Re: Restart: VLAN question...

> I take the chance of restarting this thread as I have still no working
> solution. I tried with the PVE feature of the SRW2016 and I was able to
> connect to the internet, but very intermittently. It seemed that the
> workstation had trouble selecting which uplink port to select to get to
> the internet and which one to use for getting to the domain controller.

Do you know what the cause was for the intermittent connectivity? When I looked at the picture, it looked like the design ought to work. You might be able to get a clue by looking at what happens to the MAC address tables in the classroom's switch when the connection to the Internet switch is removed and then restored.

Anoop

Reply to
anoop

Hi again, Anoop

The classroom switches are not managed; how can I check their MAC address tables then..?

Someone told me that the reason for the intermittent connections was that the computer did not know whether it should establish contact via the domain controller uplink or the gateway uplink; it could not connect to both simultaneously, he said. I don't know the theory behind this, so I cannot judge ;-|

However I will be more than glad to test any suggestion, so if there are alternatives, describe them ;-)

/geir

Reply to
Geir Holmavatn

I guess you can't :-)

That is incorrect. The computer knows which device it needs to reach. If it tries to get out on the Internet, then it knows to go through the default gateway (presumably the firewall) and it will ARP for the gateway's IP to get its MAC address. If the link to the firewall has been removed, this ARP will never receive a response, but once it is plugged in, then it should see a response. The ARPs will get forwarded to both uplinks but only the firewall will respond if it happens to be connected.

A few things that you can check for when the connectivity doesn't work:

- Check to see if the computers in the classroom that are trying to connect to the Internet have resolved the default gateway's address, using, for example, 'arp -a' at the Windows command prompt.

- Check to see if the computer's MAC address and the MAC address of the firewall have been learned in the "Internet Connection Switch".

Is only the connectivity to the Internet intermittent, or is all connectivity intermittent with this setup?

Anoop

Reply to
anoop

Hi,

It looks to me as if you want:- NO VLANS - well one on each switch i.e. the default.

On the Domain Controller switch:-
Configure all ports except the Domain Controller as PVE
Configure the Domain Controller port as the uplink

On the Internet switch:-
In order to prevent classes talking to each other when more than one is plugged into the internet you do the same thing on the Internet switch. i.e.
Firewall port PVE
Nothing else

Done.

This will allow the following.

All PCs/printers will be able to talk to the DC
No PCs will be able to talk to another class
No PCs will be able to talk to the internet
PCs within a class will be able to talk to each other.

Then you can plug in the Internet cable to class room switches as you require.

Is that what you want?

The only thing left though is that you mentioned "subnets". I think you didn't mean it.

I bet you have a central printer:-(((

A professional level solution to this would be to put each PC on a different subnet and change the firewall permissions as required to permit/deny access.

Possibly- You could manually assign IP addresses (via DHCP) such that each class had a range and then do the firewall permissions thing to control access.

Many firewalls have time of day rules so you could easily set things up in advance.

Reply to
Bod43

Can both the domain controller switch and the internet switch be combined into one SRW2016? Domain range: Port 1-6 with uplink Port 8 and Internet range: Port 9-14 and uplink port 16? Or will this cause unexpected side effects?

Yeah, exactly.

However, PVEs are used between like switches to extend your VLAN topology across your switch topology, so if you had 2 or more SRW2016s, they can all be combined to make it look like you had one really big SRW2016 that had 32 ports or more that you can then split up into separate VLANs. It does not apply here to the specific scenario that you want a solution to. And per the parameters that you gave, this feature does not work with non-Linksys, non-PVE capable switches, so the 2 unmanaged switches fitting into the non-Linksys, non-PVE capable category will not work.

All workstation computers, the domain controller and the router's LAN address are on the same subnet.

Yes, several.

The classes consist almost always of different students (with different subject choices) so this will be very difficult to manage.

regards geir

Reply to
Geir Holmavatn

I don't know how the SRW2016 handles learning between partitions. If it handles learning separately for each partition then you should be OK. If not, you'll see the clients' MAC addresses bounce back and forth between the "Domain" partition and the "Internet" partition leading to intermittent connectivity.

Have you resolved all the prior intermittent connectivity issues?

Anoop

Reply to
anoop
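To make Anoop's point concrete, here is an added toy model (not from the thread, and not a description of how the SRW2016 actually learns) of a learning switch with two partitions: with one shared MAC table the client's address flaps between the partitions and the firewall's reply can be sent out a Domain-side port, while a table per partition stays stable. The port layout, MAC address and partition names are assumptions.

```python
from collections import defaultdict

DOMAIN, INTERNET = "Domain", "Internet"
# Hypothetical port layout for one SRW2016 (constructed, not from the thread):
# ports 1-8 form the Domain partition (8 = uplink to the domain controller),
# ports 9-16 form the Internet partition (16 = uplink to the firewall).
PARTITION_OF = {**{p: DOMAIN for p in range(1, 9)},
                **{p: INTERNET for p in range(9, 17)}}


class PartitionedSwitch:
    """Learning bridge whose MAC table is either shared or kept per partition."""

    def __init__(self, per_partition_learning):
        self.per_partition = per_partition_learning
        self.tables = defaultdict(dict)   # table name -> {mac: port}
        self.moves = 0                    # times a learned MAC changed port

    def _table(self, port):
        key = PARTITION_OF[port] if self.per_partition else "shared"
        return self.tables[key]

    def learn(self, in_port, src_mac):
        table = self._table(in_port)
        if table.get(src_mac) not in (None, in_port):
            self.moves += 1               # entry flapped to another port
        table[src_mac] = in_port

    def egress_for(self, in_port, dst_mac):
        """Port a unicast frame arriving on in_port is sent to (None = flood)."""
        return self._table(in_port).get(dst_mac)


def simulate(per_partition_learning, rounds=3):
    """Client behind a classroom switch wired to port 9 (Internet) and port 1 (Domain)."""
    sw = PartitionedSwitch(per_partition_learning)
    client = "00:11:22:33:44:55"          # constructed client MAC
    for _ in range(rounds):
        # The unmanaged classroom switch floods each client broadcast out both
        # of its uplink cables, so the SRW2016 sees the MAC on two ports.
        sw.learn(9, client)
        sw.learn(1, client)
    # The firewall's reply to the client enters on the Internet uplink (16).
    out = sw.egress_for(16, client)
    return sw.moves, out, PARTITION_OF[out]
```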

I will try to find a possibility to test this tomorrow (using two separate switches vs. one switch).

Thanks for all your comments and help

regards

Tor

Reply to
Geir Holmavatn

This should be fine. I am not experienced with this hardware though. It is what VLANs are for and is pretty much the definition of a VLAN.

This is not what the Linksys user guide says.

"PVE. For Gigabit Ethernet switches. When a port is a Private VLAN Edge (PVE) port, it bypasses the Forwarding Database and forwards all unicast, multicast, and broadcast traffic to an uplink, except for MAC-to-me packets. Uplinks can be ports or LAGs."

Who knows what MAC-to-me packets are though?

These will be OK as long as the print jobs are going via the server.

As far as I can see there is no significant difference.

1 - Log on to firewall and activate class rule
2 - log on to switch and make class connection.

I made a typo, sorry, should read:

On the Domain Controller switch:-
Configure all ports except the Domain Controller as PVE
Configure the Domain Controller port as the uplink

On the Internet switch:-
In order to prevent classes talking to each other when more than one is plugged into the internet you do the same thing on the Internet switch. i.e.
Configure all ports except the Firewall as PVE
Configure the Firewall port as the uplink

One problem is scalability. You have only one server port.

You could though:-

1, 2, 3, 4, 5, 6 - PVE ports, VLAN 2
7 - uplink port for server, VLAN 2
8, 9, 10, 11 - more server ports (normal ports), VLAN 3

Link 7 to 8 and you will be able to plug servers into 9, 10, 11

"Wastes" 2 ports but buys you more server ports.

An external switch would of course do too.

At first I thought no way - but looks not too bad after all.

Reply to
Bod43

Finally I had time to set this up using two SRW2016 boxes, as I had no luck using *one box* with PVE ports 1-7 with 8 as uplink to the domain controller and 9-15 with 16 as uplink to the internet firewall.

Using two different boxes, the first one has PVE ports 1-10 with 16 as uplink to the domain controller and the second box uses ports 1-10 with 16 as uplink to the internet firewall.

When I wired box1's port 1 and box2's port 1 to the Classroom1 switch, box1's port 2 and box2's port 2 to the Classroom2 switch etc., I unfortunately got the same result as I did when using two separate PVEs within one box - i.e. getting access to only one of the resources, most often the domain controller and not the two at a time.

I can ping the domain controller but I do not get any internet access. If I wire the firewall's LAN port directly to one classroom switch I (of course) get internet access..

How do I troubleshoot this setup to try to track down what is happening..?

Thanks for tips, I'm ready to follow any advice to get this up and running, if possible.

Geir

Reply to
Geir Holmavatn

They haven't, the arp -a only gives me the domain controller IP.

If I connect the firewall LAN port directly to the classroom switch (i.e. bypass the 'internet connection switch'), the arp -a returns both the domain controller IP and the firewall LAN IP.

How / where do I do that..?

In my reply to Bod43 later in this thread I describe how I have set up the SRW2016 box(es).

I'm ready to try out any suggestion to try to have this up and running successfully now.

regards and thanks for all help and tips so far

/geir

Reply to
Geir Holmavatn

Assuming the switch is a managed switch, the CLI command used by most vendors is "show mac-address-table". If it's an unmanaged switch I don't think there would be a way to do this.

Anoop

Reply to
anoop

Do you have access to a sniffer? If so:

- Sniff the traffic between the "Internet connection switch" and the firewall and see if you're seeing the ARPs from clients.

- See if you also see the ARP response.

- If both the above look OK, sniff the traffic between the client switch and the "Internet connection switch" and see if you pick up the ARP reply.

Short of some problem with the cabling itself, I can't see why this setup should not work. Are you sure the port is really up when you plug it in? You can do a "show interfaces" or something like that to see what the switch thinks is up. There may be issues with crossover vs. straight cables.

I was going to suggest removing the PVE configuration and using the two big switches as dumb Ethernet switches, but the PVE configuration appears to work for the domain controller so I doubt that is the cause of the problem.

Anoop

Reply to
anoop
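Anoop's three sniffer checks, walked in order over two captures, as an added example that is not part of the thread: point A is the link between the "Internet connection switch" and the firewall, point B the link between a classroom switch and the "Internet connection switch". The tcpdump-style lines, addresses and MAC are constructed sample data.

```python
import re

# Constructed tcpdump -n style ARP lines; only these two shapes are parsed.
REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]+)")


def arp_summary(lines, gateway_ip):
    """Count ARP requests for the gateway and collect the MACs that answered."""
    requests, replies = 0, set()
    for line in lines:
        m = REQ.search(line)
        if m and m.group(1) == gateway_ip:
            requests += 1
            continue
        m = REP.search(line)
        if m and m.group(1) == gateway_ip:
            replies.add(m.group(2).lower())
    return requests, replies


def localize(point_a, point_b, gateway_ip):
    """Apply the checks in Anoop's order and name the first one that fails."""
    req_a, rep_a = arp_summary(point_a, gateway_ip)
    req_b, rep_b = arp_summary(point_b, gateway_ip)
    if req_a == 0:
        return "client ARP requests never reach the firewall segment"
    if not rep_a:
        return "firewall does not answer the ARP request"
    if not rep_b:
        return "ARP reply is lost between the Internet switch and the classroom switch"
    return "ARP exchange looks fine; check port state and cabling instead"


# Constructed captures: the firewall answers at point A, but the reply never
# shows up on the classroom side at point B.
GATEWAY = "192.168.1.1"
POINT_A = [
    "12:00:01.000101 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 46",
    "12:00:01.000342 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 46",
]
POINT_B = [
    "12:00:01.000087 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 46",
]

if __name__ == "__main__":
    print(localize(POINT_A, POINT_B, GATEWAY))
```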
