Inter Vlan /Routing

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Inter Vlan /Routing
2020-01-07 20:55:11
Hardware Version: V3
Firmware Version:

Hello,

I've been trying to set up multiple VLANs and have them talk to each other via L3 settings. The VLANs work fine, but I can't make any inter-VLAN connections. Ping to the switch/router is functional (from most VLANs).

Can't seem to find what I'm doing wrong.

Here is my config:

 

 

 

!T2600G-28TS
#
vlan 2
 name "OLD-units"
#
vlan 10
 name "ISPLan"
#
vlan 20
 name "Voip"
#
vlan 30
 name "CAMERA"
#
vlan 60
 name "KPNITV"
#
vlan 70
 name "PCLan"
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
serial_port baud_rate 38400
#
#
system-time ntp UTC+08:00 133.100.9.2 139.78.100.163 12
no system-time dst
#
#
#
user name admin privilege admin secret 
#
#
#
#
ip dhcp l2relay vlan 30
#
service dhcp server
ip dhcp server excluded-address 192.168.30.1 192.168.30.10
ip dhcp server excluded-address 192.168.2.1 192.168.2.200
ip dhcp server excluded-address 192.168.70.1 192.168.70.100
ip dhcp server excluded-address 192.168.1.1 192.168.1.1
ip dhcp server excluded-address 192.168.10.1 192.168.10.5
ip dhcp server pool "Voip"
network 192.168.20.0 255.255.255.0
default-gateway 192.168.20.1
dns-server 192.168.1.1
#
ip dhcp server pool "ITV"
network 192.168.60.0 255.255.255.0
default-gateway 192.168.60.1
dns-server 192.168.1.1
#
ip dhcp server pool "CAM"
network 192.168.30.0 255.255.255.0
default-gateway 192.168.30.1
dns-server 192.168.1.1
#
ip dhcp server pool "PCLAN"
network 192.168.70.0 255.255.255.0
default-gateway 192.168.70.1
dns-server 192.168.1.1
#
ip dhcp server pool "OLD"
network 192.168.2.0 255.255.255.0
default-gateway 192.168.2.1
dns-server 192.168.1.1
#
ip dhcp server pool "ISPlan"
network 192.168.10.0 255.255.255.0
default-gateway 192.168.10.1
dns-server 192.168.1.1
#
#
#
#
#
#
#
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.10.0 255.255.255.0 192.168.1.1
ip route 192.168.20.0 255.255.255.0 192.168.1.1
ip route 192.168.30.0 255.255.255.0 192.168.1.1
ip route 192.168.60.0 255.255.255.0 192.168.1.1
ip route 192.168.70.0 255.255.255.0 192.168.1.1
#
#

#
#
#
#
#
#
#
#
interface vlan 1
  ip address 192.168.1.1 255.255.255.0
  ipv6 enable
#
interface vlan 2
  ip address 192.168.2.1 255.255.255.0
  description "OLD"
  ipv6 enable
#
interface vlan 10
  ip address 192.168.10.1 255.255.255.0
  description "ISPLAN"
  ipv6 enable
#
interface vlan 20
  ip address 192.168.20.1 255.255.255.0
  description "Voip"
  ipv6 enable
#
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
  description "CAM"
  ipv6 enable
#
interface vlan 60
  ip address 192.168.60.1 255.255.255.0
  description "ITV"
  ipv6 enable
#
interface vlan 70
  ip address 192.168.70.1 255.255.255.0
  description "PCLAN"
  ipv6 enable
#
interface gigabitEthernet 1/0/1
  switchport general allowed vlan 2 untagged
  switchport pvid 2
  
#
interface gigabitEthernet 1/0/2
  switchport general allowed vlan 10 untagged
  switchport pvid 10
  
#
interface gigabitEthernet 1/0/3
  switchport general allowed vlan 20 untagged
  switchport pvid 20
  
#
interface gigabitEthernet 1/0/4
  switchport general allowed vlan 60 untagged
  switchport pvid 60
  
#
interface gigabitEthernet 1/0/5
  switchport general allowed vlan 2 untagged
  switchport pvid 2
  
#
interface gigabitEthernet 1/0/6
  switchport general allowed vlan 2 untagged
  switchport pvid 2
  
#
interface gigabitEthernet 1/0/7
  switchport general allowed vlan 2 untagged
  switchport pvid 2
  
#
interface gigabitEthernet 1/0/8
  switchport general allowed vlan 30 untagged
  switchport pvid 30
  
#
interface gigabitEthernet 1/0/9
  
#
interface gigabitEthernet 1/0/10
  switchport pvid 2
  
#
interface gigabitEthernet 1/0/11
  switchport general allowed vlan 2 untagged
  switchport pvid 2
  
#
interface gigabitEthernet 1/0/12
  switchport general allowed vlan 30 untagged
  switchport pvid 30
  
#
interface gigabitEthernet 1/0/13
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/14
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/15
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/16
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/17
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/18
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/19
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/20
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/21
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/22
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/23
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/24
  switchport general allowed vlan 70 untagged
  switchport pvid 70
  
#
interface gigabitEthernet 1/0/25
  
#
interface gigabitEthernet 1/0/26
  
#
interface gigabitEthernet 1/0/27
  
#
interface gigabitEthernet 1/0/28
  
#
end
 

 

 

A little help would be greatly appreciated.

#1
Re:Inter Vlan /Routing
2020-01-08 03:52:02

@AshleyNL 

 

I have a question about the following configuration.

ip route 0.0.0.0 0.0.0.0 192.168.1.1

ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.10.0 255.255.255.0 192.168.1.1
ip route 192.168.20.0 255.255.255.0 192.168.1.1
ip route 192.168.30.0 255.255.255.0 192.168.1.1
ip route 192.168.60.0 255.255.255.0 192.168.1.1
ip route 192.168.70.0 255.255.255.0 192.168.1.1

 

192.168.1.1 is the IP address of the VLAN1 interface. But you used it as the default gateway (ip route 0.0.0.0 0.0.0.0 192.168.1.1). It's right that we need to set default routing, but I think the next hop should be the IP address of your gateway/router rather than the IP address of the VLAN1 interface.

 

When you create a VLAN interface, the switch will generate the routing automatically. I think you don't need to set up the following routing. You can delete all of them.

ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.10.0 255.255.255.0 192.168.1.1
ip route 192.168.20.0 255.255.255.0 192.168.1.1
ip route 192.168.30.0 255.255.255.0 192.168.1.1
ip route 192.168.60.0 255.255.255.0 192.168.1.1
ip route 192.168.70.0 255.255.255.0 192.168.1.1

#2
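The two points in this reply (a static route whose next hop is one of the switch's own VLAN interface addresses, and static routes that duplicate networks the switch already reaches through its VLAN interfaces) can be checked against a saved configuration. The Python below is an added example, not part of the original post or of any TP-Link tooling; `lint_static_routes` and the sample excerpt are constructed for illustration, using the configuration syntax shown in the thread.

```python
import ipaddress
import re

# Constructed excerpt using the syntax of the configuration posted in this thread.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.30.0 255.255.255.0 192.168.1.1
interface vlan 1
  ip address 192.168.1.1 255.255.255.0
interface vlan 2
  ip address 192.168.2.1 255.255.255.0
interface vlan 30
  ip address 192.168.30.1 255.255.255.0
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)\s*$")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")


def lint_static_routes(config_text):
    """Return (destination, next_hop, problem) tuples for suspicious static routes."""
    own_ifaces, routes = [], []
    for line in config_text.splitlines():
        addr, route = ADDR_RE.match(line), ROUTE_RE.match(line)
        if addr:     # address of one of the switch's own VLAN interfaces
            own_ifaces.append(ipaddress.ip_interface("/".join(addr.groups())))
        elif route:  # static route: destination, mask, next hop
            dest = ipaddress.ip_network(f"{route.group(1)}/{route.group(2)}", strict=False)
            routes.append((dest, ipaddress.ip_address(route.group(3))))

    own_ips = {iface.ip for iface in own_ifaces}
    connected = {iface.network for iface in own_ifaces}
    findings = []
    for dest, hop in routes:
        if hop in own_ips:
            findings.append((str(dest), str(hop), "next hop is the switch itself"))
        elif not any(hop in net for net in connected):
            findings.append((str(dest), str(hop), "next hop is not directly reachable"))
        if dest in connected:
            findings.append((str(dest), str(hop), "duplicates a connected route"))
    return findings


if __name__ == "__main__":
    for finding in lint_static_routes(SAMPLE_CONFIG):
        print(*finding, sep="  ")
```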
Re:Inter Vlan /Routing
2020-01-08 16:07:31 - last edited 2020-01-08 19:19:33

@Andone 

 

Thanks for your answer. I tried to change to the advised setting; I cannot ping across any VLAN now. Not even the switch can be pinged from an inter-VLAN IP.

My setup is: ISP Router > T2600G > clients/other switches/APs (80 in all)

The ISP router is set @ 192.168.2.254, running DHCP. The ISP router is the whole reason I want to set up VLAN with DHCP on the T2600.

The router cannot be configured at all; I can only set a static IP, the rest is fixed (blocked).

Are there other settings I need to change to get it to work?

This is the current routing table. (I've created 3 VLANs: VLAN 70 holds all clients, VLAN 30/100 I use for testing with a single PC.)

On VLAN 30 & 100, I see the DHCP server working, and from both VLANs I can ping the T2600 IP from that subnet. I cannot connect to or ping any device in another VLAN.

 

IPv4 Routing Table

Protocol   Destination Network  Next Hop       Distance  Metric  Interface Name
Static     0.0.0.0/24           192.168.2.254  1         0       VLAN70
Connected  192.168.0.0/24       192.168.0.1    0         1       VLAN1
Connected  192.168.2.0/24       192.168.2.1    0         1       VLAN70
Connected  192.168.30.0/24      192.168.30.1   0         1       VLAN30
Connected  192.168.100.0/24     192.168.100.1  0         1       VLAN100

Total: 5

Hardware Version: T2600G-28TS 3.0

Firmware Version: 3.0.3 Build 20181101 Rel.42543(s)

#3
Re:Inter Vlan /Routing
2020-01-08 19:01:43 - last edited 2020-01-08 19:02:03

 

Hello,
 

I also have a T2600G-28TS and VLAN issues with it; the only difference is that I don't have DHCP on that switch and have only one default route for non-local traffic.

My issue is that I cannot access default VLAN1:

https://community.tp-link.com/en/business/forum/topic/180374

What firmware are you using? The latest one? You said that your ping is working "from most vlans" - so not all VLANs? Seems a similar issue to mine...

Best regards,

#4
Re:Inter Vlan /Routing
2020-01-08 19:25:05 - last edited 2020-01-08 19:25:40

I read your config; I miss all the VLAN port settings for the sockets:

Mine reads: # interface gigabitEthernet 1/0/15 switchport general allowed vlan 70 untagged switchport pvid 70

Yours reads: # interface gigabitEthernet 1/0/15 voice vlan lldp med-status auto-voip 2

It appears you have no PVID set, which means the VLAN separation is not active, I think? Or am I wrong?

#5
Re:Inter Vlan /Routing
2020-01-08 20:03:23
The PVID is by default set to 1 and this is what I'm using on all access ports (and to this VLAN belongs all untagged traffic). VLAN 2 is tagged for VoIP on access ports.
#6
Re:Inter Vlan /Routing
2020-01-08 20:21:03 - last edited 2020-01-08 20:21:22

I'm no expert, but I think that means all clients send all packets to all ports, and they are only separated because they have a different IP scope.

 

That way all the traffic just runs beside each other, as if it was an unmanaged switch. Surely there are some experts on this forum who can explain?

#7
Re:Inter Vlan /Routing
2020-01-08 20:38:37 - last edited 2020-01-08 21:44:42

 

AshleyNL wrote

 

IPv4 Routing Table

Protocol   Destination Network  Next Hop       Distance  Metric  Interface Name
Static     0.0.0.0/24           192.168.2.254  1         0       VLAN70
Connected  192.168.0.0/24       192.168.0.1    0         1       VLAN1
Connected  192.168.2.0/24       192.168.2.1    0         1       VLAN70
Connected  192.168.30.0/24      192.168.30.1   0         1       VLAN30
Connected  192.168.100.0/24     192.168.100.1  0         1       VLAN100

Total: 5

 

Your router is in broadcast domain 192.168.2.0/24 VLAN 70, your default route points to the router, but your network route points to 192.168.2.1, the switch's VIF. That's pretty weird. Either remove the 192.168.2.0 route (the default route already takes care of it) or – even better – use a different transit VLAN or a routed port to connect the remaining networks to the router. The VLAN 1 route routes traffic to the VIF, but I'm not sure what you want to achieve with this VLAN 1.

 

What you probably want, is something like this:

 

 

This topology uses a routed port for communication with the router (just to save a VLAN, but you could also use a VLAN if you want).

 

You have three subnets. The switch must have at least one VLAN interface (VIF) in each subnet to do routing. The gateway to VLAN 30 is VIF 192.168.30.1, that's an interface assigned to the VLAN (just imagine it's »the switch« in this network). The gateway to VLAN 70 is VIF 192.168.70.1 (imagine it's »another« switch in this network).

 

The gateway to every other destination (Internet) is the router with IP 172.16.0.1. To reach this third network, another VIF is needed (either a VLAN, say 172, or a routed port with an IP from the 172.16.0.0 network, imagine this as the »third« switch).

 

The default gateway of the switch therefore is the router with IP 172.16.0.1. Since the routed port (or VLAN) has a VIF, the switch knows how to reach the default gateway in network 172.16.0.0. For clients in VLANs 30 and 70 their default gateway is the VIF of the switch inside their network, that's 192.168.30.1 resp. 192.168.70.1.

 

Now, how can the router reach clients in VLAN 30 and 70? It needs to send traffic back to the switch. Thus, the router needs two network routes pointing to the gateway for the VLANs inside the router's network, that's the switch's VIF 172.16.0.254.

 

Do you see the problem of your original setup? You had a router inside an already switch-routed network.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#8
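The forward and return paths described in this post can be checked with a longest-prefix-match lookup over both routing tables. The Python below is an added example, not part of the original post; the /24 mask on the 172.16.0.0 transit network and the `isp-uplink` label are assumptions, while the other addresses are the ones named in the post.

```python
import ipaddress

# Addresses are the ones named in the post. Assumptions: the transit network is
# a /24, and "isp-uplink" is a placeholder for the router's own default route.
SWITCH_ROUTES = [
    ("192.168.30.0/24", "connected"),   # VIF 192.168.30.1, gateway for VLAN 30
    ("192.168.70.0/24", "connected"),   # VIF 192.168.70.1, gateway for VLAN 70
    ("172.16.0.0/24", "connected"),     # routed port or transit VLAN, 172.16.0.254
    ("0.0.0.0/0", "172.16.0.1"),        # switch default gateway: the router
]
ROUTER_WITHOUT_RETURN = [
    ("172.16.0.0/24", "connected"),
    ("0.0.0.0/0", "isp-uplink"),
]
ROUTER_WITH_RETURN = ROUTER_WITHOUT_RETURN + [
    ("192.168.30.0/24", "172.16.0.254"),  # back to the switch's VIF
    ("192.168.70.0/24", "172.16.0.254"),
]


def next_hop(table, destination):
    """Longest-prefix match; returns the next hop, or None when no route matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def round_trip(router_table, client, remote):
    """Trace client -> remote through the switch and the reply through the router."""
    outbound = next_hop(SWITCH_ROUTES, remote)   # where the switch sends the request
    inbound = next_hop(router_table, client)     # where the router sends the reply
    ok = outbound == "172.16.0.1" and inbound == "172.16.0.254"
    return outbound, inbound, ok


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    print(round_trip(ROUTER_WITHOUT_RETURN, "192.168.30.50", "203.0.113.10"))
    print(round_trip(ROUTER_WITH_RETURN, "192.168.30.50", "203.0.113.10"))
```

Without the two network routes on the router, the reply to a VLAN 30 client follows the router's default route instead of going back to the switch.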
Re:Inter Vlan /Routing
2020-01-08 20:52:04 - last edited 2020-01-08 21:03:48

 

Burczymucha wrote

The PVID is by default set to 1 and this is what I'm using on all access ports (and to this VLAN belongs all untagged traffic). VLAN 2 is tagged for VoIP on access ports.

 

That's a wrong setup if all your PVIDs are 1.

 

Access ports need to be a member of only one VLAN (say, 2) and their PVID needs to be 2 in this case. Any port which is a member of more than one VLAN becomes a trunk port and in most cases trunk ports handle tagged traffic destined to other VLAN-aware devices (except if you use tricky setups such as asymmetric VLANs).

 

Inside a managed switch there exists no »untagged traffic«. The switch always assigns a VLAN ID. Of course, on egress any traffic in every VLAN can be untagged too, that's needed to connect VLAN-unaware devices to a VLAN-aware switch. So it's not correct to say »VLAN 1 belongs to all untagged traffic«.

 

VLAN 1 is often the Default (also called Native or System) VLAN and it exists solely to have a VLAN for untagged traffic arriving on your switch over a trunk port. It has been introduced once to handle traffic from VLAN-aware servers which use protocols causing untagged traffic over a trunk port (among tagged traffic) such as protocols which exist in legacy servers from HP. A default VLAN also helps when migrating from a non VLAN-aware network to a VLAN-aware network. Thus, it is correct to say »inside VLAN networks there is no untagged traffic at all«.

 

The default VLAN is also used to assign so-far unconfigured ports to an initial VLAN, but it's just a normal VLAN as any other you define.

 

I suggest removing access ports from the default VLAN if you assign them membership in any other VLAN, unless you use very special setups.

 

Always set the Port VLAN ID (PVID) to the VLAN to which untagged traffic should be directed.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#9
Re:Inter Vlan /Routing
2020-01-08 21:34:22 - last edited 2020-01-08 21:52:21

@R1D2 That setup is indeed what I was looking for. I did not remove the ports from VLAN 1, could that be part of the problem?

Also, I'm kinda migrating from the 192.168.2.xxx subnet, so I wanted to test the VLAN system before I move all the clients.

The route for 192.168.2.0 is automatically added by the router as soon as I create an interface for VLAN 70.

Thanks for the explanation, I'll try to separate the router first.

Just a thought: the router is in VLAN 70 right now, along with a bunch of clients.

Didn't I in fact create a 3rd VLAN which contains the router, like you said?

The switch is in that subnet with IP 192.168.2.1, so if I set the default gateway for the switch to 192.168.2.254 (router) it should work?

And the default routes in the other VLANs should be like this: 192.168.30.0 -> 192.168.30.1?

 

 

 

 

#10
Re:Inter Vlan /Routing
2020-01-08 22:02:29 - last edited 2020-01-08 22:21:52

 

AshleyNL wrote

I did not remove the ports from vlan 1, could that be part of the problem?

 

Unless you don't send traffic to VLAN 1 (by having an access port with PVID=1 or tagged traffic with VID=1 arriving over a trunk on the switch), it's no problem.

 

However, I don't use VLAN 1 at all except for unused ports and to drop untagged traffic arriving accidentally over a trunk on a switch, caused by a wrong setup on a more distant switch. In smart and easy switches I can »drop« untagged traffic only by forwarding it to this (otherwise unused) VLAN 1. Thus, on my switches the PVID of trunk ports is 1, too. In managed switches (T series) I can configure a trunk to drop any untagged traffic, so VLAN 1 is unused on those switches.

 

Of course, you could use VLAN 1 for things like the management of VLAN-aware devices (switches, routers, APs, servers etc.) which are able to send traffic tagged with VID=1 back to the switch. You would then connect a management laptop to an access port with PVID=1 (or connect your admin laptop with a VLAN-aware interface to a trunk, so you can change networks on-the-fly by selecting different network profiles on your laptop). But you could also use VLAN 100 or whatever for this mgmt task.

 

It is important to note: there are no such things as »access ports« or »trunk ports« in the standard. It's just conventional to have such terms. The rules are:

 

  • A port which is a member of only one VLAN is an access port. Its PVID equals the VLAN ID for this VLAN. Egress and ingress traffic of such ports is always untagged (outside the VLAN »domain«!).
  • A port which is a member of more than one VLAN is a trunk port. Its PVID defines to which VLAN untagged traffic (if any, but where from?!) is being forwarded. You can even drop untagged traffic arriving on a trunk. All devices (switches, routers, servers) connected to a trunk port need to be VLAN-aware. Traffic always is tagged (inside the whole VLAN »domain«).

 

My tip: for any VLAN design, draw a network topology with separate networks, separate switches, separate routers, separate servers, separate APs etc. much like you do for legacy (non-VLAN) networks. Then decide which switches, routers, servers, APs etc. are VLAN-aware and can handle all networks in only one device over only one cable (trunk). The outermost VLAN-aware devices on the edges of the VLAN-aware network start or terminate the VLAN »domain«. Thus, outside the VLAN »domain« there are no VLANs anymore, just networks handling always untagged traffic. Then create routes between those networks on their gateways just as you would do with non-VLAN networks.

 

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#11
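The port rules from this post and from the earlier reply about PVIDs, written out as a check on a port table. The Python below is an added example, not part of the thread; the port names and memberships are constructed from the setups the participants describe, and dropping frames tagged for a VLAN the port is not a member of assumes ingress filtering is enabled.

```python
# Constructed port table: name -> (VLAN memberships, PVID). Names are illustrative.
PORTS = {
    # member of VLAN 70 only, PVID 70 (like ports 1/0/13-24 in the first post)
    "access-70": ({70: "untagged"}, 70),
    # member of VLAN 70 only, but the PVID was left at its default of 1
    "pvid-left-at-1": ({70: "untagged"}, 1),
    # PVID 1 for untagged traffic plus tagged VoIP VLAN 2
    "desk-with-phone": ({1: "untagged", 2: "tagged"}, 1),
}


def classify(members):
    """One VLAN membership makes an access port; more than one makes a trunk."""
    return "access" if len(members) == 1 else "trunk"


def ingress_vlan(members, pvid, tag=None):
    """VLAN a received frame is assigned to, or None if the frame is dropped.

    Untagged frames get the PVID. Tagged frames keep their VID only when the
    port is a member of that VLAN (assumes ingress filtering is enabled).
    """
    if tag is None:
        return pvid
    return tag if tag in members else None


def audit(ports):
    """Return {port: (kind, VLAN for untagged ingress, [issues])}."""
    report = {}
    for name, (members, pvid) in ports.items():
        kind, issues = classify(members), []
        if pvid not in members:
            issues.append(f"PVID {pvid} is not a VLAN this port belongs to")
        if kind == "access" and "tagged" in members.values():
            issues.append("access port egresses its only VLAN tagged")
        report[name] = (kind, ingress_vlan(members, pvid), issues)
    return report


if __name__ == "__main__":
    for port, result in audit(PORTS).items():
        print(port, *result)
```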
