Switches, Hubs, and Modems
VLAN problem

Pierre_p
Occasional Visitor

VLAN problem

Hi,

I'm trying to add a VLAN to an already existing network and changing the speed of the fiber link between two pieces of equipment at the same time. Maybe not the best idea, but it shouldn't be a problem as far as I know. :)

We previously used a 2424M switch connected via a J4112A 100Mb/s fiber module to a 2524 switch which had a 100Mb/s J4853A module plugged-in.

We wanted to use a 2824 instead of the 2424 and have a 1Gb/s link between it and the existing 2524.

To this end, we bought a mini-GBIC transceiver (J4858B) for the 2824 and plugged a J4131B into our 2524.

The network, so to speak, works; we have link and traffic.

We had 3 VLANs using private addresses and when trying to add another one, we couldn't get it to work.

This new VLAN is in fact directly connected to our Internet router.

If we remove all the previously existing VLANs and only leave the one we try to add, it works. As soon as we add another one, it ceases to.

I'm a bit confused as I don't see what could cause such a behaviour. Apart from the fact that we can't use a management address on this particular VLAN since it's using public addressing, I fail to see what is specific about it.

So, we tried reinstalling the 100 Mb/s devices and restored the original VLANs, hoping to get closer to the solution. This works, but once we try to add that particular 'internet' VLAN, the issue resurfaces.

Thanks in advance for your help.
6 REPLIES
Pierre_p
Occasional Visitor

Re: VLAN problem

Sorry, I just realised that I forgot to mention that we are back to using the 2424 switch for the moment so that we can use 100 Mb/s transceivers.
Ben Dehner
Trusted Contributor

Re: VLAN problem

Offhand, I'd say it sounds more like a VLAN/Routing problem than a switch problem. Especially since you see the same problem with the original configuration. Also, in your description "couldn't get it to work", I'm not clear about what you couldn't get to work. Did the original 3 VLANs still work, but you couldn't see the fourth one? Or did everything stop working?

The 2500 is a layer-2 only switch, so somewhere some device has to handle the routing between the various VLANs. If everything works when you have only one VLAN, it's possible that there's no route available to your new VLAN. When you collapse the network to a single VLAN, everything still talks.

The intermediate router that handles the inter-VLAN traffic needs to be on all of the VLANS, including the new one. It either needs a single, tagged interface on all VLANS or multiple interfaces on one VLAN each. It will also need a default route that points it to the internet router.

If the internet router is on multiple VLANs, it's possible that the router is not configured with the VLAN information to deal with tagged packets. It will also need to do the tagging on the packets it sends back into your network.

The 2800 can change the rules somewhat, because it is a layer 3 switch. However, if you are not using the layer 3 features, then the above still applies.

Also, not to belabor the obvious, the interlink between the two switches must always be tagged, and must always be a member of all VLANs on the switches. So when adding the new VLAN, make sure the interlink port is on that VLAN on both ends.
Trust me, I know what I'm doing
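The interlink rule in the reply above (the uplink port must be a tagged member of every VLAN on both switches) is easy to get wrong when a VLAN is added on one switch only. The following is an added example, not code from the thread or from HP: it models two switches as plain dictionaries and reports every VLAN the uplink is missing from. The switch names, port numbers and VLAN layout are constructed to resemble the poster's setup; the port numbers used for the fibre link are assumptions.

```python
"""Check that an inter-switch link carries every VLAN as a tagged member on both ends.

Added example, not from the forum thread. All port numbers and VLAN memberships
below are constructed; the uplink port numbers are assumptions.
"""
import copy

# Constructed config: switch -> vlan id -> {"tagged": {ports}, "untagged": {ports}}
SWITCH_A = {
    "name": "2824",
    "uplink": "25",  # assumed: port carrying the fibre link to the 2524
    "vlans": {
        1: {"tagged": {"25"}, "untagged": {"1", "2", "3"}},
        2: {"tagged": {"25"}, "untagged": {"4", "5"}},
        3: {"tagged": {"25"}, "untagged": {"6"}},
        4: {"tagged": set(), "untagged": {"7"}},  # new 'internet' VLAN, uplink forgotten
    },
}
SWITCH_B = {
    "name": "2524",
    "uplink": "26",  # assumed: port carrying the fibre link to the 2824
    "vlans": {
        1: {"tagged": {"26"}, "untagged": {"1", "2"}},
        2: {"tagged": {"26"}, "untagged": {"3"}},
        3: {"tagged": {"26"}, "untagged": {"4"}},
        4: {"tagged": {"26"}, "untagged": {"5"}},
    },
}


def interlink_problems(switch_a, switch_b):
    """Return a list of human-readable problems with the inter-switch link.

    Every VLAN defined on either switch must be a *tagged* member of the uplink
    port on both switches. An untagged uplink membership is also flagged: only
    one VLAN can be untagged on a port, and the peer end will not match it.
    """
    problems = []
    all_vlans = set(switch_a["vlans"]) | set(switch_b["vlans"])
    for sw in (switch_a, switch_b):
        uplink = sw["uplink"]
        for vid in sorted(all_vlans):
            cfg = sw["vlans"].get(vid)
            if cfg is None:
                problems.append(f"{sw['name']}: VLAN {vid} is not defined")
            elif uplink in cfg["untagged"]:
                problems.append(f"{sw['name']}: uplink {uplink} is UNTAGGED in VLAN {vid}")
            elif uplink not in cfg["tagged"]:
                problems.append(f"{sw['name']}: uplink {uplink} is not a tagged member of VLAN {vid}")
    return problems


def fix_uplink_membership(switch):
    """Return a copy of the config with the uplink tagged in every defined VLAN."""
    fixed = copy.deepcopy(switch)
    for cfg in fixed["vlans"].values():
        cfg["untagged"].discard(fixed["uplink"])
        cfg["tagged"].add(fixed["uplink"])
    return fixed


if __name__ == "__main__":
    for line in interlink_problems(SWITCH_A, SWITCH_B):
        print(line)
    print("after fix:", interlink_problems(fix_uplink_membership(SWITCH_A), SWITCH_B))
```

Run as-is it reports that the 2824's uplink is not a tagged member of VLAN 4, which is exactly the symptom in the thread: the VLAN exists on both switches, but traffic for it never crosses the link. The same check applies to a VLAN that is defined on one switch only.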
Pierre_p
Occasional Visitor

Re: VLAN problem

Thanks for answering.

What I meant by "couldn't get it to work" is that the VLAN is present, and ports are tagged accordingly, but we can't ping anything through it. We added it to the others but couldn't get anything to pass through it.

I made a little scheme in the attachment so that you can see what our network configuration looks like.

It's very classic and it seems to me that the ports have been tagged the right way.

Thanks for helping.
Ben Dehner
Trusted Contributor

Re: VLAN problem

Thanks, that helps.

I am almost certain that your problem is at layer 3 with the IP routing. (Or whatever layer 3 protocol you are using.) Either your VLAN 1-3 devices don't have the proper routing information to reach VLAN 4, or the router on VLAN 4 does not have the proper routing information to get back to VLANs 1-3. Here are some questions to ponder:

What are the IP subnets assigned to the VLANs?
What is the default gateway on the VLAN 1-3 devices?
What device owns the default gateway IP?
What routing protocols -- if any -- are on the internet router?

Try doing a ping and a traceroute from both directions. That is, going from a VLAN 1 device to the router, and try going from the router back to the VLAN 1 device. Make sure that the router isn't trying to reach the internal networks via the external interface.

For a simple stub configuration, the internet router would not need to run any routing protocols. It would have a default route pointing to the ISP, and one or more static routes pointing to the internal subnets. If the router cannot see the internal gateway to the VLANs, then this would be causing your problems.
Trust me, I know what I'm doing
Pierre_p
Occasional Visitor

Re: VLAN problem

From your questions, I do realize that my scheme is false, it is in fact slightly more complicated.

The VLANs aren't supposed to communicate with each other. We're using a router/firewall (a PC with IPCop installed, namely) to allow the users to access the internet. So typically you would access that firewall from VLAN 1 and the 'Internet' network would be on VLAN 4. VLANs 2 and 3 are connected to another IPCop machine and this works at the moment.

There are no outbound limitations whatsoever on the firewall itself; it's only there to act as a modem and protect the network from external attacks.

Our Internet router, at the top of the scheme, is in bridge mode, so it's only there to give us web access.

That said, I think you're probably right; routing is probably not working properly.


Thanks for the help
Ben Dehner
Trusted Contributor

Re: VLAN problem

In a logical sense, what I see is that VLAN 4 is your "backbone" VLAN, which is used by all of your internal IPCop servers to connect to the internet gateway. So here's how I would see things being configured.

Each internal VLAN 1-3 has its own IPCop server, which all systems within that VLAN use as the default gateway. The external interface of each IPCop server will be on VLAN 4, which also has the internal interface of the internet router. The IPCop servers will only need a default route pointing to the internet router, since they will see their respective VLANs as local (direct-attached) routes. The internet router will have a default route pointing to the upstream ISP, and will need to have static routes for each of the VLANs pointing to the respective IPCop server.

At this point, if you want to isolate your VLANs, you will need to add firewall rules. Otherwise, the internet gateway will bounce traffic from one IPCop server to another with ICMP re-directs. On the other hand, if you *want* inter-VLAN communication, it would be best to add static routes in the IPCop servers to avoid the ICMP re-directs.

From a layer 2 perspective, the IPCop servers' external interfaces and the internet router's internal interface must all be on VLAN 4. If this VLAN is on separate switches, then the switch interlinks must also be members of this VLAN and tagged. This also implies they must be on the same IP subnet.
Trust me, I know what I'm doing
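The two replies above ("try a ping and traceroute from both directions" and the routing layout with static routes on the internet router) describe a check that can be rehearsed on paper before touching the boxes. The following is an added example, not code from the thread or from IPCop: it builds the topology from the last reply as small routing tables, does longest-prefix-match forwarding hop by hop in both directions, and also flags the hops where a router would answer with an ICMP redirect. Every device name, address and route is constructed; VLAN 4 uses the 192.0.2.0/24 documentation range to stand in for the poster's public subnet, and the ISP link uses 203.0.113.0/30.

```python
"""Trace forwarding in both directions to spot a missing return route.

Added example, not from the forum thread. Devices, addresses and routes are
constructed: VLAN 1-3 use private /24s, VLAN 4 (the 'internet' VLAN) uses the
192.0.2.0/24 documentation range, and the ISP side uses 203.0.113.0/30.
"""
from ipaddress import ip_address, ip_interface, ip_network


def make_devices(router_has_return_routes):
    """Build the layout from the thread's last reply. The flag toggles the
    static routes on the internet router that point back at the IPCop boxes."""
    devices = {
        "pc1": {"ifaces": ["10.1.0.10/24"], "routes": [("0.0.0.0/0", "10.1.0.1")]},
        "ipcop1": {"ifaces": ["10.1.0.1/24", "192.0.2.11/24"],
                   "routes": [("0.0.0.0/0", "192.0.2.1")]},
        "ipcop23": {"ifaces": ["10.2.0.1/24", "10.3.0.1/24", "192.0.2.12/24"],
                    "routes": [("0.0.0.0/0", "192.0.2.1")]},
        "inet-router": {"ifaces": ["192.0.2.1/24", "203.0.113.2/30"],
                        "routes": [("0.0.0.0/0", "203.0.113.1")]},
    }
    if router_has_return_routes:
        devices["inet-router"]["routes"] += [("10.1.0.0/24", "192.0.2.11"),
                                             ("10.2.0.0/24", "192.0.2.12"),
                                             ("10.3.0.0/24", "192.0.2.12")]
    return devices


def lookup(dev, dst):
    """Longest-prefix match over connected subnets and static routes.
    Returns ("connected", None), ("via", next_hop) or None."""
    dst = ip_address(dst)
    best = None
    for addr in dev["ifaces"]:
        net = ip_interface(addr).network
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "connected", None)
    for prefix, nh in dev["routes"]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "via", ip_address(nh))
    return None if best is None else best[1:]


def owner(devices, ip):
    """Name of the device that holds this address, or None if it is outside the model."""
    ip = ip_address(ip)
    for name, dev in devices.items():
        if any(ip_interface(a).ip == ip for a in dev["ifaces"]):
            return name
    return None


def trace(devices, src, dst, max_hops=8):
    """Follow a packet from device `src` toward address `dst`. Returns (status, path)."""
    path, cur = [src], src
    for _ in range(max_hops):
        if owner(devices, dst) == cur:
            return ("delivered", path)
        route = lookup(devices[cur], dst)
        if route is None:
            return (f"no route at {cur}", path)
        kind, nh = route
        target = ip_address(dst) if kind == "connected" else nh
        nxt = owner(devices, target)
        if nxt is None:
            return (f"{cur} forwards to {target}, which is not an internal device", path)
        path.append(nxt)
        cur = nxt
    return ("loop", path)


def redirect_hops(devices, path):
    """Hops where a router sends the packet back onto the subnet it arrived from
    (previous and next hop share a connected subnet). Such a router would send an
    ICMP redirect; a static route on the previous hop avoids it."""
    def nets(name):
        return {ip_interface(a).network for a in devices[name]["ifaces"]}
    return [(cur, prev, nxt) for prev, cur, nxt in zip(path, path[1:], path[2:])
            if nets(prev) & nets(nxt)]


if __name__ == "__main__":
    for label, devs in (("without return routes", make_devices(False)),
                        ("with return routes", make_devices(True))):
        print(label)
        print("  pc1 -> router:", trace(devs, "pc1", "192.0.2.1"))
        print("  router -> pc1:", trace(devs, "inet-router", "10.1.0.10"))
        status, path = trace(devs, "pc1", "10.2.0.1")
        print("  pc1 -> VLAN 2 gateway:", status, path, "redirects:", redirect_hops(devs, path))
```

Without the static routes the forward trace reaches the internet router but the return trace leaves through the ISP interface, which is the "router trying to reach the internal networks via the external interface" case from the earlier reply; adding the routes makes both directions deliver. The inter-VLAN trace with the routes in place shows the bounce through the internet gateway and the hop that would generate an ICMP redirect.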