VLANS TO INTERNET


mcktx752

New Member
Hi All,

Been pulling my hair out (What's left anyway) for 2 days on this. Hoping to get some expert advice. This isn't my forte so bear with me. I did a quick sketch of the system.

I cannot seem to get the individual VLANs to get access to the internet through the VPN router. Intra routing works fine. VLANs receive IP addresses, can ping from machines across VLANs. I can ping all targets from the switch (OS), VLANs to VLANs fine; everything seems to work as intended with the exception of being able to access the internet. Any help would be much appreciated by me and the family who hasn't seen me for 2 days lol.

Here is the config:
DCS-7050SX-64 running EOS64-4.25.1F

dhcp server
dns server ipv4 192.168.1.254 8.8.8.8
!
subnet 10.62.5.0/24
name Management-DHCP
dns server 10.62.0.1 192.168.1.254
default-gateway 10.62.5.1
range 10.62.5.180 10.62.5.199
!
subnet 10.62.10.0/24
name Physical
dns server 10.62.0.1 8.8.8.8
default-gateway 10.62.10.1
range 10.62.10.180 10.62.10.199
!
subnet 10.62.20.0/24
name Virtual
dns server 10.62.0.1 8.8.8.8
default-gateway 10.62.20.1
range 10.62.20.180 10.62.20.199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model ribd
!
ip name-server vrf default 192.168.1.254
ip name-server vrf default 8.8.8.8
!
ntp server us.pool.ntp.org
!
spanning-tree mode mstp
!
no aaa root
!
vlan 5
name Management
!
vlan 10
name Physical
!
vlan 20
name Virtual
!
interface Ethernet1
switchport trunk allowed vlan 1,5,10,20
switchport mode trunk
!
interface Ethernet2
!
interface Ethernet3
!
interface Ethernet4
switchport access vlan 5
!
interface Ethernet15
switchport access vlan 5
!
interface Ethernet16
switchport access vlan 10
!
interface Ethernet27
switchport access vlan 10
!
interface Ethernet28
switchport access vlan 20
!
interface Ethernet39
switchport access vlan 20
!
interface Management1
ip address 10.62.2.1/24
!
interface Vlan1
ip address 10.62.0.1/24
!
interface Vlan5
ip address 10.62.5.1/24
dhcp server ipv4
!
interface Vlan10
ip address 10.62.10.1/24
dhcp server ipv4
!
interface Vlan20
ip address 10.62.20.1/24
dhcp server ipv4
!
ip routing
!
ip route 0.0.0.0/0 10.62.0.1
!
router multicast
ipv4
routing
!
end
 


fohdeesha

Kaini Industries
I see you have a default route on the arista pointing upstream to the firewall as you should, but does your firewall have routes pointing to the arista as the next-hop for these 10.62 VLANs? If not, your firewall will have no clue where to send traffic destined for those VLANs. Also, your default route on the arista, which should be pointing to the firewall, is pointing to 10.62.0.1, which you've also assigned to the arista!?:

interface Vlan1
ip address 10.62.0.1/24

What's the IP of the firewall on this 10.62.0.x subnet?

also that'll be 900 dollars
 

mcktx752

New Member
Hi, thanks for responding. Not sure why that says 10.62.0.1. I'm reviewing the config now and the VLAN 1 assigned IP address is 10.62.0.2. Obviously the VPN router gateway is set as 10.62.0.1.

As it is now, all seems to work from the COM console (how I am connected), except from the VLANs.

In summary

Ping from 7050 CLI.
10.62.0.1 GOOD
192.168.1.254 GOOD
yahoo.com GOOD (also confirms DNS is working)

ping 10.62.0.1 source vlan 1 GOOD
ping 192.168.1.254 source vlan 1 GOOD
ping yahoo.com from source vlan 1 GOOD

ping 10.62.0.1 source vlan 5 (or 10, or 20)


PING yahoo.com (74.6.143.25) from 10.62.5.1 : 72(100) bytes of data.
--- yahoo.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 40ms


Same for vlan 1,10,20
 

fohdeesha

Kaini Industries
See the first part of my reply. Your firewall has no idea where to send the return traffic until you've added routes to it for these VLAN subnets with a next hop of the arista, 10.62.0.2. Until then, when your firewall has traffic destined for 10.62.5.1, for example, it will look in its routing table, find nothing specific for it, and just shove it out its default gateway (which would be your internet connection).
 

mcktx752

New Member
Sorry for the haste :) The routing table from the VPN router:


#  Destination     Subnet mask       Next hop        Interface     Metric
1  10.62.0.0       255.255.255.0     192.168.1.80    LAN_LOCALNET  0
2  0.0.0.0         0.0.0.0           192.168.1.254   SFP+ WAN1     0
3  68.94.156.9     255.255.255.255   192.168.1.254   SFP+ WAN1     0
4  192.168.1.0     255.255.255.0     0.0.0.0         SFP+ WAN1     0
5  192.168.1.254   255.255.255.255   0.0.0.0         SFP+ WAN1     0
6  10.62.0.0       255.255.255.0     0.0.0.0         LAN_LOCALNET  0
 

mcktx752

New Member
I think I got it. THANK YOU for putting me on track :)

Added route for vlan 5 and all is accessible. Thanks again!

#  Destination   Subnet mask     Next hop    Interface     Metric
1  10.62.5.0     255.255.255.0   10.62.0.2   LAN_LOCALNET  0

Just to ensure my hair does grow back, a quick add-on:

I have an IP pool for the VPN inbound (10.62.90.X). When I VPN in I cannot ping to the VLANs (5, 10, 20). Would a route need to be created on the switch to allow traffic?
 

kapone

Well-Known Member
You've used a /24 mask for this route...when it should be /16 based on your IP address.

#  Destination   Subnet mask     Next hop       Interface
1  10.62.0.0     255.255.255.0   192.168.1.80   LAN_LOCALNET

If you had used a /16 mask, you would not need to define the route for 10.62.5.0 separately.

Edit: I don't understand the last line.

Destination   Subnet mask     Next hop   Interface     Metric
10.62.0.0     255.255.255.0   0.0.0.0    LAN_LOCALNET  0

Why is this address (10.62.0.0) in your routing table twice? And that too, it's pointing to 0.0.0.0 the second time?
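To make fohdeesha's point about return traffic concrete, here is an added Python example (not from the thread, the switch vendor or the firewall vendor) that does a longest-prefix-match lookup over the firewall table quoted above and shows where a reply to 10.62.5.1 goes with no VLAN routes, with the three per-VLAN /24s, and with a single /16 summary route in the spirit of kapone's remark. The summary route and the "connected" labelling are my assumptions, not something the thread states.

```python
import ipaddress

# Firewall routing table as quoted in the thread (destination, mask, next hop,
# interface); a next hop of 0.0.0.0 means the destination is directly connected.
# Interface names and the LAN /24 are taken from the table posted above.
BASE_TABLE = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.1.254", "SFP+ WAN1"),
    ("68.94.156.9",   "255.255.255.255", "192.168.1.254", "SFP+ WAN1"),
    ("192.168.1.0",   "255.255.255.0",   "0.0.0.0",       "SFP+ WAN1"),
    ("192.168.1.254", "255.255.255.255", "0.0.0.0",       "SFP+ WAN1"),
    ("10.62.0.0",     "255.255.255.0",   "0.0.0.0",       "LAN_LOCALNET"),
]

# fohdeesha's fix: one /24 per VLAN with the Arista's VLAN 1 address as next hop.
VLAN_ROUTES = [(f"10.62.{v}.0", "255.255.255.0", "10.62.0.2", "LAN_LOCALNET")
               for v in (5, 10, 20)]

# kapone's /16 idea, generalised (assumption: every 10.62.x.0/24 sits behind
# the Arista, so a single summary route can stand in for the three /24s).
SUMMARY_ROUTE = [("10.62.0.0", "255.255.0.0", "10.62.0.2", "LAN_LOCALNET")]


def lookup(table, dst):
    """Longest-prefix match: return (matched prefix, next hop, interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, nexthop, iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    if best is None:
        return None  # no route at all; cannot happen while a default exists
    net, nexthop, iface = best
    return (str(net), "connected" if nexthop == "0.0.0.0" else nexthop, iface)


def reply_path(dst, extra_routes=()):
    """Where the firewall sends a reply to dst once extra_routes are added."""
    return lookup(BASE_TABLE + list(extra_routes), dst)


if __name__ == "__main__":
    for label, extra in (("no VLAN routes", ()),
                         ("per-VLAN /24s", VLAN_ROUTES),
                         ("summary /16", SUMMARY_ROUTE)):
        print(f"{label:15s} -> {reply_path('10.62.5.1', extra)}")
    # The connected /24 stays more specific than the summary /16, so the
    # Arista's own address is still reached directly on the LAN segment.
    print(f"{'arista itself':15s} -> {reply_path('10.62.0.2', SUMMARY_ROUTE)}")
```

Without a VLAN route the reply to 10.62.5.1 matches only the default and leaves via the WAN, which is exactly the symptom in the thread.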
 

mcktx752

New Member
Morning,

The info in the boxes is from the VPN/firewall. That was not entered by me. The default route in the switch was, though. Are you saying that's not required?

At this stage I can change the netmask to /16 for the 10.62.0 network. Not a problem :)
 

kapone

Well-Known Member
> Morning,
>
> The info in the boxes is from the VPN/firewall. That was not entered by me. The default route in the switch was, though. Are you saying that's not required?
>
> At this stage I can change the netmask to /16 for the 10.62.0 network. Not a problem :)
I'm confused.

Is this router/firewall/VPN (whatever) not maintained by you? If not, how did the route for 10.62.0.0 even get there in the first place?
 

mcktx752

New Member
Yes. I maintain it all. It's my home.

These routes I created at the suggestion of fohdeesha. This allowed the VLANs to access the internet.

#  Destination   Subnet mask     Next hop    Interface     Metric
1  10.62.10.0    255.255.255.0   10.62.0.2   LAN_LOCALNET  0
2  10.62.20.0    255.255.255.0   10.62.0.2   LAN_LOCALNET  0
3  10.62.5.0     255.255.255.0   10.62.0.2   LAN_LOCALNET  0

The routes below were created by the VPN/firewall. I am not able to modify these.


#  Destination     Subnet mask       Next hop        Interface     Metric
4  0.0.0.0         0.0.0.0           192.168.1.254   SFP+ WAN1     0
5  68.94.156.9     255.255.255.255   192.168.1.254   SFP+ WAN1     0
6  192.168.1.0     255.255.255.0     0.0.0.0         SFP+ WAN1     0
7  192.168.1.254   255.255.255.255   0.0.0.0         SFP+ WAN1     0
8  10.62.0.0       255.255.0.0       0.0.0.0         LAN_LOCALNET  0


The one route in the switch I created. Without that, no access to the internet.