InnerloopIT

asked on

Routing 101 and VLANS

Astaro Firewall v8.3 has four network cards. Nic2 receives an IP address from the ISP via DHCP. Nic0 and Nic1 are bonded using LACP to form Trunk1. Trunk1 has an IP address of 10.0.10.1/24. Trunk1 is physically connected to the Vyatta router v.6.4 network cards Nic0 and Nic1. Nic0 and Nic1 are bonded using LACP to complete Trunk1 on the Vyatta router.

Nic2 and Nic3 on the Vyatta router form another Trunk, called Trunk2/Bond1. Trunk2/Bond1 has IP address of 10.0.10.6/24. Trunk2 is connected to a Juniper EX2000 switch (SW01), on ge-0/0/0 and ge-0/0/1 ports. Ports 0/0/22 and ge-0/0/23 on SW01 are connected to ports ge-0/0/22 and ge-0/0/23 on SW02 to form Trunk3.
I have configured both Juniper EX2000 switches with 3 identical VLAN profiles. The VLANS can communicate with each other and ping Trunk2 10.0.10.6.
Issues:
1. Clients connected to the Juniper switches cannot reach the Astaro firewall 10.0.10.1.

Questions:
1. What would my IP addresses, subnet and default gateway be for the following?
2. A connection from the Astaro box at 10.0.10.1/24 connecting to the Vyatta router: would it share the same IP address of 10.0.10.1/24 or would it be a new IP?
3. When OSPF is implemented, is the broadcast address attached to a sub-interface like a VLAN address, i.e. IP address for eth4 10.0.10.20 and OSPF 10.0.10.20.40?
Network.zip
koudry

Hello,

Could we see a simple diagram please?

I suspect you have to work from layer 1 upwards. I know nothing about security devices. But since you have VLANs and trunks, you need to reassure yourself that the trunk-to-VLAN and interface mappings are correct before you start talking about IP addresses and routing protocols.

On Cisco platforms, you can use commands such as "show vlan brief", "show interface trunk" etc.

"Show vlan brief", for example, lists VLANs and the interfaces that are in them.

"Show interface trunk" shows the list of trunks and the interfaces in them. You need the equivalent of those commands on your respective platforms to make sure both your layer 1 and 2 are working before moving to IP addressing and routing.

You also need to make sure you have applied the correct settings for LACP at both ends of your trunk.

See also http://www.astaro.org/astaro-gateway-products/management-networking-logging-reporting/32892-8-000-only-one-link-link-aggregation-cisco-port-channel-via-lacp.html


Good luck
Hi,

What are you trying to accomplish?

Which vlans do you need on which switches? A trunk carries multiple vlans. Why the two routers?

You need to give the Vyatta router an IP on the 10.0.10.1 subnet on the side facing the Astaro. You need to create a different subnet on the other side of the Vyatta router. You can create additional subnets per VLAN. You cannot have the Vyatta and Astaro sharing the same IP address.

Then you can create static routes from each VLAN to 10.0.10.1 via the Vyatta's IP on their subnet.

See attached.


I just saw your other post @ https://www.experts-exchange.com/questions/27778087/Network-Design.html and it seems these are related? Do you want to segregate out voip traffic into a vlan for qos? What about the wlan? It would be helpful to know what the end game is.
Q-27783534.jpg
InnerloopIT

ASKER

My primary aim is to learn more about networking and how to shape/separate a network’s traffic. My home network is on a flat network, all on one subnet, and I was tired of all the bottlenecking while streaming videos or transferring large blocks of data.

My first Network design post did not receive any feedback, so I broke my original project into smaller projects.
 
Your Question:  Do you want to segregate out VOIP traffic into a VLANS for QOS?
 
My Answer: Yes, I want Voice traffic to be on its own VLAN with QOS.
 
Your Question:  What about the WLAN?
 
My Answer: I am going to configure the Astaro’s VPN client once my internal network is up.
 
Current Status: I have given Nic A on the Vyatta router, facing the Astaro, an IP address of 10.0.10.2/24; Nic B on the Vyatta router, which faces Switch A, an IP address of 10.10.10.10/24; and Nic C, which faces Switch 2, an IP address of 10.10.10.20/24.
I have attached the configuration that I have in place. Clients on Switch 2, VLAN 90, can ping 10.10.10.20/24 and ping 10.0.10.2/24, but still cannot ping 10.0.10.1 or resolve outside websites. I have hardcoded my ISP's DNS on my end devices.

I have also created the following masquerade rule:

set nat source rule 10 source address 10.10.10.0/24
set nat source rule 10 outbound-interface bond0
set nat source rule 10 translation address masquerade



Thank you for taking the time out of your schedule to answer my post. Your diagram was very helpful and helped me see things more clearly.
 
I look forward to your response,
 
Matt
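The return-path reasoning in the reply above (a separate subnet behind the Vyatta, with a route back to it) and the masquerade rule in the asker's post, modelled as an added Python example; this is not code from the thread or from any of the vendors, and the client address 10.10.10.50, the ISP gateway placeholder 203.0.113.1 and the Astaro's default route toward the ISP are assumptions. It checks routing tables only, not firewall policy, so a path that exists here can still be blocked by a rule.

```python
import copy
import ipaddress

# Constructed model of the thread's topology (assumed values, not the poster's config):
# VLAN client 10.10.10.50 -> Vyatta (10.10.10.10 / 10.0.10.2) -> Astaro 10.0.10.1 -> ISP.
# Routes are (prefix, next_hop); next_hop None means directly connected.
ISP = "203.0.113.1"  # placeholder ISP gateway, not from the thread
NODES = {
    "client": {"addrs": {"10.10.10.50"},
               "routes": [("10.10.10.0/24", None), ("0.0.0.0/0", "10.10.10.10")]},
    "vyatta": {"addrs": {"10.10.10.10", "10.0.10.2"},
               "routes": [("10.10.10.0/24", None), ("10.0.10.0/24", None), ("0.0.0.0/0", "10.0.10.1")]},
    "astaro": {"addrs": {"10.0.10.1"}, "routes": [("10.0.10.0/24", None), ("0.0.0.0/0", ISP)]},
    "isp": {"addrs": {ISP}, "routes": []},  # the ISP does not route private addresses back
}

def next_hop(routes, dst):
    """Longest-prefix match; returns the next-hop IP (dst itself if connected) or None."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (best[1] or dst)

def owner(nodes, ip):
    return next((n for n, d in nodes.items() if ip in d["addrs"]), None)

def trace(nodes, start, dst):
    """Follow a packet node by node; returns the path, or None if some hop has no route."""
    path, node = [start], start
    for _ in range(8):  # hop limit guards against routing loops
        if dst in nodes[node]["addrs"]:
            return path
        node = owner(nodes, next_hop(nodes[node]["routes"], dst) or "")
        if node is None:
            return None
        path.append(node)
    return None

def round_trip(nodes, src, dst, masquerade=False):
    """Forward path from src to dst and the reply path back. With masquerade the Vyatta
    rewrites the source to its Astaro-facing address, as the poster's NAT rule does."""
    src_ip = next(iter(nodes[src]["addrs"]))
    fwd = trace(nodes, src, dst)
    if fwd is None:
        return None, None
    reply_to = "10.0.10.2" if masquerade and "vyatta" in fwd else src_ip
    return fwd, trace(nodes, owner(nodes, dst), reply_to)

def with_return_route(nodes):
    """Copy of the topology with the static route back to the VLAN subnet on the Astaro."""
    fixed = copy.deepcopy(nodes)
    fixed["astaro"]["routes"].insert(0, ("10.10.10.0/24", "10.0.10.2"))
    return fixed
```

Without either the static route or masquerade the reply leaves the Astaro toward the ISP and is dropped; with either one the reply path exists, so if the ping still fails at that point, whatever blocks it is not a missing route.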
ASKER CERTIFIED SOLUTION
davewag77