Switching

Good evening,

I recently got an EX2300 for use in a small office. I've configured the switch to hand out DHCP addresses to clients on a vlan. The ge-0/0/0 interface is configured to get a DHCP address from the modem. The modem itself is in NAT with Routing mode, but any client connected to the switch is unable to get out to the internet.

From the switch's perspective it can ping the internal l3 interfaces, it can ping the modem, and it can ping an external web address. The l3 interface is able to ping the switch, but cannot ping the modem/gateway. The best I can come up with is there is a route missing from the modem back to the switch, but the modem doesn't allow me to configure any static routes. The static route in the switch is automatically created when ge-0/0/0 is connected and is the local IP of the modem.

Any thoughts or help is appreciated. I am also attaching my current configuration.

Thank you.

Attachment(s)

config.txt   6 KB 1 version

Hello Michael,

Are you able to ping the switch from the modem? The only IP address on the switch I could find from your config is the IRB 62. What is the interface that goes to the DHCP Server or  Modem? There is no static route or any routing configured on the switch.  

Also, do the clients get an IP address via DHCP through the switch? You mention that a static route is automatically created when ge-0/0/0 is connected but can you try to configure it before connecting ge-0/0/0?

Please provide the answers to the above questions and try the above and let me know. 

Thanks,

Puneet

Good evening Puneet,

I don't believe the modem has an interface I can use to attempt pinging the switch (unfortunatley this is an ISP provided modem and the feature set is extremely slim).

The interface connecting the switch to the modem is ge-0/0/0 it is set to family inet dhcp and gets an IP address from the modem (192.168.0.2 to be precise, the modem is 192.168.0.1). No there is no static route configured because the 0.0.0.0/0 next-hop is created automatically when I connect the switch to the modem. I have also configured this manually, but it has made no difference in irb.62 being able to ping the modem.

Yes the clients get an IP address from the switch when connected. All of that works as expected. They recieve a 192.168.62.x address within the defined boundry and can ping each other with no issue, they just don't appear to be able to get beyond 192.168.62.1 (the address is both the router defined in the DHCP settings and the IP of irb.62 which handles the routing for that vlan).

Attached is the output from show route that includes the 0.0.0.0 next-hop 192.168.0.1. Like I said I have also added this as a static route with no change in behavior.

Attachment(s)

route.txt   647 B 1 version

Hello Michael,

Can you try suppressing the access-internal route and put a static route and check once? 

Puneet,

Unfortunately this did not have any affect on the vlan's ability to cross the 192.168.62.1 gateway.

I am also in the process of responding to the post above with the results.

Thank you.

Hi Michael,

If source IP 192.168.0.1 can access the internet but not others in vlan62, then we are probably looking at a source-nat requirement that usually is supported on SRX or MX devices.  You can check with the vendor but I don't think such basic modems have the capability of configuring a return route for your internal networks.  

One way for switch ports to access external network could perhaps be like this, please give this a try:

a) Configure ge-0/0/0 as an access port with family ethernet-switching and member of vlan62 (say). 

b) Assign irb.62 an IP as 192.168.0.1/24 in same subnet as modem/gateway.

c) Configure switch ports (that need internet access) in same VLAN (vlan62) and assign the clients the gateway IP as 192.168.0.2 (modem).

d) Configure static default route on the switch to point to the modem/gateway.

delete interfaces ge-0/0/0

set interafaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan62

delete interfaces irb
set interfaces irb unit 62 family inet address 192.168.0.1/24
set routing-options static route 0/0 next-hop 192.168.0.2

Or just use another VLAN that can get internet access.   However know that if we create a separate VLAN for this purpose, then only that VLAN will have internet access (anything sourced from vlan62 won't).

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Good morning mriyaz,

Thank you for your advice. It appears configuring it so that the vlan, irb, and the port connected to the modem are all on the same network as the modem itslef then everything works. Clients get out to the internet without issue. I am going to outline the configuration below, but then I have a couple of questions. Networking is by far my forte, but I want to understand why this does/does not work a little bit better. I will say that I based a lot of my configuration of this small office on our home office which is running EX3400s and an SRX. All of the routing happens on the SRX and of course there is NATing occuring on the SRX. Perhaps my expectations were that the Modem would be able to handle the same job the SRX is doing as far as the NAT is concerned, but anyway, I will ask my questions below.

