
chfascik
Mar 09, 2017
Solved

M4100-D12G VLAN routing - ping VLAN1

Hi,

 

I have simple lab network:

netgear.jpg

 

Router, switch M4100, external DHCP server and 2 hosts.

I am trying to set up 2 VLANs and inter-VLAN routing.

 

1. set static routing on router (172.16.5.1):

a) for VLAN 7: 172.16.7.0/24 GW: 172.16.5.254

b) for VLAN 8: 172.16.8.0/24 GW: 172.16.5.254

 

2. on switch M4100: move management VLAN to 500 so I have free VLAN 1 and can set routing

a) set VLAN 7 and VLAN 8. Add port to VLAN: port 7 to VLAN 7, Untagged. Add port to VLAN: port 8 to VLAN 8 Untagged. Add port 1 (uplink to router) Tagged for VLAN 7 and 8. Add port 2 Tagged for VLAN 7 and 8.

b) set VLAN routing and routing table - screenshot below

1routing.png

2_vlanrouting.png

3. Set DHCP relay (UDP relay) on switch to 172.16.5.2 and set DHCP Pool for VLAN7 and VLAN8 on external DHCP server.

 

And now....

1. Hosts in VLAN 7, 8 get IP from DHCP, get DNS, get GW

2. Hosts in VLAN 7 and VLAN 8 ping each other and ping VLAN 7 and VLAN 8 interface

3. Hosts in VLAN 7 and VLAN 8 have access to internet

4. Hosts in VLAN 1 ping hosts in VLAN 7 and VLAN 8.

5. Hosts in VLAN 7 and 8 can ping VLAN 1 addresses but only: 172.16.5.1 (router/gateway) and VLAN1 interface (172.16.5.254). When I try to ping DHCP 172.16.5.2 I get request timed out.

 

What did I forget to do, or what did I do wrong? ;-)

 

 

  • DaneA
    NETGEAR Employee Retired

    Hi chfascik,

     

    Kindly click on this article and it might help.  Kindly use it as your guide.

     

     

    Regards,

     

    DaneA

    NETGEAR Community Team

    • chfascik
      Tutor

      thanks DaneA - I'll try to read and configure it.

    • chfascik
      Tutor

      DaneA, I made exactly the same configuration as described in your link.

       

      Setup VLAN routing

      Setup static routing

      Setup default route

      Setup DHCP server.

       

      1. DHCP server (located in VLAN 1) gives IP addresses to all VLAN7 and VLAN8 clients.

      2. I can ping from VLAN 1 to VLAN 7 and 8 VLAN interface and clients

      3. I can ping from VLAN 7 to VLAN 8 VLAN interface and clients

      4. I can ping from VLAN 7 to VLAN 1 interface (172.16.5.254)

      5. I can ping from VLAN 7 to router/gateway (172.16.5.1) located in VLAN 1

      6. I can't ping any host connected to VLAN 1 on switch.

      7. I can ping from VLAN 7 WiFi clients connected to router (client addresses 172.16.5.x/24).

       

      There is only a problem with traffic from VLAN 7 and 8 to VLAN 1 clients connected to VLAN 1 on switch ports.

       

      I tried to do that on M4100-D12G and M4100-26G. The same result. :(

      • chfascik
        Tutor

        Sorry for forum spam but I solved the problem.

        What was wrong? Gateway IP address on DHCP server for VLAN 1 and on all clients connected to switch to VLAN 1 ports. So I had to change the default gateway for the 172.16.5.x/24 network from 172.16.5.1 to 172.16.5.254, and now it works fine.

         

        Thank you for your help and directions :)
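
The gateway change in the post above can be checked by tracing which routing devices forward each direction of the ping. The Python sketch below is an added example, not code from the thread: the addresses and static routes are taken from the posts, while the device model and the names `DEVICES`, `hops` and `ping_paths` are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the lab in this thread; layout and names are assumptions.
DEVICES = {
    "switch": {  # M4100 routing interfaces for VLAN 1, 7 and 8
        "addrs": {"172.16.5.254", "172.16.7.254", "172.16.8.254"},
        "connected": ["172.16.5.0/24", "172.16.7.0/24", "172.16.8.0/24"],
        "routes": {"0.0.0.0/0": "172.16.5.1"},
    },
    "router": {  # gateway with the static routes from the first post
        "addrs": {"172.16.5.1"},
        "connected": ["172.16.5.0/24"],
        "routes": {"172.16.7.0/24": "172.16.5.254", "172.16.8.0/24": "172.16.5.254"},
    },
}

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def hops(dst, gateway, src_net):
    """List the routing devices a packet crosses on its way to dst."""
    if in_net(dst, src_net):
        return []  # same subnet: delivered at layer 2, no router involved
    path, next_hop = [], gateway
    while True:
        dev = next((n for n, d in DEVICES.items() if next_hop in d["addrs"]), None)
        if dev is None or dev in path:
            raise ValueError(f"next hop {next_hop} is not a usable router")
        path.append(dev)
        table = DEVICES[dev]
        if any(in_net(dst, n) for n in table["connected"]):
            return path  # destination is on a directly connected subnet
        matches = [(ipaddress.ip_network(n).prefixlen, gw)
                   for n, gw in table["routes"].items() if in_net(dst, n)]
        if not matches:
            raise ValueError(f"{dev} has no route to {dst}")
        next_hop = max(matches)[1]  # longest prefix wins

def ping_paths(a, b):
    """Return (request path, reply path, symmetric?) for a ping from a to b."""
    fwd = hops(b["ip"], a["gw"], a["net"])
    rev = hops(a["ip"], b["gw"], b["net"])
    return fwd, rev, fwd == rev[::-1]

vlan7_host = {"ip": "172.16.7.2", "gw": "172.16.7.254", "net": "172.16.7.0/24"}
before = {"ip": "172.16.5.41", "gw": "172.16.5.1", "net": "172.16.5.0/24"}
after = dict(before, gw="172.16.5.254")

for name, host in (("before", before), ("after", after)):
    print(name, ping_paths(vlan7_host, host))
```

With gateway 172.16.5.1 the request crosses only the switch while the reply goes through the router first; with 172.16.5.254 both directions cross only the switch. A stateful filter on the router would see only the reply half of the asymmetric flow.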

  • Not sure which was your question about ping.. but I assume you meant.

     

    Hosts in VLAN 7 and 8 can ping VLAN 1 addresses but only: 172.16.5.1 (router/gateway) and VLAN1 interface (172.16.5.254). When I try to ping DHCP 172.16.5.2 i had request timed out.

     

    Ping is not really a switch issue here.  Ping within a VLAN or across VLANs uses the same principle here.  Verify the ARP table shows an entry for 172.16.5.2 on the VLAN.  Additionally, you are able to get DHCP from that server on VLAN 7 and 8, indicating clearly that you have communication possibility from the server to VLAN 1 (relay agent is switch VLAN 1 routing address since your server is on VLAN 1)

     

    show arp 

     

    If ARP is there then ping is being blocked at the server level.  Since you can reach both the gateway and VLAN 1 interface from other VLANs but not the DHCP, your issue will then likely be limited to one of the following:

    1. Your server has a firewall that only trusts the VLAN 1 network or blocks incoming ICMP

    2. You have misconfigured the whole thing.. see below for basic implementation.

     

    Also, you don't need to move the management VLAN to 500 in order to use VLAN 1.  You can configure routing on the VLAN 1 interface; by default all routing interfaces will allow access to the switch via telnet, ssh, http, https.  You will need to configure an ACL to limit access to specific source addresses only if you want to prevent this.

     

    Here is sample configuration to help you out based on diagram you provided.  You can clear config and paste this to enable prompt on the switch via USB or serial console if you like.  Or download the txt configuration and read it and see what you did wrong, or pm it to me and I will correct it.  !!! are comments

     

    !!! We create vlan and enable routing on them
    vlan database
    vlan 1, 7, 8
    vlan routing 1
    vlan routing 7
    vlan routing 8
    exit
    !!! enter global config mode
    config
    !!! enable DHCP relay UDP ip helper service
    ip helper enable
    !!! enable global routing which can be static or rip or ospf or bgp depending on switch
    ip routing
    !!! add default route to send all traffic to firewall router for internet
    ip route 0.0.0.0 0.0.0.0 172.16.5.1
    !!! configure vlan 1 routing interface
    interface vlan 1
    ip address 172.16.5.254 255.255.255.0
    exit
    !!! configure vlan 7 and enable dhcp request to be relayed to dhcp server for this vlan only
    interface vlan 7
    ip address 172.16.7.254 255.255.255.0
    ip helper-address 172.16.5.2 dhcp
    exit
    !!! configure vlan 8 and enable dhcp request to be relayed to dhcp server for this vlan only
    interface vlan 8
    ip address 172.16.8.254 255.255.255.0
    ip helper-address 172.16.5.2 dhcp
    exit
    !!! configure interface port 1 to vlan 1 which is your internet and dhcp vlan at this time.  No need to tag it for other vlan as router won't know how to treat that data instead it should be routed to router address by switch

    interface 0/1
    description "Port to Router"
    vlan pvid 1
    vlan participation include 1
    exit

    !!! DHCP does not need to vlan 7 or 8.  DHCP UDP relay service on switch will send DHCP request via routing from source 172.16.5.254 address to the dhcp server.  the server will then send the offer packet via relay address 172.16.5.254.  As such the dhcp server does not need to be present on vlan 7 or 8 locally.

    interface 0/2
    description "Port to DHCP Server"
    vlan pvid 1
    vlan participation include 1
    exit

    interface 0/7
    description "access port vlan 7"
    vlan pvid 7
    vlan participation include 7
    vlan participation exclude 1
    exit

    interface 0/8
    description "access port vlan 8"
    vlan pvid 8
    vlan participation include 8
    vlan participation exclude 1
    exit

    exit
    save
    y

     

    _-----------------------------------_

    Now log into your firewall router and configure static routes for VLAN 7 and 8 to send traffic back to the switch.  Since the firewall is 172.16.5.1 it needs to send traffic to 172.16.5.2 when the destination IP is either VLAN 7 or 8.   On the switch we are sending all traffic to the firewall when the destination is not 5.x, 7.x, or 8.x

     

    Network | Mask | Gateway
    172.16.7.0 | 255.255.255.0 | 172.16.5.2
    172.16.8.0 | 255.255.255.0 | 172.16.5.2

     

    _-----------------------------------_

    Log into your DHCP and create a pool for VLAN 7 and 8 with Gateway value of 172.16.x.254 where x is 7 or 8 depending on pool.  DNS can be whatever you have.

     

    ------------------------------------

    You don't need to do tagging of VLAN 7 or 8 or participation of those VLANs to get internet to those VLANs, as this is now taken care of by routing.   You can tag the port going to another switch for VLAN 7 and 8 if you are creating a trunk link where the other switch is aware of VLAN 7 and 8 and will have ports for those VLANs.  See example below.  The other switch will need to be VLAN capable.   Plus and above switches can do basic VLANs.

     

    interface 0/6
    description "Trunk port to another vlan aware switch"
    vlan participation include 1,7,8
    vlan tagging 7,8
    exit

     

     

     

    Hope this is useful.

     

    • chfascik
      Tutor

      Jedi_Exile - thanks for reply.

       

      I made the configuration as you described. Here is the show running-config. I added only VLAN 7 and changed the uplink ports (port 1 is to DHCP, port 26 is uplink to router). Changed switch to M4100-26G.

       

      Of course interface 0/1 is:

      interface 0/1

      vlan pvid 1

      vlan participation include 1

       

      vlan database
      vlan 7
      vlan routing 1 1
      vlan routing 7 3
      exit
      
      configure
      time-range
      ip route 0.0.0.0 0.0.0.0 172.16.5.1
      ip helper enable
      ip helper-address 172.16.5.2 dhcp
      line console
      exit
      
      line telnet
      exit
      
      line ssh
      exit
      
      !
      
      interface 0/1
      description 'Port to DHCP Server'
      exit
      
      interface 0/7
      description 'access port vlan 7'
      vlan pvid 7
      vlan participation exclude 1
      vlan participation include 7
      exit
      
      interface 0/26
      description 'Port to Router'
      exit
      
      interface vlan 1
      routing
      ip address 172.16.5.254 255.255.255.0
      exit
      
      interface vlan 7
      routing
      ip address 172.16.7.254 255.255.255.0
      exit
      
      service dhcp
      exit

      Also I changed router and DHCP server configuration.

      Here is static routes on router

      router.png

       

      And DHCP server settings

      nas.png

      And when I did that, the host in VLAN 7 can't get an IP address. From the VLAN 7 host I can't ping any host in VLAN 1 (gateway, clients, DHCP server).

       

      and here is "show arp" from switch:


      (M4100-26G) #show arp
      
      Age Time (seconds)............................. 1200
      Response Time (seconds)........................ 10
      Retries........................................ 10
      Cache Size..................................... 509
      Dynamic Renew Mode ............................ Enable
      Total Entry Count Current / Peak .............. 7 / 7
      Static Entry Count Configured / Active / Max .. 0 / 0 / 16
      
        IP Address        MAC Address      Interface        Type        Age
      ---------------  -----------------  --------------  --------  -----------
      172.16.5.1       00:11:32:72:34:B4  vlan 1          Gateway    0h  0m 19s
      172.16.5.2       00:11:32:55:A3:1E  vlan 1          Dynamic    0h  3m 57s
      172.16.5.40      00:00:00:00:00:00  vlan 1          Dynamic    0h  0m  4s
      172.16.5.41      E4:A4:71:90:95:A2  vlan 1          Dynamic    0h  0m 52s
      172.16.5.254     C0:FF:D4:AC:67:98  vlan 1          Local         n/a
      172.16.7.2       C8:5B:76:3A:2F:ED  vlan 7          Dynamic    0h  0m  4s
      172.16.7.254     C0:FF:D4:AC:67:98  vlan 7          Local         n/a

       

      And if I change the static route gateway to 172.16.7.254 for VLAN 7, I can ping gateway 172.16.5.1 and other hosts in VLAN 1 (172.16.5.0/24) but not 172.16.5.2 (I disabled the firewall on the DHCP server).

       

      • chfascik
        Tutor

        ... error. Can ping from VLAN7 only hosts in VLAN1 which are connected to router (gateway) WiFi :( When I connect host to M4100 to VLAN 1 I can't ping it from VLAN 7
