
Re: M4100-D12G VLAN routing - ping VLAN1

chfascik
Tutor

M4100-D12G VLAN routing - ping VLAN1

Hi,

 

I have a simple lab network:

netgear.jpg

 

Router, switch M4100, external DHCP server and 2 hosts.

I am trying to set up 2 VLANs and inter-VLAN routing.

 

1. set static routing on router (172.16.5.1):

a) for VLAN 7: 172.16.7.0/24 GW: 172.16.5.254

b) for VLAN 8: 172.16.8.0/24 GW: 172.16.5.254

 

2. on switch M4100: move management VLAN to 500 so I have free VLAN 1 and can set routing

a) set VLAN 7 and VLAN 8. Add port to VLAN: port 7 to VLAN 7, Untagged. Add port to VLAN: port 8 to VLAN 8 Untagged. Add port 1 (uplink to router) Tagged for VLAN 7 and 8. Add port 2 Tagged for VLAN 7 and 8.

b) set VLAN routing and routing table - screenshot below

1routing.png

2_vlanrouting.png

3. Set DHCP relay (UDP relay) on switch to 172.16.5.2 and set DHCP Pool for VLAN7 and VLAN8 on external DHCP server.

 

And now....

1. Hosts in VLAN 7, 8 get IP from DHCP, get DNS, get GW

2. Hosts in VLAN 7 and VLAN 8 ping each other and ping VLAN 7 and VLAN 8 interface

3. Hosts in VLAN 7 and VLAN 8 have access to internet

4. Hosts in VLAN 1 ping hosts in VLAN 7 and VLAN 8.

5. Hosts in VLAN 7 and 8 can ping VLAN 1 addresses but only: 172.16.5.1 (router/gateway) and VLAN1 interface (172.16.5.254). When I try to ping DHCP 172.16.5.2 I get a request timed out.

 

What did I forget to do, or what did I do wrong? 😉

 

 

Model: M4100-D12G (GSM5212)|ProSAFE 12-port Gigabit Fully Managed L2 Switch
Message 1 of 9

Accepted Solutions
DaneA
NETGEAR Employee Retired

Re: M4100-D12G VLAN routing - ping VLAN1

Hi chfascik,

 

Kindly click on this article and it might help.  Kindly use it as your guide.

 

 

Regards,

 

DaneA

NETGEAR Community Team

View solution in original post

Message 2 of 9

All Replies
Jedi_Exile
NETGEAR Expert

Re: M4100-D12G VLAN routing - ping VLAN1

Not sure which was your question about ping, but I assume you meant:

 

Hosts in VLAN 7 and 8 can ping VLAN 1 addresses but only: 172.16.5.1 (router/gateway) and VLAN1 interface (172.16.5.254). When I try to ping DHCP 172.16.5.2 i had request timed out.

 

Ping is not really a switch issue here.  Ping within a VLAN or across VLANs uses the same principle here.  Verify the ARP table shows an entry for 172.16.5.2 on vlan.  Additionally, you are able to get DHCP from that server on VLAN 7 and 8, indicating clearly that you have communication possibility from the server to VLAN 1 (relay agent is switch VLAN 1 routing address since your server is on VLAN 1).

 

show arp 

 

If ARP is there then ping is being blocked at the server level.  Since you can reach both the gateway and the VLAN 1 interface from the other VLAN but not the DHCP, your issue will then likely be limited to one of the following:

1. Your server has a firewall that only trusts the VLAN 1 network or blocks incoming ICMP

2. You have misconfigured the whole thing.. see below for a basic implementation.

 

Also, you don't need to move the management VLAN to 500 in order to use VLAN 1.  You can configure routing on the VLAN 1 interface; by default all routing interfaces will allow access to the switch via telnet, ssh, http, https.  You will need to configure an ACL to limit access to specific source addresses only if you want to prevent this.

 

Here is a sample configuration to help you out based on the diagram you provided.  You can clear config and paste this at the enable prompt on the switch via USB or serial console if you like.  Or download the txt configuration and read it and see what you did wrong, or pm it to me and I will correct it.  !!! are comments

 

!!! We create vlan and enable routing on them

vlan database

vlan 1, 7, 8

vlan routing 1

vlan routing 7

vlan routing 8

exit

!!! enter global config mode

config

!!! enable DHCP relay UDP ip helper service

ip helper enable

!!! enable global routing which can be static or rip or ospf or bgp depending on switch

ip routing

!!! add default route to send all traffic to firewall router for internet

ip route 0.0.0.0 0.0.0.0 172.16.5.1

!!! configure vlan 1 routing interface

interface vlan 1

ip address 172.16.5.254 255.255.255.0

exit

!!! configure vlan 7 and enable dhcp request to be relayed to dhcp server for this vlan only

interface vlan 7

ip address 172.16.7.254 255.255.255.0

ip helper-address 172.16.5.2 dhcp

exit

!!! configure vlan 8 and enable dhcp request to be relayed to dhcp server for this vlan only

interface vlan 8

ip address 172.16.8.254 255.255.255.0

ip helper-address 172.16.5.2 dhcp

exit

!!! configure interface port 1 to vlan 1 which is your internet and dhcp vlan at this time.  No need to tag it for other vlan as router won't know how to treat that data instead it should be routed to router address by switch

 

 

interface 0/1

description "Port to Router"

vlan pvid 1

vlan participation include 1

exit

 

!!! The DHCP server does not need to be on vlan 7 or 8.  The DHCP UDP relay service on the switch will send the DHCP request via routing from source 172.16.5.254 address to the dhcp server.  The server will then send the offer packet via relay address 172.16.5.254.  As such the dhcp server does not need to be present on vlan 7 or 8 locally.

 

interface 0/2

description "Port to DHCP Server"

vlan pvid 1

vlan participation include 1

exit

 

interface 0/7

description "access port vlan 7"

vlan pvid 7

vlan participation include 7

vlan participation exclude 1

exit

 

interface 0/8

description "access port vlan 8"

vlan pvid 8

vlan participation include 8

vlan participation exclude 1

exit

 

exit

save

y

 

_-----------------------------------_

Now log into your firewall router and configure static routes for VLAN 7 and 8 to send traffic back to the switch.  Since the firewall is 172.16.5.1 it needs to send traffic to 172.16.5.2 when the destination IP is either vlan 7 or 8.   On the switch we are sending all traffic to the firewall when the destination is not 5.x, 7.x, or 8.x

 

Network | Mask | Gateway

172.16.7.0 255.255.255.0 172.16.5.2

172.16.8.0 255.255.255.0 172.16.5.2

 

_-----------------------------------_

Log into your DHCP and create a pool for VLAN 7 and 8 with Gateway value of 172.16.x.254 where x is 7 or 8 depending on pool.  DNS can be whatever you have.

 

------------------------------------

You don't need to do tagging of VLAN 7 or 8 or participation of those VLANs to get internet to those VLANs, as this is now taken care of by routing.   You can tag the port going to another switch for VLAN 7 and 8 if you are creating a trunk link where the other switch is aware of VLAN 7 and 8 and will have ports for those VLANs.  See example below.  The other switch will need to be VLAN capable.   Plus and above switches can do basic VLANs.

 

interface 0/6

description "Trunk port to another vlan aware switch"

vlan participation include 1,7,8

vlan tagging 7,8

exit

 

 

 

Hope this is useful.

 

Message 3 of 9
chfascik
Tutor

Re: M4100-D12G VLAN routing - ping VLAN1

Jedi_Exile - thanks for reply.

 

I made the configuration as you described. Here is the show running-config. I added only VLAN 7 and changed the uplink ports (port 1 is to DHCP, port 26 is uplink to router). Changed switch to M4100-26G.

 

Of course interface 0/1 is:

interface 0/1

vlan pvid 1

vlan participation include 1

 

vlan database
vlan 7
vlan routing 1 1
vlan routing 7 3
exit

configure
time-range
ip route 0.0.0.0 0.0.0.0 172.16.5.1
ip helper enable
ip helper-address 172.16.5.2 dhcp
line console
exit

line telnet
exit

line ssh
exit

!

interface 0/1
description 'Port to DHCP Server'
exit

interface 0/7
description 'access port vlan 7'
vlan pvid 7
vlan participation exclude 1
vlan participation include 7
exit

interface 0/26
description 'Port to Router'
exit

interface vlan 1
routing
ip address 172.16.5.254 255.255.255.0
exit

interface vlan 7
routing
ip address 172.16.7.254 255.255.255.0
exit

service dhcp
exit

I also changed the router and DHCP server configuration.

Here are the static routes on the router

router.png

 

And DHCP server settings

nas.png

And when I did that, the host in VLAN 7 can't get an IP address. From the VLAN 7 host I can't ping any host in VLAN 1 (gateway, clients, DHCP server).

 

and here is "show arp" from switch:


(M4100-26G) #show arp

Age Time (seconds)............................. 1200
Response Time (seconds)........................ 10
Retries........................................ 10
Cache Size..................................... 509
Dynamic Renew Mode ............................ Enable
Total Entry Count Current / Peak .............. 7 / 7
Static Entry Count Configured / Active / Max .. 0 / 0 / 16

  IP Address        MAC Address      Interface        Type        Age
---------------  -----------------  --------------  --------  -----------
172.16.5.1       00:11:32:72:34:B4  vlan 1          Gateway    0h  0m 19s
172.16.5.2       00:11:32:55:A3:1E  vlan 1          Dynamic    0h  3m 57s
172.16.5.40      00:00:00:00:00:00  vlan 1          Dynamic    0h  0m  4s
172.16.5.41      E4:A4:71:90:95:A2  vlan 1          Dynamic    0h  0m 52s
172.16.5.254     C0:FF:D4:AC:67:98  vlan 1          Local         n/a
172.16.7.2       C8:5B:76:3A:2F:ED  vlan 7          Dynamic    0h  0m  4s
172.16.7.254     C0:FF:D4:AC:67:98  vlan 7          Local         n/a

 

And if I change the static route gateway to 172.16.7.254 for VLAN 7, I can ping gateway 172.16.5.1 and other hosts in VLAN 1 (172.16.5.0/24) but not 172.16.5.2 (I disabled the firewall on the DHCP server).

 

Message 4 of 9
chfascik
Tutor

Re: M4100-D12G VLAN routing - ping VLAN1


@DaneA wrote:

Hi chfascik,

 

Kindly click on this article and it might help.  Kindly use it as your guide.

 

 

Regards,

 

DaneA

NETGEAR Community Team


thanks DaneA - I'll try to read and configure it.

Message 5 of 9
chfascik
Tutor

Re: M4100-D12G VLAN routing - ping VLAN1

... error. From VLAN 7 I can ping only hosts in VLAN 1 that are connected to the router (gateway) WiFi 😞 When I connect a host to the M4100 in VLAN 1, I can't ping it from VLAN 7.

Message 6 of 9
chfascik
Tutor

Re: M4100-D12G VLAN routing - ping VLAN1


@DaneA wrote:

Hi chfascik,

 

Kindly click on this article and it might help.  Kindly use it as your guide.

 

 

Regards,

 

DaneA

NETGEAR Community Team


DaneA, I made exactly the same configuration as described in your link.

 

Setup VLAN routing

Setup static routing

Setup default route

Setup DHCP server.

 

1. DHCP server (located in VLAN 1) gives IP addresses to all VLAN 7 and VLAN 8 clients.

2. I can ping from VLAN 1 to VLAN 7 and 8 VLAN interface and clients

3. I can ping from VLAN 7 to VLAN 8 VLAN interface and clients

4. I can ping from VLAN 7 to VLAN 1 interface (172.16.5.254)

5. I can ping from VLAN 7 to router/gateway (172.16.5.1) located in VLAN 1

6. I can't ping any host connected to VLAN 1 on the switch.

7. I can ping from VLAN 7 WiFi clients connected to router (client addresses 172.16.5.x/24).

 

The only problem is with traffic from VLAN 7 and 8 to VLAN 1 clients connected to VLAN 1 on switch ports.

 

I tried this on M4100-D12G and M4100-26G. The same result. 😞

Message 7 of 9
chfascik
Tutor

Re: M4100-D12G VLAN routing - ping VLAN1

Sorry for forum spam but I solved the problem.

What was wrong? The gateway IP address on the DHCP server for VLAN 1 and on all clients connected to the switch on VLAN 1 ports. So I had to change the Default Gateway for the 172.16.5.x/24 network from 172.16.5.1 to 172.16.5.254 and now it works fine.

 

Thanks to you for your help and directions 🙂

Message 8 of 9
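
The gateway fix in the post above, traced as an added example (not part of the original thread or NETGEAR's documentation): it models the lab's routing tables and shows that, while VLAN 1 hosts point at 172.16.5.1, the ping reply from 172.16.5.2 returns through the router, which never forwarded the request. The device names and functions are hypothetical, 172.16.7.2 is the VLAN 7 host from the posted ARP table, and the idea that a stateful router/firewall discards such one-sided replies is an assumption the thread does not confirm.

```python
import ipaddress

def node(addrs, routes):
    """One device: its interface addresses and its static routes (net, gateway)."""
    return {"addrs": [ipaddress.ip_interface(a) for a in addrs],
            "routes": [(ipaddress.ip_network(n), ipaddress.ip_address(g))
                       for n, g in routes]}

def build_lab(vlan1_gateway):
    # Constructed model of the thread's lab; device names are hypothetical.
    return {
        "router": node(["172.16.5.1/24"], [("172.16.7.0/24", "172.16.5.254"),
                                            ("172.16.8.0/24", "172.16.5.254")]),
        "switch": node(["172.16.5.254/24", "172.16.7.254/24", "172.16.8.254/24"],
                       [("0.0.0.0/0", "172.16.5.1")]),
        "dhcp": node(["172.16.5.2/24"], [("0.0.0.0/0", vlan1_gateway)]),
        "host7": node(["172.16.7.2/24"], [("0.0.0.0/0", "172.16.7.254")]),
    }

def next_hop(dev, dst):
    """On-link delivery if dst is in a connected subnet, else longest-prefix match."""
    if any(dst in i.network for i in dev["addrs"]):
        return dst
    matches = [(n, g) for n, g in dev["routes"] if dst in n]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def path(lab, src, dst_ip):
    """Names of the devices a packet visits from src to the owner of dst_ip."""
    dst, hops = ipaddress.ip_address(dst_ip), [src]
    while all(i.ip != dst for i in lab[hops[-1]]["addrs"]):
        hop_ip = next_hop(lab[hops[-1]], dst)
        hops.append(next(name for name, d in lab.items()
                         if any(i.ip == hop_ip for i in d["addrs"])))
        if len(hops) > 8:
            raise RuntimeError("routing loop")
    return hops

def ping_paths(vlan1_gateway):
    """Request path, reply path, and devices that forward only the reply."""
    lab = build_lab(vlan1_gateway)
    request = path(lab, "host7", "172.16.5.2")
    reply = path(lab, "dhcp", "172.16.7.2")
    return request, reply, [h for h in reply[1:-1] if h not in request]

if __name__ == "__main__":
    for gw in ("172.16.5.1", "172.16.5.254"):
        print(gw, *ping_paths(gw), sep="\n  ")
```

A non-empty third list marks an asymmetric path; with the VLAN 1 default gateway set to 172.16.5.254 both directions stay on the switch and the list is empty.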
DaneA
NETGEAR Employee Retired

Re: M4100-D12G VLAN routing - ping VLAN1

@chfascik,

 

On behalf of @Jedi_Exile, you're welcome 🙂  I'm glad to know that you were able to solve the problem and thanks for sharing what you did to solve it.  🙂 

 

Since your concern has been resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

 


Cheers,

 

DaneA

NETGEAR Community Team

Message 9 of 9