Support
Community

Your BPDU issues are due to spanning-tree problems, a layer-2 protocol. Search documentation for spanning tree.   Make sure that any devices that are connected that should only see a single VLAN are configured as access ports for that VLAN.  Avoid connecting "dumb" switches to trunk ports.  Avoid "dumb" switches period.

Your issue with computers shutting down and duplicate address problems could also be related to layer 2.  Look for duplicate DHCP servers.  Be aware that Windows DHCP servers tend to cause problems if connected to a trunk port as they don't handle VLANs very well. Search documentation on DHCP, broadcasts, etc.

Routing your websites through the same WAN link from different LAN subnets should be do-able.  You might have to do some policy routing depending on how the other hosts on that LAN are supposed to route.  Search documentation on NAT, ip policy, and policy routing. .

After reading about spanning trees, my immediate thought is that I don't really need spanning trees.    Seriously, I've only got a dozen devices and maybe a dozen more virtual machines, most on one of two subnets,  Two of my machines need to talk to both networks, and the rest talk only to one.  I've got three switches that route everything (basically one per floor).  I NAT specific ports from the various static IPs to different internal servers, some 10.x, some 10.y.  All of this has worked flawlessly for years.

I don't have multiple DHCP servers; I only use the cable modem to hand out addresses to mobile devices.  Everything else is statically addressed and in fact the devices getting the errors are statically addressed.  Those devices start getting IP conflict messages when the NetVanta is connected to the internal network.

Again, my real problem is that this all worked wonderfully with the Netopia.  I simply configured the Netopia with two different LAN addresses, one on each subnet, and each device that needed external IP addresses used the Netopia as its gateway.  Those that didn't need external used the 10.x network and pointed to the cable modem as their gateway.  All I want to do is replicate that simple architecture.

If you are seeing ports going into a blocking state and filtering BPDU results in "other inconsistent results" such as a giant storm, you have a bridging loop.  Something is cabled wrong, there are VLAN mismatches, one or more switches are connected in a loop, etc.  So you probably do need spanning-tree to ensure that this situation doesn't happen in the future with a production network.

Are you connecting both VLAN ports to ports on an unmanaged switch anywhere?  Or to put it another way, are you certain that both VLANs isolated throughout the network?

When you configured the Netopia with two different LAN addresses, one on each subnet, was that using a secondary IP on the same layer 2 port, or was it with VLANs?

VLANs are much cleaner than simply having two subnets sharing the wire which is sometimes referred to as "ships passing in the night", but it does take a bit more configuration.

Any chance of posting a sketch of your network layout and the configuration of the box? 

I understand that VLANs are more isolated, but I've been fine with the situation as is ("ships passing in the night") for a long time.  Basically by selecting an IP and a gateway I was able to easily direct the devices that needed reliable static access and/or external NAT to the slower DSL and the devices with simpler high speed demands to the cable modem.  I'm not planning to change to intelligent switches anytime soon, especially since that would involve running a second backbone cable.  Here's my setup, in very simple terms:

SDSL router (10.x and 10.y)

Switch 1 -- dual-homed workstation, some 10.x devices

|

Switch 2 -- 10.y servers, multi-homed server

|

Switch 3 -- many 10.x devices, 10.x wifi access point

Cable modem (10.x) with DHCP

Here's my configuration minus password stuff.  I substituted 10.x and 10.y to more easily identify the high-speed (10.x) and SDSL (10.y) components, although technically some 10.x devices are routed to the SDSL router by simply using it's 10.x address as their gateway.  As I said, this has all worked wonderfully for some time now.  Instead, what I have right now is inbound only on only the 10.y subnet.  I can't even plug in the 10.x subnet port (switchport 0/1) without getting a storm.  I don't have time at this current moment, but as soon as I get a chance I'll disable BPDU again and report my results.

Note: on this configuration, I can get inbound traffic to both my email server (10.y.1.181) and my web server (10.y.1.180) via MY.ST.IP.69 and MY.ST.IP.68, respectively.  I cannot, however, access my VNC server at MY.ST.IP.68.  Nor can I do any outbound.

hostname "NetVanta3133"

!

clock timezone -8

clock no-auto-correct-DST

!

ip subnet-zero

ip classless

ip routing

!

!

ip domain-proxy

!

!

event-history on

no logging forwarding

logging forwarding priority-level info

no logging email

!

!

ip firewall

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

!

no dot11ap access-point-control

!

!

ip dhcp-server pool "Private"

  network 10.10.10.0 255.255.255.0

  dns-server 10.10.10.1

  netbios-node-type h-node

  default-router 10.10.10.1

!

!

!

!

!

!

!

!

!

vlan 1

  name "Default"

!

vlan 100

  name "10.x"

  shutdown

!

vlan 101

  name "10.y"

!

!

interface switchport 0/1

  no shutdown

  switchport access vlan 100

!

interface switchport 0/2

  spanning-tree edgeport

  no shutdown

  switchport access vlan 101

!

interface switchport 0/3

  no shutdown

!

interface switchport 0/4

  no shutdown

!

