09-25-2017 04:15 AM - edited 03-08-2019 12:09 PM
Hello Everyone,
We want to have multiple SSIDs for different sections of the company, each on their own VLAN. So far, I have each of these up and running. However, on one half of the building, users can't get a DHCP address from the main switch where the pools are. So I created a secondary pool for a different block of addresses for that side of the building. Great - everywhere I am getting an IP from DHCP from whichever of the two switches that have the pools is closest. But there seems to be something wrong with the routing. On the main switch (which is directly connected to the firewall), if I get a DHCP address from that, I can get out to the internet. But on the other side of the building, if I get a DHCP address from that secondary block of addresses, the routing doesn't appear to work.
The static routes in the switches say "Directly Connected", so I can't mess with them at all; they're automatically put in. The route in the firewall is correct and has the entire subnet routed: for example, 10.10.40.0. The first block works on the main switch: 10.10.40.1-100; but not the second switch, 10.10.40.101-200.
I thought about putting in a new route or something... but nothing seems to work. It's worth noting that the primary pools are on a switch that is directly and separately connected to the firewall. The rest of the network is connected to the firewall directly. Users are connected to each switch.
Switch w/ Primary Pools --- firewall --- Switch 2 --- Switch w/Secondary pools --- switch 4
| |
Router WLC
|
ISP
09-25-2017 04:53 AM
Hi there,
I assume both of the switches which have the DHCP pools are in router mode?
Can you provide the routing tables for all your switches and firewall?
cheers,
Seb.
09-25-2017 05:21 AM - edited 09-25-2017 05:22 AM
Thank you for your reply, Seb!
They are in layer 3 mode.
The fw one was sanitized a bit. I can see the route is using the primary and not the secondary pool IP at all... is there a way to point both to the firewall? Or point .14 to the .11?
Switch with Secondary Pool (10.10.110.14):
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 10.10.110.253, 01:40:36, vlan 1
C 10.10.40.0/24 is directly connected, vlan 40
C 10.10.41.0/24 is directly connected, vlan 41
C 10.10.42.0/24 is directly connected, vlan 42
C 10.10.43.0/24 is directly connected, vlan 43
C 10.10.44.0/24 is directly connected, vlan 44
C 10.10.45.0/24 is directly connected, vlan 45
C 10.10.110.0/24 is directly connected, vlan 1
Switch with Primary Pool (10.10.110.11):
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/100] via 10.10.110.253, 97:44:25, vlan 1
C 10.10.40.0/24 is directly connected, vlan 40
C 10.10.41.0/24 is directly connected, vlan 41
C 10.10.42.0/24 is directly connected, vlan 42
C 10.10.43.0/24 is directly connected, vlan 43
C 10.10.44.0/24 is directly connected, vlan 44
C 10.10.45.0/24 is directly connected, vlan 45
C 10.10.110.0/24 is directly connected, vlan 1
Switch 2 from diagram (10.10.110.9):
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/100] via 10.10.110.253, 73:52:43, vlan 1
C 10.10.40.0/24 is directly connected, vlan 40
C 10.10.41.0/24 is directly connected, vlan 41
C 10.10.42.0/24 is directly connected, vlan 42
C 10.10.43.0/24 is directly connected, vlan 43
C 10.10.44.0/24 is directly connected, vlan 44
C 10.10.45.0/24 is directly connected, vlan 45
C 10.10.110.0/24 is directly connected, vlan 1
Switch 4 from diagram (10.10.110.15):
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/100] via 10.10.110.253, 72:19:15, vlan 1
C 10.10.40.0/24 is directly connected, vlan 40
C 10.10.41.0/24 is directly connected, vlan 41
C 10.10.42.0/24 is directly connected, vlan 42
C 10.10.43.0/24 is directly connected, vlan 43
C 10.10.44.0/24 is directly connected, vlan 44
C 10.10.45.0/24 is directly connected, vlan 45
C 10.10.110.0/24 is directly connected, vlan 1
FW Routes:
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S* 0.0.0.0/0 [10/0] via <public IP>, wan1
             [10/0] via <public IP>, wan2, [10/0]
S 10.10.40.0/24 [10/0] via 10.10.110.11, internal
S 10.10.41.0/24 [10/0] via 10.10.110.11, internal
S 10.10.42.0/24 [10/0] via 10.10.110.11, internal
S 10.10.43.0/24 [10/0] via 10.10.110.11, internal
S 10.10.44.0/24 [10/0] via 10.10.110.11, internal
S 10.10.45.0/24 [10/0] via 10.10.110.11, internal
C 10.10.110.0/24 is directly connected, internal
C <public IP> is directly connected, wan1
C <backup public IP> is directly connected, wan2
09-25-2017 05:47 AM
You need to extend the Layer2 boundary of VLAN40 around the firewall, trunking it between switch1 and switch2. This would fix your overall DHCP issue.
What does the switchport configuration of the ports connecting the firewall on switches 1 and 2 look like?
What model is the firewall, can it operate at Layer2?
cheers,
Seb.
09-25-2017 06:03 AM - edited 09-25-2017 07:35 AM
I think I see the issue. This first port, 44, needs to be trunked to allow traffic from VLANs 40-45, right? I'll give that a try now... but if that's the case, why don't my other VLANs (cleared from the configs below for clarity) need to be on that trunk? For example, I have another VLAN 150 that's for wired-in connections on that Switch2... and that works... but as you can see, it is not in the allowed VLANs for the port leading to the firewall.
The firewall is a Fortinet 90D.
port from Switch 2 (.9) to FW:
Switch2#sh int sw gig 44
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi44
Port Mode: Access
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan  Name                              Egress rule  Added by
----  --------------------------------  -----------  ----------------
1     1                                 Untagged     V
Forbidden VLANS:
Vlan  Name
----  --------------------------------

interface gigabitethernet44
 loopback-detection enable
 description Firewall
 storm-control broadcast enable
 storm-control include-multicast unknown-unicast
 switchport mode access
Port connecting switch 1 with primary pool to FW:
Switch1#show int sw gig 1
Added by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, T-Guest VLAN, V-Voice VLAN
Port : gi1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan  Name                              Egress rule  Added by
----  --------------------------------  -----------  ----------------
1     1                                 Untagged     V
40    GUEST_VLAN40                      Tagged       S
41    SerDel_VLAN41                     Tagged       S
42    COL_VLAN42                        Tagged       S
43    DEV_VLAN43                        Tagged       S
44    misc_VLAN44                       Tagged       S
45    Sales_VLAN45                      Tagged       S

interface gigabitethernet1
 loopback-detection enable
 description Firewall
 no snmp trap link-status
 storm-control broadcast enable
 storm-control include-multicast unknown-unicast
 switchport trunk allowed vlan add 40-45
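The routing tables and the two firewall-facing port configurations posted above contain enough to spot the problem mechanically: every L3 switch claims 10.10.40.0/24 through 10.10.45.0/24 as directly connected, the firewall points all six subnets at 10.10.110.11 only, and the port from Switch2 to the firewall (gi44) is an access port in VLAN 1. The script below is an added example, not part of this thread or of any vendor tool; it parses condensed copies of those outputs (constructed sample data, two switches instead of four) and reports which VLAN subnets have an SVI on more than one switch while the firewall routes them to a single next hop, and which of those VLANs a given firewall-facing port does not carry. The function and constant names are the example's own.

```python
"""Consistency check over the route-table and switchport output posted in this thread.

Constructed sample data: condensed copies of the outputs above (the firewall's static
routes, the per-switch route tables, and the 'show interfaces switchport' of gi44/gi1).
"""
import re
from typing import Dict, List, Set

FW_ROUTES = """\
S 10.10.40.0/24 [10/0] via 10.10.110.11, internal
S 10.10.41.0/24 [10/0] via 10.10.110.11, internal
S 10.10.42.0/24 [10/0] via 10.10.110.11, internal
S 10.10.43.0/24 [10/0] via 10.10.110.11, internal
S 10.10.44.0/24 [10/0] via 10.10.110.11, internal
S 10.10.45.0/24 [10/0] via 10.10.110.11, internal
C 10.10.110.0/24 is directly connected, internal
"""

# Every L3 switch in the thread shows the same connected routes (an SVI per VLAN).
_SWITCH_TABLE = """\
S 0.0.0.0/0 [1/100] via 10.10.110.253, 97:44:25, vlan 1
C 10.10.40.0/24 is directly connected, vlan 40
C 10.10.41.0/24 is directly connected, vlan 41
C 10.10.42.0/24 is directly connected, vlan 42
C 10.10.43.0/24 is directly connected, vlan 43
C 10.10.44.0/24 is directly connected, vlan 44
C 10.10.45.0/24 is directly connected, vlan 45
C 10.10.110.0/24 is directly connected, vlan 1
"""
SWITCH_ROUTES = {"10.10.110.11": _SWITCH_TABLE, "10.10.110.14": _SWITCH_TABLE}

GI44_SWITCHPORT = """\
Port : gi44
Port Mode: Access
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name Egress rule Added by
---- ---- ----------- --------
1 1 Untagged V
"""
GI1_SWITCHPORT = """\
Port : gi1
Port Mode: Trunk
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name Egress rule Added by
---- ---- ----------- --------
1 1 Untagged V
40 GUEST_VLAN40 Tagged S
41 SerDel_VLAN41 Tagged S
42 COL_VLAN42 Tagged S
43 DEV_VLAN43 Tagged S
44 misc_VLAN44 Tagged S
45 Sales_VLAN45 Tagged S
"""

# 'C <subnet> is directly connected, vlan <id>' lines from a switch route table.
CONNECTED_RE = re.compile(r"^C\s+(\S+/\d+) is directly connected, vlan (\d+)", re.M)
# 'S <subnet> [ad/metric] via <next hop>,' lines (switch or firewall).
STATIC_RE = re.compile(r"^S\s+(\S+/\d+) \[\d+/\d+\] via (\S+),", re.M)
# '<vlan> <name> Tagged|Untagged <added-by>' member rows of 'show interfaces switchport'.
MEMBER_RE = re.compile(r"^(\d+)\s+\S+\s+(?:Untagged|Tagged)\s+\S+\s*$", re.M)


def connected_vlans(route_table: str) -> Dict[str, int]:
    """Map each directly connected subnet to the VLAN id of its SVI."""
    return {subnet: int(vlan) for subnet, vlan in CONNECTED_RE.findall(route_table)}


def static_next_hops(route_table: str) -> Dict[str, str]:
    """Map each statically routed subnet to its next hop."""
    return dict(STATIC_RE.findall(route_table))


def port_vlans(switchport_output: str) -> Set[int]:
    """VLANs a port is a member of (tagged or untagged)."""
    return {int(v) for v in MEMBER_RE.findall(switchport_output)}


def split_gateway_subnets(fw_routes: str, switch_tables: Dict[str, str]) -> Dict[str, dict]:
    """Subnets the firewall routes to ONE switch but which have an SVI on several.

    Hosts that picked the other switch as gateway send out fine, but the firewall's
    return traffic always lands on the single next hop, so the subnet must be one
    contiguous L2 domain reaching that switch (the fix Seb describes) or it breaks.
    """
    routed = static_next_hops(fw_routes)
    owners: Dict[str, List[str]] = {}
    for switch, table in switch_tables.items():
        for subnet in connected_vlans(table):
            owners.setdefault(subnet, []).append(switch)
    return {s: {"firewall_next_hop": routed[s], "svi_on": sorted(owners[s])}
            for s in routed if len(owners.get(s, [])) > 1}


def missing_vlans_on_path(fw_routes: str, gateway_table: str, switchport_output: str) -> Set[int]:
    """VLANs whose subnet the firewall routes to the gateway switch but the port does not carry."""
    subnet_to_vlan = connected_vlans(gateway_table)
    needed = {subnet_to_vlan[s] for s in static_next_hops(fw_routes) if s in subnet_to_vlan}
    return needed - port_vlans(switchport_output)


if __name__ == "__main__":
    gw = SWITCH_ROUTES["10.10.110.11"]
    print("split gateways:", split_gateway_subnets(FW_ROUTES, SWITCH_ROUTES))
    print("gi44 missing:", sorted(missing_vlans_on_path(FW_ROUTES, gw, GI44_SWITCHPORT)))
    print("gi1 missing:", sorted(missing_vlans_on_path(FW_ROUTES, gw, GI1_SWITCHPORT)))
```

On the posted data this flags all six VLAN subnets as split-gateway (SVI on .11 and .14, firewall next hop .11 only) and reports VLANs 40-45 as absent from gi44 while gi1 carries them, which matches what adding the VLANs to port 44 fixed. 10.10.110.0/24 is not flagged because the firewall has it as connected rather than routed to a single switch.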
09-25-2017 07:48 AM - edited 09-25-2017 07:49 AM
So adding the VLANs to that port 44 seems to have resolved the routing and DHCP issue (Huzzah!)... but now it takes quite a while - almost 30 seconds in some cases - for a user to authenticate before being assigned an IP. Is there a way to speed this up? On the old network, authentication is nearly instant. We're using the same auth server in both instances.
09-25-2017 07:51 AM
If switch1 and switch3 are now sharing the same L2 domain for VLAN40, then it probably doesn't help that you are running it with two DHCP pools. Disable the pool on switch3 and see if devices connected at the side of the network are getting leases from switch1.
09-25-2017 07:56 AM
09-25-2017 07:59 AM
OK, good to hear :)
09-25-2017 07:49 AM
It won't do any good trunking more VLANs from switch2 to the firewall if its receiving interface is not configured for VLAN-tagged traffic.
My guess is that your firewall just has routed interfaces. You need to move your cabling around so that switch1 and switch2 are directly attached with all necessary VLANs trunked between them. Connect the FW to either switch1 or switch2 and trunk to it only the VLANs that it is the gateway for.
This should resolve your routing issues.
cheers,
Seb.