VLAN not working with window clients

vchawla · 10-15-2007, 02:19 AM

I am using fedora7. My eth0 is connected to Internet and eth1 is connected to LAN. I have used following commands:
#vconfig add eth1.2
#vconfig add eth1.3
for adding vlan 2 and vlan 3.
Further for assigning IP addresses

#ifconfig eth1.2 192.168.2.1 netmask 255.255.255.0 up
#ifconfig eth1.3 192.168.3.1 netmask 255.255.255.0 up

#route add -net 192.168.2.0 netmask 255.255.255.0 up
#route add -net 192.168.3.0 netmask 255.255.255.0 up

After this I connected my Windows XP professional machine directly with Fedora7 server and assigned it an IP 192.168.2.55 with netmask 255.255.255.0 BUT it did not ping either way.

I even making changes to /etc/sysconfig/network-scripts/ifcfg-eth1.2
DEVICE=eth1.2
IPADDR==192.168.2.1
NETMASK=255.255.255.0
VLAN=yes
ONBOOT=yes
BOOTPROTO=none

followed by service network restart command.

But still fedora7 did not ping Windows XP machine and Windows XP did not ping Fedora Machine.

Any suggestions.

acid_kewpie · 10-15-2007, 04:21 AM

what do you mean "connected directly"? with a xover cable? if so then that's never going to work. your vlan's on the linux side require a trunked connection, IEEE802.1q, to handle multiple VLans on the switch side. what switch are you using?

i'd also suggest that you back up a long way, it's not that they don't work with "windows clients" that makes no sense. if these clients are connecting to a switch then they need a single untagged connectino and the switch needs to connect the untagged links to the tagged trunk for the server side. it's impossible for a client operating system to know anything about the existinance of vlands on a server side link. The fact that you've not even mentioned a switch at all leads me to think you're not clear on what vlans are for or how they work.

vchawla · 10-15-2007, 05:08 AM

Hi acid_kewpie,
I am using L3 3750 Switch which is further connected to 2950SX.
The configuration of 3750 is as under:
I am using port 10 as inlet to switch and port 12 as outlet to 2nd gigaport of 2950SX.

interface GigabitEthernet1/0/10
switchport access vlan 15
switchport mode access
!
interface GigabitEthernet1/0/11
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport mode trunk

Configuration of 2950SX is as under:
port 10 of 3750 is connected to 2nd gigabit port of 2950SX.

!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/6
switchport mode access
!
interface FastEthernet0/7
switchport mode access
!
interface FastEthernet0/8
switchport mode access
!
interface FastEthernet0/9
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/21
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/22
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/24
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
!

Regards

acid_kewpie · 10-15-2007, 05:21 AM

Lucky i know 3750 is a cisco catalyst ehh?

well Gi1/0/10 is clearly an access port, not a trunk port, so will never establish a functional connection with the 2950.

Assuming that it is vlan 2 you want access to, create a vlan 2 interface on the 3750, give it an ip and ping the server from there...

Code:

conf t
int vlan 2
  ip address 192.168.2.123 255.255.255.0
  no shut
^z
ping 192.168.2.1
sh arp

so try and ping it, if that fails, check for an arp entry at least.

divide and conquer... you're testing an awfully long chain in one single test...

vchawla · 10-19-2007, 03:53 AM

acid_kewpie,
Many thanks for your guidance.
VLAN's are working now on both layer 3 and layer 2 switches.
My next question is connecting these vlans with WAN.
eth0 is connected to Internet.
eth1.2,1.3,1.4,1.5 is connected to LAN.

So far I have tried this:
Configured my eth0 with the details provided by ISP. Internet
on the server is working fine.

iptables:
#iptables --flush
#iptables --delete nat --delete-chain
#iptables --tables nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth1 -j ACCEPT
#iptables --append FORWARD --in-interface eth1.2 -j ACCEPT
#iptables --append FORWARD --in-interface eth1.3 -j ACCEPT

#echo 1 > /proc/sys/net/ipv4/ip_forward

#route add -net 192.168.1.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth1
#route add -net 192.168.2.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth1.2
#route add -net 192.168.3.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth1.3

XXX.XXX.XXX.XXX is the gateway provide by the ISP and this is what I
have used.

Thanks

acid_kewpie · 10-19-2007, 04:52 AM

it looks as if your return packets are all going to be dropped. rules at that level are not stateful, so a packet is probably being allowed from the inside vlan's out to the WAN, but the return traffic is going to be dropped. i'd suggest not using specific forward entries yet, just hit the ip_forward file as is and you should be able to then route between the vlans. if you don't want to route between each internal network, then you can filter that at a later stage, but the next level is routing without security.

vchawla · 10-22-2007, 01:36 AM

Thanks Once again Acid Kewpie.
I will try your suggestion.
Just have a look at layer 3 details as under:
The IP address of interface VLAN 2 is 192.168.2.1
and the IP address of eth1.2 is 192.168.2.5
I used the gateway on windows client machines as 192.168.2.1
is this OK or I should use 192.168.2.5 which is the IP of eth1.2
Also, I will just use #echo 1 > /proc/sys/net/ipv4/ip_forward
and in line with your suggestion I will remove these commands:

#iptables --append FORWARD --in-interface eth1 -j ACCEPT
#iptables --append FORWARD --in-interface eth1.2 -j ACCEPT
#iptables --append FORWARD --in-interface eth1.3 -j ACCEPT

Layer 3 details.
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/11
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
!
interface Vlan7
ip address 192.168.7.1 255.255.255.0
!
interface Vlan15
ip address 192.168.15.2 255.255.255.0
!
ip default-gateway 192.168.15.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip http server