Re: Communicating with VPN

ualeem101 · ‎09-21-2017

Having trouble with communicating to a point of access gateway. Currently only way to communicate is through a routed port. Working with 3750-x. No distribution layer, they want to go from an access layer where all the PCs are connected to the poag. Point of access gateway communicating at

172.16.16.6 255.255.255.0. I do not have permissions on the hardware. My 3750-x is only able to communicate via routed port. Does not ping back if i program the connected port as a trunk or access port.

gi1/1/1

no switchport

ip address 172.16.16.33 255.255.255.0

pings successfully.

gi1/1/1

switchport mode trunk

switchport trunk encap dot1q

pings unsuccessful

gi1/1/1

switchport mode access

switchport access vlan 1280

pings unsuccessful

The issue is that the customers PCs are on the same subnet with

int vlan 1280

ip address 172.16.16.39 - .62 range with 255.255.255.0

All Pcs on switchports are configured as access ports with 1280 vlan including the server.

Turning on routing did not help since the ip range is overlapping. Looking for guidance on how to tackle this issue without having the luxury of a distribution layer. Customer has limitation on purchasing another distribution layer switch.

Jon Marshall · ‎09-21-2017

Definitely don't use trunk but an access port in the same vlan as your clients should work.

So when you say pings are unsuccessful do you mean from clients or the switch itself ?

Also what has this to do with a VPN ?

Jon

ualeem101 · ‎09-21-2017

From the switch itself. Once the configuration is completely taken off the linking port i.e. gi1/1/1, the engineers just went into the Win 10 machines and manually put in the route to the distant end and got communication working. The POAG itself i am told is a custom Linux distribution.

Jon Marshall · ‎09-21-2017

If you want to ping from the switch itself just create an SVI in vlan 1280 and give

it an IP from that subnet.

Just don't make that IP the default gateway for clients.

Jon

ualeem101 · ‎09-21-2017

The point of access gateway is taking around 12 different subnets on 12 fiber ports and creating a VPN for each subnet and shooting them out an encryptor. Not sure if that is any help but thats where the VPN comes in.

Jon Marshall · ‎09-21-2017

Okay, so it sounds like you actually got it working by setting the default gateway on the clients to be the VPN device and the connecting port as an access port.

So is this fixed or is there still an outstanding query ?

Jon

ualeem101 · ‎09-21-2017

The SVI currently is

interface vlan 1280

ip address 172.16.16.32 255.255.255.0

with a layer 2

vlan 1280

name Data vlan

the connecting port gi1/1/1 is currently unconfigured.

int gi1/1/1

end

Would like to be able to come up with a solution in order to have the switch ports configured as access or trunk. Leaving the ports unconfigured allows the connection to work however it will not pass muster from the inspectors. Thanks for all the replies.

Jon Marshall · ‎09-21-2017

Place the client ports and the port connecting to the VPN device into vlan 1280 and set the client default gateway to be the VPN device.

Or do you need the clients to be routed on the switch ?

Jon

ualeem101 · ‎09-21-2017

So when i have the client ports as members of vlan1280 and set the port connecting to the VPN device on vlan 1280 as an access port, the communication with the device stops. at least the pings from the switches come back unsucessful. Probably should still try pinging from the PCs to test the connectivity.

As per your advice if all i need to do is set the default gateway then there is no need to route.

Jon Marshall · ‎09-21-2017

Try from the PCs because I'm guessing the switch is just used for testing and may be giving you misleading results.

If the clients do not need access to other vlans/subnets that are routed on your switch then yes, the easiest thing is just to set the default gateway to be the VPN device.

Jon