> What is the command for turning a port into a trunking port?

What we did a long time ago was to make sure that all VLANs were trunked to a different switch, to make sure that the VLAN was active for L3 to work properly.

> What is the command for turning a port into a trunking port?

On the LVL7-derived operating systems? "switchport mode trunk". You may also want "switchport general acceptable-frame-type tagged-only".
> On the LVL7-derived operating systems? "switchport mode trunk". You may also want "switchport general acceptable-frame-type tagged-only".

Tried that. Doesn't exist.

Code:
(Interface 0/1)#switchport ?
protected                Configure Switchport to Protected mode.
> Tried that. Doesn't exist.

Sorry. I don't have a LB6M. I have a PowerConnect 8024 in service which uses the same Broadcom OS (formerly LVL7) but comes by default with all of the features enabled. It looks like the LB6M comes with some features disabled, but not necessarily the same features for each purchaser.
Any VLAN experts able to troubleshoot what's wrong with my config? I'm trying to get the default VLAN to carry traffic from 192.168.2.0/24 and VLAN 500 to carry traffic for 192.168.5.0/24.

Both VLANs have an IP on their VLAN interfaces, which should function as a gateway. ip routing is enabled and should carry public traffic through port 0/28, which has been configured with a public address.

Code:
#show ip vlan
MAC Address used by Routing VLANs: X:X:X:X:1B:4A
                  Logical
VLAN ID   Interface        IP Address        Subnet Mask
-------   --------------   ---------------   ---------------
1         2/1              192.168.2.1       255.255.255.0
500       2/2              192.168.5.1       255.255.255.0

Code:
#show ip route
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
             B - BGP Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
S    0.0.0.0/0 [1/0] via x.x.x.1, 01h:17m:02s, 0/28
C    x.x.x.0/24 [0/1] directly connected, 0/28

Ports 0/1-0/27 participate in the VLANs. (Why does it show Current as Exclude whilst Configured is Include?)

Code:
#show vlan 1
VLAN ID: 1
VLAN Name: default
VLAN Type: Default
Interface   Current   Configured   Tagging
----------  --------  -----------  --------
0/1         Exclude   Include      Untagged
0/2         Exclude   Include      Untagged
0/3         Exclude   Include      Untagged
0/4         Exclude   Include      Untagged
0/5         Exclude   Include      Untagged
0/6         Exclude   Include      Untagged
0/7         Exclude   Include      Untagged
0/8         Exclude   Include      Untagged
... all the way to 0/27

Code:
#show vlan 500
VLAN ID: 500
VLAN Name: VLAN0500
VLAN Type: Static
Interface   Current   Configured   Tagging
----------  --------  -----------  --------
0/1         Exclude   Include      Tagged
0/2         Exclude   Include      Tagged
0/3         Exclude   Include      Tagged
0/4         Exclude   Include      Tagged
0/5         Exclude   Include      Tagged
0/6         Exclude   Include      Tagged
0/7         Exclude   Include      Tagged
0/8         Exclude   Include      Tagged
... all the way to 0/27

The default VLAN interface seems down even though no shutdown has been set.

Code:
#show ip interface 2/1
Routing Interface Status....................... Down
Primary IP Address............................. 192.168.2.1/255.255.255.0
Method......................................... Manual
Routing Mode................................... Enable
Administrative Mode............................ Enable
Forward Net Directed Broadcasts................ Disable
Proxy ARP...................................... Enable
Local Proxy ARP................................ Disable
Active State................................... Inactive
Link Speed Data Rate........................... 10 Half
MAC address.................................... X:X:X:X:1B:4A
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500
Bandwidth...................................... 10000 kbps
Destination Unreachables....................... Enabled
ICMP Redirects................................. Enabled

But there are active ports that are participating in the VLANs.

Code:
#show port all
                  Admin    Physical   Physical   Link   Link    LACP    Actor
Intf      Type    Mode     Mode       Status     Status Trap    Mode    Timeout
--------- ------ --------- ---------- ---------- ------ ------- ------ --------
0/1              Enable   10G Full   10G Full   Up     Enable  Enable  long
0/2              Enable   10G Full              Down   Enable  Enable  long
0/3              Enable   10G Full              Down   Enable  Enable  long
0/4              Enable   10G Full              Down   Enable  Enable  long
0/5              Enable   10G Full              Down   Enable  Enable  long
0/6              Enable   10G Full              Down   Enable  Enable  long
0/7              Enable   10G Full   10G Full   Up     Enable  Enable  long
0/8              Enable   10G Full   10G Full   Up     Enable  Enable  long
... all the way to 0/27
2/1              Enable   10 Half               Down   Enable  Enable  N/A
2/2              Enable   10 Half               Down   Enable  Enable  N/A

Please help, this is extremely frustrating.

Thanks!

Josh, are you using NAT anywhere? I don't see any NAT statements. I don't have my LB6M running yet, so I don't know if it even supports NAT.

Regardless of that, for your public IP'd machine to return ping packets to your private subnets, either you have to be using "overload" NAT on the LB6M's public IP, or the public next hop machine must have routes for all of your private networks, pointed at the LB6M's public IP.

/------------------------------LB6M----------------------\
private network 1 192.168.0.0/24 with .1 on VLAN1
private network 2 192.168.1.0/24 with .1 on VLAN2
Private network 3 192.168.2.0/24 with .1 on VLAN3
Private network 4 192.168.3.0/24 with .1 on VLAN4
Public network 100.100.100.0/24 with .150 on VLAN5 ----------------------------100.100.100.1 Internet router

In this diagram I have 5 VLANs on the switch. The first 4 VLANs are private addressed networks, each with a different subnet, with the x.x.x.1 address of the private networks on the VLAN interface in the LB6M. So a machine in VLAN1 would have a default gateway of 192.168.0.1. The other private networks would have machines use the .1 network address as the default route for each respective subnet.

The LB6M would have its default gateway set to 100.100.100.1.

So far this is simple. But what is missing is the route from the Internet router to each of the private VLANs.

If you want to route to the Internet, so the private VLANs can be used to surf the net, you need to have NAT configured in the LB6M. Assuming the LB6M supports NAT, you need to configure the LB6M to translate 192.168.0.0/22 (all 4 private networks) to use the overload NAT IP of 100.100.100.150.

With NAT, if you ping from 192.168.0.4 to 100.100.100.1, the packet will appear to come from 100.100.100.150, and 100.100.100.1 will know how to get there because it is on the local subnet. But 100.100.100.1 cannot ping any of the private networks; it can only see 100.100.100.150.

But let's say you are not using NAT, this is just "plain jane" routing. In that case, a client at 192.168.0.3 will have a gateway of 192.168.0.1. The LB6M will have a default gateway of 100.100.100.1. The router at 100.100.100.1 will need a route of 192.168.0.0/22 with the destination of 100.100.100.150, in addition to whatever routes it has to get to the Internet. If you do this, your private networks can ping 100.100.100.1, but they still have no way to get traffic back from the Internet. To get traffic back from the Internet to a private address, you must use NAT, or all IPs must be public, with routes that allow the traffic to find its way to you. You need routes out of the network to the next hop, but you also need routes that point back to you. NAT reduces the need to have external routers know your private IPs to return traffic back to your first public network address. This works because the device that does NAT makes all of the private IP addresses look like the one public IP.

But in all of your discussion, I don't see any routes back to your private IPs, or any NAT statements.

Does this make sense?

Now as I mentioned, I don't have my LB6M configured yet. And I can't find NAT mentioned in any of the manuals I downloaded from this forum. Generally speaking, NAT is not usually configured on a switch; instead it is configured on a router/firewall.

Typically the layer 3 switch in an enterprise is configured with no public IP addresses on the switch itself. A public VLAN may exist on the switch to transport somewhere else, but with no local IP address. You generally don't want routing between public and private network segments without a NATting firewall separating public from private addresses. That way the Internet doesn't attack your switch and hack into your private network.

So a likely configuration is you have a /24 of public IPs in a network segment that is between your Internet edge router and your firewall box, and behind the firewall box you have your LB6M. The firewall will have to have routes for all private subnets pointed at the LB6M, as well as a default route to the Internet pointed at the next hop at the ISP...

In addition to the firewall, other things might live in the /24 of public IPs, such as load balancers, web servers, email servers, etc... Or at least firewalls that sit in front of those public facing servers.

I use a Cisco ASA firewall at home and at the office, but there are many other commercial and open source systems, monowall, Juniper, netopia, etc... You can also use the CPE that is supplied by your Internet provider, and those typically are configured with NAT by default.

And Sleyk, I was pushing VLANs at Josh based on a conversation he was having with someone on the whole "no switchport" issue. But Josh needs NAT or routing on both sides of his network to get those pings to work... and he will eventually need a trunk port.

Hi keoki. Yes, I realised I didn't have routes pointing back and I edited my post (probably after you read it). Seems like I was trying to insert them in the wrong place (tried to add it on the switch itself).

Code:
#ip route 192.168.2.0 255.255.255.0 x.x.x.150
The specified Static Route Next Hop Router Address is invalid.

Code:
#show ip route
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
             B - BGP Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
S    0.0.0.0/0 [1/0] via x.x.x.1, 00h:45m:29s, 0/28
C    x.x.x.0/24 [0/1] directly connected, 0/28
C    192.168.2.0/24 [0/1] directly connected, 2/1
C    192.168.5.0/24 [0/1] directly connected, 2/2
I can ping the VLAN "gateway" (192.168.5.1) from the edge router. I can ping a machine on the VLAN itself (192.168.5.2). On the machine I can ping up to the Internet gateway (x.x.x.1). Traceroute dies off at x.x.x.1 as well. Something is still getting lost between the edge router and the switch.

I guess I don't understand what you think is getting lost.

Keep in mind that when you set up NAT, you have to NAT everything, not just the network directly connected to the edge router. So your NAT statements need to cover both the directly connected network and all of your other private networks as well.

NAT statements vary a lot for different kinds of equipment, and not every cheap SOHO Internet router can NAT for networks that are not directly connected.

So, assuming your edge router has enough support to do it, you need to either set a netmask on the NAT statement large enough to include everything (like 192.168.0.0/16), or you may have to have a separate NAT statement for each subnet.

I just have separate static routes on the edge router pointing each subnet to the public IP on the LB6M. My edge router is literally EdgeRouter by Ubiquiti.

Code:
$ ip route
192.168.5.0/24 via x.x.x.150 dev eth0 proto zebra
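The two-way argument keoki makes in this thread (a route out is useless without a route or a NAT translation back, and an edge-router NAT has to cover the routed subnets, not only the directly connected one) can be checked with a small model. The code below is an added example written for this page; it is not code from the thread, from the LB6M or from EdgeOS. It uses the addresses from keoki's diagram (four private /24s behind the LB6M, the public 100.100.100.0/24 towards the edge router at .1, the switch at .150). The ISP-side link 100.100.99.0/24, the Internet host 198.51.100.7 and all function and class names are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

Net, IP = ipaddress.ip_network, ipaddress.ip_address
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in n for n in RFC1918)


@dataclass
class Router:
    name: str
    connected: list                                  # nets with a local interface
    static: dict = field(default_factory=dict)       # Net -> next-hop IP
    default: ipaddress.IPv4Address | None = None     # default next hop
    nat_sources: list = field(default_factory=list)  # source nets to masquerade
    nat_ip: ipaddress.IPv4Address | None = None      # the one public IP they hide behind
    nat_table: dict = field(default_factory=dict)    # nat_ip -> original source

    def next_hop(self, dst):
        """Longest-prefix match: connected nets, then static routes, then default."""
        cands = [(n.prefixlen, "connected", None) for n in self.connected if dst in n]
        cands += [(n.prefixlen, "via", nh) for n, nh in self.static.items() if dst in n]
        if cands:
            _, kind, nh = max(cands, key=lambda c: c[0])
            return kind, nh
        return ("via", self.default) if self.default else (None, None)

    def masquerade(self, src, dst):
        """Overload NAT: rewrite a matching source to nat_ip when the destination
        lies outside the NATed networks, and remember it for the reply."""
        if (self.nat_ip and any(src in n for n in self.nat_sources)
                and not any(dst in n for n in self.nat_sources)):
            self.nat_table[self.nat_ip] = src
            return self.nat_ip
        return src


def walk(router, src, dst, devices, hops):
    """Forward one packet hop by hop.  Returns (outcome, src, dst, last_router);
    outcome is 'delivered', 'internet' (left via an unmodelled next hop) or 'dropped'."""
    for _ in range(16):                              # loop guard
        hops.append(router.name)
        if dst in router.nat_table:                  # reply for a NATed flow: undo it
            dst = router.nat_table[dst]
        src = router.masquerade(src, dst)
        kind, nh = router.next_hop(dst)
        if kind == "connected":
            if dst in devices and devices[dst] is not router:
                router = devices[dst]                # the owning router gets to un-NAT
                continue
            return "delivered", src, dst, router
        if kind is None:
            return "dropped", src, dst, router
        if nh not in devices:
            return "internet", src, dst, router
        router = devices[nh]
    return "dropped", src, dst, router


def ping(src, dst, gateway, devices):
    """Echo request from host src (default gateway `gateway`) to dst, then the
    reply.  Returns the hop list if the reply made it back, else None."""
    hops = []
    out, s, d, last = walk(gateway, src, dst, devices, hops)
    if out == "internet":
        if is_rfc1918(s) or is_rfc1918(d):           # the Internet drops RFC1918 src/dst
            return None
        hops.append("Internet")
        replier = last                               # reply re-enters at the edge router
    elif out == "delivered":
        replier = devices.get(d, last)               # a router answers itself, a host via its gateway
    else:
        return None
    hops.append("<reply>")
    back, _, final_dst, _ = walk(replier, d, s, devices, hops)
    return hops if back == "delivered" and final_dst == src else None


def build(nat_at=None, return_route=False, nat_covers_routed=True):
    """keoki's diagram: four private /24s on the LB6M, public 100.100.100.0/24 to
    the edge router at .1.  The ISP link 100.100.99.0/24 is a constructed stand-in."""
    lb6m = Router("LB6M", connected=[Net(f"192.168.{i}.0/24") for i in range(4)]
                  + [Net("100.100.100.0/24")], default=IP("100.100.100.1"))
    edge = Router("edge", connected=[Net("100.100.100.0/24"), Net("100.100.99.0/24")],
                  default=IP("100.100.99.1"))
    if return_route:                                 # edge knows the way back to the VLANs
        edge.static[Net("192.168.0.0/22")] = IP("100.100.100.150")
    if nat_at == "lb6m":                             # overload NAT on the switch's public IP
        lb6m.nat_sources, lb6m.nat_ip = [Net("192.168.0.0/22")], IP("100.100.100.150")
    elif nat_at == "edge":                           # masquerade on the edge router's uplink
        edge.nat_ip, edge.nat_sources = IP("100.100.99.2"), [Net("100.100.100.0/24")]
        if nat_covers_routed:                        # ...also covering the routed subnets
            edge.nat_sources.append(Net("192.168.0.0/22"))
    devices = {IP("100.100.100.150"): lb6m, IP("100.100.100.1"): edge, IP("100.100.99.2"): edge}
    return lb6m, edge, devices
```

Each `build()` call is one of the configurations discussed: `ping()` returns the hop list when the echo reply makes it back and None when it is lost. With plain routing and no return route, the edge router answers a ping from 192.168.0.4 but sends the reply towards the ISP and it never arrives; adding the 192.168.0.0/22 route via .150 fixes that, but the Internet is still unreachable because the request leaves with an RFC1918 source. NAT on the LB6M makes the Internet reachable while leaving 192.168.0.4 unreachable from 100.100.100.1, exactly as keoki describes. NAT on the edge that only covers 100.100.100.0/24 drops the routed subnets on the floor; extending the masquerade source to cover them is the "fat netmask" fix.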
I think it is your NAT configuration that is failing. Same gateway in both cases, I assume... so we know the Internet side works, directly connected NAT works; it is the NAT for the routed subnets that is failing. The fact your traceroutes get all the way to the edge router means that path is working. Remember things like ping and traceroute test both directions, so I think your internal routing is sound. What I think is failing is that the default NAT behavior is for the locally connected subnet, so you may have to add more NAT statements or make the one that is there more inclusive with a fat netmask. I don't know anything about that router, but that is where the issue is. The problem could be that the right support for routed NAT isn't there, or that you need to connect your switch to a port with a private network. From a software point of view, anything should be configurable. But most SOHO routers have a simplified interface, and simple documentation, so they don't expose the full power of the box unless you can get to the actual command line. I don't mean the configuration command line, I mean like a shell.

But I just looked at the docs and the GUI seems to be oriented to things you aren't trying to do. You want the Masquerade function; the src and dest are more for allowing public access to servers, but I don't see what I'm looking for. The Masquerade function should be able to be given a private subnet to translate, but the description of source and destination don't seem to be for Masquerade. You may need to ask this question in the Ubiquiti forums. What you want is to use Masquerade to NAT multiple subnets that are not directly connected.

I managed to get it to work by fixing my NAT rules after reading your post. I'm trying to figure out another problem. It seems that EQL SANs don't support joining a VLAN. I came up with a theoretical workaround. Is it possible to configure the switch to dynamically add/remove tags from traffic passing through a particular port?