!

!

interface vlan 1

  ip address  MY.ST.IP.65  255.255.255.248

  ip ffe

  ip access-policy Private

  no shutdown

!

interface vlan 100

  description 10.x Internal

  mac-address 00:A0:C8:8A:C6:2D

  ip address  10.x.0.230  255.255.255.0

  ip access-policy Private

  no rtp quality-monitoring

  shutdown

!

interface vlan 101

  mac-address 00:A0:C8:8A:C6:2E

  ip address  10.y.1.230  255.255.255.0

  ip access-policy Private

  no rtp quality-monitoring

  no shutdown

!

interface sdsl 0/1

  line-rate-mode fixed

  line-rate 384

  no shutdown

!

interface sdsl 0/2

  shutdown

!

!

!

!

interface atm 100 point-to-point

  no shutdown

  cross-connect 100 sdsl 0/1 atm 100

!

interface atm 100.1 point-to-point

  no shutdown

  pvc 0/38

  ip address  MY.EX.WA.IP  255.255.255.0

  ip address  MY.ST.IP.66  255.255.255.255  secondary

  ip address  MY.ST.IP.67  255.255.255.255  secondary

  ip address  MY.ST.IP.68  255.255.255.255  secondary

  ip address  MY.ST.IP.69  255.255.255.255  secondary

  ip address  MY.ST.IP.70  255.255.255.255  secondary

  ip access-policy Public

  no fair-queue

!

interface atm 100.99 point-to-point

  no shutdown

  pvc 0/34

  ip address icmp 255.255.255.0

!

interface atm 200 point-to-point

  no shutdown

  cross-connect 200 sdsl 0/2 atm 200

!

interface atm 200.1 point-to-point

  no shutdown

  pvc 0/38

  no ip address

  no fair-queue

!

interface atm 200.99 point-to-point

  no shutdown

  pvc 0/35

  ip address icmp 255.255.255.252

!

!

!

ip access-list standard wizard-ics

  remark Internet Connection Sharing

  permit any

!

!

ip access-list extended self

  remark Traffic to NetVanta

  permit ip any  any     log

!

ip access-list extended web-acl-10

  remark 67:25 -> y.180

  permit tcp any  host MY.ST.IP.67 eq smtp   log

  permit tcp any  host MY.ST.IP.67 eq pop3   log

!

ip access-list extended web-acl-11

  remark 69:25 -> y.181

  permit tcp any  host MY.ST.IP.69 eq smtp   log

  permit tcp any  host MY.ST.IP.69 eq pop3   log

!

ip access-list extended web-acl-12

  remark 68:5900 -> y.51

  permit tcp any  host MY.ST.IP.68 range 5900 5901   log

!

ip access-list extended web-acl-8

  remark 67:80 -> x.180

  permit tcp any  host MY.ST.IP.67 eq www   log

!

ip access-list extended web-acl-9

  remark 68:80 -> y.180

  permit tcp any  host MY.ST.IP.68 eq www   log

!

!

ip policy-class Private

  allow list self self

  allow list self self

  allow list wizard-ics policy Public

  allow list wizard-ics policy Public

!

ip policy-class Public

  nat destination list web-acl-8 address 10.x.0.180

  nat destination list web-acl-9 address 10.y.1.180

  nat destination list web-acl-10 address 10.y.1.180

  nat destination list web-acl-11 address 10.y.1.181

  nat destination list web-acl-12 address 10.y.1.51

  allow list self self

  allow list self policy Private

  allow list self policy Private

  allow list self self

!

!

!

ip route 0.0.0.0 0.0.0.0 atm 100.1

!

no ip tftp server

no ip tftp server overwrite

ip http server

ip http secure-server

no ip snmp agent

ip ftp server

no ip scp server

no ip sntp server

!

!

ip sip udp 5060

ip sip tcp 5060

!

!

Thanks for bearing with me, Jay.  I'm getting farther.  I've nuked my second VLAN and inbound email is still working, so that's one step forward.  Now I need to work on the other stuff.

The "vlan 1" you see is what my wonderful DSL provider set up for me.  It's some sort of default; they're really not sure how to set up these modems.  So that VLAN is useless as far as I can tell.

What I need to get working next is outbound traffic.  I'm getting much closer.  I was just able to ping out via the 10.y gateway address on the reconfigured VLAN from one of the 10.y servers.  I have to tend to other things, but I'll try again later.

Thanks again so much for your help.

Okay, I lied.  I cannot ping outside the local network.  It's odd.  I can ping any of my external IPs from inside the network.  It's like the NetVanta sees that it's really one of its own addresses and returns the ping.  Makes sense, I guess, I just never thought of it.  But trying to ping anything else (even Google, 8.8.8.8) just hangs.  On to the next bit of discovery!

Okay, I got knocked off the project for a month, but I'm back on it.  Using jayp's instruction and a little playing around, I got just about everything inbound that I need, now I have to figure out how to get outbound traffic.  I'll do some reading and then start another thread.