inter-vlan routing / internet access problem sge2000

Feb 17th, 2010

Hi Guys,


I have been searching these forums for a while, but can't find the answers to 2 questions.  1.  How to allow inter-vlan comms? 2. Why certain machines can't access the internet?


I have an sge2000 (firmware 3.0.0.17, boot version 1.0.0.05) switch configured to layer 3 mode.  I have setup 3 VLANs:


VLAN1 - management vlan - ip address 192.168.1.254/24

VLAN2 - frontend vlan - ip address 172.16.1.254/24

VLAN3 - frontend storage vlan - ip address 172.16.2.254/24


I have 1/g1 plugged into a draytek vigor 2950 - internet gateway ip 192.168.1.1.  This port has no specific set-up (default vlan 1 untagged).


I have one workstation (ip address 172.16.1.15/24 gateway 172.16.1.254) plugged into 1/g3.  This port is set-up as vlan 2 untagged access mode.


I have an esxi 4 server plugged into 1/g6.  The esxi server's (with an ubuntu webserver virtual machine - 2 interfaces one in vlan 1 and one in vlan 2) virtual switch is set up to tag vlan2 and vlan3. This switch port is set-up as general mode vlan 2 and vlan 3 both tagged.


I have set-up one static route on the switch:

1. destination ip -> 0.0.0.0, mask -> 0.0.0.0, next hop -> 192.168.1.1


I have set-up two static routes on the draytek:

1. destination ip -> 172.16.1.0 mask -> 255.255.255.0, gateway ip -> 192.168.1.254

2. destination ip -> 172.16.2.0 mask -> 255.255.255.0, gateway ip -> 192.168.1.254


Phew.  Now that is out of the way.  At first I could not get access to the internet from the workstation or webserver.  Bizarrely if I create an acl with 1 rule but don't bind it to any ports I get access to the internet and the rest of the 192.168.1.x network from the workstation.


But for some reason I cannot access the internet from the webserver!!


I can ping the webserver from the workstation however and vice versa.


So the first question is why/how can I get internet access from the webserver?


Second question how do I get access from vlan2 to vlan3?


I have seen some posts say the default behaviour of the sge2000 in layer 3 mode is to allow intervlan comms but I simply can't ping the webserver vlan3 interface from the workstation (vlan2 ip address).


Please help this is driving me bonkers for 2 days.


Thanks in advance


Adam

Ganesh Hariharan Thu, 02/18/2010 - 01:09

Hi Adam,


For accessing internet you need to configure natting in sge2000 so that internal users can access internet and if you have configured sge2000 in l3 mode then inter vlan communication should happen without any problem.


Hope to help !!


If helpful do rate the post


Ganesh.h

adam.flavell Thu, 02/18/2010 - 01:50

Thanks for your time ganesh, but how do I configure natting in the sge2000?  Currently I can't ping between vlans please help.


Thanks Adam

Ganesh Hariharan Thu, 02/18/2010 - 02:49

Hi Adam,


Ok, I don't think you need to do natting on sge2000 as your connectivity is with router on port 1 as mentioned in the original thread, so to have internet access hopefully they would have configured natting in router end and you need to drop a reverse route for your rest of the vlan subnet in your upstream router which needs to access internet.


Check out the below link on sge2000, hope that helps


https://www.cisco.com/en/US/products/ps9967/products_qanda_item09186a0080a36802.shtml


If helpful do rate the post


Ganesh.H

adam.flavell Thu, 02/18/2010 - 03:19

Thanks ganesh,


As mentioned in the original post I have reverse route in the upstream route and I can access the internet from the workstation that is plugged into 1/g3.  The problem is internet access from the webserver (virtual machine).


Please advise.


Thanks,


Adam

Ganesh Hariharan Thu, 02/18/2010 - 03:38

Hi Adam,


Are you able to ping the outside interface of sge2000 from virtual machine, and when you trace route from virtual machine for any external site, till where does it go?


Ganesh.H

adam.flavell Thu, 02/18/2010 - 04:19

I've gone back to basics and removed all other virtual machines from the vswitch.  I then removed the virtual network adapters and re-added them one at a time.  Restarting the networking service each time, and each time changing the switch port from access to trunk and from 2U to 2T to 2T/3T.  I can now access the internet from the webserver hooray!!


I can now ping 192.168.1.1 from the webserver.


I can also ping the webserver's 172.16.1.x address from the workstation.


So my last task (for now) is to be able to connect from the workstation to the vlan3 i.e. ping the webserver's vlan3 interface, currently this is not routing. As I understand it the sge2000 should route inter-vlans automatically??


Your continued help is much appreciated.


Adam

Ganesh Hariharan Thu, 02/18/2010 - 04:58

Adam,


Just check in sge2000 that all the ports have been tagged to specific vlan and specific port and that L3 mode is enabled in sge2000.


HTH


Ganesh.H

adam.flavell Thu, 02/18/2010 - 06:04

After a bit more digging it looks like the webserver is receiving the pings (I checked wireshark) but is not responding.  So the sge2000 may be working as expected.  Just need to figure out why the webserver is not responding now.

Ganesh Hariharan Thu, 02/18/2010 - 08:54

Then just check whether there is any built-in firewall configured on the web server which is preventing it from sending icmp replies to systems, and also check whether you are able to ping from the web server to other vlan members and the gateway.


Ganesh.H
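
Added example, not part of the thread: alongside a host firewall, a multi-homed Linux server can drop pings like these through strict reverse-path filtering (the `rp_filter` sysctl), and this sketch models that check for the workstation-to-VLAN3 ping. The webserver addresses 172.16.1.20 and 172.16.2.20, the interface names and the host's default route are assumptions; the thread does not give them.

```python
import ipaddress

# Constructed webserver interfaces (the thread never gives these addresses).
INTERFACES = {
    "eth0": ipaddress.ip_interface("172.16.1.20/24"),  # VLAN2, assumed
    "eth1": ipaddress.ip_interface("172.16.2.20/24"),  # VLAN3, assumed
}
# Host routing table: connected subnets plus an assumed default route out of eth0.
ROUTES = [(iface.network, name) for name, iface in INTERFACES.items()]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "eth0"))


def best_route_iface(addr):
    """Longest-prefix match: the interface the host would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in ROUTES if ip in net]
    return max(matches)[1] if matches else None


def rp_filter_accepts(src, in_iface, mode):
    """Model of net.ipv4.conf.*.rp_filter: 0 = off, 1 = strict, 2 = loose."""
    back = best_route_iface(src)
    if mode == 0:
        return True
    if mode == 2:
        return back is not None  # any route back to the source is enough
    return back == in_iface      # strict: route back must use the arrival interface


def trace_ping(src, dst, mode):
    """Return (arrival interface, accepted?, interface the reply would leave on)."""
    ip = ipaddress.ip_address(dst)
    in_iface = next(n for n, i in INTERFACES.items() if i.ip == ip)
    ok = rp_filter_accepts(src, in_iface, mode)
    return in_iface, ok, best_route_iface(src) if ok else None


if __name__ == "__main__":
    workstation = "172.16.1.15"  # from the original post
    for dst in ("172.16.1.20", "172.16.2.20"):
        for mode in (1, 2):
            print(dst, "rp_filter =", mode, "->", trace_ping(workstation, dst, mode))
```

On the server itself, `sysctl net.ipv4.conf.all.rp_filter` and the per-interface equivalents show the live setting.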
