I'm playing around with splitting up my existing flat LAN into a couple of separate VLANs. I seem to have everything working and routing as I want, but I am having issues with internet connectivity. Quick rundown of the LAN:
1x PowerConnect 6248 (Layer 3)
4x 5448's (Layer 2)
Existing LAN (now vLAN99) 192.168.0.x/24
SnapGear SG580 Firewall is the Main Gateway on this vLAN 192.168.0.251
New vLANs:
10.0.10.x/24 - gateway 10.0.10.254 - virtual interface set on 6248
10.0.11.x/24 - gateway 10.0.11.254 - virtual interface set on 6248
10.0.12.x/24 - gateway 10.0.12.254 - virtual interface set on 6248
I have four-port trunks (LAG + LACP) from each 5448 to the 6248. Each 'trunk' is tagged on each VLAN I need to route down through, and all the ports in each LAG are set to 'Trunk' mode. All existing servers and workstations were set to vLAN99 and it all worked perfectly, no matter which switch you are plugged into. Great start. I set up IP-Helper on the 6248 and pointed it at our DC. I also set up 3 new DHCP scopes to match the new subnets. I can set ports on any switch to be vLAN10, vLAN11 or vLAN12 and they get the correct IP assigned to them. I can see the new leases. The PCs hit the servers fine, mapped drives, print etc. - awesome.
But they don't get the internet!
They can resolve IPs fine. I can drop to a cmd prompt, ping any web address and it's resolving the IP it needs to go to - no responses though. They can ping their respective gateway (the virtual interface on the 6248), and they can ping the SnapGear firewall at 192.168.0.251. I can get onto the SnapGear and ping back to the subnet's gateway fine. Something just isn't quite right and it's driving me nuts!
Also, just to clarify it in my mind. TAGGED and UNTAGGED ports. From all my reading you TAG ports you want multiple vLANs to access.
So my Trunks (LAGs) are TAGGED in each vLAN I need to access those trunks.
The servers need their ports set to 'general' and TAGGED for each vLAN you want to access those ports, and UNTAGGED for its native vLAN? i.e. my DC is in vLAN99, so in that vLAN it's UNTAGGED but in vLAN12 it's TAGGED so that PCs in vLAN12 can access it? This is how it is currently set and my laptop in vLAN12 can hit the server and access DHCP, shares etc. fine - just no net access.
I have my Firewall in vLAN99 and UNTAGGED on that vLAN but TAGGED in vLAN10, vLAN11 and vLAN12.
All my PCs are set to 'Access' regardless of which vLAN they are in, and whatever vLAN they are in they are set to 'UNTAGGED', i.e. all PCs in vLAN12 are set to UNTAGGED.
Any help or ideas are greatly appreciated ;)
When I do a tracert from any PC on the affected vLANs I get 'Destination host unreachable from 10.0.x.254', which is the virtual interface on the 6248 for that subnet. Yet I can access the rest of the internal network fine and ping the SG580 firewall. On the SG580 I have routes defined to get back to the 6248, and the SG580 can ping the correct interface on the 6248.
I just get a suspicious feeling its got something to do with the way I've TAGGED and UNTAGGED the ports....
If all the pings work within the network, it is likely that you have configured the tagging correctly.
A couple of questions for clarification:
How do you expect devices on the new VLANs to connect to the internet?
1) First hop 6248, then on through the SnapGear firewall
2) First hop SnapGear firewall
If 1), then is there a default route pointing at the SnapGear in the 6248? If 2), then the PCs' default gateway needs to be the IP on the SnapGear (same VLAN).
You say that "They can resolve IPs fine". How is the nameserver configured on the PCs on the new VLAN? Is this an internet IP address or a local IP address?
If internet (via the SnapGear), then I suggest that you need to look at your firewall rules. If local, then I guess you need to look at the routing on the 6248.
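As an added example (not part of the original thread, and not vendor code), the following Python script models the forwarding decision that question 1) above turns on: a longest-prefix-match route lookup on the 6248 and on the SG580, using the subnets and the firewall address from the post, walking a packet from a VLAN 12 client to an internet host and then the reply back. The 6248's own address on VLAN 99 is not stated in the thread, so 192.168.0.254 is an assumption; 203.0.113.0/24 (TEST-NET-3) is a constructed stand-in for the ISP and the internet. NAT and the SG580's filtering rules are not modelled.

```python
"""Hop-by-hop route lookup for the 6248 / SG580 layout described in the thread.

Addresses: the VLAN 10/11/12 SVIs 10.0.1x.254 and the SG580 at 192.168.0.251
come from the post. The 6248's VLAN 99 address is NOT given there, so
192.168.0.254 is an ASSUMPTION; 203.0.113.0/24 (TEST-NET-3) is a constructed
upstream network standing in for the ISP and the internet.
"""
import ipaddress

SG580_LAN = "192.168.0.251"
SWITCH_VLAN99 = "192.168.0.254"   # assumed address of the 6248 on VLAN 99
ISP_GATEWAY = "203.0.113.1"       # constructed: the SG580's upstream next hop
INTERNET_HOST = "203.0.113.10"    # constructed: some host on the internet
VLAN_SUBNETS = ("10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24")


class Router:
    """Minimal longest-prefix-match forwarder.

    routes: list of (prefix, next_hop); next_hop None = directly connected.
    addresses: the device's own interface IPs, used to find which device a
    next hop belongs to.
    """

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = set(addresses)
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Return the most specific (prefix, next_hop) covering dst, or None."""
        dst = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def forward(routers, entry, dst):
    """Walk a packet for dst starting at router `entry`.

    Returns (outcome, where, hops). outcome is 'delivered' (reached a connected
    prefix), 'upstream' (handed to a next hop no modelled device owns, i.e. the
    ISP), 'unreachable' (no route at all; a real router answers this with an
    ICMP destination unreachable from its own interface) or 'loop'.
    """
    by_addr = {a: r for r in routers for a in r.addresses}
    router, hops = entry, [entry.name]
    for _ in range(8):                       # guard against routing loops
        route = router.lookup(dst)
        if route is None:
            return "unreachable", router.name, hops
        _, next_hop = route
        if next_hop is None:
            return "delivered", router.name, hops
        if next_hop not in by_addr:
            return "upstream", next_hop, hops
        router = by_addr[next_hop]
        hops.append(router.name)
    return "loop", router.name, hops


def build_6248(default_route):
    """Connected routes for the four VLAN interfaces, plus an optional
    0.0.0.0/0 pointing at the SG580 (on the 6248 CLI this is roughly
    'ip route 0.0.0.0 0.0.0.0 192.168.0.251')."""
    routes = [(p, None) for p in VLAN_SUBNETS] + [("192.168.0.0/24", None)]
    if default_route:
        routes.append(("0.0.0.0/0", SG580_LAN))
    svis = {"10.0.10.254", "10.0.11.254", "10.0.12.254", SWITCH_VLAN99}
    return Router("6248", svis, routes)


def build_sg580(return_routes):
    """The firewall knows its own LAN and a default route upstream; the static
    routes for 10.0.1x.0/24 via the 6248 are the 'routes back' the post mentions."""
    routes = [("192.168.0.0/24", None), ("0.0.0.0/0", ISP_GATEWAY)]
    if return_routes:
        routes += [(p, SWITCH_VLAN99) for p in VLAN_SUBNETS]
    return Router("SG580", {SG580_LAN}, routes)


def round_trip(default_route, return_routes, client="10.0.12.20"):
    """Outcome of client -> internet (first hop: the client's SVI on the 6248)
    and of the reply internet -> client (enters at the SG580 from the ISP)."""
    switch, firewall = build_6248(default_route), build_sg580(return_routes)
    outbound = forward([switch, firewall], switch, INTERNET_HOST)
    inbound = forward([switch, firewall], firewall, client)
    return outbound[0], inbound[0]


if __name__ == "__main__":
    for cfg in ((False, True), (True, False), (True, True)):
        print("6248 default route=%s, SG580 return routes=%s -> out=%s, back=%s"
              % (cfg + round_trip(*cfg)))
```

Running it prints the three cases. With no default route on the 6248 the lookup for the internet host finds nothing and fails at the 10.0.x.254 SVI, which is the same hop the tracert output quoted in the question names; a default route on the 6248 but no return routes on the SG580 gets the packet out but sends the reply to the ISP instead of back to the 6248; only with both in place does the round trip complete. Even then the SG580 still has to NAT and permit traffic sourced from 10.0.1x.0/24, which this model does not cover and which is the "firewall rules" half of the answer above.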