8600 VLan Configuration Question

Status
Not open for further replies.

SFSRJSTW

Technical User
Jan 2, 2004
82
US
We currently have a single VLan with all ports of our 8600 (Running V 3.3.0) included in it. We are running no routing protocols on our 8600. Our network is a full class B with routable addresses for everyone, we use no private IP's. I have a test environment and am working to configure multiple VLans because we hope to subnet our network sometime after Christmas. My test 8600 has a single 8691SF and a single 8624FX. I have given the management port an address of X.X.0.11/255.255.240.0. The default VLan is X.X.85.254/255.255.240.0. It is a port based VLan with only port 1/3 in it. I have created a second VLan with only port 1/2 in it. When I try to give that VLan an IP address of X.X.5.254/255.255.240.0, it gives me an error about a conflicting IP address. My test network is not using that address anywhere. I'm new to VLans and getting this deep into the 8600. I have read the Nortel document on configuring VLans and STG, but it didn't give me any ideas. Any help would be appreciated!
Thanks!
 
Only one IP address can be assigned to Passport in one VLAN.
You can use IP address in other IP network/subnetwork.
 
What do you mean that only one address can be assigned to the Passport in one VLan?

The 5.254 address isn't in the same subnet as the default VLan IP of 85.254. So shouldn't I be able to use that IP? I should be able to assign IP addresses to the VLAN's I create as long as the IP's are all on different subnets, right?

Thanks!
 
Yes you should be able to assign IPs to VLANs the way I think you're trying to do it. By my math the IP addresses you've got are valid, although I've traditionally avoided using the first and last subnet (x.x.0.0/20 and x.x.240.0/20 in this case.)

Sometimes these things can be hard to explain with sentences, can you cut-n-paste the actual command and errors along with the stg, vlan, and IP sections of the output of 'show config'? You'll want to X out anything private, but I'm thinking that once we see what your current config and the error look like we'll be able to offer more accurate advice.
 
I figured out what one of my problems was. I didn't realize that the Management IP couldn't be part of the same subnet as one of my VLAN's. I was trying to make VLAN2 be part of the same subnet as my management IP. Once I changed the management IP to be on a different subnet, I was able to create my VLAN's and give them their correct addresses and subnet masks.

Now I'm trying to figure out what I all have to set up in order to be able to get my traffic to go from one subnet to the other, say from a desktop in VLAN3 to get to a file share in VLAN2.

Any help you could offer would be much appreciated.

Here's the current setup from config.cfg (I removed sections that don't have anything in them to save on space):
# WED NOV 16 12:32:41 2005 UTC
# box type : Passport-8010
# software version : 3.3.0.0
# monitor version : 3.2.2.0/019
#
# Asic Info :
# SlotNum |Name |CardType |MdaType |Parts Description
#
# Slot 1 8624FX 0x20310118 0x00000000 IOM: PLRO=3 BFM: OP=2 TMUX=2 RARU=2 CPLD=4
# Slot 2 -- 0x00000001 0x00000000
# Slot 3 -- 0x00000001 0x00000000
# Slot 4 -- 0x00000001 0x00000000
# Slot 5 8691SF 0x200e0100 0x00000000 CPU: CPLD=19 SFM: OP=3 TMUX=2 SWIP=3 FAD=1 CF=16
# Slot 6 -- 0x00000001 0x00000000
# Slot 7 -- 0x00000001 0x00000000
# Slot 8 -- 0x00000001 0x00000000
# Slot 9 -- 0x00000001 0x00000000
# Slot 10 -- 0x00000001 0x00000000
#
#!flags m-mode false
#!flags enhanced-operational-mode false
#!record-reservation filter 4096
#!record-reservation ipmc 500
#!record-reservation local 2000
#!record-reservation mac 2000
#!record-reservation static-route 200
#!end
#
config

# SYSTEM CONFIGURATION
sys set mgmt-virtual-ip X.X.72.10/255.255.254.0

# ACCESS-POLICY CONFIGURATION
sys access-policy policy 1 service ssh enable

# SSH CONFIGURATION
sys set ssh enable true

# WEB CONFIGURATION
web-server enable

# RMON CONFIGURATION
rmon trap-option toAll

# PORT CONFIGURATION - PHASE I
ethernet 1/1 perform-tagging enable
ethernet 1/2 perform-tagging enable
ethernet 1/3 perform-tagging enable
ethernet 1/4 perform-tagging enable

# VLAN CONFIGURATION
vlan 1 ports remove 1/5-1/24 member portmember
vlan 1 ip create X.X.95.254/255.255.240.0 mac_offset 0
vlan 1 ip rip enable
vlan 2 create byport 1 name "Backbone" color 1
vlan 2 ports remove 1/5-1/24 member portmember
vlan 2 ports add 1/1-1/4 member portmember
vlan 2 ip create X.X.15.254/255.255.240.0 mac_offset 1
vlan 2 ip rip enable
vlan 3 create byport 1 name "Library" color 2
vlan 3 ports remove 1/5-1/24 member portmember
vlan 3 ports add 1/1-1/4 member portmember
vlan 3 ip create X.X.31.254/255.255.240.0 mac_offset 2
vlan 3 ip dhcp-relay enable
vlan 3 ip rip enable
vlan 4 create byport 1 name "Academic" color 3
vlan 4 ports remove 1/5-1/24 member portmember
vlan 4 ports add 1/1-1/4 member portmember
vlan 4 ip create X.X.127.254/255.255.240.0 mac_offset 3
vlan 4 ip dhcp-relay enable
vlan 4 ip rip enable

# PORT CONFIGURATION - PHASE II
ethernet 1/1 default-vlan-id 4
ethernet 1/1 ip dhcp-relay enable
ethernet 1/1 ip ospf metric 0
ethernet 1/2 default-vlan-id 2
ethernet 1/2 ip dhcp-relay enable
ethernet 1/2 ip ospf metric 0
ethernet 1/3 ip dhcp-relay enable
ethernet 1/3 ip ospf metric 0
ethernet 1/4 default-vlan-id 3
ethernet 1/4 ip dhcp-relay enable
ethernet 1/4 ip ospf metric 0

# IP ROUTE POLICY CONFIGURATION
ip rip enable
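
The subnet conflict described in the post above, reproduced as an added example that is not part of the original thread or any poster's own code: it reads `mgmt-virtual-ip` and `vlan N ip create` lines in the format shown in the posted config and reports any two interfaces whose subnets overlap. The `172.16` prefix standing in for the masked `X.X` octets is an assumption, and the `BEFORE` sample is constructed from the addresses given in the first post.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: line format from the posted config, addresses from the
# first post (management X.X.0.11/20, VLAN 2 attempted as X.X.5.254/20).
BEFORE = """\
sys set mgmt-virtual-ip X.X.0.11/255.255.240.0
vlan 1 ip create X.X.85.254/255.255.240.0 mac_offset 0
vlan 2 ip create X.X.5.254/255.255.240.0 mac_offset 1
"""
# Addresses as they appear in the config.cfg posted above.
AFTER = """\
sys set mgmt-virtual-ip X.X.72.10/255.255.254.0
vlan 1 ip create X.X.95.254/255.255.240.0 mac_offset 0
vlan 2 ip create X.X.15.254/255.255.240.0 mac_offset 1
vlan 3 ip create X.X.31.254/255.255.240.0 mac_offset 2
vlan 4 ip create X.X.127.254/255.255.240.0 mac_offset 3
"""

LINE = re.compile(
    r"^\s*(?:sys set (?P<mgmt>mgmt-virtual-ip)|vlan (?P<vlan>\d+) ip create)"
    r"\s+(?P<addr>\S+)/(?P<mask>\d+\.\d+\.\d+\.\d+)", re.M)

def interfaces(config, prefix="172.16"):
    """Return {name: IPv4Interface} for each addressed interface in the config.

    prefix replaces the masked 'X.X' octets (assumed value, not from the page).
    """
    found = {}
    for m in LINE.finditer(config):
        name = "mgmt" if m.group("mgmt") else f"vlan{m.group('vlan')}"
        addr = m.group("addr").replace("X.X", prefix, 1)
        found[name] = ipaddress.ip_interface(f"{addr}/{m.group('mask')}")
    return found

def conflicts(config):
    """Return sorted (name_a, name_b, net_a, net_b) for overlapping subnets."""
    ifs = interfaces(config)
    return sorted(
        (a, b, str(ifs[a].network), str(ifs[b].network))
        for a, b in combinations(sorted(ifs), 2)
        if ifs[a].network.overlaps(ifs[b].network))

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, conflicts(cfg) or "no overlapping subnets")
```
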

 
I don't see anything that is just plain wrong, perhaps it's confused about what it should be doing or its config doesn't match your environment. Does the output of these commands yield any clues?
show ip forwarding
show ip interface
show ip route info
show ip rip info

In your original comments you mentioned that the various VLANs only have one port in them, but in your config you're doing VLAN tagging and putting all of the ports in all of the VLANs - is that what you want to do? For example, if there are not going to be any devices in VLAN 3 connected through port 1 you don't need to have that port in that VLAN. And of course in any case the switches hooked to ports 1-4 need to be configured to use VLAN tagging for this configuration to be effective. I'm not sure this is the root cause of your trouble, but it may be unnecessary configuration that could confuse us.

Do you have any other routers to exchange routes with? I see you have RIP configured plus a few OSPF references.
 
> # software version : 3.3.0.0
> # monitor version : 3.2.2.0/019

As a side note, does your 8600 complain on bootup about the monitor and software versions being different? It's worth noting that there haven't been any fixes to the 3.3 code stream in a long time. It would be worth thinking about an upgrade to the 3.5 code stream since it's actively maintained.
 
IP Forwarding enabled

IP Interfaces shows me all my VLans with their correct IP's and subnet masks. There are no Brouter ports.

IP Route Info gives me each of my destination networks, its mask, and the next hop, type for all is Direct & Best:
x.x.0.0/255.255.240.0/x.x.15.254 (VLan2)
x.x.16.0/255.255.240.0/x.x.31.254 (VLan3)
x.x.80.0/255.255.240.0/x.x.95.254 (Vlan1)
x.x.112.0/255.255.240.0/x.x.127.254 (Vlan4)

IP Rip Info: Import Metric 8, Domain 0, HoldDown Time 120, Queries 0, Rip Enabled, Route Changes 0, Update Time 30

I have tagging enabled in case I ever need to create a VLan in one of the end closet switches...then it's already active system wide.

The reason the config file had all of the ports in all the VLans was it was just something I was trying. I have since returned it so that each VLan only has one port in it. The only exception is VLan2, which has the server that everyone needs to be able to get to. That port (1/2) is in all the VLans. Ultimately what I want is each of the subnets to exist, but there are company wide servers that exist on VLan2 that need to be accessed by everyone in all the VLans.

I have test machines hanging off each switch that are configured with appropriate IP Addresses and subnet masks. For their default Gateway they are using their respective VLans. The switches are BPS 2000 and BayStack 450's. The switches themselves are only 1 VLan and I changed the fiber port to be of type trunk. (I think this enables tagging on them?)

Our 8600 has never complained on boot that the monitor and software versions are different. We haven't upgraded our code because I only have 128MB in the test lab, and I've heard of some people having problems running 3.5 or higher on only 128.

I don't know if all this made this clearer as to what my problem might be or more complicated...

Thank you for your continued help and patience though...
 