I'm currently trying to configure a set of switches that we have basically been running in dumb mode for a very long time. The old configuration used essentially a raw base boot, no configuration beyond the bare minimum, etc. Recently we got a SonicWall NSA 3500 as well as a second WAN that we intend to give to our employee workstations' IP subnet so that network use by employees does not affect the website's network usage. We also want to put a couple of the servers, such as the FTP server, on there as well. In order to implement this I decided the best method was to use VLAN association for subnets to dynamically assign people into specific VLANs, and then route the traffic outside through the appropriate uplink port. The connection going outside the network works fine; however, it's breaking down inside the network somehow, specifically on VLAN 4. Nothing can go in or out from VLAN 4 to any other VLAN, including ping requests. Another thing worth noting is that last night systems on VLAN 4 could connect to the internet and were getting the full fiber connection speed using a speed test, and had no issues browsing the internet. However, by this morning, VLAN 4 doesn't allow anything to go outside the network either (this is likely due to the DNS being controlled by the DHCP server on 18.104.22.168, which is connectable when giving out IP leases to machines, but then immediately becomes unresponsive to the VLAN).
All VLANs are assigned dynamically via subnets correctly. VLAN 2 and 3 can both ping each other with <1ms ping and tracerts, and go outside the network just fine via the primary networking bridge on the SonicWall NSA 3500. VLAN 4 cannot ping anything in VLAN 2 or 3, and can't be pinged from VLAN 2 or 3 either. It does not have an internet connection (due to DNS being run on the DHCP server at 22.214.171.124); however, it can access the control panels for the SonicWall on its secondary bridge IP as well as the Cisco router outside of the firewall handling the incoming fiber connection. Traffic appears to be going outside the network just fine, but inside the network it is blocked and I'm having difficulty tracking down why. It's also worth noting that if I take one of the machines that has no internet connection, change the DNS information to Google DNS servers and plug it in to the SonicWall, it gets internet without any issues, so the problem does not appear to be configuration outside the Dell switches. Here is the current configuration that I run from boot after clearing the configuration:
enable
configure
! Stack membership and master election priority
stack
member 1 2
member 2 2
member 3 1
exit
switch 2 priority 11
switch 3 priority 10
! Switch management address and inter-VLAN routing
ip address 192.168.10.217 255.255.255.128
ip default-gateway 192.168.10.129
ip routing
spanning-tree mode mstp
bridge aging-time 1230
username ##snip## password ##snip## level 15 encrypted
username ##snip## password ##snip## level 15 encrypted
username ##snip## password ##snip## level 15 encrypted
username ##snip## password ##snip## level 15 encrypted
username ##snip## password ##snip## level 15 encrypted
! Subnet-based VLAN classification: source subnet decides the VLAN
vlan database
vlan 2-4
vlan association subnet 126.96.36.199 255.255.255.128 2
vlan association subnet 192.168.1.128 255.255.255.128 3
vlan association subnet 192.168.2.128 255.255.255.128 4
exit
! Routed VLAN interfaces; VLAN 3 and 4 relay DHCP to the server
interface vlan 2
name 'CIS 12-46-52-X'
routing
ip address 188.8.131.52 255.255.255.128
exit
interface vlan 3
name 'CIS 192-168-1-X'
routing
ip address 192.168.1.217 255.255.255.128
ip helper-address 184.108.40.206 dhcp
exit
interface vlan 4
name 'CIS 192-168-2-X'
routing
ip address 192.168.2.217 255.255.255.128
ip helper-address 220.127.116.11 dhcp
exit
! AT&T uplink (1/g45, with 2/g45 as the standby on the second stack member), VLANs 1-3 only
interface range ethernet 1/g45,2/g45
spanning-tree guard loop
description 'AT&T T1'
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 1-3
exit
! Frontier FiOS uplink, VLAN 4 only
interface ethernet 3/g21
spanning-tree guard loop
description 'Frontier FiOS'
switchport mode general
switchport general pvid 4
switchport general allowed vlan remove 1-3
switchport general allowed vlan add 4
exit
! Server, patch-panel and workstation ports, all VLANs
interface range ethernet 1/g1-1/g44,2/g1-2/g44,3/g1-3/g20,3/xg3-3/xg4
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 1-4
exit
A little bit more information about our network setup. We have two incoming internet connections. One is a managed Cisco 2821 router from AT&T, the other is a Cisco RV082 V3 that is connected to our Frontier FiOS connection. From there the connections come in to a SonicWall NSA 3500, which has both incoming connections set up in layer 2 bridged mode, and then two links go into the switches. The AT&T LAN connection goes into 1/g45 (or 2/g45 in case the switch fails) and the Frontier connection goes into 3/g21. VLAN 2 and 3 are set up on IP blocks configured by AT&T, one being an external IP block and one being an internal IP block. VLAN 4 is a new IP block I set up on the Cisco RV082 for Frontier. No matter what I try I cannot get connections between VLAN 4 and any other VLANs, which leads me to believe that in order for it to route to those IP addresses on VLAN 2 and 3 it needs to go out to the AT&T router. I have not dabbled with creating routes yet as I'm wary of breaking what currently works; I don't have a test bed to play with and this is a production network, but I will try some out if I have some solid advice ahead of time.
