Hi Everyone!
Before I ask a specific question, I'd like to see if the community can point me to the appropriate documents to educate myself. My situation is pretty simple:
1. I have a NetVanta 3133 SDSL router connected to a single SDSL provider
2. I have a number of static IPs which are routed to that router
3. I also have a high-speed cable modem with no static IPs
4. I have two internal subnets, 10.x (personal) and 10.y (business)
5. I have a website and a mail server that live on 10.y and get routed through the SDSL router
6. I have another website that lives on 10.x that I'd like to route through the SDSL router (because of the static IPs)
The high-speed modem is my gateway for 10.x. My SDSL router is my gateway for 10.y. Until now I had a Netopia router and it was pretty easy to configure all of this. With the NetVanta it's a little more challenging, at least for me. I created two VLANs, one for 10.x and one for 10.y, and assigned each to a different switchport. I learned how to do port forwarding and I've managed to assign different external static IPs to different internal ports. I was able to get most of the individual pieces working at one time or another, including access to both the 10.x website and the 10.y website and mail server. Here are some of the issues I've run across:
1. I can't have both VLANs up unless I filter BPDU.
2. If I don't filter BPDU, as soon as I connect the second port to my network, one goes to Blocking status and I'm done.
3. If I do filter BPDU, I get other inconsistent results which I haven't yet had the time to completely isolate.
4. I haven't figured out how to originate outbound traffic from within either the 10.x or 10.y subnets, even if I only have one VLAN active and connected (at the end of the day, I may not want to do 10.x, but I definitely need 10.y).
So. I thought getting two subnets would be easy, but I'm not succeeding just yet. Right now I've only got one subnet connected, and it's inbound only. Am I on the right path for what I'm trying to do? Are there manuals or tutorials I need to read that will help enlighten me? Am I missing a basic point of some kind here? It's especially frustrating because I had all of this working with the Netopia.
Anyway, I'm happy to do more reading on my own before I ask silly questions. But any suggestions or comments are welcomed. I'm going out of town so I won't be able to do anything this week except read (I'm afraid to do anything that might require a physical reset of the box or involve connecting or disconnecting switchports from the network), but I plan to get back at this full-time this weekend.
Thanks in advance for any support!
P.S. One other thing I found - if the 10.x VLAN is enabled, it tends to shut down other computers in that subnet; they get Windows IP address conflicts, even though there are none. I have to go in and disable that VLAN and reset the adapters on the affected PCs.
Your BPDU issues are due to spanning-tree problems, a layer-2 protocol. Search documentation for spanning tree. Make sure that any devices that are connected that should only see a single VLAN are configured as access ports for that VLAN. Avoid connecting "dumb" switches to trunk ports. Avoid "dumb" switches period.
Your issue with computers shutting down and duplicate address problems could also be related to layer 2. Look for duplicate DHCP servers. Be aware that Windows DHCP servers tend to cause problems if connected to a trunk port as they don't handle VLANs very well. Search documentation on DHCP, broadcasts, etc.
Routing your websites through the same WAN link from different LAN subnets should be doable. You might have to do some policy routing depending on how the other hosts on that LAN are supposed to route. Search documentation on NAT, ip policy, and policy routing.
After reading about spanning trees, my immediate thought is that I don't really need spanning trees. Seriously, I've only got a dozen devices and maybe a dozen more virtual machines, most on one of two subnets. Two of my machines need to talk to both networks, and the rest talk only to one. I've got three switches that route everything (basically one per floor). I NAT specific ports from the various static IPs to different internal servers, some 10.x, some 10.y. All of this has worked flawlessly for years.
I don't have multiple DHCP servers; I only use the cable modem to hand out addresses to mobile devices. Everything else is statically addressed and in fact the devices getting the errors are statically addressed. Those devices start getting IP conflict messages when the NetVanta is connected to the internal network.
Again, my real problem is that this all worked wonderfully with the Netopia. I simply configured the Netopia with two different LAN addresses, one on each subnet, and each device that needed external IP addresses used the Netopia as its gateway. Those that didn't need external used the 10.x network and pointed to the cable modem as their gateway. All I want to do is replicate that simple architecture.
If you are seeing ports going into a blocking state and filtering BPDU results in "other inconsistent results" such as a giant storm, you have a bridging loop. Something is cabled wrong, there are VLAN mismatches, one or more switches are connected in a loop, etc. So you probably do need spanning-tree to ensure that this situation doesn't happen in the future with a production network.
Are you connecting both VLAN ports to ports on an unmanaged switch anywhere? Or to put it another way, are you certain that both VLANs are isolated throughout the network?
When you configured the Netopia with two different LAN addresses, one on each subnet, was that using a secondary IP on the same layer 2 port, or was it with VLANs?
VLANs are much cleaner than simply having two subnets sharing the wire, which is sometimes referred to as "ships passing in the night", but it does take a bit more configuration.
Any chance of posting a sketch of your network layout and the configuration of the box?
I understand that VLANs are more isolated, but I've been fine with the situation as is ("ships passing in the night") for a long time. Basically by selecting an IP and a gateway I was able to easily direct the devices that needed reliable static access and/or external NAT to the slower DSL and the devices with simpler high speed demands to the cable modem. I'm not planning to change to intelligent switches anytime soon, especially since that would involve running a second backbone cable. Here's my setup, in very simple terms:
SDSL router (10.x and 10.y)
Switch 1 -- dual-homed workstation, some 10.x devices
|
Switch 2 -- 10.y servers, multi-homed server
|
Switch 3 -- many 10.x devices, 10.x wifi access point
Cable modem (10.x) with DHCP
Here's my configuration minus password stuff. I substituted 10.x and 10.y to more easily identify the high-speed (10.x) and SDSL (10.y) components, although technically some 10.x devices are routed to the SDSL router by simply using its 10.x address as their gateway. As I said, this has all worked wonderfully for some time now. Instead, what I have right now is inbound only on only the 10.y subnet. I can't even plug in the 10.x subnet port (switchport 0/1) without getting a storm. I don't have time at this current moment, but as soon as I get a chance I'll disable BPDU again and report my results.
Note: on this configuration, I can get inbound traffic to both my email server (10.y.1.181) and my web server (10.y.1.180) via MY.ST.IP.69 and MY.ST.IP.68, respectively. I cannot, however, access my VNC server at MY.ST.IP.68. Nor can I do any outbound.
hostname "NetVanta3133"
!
clock timezone -8
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
!
ip domain-proxy
!
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
no dot11ap access-point-control
!
!
ip dhcp-server pool "Private"
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.1
netbios-node-type h-node
default-router 10.10.10.1
!
!
!
!
!
!
!
!
!
vlan 1
name "Default"
!
vlan 100
name "10.x"
shutdown
!
vlan 101
name "10.y"
!
!
interface switchport 0/1
no shutdown
switchport access vlan 100
!
interface switchport 0/2
spanning-tree edgeport
no shutdown
switchport access vlan 101
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
no shutdown
!
!
!
interface vlan 1
ip address MY.ST.IP.65 255.255.255.248
ip ffe
ip access-policy Private
no shutdown
!
interface vlan 100
description 10.x Internal
mac-address 00:A0:C8:8A:C6:2D
ip address 10.x.0.230 255.255.255.0
ip access-policy Private
no rtp quality-monitoring
shutdown
!
interface vlan 101
mac-address 00:A0:C8:8A:C6:2E
ip address 10.y.1.230 255.255.255.0
ip access-policy Private
no rtp quality-monitoring
no shutdown
!
interface sdsl 0/1
line-rate-mode fixed
line-rate 384
no shutdown
!
interface sdsl 0/2
shutdown
!
!
!
!
interface atm 100 point-to-point
no shutdown
cross-connect 100 sdsl 0/1 atm 100
!
interface atm 100.1 point-to-point
no shutdown
pvc 0/38
ip address MY.EX.WA.IP 255.255.255.0
ip address MY.ST.IP.66 255.255.255.255 secondary
ip address MY.ST.IP.67 255.255.255.255 secondary
ip address MY.ST.IP.68 255.255.255.255 secondary
ip address MY.ST.IP.69 255.255.255.255 secondary
ip address MY.ST.IP.70 255.255.255.255 secondary
ip access-policy Public
no fair-queue
!
interface atm 100.99 point-to-point
no shutdown
pvc 0/34
ip address icmp 255.255.255.0
!
interface atm 200 point-to-point
no shutdown
cross-connect 200 sdsl 0/2 atm 200
!
interface atm 200.1 point-to-point
no shutdown
pvc 0/38
no ip address
no fair-queue
!
interface atm 200.99 point-to-point
no shutdown
pvc 0/35
ip address icmp 255.255.255.252
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-10
remark 67:25 -> y.180
permit tcp any host MY.ST.IP.67 eq smtp log
permit tcp any host MY.ST.IP.67 eq pop3 log
!
ip access-list extended web-acl-11
remark 69:25 -> y.181
permit tcp any host MY.ST.IP.69 eq smtp log
permit tcp any host MY.ST.IP.69 eq pop3 log
!
ip access-list extended web-acl-12
remark 68:5900 -> y.51
permit tcp any host MY.ST.IP.68 range 5900 5901 log
!
ip access-list extended web-acl-8
remark 67:80 -> x.180
permit tcp any host MY.ST.IP.67 eq www log
!
ip access-list extended web-acl-9
remark 68:80 -> y.180
permit tcp any host MY.ST.IP.68 eq www log
!
!
ip policy-class Private
allow list self self
allow list self self
allow list wizard-ics policy Public
allow list wizard-ics policy Public
!
ip policy-class Public
nat destination list web-acl-8 address 10.x.0.180
nat destination list web-acl-9 address 10.y.1.180
nat destination list web-acl-10 address 10.y.1.180
nat destination list web-acl-11 address 10.y.1.181
nat destination list web-acl-12 address 10.y.1.51
allow list self self
allow list self policy Private
allow list self policy Private
allow list self self
!
!
!
ip route 0.0.0.0 0.0.0.0 atm 100.1
!
no ip tftp server
no ip tftp server overwrite
ip http server
ip http secure-server
no ip snmp agent
ip ftp server
no ip scp server
no ip sntp server
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
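Two things stand out in the posted policy-classes. In `ip policy-class Private`, the only entries that send LAN traffic towards the WAN are plain `allow list wizard-ics policy Public` statements; nothing in that class translates the source address, so a session originated from a 10.x or 10.y host would leave atm 100.1 with its private source address, which is consistent with inbound port forwards working while outbound does not. In `ip policy-class Public`, `allow list self self` is backed by a `self` ACL that reads `permit ip any any log`, which opens every service the router itself runs (the config enables `ip http server`, `ip http secure-server` and `ip ftp server`) to the Internet. The following is an added example written for this page, not the original poster's configuration and not something posted in the thread. It keeps the ACL names `self`, `wizard-ics` and `web-acl-*` and the interface `atm 100.1` from the posted config; it assumes AOS accepts the `nat source list <acl> interface <intf> overload` form, that atm 100.1 carries the primary WAN address (MY.EX.WA.IP), and that the box only needs to be managed from the LAN. The ACL name `self-public` is invented here. Check the exact syntax against the AOS command reference for the firmware on the 3133 before pasting it in.

```text
! Added example (editor's, not from the thread): Private and Public policy-classes
! rewritten so that sessions from the LAN are source-NATed on the way out and so
! that the router's own services are not reachable from the WAN on every port.
!
! Assumptions: "nat source list <acl> interface <intf> overload" is accepted by this
! AOS release; atm 100.1 holds the primary WAN address MY.EX.WA.IP; management is
! done from the LAN only. "self-public" is a name invented for this example.
!
! Traffic to the router itself that is still accepted from the WAN: ICMP only.
ip access-list extended self-public
  remark Traffic to NetVanta from the WAN
  permit icmp any any log
!
ip policy-class Private
  ! LAN hosts may still reach the router itself (web UI, DNS proxy) ...
  allow list self self
  ! ... and everything else from the LAN is translated to the WAN address (PAT)
  ! and handed to the Public policy. Entries are matched in order, so this must
  ! come before any plain "allow list wizard-ics policy Public" line; otherwise
  ! that line matches first and packets leave with 10.x / 10.y sources untranslated.
  nat source list wizard-ics interface atm 100.1 overload
!
ip policy-class Public
  ! Inbound port forwards, unchanged from the posted config.
  nat destination list web-acl-8 address 10.x.0.180
  nat destination list web-acl-9 address 10.y.1.180
  nat destination list web-acl-10 address 10.y.1.180
  nat destination list web-acl-11 address 10.y.1.181
  nat destination list web-acl-12 address 10.y.1.51
  ! Replaces "allow list self self": with the posted "permit ip any any" ACL that
  ! entry exposed HTTP, HTTPS and FTP management of the router to the Internet.
  allow list self-public self
!
```

After applying something like this, originate a session from a 10.y host (for example a ping to 8.8.8.8, which the thread already uses as a test) and confirm that a translated session appears in the firewall session table; on the AOS releases I have worked with that is `show ip policy-sessions`, but verify the command on this firmware. Pings to the router's own MY.ST.IP.x addresses from inside will keep answering locally regardless, since those addresses are configured as secondaries on atm 100.1 and belong to the router; they are not a useful outbound test.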
Well, you can collapse your private VLANs to one as follows, first remove VLAN 101:
!
interface vlan 100
description 10.x-y Internal
ip address 10.x.0.230 255.255.255.0
ip address 10.y.1.230 255.255.255.0 secondary
ip access-policy Private
no rtp quality-monitoring
no shutdown
!
The following looks wrong, not sure what you're trying to accomplish:
!
interface vlan 1
ip address MY.ST.IP.65 255.255.255.248
ip ffe
ip access-policy Private
no shutdown
!
This is on the Public subnet but access-policy private. You can probably just use it as a secondary on the ATM interface along with the others.
Thanks for bearing with me, Jay. I'm getting farther. I've nuked my second VLAN and inbound email is still working, so that's one step forward. Now I need to work on the other stuff.
The "vlan 1" you see is what my wonderful DSL provider set up for me. It's some sort of default; they're really not sure how to set up these modems. So that VLAN is useless as far as I can tell.
What I need to get working next is outbound traffic. I'm getting much closer. I was just able to ping out via the 10.y gateway address on the reconfigured VLAN from one of the 10.y servers. I have to tend to other things, but I'll try again later.
Thanks again so much for your help.
Okay, I lied. I cannot ping outside the local network. It's odd. I can ping any of my external IPs from inside the network. It's like the NetVanta sees that it's really one of its own addresses and returns the ping. Makes sense, I guess, I just never thought of it. But trying to ping anything else (even Google, 8.8.8.8) just hangs. On to the next bit of discovery!
Okay, I got knocked off the project for a month, but I'm back on it. Using jayp's instruction and a little playing around, I got just about everything inbound that I need, now I have to figure out how to get outbound traffic. I'll do some reading and then start another thread.