Routing 101 and VLANS

Astaro Firewall v8.3 has four network cards. Nic2 receives its IP address from the ISP via DHCP. Nic0 and Nic1 are bonded using LACP to form Trunk1. Trunk1 has an IP address of and is physically connected to the Vyatta router v6.4, network cards Nic0 and Nic1. Nic0 and Nic1 are bonded using LACP to complete Trunk1 on the Vyatta router.

Nic2 and Nic3 on the Vyatta router form another trunk, called Trunk2/Bond1. Trunk2/Bond1 has an IP address of and Trunk2 is connected to a Juniper EX2000 switch (SW01), on ports ge-0/0/0 and ge-0/0/1. Ports ge-0/0/22 and ge-0/0/23 on SW01 are connected to ports ge-0/0/22 and ge-0/0/23 on SW02 to form Trunk3.
I have configured both Juniper EX2000 switches with 3 identical VLAN profiles. The VLANs can communicate with each other and ping Trunk2.
Clients connected to the Juniper switches cannot reach the Astaro firewall.

1.      What would my IP addresses, subnet and default gateway be for the following?
2.      For a connection from the Astaro box to the Vyatta router, would it share the same IP address of or would it be a new IP?
3.      When OSPF is implemented, is the broadcast address attached to a sub-interface like a VLAN address, i.e. an IP address for eth4 and OSPF?
Could we see a simple diagram please?

I suspect you have to work from layer 1 upwards. I know nothing about security devices. But since you have VLANs and trunks, you need to reassure yourself that the trunk-to-VLAN and interface mappings are correct before you start talking about IP addresses and routing protocols.

On Cisco platforms, you can use commands such as "show vlan brief", "show interface trunk" etc.

"show vlan brief", for example, lists VLANs and the interfaces that are in them.

"show interface trunk" shows the list of trunks and the interfaces in them. You need the equivalent of those commands on your respective platforms to make sure both your layer 1 and layer 2 are working before moving to IP addressing and routing.

You also need to make sure you have applied the correct settings for LACP at both ends of your trunk.

Good luck

What are you trying to accomplish?

Which VLANs do you need on which switches? A trunk carries multiple VLANs. Why the two routers?

You need to give the Vyatta router an IP on the subnet on the side facing the Astaro. You need to create a different subnet on the other side of the Vyatta router. You can create additional subnets per VLAN. You cannot have the Vyatta and Astaro having the same IP address.

Then you can create static routes from each VLAN to via the Vyatta's IP on their subnet.

See attached.

I just saw your other post @ and it seems these are related? Do you want to segregate out VoIP traffic into a VLAN for QoS? What about the WLAN? It would be helpful to know what the end game is.
My primary aim is to learn more about networking and how to shape/separate a network’s traffic. My home network is on a flat network, all on one subnet, and I was tired of all the bottlenecking while streaming videos or transferring large blocks of data.

My first network design post did not receive any feedback, so I broke my original project into smaller projects.
Your Question: Do you want to segregate out VoIP traffic into a VLAN for QoS?
My Answer: Yes, I want voice traffic to be on its own VLAN with QoS.
Your Question: What about the WLAN?
My Answer: I am going to configure the Astaro's VPN client once my internal network is up.
Current Status: I have given Nic A on the Vyatta router, facing the Astaro, an IP address of, Nic B on the Vyatta router, which faces Switch A, an IP address of, and Nic C, which faces Switch 2, an IP address of.
I have attached the configuration that I have in place. Clients on Switch 2, VLAN 90, can ping and ping, but still cannot ping or resolve outside websites. I have hardcoded my ISP's DNS on my end devices.

I have also created the following masquerade rule:

set nat source rule 10 source address
set nat source rule 10 outbound-interface bond0
set nat source rule 10 translation address masquerade

Thank you for taking the time out of your schedule to answer my post. Your diagram was very helpful and helped me see things more clearly.
I look forward to your response,
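As an added illustration (not part of any post in this thread), a small Python model of the client-to-Internet flow and its reply through the Vyatta and the Astaro, using constructed placeholder addresses because the posts omit the real ones. It shows the two ways the reply can get back to a VLAN 90 client: either the Astaro holds a static route for the VLAN subnet via the Vyatta's Trunk1 address, or the Vyatta masquerades the traffic behind bond0 as in the rule above.

```python
import ipaddress

# Constructed placeholder addresses (the posts omit the real ones).
# Vyatta: bond0 = Trunk1 toward the Astaro; bond1 = Trunk2 toward the switches,
# with one sub-interface per VLAN (only VLAN 90 is modelled here).
VYATTA_IFACES = {
    "bond0": ipaddress.ip_interface("192.0.2.2/30"),
    "bond1.90": ipaddress.ip_interface("198.51.100.1/24"),
}
VYATTA_DEFAULT_GW = "192.0.2.1"  # the Astaro's Trunk1 address
ASTARO_IFACES = {"trunk1": ipaddress.ip_interface("192.0.2.1/30")}


def has_route(ifaces, static_routes, dst):
    """A device can forward to dst if dst is on a connected subnet or covered by a static route."""
    dst = ipaddress.ip_address(dst)
    if any(dst in i.network for i in ifaces.values()):
        return True
    return any(dst in ipaddress.ip_network(net) for net in static_routes)


def client_reaches_internet(client_ip, astaro_static_routes, masquerade_bond0):
    """Model one client -> Internet flow and the reply.

    Forward leg: client (default gateway = bond1.90) -> Vyatta -> Astaro. The Vyatta
    sends it on via its default gateway, so this leg only needs the client to sit on a
    connected VLAN subnet.
    Return leg: the Astaro must be able to route the reply to the source address it saw.
    With 'set nat source rule 10 ... outbound-interface bond0 ... masquerade' that source
    is bond0's own address (directly connected to the Astaro); without it, it is the
    client's VLAN address, which the Astaro knows only through a static route via the Vyatta.
    """
    client = ipaddress.ip_address(client_ip)
    forward_ok = has_route(VYATTA_IFACES, [], client) and has_route(
        VYATTA_IFACES, [], VYATTA_DEFAULT_GW)
    if not forward_ok:
        return False
    reply_dst = VYATTA_IFACES["bond0"].ip if masquerade_bond0 else client
    return has_route(ASTARO_IFACES, astaro_static_routes, reply_dst)


if __name__ == "__main__":
    c = "198.51.100.20"  # constructed VLAN 90 client
    print("no return route, no NAT :", client_reaches_internet(c, [], False))                 # False
    print("static route on Astaro  :", client_reaches_internet(c, ["198.51.100.0/24"], False))  # True
    print("masquerade on bond0     :", client_reaches_internet(c, [], True))                  # True
```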