Need Layer 3 networking help

So right now I am stuck. My network consists of an EdgeRouter, a core EdgeSwitch containing my VLAN database and broadcasting GVRP (similar to Cisco VTP I guess, but I don’t really know Cisco), and 3 more EdgeSwitches that get their VLAN info from the core switch. All of the switches are trunked together through the SFP ports. What I can’t figure out is how to hit anything past the core EdgeSwitch from outside the LAN (or inside, for that matter; the only way I can do it now is to plug directly into my management port, which is not my goal). I have the port forwarding correct and the switches all have different IPs. I’m not really sure how this needs to be done. Can any of you gurus give me some insight?

Also, before, I had them set up totally incorrectly but somehow still working, and I could reach them from the outside. However, I’m thinking that since the VLANs have no IPs in the secondary switches, that’s why I can’t reach them?

So you’re having trouble accessing the management interface on the switches that are connected to your core switch unless you plug into them directly, is that correct?

Yes. Right now my secondary switches have no IPs on their VLANs, just VLAN ID membership assigned to ports and GVRP on the trunk ports. Sorry if my terminology is off; I’m a rookie with Layer 3. This is my second install with multiple EdgeSwitches.

That’s your problem: the management interfaces have to have their own IP address in the same subnet your management access network is on. You can do it with VLANs, but it is better to have its own management network away from the internal traffic. Just a suggestion; it also will improve security on the network.

You can have a management VLAN, but you need to set it manually here:

Can this be the “default” VLAN? Or should I create a VLAN for this purpose? If I create a VLAN, does it need to be assigned to any ports?

Yes, you need to keep it separate from the network traffic; otherwise anybody can get into your switch.


Any VLAN that you want, as long as it’s routed.

No just where I have it above (and in the trunk).

Okay yes, that’s what I was thinking. I have to go onsite in another town to try but I’m about to test in my office. Thanks!


Cool.

Ideally, you should at least have a management VLAN, an admin VLAN and client VLAN(s). Use the firewall on the router to only allow incoming traffic to the management network from the admin network.

@ferg9020 would you agree with that?

Yes, I would. The only thing about using the VLAN is to keep in mind that if the LAN goes down you will lose access to your downstream switches; it’s a cascading effect. Also keep in mind that when testing the pipe (LAN), ICMP ping packets have the lowest priority in the pipe. It’s not a good test: it will show a connection but will not show you the true bandwidth on the WAN.


I would recommend setting up a site-to-site VPN while you’re there, assuming you’re responsible for the ongoing administration of the site.

Here’s the info for that:

I used to run a rather large network using Cisco 7609 switches. It can give you headaches for days if someone makes a mistake. Also, do leave the management VLAN up from the core switch; it’s inviting trouble, trust me on that one, with all the nice security holes found in this equipment: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1


So I’ve made my management VLAN 1, and on the same tab given my two switches IPs on the same subnet mask (192.168.2.2 and 192.168.2.3). Plugged into the management port on my secondary switch (2.3, also set to VLAN 1 as the mgmt VLAN) I can ping the core switch. But from my office PC, which is connected directly to the core switch and on a different VLAN, I cannot reach either of those addresses. I’ve tried to “include” VLAN 1 on this VLAN but it doesn’t seem to stick; it only removed the exclusion part. Is it necessary to create an entire VLAN for this purpose? Is the default VLAN just for initial setup?

A couple of things: VLAN 1 is the default VLAN, so it’s probably not your best option for mgmt or admin networks. By default, all ports on your switches are in VLAN 1.

Pinging across VLANs requires the router to get involved*, so you need to confirm that the router is aware of all VLANs and that you can ping the secondary switches from the router. The static routes should be added automatically when you configure the VLAN on your EdgeRouter.

*The EdgeSwitches do have some routing capabilities but I have never used them.

All of my routing (well, local at least) is done on the switches. But I am going to try and create a VLAN specifically for this purpose, as this has to be the issue. I have inter-VLAN routing functioning, as my servers and clients are on separate VLANs and are correctly functioning.


[How] Are you controlling access between the VLANs then? To me, the reason to use a separate management VLAN is to firewall it against the client/server VLANs, which I believe the switches are not capable of doing. Other than breaking up broadcast domains, what are you achieving by routing VLANs on the switches?

Via inclusions/exclusions based on ports. I have POS systems excluded from everything else, and a pretty big high-res IP camera network that I wanted to separate for congestion reasons (pretty sure that’s how it works). Again, man, I’m by no means an expert; my boss throws these jobs at me for me to learn and likes to leave me on my own until I absolutely can’t figure things out, lol. He also learned everything on Cisco, so both of us are unsure about nuanced parts of configs like this. I’m a 20-year-old college dropout with no formal training, just getting my feet wet with Layer 3.


Yeah, I should probably do some things this way. I’ve always configured my networks more or less as router-on-a-stick. I wonder if there are any security caveats to VLAN switching other than a lack of granularity (it’s just on or off, no packet filtering).