NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
VLAN Routing for Newbies
Howdy All,
I've recently decided to install a GS752 switch in our offices to segregate traffic to help with security. I've run into a problem that I'm hoping someone can help me with (to keep things simple I'll just go over what VLAN 1 and VLAN 10 look like):
VLAN1 - is fine. Systems attached get IP addresses from DHCP server, and can reach the internet.
All ports are Untagged "U" in the port membership image. (Port 1-10)
VLAN10 - doesn't work. No DHCP traffic through and no access to the internet even when using a static IP address in range.
All ports are Untagged "U" in the port membership image. (Port 1, 11-20)
My setup is:
Broadband Router -> Firewall -> GS752 -> VLANS as follow:
VLAN 1 - NAS, DNS Server, DHCP Server, Wifi APs
VLAN 10 - PCs
How do I allow DHCP and DNS to service VLAN1 and VLAN 10, as well others?
12 Replies
How do I allow DHCP and DNS to service VLAN1 and VLAN 10, as well others?
For DHCP, you need to set up a relay service. There is a guide (example) here:
Though the KB article is for different switches, you should see similar screens on the GS752 (they are there on the GS728).
Standard DNS doesn't use broadcast. so you wouldn't need a relay. Of course you do need to make sure packets on VLAN10 can be routed to the DNS IP address.
VLAN10 - doesn't work. No DHCP traffic through and no access to the internet even when using a static IP address in range.
Internet access should be working with a static IP, so something else is wrong. Is VLAN10 set up to reach the firewall?
Configuring IPv4 shortcut routing isn't more than enabling IPv4 routing in that switch class.
These switches with IPv4 routing enabled use a technique often referred to as "cut-through switching" or "hardware-based forwarding" to speed up IPv4 routing, which acts as a "shortcut" compared to traditional, software-based routing. This process is more accurately called multilayer switching or IP switching.
The need to define a Switched Virtual Interfaces (SVIs) for each of the VLANs and IP subnets attached that need to communicate, acting as their default gateways depends on the exact switch model and the effectively supported higher level routing protocols (like OSPF or RIP) or static routes to advertise reachability to other Layer 3 devices.
To my knowledge, these SVI config is mainly required on the Netgear Managed Switches, but often not on the Netgear Smart Managed Switches like the subject GS752 (unspecified model - and version, there exist about 15 or 20 different models) in absence of the support for other higher level routing protocols or subnet local SNMP for example.
Said that, systems on these IPv4 subnets will never "see" a dedicated default gateway like where SVIs are configured. This makes things very confusing for the devices on the subnet different from the management subnet - you can't quickly ping or thest the default gateway.
StephenB the router LAN IP does not need to be "reachable" in the VLAN 10 for shortcut routing, the switch does the routing over the switch management VLAN as configured. This is the only requirement.
the router LAN IP does not need to be "reachable" in the VLAN 10 for shortcut routing, the switch does the routing over the switch management VLAN as configured.
Thx for the explanation of IP switching. My own GS728TPv2 has a routing mode, but it is not enabled (my vlans are connected to different routers). So not something I have explored.
FWIW, I am thinking that getting more information on the firewall and how the switch connections to it are set up would be useful.
If it has enough LAN ports, then setting up one on VLAN10 should give him internet connectivity. If not, he should be able to put the fireware switch connection on all the VLANs (leaving tagging on for that port). Also I am thinking that there is likely a relay service there that might eliminate the need to set up the relay in the switch.
Thanks for everything so far. Access to the switch again today at the home office. Attached are my SVIs (one for each VLAN) and my routing table (including the default route).
Here's my current test system diagram (crude but relatively accurate). The Network Server can get to the internet, and inbound traffic (filtered and hoppped) makes it in. My PC works (writing this from it). The Test PC is connected, link light is on (10/100 old device but still) the switch, cannot get a DHCP address, cannot get to the internet with a manually configured address.
Just a test if this wonderful SaaS platform does accept images todes (it didn't the lest two or three days)
Still fails. Says "Media upload in progress" "Try again in a few moments" but returns to the edit window after no success.
Wonder who is in charge these days for this community platform - after the always helpful ChristineT was laid off?
