07-20-2015 05:46 AM - edited 03-08-2019 01:02 AM
Hello everybody.
My organization is composed of two buildings connected together with a PtP wireless bridge solution.
In the main building there are several offices of two business units that work in two different VLANs (id 10 and 20) and a guest wireless network (id 99).
The main switch is an SF300-24P, there is also another SF300-24P and an SF300-40, and we also have three WAP-121 access points in single point setup mode with three SSIDs each (one SSID per VLAN). All switches are connected to each other through uplink ports set in trunk mode, with VLAN10 untagged and 20-99 tagged.
In the secondary building there is the logistics unit, a small office, and the server room with an SG200-26 switch.
Until some days ago there wasn't the need to propagate VLAN 20 through the PtP bridge, but now I have to place a server for VLAN 20 in the server room, so I've added VLAN 20 tagged in the PtP setup and I'm able to share its file server shared folders across the PtP. The problem is that my server can't browse the internet (the default gateway is located in the main building, connected to the main switch).
Here are some facts:
Server room's switch is setup like other switches, connected to the bridge via uplink port in trunk mode.
From the server in VLAN20 I can ping my gateway, but I'm unable to ping its WAN IP, nor any internet host.
VLAN 20 still has another server (main DC) in the main building with the DHCP server service enabled; DHCP offer packets didn't pass through the PtP to the server room. If I set up a static IP I can browse DC shares and join the domain.
Every server in VLAN 10 can browse internet without any problem.
I've talked with my PtP antennas dealer, and they're set up the way they should be: VLAN10 stays untagged and VLAN20 stays tagged (VLAN99 is not transmitted).
There is no need for intra VLAN routing: our two business units have to be separated one from the other, each has its own internet access and its own router. They just share the server room, the two buildings and the layer 2 infrastructure.
I would greatly appreciate any help.
Thanks.
07-20-2015 08:10 AM
Hi
So layer 2 works fine up to the gateway from your server room switch, as you can hit the gateway, but you cannot break out to the internet from anything with a source of VLAN 20, while VLAN 10 is fine.
Can you post the running config of your routed switch that has the internet connection?
If you connect a laptop directly to this routed switch on VLAN 20, can it break out to the internet from there, or is the issue only with devices in the server room on VLAN 20?
07-21-2015 12:08 AM
Hi Mark and thank you for your answer.
I've attached the main SF300-24P running config, but there aren't any internet access problems from it (the other switch SF300-48 is uplinked to this and has about 40 PCs connected working in VLAN20).
There are layer 3 problems just from the server room: it looks like some kind of routing problem, but my PtP bridge is (obviously) a layer 2 device, and I shouldn't have this kind of problem.
The other odd thing is the lack of DHCP offer packet in the server room while connected to any VLAN20 port.
VLAN10 hasn't any problem.
07-21-2015 12:24 AM
Hi, just a quick look at your config: where is the layer 3 routed part of VLAN 20? You have interface VLAN 10 but no 20; is it on the 1841 router?
07-21-2015 02:57 AM
I don't have any 1841 router: my VLAN20 default gateway is a Zyxel USG20 connected on an untagged port on this vlan.
As I've written above, there is no need for intra VLAN routing: each VLAN has to stay apart from the others.
I know it's a strange setup, but in this scenario there are two business units that share these two buildings and the network infrastructure.
07-21-2015 04:03 AM
OK, I was looking at port 9 for the 1841 description set on it.
I understand you don't want inter-VLAN routing; this can still be blocked on the SVI in the router with ACLs from speaking to each other, use dynamic routing or a router-on-a-stick setup, but if you're getting internet for VLAN 20 anyway that's what you need. The problem is only located to the server room, where users on VLAN 20 can't get internet.
If you put a laptop in the server room and set the port to VLAN 10, is it the same? Can that get internet?
If it's set as a static IP from either VLAN, can it reach the internet from the server room?
The fact the DHCP requests are not being passed through would suggest something is being blocked in the P2P connection. What is the link set to, access or trunk?
If the internet works fine for all devices until the P2P link, then I would capture a Wireshark trace from either side and provide them to whoever supports that link for confirmation that traffic is being blocked.
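The two-sided capture comparison suggested in the reply above, as an added example that is not part of the original thread. It assumes classic pcap files (not pcapng) taken on the trunk ports facing the bridge with 802.1Q tags intact; the function names and the sample captures are constructed for illustration.

```python
import struct
from collections import Counter

DHCP_PORTS = {67: "dhcp-from-server", 68: "dhcp-from-client"}  # UDP source ports

def read_pcap(data):
    """Yield Ethernet frames from a classic little-endian pcap byte string."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected classic little-endian pcap")
    off = 24  # past the global header
    while off + 16 <= len(data):
        n = struct.unpack_from("<I", data, off + 8)[0]  # captured length
        yield data[off + 16: off + 16 + n]
        off += 16 + n

def classify(frame, native_vlan=10):
    """Return (vlan_id, kind); untagged frames count as the native VLAN."""
    if len(frame) < 18:
        return native_vlan, "short"
    vlan, l3 = native_vlan, 14
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype == 0x8100:  # 802.1Q tag: VLAN id is the low 12 bits of the TCI
        tci, etype = struct.unpack_from("!HH", frame, 14)
        vlan, l3 = tci & 0x0FFF, 18
    kind = {0x0806: "arp", 0x0800: "ipv4"}.get(etype, "other")
    if kind == "ipv4" and len(frame) >= l3 + 20 and frame[l3 + 9] == 17:
        udp = l3 + (frame[l3] & 0x0F) * 4  # UDP header follows the IPv4 header
        kind = DHCP_PORTS.get(int.from_bytes(frame[udp:udp + 2], "big"), kind)
    return vlan, kind

def dropped(near_pcap, far_pcap, native_vlan=10):
    """Count frame classes seen on the near side of the bridge but not the far side."""
    near = Counter(classify(f, native_vlan) for f in read_pcap(near_pcap))
    far = Counter(classify(f, native_vlan) for f in read_pcap(far_pcap))
    return dict(near - far)

def sample_pcap(*specs):
    """Constructed capture, not real traffic: VLAN 10 untagged, other VLANs tagged."""
    ip = b"\x45" + bytes(8) + b"\x11" + bytes(10)  # minimal IPv4 header, protocol UDP
    bodies = {"arp": b"\x08\x06" + bytes(28),
              "dhcp-from-client": b"\x08\x00" + ip + struct.pack("!HHHH", 68, 67, 8, 0),
              "dhcp-from-server": b"\x08\x00" + ip + struct.pack("!HHHH", 67, 68, 8, 0)}
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for vlan, kind in specs:
        tag = b"" if vlan == 10 else struct.pack("!HH", 0x8100, vlan)
        frame = bytes(12) + tag + bodies[kind]
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
MAIN = sample_pcap((10, "arp"), (20, "arp"), (20, "dhcp-from-client"), (20, "dhcp-from-server"))
SERVER_ROOM = sample_pcap((10, "arp"), (20, "arp"), (20, "dhcp-from-client"))
```

Calling `dropped(MAIN, SERVER_ROOM)` on the constructed captures reports the tagged VLAN 20 DHCP server replies as the only class missing on the far side, which is the kind of per-VLAN evidence to hand to whoever supports the link.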
07-21-2015 05:18 AM
That's right: I haven't talked about that 1841 'cause it's not the default gateway. Since VLAN20 is a call center, that 1841 is used just for voice traffic, and it's not my work.
In the server room I can't browse the internet, even with a static IP assignment; the link is set as trunk, just like the other switch in the main building.
Our PtP reseller told us that everything in the configuration of the antennas (raytalk devices) is right, but by now I'm starting to doubt this...
Antennas are linked to those trunk ports with ID10 untagged and ID20 tagged, and network traffic goes through the link keeping ID10 untagged and 20 tagged. I could set both VLANs tagged, just to understand what could happen: if ID10 starts having the same troubles, maybe I've found the problem...
07-21-2015 05:33 AM
Yes, as everything works back to the point of this link, I would definitely start looking at it; that sounds like a good start.
I would check the show interface trunk on each switch as well between the links, to make sure everything is allowed.
07-21-2015 05:39 AM
Sadly the SG200-26 doesn't allow Telnet login, I can only manage it through the web interface, so I guess I can't type the sh int trunk command.
Anyway, I'll update the discussion as soon as I can make the test I've written above.
07-22-2015 03:04 AM
I made a simple test: I've moved the server room's switch into the main building, connected to the same trunk port. Plugging a UTP cable into a port in VLAN20, my notebook was able to get an IP from DHCP and to browse the internet, so my problem isn't related to VLAN configuration or trunking between switches: I will annoy my PtP reseller, because all my troubles come from this.
Thank you, Mark, for your support.
07-22-2015 03:54 AM
Ah good glad to hear you have fully isolated the issue to the p2p line, good luck with the provider :)