Re: No Internet on non-native VLAN

VEC-Solutions
Advisor

No Internet on non-native VLAN

I am very new to networking and switching in general so please let me know if I am not making sense at any point. 

Here is my switch config:

; J9147A Configuration Editor; Created on release #W.15.14.0015
; Ver #06:04.18.63.ff.35.05:b6
hostname "Switch-Core"
module 1 type j9147a
module 2 type j9008a
module 3 type j9008a
trunk 45-46 trk1 lacp
trunk 47-48 trk2 lacp
trunk 43-44 trk10 lacp
trunk 25-26 trk30 lacp
trunk 13-14 trk40 lacp
ip dns server-address priority 1 192.168.200.4
ip route 0.0.0.0 0.0.0.0 192.168.200.1
ip route 192.168.0.0 255.255.255.0 192.168.0.254
ip route 192.168.100.0 255.255.255.0 192.168.100.1
ip route 192.168.200.0 255.255.255.0 192.168.200.1
ip route 192.168.201.0 255.255.255.0 192.168.201.1
ip routing
interface 1
name "Switch-SAN Mgmt"
exit
interface 2
name "Data-WAN-Uplink"
exit
interface 3
name "Phone-WAN-Uplink"
exit
interface 4
name "Cameras-WAN-Uplink"
exit
interface 5
name "Security-WAN-Uplink"
exit
interface 6
name "XenServer01 Phone"
exit
interface 12
name "Pelco DSSRV"
exit
interface 13
name "XenServer01 Mgmt"
exit
interface 14
name "XenServer01 Mgmt"
exit
interface 25
name "XenServer01 Security"
exit
interface 26
name "XenServer01 Security"
exit
interface 31
name "Production SAN Mgmt"
exit
interface 32
name "Production SAN Mgmt"
exit
interface 33
name "Backup SAN Mgmt"
exit
interface 34
name "Backup SAN Mgmt"
exit
interface 37
name "Security Controller Reyn's Office"
exit
interface 41
name "220T1a"
exit
interface 42
name "220T1a"
exit
interface 43
name "Switch-Phone Uplink"
exit
interface 44
name "Switch-Phone Uplink"
exit
interface 45
name "Switch-Shop Uplink"
exit
interface 46
name "Switch-Shop Uplink"
exit
interface 47
name "Switch-Front Uplink"
exit
interface 48
name "Switch-Front Uplink"
exit
interface A1
name "Switch-Desktops Uplink"
exit
interface A2
disable
exit
interface B2
name "XenServer01 Data"
exit
snmp-server community "public" unrestricted
snmp-server location "Server Room"
vlan 1
name "DATA"
no untagged 3-6,12,37,41-42,Trk30,Trk40
untagged 1-2,7-11,15-24,27-36,38-40,A2,B1-B2
tagged A1,Trk1-Trk2,Trk10
ip address 192.168.200.254 255.255.255.0
ip helper-address 192.168.200.4
exit
vlan 10
name "PHONE"
untagged 3,6,41-42
tagged Trk10
ip address 192.168.0.1 255.255.255.0
ip helper-address 192.168.200.4
voice
exit
vlan 20
name "CAMERA"
untagged 4,12
tagged Trk1-Trk2
ip address 192.168.201.254 255.255.255.0
exit
vlan 30
name "SECURITY"
untagged 5,37,Trk30
tagged Trk1-Trk2
ip address 192.168.100.254 255.255.255.0
exit
vlan 40
name "XEN MANAGEMENT"
untagged Trk40
ip address 192.168.50.254 255.255.255.0
exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk10 priority 4
spanning-tree Trk30 priority 4
spanning-tree Trk40 priority 4

I have a small business network that I am in charge of as an employee. The network is a star topology with 4 VLANs (1, 10, 20, 30). The VLAN routing is set up as no ACL with layer 3 interfaces for inter-VLAN routing. This works flawlessly. What does not work is the routing of those VLANs to a NAT capable device (at least I think this is the issue). My core switch performing all of my routing (2910al) happens to not provide NAT. The next device up the chain that I know provides NAT is our TZ300 Sonicwall Firewall. I cannot ping 8.8.8.8 from ANY of the non-native VLANs (10, 20, 30), but I can do it all day from ANY device in the native VLAN (1).

The reason I believe the problem is with my 2910al setup is because I was on the phone with Sonicwall support today and one main issue occurred. When pinging 8.8.8.8 from a non-native VLAN the Sonicwall logged that the request was not made on the intended port assigned to the non-native VLAN and therefore didn't use the VLAN routing (route from non-native VLAN subnet to firewall interface on same subnet). In fact, the request came in on the native VLAN through what I can only assume is the first route I have set up.

Also, if I try to remove the 0.0.0.0 0.0.0.0 192.168.200.1 route and replace it with a more specific route of 192.168.200.0 255.255.255.0 192.168.200.1 then I lose internet on the native VLAN as well...

The interfaces on the Firewall are static and as follows:

  • Data (Native) - 192.168.200.1
  • Phone - 192.168.0.254
  • Cameras - 192.168.201.1
  • Security - 192.168.100.1
VEC-Solutions
Advisor

Re: No Internet on non-native VLAN

It seems after a bit of research that it might not be a lack of NAT from my TZ300 firewall that is the issue, but rather the issue is the 2910al does not support routing multiple VLANs to different interfaces through VLAN ACLs. Can someone correct me on this if possible?

VEC-Solutions
Advisor

Re: No Internet on non-native VLAN

I have never set up an ACL so I don't really know what's involved, but there does not seem to be an option in the CLI for assigning a specific default route to multiple VLANs.

Vince-Whirlwind
Honored Contributor

Re: No Internet on non-native VLAN

You need to decide what's going to do your routing - your firewall or your switch.

Your ip route statements have no effect because those subnets are local subnets to the switch because the switch has IP addresses in each of them.

Either your firewall does all your routing so you trunk all your VLANs to the firewall and remove the IP addresses from the switch.

Or the switch does your routing and so you remove those subnets from the firewall and stop trunking the VLANs to them.
As all your VLANs appear to have hosts on them, you need to create a new VLAN with a point to point subnet linking firewall to switch, with routes on the firewall for each of your internal subnets, pointing at the switch.

VEC-Solutions
Advisor

Re: No Internet on non-native VLAN

For sure the switch is going to be doing the layer 2 routing. I have all of the VLANs set up and I can ping from any VLAN to any VLAN. The problem is my last hop to the router. The switch sends all default route frames to the router @ 0.0.0.0 0.0.0.0 192.168.200.1 (the IP address of the native VLAN firewall interface) which is recognized as an IP spoof on the firewall if sent from a non-native VLAN (192.168.201.0, 192.168.0.0, 192.168.100.0). Currently our consultants and I are looking into ACLs. The 2910al does not support VACLs, but our 2920's do. It could be as simple as setting up VACLs that forbid the layer 1 links from the switch to the firewall (the firewall VLAN uplinks) and setting up 4 different default routes, but that's just me shooting in the dark.

If I understand what you are saying correctly, you are suggesting I create a VLAN strictly for firewall communication to the switch (let's say 192.168.1.0) and then have the switch take care of the routing on the layer 3 interfaces. So the firewall could be 192.168.1.1 (single interface on firewall) and the layer 3 interface on the switch could be 192.168.1.254 and this will take care of everything? Sorry if this is a dumb question...

Vince-Whirlwind
Honored Contributor

Re: No Internet on non-native VLAN

Not a dumb question, that is exactly right.

Basically you have 2 Layer 3 devices: the "core" switch and the firewall. You should not span Layer 2 segments between the two - each Layer 2 segment needs to belong to one Layer 3 device or the other.

So you have 192.168.0.0/24 and 192.168.200.0/24 as subnets on the "core" switch. Each belongs to its own VLAN on that switch. The "core" switch VLAN interface has the IP address on it that is used in those subnets as the "default gateway". These subnets belong to the switch, and you extend the VLANs out that switch's ports to where they are needed by hosts.

Then you create another subnet, 192.168.1.0/24. You put 192.168.1.1 on the firewall interface that is patched to the switch. You create a new VLAN, say 99 on the "Core" switch, put 192.168.1.254 on that VLAN interface, and assign the port that is patched to the firewall as untagged in VLAN99.

On the "Core" switch, you need a route 0.0.0.0 0.0.0.0 192.168.1.1
On the Firewall you need a route for each of the subnets on the "Core", e.g. 192.168.200.0/24 via 192.168.1.254

Just one other thing - I never ever use 192.168 subnets, they are ugly.

My schema looks like this:
10.1.10.0/24 VLAN10 "Data"
10.1.20.0/24 VLAN20 "Voice"
10.1.99.0/24 VLAN99 "WAN Link"
10.1.254.0/24 VLAN254 "Management"

etc...

VEC-Solutions
Advisor

Re: No Internet on non-native VLAN

I'm still wondering if this will solve my IP spoofing problem on the firewall. Technically, the firewall is rejecting requests to the internet because it's seeing for instance a 192.168.0.0 subnet address coming in on the 192.168.200.1 interface. The problem, I think, is the fact I can only setup one default route. That's why I think I have to setup multiple default routes and restrict access to those routes through ACLs. Am I thinking about this wrong?

Vince-Whirlwind
Honored Contributor

Re: No Internet on non-native VLAN

Your firewall needs to be told for each of your internal subnets that they are in the "LAN" zone, presumably.

That's a question for whoever knows how that particular model of firewall is configured.
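To tie together the transit-VLAN design Vince describes and the anti-spoof question raised afterwards, here is a constructed Python model (added here, not code from the thread, HPE or SonicWall) of a longest-prefix-match forwarder and a strict reverse-path check, run over both designs. The firewall interface name "X1", the VLAN interface names and the host addresses are assumptions; the subnets and gateways are the ones posted in the thread.

```python
import ipaddress

# Constructed model of the two designs in this thread (not the poster's config):
# a longest-prefix-match forwarder plus a strict reverse-path (anti-spoof) check.
# Route entry: (prefix, interface, next_hop); next_hop None = directly connected.
def net(s): return ipaddress.ip_network(s, strict=False)
def connected(prefix, iface): return (net(prefix), iface, None)
def static(prefix, nh): return (net(prefix), None, ipaddress.ip_address(nh))

def lpm(routes, dst):
    """Longest prefix wins; on equal length a connected route beats a static one,
    which is why a static for a subnet the switch has an address in is ignored."""
    dst = ipaddress.ip_address(str(dst))
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, r[2] is None), default=None)

def egress(routes, dst):
    """Interface used to reach dst, resolving a next hop through the same table."""
    r = lpm(routes, dst)
    return None if r is None else (r[1] if r[2] is None else egress(routes, r[2]))

def rpf_accept(fw_routes, ingress_iface, src):
    """Strict RPF: accept only if the route back to src leaves on the interface
    the packet arrived on; otherwise the firewall logs it as a spoof and drops it."""
    return egress(fw_routes, src) == ingress_iface

def internet_path(sw_routes, fw_routes, links, src, dst="8.8.8.8"):
    """Which switch VLAN the packet leaves on, which firewall interface it hits,
    and whether the firewall's anti-spoof check lets it through."""
    sw_if = egress(sw_routes, dst)
    fw_if = links.get(sw_if)
    return sw_if, fw_if, fw_if is not None and rpf_accept(fw_routes, fw_if, src)

# Design as posted: every subnet lives on both devices, default route via VLAN 1.
SWITCH_AS_IS = [connected("192.168.200.254/24", "vlan1"), connected("192.168.0.1/24", "vlan10"),
                connected("192.168.201.254/24", "vlan20"), connected("192.168.100.254/24", "vlan30"),
                static("0.0.0.0/0", "192.168.200.1"), static("192.168.0.0/24", "192.168.0.254")]
FW_AS_IS = [connected("192.168.200.1/24", "Data"), connected("192.168.0.254/24", "Phone"),
            connected("192.168.201.1/24", "Cameras"), connected("192.168.100.1/24", "Security")]
LINKS_AS_IS = {"vlan1": "Data", "vlan10": "Phone", "vlan20": "Cameras", "vlan30": "Security"}

# Proposed design: one transit VLAN 99 between the two devices, firewall routes back
# to each internal subnet via the switch. "X1" is an assumed firewall interface name.
SWITCH_FIXED = SWITCH_AS_IS[:4] + [connected("192.168.1.254/24", "vlan99"), static("0.0.0.0/0", "192.168.1.1")]
FW_FIXED = [connected("192.168.1.1/24", "X1")] + [static(p, "192.168.1.254") for p in
            ("192.168.200.0/24", "192.168.0.0/24", "192.168.201.0/24", "192.168.100.0/24")]
LINKS_FIXED = {"vlan99": "X1"}
```

With the posted design a packet from 192.168.0.10 leaves the switch on vlan1, reaches the Data interface, and fails the reverse-path check because the firewall's own route to 192.168.0.0/24 points at its Phone interface; with the transit VLAN every internal subnet is reached via 192.168.1.254 on the same interface the traffic arrives on, so the check passes.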