This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
All VLAN 1 nodes can ping VLAN 2 nodes, except if it is the firewall attempting to ping a node in VLAN 2
All VLAN 2 nodes can ping VLAN 1 nodes, except the firewall device.
It is acting as if the firewall device does not have a gateway configured in it.
Before I call the firewall manufacturer (Fortigate), I noticed that the NETGEAR manual indicates this switch's Maximum Number of Hops is 1 and that this is a COMPILE-TIME constant.
Is tihs possibly what is creating my problem, whereby I can ping all devices within the XS716T, but as soon as I try to ping a device outside of it, I can't?
(not even the firewall itself, although that doesn't make sense to me).
Is this a value that can be changed with a firmware update or any other mechanism?
I also noted that I can configure static routes, but they have no effect, with the exception of the "DefaultRoute", which when configured allows all nodes on VLAN 1 to access the corporate network. VLAN 2 nodes, continue to have visibility only of any device connected to the XS716T switch, but not outside of it.
Any other static route I configure will not get listed in the "Route Status" section of the "Routing Table" -> "Route Configuration" section.
I am sorry for your issue. To me it looks like return route issue on your firewall, or port configuration (PVID, as CarlZhu indicated) issue on that port the firewall is connecting to.
Port configuration: when the firewall connects to VLAN 1, we need to check the port configuration on the switch. Does it match firewall LAN configuration? I am assuming all packets are tagged by the firewall, so XS716T port should be in Tagged mode, with no PVID.
Return routes: we need to check if firewall is correctly returning traffic to XS716T VLAN 1 and VLAN 2 IP interfaces (return static routes). If not, we need to configure these static routes accordingly on the firewall.
I have a last question: are we sure we want to enable Routing on XS716T? With routing enabled, all VLAN 1 nodes and VLAN 2 nodes can see each other, and ACLs will have to be used for access control and inter-VLAN security. If this is a small separate LAN in the company, maybe that switch should remain Layer 2 only, with routing on the firewall?
Either way we want to help you JGrioni: please give us an updtate. Next time we'll need the XS716T configuration file, as well as the firewall routing table and firewall LAN port configuration.
I am sorry for your issue. To me it looks like return route issue on your firewall, or port configuration (PVID, as CarlZhu indicated) issue on that port the firewall is connecting to.
Port configuration: when the firewall connects to VLAN 1, we need to check the port configuration on the switch. Does it match firewall LAN configuration? I am assuming all packets are tagged by the firewall, so XS716T port should be in Tagged mode, with no PVID.
Return routes: we need to check if firewall is correctly returning traffic to XS716T VLAN 1 and VLAN 2 IP interfaces (return static routes). If not, we need to configure these static routes accordingly on the firewall.
I have a last question: are we sure we want to enable Routing on XS716T? With routing enabled, all VLAN 1 nodes and VLAN 2 nodes can see each other, and ACLs will have to be used for access control and inter-VLAN security. If this is a small separate LAN in the company, maybe that switch should remain Layer 2 only, with routing on the firewall?
Either way we want to help you JGrioni: please give us an updtate. Next time we'll need the XS716T configuration file, as well as the firewall routing table and firewall LAN port configuration.
Although I'm familiar with networking, its terminology and its concepts, I was missing a few key thoughts when configuring the switch. The way the article was written, helped me understand a few concepts differently. I'll be circulating it internally with other folks to solidify some routing and switching concepts.
One thing it helped me with was to understand the concept of Next Hop and how it relates to the Gateway (page 8 indicated that the Gateway was also called the Next Hop Address).
What I'm still not understanding is what is meant in the XS716T User Manual when it says that the Maximum Number Hops is limited to one. Does this mean that the TTL value will only be decremented by 1 when a message goes through the switch if Routing is enabled? It certainly doesn't mean I can only have one gateway, since in my configuration I have placed many gateways to satisfy our routing needs.
Thanks for the idea carl_zhu, but the PVID was already set (appropriately I should add) for each VLAN.
The concepts in the document DaneA pointed me to matched what I had configured so I was able to rule the PVID configuration out as a source of my problem.
Hi LaurentMa. Thanks for your post. And to all of the other respondents too.
I have the issue fixed.
To me it looks like return route issue on your firewall, or port configuration (PVID, as CarlZhu indicated) issue on that port the firewall is connecting to.
This was the main problem I had. The firewall's return route was improperly set. Although its static route was correctly set to appropriate switch's VLAN address, its gateway was incorrect. We have some weired subnetting going on and so we were too restrictive on the return route so no packets were coming back to the switch. We had looked at Carl's idea regarding the PVID, but it was correctly set.
Port configuration: when the firewall connects to VLAN 1, we need to check the port configuration on the switch. Does it match firewall LAN configuration? I am assuming all packets are tagged by the firewall, so XS716T port should be in Tagged mode, with no PVID.
The firewall is not VLAN tagging any packets and neither is the switch (except via the PVID to match the port's expected VLAN participation - which is what Carl Zhu had suggested and we had set correctly).
Packets reaching the firewall were doing so either because they came from within the same VLAN but looking for the firewall as a gateway (and in that case I didn't have a problem) or because the switch was routing them from another VLAN (which was when the problem manifested itself), but at that level, Layer 2 (and thus the VLAN number) had no merit in the matter because the packets were already routed within the switch.
Return routes: we need to check if firewall is correctly returning traffic to XS716T VLAN 1 and VLAN 2 IP interfaces (return static routes). If not, we need to configure these static routes accordingly on the firewall.
This was EXACTLY what my problem was. Thanks LaurentMa!
In our case, we are using some weird subnetting and this was causing the firewall to think the packets did not belong anywhere so it wasn't sending them back to the switch.
I have a last question: are we sure we want to enable Routing on XS716T? With routing enabled, all VLAN 1 nodes and VLAN 2 nodes can see each other, and ACLs will have to be used for access control and inter-VLAN security. If this is a small separate LAN in the company, maybe that switch should remain Layer 2 only, with routing on the firewall?
This is an excellent question. We pondered about this ourselves while the problem was manifesting itself. Our objective was not to overwhelm the firewall with having to route packets if the switch itself could do it. That way, we also were assured that the port carrying the traffic between the firewall and the switch was not going to be a bottleneck (most of the traffic between nodes across different VLAN's connected to the switch would never leave the switch. Only traffic into our corporate network or internet bound traffic would go through the firewall and leave the switch). If we couldn't solve the issue, we would have done what you suggested here. Thanks for your insight!
Some final thoughts:
The XS716T has performed very well for us.
I still don't understand when the limitation of the "maximum number of hops" being '1' will manifest itself, if ever.
I think it only means that the TTL will be reduced by one for any packet traversing the switch.
I say this because were have configured several static routes in the switch now, and they all work well.
We are so glad that you managed to solve your configuration issue, and thank you for explaining all this to the community.
You are correct in your understanding of the "maximum number of hops" being '1'. This is inherent limitation of Static Routing implementation, it should not manifest ever in your typical LAN topology.
It only means that the next hop (the next gateway) to which packets are forwarded along the path to their final destination must be the immediate next-hop right after XS716T VLAN egress routing interface.
This is what you have implemented by connecting your firewall right to the switch. In case another switch would have been in the middle, then XS716T static routes would have to point to that other switch routing interfaces instead.
I hope this clarifies this topic, please let us know if anything else can be done for you. I hope you will share how your production is doing on your new XS716T Smart Managed 16-port 10 Gigabit switch!
