VLAN Question

EmptySet
Member
Posts: 8
Joined: 30 Mar 2017 12:22

VLAN Question

Post by EmptySet » 07 Mar 2018 10:05

Hello,

I'm not well versed in AL OS... I'm trying to use a layer 2 VLAN in a 6850 but I must have missed something... I've created an interface on my firewall and assigned it to VLAN Tag 10, gave the interface address 172.16.10.254 on a /24 block. I went into the OS6850 and created VLAN 10, and then did vlan 10 802.1q 1/20 "TAG PORT 1/20 VLAN 10"

However, I am unable to ping 172.16.10.254 from the 6850. It simply times out. I have another VLAN on the same port which works without issue... VLAN 50 is created on my firewall with 192.168.50.254/24 and I can ping that from the 6850.

VLANs are tagged as follows:

vlan 10 802.1q 1/20 "TAG PORT 1/20 VLAN 10"
vlan 50 802.1q 1/20 "TAG PORT 1/20 VLAN 50"
vlan 10 802.1q 1/21 "TAG PORT 1/21 VLAN 10"
vlan 50 802.1q 1/21 "TAG PORT 1/21 VLAN 50"

Port 21 connects to a Cisco switch.

10 1/20 qtagged forwarding
10 1/21 qtagged forwarding
50 1/20 qtagged forwarding
50 1/21 qtagged forwarding


I'm sure I'm missing a step?

Thanks.

devnull
Alcatel Unleashed Certified Guru
Posts: 901
Joined: 07 Sep 2010 10:16
Location: Germany

Re: VLAN Question

Post by devnull » 08 Mar 2018 05:16

What IP does the 6850 have?
Where are you pinging from? A device in VLAN 10? The OS6850?
Does the switch have an IP in VLAN 10 or 50? What routes are known in the Firewall/switch?
What is the port config on the firewall? Both 10 and 50 tagged on 1/20 1/21? What is the native/untagged VLAN in the firewall?

If you (temporarily) create an IP in VLAN 10 on the switch... does it work?

EmptySet
Member
Posts: 8
Joined: 30 Mar 2017 12:22

Re: VLAN Question

Post by EmptySet » 08 Mar 2018 10:14

6850 has an IP of 172.16.1.250. I am pinging from the 6850.

The only routes in the 6850 are 0.0.0.0 to the firewall as the gateway 172.16.1.254. The switch does not have an IP in either VLAN 10 or 50, only in VLAN 1 (which is the default VLAN).

eth4 from firewall to port 20 on 6850 is tagged as VLAN 10 and VLAN 50. Port 21 on 6850 is connected to Cisco switch. Native VLAN is 1 on firewall. Routes in firewall include 192.168.50.0/24 --> ANY --> IP4 and 172.16.10.0/24 --> ANY --> IP4.

For some reason VLAN 50 gateway is reachable from 6850 but VLAN 10 gateway is not.

EmptySet
Member
Posts: 8
Joined: 30 Mar 2017 12:22

Re: VLAN Question

Post by EmptySet » 08 Mar 2018 11:10

So... the issue seems to be that I'm creating a VLAN using an IP range within our network range. So we use 172.16.1.0/20 for our network. If I change VLAN 10 to 192.168.10.0/24, I have no issues with the VLAN communicating but if I use 172.16.10.0/24 (which is obviously within 172.16.1.0/20), it doesn't work.

Does that make sense?

David_Klancar
Member
Posts: 12
Joined: 01 Dec 2017 04:56

Re: VLAN Question

Post by David_Klancar » 09 Mar 2018 08:07

Hi!
It totally makes sense. Is the network 172.16.1.0/20 hosted on the firewall, or is it available through routing? What firewall are you using?
You may have an anti-spoofing issue on the firewall, since the network 172.16.10.0/24 is inside 172.16.1.0/20 and is supposed to come from another interface than your interface in VLAN 10.
It is not a good idea to use the network /24 if you use a bigger /20 in the same network.

David
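
Added example (not part of any post in this thread): a Python sketch of the overlap and reverse-path checks discussed above, run against the addresses quoted in the thread. The interface names and the /20 mask on the firewall's VLAN 1 interface and on the switch are assumptions; the thread only says the site uses 172.16.1.0/20.

```python
import ipaddress

# Addresses quoted in the thread. Assumptions: the interface names, and that
# the firewall's VLAN 1 interface and the switch both use the /20 mask.
FIREWALL = {
    "vlan1": "172.16.1.254/20",
    "vlan10": "172.16.10.254/24",
    "vlan50": "192.168.50.254/24",
}
SWITCH_VLAN1 = "172.16.1.250/20"


def connected(interfaces):
    """Map interface name -> connected network (host bits masked off)."""
    return {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}


def find_overlaps(interfaces):
    """Return pairs of interfaces whose connected networks overlap."""
    nets = sorted(connected(interfaces).items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def best_interface(interfaces, addr):
    """Longest-prefix match of addr against the connected networks."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, n) for n, net in connected(interfaces).items() if ip in net]
    return max(hits)[1] if hits else None


def strict_rpf_accepts(interfaces, src, arrived_on):
    """Strict reverse-path (anti-spoofing) check: the route back to src
    must leave through the interface the packet arrived on."""
    return best_interface(interfaces, src) == arrived_on


def on_link(host_addr, dst):
    """True if a host with this address/mask ARPs for dst directly
    instead of sending it to its default gateway."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_addr).network


if __name__ == "__main__":
    print("overlaps:", find_overlaps(FIREWALL))
    print("172.16.1.0/20 is really", connected({"x": "172.16.1.0/20"})["x"])
    print("switch ARPs for 172.16.10.254 in VLAN 1:", on_link(SWITCH_VLAN1, "172.16.10.254"))
    print("src 172.16.10.20 on vlan1 accepted:", strict_rpf_accepts(FIREWALL, "172.16.10.20", "vlan1"))
```

Under those assumptions the /20 covers 172.16.0.0 to 172.16.15.255, so the switch treats 172.16.10.254 as directly connected in VLAN 1, while 192.168.10.254 is off-link and goes to the gateway.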

EmptySet
Member
Posts: 8
Joined: 30 Mar 2017 12:22

Re: VLAN Question

Post by EmptySet » 12 Mar 2018 09:01

It does make sense that the /24 inside of the /20 wouldn't work now... sadly I had to sit down and draw it out to have it make sense to me.

With that said, I'm temporarily keeping it on the 192.168.10.0/24 but I have another question... the only routing I have in place for that network is 192.168.10.0/24-->ANY-->IP4 but for some reason 192.168.10.0/24 can ping 172.16.1.0/20; that's not normal is it?
