Ethernet Switches & Routers

New Contributor
Posts: 3
Registered: ‎03-06-2017

FastIron 9604 PREM layer 3 switch config help

Hello All,

 

I am trying to configure and figure out why the switch is not doing inter-VLAN communication between the VLANs I just set up.

As we are moving to a new office pretty soon, I want to do as much pre-move configuration as possible to minimize the time on-site doing the setup.

 

Here is the setup I want to have:

Firewall (172.16.1.1)

      |

FastIron (172.16.1.3)

      |   (use VLAN to segment out voip and workstation traffic)

Other devices (voip desk phones and laptops/workstations) 

 

Here is 'show run' from the switch.

 

--
Current configuration:
!
ver 04.1.01dTc3
!
!
!
trunk switch ethe 99 to 100
!
vlan 1 name DEFAULT-VLAN by port
router-interface ve 1
!
vlan 10 name general by port
tagged ethe 1
untagged ethe 2 to 48 ethe 97 to 98
router-interface ve 10
!
vlan 20 name phone by port
tagged ethe 1
untagged ethe 49 to 96
router-interface ve 20
!
vlan 30 name mgmt by port
tagged ethe 1
router-interface ve 30
!
!
!
!
dot1x-enable
enable all
!
aaa authentication web-server default local
aaa authentication login default local
enable super-user-password .....
hostname FASTIRONswitch
ip default-network 172.16.1.1/24
ip default-network 172.16.10.1/24
ip default-network 172.16.20.1/24
ip default-network 172.16.30.1/24
ip directed-broadcast
ip show-subnet-length
ip forward-protocol udp bootpc
ip route 0.0.0.0 0.0.0.0 172.16.1.2
ip route 172.16.10.0/24 172.16.1.2
ip route 172.16.20.0/24 172.16.1.2
ip route 172.16.30.0/24 172.16.1.2
!
ip router-id 172.16.1.5
username root password .....
username admin password .....
password-change any
web-management enable vlan 10
router ospf
area 0
!
interface loopback 1
ip address 172.16.1.5/32
!
interface ethernet 1
sflow-forwarding
sflow sample 128
!
interface ethernet 2
sflow-forwarding
sflow sample 128
!
interface ethernet 3
sflow-forwarding
sflow sample 128
!
!   (physical port output omitted)

!
interface ethernet 94
sflow-forwarding
sflow sample 128
!
interface ethernet 95
sflow-forwarding
sflow sample 128
!
interface ethernet 96
sflow-forwarding
sflow sample 128
!
interface ve 1
ip directed-broadcast
!
interface ve 10
ip address 172.16.10.1/24
ip directed-broadcast
ip helper-address 10 172.16.1.2
ip ospf area 0
ip ospf passive
!
interface ve 20
ip address 172.16.20.1/24
ip directed-broadcast
ip helper-address 10 172.16.1.2
ip ospf area 0
!
interface ve 30
ip address 172.16.30.1/24
ip directed-broadcast
ip helper-address 10 172.16.1.2
ip ospf area 0
!
!
!
!
!
!
!
!
!
end

--

The firewall will also serve as dhcp server as well. 

 

VLAN 10 will be the general-use VLAN, VLAN 20 will be for phones specifically. Lastly, VLAN 30 I would wish to make the management VLAN.

 

So far, when I set a Windows laptop with a static IP and gateway of 10.1 or 20.1 or 30.1, it pings out to its gateway, but I can't ping from a 10.x IP to 20.1 or anything outside of that gateway.

 

I am thinking I didn't set up the routing part of the switch, but I might be wrong.
Does anybody have any input on this that I can try?

 

Thanks!

 

 

 

Frequent Contributor
Posts: 98
Registered: ‎07-12-2011

Re: FastIron 9604 PREM layer 3 switch config help

In your static routes you are telling your locally routed subnets to talk to something else to get to the local subnets. Remove those 3 and see if things don't clear up to talk to each other.

 

ip route 0.0.0.0 0.0.0.0 172.16.1.2
ip route 172.16.10.0/24 172.16.1.2
ip route 172.16.20.0/24 172.16.1.2
ip route 172.16.30.0/24 172.16.1.2

 

To get rid of these, do the following:

 

config terminal

no ip route 172.16.10.0/24 172.16.1.2
no ip route 172.16.20.0/24 172.16.1.2
no ip route 172.16.30.0/24 172.16.1.2

 

What is 172.16.1.2 on your network? Why are you using it as your default route?

 

The next step is talking to the firewall. Are you connecting your firewall directly to this switch? If so, you'll need a port in the same subnet as the firewall and with the IP that you mentioned of 172.16.1.3/24. Give us more info on that and we can help.

 

I would suggest avoiding using VLAN 1 for this, but that is a design decision.

 

Create a new VLAN as follows if the firewall is plugged directly into the switch as an untagged or access port:

 

vlan 40 name Firewall by port

untag ethe {insert port here}

router-interface ve 40

 

interface ve 40
ip address 172.16.1.3/24
ip directed-broadcast
ip ospf area 0
ip ospf passive

 

 

If the firewall is on an upstream router or switch then you need to know what VLAN it is in, create that VLAN as a tagged interface and then create the VE the same way.
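The two problems this reply identifies (static routes for subnets the switch already has a VE in, and a default-route next hop that sits in no connected subnet, which is also why the later explanation of the default route only works once a VE exists in the firewall's subnet) can be checked mechanically from a saved 'show run'. The script below is an added example, not code from this thread or from Brocade; it parses a constructed, trimmed configuration in the same shape as the one posted, flags both conditions, and then shows that the corrected configuration (the three routes removed and a ve 40 in 172.16.1.0/24 added, as suggested) lints clean. The config parsing only understands the 'interface', 'ip address' and 'ip route' lines and is an assumption about the CLI syntax shown on this page, not a complete FastIron parser.

```python
import ipaddress
import re

# Constructed sample in the shape of the 'show run' posted above, trimmed to
# the lines that matter for routing (not the poster's full configuration).
BROKEN_CONFIG = """\
vlan 10 name general by port
router-interface ve 10
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
ip route 172.16.10.0/24 172.16.1.2
ip route 172.16.20.0/24 172.16.1.2
ip route 172.16.30.0/24 172.16.1.2
!
interface loopback 1
ip address 172.16.1.5/32
!
interface ve 1
ip directed-broadcast
!
interface ve 10
ip address 172.16.10.1/24
ip helper-address 10 172.16.1.2
!
interface ve 20
ip address 172.16.20.1/24
!
interface ve 30
ip address 172.16.30.1/24
!
end
"""

# Constructed: the same box after the reply's advice (three static routes
# removed, firewall VLAN 40 with ve 40 placed in the firewall's subnet).
FIXED_CONFIG = """\
vlan 40 name Firewall by port
untagged ethe 1
router-interface ve 40
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
interface ve 10
ip address 172.16.10.1/24
!
interface ve 20
ip address 172.16.20.1/24
!
interface ve 30
ip address 172.16.30.1/24
!
interface ve 40
ip address 172.16.1.3/24
!
end
"""

IFACE_RE = re.compile(r"^interface (\S+ \S+)$")
ADDR_RE = re.compile(r"^ip address (\S+)$")
# Either 'ip route <prefix>/<len> <nexthop>' or 'ip route <dest> <mask> <nexthop>'.
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+)(?: (\S+))?$")


def parse_config(text):
    """Return (connected, routes).

    connected: {interface name: [IPv4Interface, ...]} from 'ip address' lines
    routes:    [(IPv4Network, IPv4Address), ...] from 'ip route' lines
    """
    connected, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None  # '!' ends the current block in this CLI
            continue
        if m := IFACE_RE.match(line):
            current = m.group(1)
            connected.setdefault(current, [])
        elif (m := ADDR_RE.match(line)) and current is not None:
            connected[current].append(ipaddress.ip_interface(m.group(1)))
        elif m := ROUTE_RE.match(line):
            dest, second, third = m.groups()
            if third is None:
                net = ipaddress.ip_network(dest, strict=False)
                nexthop = ipaddress.ip_address(second)
            else:
                net = ipaddress.ip_network(f"{dest}/{second}", strict=False)
                nexthop = ipaddress.ip_address(third)
            routes.append((net, nexthop))
    return connected, routes


def lint_routes(connected, routes):
    """Flag static routes that fight with directly connected subnets.

    CONNECTED_OVERRIDE: the route prefix equals a subnet this box has an
        interface in, so traffic it should route locally is handed off-box.
    NEXTHOP_UNREACHABLE: the next hop lies in no connected subnet, so the
        route can never be used (above, ve 1 has no address at all).
    """
    subnets = [(name, a.network) for name, addrs in connected.items() for a in addrs]
    findings = []
    for net, nexthop in routes:
        for name, subnet in subnets:
            if net == subnet:
                findings.append(("CONNECTED_OVERRIDE", str(net), str(nexthop), name))
        if not any(nexthop in subnet for _, subnet in subnets):
            findings.append(("NEXTHOP_UNREACHABLE", str(net), str(nexthop), None))
    return findings


def lint_config(text):
    return lint_routes(*parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for kind, net, nh, iface in findings:
            where = f" (connected on {iface})" if iface else ""
            print(f"  {kind}: {net} via {nh}{where}")
```

Running it prints seven findings for the broken configuration (three CONNECTED_OVERRIDE, one per extra static route, and NEXTHOP_UNREACHABLE for all four routes, because 172.16.1.2 is in no subnet the switch has an address in) and none for the fixed one, where only the default route remains and ve 40 makes its next hop reachable.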

 

New Contributor
Posts: 3
Registered: ‎03-06-2017

Re: FastIron 9604 PREM layer 3 switch config help


Hello,

 

Thank you very much for the reply. 

 

I am using 172.16.1.2 as the default route because, at the end of the day after we move to the different office, our firewall (SonicWall) will have the IP 172.16.1.2 (or something else in that sense; it can also be changed).

 

The firewall is currently in service. I'd have to re-configure the firewall later; however, I am doing this work so I don't have to spend much time dealing with the switch to make the network live when we move to the new office.

 

I am totally in for not using VLAN 1. I love going with VLAN 40.

So, say I connect the firewall to ethe 1 on the switch and do the VLAN setup; at the end of the day, will it be able to route voice (VLAN 20) and data (VLAN 10) to the firewall and out to the internet?

 

Also, on the new ve 40, would I need to add a helper address so the firewall (with DHCP) can give out the addresses?

 

 

Thanks!

Frequent Contributor
Posts: 98
Registered: ‎07-12-2011

Re: FastIron 9604 PREM layer 3 switch config help

Your FastIron box is doing the routing for the subnets, you don't need to get them to the firewall the way you are thinking.

 

Basically, your router will have a default route as follows: ip route 0.0.0.0 0.0.0.0 172.16.1.2. This tells the router that for everything it doesn't know about, go to the firewall.

 

You only need an IP helper for subnets that you actually want to use DHCP on; if you don't need DHCP for the firewall subnet, then there is no reason to place an IP helper there.

 

You are also going to have to configure the firewall to route internally to your Brocade switch by configuring routes pointing to your router (172.16.1.3 based on what you have here). You will also have to have some sort of Network Address Translation (NAT) for your outgoing traffic on the firewall itself.

New Contributor
Posts: 3
Registered: ‎03-06-2017

Re: FastIron 9604 PREM layer 3 switch config help


Thank you John.liehr for the reply.

 

I think it clarifies a bit now. 

 

One part that I am still confused and curious about is (I may be completely wrong and thinking of it the other way):

 

I was thinking, if I plug 2 different computers into VLAN 10 and VLAN 20, and set a random static IP on each computer with 172.16.10.1 and 172.16.20.1 as the default gateway tentatively, they should ping each other.

Instead of a ping reply, I get a destination not found message when I ping from computer A (in VLAN 10) to computer B (in VLAN 20). Is this happening because I don't have the firewall yet?

If the routing is correctly done, the ping should go through, shouldn't it?

 

 
