How to configure VLAN and IP interfaces properly for 802.1x
I want to configure our 6850 switches for 802.1x authentication with a radius server but am having problems with setting up the VLAN and IP interfaces properly.
Our setup
5x 6850, each connected over opto to an Alcatel core switch. Each 6850 has three VLANs configured (one for management of the switches and two for business needs). The IP interfaces for each "business VLAN" are only configured in the core switch, and both VLANs are spread across all 6850s and the core switch. The only configured IP interface in the 6850s is the management interface. Now I am adding a 6850 for testing with VLAN. Now to my question:
Since the "business VLANs" have no interfaces configured on the 6850s, how can radius packets be exchanged between the switch and the radius server? Should I configure an IP interface? How should the ports be configured? The 802.1x ports must be mobile.
Re: How to configure VLAN and IP interfaces properly for 802
Well, the solution was obvious, I created a new VLAN for the radius traffic and set an IP interface for the VLAN on each switch and enabled routing between the radius VLAN and the VLAN the radius server was on. I also set the switch to use the IP interface of the radius VLAN for radius traffic (aaa radius agent preferred [ip]).
Re: How to configure VLAN and IP interfaces properly for 802
If you have a management interface on the 6850 and this interface can reach the radius server, it should work as well.
No need to have a special VLAN; the switch will try to reach the radius server (if not a directly connected VLAN, then by the routing table).
Never did a special radius vlan in my installations.
Re: How to configure VLAN and IP interfaces properly for 802
That sounds reasonable, however we want to have our management VLAN as separated as possible, but I guess letting traffic out of the VLAN won't help anyone trying to get out.
Now I came across a different problem which I don't understand. The radius server can't reach the radius VLAN's IP interface on the 6850. The packet gets to the radius VLAN's IP interface of the core switch but not further (to the VLAN's IP interface on the 6850). It can reach a test client sitting on the radius VLAN on the 6850. I can ping the 6850's radius VLAN IP interface from the core switch itself.
My interpretation is that when the packet reaches the IP interface of the radius VLAN on the core switch, that IP interface doesn't appear to be aware of the radius IP interface on the 6850. What am I missing? I have forwarding enabled on all IP interfaces.
If I add an IP interface for the server VLAN on the 6850, everything works...
Re: How to configure VLAN and IP interfaces properly for 802
I guess it's time for a picture.
Use traceroute, show routing tables and so on.
Re: How to configure VLAN and IP interfaces properly for 802
core switch show VLAN
vlan admin oper 1x1 flat auth ip ipx tag name
-----+-------+------+------+------+------+----+-----+-----+-----------
1 off off on on off off NA off VLAN 1
20 on on on on off on NA off SL
30 on on on on off on NA off Visitor
99 on on on on off on NA off Radius
100 on on on on off on NA off Servers
999 on on on on off on NA off Management
core switch show IP interface
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Management 192.168.248.254 255.255.255.0 UP NO vlan 999
Radius 192.168.249.254 255.255.255.0 UP YES vlan 99
SL 10.10.20.254 255.255.255.0 UP YES vlan 20
Servers 10.0.0.254 255.255.255.0 UP YES vlan 100
Visitor 10.10.30.254 255.255.255.0 UP YES vlan 30
core switch show ip route
Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+-----------------+---------+---------
0.0.0.0 0.0.0.0 192.168.1.254 123d 1h NETMGMT
10.0.0.0 255.255.255.0 10.0.0.254 126d 0h LOCAL
10.10.20.0 255.255.255.0 10.10.20.254 126d 0h LOCAL
10.10.30.0 255.255.255.0 10.10.30.254 126d 0h LOCAL
127.0.0.1 255.255.255.255 127.0.0.1 126d 1h LOCAL
192.168.248.0 255.255.255.0 192.168.248.254 126d 0h LOCAL
192.168.249.0 255.255.255.0 192.168.249.254 126d 0h LOCAL
6850 show vlan
vlan admin oper 1x1 flat auth ip ipx tag name
-----+-------+------+------+------+------+----+-----+-----+-----------
1 off off on on off off NA off VLAN 1
20 on on on on off on NA off SL
30 on on on on off on NA off Visitor
99 on on on on off on NA off Radius
100 on on on on off on NA off Servers
999 on on on on off on NA off Management
6850 show IP interface
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Management 192.168.248.60 255.255.255.0 UP NO vlan 999
Radius 192.168.249.60 255.255.255.0 UP YES vlan 99
6850 show ip routes
Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+-----------------+---------+---------
0.0.0.0 0.0.0.0 192.168.1.254 123d 1h NETMGMT
192.168.248.0 255.255.255.0 192.168.248.60 126d 0h LOCAL
192.168.249.0 255.255.255.0 192.168.249.60 126d 0h LOCAL
the switches are connected to each other on two trunked ports:
core switch:show 802.1q 1/23
Acceptable Frame Type : Any Frame Type
Force Tag Internal : NA
Tagged VLANS Internal Description
-------------+------------------------------------------+
20 TEST TAG PORT 1/23 VLAN 20
99 TEST TAG PORT 1/23 VLAN 99
100 TEST TAG PORT 1/23 VLAN 100
6850 switch show 802.1q 1/48
Acceptable Frame Type : Any Frame Type
Force Tag Internal : NA
Tagged VLANS Internal Description
-------------+------------------------------------------+
20 TEST TAG PORT 1/23 VLAN 20
99 TEST TAG PORT 1/23 VLAN 99
100 TEST TAG PORT 1/23 VLAN 100
traceroute from core switch itself to 192.168.249.60
1 192.168.249.60 166 ms 2 ms 2 ms
traceroute from radius server on vlan 100 (10.0.0.150) to 192.168.249.60
1 1 ms 1 ms 1 ms 10.0.0.254
2 * * * Request timed out.
traceroute from 6850 switch itself to 10.0.0.150 (radiusserver)
1 * * *
Your help is very much appreciated.
Re: How to configure VLAN and IP interfaces properly for 802
So judging from your output:
Your radius server is 10.0.0.150
Your switch has 192.168.249.60
The core switch has IPs in the server network and the management/radius networks; it is the default router.
Your default gateway for the 6850 switch is 192.168.1.254 - this is no network the 6850 has an interface in, thus the default gateway is unreachable -> no routing. You need to change that to a reachable IP that does the routing, so take an IP of the core for that (in a VLAN that the switch has an IP in).
Could you try to change the default route to 192.168.248.254 or 192.168.249.254 (which should both be on the core switch)?
I think that it will work then. (Try pinging the default gateway from the switch.)
This works as both switches have an IP in 192.168.249.0
traceroute from core switch itself to 192.168.249.60
1 192.168.249.60 166 ms 2 ms 2 ms
Where did you do that? What is the default gateway of this client?
"i can ping a client on the radius vlan connected to the 6850 switch from the radius server."
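To make the "unreachable default gateway" diagnosis above concrete, here is an added worked example (not code from the thread or from Alcatel) that replays the 6850's routing lookup in Python: longest-prefix match first, then a check that the chosen next hop actually lies on one of the switch's own IP interface subnets. The interface and route entries are constructed from the 6850 output pasted earlier; the function names and the "status" strings are my own.

```python
import ipaddress

# Constructed from the 6850 "show ip interface" and "show ip route" output quoted above.
IFACES_6850 = {
    "Management": "192.168.248.60/24",
    "Radius": "192.168.249.60/24",
}
ROUTES_6850 = [
    ("0.0.0.0/0", "192.168.1.254"),          # default route as pasted (NETMGMT)
    ("192.168.248.0/24", "192.168.248.60"),  # LOCAL
    ("192.168.249.0/24", "192.168.249.60"),  # LOCAL
]
RADIUS_SERVER = "10.0.0.150"


def onlink_interface(ifaces, ip):
    """Name of the IP interface whose subnet contains ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in ifaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def lookup(ifaces, routes, dest):
    """Longest-prefix match, then check that the next hop is on a connected subnet.

    Returns (status, gateway, egress_interface) with status one of
    "no-route", "gateway-unreachable" or "ok".
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return ("no-route", None, None)
    gw = best[1]
    egress = onlink_interface(ifaces, gw)
    if egress is None:
        # A route exists, but the switch has no interface on the next hop's subnet,
        # so it can never resolve the gateway and the packet is dropped.
        return ("gateway-unreachable", gw, None)
    return ("ok", gw, egress)


def with_default_gateway(routes, gw):
    """Replace the 0.0.0.0/0 entry with one via gw (the change suggested above)."""
    return [("0.0.0.0/0", gw)] + [r for r in routes if r[0] != "0.0.0.0/0"]
```

With the pasted table, a packet to 10.0.0.150 matches only the default route and stops at an unresolvable 192.168.1.254; after repointing the default route at 192.168.249.254 the same lookup leaves via the Radius interface, which is exactly the traceroute symptom seen from the 6850.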
Re: How to configure VLAN and IP interfaces properly for 802
Oops, sorry, the entry you are referring to (0.0.0.0 0.0.0.0 192.168.1.254 123d 1h NETMGMT) was a cut and paste error; in the 6850 the first routing entry is the loopback IP route.
However, your suggested issue appears to be the correct solution! I added a default gateway in the 6850 pointing to 192.168.249.254. Now radius works great, thanks!
However, DHCP stopped working. I had it working when I did not have a default GW in the 6850 but did have an IP interface for the server VLAN. I have no helper address in the 6850, only in the core switch. The core has an IP helper for each VLAN pointing to the same DHCP server. It works fine for clients sitting on other (production) 6850s. I cannot see any DHCP traffic on the DHCP server originating from "my" 6850. What setting could affect the DHCP traffic? My first thought is that the DHCP discover packet does not reach the IP helper address in the core switch. Can that be the problem?
Regards,
Jonas
Re: How to configure VLAN and IP interfaces properly for 802
Actually, after doing some more testing: adding a DHCP client on a mobile port (default VLAN 20) will somehow break connectivity between server VLAN 100 and radius VLAN 99 (the client will not get a DHCP address). If I remove the client and wait approx. 5 minutes, the connectivity between VLAN 99 and 100 is back again. Any thoughts?
Thanks for all the help so far!
EDIT: The connectivity issues are maybe not related to the DHCP client; it seems that connectivity just fails more or less randomly a while after setting the IP route.