8 Replies Latest reply on May 24, 2014 6:51 AM by joep

    Learning How to Configure

    joep New Member

      Hi Everyone!

       

      Before I ask a specific question, I'd like to see if the community can point me to the appropriate documents to educate myself.  My situation is pretty simple:

       

      1. I have a NetVanta 3133 SDSL router connected to a single SDSL provider

      2. I have a number of static IPs which are routed to that router

      3. I also have a high-speed cable modem with no static IPs

      4. I have two internal subnets, 10.x (personal) and 10.y (business)

      5. I have a website and a mail server that live on 10.y and get routed through the SDSL router

      6. I have another website that lives on 10.x that I'd like to route through the SDSL router (because of the static IPs)

       

      The high-speed modem is my gateway for 10.x.  My SDSL router is my gateway for 10.y.  Until now I had a Netopia router and it was pretty easy to configure all of this.  With the NetVanta it's a little more challenging, at least for me.  I created two VLANs, one for 10.x and one for 10.y, and assigned each to a different switchport.  I learned how to do port forwarding and I've managed to assign different external static IPs to different internal ports.  I was able to get most of the individual pieces working at one time or another, including access to both the 10.x website and the 10.y website and mail server.  Here are some of the issues I've run across:

       

      1. I can't have both VLANs up unless I filter BPDU.

      2. If I don't filter BPDU, as soon as I connect the second port to my network, one goes to Blocking status and I'm done.

      3. If I do filter BPDU, I get other inconsistent results which I haven't yet had the time to completely isolate.

      4. I haven't figured out how to originate outbound traffic from within either the 10.x or 10.y subnets, even if I only have one VLAN active and connected (at the end of the day, I may not want to do 10.x, but I definitely need 10.y).

       

      So.  I thought getting two subnets would be easy, but I'm not succeeding just yet.  Right now I've only got one subnet connected, and it's inbound only.  Am I on the right path for what I'm trying to do?  Are there manuals or tutorials I need to read that will help enlighten me?  Am I missing a basic point of some kind here?  It's especially frustrating because I had all of this working with the Netopia.

       

      Anyway, I'm happy to do more reading on my own before I ask silly questions.  But any suggestions or comments are welcomed.  I'm going out of town so I won't be able to do anything this week except read (I'm afraid to do anything that might require a physical reset of the box or involve connecting or disconnecting switchports from the network), but I plan to get back at this full-time this weekend.

       

      Thanks in advance for any support!

       

      P.S. One other thing I found - if the 10.x VLAN is enabled, it tends to shut down other computers in that subnet; they get Windows IP address conflicts, even though there are none.  I have to go in and disable that VLAN and reset the adapters on the affected PCs.

        • Re: Learning How to Configure
          jayh Hall_of_Fame

          Your BPDU issues are due to spanning-tree problems, a layer-2 protocol. Search documentation for spanning tree.   Make sure that any devices that are connected that should only see a single VLAN are configured as access ports for that VLAN.  Avoid connecting "dumb" switches to trunk ports.  Avoid "dumb" switches period.

           

          Your issue with computers shutting down and duplicate address problems could also be related to layer 2.  Look for duplicate DHCP servers.  Be aware that Windows DHCP servers tend to cause problems if connected to a trunk port as they don't handle VLANs very well. Search documentation on DHCP, broadcasts, etc.

           

          Routing your websites through the same WAN link from different LAN subnets should be do-able.  You might have to do some policy routing depending on how the other hosts on that LAN are supposed to route.  Search documentation on NAT, ip policy, and policy routing.

            • Re: Learning How to Configure
              joep New Member

              After reading about spanning trees, my immediate thought is that I don't really need spanning trees.  Seriously, I've only got a dozen devices and maybe a dozen more virtual machines, most on one of two subnets.  Two of my machines need to talk to both networks, and the rest talk only to one.  I've got three switches that route everything (basically one per floor).  I NAT specific ports from the various static IPs to different internal servers, some 10.x, some 10.y.  All of this has worked flawlessly for years.

               

              I don't have multiple DHCP servers; I only use the cable modem to hand out addresses to mobile devices.  Everything else is statically addressed and in fact the devices getting the errors are statically addressed.  Those devices start getting IP conflict messages when the NetVanta is connected to the internal network.

               

              Again, my real problem is that this all worked wonderfully with the Netopia.  I simply configured the Netopia with two different LAN addresses, one on each subnet, and each device that needed external IP addresses used the Netopia as its gateway.  Those that didn't need external used the 10.x network and pointed to the cable modem as their gateway.  All I want to do is replicate that simple architecture.

                • Re: Learning How to Configure
                  jayh Hall_of_Fame

                  If you are seeing ports going into a blocking state and filtering BPDU results in "other inconsistent results" such as a giant storm, you have a bridging loop.  Something is cabled wrong, there are VLAN mismatches, one or more switches are connected in a loop, etc.  So you probably do need spanning-tree to ensure that this situation doesn't happen in the future with a production network.

                   

                  Are you connecting both VLAN ports to ports on an unmanaged switch anywhere?  Or to put it another way, are you certain that both VLANs are isolated throughout the network?

                   

                  When you configured the Netopia with two different LAN addresses, one on each subnet, was that using a secondary IP on the same layer 2 port, or was it with VLANs?

                   

                  VLANs are much cleaner than simply having two subnets sharing the wire which is sometimes referred to as "ships passing in the night", but it does take a bit more configuration.

                   

                  Any chance of posting a sketch of your network layout and the configuration of the box? 

                    • Re: Learning How to Configure
                      joep New Member

                      I understand that VLANs are more isolated, but I've been fine with the situation as is ("ships passing in the night") for a long time.  Basically by selecting an IP and a gateway I was able to easily direct the devices that needed reliable static access and/or external NAT to the slower DSL and the devices with simpler high speed demands to the cable modem.  I'm not planning to change to intelligent switches anytime soon, especially since that would involve running a second backbone cable.  Here's my setup, in very simple terms:

                       

                      SDSL router (10.x and 10.y)
                      Switch 1 -- dual-homed workstation, some 10.x devices
                      |
                      Switch 2 -- 10.y servers, multi-homed server
                      |
                      Switch 3 -- many 10.x devices, 10.x wifi access point
                      Cable modem (10.x) with DHCP

                       

                       

                      Here's my configuration minus password stuff.  I substituted 10.x and 10.y to more easily identify the high-speed (10.x) and SDSL (10.y) components, although technically some 10.x devices are routed to the SDSL router by simply using its 10.x address as their gateway.  As I said, this has all worked wonderfully for some time now.  Instead, what I have right now is inbound only on only the 10.y subnet.  I can't even plug in the 10.x subnet port (switchport 0/1) without getting a storm.  I don't have time at this current moment, but as soon as I get a chance I'll disable BPDU again and report my results.

                       

                      Note: on this configuration, I can get inbound traffic to both my email server (10.y.1.181) and my web server (10.y.1.180) via MY.ST.IP.69 and MY.ST.IP.68, respectively.  I cannot, however, access my VNC server at MY.ST.IP.68.  Nor can I do any outbound.

                       

                       

                       

                      hostname "NetVanta3133"
                      !
                      clock timezone -8
                      clock no-auto-correct-DST
                      !
                      ip subnet-zero
                      ip classless
                      ip routing
                      !
                      !
                      ip domain-proxy
                      !
                      !
                      event-history on
                      no logging forwarding
                      logging forwarding priority-level info
                      no logging email
                      !
                      !
                      ip firewall
                      no ip firewall alg msn
                      no ip firewall alg mszone
                      no ip firewall alg h323
                      !
                      !
                      no dot11ap access-point-control
                      !
                      !
                      ip dhcp-server pool "Private"
                        network 10.10.10.0 255.255.255.0
                        dns-server 10.10.10.1
                        netbios-node-type h-node
                        default-router 10.10.10.1
                      !
                      !
                      !
                      !
                      !
                      !
                      !
                      !
                      !
                      vlan 1
                        name "Default"
                      !
                      vlan 100
                        name "10.x"
                        shutdown
                      !
                      vlan 101
                        name "10.y"
                      !
                      !
                      interface switchport 0/1
                        no shutdown
                        switchport access vlan 100
                      !
                      interface switchport 0/2
                        spanning-tree edgeport
                        no shutdown
                        switchport access vlan 101
                      !
                      interface switchport 0/3
                        no shutdown
                      !
                      interface switchport 0/4
                        no shutdown
                      !
                      !
                      !
                      interface vlan 1
                        ip address  MY.ST.IP.65  255.255.255.248
                        ip ffe
                        ip access-policy Private
                        no shutdown
                      !
                      interface vlan 100
                        description 10.x Internal
                        mac-address 00:A0:C8:8A:C6:2D
                        ip address  10.x.0.230  255.255.255.0
                        ip access-policy Private
                        no rtp quality-monitoring
                        shutdown
                      !
                      interface vlan 101
                        mac-address 00:A0:C8:8A:C6:2E
                        ip address  10.y.1.230  255.255.255.0
                        ip access-policy Private
                        no rtp quality-monitoring
                        no shutdown
                      !
                      interface sdsl 0/1
                        line-rate-mode fixed
                        line-rate 384
                        no shutdown
                      !
                      interface sdsl 0/2
                        shutdown
                      !
                      !
                      !
                      !
                      interface atm 100 point-to-point
                        no shutdown
                        cross-connect 100 sdsl 0/1 atm 100
                      !
                      interface atm 100.1 point-to-point
                        no shutdown
                        pvc 0/38
                        ip address  MY.EX.WA.IP  255.255.255.0
                        ip address  MY.ST.IP.66  255.255.255.255  secondary
                        ip address  MY.ST.IP.67  255.255.255.255  secondary
                        ip address  MY.ST.IP.68  255.255.255.255  secondary
                        ip address  MY.ST.IP.69  255.255.255.255  secondary
                        ip address  MY.ST.IP.70  255.255.255.255  secondary
                        ip access-policy Public
                        no fair-queue
                      !
                      interface atm 100.99 point-to-point
                        no shutdown
                        pvc 0/34
                        ip address icmp 255.255.255.0
                      !
                      interface atm 200 point-to-point
                        no shutdown
                        cross-connect 200 sdsl 0/2 atm 200
                      !
                      interface atm 200.1 point-to-point
                        no shutdown
                        pvc 0/38
                        no ip address
                        no fair-queue
                      !
                      interface atm 200.99 point-to-point
                        no shutdown
                        pvc 0/35
                        ip address icmp 255.255.255.252
                      !
                      !
                      !
                      ip access-list standard wizard-ics
                        remark Internet Connection Sharing
                        permit any
                      !
                      !
                      ip access-list extended self
                        remark Traffic to NetVanta
                        permit ip any  any     log
                      !
                      ip access-list extended web-acl-10
                        remark 67:25 -> y.180
                        permit tcp any  host MY.ST.IP.67 eq smtp   log
                        permit tcp any  host MY.ST.IP.67 eq pop3   log
                      !
                      ip access-list extended web-acl-11
                        remark 69:25 -> y.181
                        permit tcp any  host MY.ST.IP.69 eq smtp   log
                        permit tcp any  host MY.ST.IP.69 eq pop3   log
                      !
                      ip access-list extended web-acl-12
                        remark 68:5900 -> y.51
                        permit tcp any  host MY.ST.IP.68 range 5900 5901   log
                      !
                      ip access-list extended web-acl-8
                        remark 67:80 -> x.180
                        permit tcp any  host MY.ST.IP.67 eq www   log
                      !
                      ip access-list extended web-acl-9
                        remark 68:80 -> y.180
                        permit tcp any  host MY.ST.IP.68 eq www   log
                      !
                      !
                      ip policy-class Private
                        allow list self self
                        allow list self self
                        allow list wizard-ics policy Public
                        allow list wizard-ics policy Public
                      !
                      ip policy-class Public
                        nat destination list web-acl-8 address 10.x.0.180
                        nat destination list web-acl-9 address 10.y.1.180
                        nat destination list web-acl-10 address 10.y.1.180
                        nat destination list web-acl-11 address 10.y.1.181
                        nat destination list web-acl-12 address 10.y.1.51
                        allow list self self
                        allow list self policy Private
                        allow list self policy Private
                        allow list self self
                      !
                      !
                      !
                      ip route 0.0.0.0 0.0.0.0 atm 100.1
                      !
                      no ip tftp server
                      no ip tftp server overwrite
                      ip http server
                      ip http secure-server
                      no ip snmp agent
                      ip ftp server
                      no ip scp server
                      no ip sntp server
                      !
                      !
                      ip sip udp 5060
                      ip sip tcp 5060
                      !
                      !

                        • Re: Learning How to Configure
                          jayh Hall_of_Fame

                          Well, you can collapse your private VLANs to one as follows; first remove VLAN 101:

                           

                          !
                          interface vlan 100
                            description 10.x-y Internal
                            ip address  10.x.0.230  255.255.255.0
                            ip address  10.y.1.230  255.255.255.0 secondary
                            ip access-policy Private
                            no rtp quality-monitoring
                            no shutdown
                          !

                           

                           

                          The following looks wrong, not sure what you're trying to accomplish: 

                           

                          !
                          interface vlan 1
                            ip address  MY.ST.IP.65  255.255.255.248
                            ip ffe
                            ip access-policy Private
                            no shutdown
                          !

                          This is on the Public subnet but access-policy private.  You can probably just use it as a secondary on the ATM interface along with the others. 
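Editor's note (an added example; it is not part of the thread and not ADTRAN's or either poster's code): beyond the VLAN question, the policy-class lines in the config posted above carry several things a practitioner would check before leaving the box on a public SDSL circuit. The `self` access list is `permit ip any any log`, and the `Public` policy-class uses it in `allow list self self` and `allow list self policy Private`, so the firewall admits any WAN source to the router itself and to the private policy-class rather than only the `nat destination` port forwards; `ip ftp server` and `ip http server` are enabled on the same box; `web-acl-12` forwards VNC (5900-5901) from any source; both policy-classes repeat their rules; and `Private` has no `nat source` rule, so LAN traffic that matches `allow list wizard-ics policy Public` is forwarded out with its 10.x or 10.y source address, which is consistent with the outbound pings reported later in the thread never getting a reply. The Python below parses those blocks, reports each of those conditions, and runs the same checks over an assumed corrected fragment. The finding codes, function names, the `203.0.113.10` management host and the `nat source list wizard-ics interface atm 100.1 overload` line are assumptions of this example; confirm the exact `nat source` syntax against the AOS command reference for your firmware before using it.

```python
"""Added example (not ADTRAN's or any poster's code): audit the firewall blocks of an AOS config."""
import re
# Trimmed copy of the running-config posted in the thread (placeholders kept, block separators dropped).
POSTED_CONFIG = """\
ip access-list standard wizard-ics
  permit any
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
ip access-list extended web-acl-12
  permit tcp any  host MY.ST.IP.68 range 5900 5901   log
ip policy-class Private
  allow list self self
  allow list self self
  allow list wizard-ics policy Public
  allow list wizard-ics policy Public
ip policy-class Public
  nat destination list web-acl-12 address 10.y.1.51
  allow list self self
  allow list self policy Private
  allow list self self
!
ip http server
ip ftp server
"""

# Assumed corrected fragment (not from the thread, untested on a NetVanta): LAN traffic
# is source-NATed out the WAN interface, the WAN side keeps only the port forward, VNC
# is limited to one source host, plaintext management is off. wizard-ics is as above.
HARDENED_CONFIG = """\
ip access-list extended web-acl-12
  permit tcp host 203.0.113.10 host MY.ST.IP.68 range 5900 5901
ip policy-class Private
  allow list wizard-ics self
  nat source list wizard-ics interface atm 100.1 overload
ip policy-class Public
  nat destination list web-acl-12 address 10.y.1.51
!
no ip http server
no ip ftp server
"""

REMOTE_ACCESS_PORTS = {"22", "23", "3389", "5900", "5901"}

def parse_blocks(config):
    """Return (acls, policy_classes, top_level_lines) from an AOS config text."""
    acls, policies, top_level, current = {}, {}, [], None
    for line in (raw.rstrip() for raw in config.splitlines()):
        m = re.match(r"ip (access-list (?:standard|extended)|policy-class) (\S+)$", line)
        if m:  # start of a block we audit; its indented lines append to `current`
            table = acls if m.group(1).startswith("access-list") else policies
            current = table.setdefault(m.group(2), [])
        elif line.startswith(" "):
            entry = " ".join(line.split())  # collapse the padded column spacing
            if current is not None and not entry.startswith("remark"):
                current.append(entry)
        else:  # blank line, "!" or an unrelated top-level command closes the block
            current = None
            if line and line != "!":
                top_level.append(" ".join(line.split()))
    return acls, policies, top_level

def permits_any(entries):
    """True for 'permit any' (standard ACL) or 'permit ip any any' (extended)."""
    return any([t for t in e.split() if t != "log"] in
               (["permit", "any"], ["permit", "ip", "any", "any"]) for e in entries)

def exposes_remote_access(entries):
    """True if an entry lets *any* source reach a remote-access port."""
    for toks in (e.split() for e in entries):
        ports = {t for t in toks if t.isdigit()}  # numeric tokens follow eq/range
        if toks[:1] == ["permit"] and toks[2:3] == ["any"] and ports & REMOTE_ACCESS_PORTS:
            return True
    return False

def audit(config):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    acls, policies, top_level = parse_blocks(config)
    findings, wan_any_to_self = [], False
    for name, entries in policies.items():
        for e in dict.fromkeys(e for e in entries if entries.count(e) > 1):
            findings.append(("DUPLICATE_RULE", f"{name}: '{e}'"))
        for e in dict.fromkeys(entries):  # each distinct rule once
            m = re.match(r"allow list (\S+) (self|policy \S+)$", e)
            if m and name == "Public" and permits_any(acls.get(m.group(1), [])):
                findings.append(("WAN_ANY_ALLOW", f"Public: '{e}' admits any source to {m.group(2)}"))
                wan_any_to_self |= m.group(2) == "self"
            m = re.match(r"nat destination list (\S+) address", e)
            if m and name == "Public" and exposes_remote_access(acls.get(m.group(1), [])):
                findings.append(("REMOTE_ACCESS_FORWARDED", f"Public: '{e}' is open to any source"))
        if name == "Private" and not any(e.startswith("nat source") for e in entries):
            findings.append(("NO_SOURCE_NAT", "Private: LAN traffic is forwarded out untranslated"))
    plaintext = [s for s in ("ip ftp server", "ip http server") if s in top_level]
    if plaintext and wan_any_to_self:
        findings.append(("PLAINTEXT_MGMT_WAN", "WAN may reach: " + ", ".join(plaintext)))
    return findings
```

`audit(POSTED_CONFIG)` returns eight findings (three duplicate rules, two WAN allow-any rules, the VNC forward, the missing source NAT and the plaintext management servers); `audit(HARDENED_CONFIG)` returns an empty list. The checker only understands the `ip access-list` and `ip policy-class` blocks and the two management-server lines, so a rule placed in a third policy-class, or an ACL written with a port name instead of a number, needs the regexes extended before the result means anything.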

                            • Re: Learning How to Configure
                              joep New Member


                              Thanks for bearing with me, Jay.  I'm getting farther.  I've nuked my second VLAN and inbound email is still working, so that's one step forward.  Now I need to work on the other stuff.

                               

                              The "vlan 1" you see is what my wonderful DSL provider set up for me.  It's some sort of default; they're really not sure how to set up these modems.  So that VLAN is useless as far as I can tell.

                               

                              What I need to get working next is outbound traffic.  I'm getting much closer.  I was just able to ping out via the 10.y gateway address on the reconfigured VLAN from one of the 10.y servers.  I have to tend to other things, but I'll try again later.

                               

                              Thanks again so much for your help.

                                • Re: Learning How to Configure
                                  joep New Member

                                  Okay, I lied.  I cannot ping outside the local network.  It's odd.  I can ping any of my external IPs from inside the network.  It's like the NetVanta sees that it's really one of its own addresses and returns the ping.  Makes sense, I guess, I just never thought of it.  But trying to ping anything else (even Google, 8.8.8.8) just hangs.  On to the next bit of discovery!

                      • Re: Learning How to Configure
                        joep New Member

                        Okay, I got knocked off the project for a month, but I'm back on it.  Using jayh's instruction and a little playing around, I got just about everything inbound that I need, now I have to figure out how to get outbound traffic.  I'll do some reading and then start another thread.