atvrocks asked:
Vlan setup on Linksys / Cisco

Hello,
I just purchased a SLM224G Linksys switch by Cisco.
It is a 24+2 Gb switch.
My setup has to be the following:
Ports 1-12 plus G1 are on the same Vlan (Vlan 10 Data)
Ports 13-24 plus G2 are on the same Vlan (Vlan 20 Voice)

My firewall provides two outputs - one in G1 and one in G2
Each one has a DHCP server enabled - one generates 192.168.5.x, the other one generates 192.168.25.x (this range will be used for the VoIP phones)

Looks pretty straightforward - however:

Every port on the switch gets IPs from 192.168.5.x, regardless of which Vlan or port it is. If I shut down DHCP on VLAN 10 (G1) I get IPs in the range 192.168.25.x on all the ports regardless of location or Vlan.

It seems that there is a link between Vlans and that could be because all the ports are part of Vlan 1 - the default on Cisco. Right now ports 1-12 plus G1 are part of Vlan 1 and 10, and ports 13-24 plus G2 are part of Vlan 1 and 20 ....
How can I solve the problem so I have two separate networks - independent of each other?
Thank you

DGSGuy:
Can you remove vlan 1 from the switchports?
atvrocks (asker):
No .... this is something that Linksys/Cisco switches have
Have you configured your ports/vlans as tagged?
I did try Tagged or Untagged .... unless I'm doing something wrong
If the switch ports are assigned to different vlans (check test below) then your router (Firewall) must have a route between vlans before they can talk to each other.  Drop this route and it should isolate the vlans and the ip numbers received from the independent DHCP servers.

1) Test for Vlans working:  Remove the physical link between one of the router ports and the switch.  This should remove the DHCP for that side of the switch. Try a workstation on that "dead" side of the switch.  If it gets an ip number from DHCP, then the switch is not configured correctly for vlans.  If you do not get a DHCP ip number, the switch (port) is correct (for that vlan).

2) Reconnect that link and do the same for the other vlan link to the router.  You should get the same results.

3) If these 2 tests show that the switch is working correctly, check the routes in the firewall.  You should NOT have a route between the 192.168.5.0 and 192.168.25.0 networks. Make sure you use the same switch port for all tests on vlan 10 (ie: port 3?) and the same port for all tests on vlan 20 (ie: port 15?).
That way, if those ports work for all tests, make sure all the other ports within the respective vlans are configured the same as the "test" ports.

Is the firewall cisco?


1) I removed one link - G1 (vlan 10 and 1)
a. With a PC in port 1 (Vlan 10 and 1) I get DHCP address from G2 (Vlan 20 and 1) - 192.168.25.x
b. With a PC in port 12 (Vlan 20 and 1) I get DHCP address from G2 (Vlan 20 and 1) - 192.168.25.x

2) I removed one link - G2 (vlan 20 and 1)
a. With a PC in port 1 (Vlan 10 and 1) I get DHCP address from G1(Vlan 10 and 1) - 192.168.5.x
b. With a PC in port 12 (Vlan 20 and 1) I get DHCP address from G1 (Vlan 10 and 1) - 192.168.5.x

3) With both uplinks connected:
no matter where I am in the switch - I get IP's from G1 (Vlan 10 and 1) .... The only way that I can get IP's from the other subnet - if is I disconnect G1.


The routes are assigned auto by the firewall - based on connectivity. Nothing fancy
The firewall is a Fortigate 50 B - not a Cisco (I wish)



According to your setup above:

"My setup has to be the following:
Ports 1-12 plus G1 are on the same Vlan (Vlan 10 Data)
Ports 13-24 plus G2 are on the same Vlan (Vlan 20 Voice)"

Ports 1 and 12 are on the same vlan (10).
you will need to plug a workstation into the Voice vlan to test this correctly.
What switchports are the links to the router's G1 & G2 links plugged into?

You mention Vlan 20 and 1 and Vlan 10 and 1.  A switch port can only be assigned to one vlan at a time.  I don't understand what you mean by that statement.  Are the switchports that link to your firewall set up as trunks?  In this configuration they should NOT be set up as trunks, but should be connected to ports listed as within their respective vlans.  (ie: G1 should be connected to one of the ports from 1 to 12, G2 should be connected to one of the ports from 13-24.)


At the console prompt, have you verified that all ports are defined as you say by using this command:
> show vlan    or
> show vlan id 10

If the ports are indeed defined as you say, you must have a vlan trunk defined.
Enter
> show run
then look at the interface definition for your switch port. If you have something like....
> switchport trunk allowed vlan 1, 10
that will be your common bridge.  If that is what you find you can do ....
> no switchport trunk allowed vlan 1, 10
and then
> switchport trunk allowed vlan 10
getting rid of VLAN 1 in the trunk. This will isolate VLAN 10. Do the same for VLAN 20.

Vlan 1 is the default Vlan in a CISCO switch (or Linksys). I cannot get rid of it. It is the management Vlan.
By default every port is part of Vlan 1

Being a Linksys switch - I do not have CLI .... only GUI - bummer.

To be more explicit .... the switch has 24 10/100 ports (E1-24) and 2 Gb ports ....G1 and G2
Physically looking at the switch I have :

E1 E2 E3 ......E12 G1
E13 E14 .......E24 G2

So I defined the top part as Vlan 10 with G1 as uplink
and the bottom part as Vlan 20

There is nothing special on the setup of the uplinks G1 or G2 ... they are just like regular ports - only they are Gb ports.
wsenter, What you say is true but he is trying to separate the vlans to 2 different ports on the firewall and use 2 different DHCP servers (attached to each router port).  Using a Cisco router, he could define sub-ports on one physical router port, and assign DHCP to each sub-port and accomplish this but this is pretty complicated and I'm not sure his router would support that.

OH, I just realized something - When you refer to G1 & G2 you are talking about switch ports and not router ports.  Make sure G1 & G2 are assigned to their respective vlans within the switch.  Vlan 1, which can not be deleted, should be assigned to a virtual port with a different ip and not to a physical port.   vlan 1 should NOT be assigned to any physical ports. If that is not possible, select 1 port to assign it to and make that the only port that is in vlan 1.


Make sure the virtual port IP is outside the scope of vlan 10 and vlan 20 (ie: 192.168.3.3).  In this case you could trunk G1 & G2 ports to their respective vlans + vlan1 and they shouldn't bleed over.  Check your router for routes connecting your vlan networks.  That is most likely where your DHCP problem is coming from.
Using your web browser, click the tab "VLAN Management".  Under "Select VLAN" setting make sure that all ports are set to "tagged" and not "Untagged"
They are ..... I just can't find a way to create (a) trunk port
If you assign G1 and G2 to their respective vlans, they don't need to be trunks.  Trunks are only needed if you want to send more than one vlan across a single physical cable.
If you tag ports 1-12 and G1 as VLAN 10 and 12-23 and G2 as VLAN 20 and you want to keep them separate, that is all you should need to do. These DHCP servers... Are they separate servers on the network outbound from this switch or are they built in?
I can tag the ports and that will do nothing ....
For example port e1 will be part of 1U and 10T (Vlan 1 untagged and 10 tagged)
Port e13 will have 1U and 20T
If I set that the ports accept ONLY tagged packets - I cannot get to the DHCP server ....
SOLUTION by wsenter (post body not available on this page)
" helper definition for passing dhcp requests across a network is not setup properly."

That might be what the problem is ...

As explained before the firewall is the one doing the DHCP .... For each interface (2 in my case) I can have a DHCP server enabled .... This is how I get the IP's currently ....
However - there are no Vlans set up in the Firewall ... for the specific interface(s). That was over my head - in this respect
Each interface is part of a separate network (or vlan).  In your case there doesn't need to be any special setup for the vlans within the firewall.  However, in the firewall, or more accurately, in the router portion of the firewall is where the vlans (interfaces) are either allowed to communicate with each other or kept separated.  

Normally the default is no communication between ports unless static routes are manually entered, or a routing protocol is running to automatically setup routes.  If there is a routing protocol running, it could cause the overlapping of the DHCP servers.
Let me look for a manual on your Fortigate 50 B and maybe I can see what you are dealing with there.
atvrocks, I didn't find a manual, but I found the specifications on your router.  Your router has 2 WAN ports and 3 LAN ports.  The LAN ports are part of a built-in switch and not a part of the router.  My assumption was that the ports you are plugging into on the firewall were router ports and not switch ports.  That was my error.  This puts a different spin on things.

To make this work the way you want it to, you are going to have to set up matching vlans  within the firewall and assign the switch ports (lan ports) that go to the linksys switch to their respective vlan.  You will need to check the documentation on the router to see if it supports vlans and how to set them up.



Agree .... The whole Vlan setup on the Fortigates will be "interesting" ....
The Fortigate has one "Internal" interface with 3 ports ..... and two "Wan" ports.
The naming convention has nothing to do with the functionality. Each port is independent and can be used as I wish .... like for example I can use Internal instead of Wan .....

So in my configuration I use Wan1 -> Internet, Internal -> G1 (Linksys vlan 10), Wan2 ->G2 (Linksys vlan 20)

What makes me mad is the inability to go CLI on this switch and the lack of documentation for the Linksys. If I completely separate the Vlans - meaning getting rid of Vlan 1 - I cannot control the switch anymore .... Vlan 1 is the management Vlan.

ASKER CERTIFIED SOLUTION (post body not available on this page)
Vlan 1 cannot be assigned ... is in ALL the ports
In the firewall I have exactly those 4 basic routes .... nothing between "Internal" and "Wan2"

I did check with the support on Fortigate and they said:
"Yes, you can use WAN2 for an internal network. The interface name does not affect the interface operation in anyway.

Other than this, your only option is to use a VLAN on internal."

Attached are couple pics from the Linksys switch.

So - just to be on the same page ... once I plug a PC in the port(s) 1-12 - I would like to have an IP: 192.168.5.x

Once I plug a phone on port(s) 13-24 - I would like to have an IP: 192.168.25.x

I want this done like that so the traffic from the PCs does not interfere with the phone traffic .... QoS is in place for the ports 13-24.

Thank you again for all your help

[Attached screenshots: clip-image002.jpg through clip-image009.jpg]
Good info.  Can you post screen shots from the IP screen (like #2) for the other 2 vlans?
And ..... "drums" .... problem solved.
I called CISCO - It turns out that there is a tremendous difference between the Linksys switches and Cisco Switches (duh). We did a Webex session and the technician explained to me the following based on good practice:

- Have Vlan 1 for Data and Vlan 20 for Voice.
- Data and management Data will always be on Vlan 1 (good practice)
- Voice Vlan stayed on 20 and changed the PVID to 20.
- No tagging for any of the ports since the Linksys is NOT connected to a switch ....

Bottom line - it works. Lesson learned - Buy Cisco not Linksys
Thank you all for your help ...
I did split the points since the two of you (dosdet2 and Wsenter) helped me with this .... appreciate the help.
Thank you
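Added example, not from this thread or from Cisco/Linksys: a small Python model of 802.1Q port-based forwarding. It reproduces the membership the asker posted (every port VLAN 1 untagged with PVID 1, data or voice VLAN tagged) and the final layout from the last post (data and management on VLAN 1, voice ports moved to PVID 20); the exact per-port membership in the fixed layout is an assumption. Running it shows why an untagged DHCP Discover from a phone on E13 reached both uplinks in the first case and only G2 in the second.

```python
# Added example, not from the thread: a model of 802.1Q port-based forwarding.
# An untagged frame is classified by the ingress port's PVID and flooded to every
# other port that is a member of that VLAN (tagged or untagged). With VLAN 1
# untagged on all ports and PVID 1 everywhere, a DHCP Discover reaches G1 and G2.
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    pvid: int                        # VLAN assigned to frames arriving without a tag
    untagged: frozenset              # VLANs this port forwards without a tag
    tagged: frozenset = frozenset()  # VLANs this port forwards with an 802.1Q tag

def flood_untagged_broadcast(switch, ingress):
    """Ports that receive an untagged broadcast (e.g. DHCP Discover) entering `ingress`."""
    vid = switch[ingress].pvid
    return sorted(name for name, p in switch.items()
                  if name != ingress and vid in (p.untagged | p.tagged))

def uplinks_reached(switch, ingress, uplinks=("G1", "G2")):
    """Which firewall uplinks, and so which DHCP servers, see the broadcast."""
    return [u for u in uplinks if u in flood_untagged_broadcast(switch, ingress)]

def as_posted():
    """Membership the asker described: 1U + 10T on E1-E12/G1, 1U + 20T on E13-E24/G2."""
    sw = {f"E{i}": Port(1, frozenset({1}), frozenset({10})) for i in range(1, 13)}
    sw.update({f"E{i}": Port(1, frozenset({1}), frozenset({20})) for i in range(13, 25)})
    sw["G1"] = Port(1, frozenset({1}), frozenset({10}))
    sw["G2"] = Port(1, frozenset({1}), frozenset({20}))
    return sw

def as_fixed():
    """Final layout from the last post: data on VLAN 1, voice ports PVID 20, no tagging.
    Assumption: each voice port carries only VLAN 20 and no longer belongs to VLAN 1."""
    sw = {f"E{i}": Port(1, frozenset({1})) for i in range(1, 13)}
    sw.update({f"E{i}": Port(20, frozenset({20})) for i in range(13, 25)})
    sw["G1"] = Port(1, frozenset({1}))
    sw["G2"] = Port(20, frozenset({20}))
    return sw

if __name__ == "__main__":
    print("posted, phone on E13 reaches:", uplinks_reached(as_posted(), "E13"))  # ['G1', 'G2']
    print("fixed,  phone on E13 reaches:", uplinks_reached(as_fixed(), "E13"))   # ['G2']
    print("fixed,  PC on E1 reaches:    ", uplinks_reached(as_fixed(), "E1"))    # ['G1']
```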