Quanta LB6M (10GbE) -- Discussion


josh

Active Member
Oct 21, 2013
I followed every step in that post. I've used the console port to set up more than the management IP. I've set up VLANs and interVLAN routing. The IP on #show network is static. Does it matter that 192.168.1.1 (gateway IP) is the address of another router which serves as a gateway to the internet and also runs a DHCP server?

Also, if I connect machines to a VLAN with an IP address set, does it mean that this IP serves as the IP to the switch and can be used for SSH as well?
 

josh

Active Member
Oct 21, 2013
Yeah, I think having the same IP for your switch as another router on the same subnet/network might cause problems. I mean, if you wanna log into your router, will it say "cannot connect" as it is seeing the IP for the switch and not the router? Remember, the switch doesn't have an HTTP/GUI server as yet (looking at you, Sorin) so it depends on what may come up when you type in your default gateway address.
I don't think you're getting my setup. The gateway router is set to 192.168.1.1 while the LB6M is set to 192.168.1.254. They just share the same subnet. I'm getting "request timed out" when I ping the LB6M but the IP 192.168.1.254 shows up in the ARP.

Posting this again from earlier:

#show network

Interface Status............................... Up
IP Address..................................... 192.168.1.254
Subnet Mask.................................... 255.255.255.0
Default Gateway................................ 192.168.1.1
Burned In MAC Address.......................... X:X:X:X:1B:47
Locally Administered MAC address............... 00:00:00:00:00:00
MAC Address Type............................... Burned In
Configured IPv4 Protocol....................... None
Management VLAN ID............................. 1
 

josh

Active Member
Oct 21, 2013
I've already tried that. It doesn't work. I can't even ping the gateway from the switch.
 

josh

Active Member
Oct 21, 2013
Also, of note, if you have jumbo frames enabled on your PC and not on the switch, you will not be able to ping anything. I found that out the hard way, my friend. The switch has to have the interfaces/ports enabled to pass through jumbo frames, as they aren't enabled by default. It wasn't until I discovered this that I was able to ping the switch from my PC, after turning jumbo frames off on my network adapter. I then got the commands to enable jumbo frames on the switch from the guys in the thread here. Once enabled, I then turned jumbo frames back on on my PC and then it worked. I included this info in my post as well.
I have jumbo frames on my switch but not on my PC. That shouldn't be a problem right?
 

josh

Active Member
Oct 21, 2013
After going back and reading through the thread, I realized that I missed something. You can actually ssh into the switch through the management ports if you set a static ip address. This is done by setting the serviceport ip address. (Big thanks to djflow195)

So, login, then type "enable"

then type: serviceport protocol none
then type: serviceport ip (your static ip you wanna set) (your subnet mask) (your default gateway ip address)

Example: serviceport ip 192.168.1.10 255.255.255.0 192.168.1.1

Type: write memory, then press Y.

Then you should be able to ssh into the switch using the management ports.
YES. This is exactly what I'm looking for. Thanks! This works for MGNT1 but what is MGNT2 called?
 

josh

Active Member
Oct 21, 2013
Also, is there a similar command for the Cisco "no switchport" command? Trying to configure 0/28 with an uplink to the internet router. The manual has a whole plethora of "switchport xxx" commands which don't seem to be what I'm looking for. "The no switchport command makes the interface Layer 3 capable. The IP address is in the same subnet as the default router."

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#no switchport
Switch(config-if)#ip address 200.1.1.1 255.255.255.0
Switch(config-if)#no shutdown
 

Toby

New Member
May 6, 2016
Also, is there a similar command for the Cisco "no switchport" command? Trying to configure 0/28 with an uplink to the internet router. The manual has a whole plethora of "switchport xxx" commands which don't seem to be what I'm looking for. "The no switchport command makes the interface Layer 3 capable. The IP address is in the same subnet as the default router."

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#no switchport
Switch(config-if)#ip address 200.1.1.1 255.255.255.0
Switch(config-if)#no shutdown
I think what you're looking for is "Port Routing" instead of "VLAN routing".

Here is some info from a manual I downloaded at some point. I tested it and my LB6M does support this "routing" command on the interface.

Code:
Use the following commands to enable routing for ports on the switch. The default link-level encapsulation format is Ethernet. Configure the IP addresses and subnet masks for the ports. Network directed broadcast frames are dropped and the maximum transmission unit (MTU) size is 1500 bytes.
Please note: setting up port-based routing is not possible on all Kontron products, e.g. the CP6923 does not provide this feature, and routing must be configured based on VLANs instead.
(Ethernet Fabric) #config
(Ethernet Fabric) (Config) #interface 0/2
(Ethernet Fabric) (Config) (Interface 0/2) #routing
(Ethernet Fabric) (Config) (Interface 0/2) #ip address 192.150.2.2 255.255.255.0
(Ethernet Fabric) (Config) (Interface 0/2) #exit
(Ethernet Fabric) (Config) #exit
(Ethernet Fabric) #config
(Ethernet Fabric) (Config) #interface 0/3
(Ethernet Fabric) (Config) (Interface 0/3) #routing
(Ethernet Fabric) (Config) (Interface 0/3) #ip address 192.130.3.1 255.255.255.0
(Ethernet Fabric) (Config) (Interface 0/3) #exit
(Ethernet Fabric) (Config) #exit
(Ethernet Fabric) #config
(Ethernet Fabric) (Config) #interface 0/5
(Ethernet Fabric) (Config) (Interface 0/5) #routing
(Ethernet Fabric) (Config) (Interface 0/5) #ip address 192.64.4.1 255.255.255.0
(Ethernet Fabric) (Config) (Interface 0/5) #exit
(Ethernet Fabric) (Config) #exit
I don't think the switch actually does layer 3. The firmware shows dregs of it because it is a firmware that was written to match other Quanta products, I believe. I am not too positive on this though. Last I heard, I don't think the LB6M can do Layer 3. It would be nice to have though.
Of course it does "Layer 3". It supports VLANs and routing of those VLANs. So yes, that is layer 3. It does IPv4 routing, but no IPv6. That's the only piece I really am missing that I need.

Oh and Slyek, I can't help you with any more information on LACP than I already gave everyone in the post I made. I posted exact snips from my config. That's about the best I can explain it.
 

keoki

New Member
Jun 2, 2016
I generally prefer VLAN routing, as it gives me the ability to have more flexibility and control over the network ports. It gives you a one size fits all configuration, so a single layer 3 point to point port has the same general configuration as ports you use for a multi-port vlan, and lets you move the physical port of a layer 3 ptp connection to another switch in your stack... But then I have operated a number of networks where you have arbitrarily large numbers of switches, and lots of redundancy, but once I became comfortable with vlan routing, I configure all of my networks this way, even at home. This is really handy when you have failover ports from an offsite location that are configured for separate building entry, and you have your core switches spread across the physical space. When a big disaster strikes a facility and takes down a couple of aisles, it is handy to have your redundant core gear spread across some distance, so hopefully half of it remains up. But the bottom line is that a port is a port on the outside, so picking one over the other doesn't affect the physical wiring, it is more of a choice on picking flexibility over hard configuring a single port. I suppose there could be some advantage to port based routing as well, for example if you have a failover event, and you need a port to go down to trigger failover because of some feature your failover requires... But the best examples of that I can think of are not ethernet protocols, so it is more of a guess than a real example.

I like to have all of my layer three configurations consistent, and sometimes a new application comes along that requires a second vlan on a port. For example I have some access equipment that I support, and the proprietary SFP's are $2500 each. So rather than spend $5000 to have a trunk AND a management interface, I spend $2500 for a single port, and configure trunking for the access paths, and set the port-native access vlan to the management vlan.

I say all of this from many years experience running Cisco based networks where I use trunks everywhere I might have more than one logical network path, and the physical speed is much greater than the speed of the normal traffic. I just got my LB6M today, and I have not yet had a chance to dive into this aspect of configuration yet, so I could easily change my mind.

I didn't always prefer VLAN routing over port routing. But that was only because I started out with port based routing before the vlan standards were developed, so port layer 3, and port bridging was pretty much all I knew back then. The first time I stepped into a really large environment, the advantages of keeping all of the layer 3 on VLANS seemed elegant to me, and it is simply how it is done in many environments for many reasons. You CAN mix the techniques, but anytime you mix configuration techniques, you increase debug time, and create complexity.

I saw one blog from someone that works for a company that writes network monitoring systems, and he went on and on about how his network has no vlans, and never will have a vlan, and how vlans make things harder to debug, harder to understand, and in his 20 years of experience he never found a use for a vlan. The blog comments were divided with lesser experienced people thanking him for his words of wisdom, and enterprise network experts that could rattle-off endless reasons vlans were important and made things easier to debug. The point here is that once you learn how to use vlans for everything in your switch gear, AND layer 3 devices, you should find that configurations can scale much easier, and many network configuration design changes can be made from your desk without moving a lot of wires constantly, so your patch bays stay cleaner, and your knowledge of how the network goes together is easier to document and support.

And a final reason is it allows you to entertain self-configuring designs. The hospital network I ran had ports that configured themselves after you plugged into the port. So any ethernet port anywhere was set up for anyone to use it. The port joined the vlan appropriate for your machine, and if you had no business in the port, or were a guest, you were handed off to a captive portal vlan. It does not get more elegant than that. And if you have thousands of switches, tens of thousands of ports, and rigid configuration change management procedures, elegant solutions are a godsend.

Yes, learning the ways vlans can be used is some work, and may seem like overkill for just one switch at home. But it is easy (once you learn it), scalable, flexible, and can make the difference between a network admin earning $44k per year, and being a network expert making $150k.

I'm sorry if I come off a bit opinionated. I /am/ very opinionated. But I have also been building networks for some 30 years, some really large, and some really small. Vlans don't make sense everywhere, but they are used in surprising places. Millions of people have them in their homes, as many ISPs use them to split Internet, voice, multicast video and management networks.

Sleyk, this is what comes out when I scream like a gorilla... ;)
 

josh

Active Member
Oct 21, 2013
Glad we got a breakthrough there for ya! I think mgmt port 2 is for failover/insurance in case mgmt port 1 goes down. Test to see if you can log in with the IP address you set on mgmt port 1. If it doesn't work, then you may need to set the IP for mgmt port 2. Perhaps serviceport 2?
Tried that. Didn't work. Does not pick up the IP set under serviceport.

Does setting an IP + routing for an individual port mean that all traffic over that subnet will be routed through that port itself? I've done this on the port I want to use (0/28) as well as set the frames to untagged and I'm just wondering if there's anything else I need to do to let the switch know that I don't want it to be a trunk port and I just want it to forward all external traffic through this port. I've also set a default gateway as the gateway on my (0/28) subnet but it doesn't show up under #route.

Oh, is there a way to set a port as a trunk for all VLANs instead of adding each individual VLAN to the port? There's no switchport mode trunk command.
 

Caleb

Member
Nov 16, 2015
I followed every step in that post. I've used the console port to set up more than the management IP. I've set up VLANs and interVLAN routing. The IP on #show network is static. Does it matter that 192.168.1.1 (gateway IP) is the address of another router which serves as a gateway to the internet and also runs a DHCP server?

Also, if I connect machines to a VLAN with an IP address set, does it mean that this IP serves as the IP to the switch and can be used for SSH as well?
From my rudimentary understanding of networking, I believe your gateway IP should indeed be the IP of your edge router.
 

josh

Active Member
Oct 21, 2013
What we did a long time ago was to make sure that all vlans were trunked to a different switch to make sure that the VLAN was active for L3 to work properly.
What is the command for turning a port into a trunking port?
 

josh

Active Member
Oct 21, 2013
Any VLAN experts able to troubleshoot what's wrong with my config? I'm trying to get the default VLAN to carry traffic from 192.168.2.0/24 and VLAN 500 to carry traffic for 192.168.5.0/24.

Code:
#show ip vlan

MAC Address used by Routing VLANs:   X:X:X:X:1B:4A

           Logical
VLAN ID   Interface        IP Address       Subnet Mask
-------  --------------  ---------------  ---------------
1        2/1             192.168.2.1      255.255.255.0
500      2/2             192.168.5.1      255.255.255.0
Both VLANs have an IP on their VLAN interfaces which should function as a gateway. ip routing is enabled and should carry public traffic through port 0/28 which has been configured with a public address.

Code:
#show ip route

Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
       B - BGP Derived, IA - OSPF Inter Area
       E1 - OSPF External Type 1, E2 - OSPF External Type 2
       N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2

S      0.0.0.0/0 [1/0] via x.x.x.1,   01h:17m:02s,  0/28
C      x.x.x.0/24 [0/1] directly connected,   0/28
Ports 0/1-0/27 participate in the VLANs. (Why does it show current as Exclude whilst configured as Include)?

Code:
#show vlan 1
VLAN ID: 1
VLAN Name: default
VLAN Type: Default

Interface   Current   Configured   Tagging
----------  --------  -----------  --------
0/1         Exclude   Include      Untagged
0/2         Exclude   Include      Untagged
0/3         Exclude   Include      Untagged
0/4         Exclude   Include      Untagged
0/5         Exclude   Include      Untagged
0/6         Exclude   Include      Untagged
0/7         Exclude   Include      Untagged
0/8         Exclude   Include      Untagged
... all the way to 0/27

Code:
#show vlan 500

VLAN ID: 500
VLAN Name: VLAN0500
VLAN Type: Static

Interface   Current   Configured   Tagging
----------  --------  -----------  --------
0/1         Exclude   Include      Tagged
0/2         Exclude   Include      Tagged
0/3         Exclude   Include      Tagged
0/4         Exclude   Include      Tagged
0/5         Exclude   Include      Tagged
0/6         Exclude   Include      Tagged
0/7         Exclude   Include      Tagged
0/8         Exclude   Include      Tagged
... all the way to 0/27
The default VLAN interface seems down even though no shutdown has been set.

Code:
#show ip interface 2/1

Routing Interface Status....................... Down
Primary IP Address............................. 192.168.2.1/255.255.255.0
Method......................................... Manual
Routing Mode................................... Enable
Administrative Mode............................ Enable
Forward Net Directed Broadcasts................ Disable
Proxy ARP...................................... Enable
Local Proxy ARP................................ Disable
Active State................................... Inactive
Link Speed Data Rate........................... 10 Half
MAC address.................................... X:X:X:X:1B:4A
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500
Bandwidth...................................... 10000 kbps
Destination Unreachables....................... Enabled
ICMP Redirects................................. Enabled
But there are active ports that are participating in the VLANs.

Code:
#show port all
                  Admin    Physical   Physical   Link   Link    LACP   Actor
Intf      Type   Mode     Mode       Status     Status Trap    Mode   Timeout
--------- ------ --------- ---------- ---------- ------ ------- ------ --------
0/1              Enable    10G Full   10G Full   Up     Enable  Enable long
0/2              Enable    10G Full              Down   Enable  Enable long
0/3              Enable    10G Full              Down   Enable  Enable long
0/4              Enable    10G Full              Down   Enable  Enable long
0/5              Enable    10G Full              Down   Enable  Enable long
0/6              Enable    10G Full              Down   Enable  Enable long
0/7              Enable    10G Full   10G Full   Up     Enable  Enable long
0/8              Enable    10G Full   10G Full   Up     Enable  Enable long
... all the way to 0/27
2/1              Enable    10 Half               Down   Enable  Enable N/A
2/2              Enable    10 Half               Down   Enable  Enable N/A
Please help, this is extremely frustrating.

Thanks!
 

josh

Active Member
Oct 21, 2013
On the LVL7-derived operating systems? "switchport mode trunk". You may also want "switchport general acceptable-frame-type tagged-only".
Tried that. Doesn't exist.

Code:
(Interface 0/1)#switchport ?

protected                Configure Switchport to Protected mode.
 

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
Tried that. Doesn't exist.
Sorry. I don't have a LB6M - I have a Powerconnect 8024 in service which uses the same Broadcom OS (formerly LVL7) but comes default with all of the features enabled. It looks like the LB6M comes with some features disabled, but not necessarily the same features for each purchaser.
 

josh

Active Member
Oct 21, 2013
Alright, seems like I managed to make it work for now. It appears that the PVID was set to a non-default VLAN. Setting it back seems to have brought up all the VLANs, which is pretty interesting. I'm still not getting interVLAN routing to work though.

x.x.x is a public routable subnet. I am able to ping x.x.x.1 (internet gateway) from the switch. However, I'm unable to ping this gateway from a machine on the default VLAN (192.168.2.x). According to the routing table, the packet should travel - 192.168.2.x -> 192.168.2.1 -> port 0/28 -> x.x.x.1 -> internet. However, it just seems to stall at the IP on port 0/28. Am I missing something from the routing table? routing is enabled on all VLANs and so is ip routing.

Edit: Seems like I'm missing a route from 192.168.2.0/24 to the port 0/28 ip (x.x.x.150). Problem is, I can't seem to add such a route.

Code:
#ip route 192.168.2.0 255.255.255.0 x.x.x.150

The specified Static Route Next Hop Router Address is invalid.
Code:
#show ip route

Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
       B - BGP Derived, IA - OSPF Inter Area
       E1 - OSPF External Type 1, E2 - OSPF External Type 2
       N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2

S      0.0.0.0/0 [1/0] via x.x.x.1,   00h:45m:29s,  0/28
C      x.x.x.0/24 [0/1] directly connected,   0/28
C      192.168.2.0/24 [0/1] directly connected,   2/1
C      192.168.5.0/24 [0/1] directly connected,   2/2

keoki

New Member
Jun 2, 2016
Josh, are you using NAT anywhere? I don't see any NAT statements. I don't have my LB6M running yet, so I don't know if it even supports NAT.

Regardless of that, for your public IP'd machine to return ping packets to your private subnets, either you have to be using "overload" NAT on the LB6M's public IP, or the public next hop machine must have routes for all of your private networks, pointed at the LB6M's public IP.

/------------------------------LB6M----------------------\
private network 1 192.168.0.0/24 with .1 on VLAN1
private network 2 192.168.1.0/24 with .1 on VLAN2
Private network 3 192.168.2.0/24 with .1 on VLAN3
Private network 4 192.168.3.0/24 with .1 on VLAN4
Public network 100.100.100.0/24 with .150 on VLAN5 ----------------------------100.100.100.1 Internet router

In this diagram I have 5 vlans on the switch. The first 4 VLANs are private addressed networks, each with a different subnet, with the x.x.x.1 address of the private networks on the vlan interface in the LB6M. So a machine in VLAN1 would have a default gateway of 192.168.0.1. The other private networks would have machines use the .1 network address as default route for each respective subnet.

The LB6M would have its default gateway set to 100.100.100.1.

So far this is simple. But what is missing is the route from the Internet router to each of the private VLANs.

If you want to route to the internet, so the private vlans can be used to surf the net, you need to have NAT configured in the LB6M. Assuming the LB6M supports NAT, you need to configure the LB6M to translate 192.168.0.0/22 (all 4 private networks) to use the overload NAT IP of 100.100.100.150.

With NAT, if you ping from 192.168.0.4 to 100.100.100.1, the packet will appear to come from 100.100.100.150, and 100.100.100.1 will know how to get there because it is on the local subnet. But 100.100.100.1 cannot ping any of the private networks, it can only see 100.100.100.150.

But let's say you are not using NAT, this is just "plain jane" routing. In that case, a client at 192.168.0.3 will have a gateway of 192.168.0.1. The LB6M will have a default gateway of 100.100.100.1. The router at 100.100.100.1 will need a route of 192.168.0.0/22 with the destination of 100.100.100.150, in addition to whatever routes it has to get to the Internet. If you do this, your private networks can ping 100.100.100.1, but they still have no way to get traffic back from the Internet. To get traffic back from the Internet to a private address, you must use NAT, or all IPs must be public, with routes that allow the traffic to find its way to you. You need routes out of the network to the next hop, but you also need routes that point back to you. NAT reduces the need to have external routers know your private IPs to return traffic back to your first public network address. This works because the device that does NAT makes all of the private IP addresses look like the one public IP.

But in all of your discussion, I don't see any routes back to your private IP's, or any NAT statements.

Does this make sense?

Now as I mentioned, I don't have my LB6M configured yet. And I can't find NAT mentioned in any of the manuals I downloaded from this forum. Generally speaking, NAT is not usually configured on a switch, instead it is configured on a router/firewall.

Typically the layer 3 switch in an enterprise is configured with no public IP addresses on the switch itself. A public vlan may exist on the switch to transport somewhere else, but with no local IP address. You generally don't want routing between public and private network segments without a natting firewall separating public from private addresses. That way the internet doesn't attack your switch and hack into your private network.

So a likely configuration is you have a /24 of public IP's in a network segment that is between your Internet edge router, and your firewall box, and behind the firewall box you have your LB6M. The firewall will have to have routes for all private subnets pointed at the LB6M, as well as a default route to the Internet pointed at the next hop at the ISP...

In addition to the firewall, other things might live in the /24 of public IP's, such as load balancers, web servers, email servers, etc... Or at least firewalls that sit in front of those public facing servers.

I use a Cisco ASA firewall at home and at the office, but there are many other commercial and open source systems, monowall, Juniper, netopia, etc... You can also use the CPE that is supplied by your Internet provider, and those typically are configured with NAT by default.

And Sleyk, I was pushing vlans at Josh based on a conversation he was having with someone on the whole "no switchport" issue. But Josh needs NAT or routing on both sides of his network to get those pings to work... and he will eventually need a trunk port.
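The three cases keoki walks through (no return route on the Internet router, a 192.168.0.0/22 route back via the LB6M's public IP, and overload NAT on the LB6M) traced through a small forwarding model, as an added example that is not code from the thread; the first case is also why josh's ping from the 192.168.2.x VLAN stalled at port 0/28. The `Router`, `deliver`, `build` and `ping_round_trip` names are mine, the addresses are keoki's diagram, and the NAT table is simplified to key on the remote address only (real overload NAT also tracks ports / ICMP ids).

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Router:
    """Hypothetical model of one layer 3 hop (the LB6M or the Internet router)."""
    name: str
    addresses: dict                               # interface -> this router's own IPv4Address
    connected: dict                               # interface -> directly connected IPv4Network
    static: list = field(default_factory=list)    # (IPv4Network, next hop IPv4Address) pairs
    nat_inside: Optional[IPv4Network] = None      # private range translated on the way out
    nat_outside: Optional[IPv4Address] = None     # public address substituted for inside sources
    nat_table: dict = field(default_factory=dict)  # remote address -> inside source it replaced

    def lookup(self, dst: IPv4Address):
        """Longest-prefix match over connected and static routes; None means no route."""
        best = None
        for iface, net in self.connected.items():
            if dst in net and (best is None or net.prefixlen > best[2]):
                best = ("connected", iface, net.prefixlen)
        for net, nh in self.static:
            if dst in net and (best is None or net.prefixlen > best[2]):
                best = ("via", nh, net.prefixlen)
        return best


def deliver(src, dst, routers, first_hop, max_hops=8):
    """Forward one packet from the sender's gateway; returns (outcome, src, dst) as seen at the last hop."""
    src, dst = ip_address(src), ip_address(dst)
    owner = {a: r for r in routers for a in r.addresses.values()}
    r = first_hop
    for _ in range(max_hops):
        # A reply to the NAT address is mapped back to the inside host that sent the request.
        if r.nat_outside is not None and dst == r.nat_outside and src in r.nat_table:
            dst = r.nat_table[src]
        if owner.get(dst) is r:                   # this router itself is the destination
            return ("delivered", src, dst)
        route = r.lookup(dst)
        if route is None:
            return (f"dropped at {r.name}: no route to {dst}", src, dst)
        # Traffic leaving the inside range has its source rewritten to the public address.
        if r.nat_inside is not None and src in r.nat_inside and dst not in r.nat_inside:
            r.nat_table[dst] = src
            src = r.nat_outside
        if route[0] == "connected":
            if dst in owner:                      # another router sits on this segment
                r = owner[dst]
                continue
            return ("delivered", src, dst)        # a host on the connected segment
        if route[1] not in owner:
            return (f"dropped at {r.name}: next hop {route[1]} unreachable", src, dst)
        r = owner[route[1]]
    return ("dropped: hop limit exceeded", src, dst)


def build(lb6m_nat: bool, return_route: bool):
    """keoki's topology: four private VLANs on the LB6M, VLAN5 towards the Internet router."""
    lb6m = Router(
        "LB6M",
        addresses={**{f"vlan{i + 1}": ip_address(f"192.168.{i}.1") for i in range(4)},
                   "vlan5": ip_address("100.100.100.150")},
        connected={**{f"vlan{i + 1}": ip_network(f"192.168.{i}.0/24") for i in range(4)},
                   "vlan5": ip_network("100.100.100.0/24")},
        static=[(ip_network("0.0.0.0/0"), ip_address("100.100.100.1"))],  # default gateway
    )
    if lb6m_nat:  # overload NAT for all four private networks, as keoki describes
        lb6m.nat_inside = ip_network("192.168.0.0/22")
        lb6m.nat_outside = ip_address("100.100.100.150")
    edge = Router("Internet router",
                  addresses={"lan": ip_address("100.100.100.1")},
                  connected={"lan": ip_network("100.100.100.0/24")})
    if return_route:  # the route keoki says is missing: the private /22 via the LB6M's public IP
        edge.static.append((ip_network("192.168.0.0/22"), ip_address("100.100.100.150")))
    return lb6m, edge


def ping_round_trip(lb6m_nat=False, return_route=False):
    """Echo request 192.168.0.4 -> 100.100.100.1 and its reply; returns both outcomes
    plus the destination the reply finally carried."""
    lb6m, edge = build(lb6m_nat, return_route)
    req = deliver("192.168.0.4", "100.100.100.1", [lb6m, edge], first_hop=lb6m)
    if req[0] != "delivered":
        return req[0], "no reply", str(req[2])
    # The edge router answers to whatever source address it saw on the request.
    rep = deliver(str(req[2]), str(req[1]), [lb6m, edge], first_hop=edge)
    return req[0], rep[0], str(rep[2])


if __name__ == "__main__":
    for nat, rr in [(False, False), (False, True), (True, False)]:
        print(f"LB6M NAT={nat}, return route on edge={rr}: {ping_round_trip(nat, rr)}")
```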
 

josh

Active Member
Oct 21, 2013
Hi keoki

Josh, are you using NAT anywhere? I don't see any nat statements. I don't have my LB6M running yet, so I don't know if it even supports nat.

Regardless of that, for your public IP'd machine to return ping packets to your private subnets, either you have to be using "overload" NAT on the LB6M's public IP, or the public next hop machine must have routes for all of your private networks, pointed at the LB6M's public IP.

/------------------------------LB6M----------------------\
private network 1 192.168.0.0/24 with .1 on VLAN1
private network 2 192.168.1.0/24 with .1 on VLAN2
Private network 3 192.168.2.0/24 with .1 on VLAN3
Private network 3 192.168.3.0/24 with .1 on VLAN4
Public network 100.100.100.0/24 with .150 on VLAN5 ----------------------------100.100.100.1 Internet router

In this diagram I have 5 vlans on the switch. The first 4 VLANs are private addressed networks, each with a different subnet, with the x.x.x.1 address of the private networks on the vlan interface in the LB6M. So a machine in VLAN1 would have a default gateway of 192.168.0.1. The other private networks would have machines use the .1 network address as default route for each respective subnet.

The LB6M would have its default gateway set to 100.100.100.1.

So far this is simple. But what is missing is the route from the Internet router to each of the private VLANs.

If you want to route to the internet, so the private vlans can be used to surf the net, you need to have NAT configured in the LB6M. Assuming the LB6M supports NAT, you need to configure the LB6M to translate 192.168.0.0/22 (all 4 private networks) to use the overload NAT IP of 100.100.100.150.

With Nat, if you ping from 192.168.0.4 to 100.100.100.1, the packet will appear to come from 100.100.100.150, and 100.100.100.1 will know how to get there because it is on the local subnet. But 100.100.100.1 cannot ping any of the private networks, it can only see 100.100.100.150.

But let's say you are not using NAT, this is just "plain jane" routing. In that case, a client at 192.168.0.3 will have a gateway of 192.168.0.1. The LB6M will have a default gateway of 100.100.100.1. The router at 100.100.100.1 will need a route of 192.168.0.0/22 with the destination of 100.100.100.150, in addition to whatever routes it has to get to the Internet. If you do this, your private networks can ping 100.100.100.1, but they still have no way to get traffic back from the Internet. To get traffic back from the Internet to a private address, you must use NAT, or all IP's must be public, with routes that allow the traffic to find its way to you. You need routes out of the network to the next hop, but you also need routes that point back to you. NAT reduces the need to have external routers know your private IP's to return traffic back to your first public network address. This works because the device that does NAT makes all of the private IP addresses look like the one public IP.

But in all of your discussion, I don't see any routes back to your private IP's, or any NAT statements.

Does this make sense?

Now as I mentioned, I don't have my LB6M configured yet. And I can't find NAT mentioned in any of the manuals I downloaded from this forum. Generally speaking, NAT is not usually configured on a switch; instead it is configured on a router/firewall.

Typically the layer 3 switch in an enterprise is configured with no public IP addresses on the switch itself. A public VLAN may exist on the switch to transport somewhere else, but with no local IP address. You generally don't want routing between public and private network segments without a NATting firewall separating public from private addresses. That way the internet doesn't attack your switch and hack into your private network.

So a likely configuration is you have a /24 of public IP's in a network segment that is between your Internet edge router, and your firewall box, and behind the firewall box you have your LB6M. The firewall will have to have routes for all private subnets pointed at the LB6M, as well as a default route to the Internet pointed at the next hop at the ISP...

In addition to the firewall, other things might live in the /24 of public IP's, such as load balancers, web servers, email servers, etc... Or at least firewalls that sit in front of those public facing servers.

I use a Cisco ASA firewall at home and at the office, but there are many other commercial and open source systems, monowall, Juniper, netopia, etc... You can also use the CPE that is supplied by your Internet provider, and those typically are configured with NAT by default.

And Sleyk, I was pushing vlans at Josh based on a conversation he was having with someone on the whole "no switchport" issue. But Josh needs NAT or routing on both sides of his network to get those pings to work... and he will eventually need a trunk port.
Hi keoki. Yes I realised I didn't have routes pointing back and I edited my post (probably after you read it). Seems like I was trying to insert them in the wrong place (tried to add it on the switch itself).

Code:
#ip route 192.168.2.0 255.255.255.0 x.x.x.150

The specified Static Route Next Hop Router Address is invalid.
Can I just place the NAT routes on my edge router and treat it as the "firewall"?

Edit: This is a temporary measure till I get a proper firewall box.
 
Last edited:
  • Like
Reactions: Chuntzu
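The two cases keoki walks through in the quoted post (plain routing with a route back to 192.168.0.0/22 via 100.100.100.150, versus overload NAT on the LB6M's public IP) can be checked with a small forwarding model. This is an added example, not code from the thread or from the LB6M; the Router class, the ping() tracer and the ISP next hop 203.0.113.1 are constructed for illustration.

```python
import ipaddress

PUBLIC_NAT_IP = "100.100.100.150"   # LB6M's address on the public VLAN5 in the quoted diagram

class Router:
    """Minimal L3 forwarder: connected interfaces plus static routes (constructed model)."""
    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        """Longest-prefix match; 'connected' means dst is on a local subnet, None means no route."""
        dst = ipaddress.ip_address(dst)
        if any(dst in i.network for i in self.ifaces):
            return "connected"
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def lb6m_with_diagram_vlans():
    """The LB6M as drawn in the quoted diagram: four private VLAN SVIs, one public SVI, default route."""
    return Router("LB6M",
                  ["192.168.0.1/24", "192.168.1.1/24", "192.168.2.1/24", "192.168.3.1/24",
                   PUBLIC_NAT_IP + "/24"],
                  [("0.0.0.0/0", "100.100.100.1")])

def ping(src, dst, lb6m, edge, overload_nat=False):
    """Trace an echo request from a private host through the LB6M to the edge router and back."""
    if lb6m.next_hop(dst) is None:
        return "lb6m has no route to destination"
    outer_src = PUBLIC_NAT_IP if overload_nat else src   # overload NAT hides the private source
    back = edge.next_hop(outer_src)                      # where does the edge send its reply?
    if back not in ("connected", PUBLIC_NAT_IP):
        return "reply lost: edge router forwards it to %s" % back
    if overload_nat:
        return "ok (edge only sees %s)" % PUBLIC_NAT_IP   # NAT table maps it back to src
    return "ok" if lb6m.next_hop(src) == "connected" else "no return route on lb6m"

if __name__ == "__main__":
    lb = lb6m_with_diagram_vlans()
    # Edge router with only a default route towards the ISP (constructed next hop 203.0.113.1).
    edge = Router("edge", ["100.100.100.1/24"], [("0.0.0.0/0", "203.0.113.1")])
    print("no route back :", ping("192.168.0.3", "100.100.100.1", lb, edge))
    edge_routed = Router("edge", ["100.100.100.1/24"],
                         [("0.0.0.0/0", "203.0.113.1"), ("192.168.0.0/22", PUBLIC_NAT_IP)])
    print("route back    :", ping("192.168.0.3", "100.100.100.1", lb, edge_routed))
    print("overload NAT  :", ping("192.168.0.3", "100.100.100.1", lb, edge, overload_nat=True))
```

The first case reproduces the symptom in the thread: the request reaches the edge router, but with no route for the private /22 the reply is sent towards the ISP instead of back to the LB6M.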

josh

Active Member
Oct 21, 2013
615
190
43
So I logged into the edge router and added a static route back to port 0/28 on the LB6M.

Code:
$ip route
192.168.5.0/24 via x.x.x.150 dev eth0 proto zebra
I can ping the VLAN "gateway" (192.168.5.1) from the edge router. I can ping a machine on the VLAN itself (192.168.5.2). On the machine I can ping up to the internet gateway (x.x.x.1). Traceroute dies off at x.x.x.1 as well. Something is still getting lost between the edge router and the switch.
 
  • Like
Reactions: Chuntzu

keoki

New Member
Jun 2, 2016
21
19
3
62
Yes, any natting router can be your basic firewall.

Generally you don't typically see public IP's connect directly to interior switches, but that is not a hard rule, as you might have a DMZ, and use private IP's for say a database server feeding data into a web server, with the web server in the DMZ. Without going into a lot of detail, the DMZ typically has limited access both in to the private network, and out to the public network, so firewalls might be on either end of the DMZ.

But yes, a firewall at the edge, with the firewall able to route to each subnet internally.

There are different levels of security, and basic nat is a good starting point. Obviously you will want protections on that edge router to prevent it from being hacked, so the fewer ports it has open to the Internet, the better. In an ideal world, the only open ports it has are part of the NAT flows, and no local services like ssh, SNMP, etc... In fact, you can make it not respond to pings or traceroutes from the outside, and reduce the attack surface to nearly zero. When NAT is set up, one of the first goals of the firewall is to protect itself. And you can do some of that with your basic natting router.

For the purposes of this discussion, nat is enough to start with. Nat is the way to connect the private network to the public network.

I have a network simulation lab with a lot of different types of network equipment, so I have a router, a firewall, and another router, and then my layer 3 switches, and other equipment. That way I can place public subnets outside the firewall, or behind the firewall. Sometimes I have to deliver a public network all the way to the desktop, so I try to always do that past the firewall, and the VLAN I use for that has no IP addresses in my switches to keep the switches unreachable to the traffic flowing through them. Public networks inside the lab are dangerous, but are part of what I need to be able to do.

Sometimes I need equipment in the DMZ to support the DMZ, like PPPoE servers, or DHCP servers. One way to reduce the attack profile of those servers is to not give them a default route. A tunnel server might only have a route to the other endpoint, and no default route. So for example I have a router that someone on the other side of the world needs to access over the internet to test some code, and for sanity they don't want a firewall at all. I restrict the ports as much as I can with access lists on the router, and then give it a route to the network the engineers come from, but give it a default gateway that points to something like an unused local IP, or its own loopback interface... anything other than the Internet gateway. None of this is perfect security, but it is pretty good, and avoids people blaming my firewall every time they do something wrong.

The point is, you don't /have/ to have a firewall, even on a network with a lot of public IP's... just don't do anything stupid like connect a machine that has a public address to an internal network. Don't let a hacker turn a test server into a jump server to the inner regions of your network. And be aware that any router can be turned into a jump server... So let your routers route traffic to other machines, but don't let your router become a destination.