No Internet Access over VLAN 1

ProUser

Technical User
Sep 13, 2011
60
GB
Hi,

This is my first post here so hope to find a solution from you guys..

I have a Netgear L3 Managed switch (GSM7324) and have configured 3 VLANs over it. But for some reason I am unable to access the internet through the VLANs. I am using a BT Business Router (BT2700HGV)

My config is as below:

VLAN 1 (Default) IP 169.254.100.100 Ports 12-24
VLAN 2 192.168.1.254 for connection to the Internet ADSL port 11
VLAN 3 192.168.2.1 port 1-5 and
VLAN 4 192.168.3.1 port 6-10

I have enabled default routing on the Switch to my ADSL Modem (192.168.1.1). I have also added two static routes on the ADSL (192.168.2.0 / 255.255.255.0 DG 192.168.1.254 and 192.168.3.0 / 255.255.255.0 DG 192.168.1.254)

I can ping the ADSL Modem, all the VLANs and the PCs on the VLANs but I don't have internet access with the PCs on the VLANs.

My ADSL is working fine when I connect it directly to a PC.

Anything to do with the ADSL Router / Modem? Someone told me that the modem should support VLAN routing, which seems doubtful as I have enabled routing on each VLAN and the L3 switch is supposed to be doing all the VLAN routing bit??

Any idea what can be wrong?

Cheers.
 
When I ping 4.2.2.2 or 8.8.8.8 no reply (Request time out), but I can ping my external IP (81.139.xx xx)

Show Running Config:

!Current Configuration:
!
!System Description "GSM7324 L3 Managed Gigabit Switch"
!System Description 6.3.3.6
!
set prompt "GSM7324"
vlan database
vlan 2
vlan name 2 2-auto
vlan 3
vlan name 3 3-auto
vlan 4
vlan name 4 4-auto
vlan routing 4
vlan routing 3
vlan routing 2
exit

configure
sntp client mode unicast
! sntp server status is active
sntp server time-d.netgear.com
logging buffered
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
lineconfig
exit

spanning-tree configuration name 00-18-4D-D9-74-A0
router ospf
router-id 192.168.1.254
exit

router rip
exit

interface 0/1
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/2
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/3
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/4
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/5
vlan pvid 3
vlan participation exclude 1
vlan participation include 3
exit

interface 0/6
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/7
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/8
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/9
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/10
vlan pvid 4
vlan participation exclude 1
vlan participation include 4
exit

interface 0/11
vlan pvid 2
vlan participation exclude 1
vlan participation include 2
exit

interface 0/12
vlan participation exclude 1
vlan participation include 2
exit
interface 0/13
exit

interface 0/14
exit

interface 0/15
exit

interface 0/16
exit

interface 0/17
exit

interface 0/18
exit

interface 0/19
exit

interface 0/20
exit

interface 0/21
exit

interface 0/22
exit

interface 0/23
exit

interface 0/24
exit

interface vlan 4
routing
ip address 192.168.3.1 255.255.255.0
ip ospf
ip rip
exit
interface vlan 3
routing
ip address 192.168.2.1 255.255.255.0
ip ospf
ip rip
exit

interface vlan 2
routing
ip address 192.168.1.254 255.255.255.0
ip ospf
ip rip
exit

exit
 
Not 100% sure, but I think your static route subnet should be 255.0.0.0 but if you can ping the external IP, starting to think the route might be fine. Easy thing to change to see tho. Do you not have an internal DNS server? Why not force one of the PCs on the VLAN to use it, say prolly 192.168.1.1 and try to ping other PCs by their canonical names and then IPs to make sure both DHCP and DNS are functioning.

"Silence is golden, duct tape is silver...
 
Cheers Pro,

There is no response to the dns request, so next step is to figure out if it reaches the adsl router. This is a bit more interesting. You will need to mirror port 11 to another port (port span in cisco speak) and then attach the pc you have installed wireshark on to that port. Once done, start the capture again and do a nslookup on another pc on vlan 3. This will show you the packets going to and from the router, so you should be able to tell if it's the switch blocking something or the modem is not replying.

Cheers,
Scott
 
Hi Scott,

How do I mirror the ports? Do I only need to have both ports in the same VLAN? Is that enough or do I need to do anything else as well?
 
Hi Pro,

I need to check the manual for the netgear to figure it out. I only know cisco from memory. Unfortunately having it on the same vlan is not enough as the switch will only deliver the traffic to the adsl router because it is unicast not broadcast.

Cheers,
Scott
 
Am trying to do the Port mirroring, just bear with me please..

One thing that I wanted to ask, is it possible that this is not working because my ADSL does not support VLAN Routing?? This is what I was told by Netgear after the agent told me he did a test with the same config but with a Netgear DG834Gv4 Modem Router. I checked off the net and there is nothing special about this modem, which is being given for free by Sky and other Internet Providers to their customers (and available on ebay for around £30).
 
Well, from the perspective of the modem, it should make no difference if you are on a vlan or not. If you had vlan tagging on the port for the adsl modem, you would have problems with a basic ping as the modem would not understand the packets arriving to it. The fact you can ping also suggests it has no problems with routing to other subnets. Unfortunately though, some modems have problems with nat/masquerading and subnets (there is a difference between a subnet and a vlan BTW, but that is another topic).

I realise this seems like a real ball ache - in my old job I was a professional troubleshooter, so I dislike guessing by swapping kit or changing configs without evidence, but I know I'm a bit weird too :)

Feel free to change the modem. You might also try and see if you can connect to a website with the IP address to see if it's just DNS causing a problem.

I'll dig for the netgear manual now and if you still want to go through the process I'll be able to offer help.

Cheers,
Scott
 
Right, I have read the netgear manual and the bits you are interested in can be found in chapter 17.

The manual is a little vague however on exactly how you turn the mirroring/monitoring on, and without an actual switch to work on I'm going to have to guess a bit.

First configure the monitor session as follows from the switch CLI:

monitor session 1 source interface 0/11
monitor session 1 destination interface 0/24

Check this looks ok with the following CLI command:

show port all

You are looking to see that port 11 is mirroring and port 24 is a probe. If it looks ok, then try and enable the session. This is the bit I am unsure of. I expect the command to be something like this:

monitor session 1 mode enable

but the manual seems to miss off the enable... you might need to play a bit with this, or even do it before setting the source/destination.

Anyway, if you do get it to accept it, then plug the PC you have wireshark on into port 24 to capture the traffic to/from the adsl router.

Good luck!
Scott
 
Well said, the manual is so badly explained that despite having one here I find it much easier to get the instructions off the internet than from it. I am going through the manual and will create the Mirror and get back to you in a bit...
 
After re-reading chapter 17 I think the command toggles the monitoring on/off. So I'd first check if the monitoring is enabled, if not try turning it on with the following CLI command:

monitor session 1 mode

Cheers,
Scott
 
Thanks for the instructions, I managed to do the Mirroring. Mirror: Port 0/11 and Probe: Port 0/22

Which record do I have to look for / filter exactly in the Wireshark?
 
Do I need to specify the DNS when I put the PC on static IP? Please confirm as well if DG should be 192.168.2.1 on the PCs (Wireshark and VLAN3)
 
DrBOB:

I tried specifying the DNS as well but no luck
 
Hi Pro,

Sorry - probably was not very clear. You will need to do the nslookup on another PC within vlan3, so this should still have an IP address and DNS configured via DHCP. The PC you have wireshark on will not have any access due to the nature of the monitor port, so don't worry about its network config. Just run wireshark as before and do the nslookup on another PC whilst it is capturing. After that do the filter on dns like before.

Cheers,
Scott
 
Hi Pro,

That trace does not look good. Would you be able to e-mail it to me unfiltered so I can examine it in more detail?

sdeaks at gmail.com

It might be that the port is not mirroring properly - the traffic looks like broadcast/multicast.

Cheers,
Scott
 
Hi Scott,

It's just about time for me to leave office now (It's Friday and am already 30 mins overtime, I don't believe it!). Do you mind if I send you it on Monday? Many thanks for all your help up to now..

Have a great weekend !
 
Hi Scott,

Hope you have a nice weekend.

So here we go. See below the link to the full Wireshark report.


Am about to save the config file and start a fresh config, so let's hope either of them works..

Cheers
 
Hi Pro,

Just took a quick look at the report and it's showing typical traffic for a normal switch port, not a probe port.

Do you have time to check that the mirroring is set up correctly and that the PC with wireshark is on the correct port? What I would do to begin with is start a constant ping from a PC in VLAN3 (ping -t 192.168.1.1), and then start the wireshark capture. If you can see the pings to the router, then you have it set up correctly and the trace you sent just missed the DNS queries. Otherwise it means there is something wrong with the mirroring.

Also, can you save the capture as a .pcap file and post that in future rather than a screen capture? It's much better for looking at the diagnostics.

Cheers,
Scott
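
The check Scott describes (a working probe port shows the pings between other hosts, while a normal switch port shows only broadcast/multicast plus the capture PC's own traffic) can be run over a saved .pcap. This is an added example, not part of the thread: the MAC addresses and frames are constructed, and treating a two-way conversation between other hosts as the sign of working mirroring is this example's assumption.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
# Constructed, locally administered MACs (assumptions, not taken from the thread)
PC, SWITCH, ROUTER = (bytes.fromhex("02000000000%d" % n) for n in (1, 2, 3))
MCAST = bytes.fromhex("01005e0000fb")

def build_pcap(frames):
    """Constructed test input: classic pcap, little-endian, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

def eth(dst, src, ethertype=0x0800):
    """Minimal Ethernet frame padded to 60 bytes; the payload does not matter here."""
    return (dst + src + struct.pack("!H", ethertype)).ljust(60, b"\x00")

def classify(pcap, own_mac):
    """Return (Counter of frame kinds, True if other hosts are seen talking both ways)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    if struct.unpack_from(order + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, pairs, pos = Counter(), set(), 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "I", pcap, pos + 8)[0]
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 14:          # too short to hold an Ethernet header
            counts["truncated"] += 1
            continue
        dst, src = frame[:6], frame[6:12]
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 1:             # group bit set: multicast
            counts["multicast"] += 1
        elif own_mac in (dst, src):  # the capture PC's own traffic
            counts["own_unicast"] += 1
        else:                        # unicast between two other hosts
            counts["foreign_unicast"] += 1
            pairs.add((src, dst))
    mirrored = any((d, s) in pairs for s, d in pairs)
    return counts, mirrored

NORMAL_PORT = build_pcap([eth(BROADCAST, SWITCH, 0x0806), eth(MCAST, ROUTER), eth(SWITCH, PC)])
PROBE_PORT = build_pcap([eth(BROADCAST, SWITCH, 0x0806), eth(ROUTER, SWITCH), eth(SWITCH, ROUTER)])
```

On a real capture, pass the capture PC's own MAC as `own_mac`; a single foreign unicast frame in one direction can be ordinary unknown-unicast flooding, which is why the check asks for both directions.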
 