Forum Discussion

Aspirant

Aug 18, 2017

Solved

GS510TLP inter vlan

How do you configure the GS510TP for inter vlan communication. I am new to VLANs, I have a single GS510TPL. How do I configure 3 VLAN to create 3 separate networks which can communicate on the ...

Hardware

Installation

Hopchen
Aug 18, 2017
Hi,

I have tried to outline for you, what you need to do.

1. You must add an IP addresses to each of your VLAN interfaces under "Routing" --> "VLAN" --> "VLAN Routing". You have to create the VLANs first. I think you have already do this?

2. Static routes needs to be done on your Internet router for Internet access to these VLANs. You need static on your router so that the router can be made aware of the networks on the switch.

3. You need a DHCP server in each VLAN as your switch does not support DHCP relay from what I know. You cannot do the DHCP from the router as it will not be aware of the VLANs on your switch and the switch itself can't do DHCP server either, I think. The alternative is of course static IP addresses. That will work, but that is a pain for a large network.

Here is an example of a config. I am using your 3 VLANs for explanation + a VLAN used for routing to the Internet (VLAN 99). I have left VLAN 1 alone here.
VLAN 10 = 192.168.0.0 /24
VLAN 20 =172.16.20.0 /24
VLAN 30 = 192.168.77.0 /24
VLAN 99 = 192.168.99.252 /30

Router IP: 192.168.99.254 /30

Switch VLAN interface IPs (set these under: "Routing" --> "VLAN" --> "VLAN Routing").
Routing VLAN 99 IP: 192.168.99.253 /30
VLAN 10 IP: 192.168.0.250 /24
VLAN 20 IP: 172.16.20.250 /24
VLAN 30 IP: 192.168.77.250 /24

- Go to the routing table of the switch ("Routing" --> "Routing Table") and set the default gateway for the switch to: 192.168.99.254
- Turn on "Routing Mode" on the switch, under "Routing" --> "IP".
- Devices in VLAN 10 must have and IP of 192.168.0.x, with a default gateway address of: 192.168.0.250
- Devices in VLAN 20 must have and IP of 172.16.20.x, with a default gateway address of: 172.16.20.250
- Devices in VLAN 30 must have and IP of 192.168.77.x, with a default gateway address of: 192.168.77.250
- On the switch port that connects to the router, you want to untag that port for VLAN 99 and set a PVID of 99.
- On the switch ports that connects to VLAN 10 common non VLAN-aware devices, you want to untag those ports for VLAN 10 and set PVID of 10.
- On the switch ports that connects to VLAN 20 common non VLAN-aware devices, you want to untag those ports for VLAN 20 and set PVID of 20.
- On the switch ports that connects to VLAN 30 common non VLAN-aware devices, you want to untag those ports for VLAN 30 and set PVID of 30.

On the router you need to set static routes back to the subnets that the router is not aware of: 192.168.0.0 /24 and 172.16.20.0 /24 and 192.168.77.0 /24

So, three static routes in total on the router. They should look like this.
Destination network: 1192.168.0.0
Subnet mask: 255.255.255.0
Gateway/Router/Next Hop: 192.168.99.253

Destination network: 172.16.20.0
Subnet mask: 255.255.255.0
Gateway/Router/Next Hop: 192.168.99.253

Destination network: 192.168.77.0
Subnet mask: 255.255.255.0
Gateway/Router/Next Hop: 192.168.99.253

Hope that makes sense. Else let me know :)

Cheers

mrmabmn

Aspirant

Aug 24, 2017

mrmabmn wrote:
Yes, the mirroring was turned on, mirror from Port 2 to Port 7

OK, I am seeing packets, but the filter does not capture anything while pinging

I have tried ip.addr==192.168.1.1 || ip.addr==8.8.8.8 && icmp and (ip.addr==192.168.1.1||ip.addr==8.8.8.8) && icmp, here are two screen shots, the first without filter, the second with the filter (ip.addr==192.168.1.1||ip.addr==8.8.8.8) && icmp, I have an ongoing ping from the computer on VLAN30

Hopchen

Prodigy

Aug 24, 2017

Hi,

It looks like the traffic you see (without any filter) is indeed VLAN 99 traffic, meaning that the port mirror is working.

You said that you tried to ping and saw nothing in wireshark. Did the ping work, from the PC in VLAN 30 (port 8)? It should work to 192.16.1.1 (and not work to 8.8.8). So, when you pinged 192.168.1.1 - did you get reply?

Try instead a less restrive filter. Type: icmp
and hit "Enter"

Then ping 192.168.1.1 and 8.8.8.8 (respectively) from the VLAN 30 PC.

As a control test, also take a PC in VLAN 99 (port 3-4) and ping 192.168.1.1 and 8.8.8.8 (respectively) - just to see if wireshark on PC in port 7 picks it ups.

And of course let wireshark run, while you are pinging. Ping at the same time as wireshark captures. I think that is what you did already?

