STP, VLANs redundant router problem
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
|||||||||||||
|
Posted by BCCS on January 8, 2006, 8:13 am
Please log in for more thread options I have a fully redundant network that is being migrated from an externally managed Cisco network to an internally managed network. We have three Dell 5324's and two firewalls that failover For the sake of simplicity I'll refer to them as 5324.1, 5324.2 & 5324.3. When a specific is referenced, I'll add it to the end of the name (i.e. 5324.1.23 = 1st 5324, port 23). All 5324's have the following in common: VLAN 20 = WAN, ports g1-4 - 200.x.x.x VLAN 30 = DMZ, ports g5-10 - 20.x.x.x VLAN 40 = LAN, ports g11-23 - 2.x.x.x All have default gateway set to 2.x.x.3 No IP address is assigned to the WAN VLAN The DMZ VLAN is assigned an address The LAN VLAN is assigned an address Both routers have WAN, DMZ, LAN and failover interfaces Both routers have the following in common: Port 0 = WAN - 200.x.x.x Port 1 = DMZ - 20.x.x.x Port 2 = LAN - 2.x.x.x The failover allows for a virtual IP address on the LAN and WAN interfaces. I'll refer to the Routers and their ports are follows: RTR.1.2 = 1st Router, port 2 (or LAN) WAN (VLAN) connections RTR.1.0 - 5324.1.1 - 200.x.x.1 RTR.2.0 - 5324.3.1 - 200.x.x.2 Virtual IP -200.x.x.3 DMZ (VLAN) Connections RTR.1.1 - 5324.1.5 - 20.x.x.1 RTR.2.1 - 5324.3.5 - 20.x.x.2 LAN (VLAN) Connections RTR.1.2 - 5324.1.11 - 2.x.x.1 RTR.2.2 - 5324.2.11 - 2.x.x.2 Virtual IP - 2.x.x.3 STP (Rapid) Configuration 5324.1.21 - 5324.2.21 (root bridge priority 4096) 5324.2.22 - 5324.3.22 (bridge priority 8192) 5324.1.23 - 5324.3.23 (bridge priority 32768) None of the 5324's show that any STP or blocking. The root bridge shows FRW, Desg status on 1.21 & 1.23 The bridge with priority 8192 shows 2.21 as FRD, Root & 2.22 as FRW, Desg The bridge with priority 32768 shows 3.22 as DSCR, Altn & 3.23 as FRW, Root Now for the problem: The default gateway for all 5324's is the Virtual LAN IP of the routers. I can ping from any 5324 LAN IP address to any other of the 5324 LAN IP addresses. I can ping also the DMZ interface from 5324.1, but not the other two (.2 &.3). All switches can ping out to the internet and can use DNS for name resolution. A device plugged into a DMZ port on 5324.1 can not access other devices with the DMZ VLAN but connected to one of the other 5324's. I'm sure in all the detail I'm missing a simple problem, but. Any thoughts are appreciated!! | |||||||||||||
|
Posted by anoop on January 8, 2006, 4:55 pm
Please log in for more thread options BCCS wrote: [..] >From your description it's hard to see how things are wired so
it's near impossible to tell why it's not working. Not being able
to ping from a DMZ device on one switch to a DMZ device on another switch is weird because there should be no router involved. However, this is dependent on there being a switched path between that VLAN on all of your switches. Anoop | |||||||||||||
|
Posted by BCCS on January 9, 2006, 12:05 pm
Please log in for more thread options
anoop wrote: > BCCS wrote:
> > [..] > > > A device plugged into a DMZ port on 5324.1 can not access other devices with
> > the DMZ VLAN but connected to one of the other 5324's. >
> >From your description it's hard to see how things are wired so
> it's near impossible to tell why it's not working. Not being able
> to ping from a DMZ device on one switch to a DMZ device > on another switch is weird because there should be no router > involved. However, this is dependent on there being a switched > path between that VLAN on all of your switches. > > Anoop Anoop, Thanks for the reply. I'm sorry it wasn't more clear. I was trying to give as clear as possible overview that contains a lot of info. There's one patch cable from switch 1 to switch 2, 1 cable from switch 2 to switch 3 and one cable from switch 1 to switch 3. All inter-connects are connected using ports that are members of the LAN VLAN. If I connect cables from switch to switch within the other VLANs, STP will block the redundant connections as the Dell 5324's do not support per VLAN STP. Does that clarify? Again, thanks for the help! - B | |||||||||||||
|
Posted by anoop on January 9, 2006, 8:20 pm
Please log in for more thread options
BCCS wrote: > There's one patch cable from switch 1 to switch 2, 1 cable from switch
> 2 to switch 3 and one cable from switch 1 to switch 3. All > inter-connects are connected using ports that are members of the LAN > VLAN. If I connect cables from switch to switch within the other > VLANs, STP will block the redundant connections as the Dell 5324's do > not support per VLAN STP. Based on what you write, there's a loop so at least one of the switches should have a port that is blocked by STP. Also, what is the connectivity between the switches for the DMZ vlan? You were trying to get your ping from a DMZ device on one switch to a DMZ device on another switch. There has to be a switched path for that VLAN that spans all the switches. Anoop | |||||||||||||
| Similar Threads | Posted |
| STP, VLANs redundant router problem | January 8, 2006, 8:13 am |
| ADSL Router connected to another router problem | September 28, 2006, 3:34 am |
| redundant ports in trunk | January 10, 2006, 7:25 pm |
| Q: redundant uplinks between gigabit switches? | June 25, 2005, 2:16 am |
| Problem with 2 NAT boxes behind a router | February 10, 2006, 12:23 pm |
| Netgear router setup problem | January 7, 2006, 6:56 pm |
| Netgear router setup problem | January 7, 2006, 6:56 pm |
| Problem Accessing a Yahoo Server with SMC2804WBRP-G Barricade G Router | March 6, 2006, 9:46 pm |
| Problem: 2 ISP, 1 router, 1 modem, 1 modem/router | September 20, 2006, 10:14 am |
| 802.1q vlans trunking | June 13, 2005, 5:09 am |
| An interface on many VLANs | November 24, 2005, 8:05 pm |
| Two different VLANs on the same port | December 15, 2006, 8:02 am |
| VLANS and subnetting | September 30, 2007, 5:44 pm |
| Mac address and VLAns | June 17, 2008, 1:27 am |
| I have PC->Router->DSL Modem->ISP, Does ISP Router learn the PC MAC address? | April 25, 2005, 9:33 am |
> the DMZ VLAN but connected to one of the other 5324's.