depends on your design and what you want to connect" I hope the server in question does. It has a 10.10.0.0 IP but has a VIP (Virtual IP) of 10.10.8.0 so I would need both VLANs on one port, right?

 

@BrandonS "Is it possible the Unix server has no default gateway assigned? Or one different than you think it is?" EN0 on the server has 10.10.0.60 with a gateway of 10.10.0.2. However, from what I understand the VIP is only an IP of 10.10.8.60. It being UNIX, I'm not sure how it works. I am not the administrator of the UNIX server, but I can access it and test things like ping, ftp, and traceroute. Pings work fine from it because it uses 10.10.0.60, but if I try to FTP to a printer (that's how the server sends print jobs), it won't work. I figured out that when I do a traceroute to a printer it uses the 10.10.8.60 IP. I think my issue boils down to: how do I tag the correct VLAN on one port, since one port is using both VLANs?

BrandonS
Kind of a big deal

What is the subnet of the virtual IP on the server?  I am suspecting this maybe something a bit odd like two IP addresses assigned to the same interface and subnet (like /16). Or- hopefully the VIP is assigned tagged to a sub interface and in that case you would want the port connected to the server to be trunk with VLAN 8 tagged.

 

- Ex community all-star (⌐⊙_⊙)
CashG
Getting noticed

@BrandonS This is what the Admin of the server sent me

 

The VLAN research I did for AIX highly recommends having VLANs take place in the switches, NOT on the RS/6000 NIC cards.

There is not a static gateway for the VIO 10.10.8.60.

Since it is a virtual IP created by combining the 4 NICs that have 10.10.0.2 as their gateway, it has no entry.

 

Change / Show a Virtual IP Address Interface

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                [Entry Fields]
  Network Interface Name                         vi0
  INTERNET ADDRESS (dotted decimal)             [10.10.8.60]
  Network MASK (hexadecimal or dotted decimal)  [255.255.255.0]
  Current STATE                                  up                    +
  Network Interface(s) using this VIPA
        Interface Name(s)                       [en0,en1,en2,en3]      +
        ADD/REMOVE Interface(s)                  ADD                   +

 

IBM RS/6000 IP information (it has a 4-port NIC card; hostname cashwell on every port):

NIC   IP            Network Mask     G/W
EN0   10.10.0.60    255.255.255.0    10.10.0.2
EN1   10.10.5.60    255.255.255.0    10.10.0.2
EN2   10.10.3.60    255.255.255.0    10.10.0.2
EN3   10.10.7.60    255.255.255.0    10.10.0.2

 

 

# named virtual ips

10.10.8.60      vipa60

10.10.8.10      vipa10

10.10.8.11      vipa11

10.10.8.12      vipa12

10.10.8.13      vipa13

nuo
Getting noticed

Yes, this is well worth checking!

CashG
Getting noticed

@BrandonS "Or- hopefully the VIP is assigned tagged to a sub interface and in that case you would want the port connected to the server to be trunk with VLAN 8 tagged."

 

If I have it set with VLAN 8 tagged and VLAN 1 untagged you think 10.10.0.80 will still work? Or No VLAN 1 added at all? If so would the 10.10.0.80 still work?

BrandonS
Kind of a big deal


@CashG wrote:

@BrandonS "Or- hopefully the VIP is assigned tagged to a sub interface and in that case you would want the port connected to the server to be trunk with VLAN 8 tagged."

 

If I have it set with VLAN 8 tagged and VLAN 1 untagged you think 10.10.0.80 will still work? Or No VLAN 1 added at all? If so would the 10.10.0.80 still work?


I would consider trying this.  You would need to ask the server admin if she can/will verify it is possible to add the IP as a sub-interface with a VLAN ID.  That should allow it to be more like a "normal" client with a subnet and default gateway.  In that case you would need to connect to a switch port configured as trunk with VLAN 8 tagged.

 

The output you posted with the 4 NICs is confusing to me.  It shows interface ip addresses with default gateways outside of their subnet.  That does not compute for standard networking, but I am sure there is some reason..

 

- Ex community all-star (⌐⊙_⊙)
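BrandonS's point above is that a default gateway only works if it sits inside the subnet of some interface the host actually has, and Nash's earlier point is that the MX, as the gateway, routes between its own VLAN subnets on its own. The following Python is an added example, not code from the thread or from any Meraki, Cisco or IBM tool. It does a longest-prefix route lookup and an on-link check for the gateway, using only the addresses quoted in the thread (the MX's two VLAN subnets, the four AIX NIC addresses with gateway 10.10.0.2, and the Windows test PC at 10.10.8.50). It deliberately leaves the AIX VIPA (vi0) out, because the thread does not say how that address is routed; the interface names and route tables are assumptions built from the quoted figures.

```python
"""Added example: longest-prefix route lookup plus an on-link check for the
next hop. Tables below are constructed from the addresses quoted in the
thread; they are not output of a real MX, SG200 or AIX host.
"""
import ipaddress


def route_lookup(routes, dst):
    """Longest-prefix match. routes: iterable of (prefix, via, dev); via None = directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])


def on_link_interfaces(interfaces, gateway):
    """Names of interfaces whose subnet contains `gateway`. interfaces: {name: 'a.b.c.d/len'}."""
    gw = ipaddress.ip_address(gateway)
    return [name for name, addr in interfaces.items() if gw in ipaddress.ip_interface(addr).network]


def next_hop(interfaces, routes, dst):
    """(egress interface, gateway or None) for dst, or None when there is no route or the
    route's gateway is not on any connected subnet (the host could never ARP for it)."""
    hit = route_lookup(routes, dst)
    if hit is None:
        return None
    via, dev = hit
    if via is None:
        return (dev, None)
    links = on_link_interfaces(interfaces, via)
    return (links[0], via) if links else None


# MX as the original post lists it: two VLAN interfaces, both directly connected.
MX_IFACES = {"vlan1": "10.10.0.2/24", "vlan8": "10.10.8.1/24"}
MX_ROUTES = [("10.10.0.0/24", None, "vlan1"), ("10.10.8.0/24", None, "vlan8")]

# The AIX host's four NICs, all quoted with gateway 10.10.0.2 (vi0 left out on purpose).
AIX_IFACES = {"en0": "10.10.0.60/24", "en1": "10.10.5.60/24", "en2": "10.10.3.60/24", "en3": "10.10.7.60/24"}
AIX_ROUTES = [(ipaddress.ip_interface(a).network.with_prefixlen, None, n) for n, a in AIX_IFACES.items()]
AIX_ROUTES.append(("0.0.0.0/0", "10.10.0.2", None))

# The Windows test PC from the thread, once with the right gateway and once with the VLAN 1 gateway by mistake.
PC_IFACES = {"eth0": "10.10.8.50/24"}
PC_ROUTES_OK = [("10.10.8.0/24", None, "eth0"), ("0.0.0.0/0", "10.10.8.1", None)]
PC_ROUTES_WRONG_GW = [("10.10.8.0/24", None, "eth0"), ("0.0.0.0/0", "10.10.0.2", None)]

if __name__ == "__main__":
    print("MX reaches 10.10.8.60 via:", next_hop(MX_IFACES, MX_ROUTES, "10.10.8.60"))
    print("AIX interfaces with 10.10.0.2 on-link:", on_link_interfaces(AIX_IFACES, "10.10.0.2"))
    print("AIX reaches 10.10.8.40 via:", next_hop(AIX_IFACES, AIX_ROUTES, "10.10.8.40"))
    print("PC (gw 10.10.8.1) reaches 10.10.0.2 via:", next_hop(PC_IFACES, PC_ROUTES_OK, "10.10.0.2"))
    print("PC (gw 10.10.0.2) reaches 10.10.0.2 via:", next_hop(PC_IFACES, PC_ROUTES_WRONG_GW, "10.10.0.2"))
```

The last two lines are the check worth running on any host that can send but not receive across VLANs: a gateway that is not on-link is silently useless, and the MX will still deliver replies into whichever VLAN holds the destination subnet, whether or not a host is listening there.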
nuo
Getting noticed

@ww 

 

Someone said that the ports that connect the switch to the MX and from switch to switch should be set to Trunk then all the others should be set to Access. Does that sound right?

 

I would say that between the switches you will want trunk ports that have all VLANs.

 

Also, going to the MX you will either want a trunk port with all the required VLANs or maybe even all VLANs. You may be able to setup an access port for the switch and then add on the required VLANs but if it is not working - then Keep IT Simple!

 

Start with TRUNK ports between the switches, then set up an ACCESS port on the VLAN you are having issues with and connect a computer to that port via Ethernet to ensure that the VLAN is working before introducing anything else into the mix.
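CashG's question a few posts up ("VLAN 8 tagged and VLAN 1 untagged, will 10.10.0.80 still work?") and nuo's trunk-then-access test plan both come down to what a port does with the 802.1Q tag. The Python below is an added example, not code from the thread or from any Meraki or Cisco product: it builds and parses tagged Ethernet frames and models access and trunk ports just far enough to show which VLAN the far end of a link assigns a frame to. The port names and MAC addresses are made up; VLAN IDs 1 and 8, the MX trunk with native VLAN 1, and the SG200 uplink with VLAN 1 untagged and VLAN 8 tagged are taken from the thread.

```python
"""Added example: 802.1Q tagging on access and trunk ports, modelled just far
enough to show where a frame lands on the far end of a link. Port names and
MACs are constructed; VLAN IDs and trunk/native settings follow the thread.
"""
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame; when vlan is given, insert an 802.1Q tag after the MACs."""
    header = _mac(dst) + _mac(src)
    if vlan is None:
        return header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = vlan  # PCP and DEI bits left at 0; the low 12 bits are the VLAN ID
    return header + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_tag(frame):
    """Return (vlan_id, or None if untagged, ethertype of the payload)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner
    return None, ethertype


class Port:
    """Switch/MX port model.

    access: member of exactly one VLAN (`vlan`), always untagged.
    trunk:  `vlan` is the native (untagged) VLAN, `tagged` the VLANs carried with a tag.
    """

    def __init__(self, name, mode, vlan=1, tagged=()):
        self.name, self.mode, self.vlan, self.tagged = name, mode, vlan, frozenset(tagged)

    def egress(self, vlan, dst, src, payload):
        """Frame this port puts on the wire for traffic in `vlan`, or None if it is not a member."""
        if vlan == self.vlan:  # access VLAN, or trunk native VLAN: leaves untagged
            return build_frame(dst, src, payload)
        if self.mode == "trunk" and vlan in self.tagged:
            return build_frame(dst, src, payload, vlan=vlan)
        return None

    def ingress(self, frame):
        """VLAN this port assigns to a received frame, or None if the frame is dropped."""
        tag, _ = parse_tag(frame)
        if tag is None:  # untagged frame: native VLAN on a trunk, the access VLAN otherwise
            return self.vlan
        if self.mode == "trunk" and tag in self.tagged:
            return tag
        return None  # tagged frame on an access port, or VLAN not allowed on the trunk


def carry(vlan, out_port, in_port):
    """Traffic in `vlan` leaves out_port; return the VLAN in_port puts it in (None = dropped)."""
    frame = out_port.egress(vlan, "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"constructed payload")
    return None if frame is None else in_port.ingress(frame)


# The link as the thread describes it: MX port trunk / native 1 / VLAN 8 allowed,
# SG200 uplink with VLAN 1 untagged and VLAN 8 tagged (port names are made up).
MX_PORT = Port("MX port 3", "trunk", vlan=1, tagged={8})
SG_UPLINK_OK = Port("SG200 g1", "trunk", vlan=1, tagged={8})
# The same uplink with VLAN 8 as the untagged VLAN instead: a native-VLAN mismatch.
SG_UPLINK_MISMATCH = Port("SG200 g1", "trunk", vlan=8, tagged={1})
# nuo's test: an access port in VLAN 8, and a plain PC NIC with no VLAN configuration.
SG_ACCESS_8 = Port("SG200 g5", "access", vlan=8)
PC_NIC = Port("pc eth0", "access", vlan=8)

if __name__ == "__main__":
    print("VLAN 1 MX -> SG200:", carry(1, MX_PORT, SG_UPLINK_OK))
    print("VLAN 8 MX -> SG200:", carry(8, MX_PORT, SG_UPLINK_OK))
    print("VLAN 1 MX -> SG200 (native mismatch):", carry(1, MX_PORT, SG_UPLINK_MISMATCH))
    print("VLAN 8 SG200 (native mismatch) -> MX:", carry(8, SG_UPLINK_MISMATCH, MX_PORT))
    print("VLAN 8 tagged from MX trunk -> plain PC NIC:", carry(8, MX_PORT, PC_NIC))
    print("VLAN 8 from access port -> plain PC NIC:", carry(8, SG_ACCESS_8, PC_NIC))
```

Two things the model makes visible: a host whose NIC does not speak 802.1Q only ever sees the untagged (native) VLAN of a trunk, so a tagged VLAN 8 frame never reaches it, and if the two ends of a trunk disagree on which VLAN is untagged, traffic silently crosses from one VLAN into the other in both directions. Those are the two settings to compare side by side on the MX port and the SG200 uplink before touching anything else.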

CashG
Getting noticed

@nuo OK, I understand now what is going on and why it's not working. I did have a PC plugged into the switch with an IP of 10.10.8.40; the port it was plugged into was set to Access with the VLAN set to 8. It worked, so that tells me VLANs are working as they should. I was able to get to it and was able to ping other devices on the network. So now it's just the UNIX server that I don't know what to do with. I can't set the port to Access because it needs to use both VLANs, and setting it to Trunk isn't working.

nuo
Getting noticed

Okay, if your VLANs on the switch are sorted and tagging is enabled on this port, it should just be a matter of setting up the appropriate virtual interfaces on the Ethernet device. This is pretty much up to the system admin of that system. If they said it worked on a different brand of switch, then you could try using that. But personally, I have not had any issues with Meraki or Cisco switches and this kind of tagging to a device (even using VMware or other virtualisation software).

 

I would suggest that if you have a macOS device floating around (BSD backend; not sure what system you are using), then you could try setting up VLANs on the Ethernet interface. It is straightforward and you can do it all from the GUI (network settings). Could be worth a try!

BrandonS
Kind of a big deal


@CashG wrote:

 

I could ping when I have a PC on 10.10.0.0 connected directly to the MX with its port set to Native VLAN 1 and then a PC on 10.10.8.0 connected directly to the MX with its port set to Native VLAN 8.

 

I would take this to the next step and make a trunk port to your switch and then have an access port for each VLAN to do the same test between two of your own machines that you know have default gateway.  I expect it will still work and then you can tell whomever supports the UNIX server that they need to check their end again.  I think you mentioned that you do not have access to the UNIX server, right?

- Ex community all-star (⌐⊙_⊙)
BrandonS
Kind of a big deal


@CashG wrote:

My issue is a Unix server that has an IP of 10.10.0.60 but then also has a virtual IP of 10.10.8.60. The virtual IP has no static gateway set for the VIO.


Is it possible the Unix server has no default gateway assigned?  Or one different than you think it is?

 

 

- Ex community all-star (⌐⊙_⊙)
nuo
Getting noticed

Okay, that is good to know. Thanks!
