joep
New Contributor

Learning How to Configure

Hi Everyone!

Before I ask a specific question, I'd like to see if the community can point me to the appropriate documents to educate myself.  My situation is pretty simple:

1. I have a NetVanta 3133 SDSL router connected to a single SDSL provider

2. I have a number of static IPs which are routed to that router

3. I also have a high-speed cable modem with no static IPs

4. I have two internal subnets, 10.x (personal) and 10.y (business)

5. I have a website and a mail server that live on 10.y and get routed through the SDSL router

6. I have another website that lives on 10.x that I'd like to route through the SDSL router (because of the static IPs)

The high-speed modem is my gateway for 10.x.  My SDSL router is my gateway for 10.y.  Until now I had a Netopia router and it was pretty easy to configure all of this.  With the NetVanta it's a little more challenging, at least for me.  I created two VLANs, one for 10.x and one for 10.y, and assigned each to a different switchport.  I learned how to do port forwarding and I've managed to assign different external static IPs to different internal ports.  I was able to get most of the individual pieces working at one time or another, including access to both the 10.x website and the 10.y website and mail server.  Here are some of the issues I've run across:

1. I can't have both VLANs up unless I filter BPDU.

2. If I don't filter BPDU, as soon as I connect the second port to my network, one goes to Blocking status and I'm done.

3. If I do filter BPDU, I get other inconsistent results which I haven't yet had the time to completely isolate.

4. I haven't figured out how to originate outbound traffic from within either the 10.x or 10.y subnets, even if I only have one VLAN active and connected (at the end of the day, I may not want to do 10.x, but I definitely need 10.y).

So.  I thought getting two subnets would be easy, but I'm not succeeding just yet.  Right now I've only got one subnet connected, and it's inbound only.  Am I on the right path for what I'm trying to do?  Are there manuals or tutorials I need to read that will help enlighten me?  Am I missing a basic point of some kind here?  It's especially frustrating because I had all of this working with the Netopia.

Anyway, I'm happy to do more reading on my own before I ask silly questions.  But any suggestions or comments are welcomed.  I'm going out of town so I won't be able to do anything this week except read (I'm afraid to do anything that might require a physical reset of the box or involve connecting or disconnecting switchports from the network), but I plan to get back at this full-time this weekend.

Thanks in advance for any support!

P.S. One other thing I found - if the 10.x VLAN is enabled, it tends to shut down other computers in that subnet; they get Windows IP address conflicts, even though there are none.  I have to go in and disable that VLAN and reset the adapters on the affected PCs.

jayh
Honored Contributor

Re: Learning How to Configure

Your BPDU issues are due to spanning-tree problems, a layer-2 protocol. Search documentation for spanning tree.   Make sure that any devices that are connected that should only see a single VLAN are configured as access ports for that VLAN.  Avoid connecting "dumb" switches to trunk ports.  Avoid "dumb" switches period.

Your issue with computers shutting down and duplicate address problems could also be related to layer 2.  Look for duplicate DHCP servers.  Be aware that Windows DHCP servers tend to cause problems if connected to a trunk port as they don't handle VLANs very well. Search documentation on DHCP, broadcasts, etc.

Routing your websites through the same WAN link from different LAN subnets should be do-able.  You might have to do some policy routing depending on how the other hosts on that LAN are supposed to route.  Search documentation on NAT, ip policy, and policy routing.

joep
New Contributor

Re: Learning How to Configure

After reading about spanning trees, my immediate thought is that I don't really need spanning trees.    Seriously, I've only got a dozen devices and maybe a dozen more virtual machines, most on one of two subnets.  Two of my machines need to talk to both networks, and the rest talk only to one.  I've got three switches that route everything (basically one per floor).  I NAT specific ports from the various static IPs to different internal servers, some 10.x, some 10.y.  All of this has worked flawlessly for years.

I don't have multiple DHCP servers; I only use the cable modem to hand out addresses to mobile devices.  Everything else is statically addressed and in fact the devices getting the errors are statically addressed.  Those devices start getting IP conflict messages when the NetVanta is connected to the internal network.

Again, my real problem is that this all worked wonderfully with the Netopia.  I simply configured the Netopia with two different LAN addresses, one on each subnet, and each device that needed external IP addresses used the Netopia as its gateway.  Those that didn't need external used the 10.x network and pointed to the cable modem as their gateway.  All I want to do is replicate that simple architecture.

jayh
Honored Contributor

Re: Learning How to Configure

If you are seeing ports going into a blocking state and filtering BPDU results in "other inconsistent results" such as a giant storm, you have a bridging loop.  Something is cabled wrong, there are VLAN mismatches, one or more switches are connected in a loop, etc.  So you probably do need spanning-tree to ensure that this situation doesn't happen in the future with a production network.

Are you connecting both VLAN ports to ports on an unmanaged switch anywhere?  Or to put it another way, are you certain that both VLANs are isolated throughout the network?

When you configured the Netopia with two different LAN addresses, one on each subnet, was that using a secondary IP on the same layer 2 port, or was it with VLANs?

VLANs are much cleaner than simply having two subnets sharing the wire which is sometimes referred to as "ships passing in the night", but it does take a bit more configuration.

Any chance of posting a sketch of your network layout and the configuration of the box? 

joep
New Contributor

Re: Learning How to Configure

I understand that VLANs are more isolated, but I've been fine with the situation as is ("ships passing in the night") for a long time.  Basically by selecting an IP and a gateway I was able to easily direct the devices that needed reliable static access and/or external NAT to the slower DSL and the devices with simpler high speed demands to the cable modem.  I'm not planning to change to intelligent switches anytime soon, especially since that would involve running a second backbone cable.  Here's my setup, in very simple terms:

SDSL router (10.x and 10.y)
Switch 1 -- dual-homed workstation, some 10.x devices
|
Switch 2 -- 10.y servers, multi-homed server
|
Switch 3 -- many 10.x devices, 10.x wifi access point
Cable modem (10.x) with DHCP

Here's my configuration minus password stuff.  I substituted 10.x and 10.y to more easily identify the high-speed (10.x) and SDSL (10.y) components, although technically some 10.x devices are routed to the SDSL router by simply using its 10.x address as their gateway.  As I said, this has all worked wonderfully for some time now.  Instead, what I have right now is inbound only on only the 10.y subnet.  I can't even plug in the 10.x subnet port (switchport 0/1) without getting a storm.  I don't have time at this current moment, but as soon as I get a chance I'll disable BPDU again and report my results.

Note: on this configuration, I can get inbound traffic to both my email server (10.y.1.181) and my web server (10.y.1.180) via MY.ST.IP.69 and MY.ST.IP.68, respectively.  I cannot, however, access my VNC server at MY.ST.IP.68.  Nor can I do any outbound.

hostname "NetVanta3133"
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
ip domain-proxy
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
ip dhcp-server pool "Private"
  network 10.10.10.0 255.255.255.0
  dns-server 10.10.10.1
  netbios-node-type h-node
  default-router 10.10.10.1
!
vlan 1
  name "Default"
!
vlan 100
  name "10.x"
  shutdown
!
vlan 101
  name "10.y"
!
interface switchport 0/1
  no shutdown
  switchport access vlan 100
!
interface switchport 0/2
  spanning-tree edgeport
  no shutdown
  switchport access vlan 101
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface vlan 1
  ip address  MY.ST.IP.65  255.255.255.248
  ip ffe
  ip access-policy Private
  no shutdown
!
interface vlan 100
  description 10.x Internal
  mac-address 00:A0:C8:8A:C6:2D
  ip address  10.x.0.230  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  shutdown
!
interface vlan 101
  mac-address 00:A0:C8:8A:C6:2E
  ip address  10.y.1.230  255.255.255.0
  ip access-policy Private
  no rtp quality-monitoring
  no shutdown
!
interface sdsl 0/1
  line-rate-mode fixed
  line-rate 384
  no shutdown
!
interface sdsl 0/2
  shutdown
!
interface atm 100 point-to-point
  no shutdown
  cross-connect 100 sdsl 0/1 atm 100
!
interface atm 100.1 point-to-point
  no shutdown
  pvc 0/38
  ip address  MY.EX.WA.IP  255.255.255.0
  ip address  MY.ST.IP.66  255.255.255.255  secondary
  ip address  MY.ST.IP.67  255.255.255.255  secondary
  ip address  MY.ST.IP.68  255.255.255.255  secondary
  ip address  MY.ST.IP.69  255.255.255.255  secondary
  ip address  MY.ST.IP.70  255.255.255.255  secondary
  ip access-policy Public
  no fair-queue
!
interface atm 100.99 point-to-point
  no shutdown
  pvc 0/34
  ip address icmp 255.255.255.0
!
interface atm 200 point-to-point
  no shutdown
  cross-connect 200 sdsl 0/2 atm 200
!
interface atm 200.1 point-to-point
  no shutdown
  pvc 0/38
  no ip address
  no fair-queue
!
interface atm 200.99 point-to-point
  no shutdown
  pvc 0/35
  ip address icmp 255.255.255.252
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended web-acl-10
  remark 67:25 -> y.180
  permit tcp any  host MY.ST.IP.67 eq smtp   log
  permit tcp any  host MY.ST.IP.67 eq pop3   log
!
ip access-list extended web-acl-11
  remark 69:25 -> y.181
  permit tcp any  host MY.ST.IP.69 eq smtp   log
  permit tcp any  host MY.ST.IP.69 eq pop3   log
!
ip access-list extended web-acl-12
  remark 68:5900 -> y.51
  permit tcp any  host MY.ST.IP.68 range 5900 5901   log
!
ip access-list extended web-acl-8
  remark 67:80 -> x.180
  permit tcp any  host MY.ST.IP.67 eq www   log
!
ip access-list extended web-acl-9
  remark 68:80 -> y.180
  permit tcp any  host MY.ST.IP.68 eq www   log
!
ip policy-class Private
  allow list self self
  allow list self self
  allow list wizard-ics policy Public
  allow list wizard-ics policy Public
!
ip policy-class Public
  nat destination list web-acl-8 address 10.x.0.180
  nat destination list web-acl-9 address 10.y.1.180
  nat destination list web-acl-10 address 10.y.1.180
  nat destination list web-acl-11 address 10.y.1.181
  nat destination list web-acl-12 address 10.y.1.51
  allow list self self
  allow list self policy Private
  allow list self policy Private
  allow list self self
!
ip route 0.0.0.0 0.0.0.0 atm 100.1
!
no ip tftp server
no ip tftp server overwrite
ip http server
ip http secure-server
no ip snmp agent
ip ftp server
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!

jayh
Honored Contributor

Re: Learning How to Configure (accepted solution)

Well, you can collapse your private VLANs to one as follows, first remove VLAN 101:

!
interface vlan 100
  description 10.x-y Internal
  ip address  10.x.0.230  255.255.255.0
  ip address  10.y.1.230  255.255.255.0 secondary
  ip access-policy Private
  no rtp quality-monitoring
  no shutdown
!

The following looks wrong, not sure what you're trying to accomplish:

!
interface vlan 1
  ip address  MY.ST.IP.65  255.255.255.248
  ip ffe
  ip access-policy Private
  no shutdown
!

This is on the Public subnet but access-policy private.  You can probably just use it as a secondary on the ATM interface along with the others. 
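The mismatch jayh points out (a Private access-policy on an interface whose subnet is the public static block) is easy to miss by eye in a long config. The script below is an added example, not code from this thread or from ADTRAN: it parses the interface stanzas of an AOS-style config laid out like the one posted above, reports every Private-policy interface whose subnet contains an address that is configured under the Public policy, and lists the subnets on the collapsed VLAN so you can confirm both internal networks are present. The sample config is constructed: the MY.ST.IP placeholders are replaced with the documentation range 203.0.113.0/24 and 10.x / 10.y with 10.1 / 10.2; the interface names and command syntax follow the thread.

```python
"""Audit an ADTRAN AOS-style config for address/policy mismatches.

Added example (not from the thread or from ADTRAN). It reads the interface
stanzas of a config laid out like the one posted above and reports interfaces
that carry the Private access-policy while their subnet contains an address
configured under the Public policy.
"""
import ipaddress
import re

# Constructed sample mirroring the thread's layout. The post's MY.ST.IP
# placeholders become the documentation range 203.0.113.0/24 and the
# 10.x / 10.y subnets become 10.1 / 10.2; none of these are real addresses.
SAMPLE_CONFIG = """\
interface switchport 0/1
  no shutdown
  switchport access vlan 100
!
interface vlan 1
  ip address  203.0.113.65  255.255.255.248
  ip ffe
  ip access-policy Private
  no shutdown
!
interface vlan 100
  description 10.x-y Internal
  ip address  10.1.0.230  255.255.255.0
  ip address  10.2.1.230  255.255.255.0 secondary
  ip access-policy Private
  no shutdown
!
interface atm 100.1 point-to-point
  no shutdown
  pvc 0/38
  ip address  203.0.113.2  255.255.255.0
  ip address  203.0.113.66  255.255.255.255  secondary
  ip address  203.0.113.67  255.255.255.255  secondary
  ip address  203.0.113.68  255.255.255.255  secondary
  ip access-policy Public
!
"""

ADDR_RE = re.compile(r"ip address\s+(\S+)\s+(\S+)(?:\s+secondary)?$")
POLICY_RE = re.compile(r"ip access-policy\s+(\S+)$")


def parse_interfaces(config_text):
    """Map each interface (e.g. 'vlan 1', 'atm 100.1') to its addresses and policy."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # keep type and number, drop qualifiers such as 'point-to-point'
            current = " ".join(line.split()[1:3])
            interfaces[current] = {"addresses": [], "policy": None}
        elif line == "!":
            current = None
        elif current is not None:
            m = ADDR_RE.match(line)
            if m:
                try:
                    interfaces[current]["addresses"].append(
                        ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}"))
                except ValueError:
                    pass  # placeholder text such as MY.ST.IP.65 is skipped
                continue
            m = POLICY_RE.match(line)
            if m:
                interfaces[current]["policy"] = m.group(1)
    return interfaces


def find_policy_mismatches(interfaces):
    """Private-policy interfaces whose subnet holds an address that is under
    the Public policy: the 'vlan 1' situation flagged in the reply above."""
    public_addrs = [a.ip for d in interfaces.values() if d["policy"] == "Public"
                    for a in d["addresses"]]
    findings = []
    for name, d in interfaces.items():
        if d["policy"] != "Private":
            continue
        for iface_addr in d["addresses"]:
            net = iface_addr.network
            inside = [str(p) for p in public_addrs if p in net]
            if inside:
                findings.append((name, str(net), inside))
    return findings


def internal_subnets(interfaces, name):
    """Sorted subnets (primary and secondary) on one interface, to confirm
    that a collapsed VLAN really carries both internal networks."""
    return sorted(str(a.network) for a in interfaces[name]["addresses"])


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    print("vlan 100 carries:", internal_subnets(parsed, "vlan 100"))
    for name, net, inside in find_policy_mismatches(parsed):
        print(f"{name}: {net} is access-policy Private but holds Public addresses {inside}")
```

Run against a real exported config, the address lines with placeholders are skipped rather than aborting the parse, so the audit still reports on the interfaces that carry real addresses.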

joep
New Contributor

Re: Learning How to Configure

Thanks for bearing with me, Jay.  I'm getting farther.  I've nuked my second VLAN and inbound email is still working, so that's one step forward.  Now I need to work on the other stuff.

The "vlan 1" you see is what my wonderful DSL provider set up for me.  It's some sort of default; they're really not sure how to set up these modems.  So that VLAN is useless as far as I can tell.

What I need to get working next is outbound traffic.  I'm getting much closer.  I was just able to ping out via the 10.y gateway address on the reconfigured VLAN from one of the 10.y servers.  I have to tend to other things, but I'll try again later.

Thanks again so much for your help.

joep
New Contributor

Re: Learning How to Configure

Okay, I lied.  I cannot ping outside the local network.  It's odd.  I can ping any of my external IPs from inside the network.  It's like the NetVanta sees that it's really one of its own addresses and returns the ping.  Makes sense, I guess, I just never thought of it.  But trying to ping anything else (even Google, 8.8.8.8) just hangs.  On to the next bit of discovery!

joep
New Contributor

Re: Learning How to Configure

Okay, I got knocked off the project for a month, but I'm back on it.  Using jayh's instruction and a little playing around, I got just about everything inbound that I need; now I have to figure out how to get outbound traffic.  I'll do some reading and then start another thread.