Inter VLAN routing on Omniswitch 6400

[Support ACA]

I am new on this forum, but other posts have already been lots of help to me.

I have a problem with our network where data VLAN 1 cannot talk to voice VLAN 221. I thought the Omniswitch 6400 would automatically do (layer 3?) inter vlan routing. Some other threads seem to suggest this should work just fine out of the box. If I need to buy a layer 3 router, I will do so. If I can avoid it, this would make me extremely happy.

The network I have looks something like this:

https://docs.google.com/drawings/d/10ih ... t?hl=en_US

Omniswitch 6400 configuration

Code: Select all

! Stack Manager :
! Chassis :
system name 6400-XXXXXsk +XXXXXX"
system location "ICT lokaal Stad Peer"
system timezone CET
! Configuration:
! VLAN :
vlan 1 enable name "data"
vlan 221 enable name "voice"
vlan 221 mobile-tag enable
vlan 221 port default 1/19
vlan 221 port default 1/20
vlan 221 port default 1/21
vlan 221 port default 1/22
vlan 221 port default 1/23
vlan 221 port default 1/24
vlan port mobile 1/5
vlan port mobile 1/6
vlan port mobile 1/7
vlan port mobile 1/8
vlan port mobile 1/9
vlan port mobile 1/10
vlan port mobile 1/12
vlan port mobile 1/14
vlan port mobile 1/15
vlan port mobile 1/16
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan port mobile 1/22
vlan port mobile 1/23
vlan port mobile 1/24
vlan 1 ip 10.132.3.0 255.255.255.0
vlan 221 ip 10.221.17.0 255.255.255.0
vlan 221 mac 00:17:c5:16:9e:82
vlan 221 mac 00:18:27:00:de:cf
vlan 221 mac 00:18:27:00:e7:10
vlan 221 mac 00:e0:4b:32:9d:ab
vlan 221 mac 68:b5:99:cc:9b:7a
! VLAN SL:
! IP :
ip service all
ip interface "data" address 10.132.3.194 mask 255.255.255.0 vlan 1 ifindex 1
ip interface "voip" address 10.221.17.194 mask 255.255.255.0 vlan 221 ifindex 2
! IPX :
! IPMS :
! AAA :
aaa authentication console "local"
aaa authentication telnet "local"
aaa authentication ftp "local"
aaa authentication http "local"
! PARTM :
! AVLAN :
! 802.1x :
! QOS :
! Policy manager :
! Session manager :
session prompt default "XXXX-6400-SW@194: "
! SNMP :
! RIP :
! OSPF :
! BFD-STD :
! ISIS :
! IPv6 :
! IPSec :
! IP multicast :
ip static-route 10.132.3.0/24 gateway 10.132.3.253 metric 1
ip static-route 10.221.17.0/24 gateway 10.221.17.253 metric 1
! RIPng :
! OSPF3 :
! BGP :
! Health monitor :
! Interface :
interfaces 1/1 hybrid FORCED-FIBER
interfaces 1/2 hybrid FORCED-FIBER
interfaces 1/3 hybrid FORCED-FIBER
interfaces 1/4 hybrid FORCED-FIBER
! Udld :
! Link Aggregate :
! Port Mapping :
! VLAN AGG:
! 802.1Q :
vlan 221 802.1q 1/1 "TAG PORT 1/1 VLAN 221"
vlan 221 802.1q 1/2 "TAG PORT 1/2 VLAN 221"
vlan 221 802.1q 1/3 "TAG PORT 1/3 VLAN 221"
vlan 221 802.1q 1/4 "TAG PORT 1/4 VLAN 221"
vlan 221 802.1q 1/17 "TAG PORT 1/17 VLAN 221"
vlan 221 802.1q 1/18 "TAG PORT 1/18 VLAN 221"
! Spanning tree :
bridge mode 1x1 
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
! Server load balance :
! System service :
swlog console level info
debug fscollect enable
! SSH :
! Web :
! AMAP :
! LLDP :
lldp network-policy 1 application voice vlan 221 l2-priority 5 dscp 0
lldp chassis tlv med network-policy enable
lldp chassis med network-policy 1
! Lan  Power :
! NTP :
ntp server 10.132.3.3
ntp client enable
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
! EFM-OAM :
! ERP :
! SAA :
! DHCP Server :