Cheers

mrmabmn
Aspirant
Aug 24, 2017
Good day Hopchen,

Sorry about the lack of detail, the ping to 192.168.1.1 from VLAN30 was successful, but nothing was visible on wireshark. The ping to 8.8.8.8 from VLAN30 was NOT successful, again nothing visible on wireshark.

I set the filter to icmp only, and pinged both 192.168.1.1 and 8.8.8.8 from VLAN30 and nothing was visible on wireshark. The ping to 192.168.1.1 was successful, the ping to 8.8.8.8 was NOT successful.

Pinging 192.168.1.1, 192.168.1.250, and 8.8.8.8 from a computer on the VLAN99 (192.168.1.x) with the wireshark filter set to icmp on Port 7 was successful to each address; however NOTHING was visible on Wireshark.
Hopchen
Prodigy
Aug 24, 2017
Hi,

Hmmm....

You are pinging correctly, so that is good. We should see that traffic is wireshark.
I am wondering why Wireshark is not picking it up. I think your port mirror is OK.

Do a quick control test.
- Plug the PC in port 7, into port 6 (still VLAN20).
- Start wireshark capture on that PC, with the filter: icmp
- Then Ping 172.16.20.250 and 192.168.1.1 and 8.8.8.8.

Do you see anything in Wireshark. If not, you must be capturing with the wrong interface. Also try and see if you see the pings with no filter on.

Let me know.
Thanks
mrmabmn
Aspirant
Aug 24, 2017
Hello,

I moved the wireshark PC from port 7 to port 6. I successfully pinged 192.168.1.1 and 172.16.20.250, but was not successful pinging 8.8.8.8 from that PC. I have attached a screen shot of the ping results which are visible in the ICMP filter of Wireshark. So yes, the wireshark is working, and I am getting results with the wireshark on port6.
Hopchen
Prodigy
Aug 24, 2017
Hi,

Thanks for that! So, Wireshark is running correctly and you are capturing using the correct interface. That is good!

Maybe it is the port mirror then afterall. Can you do a screenshot of the port mirror page? So I can see the setup you did?

Thanks!
mrmabmn
Aspirant
Aug 24, 2017
GS510TLP mirror configurationSure, I should have done this originally.
Hopchen
Prodigy
Aug 24, 2017
Hey,

Yeah, that looks good as well. I wonder why Wireshark is not picking anything up???

Can you check that "promiscuous" is enabled in Wireshark? Go to "Capture" --> "Options" --> make sure the box is ticked for: "Enable promiscuous mode on all interfaces".

Can we try again with the capture in port 7 - doublechecking that promiscuous is enabled in Wireshark?

I really have a hard time understanding what is wrong here, why the capture is not working when plugged into port 7??? If that still does not work, I need to try and see if I can somehow "break" my port mirror to make it act yours! Cause I really don't see why this is not working.

Is the switch on the latest fw? Sorry if I asked already, long thread, lol.
mrmabmn
Aspirant
Aug 24, 2017

Here is a trace from VLAN30, to 8.8.8.8, 192.168.1.1, 172.16.20.250 with the wireshark PC on port 7. The only ping which was not successful from the VLAN30 is the ping to IP address 8.8.8.8.

My switch was on firmware revision 6.6.2.6 it is now at 6.6.2.8
mrmabmn
Aspirant
Aug 24, 2017
Here is a better wireshark capture of the ping from VLAN30 computer to 192.168.1.1, 172.16.20.250, and 8.8.8.8. There was no successful ping on 8.8.8.8
Hopchen
Prodigy
Aug 25, 2017
Hi again,

Thank you for those screenshots! The port mirror is working now :)

So, it basically just confirms what I thought was the issue: the Nighthawk.

The packet capture clearly shows that if a VLAN 30 device (or VLAN 20 device for that matter - would be the same result) pings the LAN interface of the Nighthawk (192.168.1.1) then the Nighthawk uses its static routes to find the way back to the PC. However, for some reason, the Nighthawk is not using those static routes when Internet traffic returns.

The switch does its job = sends the traffic the Nighthawk, but some traffic never returns. This not an issue on the switch or with your config :)

The packet capture was really just to prove the theory. I am sorry I cannot help you further because I cannot explain why the Nighthawk won't use the configured static routes for the return of Internet traffic.

You have a clear case here now. My suggestion is to raise this to Netgear and let them see why this behaviour happens.

Please keep us posted. Interesting case. Good luck and thanks for co-operation!
mrmabmn
Aspirant
Aug 25, 2017
Good morning,

I appreciate ALL OF YOUR HELP and PATIENCE.
You have validated my configuration and verified everything for me. I will reach out to Netgear about the Nighthawk and see why the static routes are not working. I could not have completed this without your help. Thank you.

Have a good one.
Hopchen
Prodigy
Aug 25, 2017
Hey again,

No problem at all :)

And do please keep us updated. Will be interesting to see what happens next!

Have a good weekend. Cheers!