There is also an extremely peculiar issue with the switches. The VLAN subnet associations have to be applied at the end of the script above, or nothing will work correctly. This applies during startup as well. If the switches are rebooted, the network doesn't allow any connections between ANY VLANs, effectively breaking half of the network. The only way to remedy this is to run clear config and then import the settings manually, ending with the VLAN associations. I have no idea what is causing this behavior, but it's been the source of many headaches every time the switches are rebooted.
Do you have a trunk between the 2 PowerConnect switches?
I would recommend updating the firmware on the switch to make sure it is running as smooth as possible.
When you run a tracert to the outside world from a VLAN 4 device, is it going through the Cisco? Do VLAN 2 and 3 have a different tracert path to the outside world? If VLAN 4 is going through the Cisco and VLAN 2 and 3 are hitting the AT&T, then you may need a route between the Cisco and AT&T.
Hope this helps,
Please keep us updated
Get Support on Twitter @DellCaresPro
The switches are two 6248s on stack members 1 and 2 and a single 6224 on stack member 3. There is no trunk port, as the traffic between switches is handled by the stacking modules and it's all controlled as a single unit. As for the firmware, I am currently running 18.104.22.168 across all the switches. I will upgrade as soon as I have a chance.
When a tracert is run to the outside world via VLAN 4 it hits the Frontier router, and from VLAN 2 and 3 it hits the AT&T one. Running a tracert to a server inside the network from VLAN 4 times out without hitting any nodes at all. My assumption is that it's seeing that those IPs are bound to the AT&T router and wants to connect me there, but since I don't allow VLAN 4 traffic out through AT&T it breaks down. Is there a way to set up a routing table with these switches to keep all traffic inside the network inside the switch, so it only goes out to the router when it needs to talk with the outside world?
Do you have end devices/workstations connected to interface range ethernet 1/g1-1/g44,2/g1-2/g44,3/g1-3/g20,3/xg3-3/xg4?
If so we need to look at setting that range to switchport mode access.
Whatever device is on VLAN 4 would need this set up :
console(config)# interface ethernet xxx
console(config-if)# switchport mode access
console(config-if)# switchport access vlan 4
If you have a port that is unused we could plug a laptop in and make changes to that specific port with the above commands and see how that responds.
Since you have routing enabled on the switch and on the VLANs, it should resolve any locally known routes before sending the packet upstream to the AT&T or Frontier.
Going to have to postpone modifications of the switches temporarily, as I have some more pressing projects to get done as well as several employees running monthly processes that we can't afford to have interrupted. However, I'd like to keep the dialogue going. Why would we want to set the switchport mode to access instead of general? It's my understanding that they work nearly identically, with the major difference being that general can support multiple VLANs.
As far as the ethernet range goes, most of those connections are dedicated connections to servers. However, there are several connections on switch 1 that are connected to a patch panel. From there it goes out to various locations in the building, and the issue comes into play that workstations, servers and network printers are on those connections. The switchport has to be general in order to maintain the IP configuration that is already in place for non-workstation machines, while still giving us the option to slowly migrate people's workstations onto the new Frontier connection for increased speed.
I'll look into auditing my network configuration and setting up the majority of the interfaces in access mode, and just putting the ones with multiple VLANs connected to them in general mode. I won't be able to do any more switch configuration until Tuesday, however. Thanks for the input so far.