jajelinek
asked on
Inter Vlan Routing and Routing to Internet on 3com 4800G Core Switch
Hi experts. I have spent some time putting together my network which consists of the following:
3com Office Connect VPN Router (Acts as Gateway for 2 WAN connections from different ISPs)
3com 4800G Layer 3 Switch (Acts as core switch, houses VLAN/Interface info)
3-3com 4200G Layer 2 Switches (Distribution/Access layer switches)
From a layer 2 standpoint I seem to have things working well. All 3 4200s are trunked via LACP back to the 4800G and VLAN information is allowed to traverse through the trunks and I've tested it as working.
Now on to my question:
I have 9 Vlans (including the default) as I wish to segment different parts of the network for both organizational and security reasons.
I have 2-3 Vlans that should talk to each other while the others should not route to any other interface save hitting the Internet. So far I'm able to jump on a Vlan (i.e. Vlan 2 192.168.101/24) and ping the Interface of 192.168.101.1. I can also ping other interfaces such as Vlan 3 192.168.102.1. But I cannot get past the interface to route to the Internet.
Here are the steps I took after assigning the ports to Vlan 2 (Example)
-----
interface vlan 2
undo ip address
ip route-static 192.168.101.0 255.255.255.0 192.168.101.1
interface vlan 2
ip address 192.168.101.1
-----
When I do a display ip routing-table this is the result:
Destination/Mask    Proto   Pre  Cost  NextHop         Interface
127.0.0.0/8         Direct  0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1       InLoop0
192.168.100.0/24    Direct  0    0     192.168.100.2   Vlan1
192.168.100.2/32    Direct  0    0     127.0.0.1       InLoop0
192.168.101.0/24    Direct  0    0     192.168.101.1   Vlan2
192.168.101.1/32    Direct  0    0     127.0.0.1       InLoop0
192.168.102.0/24    Direct  0    0     192.168.102.1   Vlan3
192.168.102.1/32    Direct  0    0     127.0.0.1       InLoop0
192.168.103.0/24    Direct  0    0     192.168.103.1   Vlan4
192.168.103.1/32    Direct  0    0     127.0.0.1       InLoop0
192.168.104.0/24    Direct  0    0     192.168.104.1   Vlan5
192.168.104.1/32    Direct  0    0     127.0.0.1       InLoop0
192.168.105.0/24    Direct  0    0     192.168.105.1   Vlan6
192.168.105.1/32    Direct  0    0     127.0.0.1       InLoop0
192.168.108.0/24    Direct  0    0     192.168.108.1   Vlan9
192.168.108.1/32    Direct  0    0     127.0.0.1       InLoop0
-----
I'm assuming there's something I'm missing here with a Next hop so the 192.168.101.0 network will know to forward requests for Internet traffic to the router at 192.168.101.1.
I also want to know how to limit communication between the Vlans so that they will only route to the Internet and not InterVlan.
I've included my running configuration if it would help. Thanks in advance, guys!
#
version 5.20 Release 2202P01, Release 2202P01
#
sysname 4800G-CORE
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
#
domain default enable system
#
telnet server enable
#
undo cluster enable
#
igmp-snooping
#
vlan 1
description DEFAULT
igmp-snooping enable
#
vlan 2
description 2
ip-subnet-vlan 0 ip 192.168.101.1 255.255.255.0
#
vlan 3
description 3
ip-subnet-vlan 0 ip 192.168.102.1 255.255.255.0
#
vlan 4
description 4
ip-subnet-vlan 0 ip 192.168.103.1 255.255.255.0
#
vlan 5
description 5
ip-subnet-vlan 0 ip 192.168.104.1 255.255.255.0
#
vlan 6
description 6
ip-subnet-vlan 0 ip 192.168.105.1 255.255.255.0
#
vlan 7
description 7
ip-subnet-vlan 0 ip 192.168.106.1 255.255.255.0
#
vlan 8
description 8
ip-subnet-vlan 0 ip 192.168.107.1 255.255.255.0
#
vlan 9
description 9
ip-subnet-vlan 0 ip 192.168.108.1 255.255.255.0
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool 1
network 192.168.102.0 mask 255.255.255.0
#
user-group system
#
local-user admin
authorization-attribute level 3
service-type telnet terminal
local-user manager
password simple manager
authorization-attribute level 2
service-type telnet terminal
local-user monitor
password simple monitor
authorization-attribute level 1
service-type telnet terminal
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation2
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation3
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation4
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation5
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.100.2 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.101.1 255.255.255.0
#
interface Vlan-interface3
ip address 192.168.102.1 255.255.255.0
#
interface Vlan-interface4
ip address 192.168.103.1 255.255.255.0
#
interface Vlan-interface5
ip address 192.168.104.1 255.255.255.0
#
interface Vlan-interface6
ip address 192.168.105.1 255.255.255.0
#
interface Vlan-interface7
ip address 192.168.106.1 255.255.255.0
#
interface Vlan-interface8
ip address 192.168.107.1 255.255.255.0
#
interface Vlan-interface9
ip address 192.168.108.1 255.255.255.0
#
interface GigabitEthernet1/0/1
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/2
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/3
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/4
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/5
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/6
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/7
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/8
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/9
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/10
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/11
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 4
#
interface GigabitEthernet1/0/12
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 4
#
interface GigabitEthernet1/0/13
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/14
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/15
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/16
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/17
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/18
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/19
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/20
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/21
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/22
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/23
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/24
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/25
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/26
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/27
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/28
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
ip route-static 192.168.100.0 255.255.255.0 192.168.100.1
ip route-static 192.168.101.0 255.255.255.0 192.168.101.1
ip route-static 192.168.102.0 255.255.255.0 192.168.102.1
ip route-static 192.168.102.0 255.255.255.0 192.168.101.1
ip route-static 192.168.103.0 255.255.255.0 192.168.103.1
ip route-static 192.168.104.0 255.255.255.0 192.168.104.1
ip route-static 192.168.105.0 255.255.255.0 192.168.105.1
ip route-static 192.168.106.0 255.255.255.0 192.168.106.1
ip route-static 192.168.107.0 255.255.255.0 192.168.107.1
ip route-static 192.168.108.0 255.255.255.0 192.168.108.1
#
snmp-agent
snmp-agent local-engineid 8000002B03001EC16FA6A9
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info contact
snmp-agent sys-info location
snmp-agent sys-info version all
#
dhcp enable
#
user-interface aux 0
authentication-mode scheme
user-interface aux 1 8
user-interface vty 0 4
authentication-mode scheme
#
return
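The routing table posted in the question, checked with a longest-prefix lookup before and after the default route the asker adds later in the thread (an added example, not part of the original post). The probe address 203.0.113.10 is a constructed stand-in for an Internet host, and the function names are hypothetical.

```python
import ipaddress

# Routing table rows as posted in the question (display ip routing-table).
POSTED_TABLE = """\
Destination/Mask Proto Pre Cost NextHop Interface
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.100.0/24 Direct 0 0 192.168.100.2 Vlan1
192.168.100.2/32 Direct 0 0 127.0.0.1 InLoop0
192.168.101.0/24 Direct 0 0 192.168.101.1 Vlan2
192.168.101.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.102.0/24 Direct 0 0 192.168.102.1 Vlan3
192.168.102.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.103.0/24 Direct 0 0 192.168.103.1 Vlan4
192.168.103.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.104.0/24 Direct 0 0 192.168.104.1 Vlan5
192.168.104.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.105.0/24 Direct 0 0 192.168.105.1 Vlan6
192.168.105.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.108.0/24 Direct 0 0 192.168.108.1 Vlan9
192.168.108.1/32 Direct 0 0 127.0.0.1 InLoop0
"""


def parse_routes(text):
    """Parse routing-table rows into dicts; the header row is skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            net = ipaddress.ip_network(parts[0])
        except ValueError:
            continue  # header row, not a prefix
        routes.append({"net": net, "proto": parts[1], "pre": int(parts[2]),
                       "cost": int(parts[3]), "nexthop": parts[4],
                       "iface": parts[5]})
    return routes


def lookup(routes, dst):
    """Longest-prefix match; None means the switch has no route for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r["net"] and (best is None
                                 or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def next_hop_is_local(routes, nexthop):
    """True when nexthop is one of the switch's own /32 InLoop0 addresses."""
    hit = lookup(routes, nexthop)
    return hit is not None and hit["iface"] == "InLoop0"


def add_static(routes, dest, mask, nexthop):
    """Model 'ip route-static dest mask nexthop' on top of the posted table."""
    via = lookup(routes, nexthop)
    if via is None or next_hop_is_local(routes, nexthop):
        raise ValueError(f"next hop {nexthop} does not lead off the switch")
    net = ipaddress.ip_network(f"{dest}/{mask}")
    # 60 is Comware's default preference for static routes.
    return routes + [{"net": net, "proto": "Static", "pre": 60, "cost": 0,
                      "nexthop": nexthop, "iface": via["iface"]}]


if __name__ == "__main__":
    table = parse_routes(POSTED_TABLE)
    print("inter-VLAN :", lookup(table, "192.168.102.5")["iface"])
    print("Internet   :", lookup(table, "203.0.113.10"))
    # The static route from the question points at the switch's own address.
    print("101.1 local:", next_hop_is_local(table, "192.168.101.1"))
    fixed = add_static(table, "0.0.0.0", "0.0.0.0", "192.168.100.1")
    hit = lookup(fixed, "203.0.113.10")
    print("with default route:", hit["nexthop"], "via", hit["iface"])
```

The lookup only models the switch's forwarding decision; it says nothing about whether the router at 192.168.100.1 has routes back to the other VLAN subnets.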
To stop intervlan routing you need to set up access-lists between vlans and apply them to the vlan interface. (Not sure how to do it in a 3Com, but in a Cisco it would look like this.)
If your Internet IP was on 192.168.108.254 and you wanted vlan 1 to only access the internet, vlan 2 to only access vlan 3 and the internet. Notice that I only have permit statements; it is because in access-lists, if it is not permitted, by default it is denied.
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.108.0 0.0.0.255
!
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.108.0 0.0.0.255
!
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.108.0 0.0.0.255
!
interface vlan 1
ip access-group 100 in
interface vlan 2
ip access-group 101 in
interface vlan 3
ip access-group 102 in
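The access lists from the answer above, evaluated against a few constructed flows to show wildcard matching, first-match order and the implicit deny (an added example, not part of the original answer; the host addresses and function names are constructed for illustration). The lists match on the packet's destination address, so as written a flow to an outside host such as 203.0.113.10 falls through to the implicit deny.

```python
import ipaddress

# ACL lines and inbound bindings copied from the Cisco example in the answer.
ACL_TEXT = """\
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.108.0 0.0.0.255
"""
INBOUND = {"vlan 1": "100", "vlan 2": "101", "vlan 3": "102"}

# Constructed sample flows: (ingress interface, source, destination).
SAMPLE_FLOWS = [
    ("vlan 2", "192.168.101.20", "192.168.102.10"),   # vlan 2 -> vlan 3
    ("vlan 2", "192.168.101.20", "192.168.103.10"),   # vlan 2 -> vlan 4
    ("vlan 1", "192.168.100.20", "192.168.108.254"),  # vlan 1 -> gateway subnet
    ("vlan 1", "192.168.100.20", "192.168.101.20"),   # vlan 1 -> vlan 2
    ("vlan 2", "192.168.101.20", "203.0.113.10"),     # vlan 2 -> outside host
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard mask: a 1 bit is ignored, a 0 bit must match the base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_acls(text):
    """Parse 'access-list N <action> ip SRC WILD DST WILD' lines, in order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        acls.setdefault(tok[1], []).append(
            {"action": tok[2], "src": tok[4], "src_wild": tok[5],
             "dst": tok[6], "dst_wild": tok[7], "text": line.strip()})
    return acls


def evaluate(acls, iface, src, dst):
    """Return (verdict, reason) for a packet entering on iface."""
    number = INBOUND.get(iface)
    if number is None:
        return "permit", "no access-group bound"
    for rule in acls.get(number, []):
        if (wildcard_match(src, rule["src"], rule["src_wild"])
                and wildcard_match(dst, rule["dst"], rule["dst_wild"])):
            return rule["action"], rule["text"]  # first match wins
    return "deny", "implicit deny"


def report(acls, flows):
    """Evaluate every flow and return (iface, src, dst, verdict, reason)."""
    return [(i, s, d) + evaluate(acls, i, s, d) for i, s, d in flows]


if __name__ == "__main__":
    for iface, src, dst, verdict, reason in report(parse_acls(ACL_TEXT),
                                                   SAMPLE_FLOWS):
        print(f"{iface:7} {src:15} -> {dst:15} {verdict:6} ({reason})")
```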
ASKER
Lastly, why do you have a route to 192.168.100.1 for the 192.168.100.0/24 network when your vlan 1 interface has an IP of 192.168.100.2?
interface Vlan-interface1
ip address 192.168.100.2 255.255.255.0
-----quote------------
Our Internet IP/Router is 192.168.100.1 (Management Vlan 1). I figured since the Vlan1 interface needed an IP I would assign it 192.168.100.2 and the switch would try to hop to the 192.168.100.1 router address. I removed all of the routes and added a static route of 0.0.0.0 0.0.0.0 192.168.100.1, and I can only hit the Internet from Vlan 1. When I plug into Vlan 2 and assign an IP address of 192.168.101.20 and the gateway as 192.168.101.1, I can ping all of the vlan interfaces but I cannot route past them to hit the Internet or reach 192.168.100.1.
Here is my current configuration:
#
version 5.20 Release 2202P01, Release 2202P01
#
sysname 4800G
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
#
domain default enable system
#
telnet server enable
#
undo cluster enable
#
igmp-snooping
#
vlan 1
description DEFAULT
igmp-snooping enable
#
vlan 2
description ADMIN
ip-subnet-vlan 0 ip 192.168.101.1 255.255.255.0
#
vlan 3
description CAD
ip-subnet-vlan 0 ip 192.168.102.1 255.255.255.0
#
vlan 4
description CLINIC
ip-subnet-vlan 0 ip 192.168.103.1 255.255.255.0
#
vlan 5
description COMM
ip-subnet-vlan 0 ip 192.168.104.1 255.255.255.0
#
vlan 6
description EDU
ip-subnet-vlan 0 ip 192.168.105.1 255.255.255.0
#
vlan 7
description PHONE
ip-subnet-vlan 0 ip 192.168.106.1 255.255.255.0
#
vlan 8
description RADIO
ip-subnet-vlan 0 ip 192.168.107.1 255.255.255.0
#
vlan 9
description SWAT
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool 1
network 192.168.102.0 mask 255.255.255.0
#
user-group system
#
local-user admin
authorization-attribute level 3
service-type telnet terminal
local-user manager
password simple manager
authorization-attribute level 2
service-type telnet terminal
local-user monitor
password simple monitor
authorization-attribute level 1
service-type telnet terminal
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation2
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation3
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation4
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
interface Bridge-Aggregation5
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.100.2 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.101.1 255.255.255.0
#
interface Vlan-interface3
ip address 192.168.102.1 255.255.255.0
#
interface Vlan-interface4
ip address 192.168.103.1 255.255.255.0
#
interface Vlan-interface5
ip address 192.168.104.1 255.255.255.0
#
interface Vlan-interface6
ip address 192.168.105.1 255.255.255.0
#
interface Vlan-interface7
ip address 192.168.106.1 255.255.255.0
#
interface Vlan-interface8
ip address 192.168.107.1 255.255.255.0
#
interface Vlan-interface9
ip address 192.168.108.1 255.255.255.0
#
interface GigabitEthernet1/0/1
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/2
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/3
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/4
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/5
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/6
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/7
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/8
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/9
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/10
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/11
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 4
#
interface GigabitEthernet1/0/12
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 4
#
interface GigabitEthernet1/0/13
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/14
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/15
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/16
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 1
#
interface GigabitEthernet1/0/17
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/18
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/19
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/20
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 2
#
interface GigabitEthernet1/0/21
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/22
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/23
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/24
port link-type trunk
port trunk permit vlan all
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
port link-aggregation group 3
#
interface GigabitEthernet1/0/25
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/26
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/27
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
interface GigabitEthernet1/0/28
shutdown
broadcast-suppression pps 3000
undo jumboframe enable
stp edged-port enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
#
snmp-agent
snmp-agent local-engineid 8000002B03001EC16FA6A9
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info contact Jeremy Hyde
snmp-agent sys-info location 2800 Aldine Bender Houston, TX 77039
snmp-agent sys-info version all
#
dhcp enable
#
user-interface aux 0
authentication-mode scheme
user-interface aux 1 8
user-interface vty 0 4
authentication-mode scheme
#
return
On a Cisco switch you have to enable IP routing with the command "ip routing"; maybe the 3Com is similar.
ASKER
I've researched this and there is no IP Routing. 3com switches will automatically route between Vlans once the interface is setup. So to recap here's where I'm at:
OfficeConnect router: (Lan/Uplink set to 192.168.100.1)
4800G Layer 3 Switch
(Vlan1 Interface set to 192.168.100.2)
(Vlan2 Interface set to 192.168.101.1)
PC Set to 192.168.101.2 gateway 192.168.101.1
I can ping the Vlan interfaces but nothing past it.
If my Internet/uplink to the router is sitting in Vlan1 and I'm trying to gain access to that uplink via Vlan2 technically I won't be able to route to the next hop, only between Vlan interfaces. So here's what I've tried.
I enabled another interface on the router with 192.168.101.1 as the IP, went back and set the VLAN2 Interface on the 4800G to 192.168.101.2. And now Vlan1 and Vlan2 both can reach the Internet through different interfaces.
Now what I'm noticing is that I can ping the Vlan Interfaces, but cannot route traffic Inter-Vlan.
So if I want Internet access for all the Vlans does that mean I'll have to create a new interface and cable for each Vlan from the router?
If this were Cisco I'd do this all on subinterfaces on the router, trunk via one cable from the switch to the router and call it a night. Has anyone else had weird issues like this with 3com? Either I'm ignorant or just really displeased with their equipment.
What is the default gateway on your clients? It needs to be the switch interface appropriate for each VLAN.
What you did with your router interface is not best practice and I would recommend you undo it.
ASKER
For Vlan 2 the default gateway is the Vlan Interface 192.168.101.2.
I'd be happy to undo enabling the second interface on the OfficeConnect router but I did it for testing purposes just to make sure the Vlans were working/etc. I'm sort of stuck right now.
Again, with Cisco this would be more straightforward, but I'm stuck with the 3com gear right now.
That's OK, I just know Cisco, not 3Com. Can you post your routing table again now that you have removed all the static routes?
ASKER
Here is my current routing table:
Routing Tables: Public
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost NextHop Interface
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.100.0/24 Direct 0 0 192.168.100.2 Vlan1
192.168.100.2/32 Direct 0 0 127.0.0.1 InLoop0
192.168.101.0/24 Direct 0 0 192.168.101.2 Vlan2
192.168.101.2/32 Direct 0 0 127.0.0.1 InLoop0
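Added example (not part of the original thread): a short Python model of the longest-prefix lookup the switch performs against the routing table posted above. With only Direct routes an Internet destination matches nothing; a default static route toward the OfficeConnect router resolves it. The gateway 192.168.100.1 is taken from the asker's description, while the destination 203.0.113.10 and the function names are constructed for illustration.

```python
import ipaddress

# Rows copied from the routing table posted above (Comware "display ip routing-table").
TABLE = """\
Destination/Mask Proto Pre Cost NextHop Interface
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.100.0/24 Direct 0 0 192.168.100.2 Vlan1
192.168.100.2/32 Direct 0 0 127.0.0.1 InLoop0
192.168.101.0/24 Direct 0 0 192.168.101.2 Vlan2
192.168.101.2/32 Direct 0 0 127.0.0.1 InLoop0
"""

def parse_table(text):
    """Parse routing-table rows into dicts; header and malformed lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        try:
            net = ipaddress.ip_network(fields[0])
        except ValueError:
            continue  # e.g. the "Destination/Mask" header
        routes.append({"net": net, "proto": fields[1],
                       "next_hop": fields[4], "iface": fields[5]})
    return routes

def lookup(routes, dst):
    """Longest-prefix match. None means no route: the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None

def with_default(routes, gateway):
    """Model 'ip route-static 0.0.0.0 0.0.0.0 <gateway>'."""
    via = lookup(routes, gateway)
    if via is None or via["proto"] != "Direct":
        raise ValueError("next hop is not on a directly connected subnet")
    return routes + [{"net": ipaddress.ip_network("0.0.0.0/0"), "proto": "Static",
                      "next_hop": gateway, "iface": via["iface"]}]

if __name__ == "__main__":
    routes = parse_table(TABLE)
    dst = "203.0.113.10"  # constructed Internet address (documentation range)
    print("before:", lookup(routes, dst))
    fixed = with_default(routes, "192.168.100.1")  # assumption: OfficeConnect LAN IP
    print("after: ", lookup(fixed, dst)["next_hop"], "via", lookup(fixed, dst)["iface"])
    print("VLAN 2 host still direct:", lookup(fixed, "192.168.101.20")["iface"])
```

The router in turn needs a route back to each VLAN subnet via 192.168.100.2, otherwise replies to hosts outside Vlan1 have no return path.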
ASKER
Update: This is the only way I'm able to get things working right now:
Setup 2 interfaces on the Office Connect router (192.168.100.1 Vlan1 and 192.168.101.1 Vlan2)
On the 4800G setup 2 Vlan interfaces Vlan1 192.168.100.2 and Vlan2 192.168.101.2
On Vlan 1 host: IP: 192.168.100.20 Sub: 255.255.255.0 GW: 192.168.100.1
On Vlan 2 host: IP: 192.168.101.20 Sub: 255.255.255.0 GW: 192.168.101.1
I can ping from both hosts between Vlans and route traffic through the Internet.
If I set the Vlan interfaces on the switch as .1 and the Lan interfaces on the Router as another subnet it's not going to work as there's no common interface for the Vlans to route to (either via RIP or Static).
So far this is the only way I've gotten it to work and I feel that I'm wasting a $3000USD switch right now and that I'm probably doing something wrong with my config. 3com support is NO help so far... (Surprise)
Since you are using IP subnet VLAN assignments how are you doing your IP addressing? DHCP? or Static?
ASKER
Most of our Vlans have very few hosts so we will be using static for those workstations/devices. The two major Vlans will have DHCP running with a /24 scope in each.
We'll have a total of 9 Vlans (including the default), out of which only 4 need Internet access; the rest will be isolated with ACLs put in place (I assume this will work) to block traffic between Vlans.
ip route-static 0.0.0.0 0.0.0.0 x.x.x.x (Internet gateway ip address)
Secondly you can remove
ip route-static 192.168.100.0 255.255.255.0 192.168.100.1
ip route-static 192.168.101.0 255.255.255.0 192.168.101.1
ip route-static 192.168.102.0 255.255.255.0 192.168.102.1
ip route-static 192.168.102.0 255.255.255.0 192.168.101.1
ip route-static 192.168.103.0 255.255.255.0 192.168.103.1
ip route-static 192.168.104.0 255.255.255.0 192.168.104.1
ip route-static 192.168.105.0 255.255.255.0 192.168.105.1
ip route-static 192.168.106.0 255.255.255.0 192.168.106.1
ip route-static 192.168.107.0 255.255.255.0 192.168.107.1
ip route-static 192.168.108.0 255.255.255.0 192.168.108.1
By default a switch knows where directly connected networks are. So if traffic is bound for the 192.168.101.x network the switch will automatically send it out the directly connected interface of 192.168.101.1 without being told.
Lastly, why do you have a route to 192.168.100.1 for the 192.168.100.0/24 network when your vlan 1 interface has an IP of 192.168.100.2?
interface Vlan-interface1
ip address 192.168.100.2 255.255.255.0