DGS-1210-28 - cannot access admin GUI when connected to another switch via trunk

mx5gr:
We own two identical DGS-1210-28 switches, updated to the latest firmware.

We are using 4 different VLANs and the switch ports are either tagged or untagged. Ports 25 - 28 are bonded together and are used to interconnect the two switches. All VLANs that refer to these ports are tagged and allowed through.

The VLANs are:

VLAN1 - 192.168.11.0/24
VLAN2 - 192.168.12.0/24
VLAN3 - 192.168.13.0/24
VLAN4 - 192.168.14.0/24

The G/W of the switch is 192.168.12.1; however, all VLANs talk to each other through a firewall/router that is attached to all of them.

We have set up two management interfaces, 192.168.11.5 & 192.168.12.5 for the 1st switch and 192.168.11.6 & 192.168.12.6 for the other.

When the two switches are not connected to each other, if we attach a laptop to a port and ping the switch management interface or open the GUI, they work fine. If, however, we interconnect them as stated above, then two things happen:

(1) There is only access to the management interfaces of the 1st switch from any VLAN/ports/switch (i.e. a device connected to switch 2 cannot ping or open its management interface but can both open/ping the mgmt interface of switch 1)

(2) All devices that are connected to different VLANs and spread among the ports of both switches can properly communicate with each other (as intended)

We have tried many combinations and different methods to test the mgmt interfaces of switch #2, there is no way (until now) to make them work (admin GUI/ping) when both switches are connected to each other.

Any hints?

PacketTracer:
Hi,

I'm surprised how you could have managed to configure two management addresses (one per VLANs 1 and 2) per switch!
According to the manual, you can only configure a single management address (System > System Settings) per switch which is assigned to default VLAN 1. And you can change this VLAN assignment via "VLAN > 802.1Q Management VLAN" to another user created one, in your case e.g. VLAN 2.

PT

mx5gr:
Hi,

I went to L3 Functions -> IP Interface and created one IPv4 interface per VLAN that is attached to the switch, apart from the one defined within System -> System Settings and assigned to the correct VLAN. Through these IPs (multiple VLANs) I can access the mgmt GUI.

PacketTracer:
Hi,

ah - ok. The manual I referenced refers to an older DGS-1210-28 which doesn't provide L3 Functions. Found a more recent manual V5.00 for switch model DGS-1210-28MP, looks like this is the model you use?

Here the VLAN that the first management interface shall be assigned to can already be selected within "System > System Settings".

I studied about the L3 functions: It seems to me like any L3 Interface defined for another VLAN does not constitute an own routing context (VRF) but only extends the switch's global routing context by an additional SVI. Hence you can only have a single global routing table with a single default route defined via "System > System Settings". From what you said I conclude you selected VLAN 2 (192.168.12.0/24) within "System > System Settings" and set the Gateway to 192.168.12.1.

This would mean for L3 interfaces 192.168.11.5 and 192.168.11.6 that without additional host routes within your Firewall/Router or static routes within your switches they can only be accessed by clients within VLAN 1, because for clients within VLANs 2, 3 and 4 you would have asymmetric routing that should be blocked by the firewall (routed traffic from these VLANs sent to the switches via VLAN 1, reverse traffic from the switches sent back via VLAN 2). For clients within VLANs 2, 3 and 4 (assuming them to have configured your firewall/router as their gateway 192.168.X.1, X=11,12,13,14) you would either have to define the following host routes within your firewall/router:

192.168.11.5/32 next hop 192.168.12.5 via interface vlan2
192.168.11.6/32 next hop 192.168.12.6 via interface vlan2

Or, as an alternative and perhaps the better choice, you can instead define additional static routes within your switches for routing to VLANs 2, 3 and 4 via VLAN 1:

192.168.12.0/24 next hop 192.168.11.1 via interface vlan1
192.168.13.0/24 next hop 192.168.11.1 via interface vlan1
192.168.14.0/24 next hop 192.168.11.1 via interface vlan1

On the other hand, the problems you observed cannot be explained by the absence of these routes.

Hence something else may possibly be wrong. What about the PVID settings of the switch ports? Did you set them accordingly or are they all left at their default values PVID=1 (which would be wrong for some set of ports)?

PT
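The asymmetric path described in the post above can be traced with a small model. This is an added example, not part of any post in the thread: the function names and the client addresses (192.168.13.50, 192.168.11.50) are constructed, and it assumes the switch prefers connected routes over static ones and the firewall is .1 in every VLAN.

```python
import ipaddress

# Constructed model of the thread's addressing for switch 1:
# SVIs 192.168.11.5 (VLAN 1) and 192.168.12.5 (VLAN 2), one global routing table.
SWITCH_SVIS = {1: "192.168.11.5", 2: "192.168.12.5"}
VLAN_NETS = {v: ipaddress.ip_network(f"192.168.1{v}.0/24") for v in (1, 2, 3, 4)}
DEFAULT_GW_VLAN = 2  # single default route via 192.168.12.1


def vlan_of(ip):
    """VLAN whose subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    return next(v for v, net in VLAN_NETS.items() if addr in net)


def switch_egress_vlan(dst_ip, static_routes):
    """VLAN on which the switch sends a packet towards dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    for vlan in SWITCH_SVIS:                      # connected routes (assumed preferred)
        if addr in VLAN_NETS[vlan]:
            return vlan
    # Static routes, longest prefix first, then the default route.
    for net, vlan in sorted(static_routes.items(), key=lambda r: -r[0].prefixlen):
        if addr in net:
            return vlan
    return DEFAULT_GW_VLAN


def firewall_egress_vlan(dst_ip, host_routes):
    """VLAN on which the firewall forwards a packet towards dst_ip."""
    return host_routes.get(dst_ip, vlan_of(dst_ip))


def path(client_ip, mgmt_ip, static_routes=None, host_routes=None):
    """Return (VLAN the request arrives on, VLAN the reply leaves on, symmetric?)."""
    static_routes, host_routes = static_routes or {}, host_routes or {}
    client_vlan = vlan_of(client_ip)
    if client_vlan == vlan_of(mgmt_ip):
        fwd = client_vlan                         # same subnet, no gateway involved
    else:
        fwd = firewall_egress_vlan(mgmt_ip, host_routes)
    ret = switch_egress_vlan(client_ip, static_routes)
    return fwd, ret, fwd == ret


if __name__ == "__main__":
    print(path("192.168.13.50", "192.168.11.5"))  # VLAN 3 client, no extra routes
    print(path("192.168.13.50", "192.168.11.5",
               host_routes={"192.168.11.5": 2}))  # firewall host route from the post
```

A result whose third element is False is a flow where a stateful firewall sees only one direction of the conversation.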

mx5gr:
I thought so myself regarding the VRF functionality as you described. I don't see why they could not program a proper L3 interface and they delivered such a crippled functionality.

I tried adding a few rules to the f/w to cover the asymmetric routing potential issue the other day, however I did not have the time to test them out.

However, the mgmt interface cannot be accessed even by clients belonging to the same subnet as the virtual L3 interfaces on the same switch, i.e. no gateway is involved. Furthermore, regarding sw 2, its mgmt interface albeit being within the same VLAN/subnet as the mgmt interface of sw 1 (settings as defined within System -> System Settings), it is inaccessible even by clients within the same VLAN when attached to the switch (#2) itself to ports that have this VLAN untagged. These sw2 ports at the same time can properly communicate with the clients on the same VLAN attached to the corresponding ports of sw1, as well as the sw1 mgmt interface itself.

Port PVIDs have been double checked and the switches operate properly (access to mgmt interface) when not interconnected via the trunk links. When the trunk is in place, no access to the mgmt interface of sw2 is feasible through any VLAN and irrespective of whether the client is directly attached to the switch or not.

It completely baffles me..  ::)
