No Internet Access over VLAN


(OP)
Hi,

This is my first post here so hope to find a solution from you guys..

I have a Netgear L3 Managed switch (GSM7324) and have configured 3 VLANs over it. But for some reason I am unable to access the internet through the VLANs. I am using a BT Business Router (BT2700HGV)

My config is as below:

VLAN 1 (Default) IP 169.254.100.100 Ports 12-24
VLAN 2 192.168.1.254 for connection to the Internet ADSL port 11
VLAN 3 192.168.2.1 port 1-5 and
VLAN 4 192.168.3.1 port 6-10

I have enabled default routing on the Switch to my ADSL Modem (192.168.1.1). I have also added two static routes on the ADSL (192.168.2.0 / 255.255.255.0 DG 192.168.1.254 and 192.168.3.0 / 255.255.255.0 DG 192.168.1.254)

I can ping the ADSL Modem, all the VLANs and the PCs on the VLANs but I don't have internet access with the PCs on the VLANs.

My ADSL is working fine when I connect it directly to a PC.

Anything to do with the ADSL Router / Modem? Someone told me that the modem should support VLAN routing, which seems doubtful as I have enabled routing on each VLAN and the L3 switch is supposed to be doing all the VLAN routing bit??

Any idea what can be wrong?

Cheers.  

RE: No Internet Access over VLAN

Hi ProUser,

It sounds like you have already done a few checks, but I'd also do the following:

1. extend VLAN2 to port 12 and see if a PC on VLAN2 can access the internet - if it works then it sounds like the routing on the ADSL modem needs to be looked at closer.  Although if you can ping from VLAN3/4 to the ADSL modem, then I cannot see this really being the problem, but it might be an issue with NATing not working quite right from subnets not directly connected.
2. can the PC's correctly resolve DNS names into IP addresses?  If they cannot, then you need to review the DHCP settings (assuming you are using a DHCP server).

Cheers,
Scott

RE: No Internet Access over VLAN

Your config looks OK.
 
Does the ADSL router have a default route set?
 
What is the default GW set on your PCs on each VLAN?
 
Just to clarify, can the PCs ping the ADSL router?
 
From a PC, use a command-line window to ping www.google.com. What happens?
 

RE: No Internet Access over VLAN

(OP)
Hi Geeky:

I previously did enable all ports  of my (Default) VLAN 1 but still no luck. I believe this is pretty much what you mean to test by extending the VLAN2 to port 12.
I tried to connect a PC to any of the remaining ports (12 - 24) and leave my PC IP on dynamic or even set it on a static address (192.168.1.10 255.255.255.0 192.168.1.254 - DNS 192.168.1.1), I still cannot connect to the internet.

I extended VLAN2 to port 11 and 12 and still cannot connect to the net being both on a dynamic or static IP.

Hi Vince:

As mentioned above, I have set a static route on my router to 2.0 and 3.0. I tried gateways as 192.168.1.1 and 192.168.1.254, none works. The PCs can ping ADSL (192.168.1.1). No reply when I ping www.google.com.

Confusing thing...!

We are swapping the ADSL router to test the connection in case it is something to do with the crap BT Router BT2700..

 

RE: No Internet Access over VLAN

Hi Pro,

Sorry - I actually meant you put port 12 on the same VLAN as the ADSL router.  Don't worry, I am more interested to know if the PCs correctly resolve names first.  When you ping www.google.com, does it correctly resolve the IP address?

Cheers,
Scott
 

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I put port 11 and 12 on VLAN2 still no luck.

When I ping www.google.com I get 'ping request could not find host www.google.com'

I have made changes according to the settings explained here: http://www.astaro.org/astaro-gateway-products/management-networking-logging-reporting/36088-unable-get-l3-router-access-internet.html#post184051 but no chance at all. We even changed the ADSL router just in case but still no internet.

RE: No Internet Access over VLAN

(OP)
Sorry, concerning the above, when I connect my ADSL to port 11 and a PC on port 12 the internet works (dynamic IP)

RE: No Internet Access over VLAN

Ok, sounds like dns is not working on the other vlans. Can you show us the output from the following commands on one of the PCs you cannot get Internet access:

nslookup www.google.com

ipconfig /all

RE: No Internet Access over VLAN

Jeez, my spelling is atrocious. In my defence I am on my iPhone, but even so....

RE: No Internet Access over VLAN

(OP)
nslookup www.google.com:

DNS request timeout
timeout was 2 seconds.
Server: Unknown
Address: 192.168.1.1

DNS request timeout
timeout was 2 seconds.

DNS request timeout
timeout was 2 seconds.

ipconfig/all:

IPv4: 192.168.2.22
subnet mask: 255.255.255.0
DG: 192.168.2.1
DNS: 192.168.1.1

 

RE: No Internet Access over VLAN

can the PCs ping the DNS server 192.168.1.1?

-------------------------------

If it doesn't leak oil it must be empty!!

RE: No Internet Access over VLAN

(OP)
192.168.1.1 is my router / ADSL modem IP, yes I can ping it..

RE: No Internet Access over VLAN

(OP)
I have DHCP enabled both on the ADSL Router and the L3 Switch

RE: No Internet Access over VLAN

Correct me if I'm wrong, it has been a while since I've played with Vlans but if your setup is as follows:

ISP - Modem/router - L3 switch - separate vlans

not

ISP - Modem/router - random PCs and L3 switch w/ separate vlans

Why do you have DHCP enabled on both the modem and switch?  Could you not just allow DHCP with the switch and point to the gateway as long as your setup is as my first example?

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

(OP)
' Does the ADSL router have a default route set? '

What does the default route need to be on the ADSL Router and where should I check that?

RE: No Internet Access over VLAN

Hi Pro,

Thanks for taking the time to provide the information. Whilst you may well have a number of problems affecting you, the one we can definitely say is that dns is not working within vlan3. Your settings look fine, so my next suggestion would be to determine why the dns request is failing. There are a number of approaches to this, but the one I would recommend is to get detailed diagnostics to narrow down the cause of the fault. To do this I would first install wireshark on a pc in vlan3 and repeat the nslookup. From this you can determine if the response is getting back to the pc or not. The next stage depends on the results, but you are looking to narrow down the cause, so if the response is not seen, then you need to determine if the request or response is getting blocked.  In this example I would mirror the adsl router port and get another wireshark trace to determine if the adsl router actually gets the request and/or sends a response.  Other scenarios will require alternative approaches. Do the initial capture first and let us know what you find.

Btw, you can just start swapping kit to determine the cause of the fault too, but the above approach will show you precisely where and how the problem is occurring, so you can be confident in the fix.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Bob,

The Modem is in use by other users as well (using WIFI for internet access), reason why it has DHCP enabled. Concerning the L3 switch, even if I disabled the DHCP it changed nothing, I mean it still did not give me access to internet. If you ask to disable it and check few other things I don't mind at all as long as it will get the VLANs access the net.

If I am rightly understanding your term, then my VLAN is ISP - Modem/router - L3 switch - separate vlans (My L3 router has a dedicated port 11 which is connected to the ADSL Modem, while Port 1-5 are for VLAN 3 and Port 6-10 are for VLAN 4).

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I should be thanking you for trying to help me out, thanks.

I have installed Wireshark. What information do you require from that? This is the first time that I am using Wireshark, so please bear with me..

Cheers

RE: No Internet Access over VLAN

You would still need the correct static route set up between the Vlans and the gateway.  If you don't have DHCP enabled on the switch, you can still set those static routes.  Make sure your routes and ports are enabled and not down.  Like I said previously, and anyone feel free to contradict with proof, it's been a while with Vlans but I had an issue similar and it was a route thing.

The DNS issue sounds plausible too.  Can you show the running config on the switch? And do you have the modem configured as well for this or is it just default set up?  Also, on some modems, you can differentiate between the Wifi DHCP and Lan allowing for Lan to be DHCP disabled allowing the switch to pick up the slack DHCP wise

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Hi Pro,

You need to get wireshark to capture the network traffic whilst you run nslookup. To do this, you first need to identify the interface to capture on.  The easiest way to do this is simply start a continuous ping to the adsl router as follows:

ping -t 192.168.1.1

Then start capturing on each interface and you will quickly see the icmp packets when you have the right one. Then without stopping the trace, execute the nslookup again and stop the capture once finished.

You will then need to see what happens to the dns request. You can just type 'dns' into the filter box near the top and it will only show dns packets. With this you should be able to quickly determine if there is a response from the adsl router. There are a couple of scenarios you are likely to hit:

1. You do not see any response. This means either the switch may be blocking the request/response, or the adsl modem is not sending a response. You will need to capture the traffic to and from the router via a mirror port to continue.
2. You see a dns response, but there is something wrong with it, such as the modem has not masqueraded the source ip address, so it does not come from 182.168.1.1
3. You see a correct dns response.

Anyway, have a go at the capture and see what you get. Wireshark is an amazing tool, you can inspect the packets in detail for protocols it recognises and it's one of my regular tools for diagnosing problems quickly and efficiently.


Cheers,
Scott
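
The three outcomes listed in the post above can be read straight off a capture by pairing each DNS query with its reply. The sketch below is an added example, not part of the original thread: it assumes raw IPv4 datagrams (Ethernet header already stripped), uses the thread's client and router addresses, and builds its own sample packets, including a constructed off-subnet source address 203.0.113.53.

```python
import socket
import struct

CLIENT = "192.168.2.22"   # VLAN 3 PC from the thread
RESOLVER = "192.168.1.1"  # ADSL router, the DNS server the PC is configured with


def build_dns_packet(src, dst, sport, dport, txid, response, qname="www.google.com"):
    """Build a minimal IPv4/UDP/DNS datagram (constructed sample data, checksums left 0)."""
    question = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)                # QTYPE=A, QCLASS=IN
    flags = 0x8180 if response else 0x0100              # QR bit is set on responses
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def parse_dns_packet(raw):
    """Return a dict for an IPv4/UDP packet to or from port 53, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                           # IPv4 header length in bytes
    if raw[9] != 17 or len(raw) < ihl + 8 + 12:         # not UDP, or too short for DNS
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    if 53 not in (sport, dport):
        return None
    txid, flags = struct.unpack("!HH", raw[ihl + 8:ihl + 12])
    return {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "sport": sport, "dport": dport,
            "txid": txid, "response": bool(flags & 0x8000)}


def classify_queries(packets, client=CLIENT):
    """Map each DNS query sent by `client` to one of the three outcomes."""
    parsed = [p for p in map(parse_dns_packet, packets) if p]
    results = []
    for q in parsed:
        if q["response"] or q["src"] != client or q["dport"] != 53:
            continue
        # A reply must come back to the same client port with the same transaction ID.
        replies = [r for r in parsed
                   if r["response"] and r["dst"] == client
                   and r["dport"] == q["sport"] and r["txid"] == q["txid"]]
        if not replies:
            verdict = "no response"
        elif any(r["src"] == q["dst"] for r in replies):
            verdict = "correct response"
        else:
            verdict = "response from unexpected source " + replies[0]["src"]
        results.append((q["txid"], q["dst"], verdict))
    return results


# Constructed capture: one query per scenario from the post.
SAMPLE_CAPTURE = [
    build_dns_packet(CLIENT, RESOLVER, 50001, 53, 0x1001, False),       # never answered
    build_dns_packet(CLIENT, RESOLVER, 50002, 53, 0x1002, False),
    build_dns_packet("203.0.113.53", CLIENT, 53, 50002, 0x1002, True),  # wrong source
    build_dns_packet(CLIENT, RESOLVER, 50003, 53, 0x1003, False),
    build_dns_packet(RESOLVER, CLIENT, 53, 50003, 0x1003, True),        # proper reply
]

if __name__ == "__main__":
    for txid, server, verdict in classify_queries(SAMPLE_CAPTURE):
        print(f"query 0x{txid:04x} to {server}: {verdict}")
```
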

RE: No Internet Access over VLAN

(OP)
When I ping 4.2.2.2 or 8.8.8.8 no reply (Request time out), but i can ping my external IP (81.139.xx xx)

Show Running Config:

!Current Configuration:
!
!System Description "GSM7324 L3 Managed Gigabit Switch"
!System Description 6.3.3.6
!
set prompt "GSM7324"
vlan database
vlan 2
vlan name 2 2-auto
vlan 3
vlan name 3 3-auto
vlan 4
vlan name 4 4-auto
vlan routing 4
vlan routing 3
vlan routing 2
exit

configure
sntp client mode unicast
! sntp server status is active
sntp server time-d.netgear.com
logging buffered
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
lineconfig
exit

spanning-tree configuration name 00-18-4D-D9-74-A0
router ospf
router-id 192.168.1.254
exit

router rip
exit

interface 0/1
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/2
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/3
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/4
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/5
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/6
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/7
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/8
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/9
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/10
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/11
vlan pvid 2
vlan participation exclude 1
vlan participation include 2
exit

interface 0/12
vlan participation exclude 1
vlan participation include 2
exit
interface 0/13
exit

interface 0/14
exit

interface 0/15
exit

interface 0/16
exit

interface 0/17
exit

interface 0/18
exit

interface 0/19
exit

interface 0/20
exit

interface 0/21
exit

interface 0/22
exit

interface 0/23
exit

interface 0/24
exit

interface vlan 4
routing
ip address 192.168.3.1 255.255.255.0
ip ospf
ip rip
exit
interface vlan 3
routing
ip address 192.168.2.1 255.255.255.0
ip ospf
ip rip
exit

interface vlan 2
routing
ip address 192.168.1.254 255.255.255.0
ip ospf
ip rip
exit

exit  

RE: No Internet Access over VLAN

Not 100% sure, but I think your static route subnet should be 255.0.0.0 but if you can ping the external IP, starting to think the route might be fine.  Easy thing to change to see tho.  Do you not have an internal DNS server?  Why not force one of the PCs on the VLAN to use it, say prolly 192.168.1.1 and try to ping other PCs by their canonical names and then IPs to make sure both DHCP and DNS are functioning.

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Cheers Pro,

There is no response to the dns request, so next step is to figure out if it reaches the adsl router. This is a bit more interesting. You will need to mirror port 11 to another port (port span in cisco speak) and then attach the pc you have installed wireshark on to that port. Once done, start the capture again and do a nslookup on another pc on vlan 3. This will show you the packets going to and from the router, so you should be able to tell if it's the switch blocking something or the modem is not replying.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

How do I mirror the ports? Do I only need to have both ports in the same VLAN? Is that enough or do I need to do anything else as well?

RE: No Internet Access over VLAN

Hi Pro,

I need to check the manual for the netgear to figure it out. I only know cisco from memory. Unfortunately having it on the same vlan is not enough as the switch will only deliver the traffic to the adsl router because it is unicast not broadcast.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Am trying to do the Port mirroring, just bear with me please..

One thing that I wanted to ask, is it possible that this is not working because my ADSL does not support VLAN Routing?? This is what i was told by Netgear after the agent told me he did a test with the same config but with a Netgear DG834Gv4 Modem Router. I checked off the net and there is nothing special about this modem, which is being given for free by Sky and other Internet Providers to their customers (and available on ebay for around £30).

RE: No Internet Access over VLAN

Well, from the perspective of the modem, it should make no difference if you are on a vlan or not.  If you had vlan tagging on the port for the adsl modem, you would have problems with a basic ping as the modem would not understand the packets arriving to it.  The fact you can ping also suggests it has no problems with routing to other subnets.  Unfortunately though, some modems have problems with nat/masquerading and subnets (there is a difference between a subnet and a vlan BTW, but that is another topic).

I realise this seems like a real ball ache - in my old job I was a professional troubleshooter, so I dislike guessing by swapping kit or changing configs without evidence, but I know I'm a bit weird too :)

Feel free to change the modem.  You might also try and see if you can connect to a website with the IP address to see if it's just DNS causing a problem.

I'll dig for the netgear manual now and if you still want to go through the process I'll be able to offer help.

Cheers,
Scott

RE: No Internet Access over VLAN

Right, I have read the netgear manual and the bits you are interested in can be found in chapter 17.

The manual is a little vague however on exactly how you turn the mirroring/monitoring on, and without an actual switch to work on I'm going to have to guess a bit.

First configure the monitor session as follows from the switch CLI:

monitor session 1 source interface 0/11
monitor session 1 destination interface 0/24

Check this looks ok with the following CLI command:

show port all

You are looking to see that port 11 is mirroring and port 24 is a probe.  If it looks ok, then try and enable the session.  This is the bit I am unsure of.  I expect the command to be something like this:

monitor session 1 mode enable

but the manual seems to miss off the enable... you might need to play a bit with this, or even do it before setting the source/destination.

anyway, if you do get it to accept it, then plug the PC you have wireshark on into port 24 to capture the traffic to/from the adsl router.

Good luck!
Scott  

RE: No Internet Access over VLAN

(OP)
Well said, the manual is so badly explained that despite having one here I find it much easier to get the instructions off the internet than from it. I am going through the manual and will create the Mirror and get back to you in a bit...

RE: No Internet Access over VLAN

after re-reading chapter 17 I think the command toggles the monitoring on/off.  So I'd first check if the monitoring is enabled, if not try turning it on with the following CLI command:

monitor session 1 mode

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Thanks for the instructions, I managed to do the Mirroring. Mirror: Port 0/11 and Probe: Port 0/22

Which record do I have to look for / filter exactly in the Wireshark?

RE: No Internet Access over VLAN

(OP)
Do i need to specify the DNS when i put the PC on static IP? Please confirm as well if DG should be 192.168.2.1 on the PCs (Wireshark and VLAN3)

RE: No Internet Access over VLAN

(OP)
DrBOB:

I tried specifying the DNS as well but no luck

RE: No Internet Access over VLAN

Hi Pro,

Sorry - probably was not very clear.  You will need to do the nslookup on another PC within vlan3, so this should still have an IP address and DNS configured via DHCP.  The PC you have wireshark on will not have any access due to the nature of the monitor port, so don't worry about its network config.  Just run wireshark as before and do the nslookup on another PC whilst it is capturing.  After that do the filter on dns like before.

Cheers,
Scott

RE: No Internet Access over VLAN

Hi Pro,

That trace does not look good.  Would you be able to e-mail it to me unfiltered so I can examine it in more detail?

sdeaks at gmail.com

It might be that the port is not mirroring properly - the traffic looks like broadcast/multicast.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

It's just about time for me to leave office now (It's Friday and am already 30 mins overtime, I don't believe it!). Do you mind if I send you it on Monday? Many thanks for all your help up to now..

Have a great weekend !

RE: No Internet Access over VLAN

(OP)
Hi Scott,

Hope you have a nice weekend.

So here we go. See below the link to the full Wireshark report.

http://www.mediafire.com/?h7563bkm7m880z2

Am about to save the config file and start a fresh config, so let's hope either of them works..

Cheers

RE: No Internet Access over VLAN

Hi Pro,

Just took a quick look at the report and it's showing typical traffic for a normal switch port, not a probe port.

Do you have time to check that the mirroring is set up correctly and that the PC with wireshark is on the correct port?  What I would do to begin with is start a constant ping from a PC in VLAN3 (ping -t 192.168.1.1), and then start the wireshark capture.  If you can see the pings to the router, then you have it set up correctly and the trace you sent just missed the DNS queries.  Otherwise it means there is something wrong with the mirroring.

Also, can you save the capture as a .pcap file and post that in future rather than a screen capture?  It's much better for looking at the diagnostics.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

Am about to do it, but tell me, would you like the Wireshark Report to be from the config that i sent you, or can i send you a report based on the config found as per here. http://forum1.netgear.com/showthread.php?t=69844 . This is another thread that I am having concerning this issue.

Cheers

RE: No Internet Access over VLAN

Hi Pro,

I don't mind, either will be fine.  I cannot see anything wrong with your config on the netgear anyway and since you can route correctly across it I suspect it's the modem having a problem with NAT and indirect subnets.  Need the trace to confirm though.

BTW, I read the responses on the other forum.  Some of the comments are not very helpful.

Cheers,
Scott
 

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I mirrored the Port 11 to Port 22, which is showing as 0/11 Mirror and 0/22 Probe.

I have attached 3 files from the Wireshark report:
1 is based on a routing (on the router table) to 192.168.1.1
http://www.mediafire.com/?42t6h0o1s9m7y0x

1 is based on a routing (on the router table) to 192.168.1.254
http://www.mediafire.com/?196mu43bycv52wm

this is based on a routing (on the router table) to 192.168.1.254, but where i have removed the static DNS on the PC (no dns specified)
http://www.mediafire.com/?196mu43bycv52wm

and the nslookup report to www.google.com
http://www.mediafire.com/?t6el2tooh2h83ia

Hope this helps finding the culprit...
 

RE: No Internet Access over VLAN

Hi Pro,

It still does not look like the mirroring is working properly. All the traces show traffic on an idle switch port.  Looking at the broadcast traffic it seems to be on 169.254.100/24.  Can you post the switch configuration again?  I want to check the mirror commands are still there and got saved correctly.

When you do re-start the capture, put 'icmp || udp.port == 53' in the filter on the wireshark PC and click 'apply', then do a 'ping -t 192.168.1.1' from a PC in VLAN3.  When you see the packets appearing on the wireshark PC, you know it's working.

FYI - the filter causes only ping (icmp) and DNS (udp port 53) packets to show.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

See the config below.

I ran the Wireshark again with the filters you mentioned. There is no data at all, which I believe would mean there is no packet transmission..

(GSM7324) #show running-config config

[ config ] File extension other than '.scr' is not allowed.
Please use file extension .scr.

(GSM7324) #show running-config
!Current Configuration:
!
!System Description "GSM7324 L3 Managed Gigabit Switch"
!System Description 6.3.3.6
!
set prompt "GSM7324"
vlan database
vlan  2
vlan name 2 2-auto
vlan  3
vlan name 3 3-auto
vlan  4
vlan name 4 4-auto
vlan routing 4
vlan routing 3
vlan routing 2

exit

configure
sntp client mode unicast
! sntp server status is active
sntp server time-d.netgear.com
logging buffered
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
monitor session 1 destination interface 0/22
monitor session 1 source interface 0/11
lineconfig
exit

spanning-tree configuration name 00-18-4D-D9-74-A0
router ospf
router-id 192.168.1.254
exit

router rip
exit

interface  0/1
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface  0/2
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface  0/3
vlan pvid 3

vlan participation exclude 1
vlan participation include 3
exit

interface  0/4
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface  0/5
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface  0/6
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface  0/7
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface  0/8
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface  0/9
vlan pvid 4

vlan participation exclude 1
vlan participation include 4
exit

interface  0/10
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface  0/11
vlan pvid 2
vlan participation exclude 1
vlan participation include 2
exit

interface  0/12
vlan participation exclude 1
vlan participation include 2
exit

interface  0/13
exit

interface  0/14
exit

interface  0/15
exit

interface  0/16
exit

interface  0/17
exit

interface  0/18
exit

interface  0/19

exit

interface  0/20
exit

interface  0/21
exit

interface  0/22
exit

interface  0/23
exit

interface  0/24
exit

interface vlan 4
routing
ip address  192.168.3.1  255.255.255.0
ip ospf
ip rip
exit

interface vlan 3
routing
ip address  192.168.2.1  255.255.255.0
ip ospf
ip rip
exit

interface vlan 2
routing
ip address  192.168.1.254  255.255.255.0
ip ospf
ip rip
exit

exit

RE: No Internet Access over VLAN

Hi Pro,

The config looks correct from what I know.  Can you send me the output of the following two commands?:

1. show monitor session 1
2. show port all

Unfortunately I don't have the same switch to try this out on myself.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)

Here we go..

(GSM7324) #show monitor session 1

Session ID   Admin Mode   Probe Port   Mirrored Port
----------   ----------   ----------   -------------
1            Disable      0/22         0/11


(GSM7324) #show port all

                 Admin   Physical    Physical    Link   Link    LACP
 Intf     Type    Mode    Mode        Status    Status  Trap    Mode
--------- ------ ------- ---------- ----------- ------ ------- -------
0/1               Enable  Auto                   Down   Enable  Enable
0/2               Enable  Auto                   Down   Enable  Enable
0/3               Enable  Auto                   Down   Enable  Enable
0/4               Enable  Auto       1000T Full  Up     Enable  Enable
0/5               Enable  Auto                   Down   Enable  Enable
0/6               Enable  Auto                   Down   Enable  Enable
0/7               Enable  Auto                   Down   Enable  Enable
0/8               Enable  Auto                   Down   Enable  Enable
0/9               Enable  Auto                   Down   Enable  Enable
0/10              Enable  Auto                   Down   Enable  Enable
0/11      Mirror Enable  Auto       1000T Full  Up     Enable  Enable
0/12              Enable  Auto                   Down   Enable  Enable
0/13              Enable  Auto                   Down   Enable  Enable
0/14              Enable  Auto                   Down   Enable  Enable
0/15              Enable  Auto                   Down   Enable  Enable
0/16              Enable  Auto                   Down   Enable  Enable
0/17              Enable  Auto                   Down   Enable  Enable
0/18              Enable  Auto                   Down   Enable  Enable
0/19              Enable  Auto       100T Full   Up     Enable  Enable
0/20              Enable  Auto                   Down   Enable  Enable
0/21              Enable  Auto                   Down   Enable  Enable
0/22      Probe Enable  Auto       100T Full   Up     Enable  Enable
0/23              Enable  Auto                   Down   Enable  Enable
0/24              Enable  Auto                   Down   Enable  Enable
vlan 4            Enable                         Down   Enable  Enable
vlan 3            Enable                         Up     Enable  Enable
vlan 2            Enable                         Up     Enable  Enable

RE: No Internet Access over VLAN

Ok - so the mirror is not active.

This is the poorly documented part of the manual.  Try the following command in config mode:

monitor session 1 mode

then check the 'show monitor session 1' output to see if it says enable.  If that fails, try something like:

monitor session 1 mode enable

and check 'show monitor session 1' again.

Good luck!
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I enabled it, thanks.

(GSM7324) #show monitor session 1

Session ID   Admin Mode   Probe Port   Mirrored Port
----------   ----------   ----------   -------------
1            Enable       0/22         0/11

I have captured a new session on the Wireshark, I believe this one makes more sense. I have uploaded it here.. (File name mirror enabled)

http://www.mediafire.com/?k20b9uj57xtj6mb

Give me the good news ... :)

Cheers,
 

RE: No Internet Access over VLAN

ok, that trace looks much better.

I can see the pings from 192.168.2.22 to 192.168.1.1, which is good.  

I cannot however see any DNS queries from 192.168.2.22, or from anybody for that matter.

Did you do an nslookup whilst the trace was running?  If so that would suggest the switch is blocking them.  If you did not do an nslookup, can you do the following on 192.168.2.22 whilst capturing:

ping -n 1 <external ip of adsl router>
nslookup www.google.com
ping -n 1 <external ip of adsl router>

This will nicely mark the trace.

Cheers,
Scott
 

RE: No Internet Access over VLAN

(OP)
Hi Scott,

you were right, I did not run the nslookup at the same time.

I have attached 2 files here, 'ping and nslookup together' http://www.mediafire.com/?j7ctlt837b0x0po is as you asked to do just above. The other file, 'full ping and nslookup together' http://www.mediafire.com/?7lail76pk9tpl19 is where i ran a full ping (ping 192.168.1.1 -t) and in another window i ran the nslookup.

http://www.mediafire.com/?j7ctlt837b0x0po
http://www.mediafire.com/?7lail76pk9tpl19

Lets hope you could find me the solution finally. Really appreciate your help.

Cheers

RE: No Internet Access over VLAN

ok - so definitely no DNS queries coming out of the switch.  I can clearly see the pings, so no IP routing problems.

Let's just do a quick sanity check and ensure the DNS settings on the PC are ok.  Can you post the output from 'ipconfig /all' on 192.168.2.22 please?  I know you summarised it before, but can you post the output verbatim this time?

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
I have uploaded the ipconfig/all in a text file. But I can't remember if I had specified the DNS when I last sent you the Wireshark configs. I have been playing with the DNS, IP, DG etc, that's the reason why.

I have thus uploaded 2 more Wireshark Configs, 1 with Static DNS and the other without specifying the DNS. Please find the files below

Ipconfig/all: http://www.mediafire.com/?i08idg5wrdcg7td
Static DNS: http://www.mediafire.com/?1srdv27p54b7vtz
No DNS Specified: http://www.mediafire.com/?ghy7fjgv9b0bkhd

If we find out it is a problem with the DNS, do you think you will be able to help me further till we have it working?

Cheers,

 

RE: No Internet Access over VLAN

Hi Pro,

The new traces show routing issues even with the pings.  Have you changed something on the ADSL router?  I can see the ping and dns packets going to the router (192.168.1.1), then after that I can see ARP requests from your *outside* IP address asking for 192.168.1.254.  This is completely wrong and I did not see this before.  Basically the router is trying to work out how to contact the gateway to 192.168.2.x, which is 192.168.1.254, but it's using its external address in the query.  This will never work, it needs to ask from its 192.168.1.1 address.  Just to confirm I saw correct routing before, so just want to make sure nothing has changed, as this might indicate a dodgy router.

I am about to take a plane to Madrid, so I might not be able to continue this until tomorrow.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
I think I added another Static routing yesterday, for test purposes, can't quite remember if it was yesterday or before though. It was 192.168.1.0 255.255.255.0 DG 192.168.1.254. Am sure it Could that be it

I deleted this routing already though, so I am sending you the new Wireshark report (link below) from a PC with IP: 192.168.2.22 255.255.255.0 DG.192.168.2.1 DNS.192.168.1.1

http://www.mediafire.com/?n6r9cqbhart6pxh

Bon voyage and Have a nice trip :)

RE: No Internet Access over VLAN

(OP)
Tell me one thing, I can see on the switch (router>configured routes) that the Metric value is 0. Should that not be at least 1 to be considered as a preferred routing?
 

RE: No Internet Access over VLAN

Maybe I'm not seeing it in your posted configs, but do you have the port configured for the physical connection between the modem/router and the L3 switch?  I know you have a static route set up for it but I can't find the physical port info.  Look here about midway through the page; granted this is Cisco but the general theories are similar.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

Did you ever verify that this switch worked with a basic default settings before Vlan'ing it up?

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

(OP)
Hi Doc,

(Feels like talking to my doctor, but in terms of connections rather than injections..)

Did you ever verify that this switch worked with a basic default settings before Vlan'ing it up? - At some point yes I could access the internet if I had 2 PCs with similar IP range.

I configured VLAN1 port 11 (192.168.1.254) which is connected with the Modem / Router. This is also mirrored with port 22, and I got port 12 which is on the same vlan as port 11 (if this is what you mean)

Can I change the Metric from 0 to 1 on the switch's default routing?


 

RE: No Internet Access over VLAN

Since Deaks is outa town, I'll throw my thoughts in until he can return and most likely help you before I will. You'll have to forgive me as I'm not versed in the Netgear switches:

http://support.netgear.com/ci/fattach/get/96/1268666783/redirect/1/session/L2F2LzEvdGltZS8xMzE2Nzk1MDg5L3NpZC80d2hSUFBFaw==/filename/Layer%203%20switches%20-%20Routing%20VLANs%20with%20Shared%20Internet%20Access%20v2.pdf

Look at the very first pic and the configs below.  Looking at your config, I don't think I see what I'm told in the PDF but please prove me wrong.

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Hi Pro,

Don't worry about the metric.  It's just a value assigned to show the priority of the route against other routes to the same destination.  Since you only have one default route, then the priority is ignored.  At any rate, a lower number is better, so 0 is the highest priority you can have.  The value can be derived from different characteristics of the network, such as number of hops to the gateway.

I took a look at the latest traces.  I can clearly see the DNS requests getting sent to the router, but no reply.  This means there is an issue with the router.  I'll need to dig up the manual for the model you have.  Are you still using the BT2700HGV?  The reason I ask is because the MAC address of the router in the latest trace is a D-Link one.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Doc,

I based myself on that same PDF to do my config. As far as I can see it, I configured it pretty much as described in that doc, with the only exception being 2 ports on my vlan2 instead of 8 there, and me having a Mirrored port. I don't think this makes a big difference, does it? Anything else that I missed in the config?

RE: No Internet Access over VLAN

Hi Pro,

I cannot see anything wrong with the netgear config and the diags you have provided show it not to be at fault.  I think we need to concentrate on the router now.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Note that I have changed my DNS from automatic to the following:

Preferred DNS: 208.67.222.222
Alternate DNS: 208.67.220.220

I changed this because previously when I was going under Maintenance > Diagnostics (on the ADSL Modem), the Ping Preferred DNS server: was failing (Under Internet Connectivity check)

RE: No Internet Access over VLAN

Hi Pro,

Ok - let's take one step back now.   Can you ping either of the DNS servers from a PC in VLAN3?

If you cannot do that, then there is a basic routing/nat issue we need to deal with first.

This scenario differs from the previous in one subtle way.  In the first you were asking the router to do the DNS lookup, which can have problems with the DNS service on the router itself.  In the new scenario, you are just nat'ing the DNS UDP packets to the DNS servers. i.e. you are not using a DNS service on the router.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I hope the changes did not really spoil the situation more..

I did the ping to both DNS but getting Time Out..

RE: No Internet Access over VLAN

(OP)
Do you think using a Netgear Router will give us less hassle and start working instantly? Just guessing since the Netgear service agent said he did the test on a Netgear ADSL Router and it worked (Though I don't really believe him)

RE: No Internet Access over VLAN

Hi Pro,

Don't worry too much.  Changing stuff does mean you have to back track a little, but it would be pretty mean of me to ask you not to change anything :)

Ok, so I can ping both those servers.  This means they are not ignoring the ICMP requests and you are likely to still have a routing/nat issue on the router itself.

Let me take a look at the manual this afternoon and I'll get back to you.  But in the meantime, is it possible to get a config dump from it?  I don't know if it has a command line or summary config page...

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I can't seem to see any way to get the config dump from the Router. Any other way we can do that?

RE: No Internet Access over VLAN

(OP)
Hi Doc,

Could you tell what is different from my config and the one explained in the document? Just in case it's a slight thing that we can't seem to be noticing and is creating all the fuss.

Cheers,

RE: No Internet Access over VLAN

Hi Pro,

Ok - have not had much time to review the manual.  It looks pretty basic.  I think we need to check a few things first once again.


1. plug a PC into port 12 again (vlan2) and make sure it can ping 209.85.227.147 (www.google.com)
2. start wireshark to monitor the router port
3. From the PC on vlan2, execute 'ping -l 100 86.2.106.208' (one of my external IP addresses)
4. From the PC on vlan3, execute 'ping -l 200 86.2.106.208'

I have network monitoring setup to look for ICMP packets, so we can check they are leaving and arriving here ok first.

Cheers,
Scott

RE: No Internet Access over VLAN

Maybe I'm missing something, but I don't see the static routes for VLAN 3 or 4 in your config.  You have 1 static route for the 1.x VLAN to see the router but you don't have a static route set up in your VLAN 3 or 4 to point them to VLAN 2 so they know how to get out.

I think there should be two more static routes set up in the VLAN interfaces.

 

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Hi Doc,

You need the route on the devices within VLAN3 and VLAN4.  The Netgear itself already has interfaces on VLAN3 and VLAN4, consequently it will have routes to the following networks within its tables:

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

From the traces Pro has provided, the routing is fine.  I can see packets traversing the switch without any issues (well, there is a strange thing with the MAC addresses not being 100% correct, but I think that is just a mirroring artefact).

Cheers,
Scott

RE: No Internet Access over VLAN

I would say you are prolly right,

Just curious tho, if you hook a PC to VLAN 1 can you get out to the internet?

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Vlan 2 sorry

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I can't seem to be able to ping it. Hooked a PC to VLAN2, configured static IP with DG 192.168.1.1 but am not even able to ping anything, neither 192.168.1.254 nor 1.1, so obviously not going to get 209.xx.xx .

It used to work previously but I can't see why it's not working now.. I will have a check at it again tomorrow as am off home now..

RE: No Internet Access over VLAN


How are your IP addresses NATd on the ADSL router?

RE: No Internet Access over VLAN

(OP)
Hi Vince,

I have no idea to be honest. If you can explain to me how to check that, I can do it.

RE: No Internet Access over VLAN

(OP)
I can't get to the internet through VLAN2.. PC connected to Port 12 and ADSL cable to Port 11. Can't ping the router as well nor Port 12 (192.168.1.254)... I just uploaded a config that was working before.. weird!

RE: No Internet Access over VLAN

(OP)
I can run a ping from the Switch to any IP. Tried with 192.168.1.1, 8.8.8.8, 209.85.227.147 and I get a reply for them all...

RE: No Internet Access over VLAN

:) - You are not having much luck Pro.

Ok - you need to go back a step again.  Check that the configuration for port 12 is actually on VLAN2.  Then check that the PC is getting an IP address on 192.168.1.0/24

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

The config looks fine on port 12. I just checked, port 11 and 12 are for VLAN2.

When I have the PC on VLAN2 (Port 12) with no static IP, it does not give me an IP in the range of 192.168.1.xx. Instead am getting 169.254.245.234. What is that supposed to mean??

Do you think adding 8.8.8.8 or 208.67.222.222 / 208.67.220.220 in the DNS part of the L3 switch would help?

RE: No Internet Access over VLAN

Hi Pro,

The 169.x.x.x address is assigned when no DHCP server responds (or something like that).  Is DHCP active on the ADSL modem?

Cheers,
Scott

RE: No Internet Access over VLAN

If you set up your vlan structure off of the model in the PDF, and you have your static routes set, and the IP's correspond to the correct ports, you should be able to connect via VLAN 2 at least.

According to your very first post, VLAN 2 is 1 port while 3 and 4 are the ports before and the default VLAN 1 the ones after.  Port 12 falls into vlan 1, so as Deaks said, you need to make sure 12 is in 2.

If you went off the PDF, VLAN 2 consists of the physical connection to the Router, whereas your VLAN 2 is only the physical connection to the Router with no additional ports.

If I was in your shoes, I would start fresh and copy exactly what is shown because this should be a fairly trivial procedure.  If you do it that way, only setup VLAN 2 as shown and get it to work before moving on and possibly complicating it more.

I would go with what Deaks is saying first but eventually I would just start over.

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Doc is quite right.

All this playing around makes it easy to make mistakes, as I know too well first hand...

Cheers,
Scott

RE: No Internet Access over VLAN

You definitely need to check the Router for two things,

1) is the physically connected port to the switch actually assigned 192.168.1.254?
2) is DHCP enabled as Deaks asked

If those are set correctly then, as I stated above

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

(OP)
I configured it 3 times to be honest, but as you said earlier it does not look to be with the Switch but more with the router. So I am just guessing if I do it again, will it really help finding the routing problem on the D-Link?

RE: No Internet Access over VLAN

Have you been inside the config for the router yet?  If so I missed it but this is a large thread :)

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Hi Pro,

Is port 12 definitely on VLAN2?  The last config post you did shows something slightly different between 11 and 12:

CODE

interface  0/11
vlan pvid 2
vlan participation exclude 1
vlan participation include 2
exit

interface  0/12
vlan participation exclude 1
vlan participation include 2
exit

0/12 is missing the vlan pvid 2

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

You can see in the link I mentioned above (and below here as well) that ports 11 and 12 are on VLAN2

http://www.mediafire.com/?ln9zogprwvj1q3h   

RE: No Internet Access over VLAN

(OP)
Ok you are right, 0/12 is missing the vlan pvid 2. Thanks for reminding. I just added it.

Now the new config is

interface  0/11
vlan pvid 2
vlan participation exclude 1
vlan participation include 2


interface  0/12
vlan pvid 2
vlan participation exclude 1
vlan participation include 2

RE: No Internet Access over VLAN

Sorry Pro.

I had seen the image, I should have been clearer in my question.  I think the 'vlan pvid 2' is an important parameter and wanted to know if it is still missing in the current config.  Usually this indicates which is the native VLAN the port belongs to.  It might be confusing the switch to have it missing.  I am just guessing though...

Cheers,
Scott
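
A check for the gap spotted above (a port included in VLAN 2 but left without `vlan pvid 2`), as an added example that is not from the thread or from Netgear. It assumes ports default to PVID 1 and VLAN 1 membership and that the config uses only the three line forms quoted in the posts; the function names are illustrative.

```python
import re

DEFAULT_VLAN = 1  # assumption: ports start as members of VLAN 1 with PVID 1

# Port blocks copied from the thread: before and after the fix to 0/12.
BEFORE = """\
interface  0/11
vlan pvid 2
vlan participation exclude 1
vlan participation include 2
exit

interface  0/12
vlan participation exclude 1
vlan participation include 2
exit
"""

AFTER = """\
interface  0/11
vlan pvid 2
vlan participation exclude 1
vlan participation include 2


interface  0/12
vlan pvid 2
vlan participation exclude 1
vlan participation include 2
"""


def parse_interfaces(config_text):
    """Return {port: {"pvid": int or None, "include": set, "exclude": set}}."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface\s+(\S+)", line):
            # A new interface line also closes a block that has no 'exit'.
            current = ports.setdefault(
                m.group(1), {"pvid": None, "include": set(), "exclude": set()})
        elif line == "exit":
            current = None
        elif current is None:
            continue
        elif m := re.fullmatch(r"vlan pvid (\d+)", line):
            current["pvid"] = int(m.group(1))
        elif m := re.fullmatch(r"vlan participation (include|exclude) (\d+)", line):
            current[m.group(1)].add(int(m.group(2)))
    return ports


def audit_pvid(config_text):
    """List ports whose effective PVID is a VLAN the port is not a member of."""
    findings = []
    for port, cfg in parse_interfaces(config_text).items():
        explicit = cfg["pvid"] is not None
        pvid = cfg["pvid"] if explicit else DEFAULT_VLAN
        members = (cfg["include"] | {DEFAULT_VLAN}) - cfg["exclude"]
        if pvid not in members:
            findings.append((port, pvid, explicit, sorted(members)))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for port, pvid, explicit, members in audit_pvid(text):
            origin = "explicit" if explicit else "default, no 'vlan pvid' line"
            print(f"{label}: {port} PVID {pvid} ({origin}) not in member VLANs {members}")
        if not audit_pvid(text):
            print(f"{label}: every port's PVID matches its VLAN membership")
```
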

RE: No Internet Access over VLAN

(OP)
Hi Scott,

Going back to this now:

1. plug a PC into port 12 again (vlan2) and make sure it can ping 209.85.227.147 (www.google.com)
2. start wireshark to monitor the router port
3. From the PC on vlan2, execute 'ping -l 100 86.2.106.208' (one of my external IP addresses)
4. From the PC on vlan3, execute 'ping -l 200 86.2.106.208'

I have network monitoring setup to look for ICMP packets, so we can check they are leaving and arriving here ok first.

I just did the ping, you might have it in your ICMP monitoring.

I have also attached the Wireshark report for this process.

http://www.mediafire.com/?6l4nurdvljf1d6f
 

RE: No Internet Access over VLAN

(OP)
Update:

I have added 192.168.1.1 in the DNS Server on the Switch and I can now ping www.google.com, yahoo.com etc.

Note that in the previous wireshark capture 192.168.1.1 was not in the DNS list

RE: No Internet Access over VLAN

Hi Pro,

Did you ping the address from a PC on vlan3? (i.e. step 4)  I cannot see anything in mirror trace, but there is something in my traces.

All the source addresses are ok - so the NAT'ing seems to be working if that is the case.

Cheers,
Scott

RE: No Internet Access over VLAN

Look at page 9 of the PDF, this is what Deaks is talking about, is it set to the correct PVID for VLAN 2 here?

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

Could you do a "show ip route" and "show vlan" commands on the switch?

"Silence is golden, duct tape is silver..."

RE: No Internet Access over VLAN

(OP)
Hi Doc,

The PVID thing is sorted now. It was not there on VLAN2 for port 12 but I added it and it is there now (see above)
 

RE: No Internet Access over VLAN

(OP)
CENTURY!! We did a 100 reply ! (but without finding the solution.. :( )

Scott, I indeed did a ping from a PC on VLAN 3 -l 200 and another ping from a PC on VLAN 2 -l 100

RE: No Internet Access over VLAN

Previous failure was my mistake - I left ICMP blocking on my firewall....sorry!

Ok - this is good.  I can see that the NAT'ing and routing are working fine from both vlans now.

Next, make sure DNS is working fine.  Try the following from the command prompt on both a PC on VLAN2 and VLAN3

CODE

nslookup www.google.com 192.168.1.1
nslookup www.google.com 208.67.222.222

each one tries a DNS request against the server IP at the end.  This way you can check which ones work and which do not.

Cheers,
Scott  

RE: No Internet Access over VLAN

(OP)
Hi Scott,

I have attached the report on the link below

http://www.mediafire.com/?mybhacbh18rnypn

Sometimes little details make a big difference, so I think it's worth mentioning that the PC on vlan 3 has a static DNS configured 192.168.1.1 while the PC on vlan 2 is on dynamic IP.

Cheers,

RE: No Internet Access over VLAN

Hi Pro,

Was that trace from running the PC on VLAN2 only?  I can only see DNS requests from 192.168.1.7.  Both nslookups seem to work fine though.

Just so you are aware, the nslookup command overrides the DNS settings when you specify the server address at the end.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

Yes it was indeed running from the PC on VLAN 2 (connected on port 12). Both the trace and Wireshark are on the same PC.  

RE: No Internet Access over VLAN

(OP)
Hi Scott,

Am off for now, but plz do let me know what you think can be the prob. Got my CCNA class on Tue and Weds.

RE: No Internet Access over VLAN

Hi Pro,

Doh... I was vague again in my instructions.  The trace is fine from the PC on VLAN2. I assume you resolved the IP address for www.google.com each time?

You need to do the same with a PC on VLAN3...

Sorry,
Scott

RE: No Internet Access over VLAN

Hi Pro,

I can see the requests, but no response.  It looks like the router is not handling the DNS queries correctly when they are from a different subnet.

Can you just confirm one thing though?  When you pinged 86.2.106.208 from VLAN3, did it work?  You seem to mention that it did, but I just want to double check.

If you can ping, then we need to play with the setting on the router for DNS.

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Hi Scott,

Ok to answer your question, yes when I ping my external IP I do get a response.

I thought of dealing with this a different way.. Rather than curing the patient, I opted to kill him, so no more illness.. Well as mentioned earlier I bought another router, a Netgear DG834Gv4 / v5. And now, the bloody thing WORKS! Honestly I don't believe it! Is it that Netgear L3 Switches will work only on Netgear Routers??

One thing that I noticed when I configured the Netgear is that it was still not working. Could not even ping 192.168.1.1. I went to the router and checked my Static IPs, and there I noticed that despite the fact that I had the static routing, I have an option to enable it. Once I enabled it I could ping 192.168.1.1, could ping www.google.com and could instantly go to internet.

So anything you guys would like to conclude over this, apart from the fact that Netgear is being a bit of Microsoft type??

Are we going to get an award for this, for the much of replies we had in this ? :)

Thanks a lot Scott, u been a star. I highly appreciate your help in all this..

Cheers,

Arvin

 

RE: No Internet Access over VLAN

Nice one Arvin!  Just glad you got it fixed.

To be honest I don't think this is a Netgear issue.  I think the routers you previously had did not correctly handle the subnets after manipulating the DNS queries.

Hopefully you can now use your experience with wireshark and port mirroring to solve other issues in future...  They are very useful skills to have!

Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
The thing is that the D-Link was configured with all the basic settings, just like the previous BT Router. So I still can't seem to understand why it did not work.

Concerning Wireshark I still don't know much how to read the information from it, like the different commands. Do you have a quick way to learn it, or a manual somewhere?

RE: No Internet Access over VLAN

I have to confess I am a bona fide geek and have been dissecting protocols for over 25 years now, so never really had to look at any tutorials for Wireshark.

I took a quick look though and this one seems to be pretty good.  It initially shows how to capture a simple web transaction and the instructions are clear and concise, so I'd recommend starting here:

http://www.youtube.com/watch?v=NHLTa29iovU


Cheers,
Scott

RE: No Internet Access over VLAN

(OP)
Thanks Scott,

You're always there to give a helping hand.. I really appreciate it.

Cheers,
