VLAN Routing

Netgear Gsm7324 24port layer 3 managed g...
October 19, 2010 at 03:17:07
Specs: Windows 7
I currently have a GSM7324 Layer 3 with several GS748T layer 2.
I also have 4 different internet connections coming into the layer 3 for each department.

I am trying to set up VLANs and having some difficulties getting the VLANs to communicate with each other.

Here is how I am currently configured:

Layer 3 = 192.168.0.1
Gateway = 192.168.0.254

ALL servers are connected to a Layer 2 via port 2 on Default VLAN 1
The Internet for the servers go through 192.168.0.254 connected to port 3

I then have VLAN 2 set up as 192.168.1.1, which is set to ports 17 and 18.
The internet gateway is set to 192.168.1.254 and plugs into 17, and then I have another layer 2 connected to port 18.

Then VLAN 3 is set up as 192.168.9.1, which is set to ports 19 and 20.
The internet is on 192.168.9.254 and plugs in to 19, and then another layer 2 plugs into port 20, which has all the workstations attached to it.

My test PCs are connected to VLAN 2 and I can get the internet etc., but I cannot get access to the servers.

I have not set up any VLANs on the layer 2.

Can you please help?

Thanks

#1
October 19, 2010 at 06:49:28
How many workstations/servers are we talking here?

VLANs are hardware switches. IP is a protocol. Figure out your VLANs, then figure out your IP routing.

If VLAN 1 has the servers and VLAN 2 the workstations, they can't talk since they have no VLAN in common.
Then you have the two different subnets for each VLAN.


#2
October 19, 2010 at 07:11:58
Thanks for the response.

We are talking about 40 Servers and 200 workstations so far

However I am testing on 2 laptops with the servers.

Basically I need to try and segregate the network off into separate departments like finance, warehouse, office staff etc.
However ALL departments MUST be able to access most if not all of the servers, for various tasks.

I thought that VLANs were the way to go to resolve the issue, as I can't have every machine on 1 subnet through 1 VLAN: the network speed is slowing down rapidly and we are taking on another 50 staff at the end of the month, which would exceed the IP addresses in the subnet.


#3
October 19, 2010 at 07:40:13
VLAN'ing is likely your best solution.

However ALL departments MUST be able to access most if not all of the servers, for various tasks.

You would want the servers to all be on their own VLAN, accessible from all other VLANs. However, the other VLANs need not necessarily communicate with any other (aside from the server VLAN) unless there's a specific need. This reduces the number of static routes that must be maintained. Access to actual server resources should be controlled via user and group accounts and permissions, not via subnet/VLAN.

Might I also suggest a separate VLAN for printers.

It goes without saying each VLAN should be its own subnet.

Since VLAN 1 is the default on every managed switch I've ever worked on, I would keep it as such and use it only for network appliances (switches, routers etc.) and would make it subnet 1.

ex:
VLAN 1 = 192.168.1.0 (management VLAN)

VLAN 2 = 192.168.2.0 (servers)

VLAN 3 = 192.168.3.0 (printers)

VLAN 4 = 192.168.4.0 (finance)

etc, etc.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


#4
October 19, 2010 at 07:57:27
Thanks Curt R

I thought this was the best solution.

In my test environment I have got the Layer 3 set up on VLAN 1 as 192.168.0.1.

I have my SonicWall 192.168.0.254 also on VLAN 1 along with all the servers, as they use this gateway for internet access.

VLAN 2 is set up as 192.168.2.1 and has the workstations on it, which use a Draytek Vigor set to 192.168.2.254 as this is the office internet access.
VLAN 3 is 192.168.9.1 and has a SonicWall with a separate internet connection, 192.168.9.254.

I have plugged in to VLAN 2 and cannot seem to ping or access any of the servers on VLAN 1, and I cannot get any responses from VLAN 4 machines either.

The routing in the Layer 3 is all set up to have the next hop as 192.168.x.1, and the default gateway on the machines is 192.168.x.1.

I will try this evening to move the servers onto their own VLAN, make VLAN 1 192.168.1.1 and create a new VLAN for the servers on 192.168.0.1.

However, is there something else I am missing which is stopping me from talking to the servers?

Thanks


#5
October 19, 2010 at 08:06:20
"It goes without saying each VLAN should be it's own subnet."

This prevalent idea is based on a misapplication of Cisco training imho.

There is a point where, to reduce IP broadcast domains, you additionally subnet with VLANs. The amount of devices is within a class C subnet and as such does not need to be subnetted. The VLANs alone will minimize the broadcast domains.

This application of the macro to the micro, what you do with class A and B IP networks applied to a class C network, accomplishes nothing except complicate the situation. What VLANs and IP subnetting address does not exist with 254 hosts.

Just my 2 cents.


#6
October 19, 2010 at 09:54:42
I won't disagree with you, wanderer. But I've found (at least around here) there are very few times it's necessary to subnet within a VLAN. Not that I'm averse to doing so; we can and we have.

We have one situation here where I work where subnetting within a VLAN was preferable. Our video conference VLAN is a supernet with 4 separate networks (one per major location) and all are within the same subnet.

Other than that though, we pretty much use up an entire VLAN/subnet before bringing another into play so we tend to go with a one VLAN = one Subnet configuration.


mfox:
As I advised you earlier, if you're going with a one subnet per VLAN scenario, you will want your subnet to match your VLAN tag. It makes things a lot simpler.

Ultimately, you have to go with whatever setup works best for you but I'd keep my management VLAN separate from all others.

I have plugged in to VLAN 2 and cannot seem to ping or access any of the servers on VLAN 1, and I cannot get any responses from VLAN 4 machines either.

Again, separate your servers from your management VLAN and leave the management VLAN to network appliances only.

As per my example above, VLAN 2 would be your servers. At layer 3 you would need to establish routes from the other subnets to the server subnet to allow users to access the servers.

ex:

192.168.3.0/24 access to 192.168.2.0/24
(VLAN 3 <<>> VLAN 2)

192.168.4.0/24 access to 192.168.2.0/24
(VLAN 4 <<>> VLAN 2)

and so on.

Once you have your routes set up correctly, communication between the other VLANs and the servers will work.

I would concentrate on getting one subnet to communicate properly with the server subnet and then it's simple enough to do the rest of your routes using the working one as your example.

However, is there something else I am missing which is stopping me from talking to the servers?

Show us your VLAN setup as per my example above and then show me your routing table with all static routes and we'll have a look and see if we can't figure out what's going on.

Also, I'd like an idea of your physical setup: what plugs into what and how your trunk ports are set up, including the VLANs on them.


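The routing advice above (each department subnet needs a route to the server subnet, and a route back) is easy to get half right: the layer 3 switch can reach the servers, but the servers' replies go to their own gateway, which may know nothing about the department VLANs. The following added example (not code from the thread or from Netgear) models a small version of Curt's plan and traces a packet in both directions; the router names, addresses and hosts are constructed for the illustration.

```python
import ipaddress
# Constructed topology (added example, not from the thread): an L3 switch with an interface
# in every VLAN, plus the server VLAN's firewall, which only knows its own VLAN and the ISP.
ROUTERS = {
    "l3switch": {"ifaces": ["192.168.1.1/24", "192.168.2.1/24", "192.168.4.1/24"],
                 "routes": [("0.0.0.0/0", "192.168.2.254")]},
    "fw-servers": {"ifaces": ["192.168.2.254/24", "198.51.100.2/30"],
                   "routes": [("0.0.0.0/0", "198.51.100.1")]},
}
HOSTS = {  # host -> (address/prefix, default gateway)
    "fileserver": ("192.168.2.10/24", "192.168.2.254"),  # VLAN 2, gateway is the firewall
    "finance-pc": ("192.168.4.20/24", "192.168.4.1"),    # VLAN 4, gateway is the L3 switch
}

def owner(addr):
    """Router owning this interface address, or None if it lies outside the model (the ISP)."""
    for name, r in ROUTERS.items():
        if any(str(ipaddress.ip_interface(i).ip) == addr for i in r["ifaces"]):
            return name
    return None

def forward(router, dst):
    """One routing decision: 'connected' if dst is on an attached subnet, else the next hop
    picked by longest prefix match, or None when nothing matches (packet dropped)."""
    if any(dst in ipaddress.ip_interface(i).network for i in ROUTERS[router]["ifaces"]):
        return "connected"
    hits = [r for r in ROUTERS[router]["routes"] if dst in ipaddress.ip_network(r[0])]
    best = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
    return best[1] if best else None

def trace(src, dst):
    """Hop-by-hop path from host src to host dst, ending in 'delivered' or 'dropped'."""
    src_if, hop = HOSTS[src]
    dst_ip = ipaddress.ip_interface(HOSTS[dst][0]).ip
    path = [src]
    if dst_ip in ipaddress.ip_interface(src_if).network:
        return path + ["delivered"]  # same VLAN: no router involved
    for _ in range(8):  # bound the walk in case of a routing loop
        router = owner(hop)
        if router is None:  # handed to the ISP: lost as far as the LAN is concerned
            return path + ["dropped"]
        path.append(router)
        nxt = forward(router, dst_ip)
        if nxt in ("connected", None):
            return path + ["delivered" if nxt else "dropped"]
        hop = nxt
    return path + ["dropped"]

def both_ways(a, b):
    return trace(a, b)[-1] == "delivered" and trace(b, a)[-1] == "delivered"  # request and reply
```

As built, `finance-pc` reaches `fileserver` through the L3 switch, but the reply dies at the firewall; appending `("192.168.4.0/24", "192.168.2.1")` to the firewall's routes (or pointing the servers' default gateway at the L3 switch) makes `both_ways` true.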

#7
October 20, 2010 at 03:51:19
Thanks Curt

I shall have a go this evening and put in place the VLANs as you have advised; once in place I will send you a network map and the routing table details.

Again thanks for all your help.


#8
October 21, 2010 at 09:16:29
Hi Curt

Just would like to say thanks for all your help.
I have successfully created the VLANs with routing and all VLANs can now talk to the servers.

Thanks again for the help


#9
March 13, 2011 at 07:38:44
Hi Curt, I have a Cisco 3560 L3 switch. What I have done is set up VLAN 1 and VLAN 10; on port 48 I have connected the cable coming from the firewall. Inter-VLAN routing is working fine, and I created a route on the firewall so users on VLAN 10 can access the internet. Now my problem is that on VLAN 1 I have servers, and to access those servers I have to add static routes; only then am I able to see them from VLAN 10.

vlan 1:- 10.10.10.254 GW 10.10.10.1
vlan 10:- 172.16.16.1

The route created on the firewall is destination 172.16.16.0/24, next hop value 10.10.10.254.

If I don't add the static route on the servers I can only ping them; to be able to access them I had to add the following route: route add -p 172.16.16.0/24 mask 255.255.255.0 10.10.10.254. My problem is we have an Exchange server and we are unable to access it, as it is not a physical server; it is all virtualized.