Omnistack LS6224P configuration

(Currently there are two units in the stack, but there will be more in the near future)

Code: Select all

spanning-tree mode rstp
interface range ethernet 1/e(1-24),2/e(1-24),3/e(1-24),4/e(1-24)
spanning-tree portfast auto
exit
interface range ethernet 1/e(1,25-26),2/e(1,25-26),3/e(1,25-26),4/e(1,25-26)
switchport mode trunk
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-24)
switchport mode general
exit
vlan database
vlan 221
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-24)
switchport general allowed vlan add 221 untagged
exit
interface range ethernet 1/e(1,25-26),2/e(1,25-26),3/e(1,25-26),4/e(1,25-26)
switchport trunk allowed vlan add 221
exit
interface vlan 221
name Voice
exit
vlan database                               
map mac 00:1d:7e:29:e2:35 24 macs-group 221
map mac 00:60:b9:00:00:00 24 macs-group 221
exit
vlan database
map subnet 10.132.3.0 24 subnets-group 1
map subnet 10.221.17.0 24 subnets-group 221
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-24)
switchport general map macs-group 221 vlan 221
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-24)
switchport general map subnets-group 1 vlan 1
exit
interface vlan 1
ip address 10.132.3.193 255.255.255.0
exit
interface vlan 221
ip address 10.221.17.193 255.255.255.0
exit
ip default-gateway 10.132.3.253
qos advanced
wrr-queue cos-map 1 0                      
wrr-queue cos-map 1 3
wrr-queue cos-map 1 4
wrr-queue cos-map 1 5
wrr-queue cos-map 1 6
mac access-list "Voice Vlan ACL"
permit any any vlan 221
exit
mac access-list "Best Effort"
permit any any vlan 1
exit
class-map "Voice Class Map"
match access-group "Voice Vlan ACL"
exit
class-map "Best Effort Class Map"
match access-group "Best Effort"
exit
policy-map VoicePolicy
class "Voice Class Map"
set cos 7
police 3000 3000
exit
class "Best Effort Class Map"              
set cos 0
exit
exit
interface ethernet 1/e25
service-policy input VoicePolicy
exit
interface ethernet 1/e26
service-policy input VoicePolicy
exit
interface ethernet 2/e25
service-policy input VoicePolicy
exit
interface ethernet 2/e26
service-policy input VoicePolicy
exit
interface ethernet 3/e25
service-policy input VoicePolicy
exit
interface ethernet 3/e26                    
service-policy input VoicePolicy
exit
interface ethernet 4/e25
service-policy input VoicePolicy
exit
interface ethernet 4/e26                    
service-policy input VoicePolicy
exit
hostname XXXX_XXXX_6224P
username admin password XXXX level 15 encrypted
username manager password XXXX level 15 encrypted
snmp-server location "XXXX XXXX"
snmp-server contact "XXXX Helpdesk +XXXX"
stack display-order top 1 bottom 2
clock timezone +1
clock summer-time recurring eu zone utc
sntp client enable vlan 1
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp anycast client enable
sntp broadcast client enable
sntp server 10.132.3.3

Currently, the DATA network can talk fine to other members in the DATA network, and can talk to the internet through the Sonicwall NSA2400 firewall.
Currently, the VOICE network can talk fine to other members in the VOIP network, and can talk to the internet through the Sonicwall NSA2400 firewall.

Another strange thing is that I was able to talk from a PC in the data network to a server and a phone in the VOIP network and the other way around. To be sure, all configurations were written to starting configurations and Alcatel stack and switch was rebooted. Then it stopped working again. I document every change I make, so normally changes do not go lost.

After these issues I even added the latter config tot the 6400, to no avail

Code: Select all

policy network group vlan1 10.132.3.0 mask 255.255.255.0
policy network group vlan221 10.221.17.0 mask 255.255.255.0
policy condition c1 source network group vlan1 destination network group vlan221
policy action allow disposition accept
policy rule r1 condition c1 action allow precedence 10000 log
policy condition c2 source network group vlan221 destination network group vlan1
policy action allow disposition accept
policy rule r2 condition c2 action allow precedence 15000 log
qos apply

Thanks for your input.

