InnerloopIT asked:

Routing 101 and VLANS

Astaro Firewall v8.3 has four network cards. Nic2 receives its IP address from the ISP via DHCP. Nic0 and Nic1 are bonded using LACP to form Trunk1. Trunk1 has the IP address 10.0.10.1/24. Trunk1 is physically connected to the Vyatta router v6.4 network cards Nic0 and Nic1. Nic0 and Nic1 are bonded using LACP to complete Trunk1 on the Vyatta router.

Nic2 and Nic3 on the Vyatta router form another Trunk, called Trunk2/Bond1. Trunk2/Bond1 has IP address of 10.0.10.6/24. Trunk2 is connected to a Juniper EX2000 switch (SW01), on ge-0/0/0 and ge-0/0/1 ports. Ports 0/0/22 and ge-0/0/23 on SW01 are connected to ports ge-0/0/22 and ge-0/0/23 on SW02 to form Trunk3.
I have configured both Juniper EX2000 switches with 3 identical VLAN profiles. The VLANS can communicate with each other and ping Trunk2 10.0.10.6.
Issues:
1. Clients connected to the Juniper switches cannot reach the Astaro firewall at 10.0.10.1.

Questions:
1. What would my IP addresses, subnet and default gateway be for the following?
2. A connection from the Astaro box at 10.0.10.1/24 connecting to the Vyatta router: would it share the same IP address of 10.0.10.1/24, or would it be a new IP?
3. When OSPF is implemented, is the broadcast address attached to a sub-interface like a VLAN address, i.e. IP address for eth4 10.0.10.20 and OSPF 10.0.10.20.40?
Network.zip

Last comment: davewag77, 8/22/2022 - Mon
koudry

Hello,

Could we see a simple diagram please?

I suspect you have to work from layer 1 upwards. I know nothing about security devices. But since you have VLANs and trunks, you need to reassure yourself that the trunk-to-VLAN and interface mappings are correct before you start talking about IP addresses and routing protocols.

On Cisco platforms, you can use commands such as "show vlan brief", "show interface trunk" etc.

"show vlan brief", for example, lists VLANs and the interfaces that are in them.

"show interface trunk" shows the list of trunks and the interfaces in them. You need the equivalent of those commands on your respective platforms to make sure both your layer 1 and layer 2 are working before moving to IP addressing and routing.

You also need to make sure you have applied the correct setting for LACP at both ends of your trunk.

See also http://www.astaro.org/astaro-gateway-products/management-networking-logging-reporting/32892-8-000-only-one-link-link-aggregation-cisco-port-channel-via-lacp.html


Good luck
davewag77

Hi,

What are you trying to accomplish?

Which vlans do you need on which switches? A trunk carries multiple vlans. Why the two routers?

You need to give the Vyatta router an IP on the 10.0.10.1 subnet on the side facing the Astaro. You need to create a different subnet on the other side of the Vyatta router. You can create additional subnets per VLAN. You cannot have the Vyatta and Astaro sharing the same IP address.

Then you can create static routes from each VLAN to 10.0.10.1 via the Vyatta's IP on their subnet.

See attached.


I just saw your other post @ https://www.experts-exchange.com/Networking/Network_Management/Network_Design_and_Methodology/Q_27778087.html and it seems these are related? Do you want to segregate out voip traffic into a vlan for qos? What about the wlan? It would be helpful to know what the end game is.
Q-27783534.jpg
InnerloopIT

ASKER
My primary aim is to learn more about networking and how to shape/separate a network’s traffic. My home network is on a flat network, all on one subnet, and I was tired of all the bottlenecking while streaming videos or transferring large blocks of data.

My first network design post did not receive any feedback, so I broke my original project into smaller projects.
 
Your Question:  Do you want to segregate out VOIP traffic into a VLANS for QOS?
 
My Answer: Yes, I want Voice traffic to be on its own VLAN with QOS.
 
Your Question:  What about the WLAN?
 
My Answer: I am going to configure the Astaro’s VPN client once my internal network is up.
 
Current status: I have given Nic A on the Vyatta router, facing the Astaro, the IP address 10.0.10.2/24; Nic B on the Vyatta router, which faces Switch A, the IP address 10.10.10.10/24; and Nic C, which faces Switch 2, the IP address 10.10.10.20/24.
I have attached the configuration that I have in place. Clients on Switch 2, VLAN 90, can ping 10.10.10.20/24 and ping 10.0.10.2/24, but still cannot ping 10.0.10.1 or resolve outside websites. I have hardcoded my ISP's DNS on my end devices.

I have also created the following masquerade rule:

```
set nat source rule 10 source address 10.10.10.0/24
set nat source rule 10 outbound-interface bond0
set nat source rule 10 translation address masquerade
```



Thank you for taking the time out of your schedule to answer my post. Your diagram was very helpful and helped me see things more clearly.
 
I look forward to your response,
 
Matt
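The two points in play here (davewag77's advice that each side of the Vyatta needs its own subnet plus routes, and the asker's masquerade rule on bond0) come down to whether the reply packet from 10.0.10.1 has a way back to the VLAN client. The following is an added example, not configuration from any participant in this thread: a small routing simulator in Python that traces a ping from a VLAN client to the Astaro and then traces the reply. It uses the addresses the thread gives (Astaro 10.0.10.1/24, Vyatta 10.0.10.2/24 toward the Astaro and 10.10.10.20/24 toward Switch 2) and assumes the rest: a constructed client at 10.10.10.50, an ISP side in the 203.0.113.0/24 documentation range, interface names `bond0`/`eth2`/`trunk1`, and a default route on the Vyatta pointing at the Astaro. It then compares three cases: no return path, a static route for 10.10.10.0/24 on the Astaro, and source NAT on the Vyatta's bond0.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed lab, not the poster's real configuration. Addresses the thread
# mentions (10.0.10.1, 10.0.10.2, 10.10.10.20) plus assumed ones for the
# client (10.10.10.50) and the ISP side (203.0.113.0/24 documentation range).
CLIENT_IP = "10.10.10.50"
ASTARO_IP = "10.0.10.1"


@dataclass
class Node:
    """A host or router: addressed interfaces, a routing table, optional source NAT."""
    name: str
    interfaces: dict                                     # iface name -> IPv4Interface
    routes: list = field(default_factory=list)           # (IPv4Network, next_hop|None, iface)
    masquerade_ifaces: set = field(default_factory=set)  # ifaces doing source NAT on egress

    def __post_init__(self):
        # Every addressed interface yields a connected route (no next hop).
        for iface, addr in self.interfaces.items():
            self.routes.append((addr.network, None, iface))

    def lookup(self, dst):
        """Longest-prefix match. Returns (next_hop, iface) or None if no route."""
        best = None
        for net, nh, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return None if best is None else (best[1], best[2])

    def owns(self, addr):
        return any(a.ip == addr for a in self.interfaces.values())


def trace(nodes, start, src_ip, dst_ip, max_hops=8):
    """Forward one packet hop by hop. Returns (delivered, path, source as last seen)."""
    cur = nodes[start]
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return True, path, str(src)
        hit = cur.lookup(dst)
        if hit is None:                      # no route at all: dropped here
            return False, path, str(src)
        next_hop, iface = hit
        if iface in cur.masquerade_ifaces:   # source NAT rewrites the source on egress
            src = cur.interfaces[iface].ip
        target = next_hop if next_hop is not None else dst
        nxt = next((n for n in nodes.values() if n.owns(target)), None)
        if nxt is None:                      # next hop is on no link we model
            return False, path + ["unreachable:%s" % target], str(src)
        cur = nxt
        path.append(cur.name)
    return False, path, str(src)


def build_lab(astaro_return_route, vyatta_masquerade):
    """Assumed topology: client -> Vyatta (eth2/bond0) -> Astaro (trunk1/eth2) -> ISP."""
    I, A, N = ipaddress.IPv4Interface, ipaddress.IPv4Address, ipaddress.IPv4Network
    client = Node("client", {"eth0": I("10.10.10.50/24")},
                  routes=[(N("0.0.0.0/0"), A("10.10.10.20"), "eth0")])
    vyatta = Node("Vyatta", {"bond0": I("10.0.10.2/24"), "eth2": I("10.10.10.20/24")},
                  routes=[(N("0.0.0.0/0"), A("10.0.10.1"), "bond0")],
                  masquerade_ifaces={"bond0"} if vyatta_masquerade else set())
    astaro_routes = [(N("0.0.0.0/0"), A("203.0.113.1"), "eth2")]
    if astaro_return_route:                  # the static route back to the VLAN subnet
        astaro_routes.append((N("10.10.10.0/24"), A("10.0.10.2"), "trunk1"))
    astaro = Node("Astaro", {"trunk1": I("10.0.10.1/24"), "eth2": I("203.0.113.10/24")},
                  routes=astaro_routes)
    isp = Node("ISP", {"down": I("203.0.113.1/24")})   # knows nothing about 10.x
    return {n.name: n for n in (client, vyatta, astaro, isp)}


def check_reachability(astaro_return_route, vyatta_masquerade):
    """Ping 10.0.10.1 from the client and trace the reply to whatever source the Astaro saw."""
    nodes = build_lab(astaro_return_route, vyatta_masquerade)
    fwd_ok, fwd_path, seen_src = trace(nodes, "client", CLIENT_IP, ASTARO_IP)
    rev_ok, rev_path, _ = trace(nodes, "Astaro", ASTARO_IP, seen_src)
    return {"forward": fwd_ok, "forward_path": fwd_path, "seen_src": seen_src,
            "reply": rev_ok, "reply_path": rev_path}


if __name__ == "__main__":
    for label, args in (("no return route, no NAT", (False, False)),
                        ("static route on Astaro", (True, False)),
                        ("masquerade on Vyatta bond0", (False, True))):
        print(label, check_reachability(*args))
```

In the first case the echo request arrives at the Astaro but the reply follows the Astaro's only matching route, the default toward the ISP, and is dropped there; that is the symptom of reaching 10.0.10.2 but not 10.0.10.1. Either of the other two cases closes the loop: a static route for the VLAN subnet on the Astaro, or source NAT on the Vyatta so the Astaro only ever sees 10.0.10.2 (the simulator stops at the NAT device on the way back, since it holds the translation state). NAT hides the VLAN subnet from the firewall, so if you want Astaro rules and logs to show the real client addresses, the static route is the cleaner choice.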
Asker certified solution: davewag77
