11-03-2008 05:26 PM - edited 03-06-2019 02:17 AM
Hi All,
I have VLANs set up as in the attached diagram, and the VLAN setup commands are as follows.
Switch(config)# ip routing
Switch(config)# vlan 2
Switch(config-vlan)# name vlan2
Switch(config)# vlan 3
Switch(config-vlan)# name vlan3
Switch(config)# vlan 4
Switch(config-vlan)# name vlan4
Switch(config)# int vlan 2
Switch(config-if)# ip address 192.168.32.1 255.255.240.0
Switch(config-if)# ip helper-address 192.168.16.2
Switch(config-if)# no shut
Switch(config)# int vlan 3
Switch(config-if)# ip address 192.168.48.1 255.255.240.0
Switch(config-if)# ip helper-address 192.168.16.2
Switch(config-if)# no shut
Switch(config)# int vlan 4
Switch(config-if)# ip address 192.168.16.1 255.255.240.0
Switch(config-if)# no shut
Switch(config)#int range fa1/0/7 - 12
Switch(config-if-range)#switchport access vlan 2
Switch(config-if-range)#switchport mode access
Switch(config)#int range fa1/0/13 - 18
Switch(config-if-range)#switchport access vlan 3
Switch(config-if-range)#switchport mode access
Switch(config)#int range fa1/0/19 - 22
Switch(config-if-range)#switchport access vlan 4
Switch(config-if-range)#switchport mode access
The DHCP and DNS server is on a box in VLAN 4.
When the default gateway on the box with DNS and DHCP is set to 192.168.16.1, all clients on all VLANs can get an IP address from the DHCP server, and DNS can resolve requests for internal names. But DNS cannot resolve requests for external names.
When the default gateway on the box with DNS and DHCP is set to 192.168.16.8, which is the IP address of the firewall and internal proxy server, only clients in VLAN 4 can get an IP address from the DHCP server, and DNS can resolve requests for both internal and external names for clients in VLAN 4 only. I understand that the DNS server can get help from DNS servers on the Internet to resolve the external names because it can route the request through the default gateway, which is pointing to the firewall box. But also because of this, the DHCP server cannot answer DHCP requests from clients on other VLANs through the right gateway.
There must be a way to let clients from all VLANs get an IP address from DHCP, and to let DNS resolve names for both internal and external. How do I do it, please?
11-04-2008 01:39 AM
Mark
You need to set the default-gateway on your DHCP/DNS servers to be 192.168.16.1 so that all clients can get IP addresses.
Then on your 3750
ip route 0.0.0.0 0.0.0.0 192.168.16.8
so your DNS server sends its request to its default gateway, which is 192.168.16.1, and then the 3750 forwards it on to the firewall/proxy because of the default route.
A further note. Ideally you would have your firewall in a separate VLAN from your servers, for security reasons.
Jon
11-04-2008 03:23 AM
Hi Jon,
Did what you said. The result is:
Clients from VLAN 4 (192.168.16.0/20) can access everything. But clients from VLAN 3 (192.168.48.0/20) can get an IP address and can get external names resolved, but cannot ping the firewall box either by name or by IP, and cannot access the Internet.
Part of the show run is as follows:
!
interface Vlan2
ip address 192.168.32.1 255.255.240.0
ip helper-address 192.168.16.2
!
interface Vlan3
ip address 192.168.48.1 255.255.240.0
ip helper-address 192.168.16.2
!
interface Vlan4
ip address 192.168.16.1 255.255.240.0
!
ip default-gateway 192.168.16.8
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.16.8
no ip http server
By the way, I put "ip http server" in and then tried to remove it with "no", and you can see it is still there. Is there any way to remove it?
Thanks
11-04-2008 03:30 AM
Mark
Sorry, forgot to mention that the firewall will need to know how to get to VLANs other than VLAN 4, as it is a member of VLAN 4.
Your firewall will have a default route pointing to the upstream Internet router. You will also need to add routes to your firewall for any VLANs on the 3750 that are not VLAN 4, so
ip route 192.168.48.0 255.255.240.0 192.168.16.1
Note that the syntax is only to give you an idea of what is needed on the firewall. You don't say which type of firewall it is, so adding a route may use different syntax.
Jon
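To make the forwarding logic in the two replies above concrete, here is an added example (not code from the original thread) that models each box's routing table with longest-prefix match and traces where a packet goes in the three states discussed: the DHCP/DNS server with its gateway on the 3750 and no default route on the 3750, the server with its gateway on the firewall, and Jon's fix (gateway on the 3750, default route on the 3750 to 192.168.16.8) both without and with the return routes on the firewall. The hostnames, the VLAN 3 client address 192.168.48.50 and the external resolver address 198.51.100.53 are constructed for the example; everything else comes from the posted config.

```python
"""Routing-path trace for the thread's topology (added example, not from the posts).
Hostnames, the VLAN 3 client and the external DNS address are constructed."""
from ipaddress import ip_address, ip_network

INTERNET = "INTERNET"   # sentinel: packet handed to the upstream Internet router
DROP = "DROP"           # sentinel: no matching route / next hop not on the segment


class Node:
    """A host or router: its own addresses plus (prefix, next_hop) routes.
    next_hop None means directly connected; INTERNET is the firewall's upstream link."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}
        self.routes = [(ip_network(p), nh if nh in (None, INTERNET) else ip_address(nh))
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; raises KeyError when no route covers dst."""
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            raise KeyError(dst)
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def forward(nodes, src, dst, max_hops=8):
    """List of hops a packet from node `src` to address `dst` takes. A path ending in
    the destination node means delivery; INTERNET or DROP means it left or was lost."""
    dst = ip_address(dst)
    owner = {a: n for n in nodes.values() for a in n.addresses}
    node, path = nodes[src], [src]
    for _ in range(max_hops):
        if dst in node.addresses:
            return path
        try:
            nh = node.lookup(dst)
        except KeyError:
            return path + [DROP]
        if nh == INTERNET:
            return path + [INTERNET]
        nxt = owner.get(dst if nh is None else nh)
        if nxt is None:
            return path + [DROP]
        path.append(nxt.name)
        node = nxt
    return path + ["LOOP"]


SWITCH_GATEWAYS = {"192.168.16.0/20": "192.168.16.1",   # VLAN 4 (servers, firewall)
                   "192.168.32.0/20": "192.168.32.1",   # VLAN 2
                   "192.168.48.0/20": "192.168.48.1"}   # VLAN 3
EXTERNAL_DNS = "198.51.100.53"   # constructed (TEST-NET-2) external resolver


def build(server_gateway, switch_default_route, firewall_return_routes):
    """Topology from the thread with the three knobs the replies turn."""
    switch_routes = [(p, None) for p in SWITCH_GATEWAYS]
    if switch_default_route:                        # ip route 0.0.0.0 0.0.0.0 192.168.16.8
        switch_routes.append(("0.0.0.0/0", "192.168.16.8"))
    fw_routes = [("192.168.16.0/20", None), ("0.0.0.0/0", INTERNET)]
    if firewall_return_routes:                      # routes back to the non-VLAN-4 subnets
        fw_routes += [("192.168.32.0/20", "192.168.16.1"),
                      ("192.168.48.0/20", "192.168.16.1")]
    return {
        "switch": Node("switch", SWITCH_GATEWAYS.values(), switch_routes),
        "server": Node("server", ["192.168.16.2"],
                       [("192.168.16.0/20", None), ("0.0.0.0/0", server_gateway)]),
        "firewall": Node("firewall", ["192.168.16.8"], fw_routes),
        "vlan3-client": Node("vlan3-client", ["192.168.48.50"],     # constructed host
                             [("192.168.48.0/20", None), ("0.0.0.0/0", "192.168.48.1")]),
    }


def gateway_is_switch_no_default_route():
    """State 1: DHCP reply to the VLAN 3 relay works, external DNS query dies on the 3750."""
    n = build("192.168.16.1", False, False)
    return forward(n, "server", "192.168.48.1"), forward(n, "server", EXTERNAL_DNS)


def gateway_is_firewall():
    """State 2: external DNS works, but the reply to the VLAN 3 relay agent goes to the
    firewall, which has no route back and pushes it upstream."""
    n = build("192.168.16.8", False, False)
    return forward(n, "server", "192.168.48.1"), forward(n, "server", EXTERNAL_DNS)


def fix_without_firewall_return_routes():
    """Jon's first reply applied: VLAN 3 reaches the firewall, but the return packet
    to 192.168.48.50 is pushed upstream instead of back to the 3750."""
    n = build("192.168.16.1", True, False)
    return forward(n, "vlan3-client", EXTERNAL_DNS), forward(n, "firewall", "192.168.48.50")


def fix_with_firewall_return_routes():
    """Jon's follow-up applied: the firewall routes 192.168.48.0/20 back via 192.168.16.1."""
    n = build("192.168.16.1", True, True)
    return forward(n, "vlan3-client", EXTERNAL_DNS), forward(n, "firewall", "192.168.48.50")


if __name__ == "__main__":
    for fn in (gateway_is_switch_no_default_route, gateway_is_firewall,
               fix_without_firewall_return_routes, fix_with_firewall_return_routes):
        print(f"{fn.__name__}: {fn()}")
```

The model treats the firewall's default route as "hand it to the Internet router"; a real firewall would more likely drop or NAT a reply addressed to 192.168.48.50, but either way it never reaches VLAN 3, which is the asymmetric-routing failure Mark reports. On a Linux firewall such as the Fedora box mentioned later, the return routes the last function adds correspond to `ip route add 192.168.32.0/20 via 192.168.16.1` and `ip route add 192.168.48.0/20 via 192.168.16.1`.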
11-04-2008 04:02 AM
Thanks Jon. Currently it is a testing environment and the firewall is a simple one, Firestarter on a Fedora 5.0 box; I will try to figure out the routing on this box. Another thing is that the company I am working with is going to use a CheckPoint UTM-1 box as a firewall, and one LAN port is going to be used to connect the VLANs. Is it true that either a routed port or another VLAN can do the job? Which way is better? It just needs one port with a single IP as the connection point (as far as I know at this stage). So the routed port is the better way, isn't it? If so, can you show me what commands should be used?
Regards
11-04-2008 04:12 AM
Mark
See attached link for adding routes to a Linux system:
http://www.linuxquestions.org/questions/linux-networking-3/permanently-add-static-route-16769/
If you are connecting the Checkpoint firewall directly into the 3750 you can use routed or switched. With firewalls I tend to go for switched and use a dedicated VLAN. That way, if you then want to have a failover firewall later on, you can just add the new firewall into the same VLAN.
Normally I would pick a /29 subnet, e.g.
192.168.5.0/29, which gives 192.168.5.1 -> 192.168.5.6 with 5.7 as the broadcast.
Whether you choose the routed or switched port option, you will need to modify your routing, in that the firewall will also now need to know how to get back to the 192.168.16.0 network as it is no longer part of that. It's just a case of adding an additional static route on your firewall.
If you want to use a routed port
int gi1/0
no switchport
ip address x.x.x.x x.x.x.x
Jon
11-04-2008 04:50 AM
Thank you very much Jon, it is very helpful. I will do some further testing tomorrow and get back here.
Regards
Mark
11-06-2008 04:42 PM
Hi Jon,
Just want to find out: suppose I use a routed port, the "ip route" statement is still necessary, isn't it?
int gi1/0
no switchport
ip address 192.168.5.1 255.255.255.248
ip route 0.0.0.0 0.0.0.0 192.168.5.1
Am I right?
Mark
11-06-2008 11:57 PM
Mark
If you use a routed port then yes, you would still need a route. However, I am a bit confused by the route you have written. Is this route meant to be on the switch? If so, the next hop wouldn't be 192.168.5.1 because that is the routed port; it would be 192.168.5.x where x is whatever you have given to the firewall.
Jon
11-07-2008 03:01 AM
Sorry Jon, I did not check it carefully.
Suppose the firewall port on the firewall device is 192.168.5.2; then on the switch:
int gi1/0
no switchport
ip address 192.168.5.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.168.5.2
It looks right this time, doesn't it?
Thanks
11-07-2008 04:08 AM
Yep, that looks fine now.
Jon
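The mistake Jon caught (a default route whose next hop is the switch's own routed-port address) is easy to make and easy to check mechanically. This added example (not code from the thread) validates a proposed `ip route 0.0.0.0 0.0.0.0 <next-hop>` against the routed port's address and against the three existing /20 VLANs: the next hop must be a usable address inside the port's own subnet, must not be the switch's address, and the transit subnet must not overlap a VLAN the switch already routes. It also works out the usable range of the /29 Jon suggested. The checks and their wording are the example's own; the addresses are the ones posted in the thread.

```python
"""Sanity checks for a routed-port transit subnet and the 3750's default route
(added example, not from the original posts)."""
from ipaddress import ip_address, ip_interface, ip_network

# The three /20 VLAN subnets from the posted config.
VLAN_SUBNETS = [ip_network(s) for s in ("192.168.16.0/20", "192.168.32.0/20", "192.168.48.0/20")]


def transit_subnet_summary(cidr):
    """First usable, last usable and broadcast address of a transit subnet, as strings."""
    net = ip_network(cidr)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)


def check_default_route(routed_port, next_hop, vlans=VLAN_SUBNETS):
    """Problems with `ip route 0.0.0.0 0.0.0.0 <next_hop>` on a switch whose routed port
    is configured as `routed_port` (e.g. "192.168.5.1/30"). Empty list means it looks fine."""
    port = ip_interface(routed_port)
    nh = ip_address(next_hop)
    net = port.network
    problems = []
    if nh == port.ip:
        # Mark's first attempt: next hop == the switch's own address on the link
        problems.append(f"next hop {nh} is the switch's own routed-port address; "
                        f"it must be the firewall's address on this link")
    elif nh not in net:
        problems.append(f"next hop {nh} is outside the connected subnet {net}; "
                        f"the switch cannot ARP for it")
    elif net.prefixlen < 31 and nh in (net.network_address, net.broadcast_address):
        problems.append(f"next hop {nh} is the network or broadcast address of {net}")
    for vlan in vlans:
        if net.overlaps(vlan):
            problems.append(f"transit subnet {net} overlaps VLAN subnet {vlan}; "
                            f"pick an address range not used by any VLAN")
    return problems


if __name__ == "__main__":
    print("192.168.5.0/29 usable range:", transit_subnet_summary("192.168.5.0/29"))
    print("first attempt:", check_default_route("192.168.5.1/29", "192.168.5.1"))
    print("corrected:    ", check_default_route("192.168.5.1/30", "192.168.5.2"))
    print("overlapping:  ", check_default_route("192.168.16.9/29", "192.168.16.10"))
```

The overlap check matters for the same reason Jon gives for the firewall's return routes: once the firewall lives on a dedicated transit subnet, every subnet behind the 3750, VLAN 4 included, must be reachable from the firewall only via the 3750's transit address, and a transit range carved out of an existing VLAN would make that ambiguous.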