[one6f]

Hi,
post show ip route from 6400.

[jeroenhartgers]

On the 6400:

Code: Select all

show ip route

 + = Equal cost multipath routes
 * = BFD Enabled static route 
 Total 3 routes

  Dest Address      Subnet Mask       Gateway Addr      Age       Protocol 
------------------+-----------------+-----------------+---------+-----------
  10.132.3.0        255.255.255.0       10.132.3.194        12d20h  LOCAL
  10.221.17.0       255.255.255.0       10.221.17.194       12d20h  LOCAL
  127.0.0.1         255.255.255.255     127.0.0.1           12d20h  LOCAL

[one6f]

Hi,
I understand you need to ping from data to voip and vice versa.
Normally your OS6400 routed traffic between both vlans based on

Code: Select all

ip static-route 10.132.3.0/24 gateway 10.132.3.253 metric 1
ip static-route 10.221.17.0/24 gateway 10.221.17.253 metric 1

Also you no needed the static-routes in your config and qos policies(traffic is already accepted).
Before reboot do "write memory flash-synchro" for config synchronization in stack.
I do not see default route to FW on 6400, hence another routing done on your Sonicwall?

[jeroenhartgers]

Thank you for all hints and tips. Especially the synchro, I did not know one has to do that.

GOAL

My goal is (still) that Desktop PC's in VLAN 1 (network 10.132.3.0/24) can "talk" to the VOIP phones in VLAN 221 (network 10.221.17.0/24).
I believe there to be a need to do that, for tasks such as: A person on a desktop PC wants to transfer a call from a VOIP phone to another persons VOIP phone.

WHAT I CHANGED

After installation of the "enhanced" firmware on the Sonicwall, I found that the Enhanced OS for Sonicwall CAN handle VLANs and trunking on one port. So, as can be seen in the picture (URL https://docs.google.com/drawings/d/1mu0 ... -4cLo/edit ), I now have a VLAN 221 sub-interface "X0:v221" on the VLAN 0 interface "X0" (VLAN 0 is supposedly more or less the same as VLAN 1).

Of course, my port 1/10 on the Omniswitch 6400 Core switch, is now trunked and goes to the Sonicwall X0. The other port OS6400 1/11 to Sonic X2 has been disconnected.

I also changed a little bit of the routing stuff on the 6400 and the LS6442P

THE GOOD (improvements since my previous post)

1. I can now ping from my desktop PC (10.132.3.32) to any device in VLAN 221, such as voip phone 10.221.17.50
2. I can now ssh and https from my desktop PC (10.132.3.32) to the Sonicwall management interface on VLAN 221 with IP 10.221.17.253
3. From within the sonicwall ssh, I can reach all devices in both networks.

THE BAD

1. I can reach the VOIP server 10.221.17.212 with TELNET when I am logged in to the cli in the 6400 and the cli in the 6224P, but I cannot reach it with telnet NOR ping from my desktop PC. The VOIP server does have two interfaces on a windows machine. The other interface of this Windows server is 10.132.3.212 with default router 10.132.3.253 (a Windows machine can only have one default router per machine).
2. From my Desktop PC 10.132.1.32, I can NOT telnet to 10.221.17.194 (Alcatel 6400 in VLAN 221) NOR the 10.221.17.193 (Alcatel 6224P in VLAN 221). ( I have put my PC in VLAN 221 with DHCP and then I could telnet to the Alcatels)

CONCLUSION

So, it seems now that I can PING everywhere from my Desktop PC, but I cannot TELNET to anything in VLAN 221. I have not found any firewall exceptions in the Sonicwall that would prevent TELNET traffic.

Does anyone know if I am missing something in my Alcatel configuration that would prevent such?
Are there still errors in my Alcatel routing statements?