Cannot attach images, so I'll try text instead:
SVIs
VLAN Port MAC Address IP Address Subnet Mask Routing
Mode1 vlan 1 38:94:ED:84:13:84 10.1.10.10 255.255.255.0 Enable 10 vlan 10 38:94:ED:84:13:84 10.1.50.1 255.255.255.0 Enable 20 vlan 20 38:94:ED:84:13:84 10.1.60.1 255.255.255.0 Enable 30 vlan 30 38:94:ED:84:13:84 10.1.70.1 255.255.255.0 Enable
RoutesNetwork Address Subnet Mask Protocol Route Type Next Hop Interface Next Hop Address Preference Metric 0.0.0.0 0.0.0.0 Default Static vlan 1 10.1.10.1 1 0 10.1.10.0 255.255.255.0 Local Connected vlan 1 10.1.10.10 0 0 10.1.50.0 255.255.255.0 Local Connected vlan 10 10.1.50.1 0 0 10.1.60.0 255.255.255.0 Local Connected vlan 20 10.1.60.1 0 0 Test Set up
GS752Tv2
- Port 1, VLAN 1 - attached to external
- Port 2&3, VLAN 1 - DHCP/DNS/NAS
- Port 5, VLAN 1 - My PC (writing this, works)
- Port 13, VLAN10 - Test PC
- No DHCP traffic, but I see the "Trusted Client Messages Without Opt82" incrementing
- With a manually configured IP, I can see 10.1.50.1, but nothing beyond the
Cannot attach images, so I'll try text instead:
Yes, this appears to be an SaaS problem for some days now...
Another QUICK question:
ALL of my ports in ALL VLANS are "U"ntagged.
VLAN 1 - U - Ports 1-10
VLAN 10 - U - Ports 1, 11-25
VLAN 20 - U - Ports 1, 27-39
VLAN 30 - U - Ports 41-47 (Isolated)
ALL of my ports in ALL VLANS are "U"ntagged.
VLAN 1 - U - Ports 1-10
VLAN 10 - U - Ports 1, 11-25
VLAN 20 - U - Ports 1, 27-39This looks like a highly illegal configuration to me. The same port 1 can't be in multiple VLANs as [U]ntagged.
Do you expect that any outgoing frames for all these VLAN 1, 10, and 20 can come out of the port 1?
What have you set for the PVID defining the VLAN where incoming frames to port 1 will be assigned to?
This looks to me like an asymmetric VLAN config - something Netgear does not support at all.
Thanks for the reply... in re-visiting some of my pre-planning documentation I found that yes, the port SHOULDN'T be assigned... Changes below to simplify and help me....
VLAN 1 - Ports 1&2 [Port 1 - 10.1.10.10, Port 2 - Empty]
VLAN 10 - Ports 3-10 [10.0.10.0/255.255.255.0]
VLAN 20 - Ports 11-26 [10.0.20.0/255.255.255.0]
VLAN 30 - Ports 27-39 [10.0.30.0/255.255.255.0]
VLAN 40 - Ports 40-52 [10.0.40.0/255.255.255.0]
I've got the switch reconfigured and this seems to be working that VLAN1 can see things, but still haven't gotten traffic from VLAN 10, 20, or 30 to reach OUTSIDE of the switch. I've crated ACLs under security following a Netgear article, but no change..
What I'm trying to get now is as follows:
VLAN 1 & 10 - External DHCP from the Firewall to be "Internal DMZ"-esque
- This works on VLAN 1 but not to VLAN10
VLAN 20 - Routing through VLAN 1 or 10 to the outside world
- Also routing to VLAN 30 as I will be connecting from my system to the classroom systems for maintenance
VLAN 30 - Routing through VLAN 1 or 10 to the outside world
VLAN 40 - Only local traffic, cordoned off if I need a test environment
If anyone can help me
Another update:
From my test PC, manually configured IP address (DHCP relay still not working) I can ping the VLAN10, VLAN20, and VLAN1 SVIs but not the VLAN30. VLAN 30 doesn't share port 1, so I assume that's the reason.
I can still not ping the firewall BEYOND the switch, however.
Update: DHCP relay is working as expected, but routing still is not.
I have configured VLAN 10 & 20, in addition to leaving VLAN 1 in place. (Typing everything out as images are still failing to work)
VLAN 1 Port Membership: Ports 1-6 - "U"
VLAN 20 Port Membership (configured PER Netgear Article): Port 1 - "T", Ports 11-23 "U"
https://kb.netgear.com/30919/How-to-configure-VLANs-with-shared-access-to-the-Internet-on-a-NETGEAR-Easy-Smart-Managed-Switch-with-a-traditional-UI
Routing Table:
Network Address Subnet Mask Protocol Route Type Next Hop Interface Next Hop Address Preference Metric 0.0.0.0 0.0.0.0 Default Static vlan 1 10.1.10.1 1 0 10.0.10.0 255.255.255.0 Local Connected vlan 10 10.0.10.1 0 0 10.0.20.0 255.255.255.0 Local Connected vlan 20 10.0.20.1 0 0 I am manually configuring the IPV4 status on a system attached to port 13, VLAN20, to 10.0.20.11/255.255.255.0 with a default rout of 10.0.20.1
I cannot ping the 10.0.20.1 interface, nor can I route or see anything beyond the interface.
If anyone can, please help!!
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
