inter-vlan routing / internet access problem sge2000

adam.flavell
Level 1

Hi Guys,

I have been searching these forums for a while, but can't find the answers to 2 questions.  1.  How to allow inter-vlan comms? 2. Why certain machines can't access the internet?

I have an sge2000 (firmware 3.0.0.17, boot version 1.0.0.05) switch configured to layer 3 mode.  I have setup 3 VLANs:

VLAN1 - management vlan - ip address 192.168.1.254/24

VLAN2 - frontend vlan - ip address 172.16.1.254/24

VLAN3 - frontend storage vlan - ip address 172.16.2.254/24

I have 1/g1 plugged into a draytek vigor 2950 - internet gateway ip 192.168.1.1.  This port has no specific set-up (default vlan 1 untagged).

I have one workstation (ip address 172.16.1.15/24 gateway 172.16.1.254) plugged into 1/g3.  This port is set-up as vlan 2 untagged access mode.

I have an esxi 4 server plugged into 1/g6.  The esxi server's (with an ubuntu webserver virtual machine - 2 interfaces, one in vlan 1 and one in vlan 2) virtual switch is set up to tag vlan2 and vlan3. This switch port is set-up as general mode vlan 2 and vlan 3 both tagged.

I have set-up one static route on the switch:

1. destination ip -> 0.0.0.0, mask -> 0.0.0.0, next hop -> 192.168.1.1

I have set-up two static routes on the draytek:

1. destination ip -> 172.16.1.0 mask -> 255.255.255.0, gateway ip -> 192.168.1.254

2. destination ip -> 172.16.2.0 mask -> 255.255.255.0, gateway ip -> 192.168.1.254

Phew.  Now that is out of the way.  At first I could not get access to the internet from the workstation or webserver.  Bizarrely, if I create an acl with 1 rule but don't bind it to any ports I get access to the internet and the rest of the 192.168.1.x network from the workstation.

But for some reason I cannot access the internet from the webserver!!

I can ping the webserver from the workstation however and vice versa.

So the first question is why/how can I get internet access from the webserver?

Second question how do I get access from vlan2 to vlan3?

I have seen some posts say the default behaviour of the sge2000 in layer 3 mode is to allow intervlan comms but I simply can't ping the webserver vlan3 interface from the workstation (vlan2 ip address).

Please help this is driving me bonkers for 2 days.

Thanks in advance

Adam


Ganesh Hariharan
VIP Alumni

Hi Adam,

For accessing internet you need to configure natting in sge2000 so that internal users can access internet, and if you have configured sge2000 in l3 mode then inter vlan communication should happen without any problem.

Hope to help !!

If helpful do rate the post

Ganesh.h

Thanks for your time ganesh, but how do I configure natting in the sge2000?  Currently I can't ping between vlans please help.

Thanks Adam

Hi Adam,

Ok, I don't think you need to do natting on sge2000 as your connectivity is with router on port 1 as mentioned in the original thread, so to have internet access hopefully they would have configured natting in router end and you need to drop a reverse route for your rest of the vlan subnet in your upstream router which needs to access internet.

Check out the below link on sge2000, hope that helps

https://www.cisco.com/en/US/products/ps9967/products_qanda_item09186a0080a36802.shtml

If helpful do rate the post

Ganesh.H

Thanks ganesh,

As mentioned in the original post I have reverse route in the upstream route and I can access the internet from the workstation that is plugged into 1/g3.  The problem is internet access from the webserver (virtual machine).

Please advise.

Thanks,

Adam

Hi Adam,

Are you able to ping the outside interface of sge2000 from virtual machine and when you trace route from virtual machine for any external site till where it goes ?

Ganesh.H

I've gone back to basics and removed all other virtual machines from the vswitch.  I then removed the virtual network adapters and re-added them one at a time.  Restarting the networking service each time, and each time changing the switch port from access to trunk and from 2U to 2T to 2T/3T.  I can now access the internet from the webserver hooray!!

I can now ping 192.168.1.1 from the webserver.

I can also ping the webserver's 172.16.1.x address from the workstation.

So my last task (for now) is to be able to connect from the workstation to the vlan3, i.e. ping the webserver's vlan3 interface; currently this is not routing. As I understand it the sge2000 should route inter-vlans automatically??

Your continued help is much appreciated.

Adam

Adam,

Just check in sge2000 that all the ports have been tagged to the specific vlan and specific port and that L3 mode is enabled in sge2000.

HTH

Ganesh.H

After a bit more digging it looks like the webserver is receiving the pings (I checked wireshark) but is not responding.  So the sge2000 may be working as expected.  Just need to figure out why the webserver is not responding now.

Then just check whether any built-in firewall is configured on the web server which is preventing it from sending icmp replies to systems, and also check whether you are able to ping from the web server to other vlan members and the gateway.

Ganesh.H
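
Added example, not part of the original thread: a small route-lookup model of the topology described above, showing the request and reply paths when the workstation pings the webserver's VLAN3 interface. The webserver addresses (.20), its interface names and its default route are assumptions, and the reverse-path check is one possible explanation for "received but not answered" alongside a host firewall, not a cause the thread confirms.

```python
import ipaddress

# Constructed model of the thread's topology. Webserver host addresses,
# interface names and default route are assumptions (thread says "172.16.1.x").
SWITCH_ROUTES = [  # SGE2000 in layer 3 mode: connected VLANs + static default
    ("192.168.1.0/24", "vlan1"),
    ("172.16.1.0/24", "vlan2"),
    ("172.16.2.0/24", "vlan3"),
    ("0.0.0.0/0", "vlan1 via 192.168.1.1"),
]
WEBSERVER_ROUTES = [  # multi-homed VM, one NIC per tagged VLAN
    ("172.16.1.0/24", "eth0"),  # VLAN2 NIC, 172.16.1.20 (assumed)
    ("172.16.2.0/24", "eth1"),  # VLAN3 NIC, 172.16.2.20 (assumed)
    ("0.0.0.0/0", "eth0"),      # default via 172.16.1.254 (assumed)
]

def lookup(routes, dst):
    """Longest-prefix match: egress of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), egress) for p, egress in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def ping_paths(src, dst, arrival_iface):
    """Request path through the switch and reply path chosen by the host."""
    reply_iface = lookup(WEBSERVER_ROUTES, src)
    return {
        "switch_egress": lookup(SWITCH_ROUTES, dst),
        "arrives_on": arrival_iface,
        "reply_leaves_on": reply_iface,
        "asymmetric": reply_iface != arrival_iface,
    }

def strict_rpf_accepts(src, arrival_iface):
    """Strict reverse-path filter (RFC 3704): accept a packet only if the
    host's route back to its source uses the interface it arrived on."""
    return lookup(WEBSERVER_ROUTES, src) == arrival_iface

if __name__ == "__main__":
    # Workstation 172.16.1.15 pings the webserver's VLAN3 address.
    print(ping_paths("172.16.1.15", "172.16.2.20", "eth1"))
    print("strict RPF accepts:", strict_rpf_accepts("172.16.1.15", "eth1"))
```

On a Linux host the corresponding setting is the `net.ipv4.conf.*.rp_filter` sysctl; a packet capture sees the echo request before that filter is applied, so the request can show up in Wireshark with no reply following it.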
