Linksys SGE2000 VLAN issue with VMWare hosts.

choatesolutions
Level 1

Hello,

I have a Linksys SGE2000 Switch and I've been trying to get VLANs to work.

How I'm trying to set it up is like this:

Port 1 - Vlan22 - Plugged into trusted port in firewall

Port 3 - Vlan25 - Plugged into DMZ in firewall

Port 15 - is plugged into a VMWare host. The network is set up as production is Vlan 22, DMZ is Vlan 25.

Port 16 - Internal server, so is Vlan 22

Both Vlans have a different IP subnet.

I think I have port 3 configured ok as it's only one Vlan. I'm trying to get Port 15 configured properly and it won't work.

Servers on VMWare hosts are Windows Server O/S.

Thanks.

Gary

7 Replies

Tom Watts
VIP Alumni

Hi Gary, the switch may be detecting a spanning tree loop since you have 2 links to the firewall. Classic spanning tree and RSTP do not consider VLAN ID for the spanning tree instances.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

So in my firewall I'd have to distinguish the LAN and DMZ traffic instead of the 2 ports?

First, I would check the spanning tree interface settings to see if any ports are in a block / discard state.

-Tom

All ports are forwarding and STP is enabled; every up port is showing the same status.

Okay, since we know there is not a port block issue.

In a layer 2 switch environment, from the switch's point of view, each VLAN is its own network, meaning it won't talk to anything but the nodes in the same VLAN. The switch itself is indifferent to anything you connect to it. However, since each port is its own collision domain, the ingress queue of a switchport identifies how the physical interface is assigned (the VLAN). Meaning VLAN 25 will only talk to VLAN 25. VLAN 22 will only talk to VLAN 22 - as far as the switch is concerned. The inter-communication has to take place at a higher level - the layer 3 device - being the Firewall.

As an example, if you configure your VM box to be an access port with the PVID 25 and your DMZ port of the firewall connecting to the switch is configured as an access port PVID 25, the VM box should have no issue to communicate. However, if your VM box is a member of a different VLAN or subnet (PVID 22) the router has to route the packet to the DMZ subnet.

This begs the question: when your router receives a request from your VLAN 22 subnet, does the router know how to forward the packet to the DMZ subnet? Does your router have a default state table that prohibits your DMZ from LAN communication?

-Tom

Hi Tom,

There is no VLAN configuration existing before. Our web server is a physical server that is connected to the 1 port on the firewall. Different subnet of course.

We are migrating it to the VMWare, hence the VLANs now. Since that 1 port on the firewall is already configured for the webserver I figured I'd take advantage of it. Btw firewall is a WatchGuard Firebox.

Gary

Gary, it sounds like we need to know what the VM is sending for the VLAN packet, tagged or untagged packets. Can you run a pcap monitoring the port the server is connecting to?

-Tom
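The two points Tom makes above (a layer 2 switch only forwards a frame to ports in the same VLAN, and you need to know whether the VM is sending tagged or untagged frames) can be checked with a small model. The following is an added example written for this thread, not code from the original posts, Cisco, or VMware. It decodes the 802.1Q tag from raw Ethernet frames (the same bytes a pcap would contain) and simulates the switch's ingress classification and flooding for the port layout Gary describes. Two details are assumptions: port 15 is modelled as a trunk carrying VLANs 22 and 25 tagged with an unused PVID of 1, and the port model treats the PVID as both the ingress default and the untagged egress VLAN, which is a simplification of how the switch's membership tables actually work.

```python
"""Added example: decode 802.1Q tags and simulate VLAN forwarding decisions.

Constructed for this thread, not code from the original posts. Port roles
follow Gary's description; port 15 is ASSUMED to be a trunk carrying VLANs
22 and 25 tagged, with an unused PVID of 1 for untagged frames.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # standard 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (outer tag of a QinQ frame)


def parse_vlan_tag(frame: bytes) -> dict:
    """Report whether an Ethernet frame carries a VLAN tag and, if so, which VID.

    VID 0 is a priority-tagged frame: it has a tag but belongs to no VLAN,
    so a switch classifies it like an untagged frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"tagged": True, "vid": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner_type}
    return {"tagged": False, "vid": None, "pcp": None, "ethertype": ethertype}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a minimal Ethernet frame, inserting an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


@dataclass(frozen=True)
class PortConfig:
    pvid: int                        # VLAN for untagged ingress; sent untagged on egress
    tagged: frozenset = frozenset()  # VLANs accepted and forwarded with a tag (trunk members)


class Switch:
    """Simplified layer-2 switch: VLAN classification and flooding only.

    MAC learning is left out on purpose; flooding shows every port a VLAN
    can reach, which is the isolation Tom describes.
    """

    def __init__(self, ports: dict):
        self.ports = ports

    def classify_ingress(self, port: str, frame: bytes) -> Optional[int]:
        """Return the VLAN the frame lands in, or None if the port drops it."""
        info = parse_vlan_tag(frame)
        if not info["tagged"] or info["vid"] == 0:
            return self.ports[port].pvid   # untagged or priority-tagged -> PVID
        if info["vid"] in self.ports[port].tagged:
            return info["vid"]             # tagged, and the port is a member
        return None                        # tagged for a VLAN this port is not in

    def egress_ports(self, ingress_port: str, frame: bytes) -> dict:
        """Map each port that gets a copy of the frame to 'tagged' or 'untagged'."""
        vid = self.classify_ingress(ingress_port, frame)
        out = {}
        if vid is None:
            return out
        for name, cfg in self.ports.items():
            if name == ingress_port:
                continue
            if cfg.pvid == vid and vid not in cfg.tagged:
                out[name] = "untagged"     # access port for this VLAN
            elif vid in cfg.tagged:
                out[name] = "tagged"       # trunk member for this VLAN
        return out


# Topology from the thread (port 15 trunk and PVID 1 are assumptions).
SWITCH = Switch({
    "port1": PortConfig(pvid=22),                              # firewall trusted side
    "port3": PortConfig(pvid=25),                              # firewall DMZ side
    "port15": PortConfig(pvid=1, tagged=frozenset({22, 25})),  # VMware host (assumed trunk)
    "port16": PortConfig(pvid=22),                             # internal server
})

# Constructed sample frames: broadcast ARP-sized payload, made-up MACs.
BCAST = bytes.fromhex("ffffffffffff")
MAC_VM = bytes.fromhex("020000000015")
MAC_SERVER = bytes.fromhex("020000000016")
ARP = 0x0806
PAYLOAD = bytes(28)

FRAME_DMZ_VM = build_frame(BCAST, MAC_VM, ARP, PAYLOAD, vid=25)    # DMZ port group, tagged 25
FRAME_UNTAGGED_VM = build_frame(BCAST, MAC_VM, ARP, PAYLOAD)       # VM sending untagged
FRAME_SERVER = build_frame(BCAST, MAC_SERVER, ARP, PAYLOAD)        # physical server, untagged
FRAME_SERVER_TAGGED25 = build_frame(BCAST, MAC_SERVER, ARP, PAYLOAD, vid=25)  # access port, wrong VLAN

if __name__ == "__main__":
    for name, frame, port in [("DMZ VM", FRAME_DMZ_VM, "port15"),
                              ("untagged VM", FRAME_UNTAGGED_VM, "port15"),
                              ("server", FRAME_SERVER, "port16"),
                              ("server tagged 25", FRAME_SERVER_TAGGED25, "port16")]:
        print(name, parse_vlan_tag(frame), "->", SWITCH.egress_ports(port, frame))
```

The interesting case is the untagged frame from port 15: with a trunk configuration it lands in the PVID (VLAN 1 here) and reaches nothing, which is the symptom of a VM port group missing its VLAN ID. `parse_vlan_tag` accepts the raw bytes of any frame, so frames pulled from the capture Tom asks for can be fed to it directly to answer the tagged-or-untagged question.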