CHANGED 6400

Code: Select all

! Stack Manager :
! Chassis :
system name 6400-XXXX-XXXX@194
system contact "XXXXX helpdesk XXXX"
system location "ICT XXXXX"
system timezone CET
! Configuration:
! VLAN :
vlan 1 enable name "data"
vlan 221 enable name "voice"
vlan 221 mobile-tag enable
vlan 221 port default 1/19
vlan 221 port default 1/20
vlan 221 port default 1/21
vlan 221 port default 1/22
vlan 221 port default 1/23
vlan 221 port default 1/24
vlan port mobile 1/5
vlan port mobile 1/6
vlan port mobile 1/7
vlan port mobile 1/19
vlan port mobile 1/20
vlan port mobile 1/21
vlan port mobile 1/22
vlan port mobile 1/23
vlan port mobile 1/24
vlan 1 ip 10.132.3.0 255.255.255.0
vlan 221 ip 10.221.17.0 255.255.255.0
vlan 221 mac 00:17:c5:16:9e:82
vlan 221 mac 00:18:27:00:de:cf
vlan 221 mac 00:18:27:00:e7:10
vlan 221 mac 00:e0:4b:32:9d:ab
vlan 221 mac 68:b5:99:cc:9b:7a
! VLAN SL:
! IP :
ip service all
ip interface "data" address 10.132.3.194 mask 255.255.255.0 vlan 1 ifindex 1
ip interface "voip" address 10.221.17.194 mask 255.255.255.0 vlan 221 ifindex 2
! IPX :
! IPMS :
! AAA :
aaa authentication console "local"
aaa authentication telnet "local"
aaa authentication ftp "local"
aaa authentication http "local"
! PARTM :
! AVLAN :
! 802.1x :
! QOS :
policy network group vlan1  10.132.3.0 mask 255.255.255.0 
policy network group vlan221  10.221.17.0 mask 255.255.255.0 
policy condition c1 source network group vlan1 destination network group vlan221 
policy condition c2 source network group vlan221 destination network group vlan1 
policy action allow 
policy rule r2 precedence 15000 condition c2 action allow log  
policy rule r1 precedence 10000 condition c1 action allow log  
qos apply
! Policy manager :
! Session manager :
session prompt default "Peer-6400-SW@194: "
! SNMP :
! RIP :
! OSPF :
! BFD-STD :
! ISIS :
! IPv6 :
! IPSec :
! IP multicast :
! RIPng :
! OSPF3 :
! BGP :
! Health monitor :
! Interface :
interfaces 1/1 hybrid FORCED-FIBER
interfaces 1/2 hybrid FORCED-FIBER
interfaces 1/3 hybrid FORCED-FIBER
interfaces 1/4 hybrid FORCED-FIBER
! Udld :
! Link Aggregate :
! Port Mapping :
! VLAN AGG:
! 802.1Q :
vlan 221 802.1q 1/1 "TAG PORT 1/1 VLAN 221"
vlan 221 802.1q 1/2 "TAG PORT 1/2 VLAN 221"
vlan 221 802.1q 1/3 "TAG PORT 1/3 VLAN 221"
vlan 221 802.1q 1/4 "TAG PORT 1/4 VLAN 221"
vlan 221 802.1q 1/10 "TAG PORT 1/10 VLAN 221"
vlan 221 802.1q 1/17 "TAG PORT 1/17 VLAN 221"
vlan 221 802.1q 1/18 "TAG PORT 1/18 VLAN 221"
! Spanning tree :
bridge mode 1x1 
! Bridging :
! Bridging :
! Port mirroring :
! UDP Relay :
! Server load balance :
! System service :
swlog console level info
debug fscollect enable
! SSH :
! Web :
! AMAP :
! LLDP :
lldp network-policy 1 application voice vlan 221 l2-priority 5 dscp 0
lldp chassis tlv med network-policy enable
lldp chassis med network-policy 1
! Lan  Power :
! NTP :
ntp server 10.132.3.3
ntp client enable
! RDP :
! VLAN STACKING:
! Ethernet-OAM :
! EFM-OAM :
! ERP :
! SAA :
! DHCP Server :

