i want to route through two different vlans on foundry router

Discussion in 'Networking & NAS' started by frankyjb59, Jul 27, 2018.

  1. frankyjb59

    Hello. I'm running a Foundry FastIron GS648P running FGSL07202a.bin, which as you know is layer 3.
    The config is below.
    There are devices on VLAN 1 which I want devices on VLAN 10 to see. I would try this with routing, but how do I do this?

    For example, in VLAN 1 in port 36 there is a time sync.
    Every device can see it on VLAN 1 but none can on VLAN 10. I want all devices on both VLANs to see it.
    There's also a NAS on port 20 which I want visible on both VLANs.
    How do I do this? I tried hybrid ports but no luck.
    Thank you.


    ver 07.2.02aT7e1
    !
    module 1 fgs-48-port-management-module
    !
    !
    !
    !
    vlan 1 name DEFAULT-VLAN by port
    router-interface ve 1
    !
    vlan 10 name test by port
    untagged ethe 0/1/1 to 0/1/2 ethe 0/1/13 to 0/1/14
    router-interface ve 10
    !
    !
    !
    !
    !
    !
    !
    !
    aaa authentication web-server default local
    aaa authentication enable default local
    boot sys fl sec
    enable telnet authentication
    enable user disable-on-login-failure 5
    enable user password-masking
    hostname LCRRouter02
    ip dhcp snooping vlan 1
    ip default-network 192.168.1.254/24
    ip dns domain-name broadband
    ip dns server-address 192.168.1.254
    username tech password .....
    no web-management hp-top-tools
    no web-management http
    ssh access-group 50
    interface ethernet 0/1/48
    dhcp snooping trust
    !
    interface ve 1
    ip address 192.168.1.4 255.255.255.0
    !
    interface ve 10
    ip address 192.168.2.4 255.255.255.0
    ip bootp-gateway 192.168.1.254
    !
    !
    !
    access-list 50 permit 192.168.1.0 0.0.0.255
    access-list 50 deny any
    !
    !
    !
    !
    ip ssh authentication-retries 5
    ip ssh idle-time 10
    ip ssh key-authentication no
    ip ssh source-interface ve 1
    !
     
  2. mickevh

    Do you appreciate that network broadcast traffic does not propagate across routers...? A lot of protocols designed to make life "easy" for SOHO users rely on network broadcasts to (for example) let service providers advertise their presence so that service users can "find" the provider.

    Can you ping any devices on one VLAN from the other?

    Can you ping the default gateway of each VLAN from a device on the respective VLAN?

    Can you ping anything on the Internet (try the BBC) from a client on each VLAN?

    I don't know your router OS, but it would appear you have an ACL for subnet 192.168.1.0 but no interface bound to that subnet.

    It might be useful if you grab a copy of the router's routing table and post it.
     
  3. frankyjb59

    I can ping the router interface on VLAN 1 from a client plugged into VLAN 10, but only if I add a route into the client, and I thought the router was supposed to take away the need to do that.

    No. I can ping 192.168.1.254 from any station on VLAN 1. They have subnet 192.168.1, whereas the subnet on VLAN 2 is 192.168.2 and anything on that can only ping 192.168.2. The router interface on each VLAN is supposed to allow routing between the 2, but it isn't doing.
    On VLAN 1, yes. On VLAN 10, no. Wrong subnet and routing isn't working.

    It's bound to 192.168.1, VLAN 1, and it's only bound to SSH.

    BR-LCRRouter02(config)#show ip route
    Total number of IP routes: 2, avail: 1018 (out of max 1020)
    D:Connected R:RIP S:Static O:OSPF *:Candidate default
          Destination     NetMask         Gateway     Port    Cost    Type
    1     192.168.1.0     255.255.255.0   0.0.0.0     v1      1       D
    2     192.168.2.0     255.255.255.0   0.0.0.0     v10     1       D
    BR-LCRRouter02(config)#
     
  4. mickevh

    I am sorry, I made a couple of mistakes in my last reply - I probably should not have intervened whilst spending time with aunty Stella! Please consider this a bit of a "reset and do over" now that I'm fully sober.

    I presume 192.168.1.254 is your ISP supplied router and link to the Internet and is a DHCP Server.

    I will further assume that the DHCP leases handed out by your ISP router designate 192.168.1.254 as the default gateway for devices on subnet 192.168.1.0. It may not be serving back leases to the 192.168.2.0 subnet at all, of which more later.

    For a device on 192.168.1.0 to reach 192.168.2.0, ideally I would add a static route in router 192.168.1.254 to tell it how to reach the 192.168.2.0 subnet. ie, 192.168.2.0/24 should be reached through gateway 192.168.1.4. Some ISP routers will let you create such a route, some won't.

    Alternatively, as I believe you have discovered, you could add a static route to 192.168.2.0 on each client on the 192.168.1.0 subnet (or possibly include such a static route in a DHCP lease option, though SOHO routers seldom have DHCP servers that allow this level of customisation.) Doable, but a bit of a pain - go for the static route on the ISP router if it will let you, then you're not having to fiddle with static routes on VLAN 1 clients.

    For the 192.168.2.0 subnet, things might be a little trickier.

    I see you have set up something that looks like a DHCP Relay agent (ip bootp-gateway 192.168.1.254). The trouble is, I'm not sure a SOHO router will be able to service multiple DHCP scopes (subnets) to provide IP Leases to a second subnet. Are clients on 192.168.2.0 receiving DHCP leases..?

    If you set up 192.16.8.2.0 clients with statically assigned IP addressing, then you'd want to do it much as you might expect: Give each a 192.168.2.X IP address, subnet mask of 255.255.255.0 and default gateway of 192.168.2.4. And DNS Server 192.168.1.254 for good measure. You shouldn't need to give them a route to 192.168.1.0 as the default gateway setting should sort that out via the Foundry.

    On the foundry router, the routing table looks fine apart from I would add a "default route" to it (note "default route" not "default gateway" - they are different things.) Often a default route is expressed as IP address 0.0.0.0/0.0.0.0 (or 0.0.0.0/0 if you prefer CIDR notation) or maybe there's a separate "setting" for it. Check the Foundry manual for "default route" and it will probably give you the correct steer.

    On the Foundry, set a default route pointing to "next hop" 194.168.1.254 which will (should) tell the Foundry to send anything it doesn't know what else to do with to the ISP router to sort out.

    If you care to look, (if it will let you,) your ISP router will have a default route telling the ISP router to "send everything I don't know about to the ISP." (Which is why, ideally, we want to give the ISP router a route to the 192.168.2.0 subnet so it doesn't send all that traffic up to the ISP (or more likely drop it as 192.168.X.Y are not publicly routable networks and many SOHO routers/firewalls automatically drop traffic to them.))

    Even though clients on the 192.168.2.0 subnet don't have an explicitly expressed route to 192.168.1.0, because they "know" to send all non-local traffic to 192.168.2.4 (ie the Foundry's VLAN 10 interface) and the Foundry "knows" how to reach 192.168.1.0, that should sort out any 192.168.2.0 to 192.168.1.0 traffic flows.

    Whilst you are initially setting this up and testing it, I would not bother with any ACLs. Get the basic routing functionality working first, then add in some ACLs if you want to police traffic flows. However, if the ACL you have is only on the SSH port, then it's probably no big deal.

    Then, ping everything from everything else and see what does and doesn't reply:

    From a client on the 192.168.1.0 subnet ping 192.168.1.254, 192.168.1.4, 192.168.2.4 and for good measure something else on the 192.168.2.0 subnet if there's something up and running and pingable. And ping something on the Internet (I recommend the BBC or AVF as their web servers usually answer ping - a lot of Web servers have turned off ping response as it's seen as a security risk.)

    From a client on the 192.168.2.0 subnet, ping 192.168.2.4, 192.168.1.4, 192.168.1.254 and again something on the Internet.

    EDIT: Incidentally, this is not the only way to address this, we could make the Foundry the default gateway on VLAN 1 and thence have it hand off all the Internet traffic to your ISP router, but again the lack of granularity of control of a SOHO DHCP Server will make it unlikely to be easy to achieve (you'd have to not use DHCP.) Likewise, creating an additional VLAN for the ISP link, again the lack of functionality in SOHO DHCP servers would mean all IP allocation would probably have to be manual.
     
    Last edited: Jul 29, 2018
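
The return-path problem described in the reply above, as an added example that is not part of the original thread: a small Python model of the devices' routing tables, showing that a VLAN 10 client's ping reaches the NAS but the reply is lost at the ISP router until that router has a route to 192.168.2.0/24 via 192.168.1.4. The host addresses 192.168.1.20 (NAS) and 192.168.2.50 (VLAN 10 client), the ISP router's table, and the clients' default gateways are assumptions; the other addresses come from the posted config.

```python
import ipaddress

WAN = "WAN"        # handed to the ISP; private destinations are lost there
DIRECT = "direct"  # destination is on a connected subnet

def build(isp_static_route):
    """Return {name: (addresses, routes)} for the topology in the thread."""
    isp_routes = [("192.168.1.0/24", DIRECT), ("0.0.0.0/0", WAN)]
    if isp_static_route:  # the static route suggested in the reply
        isp_routes.append(("192.168.2.0/24", "192.168.1.4"))
    return {
        "isp": (["192.168.1.254"], isp_routes),
        "foundry": (["192.168.1.4", "192.168.2.4"],
                    [("192.168.1.0/24", DIRECT), ("192.168.2.0/24", DIRECT)]),
        # Constructed host addresses; gateways as a DHCP lease / static setup would give
        "nas": (["192.168.1.20"],
                [("192.168.1.0/24", DIRECT), ("0.0.0.0/0", "192.168.1.254")]),
        "pc10": (["192.168.2.50"],
                 [("192.168.2.0/24", DIRECT), ("0.0.0.0/0", "192.168.2.4")]),
    }

def lookup(routes, dst):
    """Longest-prefix match: gateway of the most specific route, or None."""
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def owner(nodes, ip):
    """Name of the device that holds this address, or None."""
    return next((n for n, (addrs, _) in nodes.items() if ip in addrs), None)

def trace(nodes, src, dst_ip):
    """Follow one packet hop by hop; returns (path, delivered)."""
    path, here = [src], src
    for _ in range(8):  # hop limit, guards against routing loops
        if dst_ip in nodes[here][0]:
            return path, True
        gw = lookup(nodes[here][1], dst_ip)
        if gw in (None, WAN):
            return path + [gw or "no route"], False
        nxt = owner(nodes, dst_ip if gw == DIRECT else gw)
        if nxt is None:
            return path + ["unreachable"], False
        path, here = path + [nxt], nxt
    return path, False

def ping(nodes, src, dst):
    """Echo request src -> dst and echo reply dst -> src; both must arrive."""
    out = trace(nodes, src, nodes[dst][0][0])
    back = trace(nodes, dst, nodes[src][0][0])
    return out, back, out[1] and back[1]
```

Calling `ping(build(False), "pc10", "nas")` shows the request arriving and the reply leaving via the ISP router's default route; `build(True)` adds the static route and the reply comes back through the Foundry.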
  5. maf1970

    GS Series are enterprise-class Layer 2/Base Layer 3 switches that have a CLI interface that is very similar to Cisco.
    I would start with show version at the CLI as that will tell us exactly what version we are dealing with.
     