CHANGED LS6224P

Code: Select all

spanning-tree mode rstp
interface range ethernet 1/e(1-24),2/e(1-24),3/e(1-24),4/e(1-24)
spanning-tree portfast auto
exit
interface range ethernet 1/e(1,25-26),2/e(1,25-26),3/e(1,25-26),4/e(1,25-26)
switchport mode trunk
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-24)
switchport mode general
exit
vlan database
vlan 221
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-24)
switchport general allowed vlan add 221 untagged
exit
interface range ethernet 1/e(1,25-26),2/e(1,25-26),3/e(1,25-26),4/e(1,25-26)
switchport trunk allowed vlan add 221
exit
interface vlan 221
name Voice
exit
vlan database                               
map mac 00:1d:7e:29:e2:35 24 macs-group 221
map mac 00:60:b9:00:00:00 24 macs-group 221
exit
vlan database
map subnet 10.132.3.0 24 subnets-group 1
map subnet 10.221.17.0 24 subnets-group 221
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-24)
switchport general map macs-group 221 vlan 221
exit
interface range ethernet 1/e(2-24),2/e(2-24),3/e(2-24),4/e(2-19)
switchport general map subnets-group 1 vlan 1
exit
interface vlan 1
ip address 10.132.3.193 255.255.255.0
exit
interface vlan 221
ip address 10.221.17.193 255.255.255.0
exit
ip default-gateway 10.132.3.194
qos advanced
wrr-queue cos-map 1 0                      
wrr-queue cos-map 1 3
wrr-queue cos-map 1 4
wrr-queue cos-map 1 5
wrr-queue cos-map 1 6
mac access-list "Voice Vlan ACL"
permit any any vlan 221
exit
mac access-list "Best Effort"
permit any any vlan 1
exit
class-map "Voice Class Map"
match access-group "Voice Vlan ACL"
exit
class-map "Best Effort Class Map"
match access-group "Best Effort"
exit
policy-map VoicePolicy
class "Voice Class Map"
set cos 7
police 3000 3000
exit
class "Best Effort Class Map"              
set cos 0
exit
exit
interface ethernet 1/e25
service-policy input VoicePolicy
exit
interface ethernet 1/e26
service-policy input VoicePolicy
exit
interface ethernet 2/e25
service-policy input VoicePolicy
exit
interface ethernet 2/e26
service-policy input VoicePolicy
exit
interface ethernet 3/e25
service-policy input VoicePolicy
exit
interface ethernet 4/e25
service-policy input VoicePolicy
exit
interface ethernet 4/e26                    
service-policy input VoicePolicy
exit
hostname XXXX_XXXX_6224P
username admin password XXXXXXXXXXX level 15 encrypted
username manager password XXXXXXXXX level 15 encrypted
snmp-server location "XXXX XXXX"
snmp-server contact "XXXX Helpdesk XXXXX"
stack display-order top 1 bottom 2
clock timezone +1
clock summer-time recurring eu zone utc
sntp client enable vlan 1
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp anycast client enable
sntp broadcast client enable
sntp server 10.132.3.3

show ip route (6400)

Code: Select all

 + = Equal cost multipath routes
 * = BFD Enabled static route 
 Total 3 routes

  Dest Address      Subnet Mask       Gateway Addr      Age       Protocol 
------------------+-----------------+-----------------+---------+-----------
  10.132.3.0        255.255.255.0       10.132.3.194      01:00:35  LOCAL
  10.221.17.0       255.255.255.0       10.221.17.194     01:00:35  LOCAL
  127.0.0.1         255.255.255.255     127.0.0.1         01:01:55  LOCAL

show ip router database (6400)

Code: Select all

Legend: + indicates routes in-use
        * indicates BFD-enabled static route
        r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 2

  Destination         Gateway         Interface    Protocol  Metric        Tag   Misc-Info
---------------------+---------------+------------+--------+-------+----------+-----------------
+  10.132.3.0/24      10.132.3.194    data         LOCAL          1          0 
+  10.221.17.0/24     10.221.17.194   voip         LOCAL          1          0 

[one6f]

Sorry, overwritten,
of course routed based on

Code: Select all

ip interface "data" address 10.132.3.194 mask 255.255.255.0 vlan 1 ifindex 1
ip interface "voip" address 10.221.17.194 mask 255.255.255.0 vlan 221 ifindex 2

Static routes do not needed.