Working configuration:

Modem's local IP address - 192.168.0.1

VLAN configured with a l3-interface of 192.168.0.2

Interface ge-0/0/0 connected to the modem and set to configured VLAN

Client interfaces configured to recieve a DHCP address between 192.168.0.100 and 192.168.0.150 with a gateway of 192.168.0.1

Static route configured as 0/0 next-hop 192.168.0.1

Observations and Questions:

I tested the configuration without the static route as well and it works. I'm assuming there are no static routes needed because the client/vlan/and modem are all on the same network and thus don't need to route across networks. Is this accurate?

Since we are not routing within the switch given the above configuration is the irb even needed? Again since everything is on the same network we're practically in "dumb switch" mode are we not? I am going to test this later today for my own curiostiy.

So, I guess my question is, why is the vlan configuration not working as I expected it to? Is it a route back to the vlan that is missing because the modem doesn't know what to do with the traffic? On my main network I have 8-9 vlans with a single static route of 0/0 out to the ISPs gateway. All of the routing is happening on the SRX though, the switches just do ethernet-switching. Is this not similar to the configuration I initally had? Is there some "magic" (high tech term there) that the SRX does that it doesn't need additional configuration to route traffic back to the sending client? If I was able to define a route back to the switch from the modem (I'm assuming this would be something like 0.0.0.0/0 next-hop 192.168.0.2 for a return path from the modem to the switch if I was actually able to configure it) would that do what I was originally trying to accomplish?

As of right now, to your point mriyaz I don't think I can do multiple vlans on this switch with this modem that would allow all clients regardless of their vlan to get internet access. I may play around with my limited understanding of trunks to see if I can get something going, but since the only way to get things working so far has been to put the vlan on the same network as the modem I don't think trunking will accomplish anything.

Thanks for all the help everyone.

Tried to respond inline.

---

@Michael_WC wrote:

Good morning mriyaz,

 

Thank you for your advice. It appears configuring it so that the vlan, irb, and the port connected to the modem are all on the same network as the modem itslef then everything works. Clients get out to the internet without issue. I am going to outline the configuration below, but then I have a couple of questions. Networking is by far my forte, but I want to understand why this does/does not work a little bit better. I will say that I based a lot of my configuration of this small office on our home office which is running EX3400s and an SRX. All of the routing happens on the SRX and of course there is NATing occuring on the SRX. Perhaps my expectations were that the Modem would be able to handle the same job the SRX is doing as far as the NAT is concerned, but anyway, I will ask my questions below.

 

Working configuration:

 

Modem's local IP address - 192.168.0.1

VLAN configured with a l3-interface of 192.168.0.2

Interface ge-0/0/0 connected to the modem and set to configured VLAN

Client interfaces configured to recieve a DHCP address between 192.168.0.100 and 192.168.0.150 with a gateway of 192.168.0.1

Static route configured as 0/0 next-hop 192.168.0.1

 

Observations and Questions:

 

I tested the configuration without the static route as well and it works. I'm assuming there are no static routes needed because the client/vlan/and modem are all on the same network and thus don't need to route across networks. Is this accurate?

[ANS] No, that must be because the clients are already ARPing for the gateway and the EX is just doing plain switching and not routing in this case.  So it looks at the destination MAC and forwards packets out of ge-0/0/0.  That's how it must be working without the static route.

 

Since we are not routing within the switch given the above configuration is the irb even needed?

[ANS] You'll need the IRB if you have any other VLAN and need to allow IP communication between VLANs.  Note this is independent of the fact that your other VLAN cannot get internet connectivity in this set up.

 

Again since everything is on the same network we're practically in "dumb switch" mode are we not? I am going to test this later today for my own curiostiy.

[ANS] Switch is doing switching based on destination MAC address, not quite "dumb" though :), I'd call a hub as "dumb".

 

So, I guess my question is, why is the vlan configuration not working as I expected it to? Is it a route back to the vlan that is missing because the modem doesn't know what to do with the traffic?

[ANS] If possible, on your working setup, just check if the SRX has a return route for the other internal VLANs/networks that it provides internet connectivity.   I think that's the only difference here, the modem isn't smart enough to do routing back to the internal networks like an SRX.

 

On my main network I have 8-9 vlans with a single static route of 0/0 out to the ISPs gateway. All of the routing is happening on the SRX though, the switches just do ethernet-switching. Is this not similar to the configuration I initally had? Is there some "magic" (high tech term there) that the SRX does that it doesn't need additional configuration to route traffic back to the sending client? If I was able to define a route back to the switch from the modem (I'm assuming this would be something like 0.0.0.0/0 next-hop 192.168.0.2 for a return path from the modem to the switch if I was actually able to configure it) would that do what I was originally trying to accomplish?

[ANS] Not really, you need a route like 192.168.162.0/24 with next-hop as 192.168.0.2 (assuming internal network is 192.168.162.0/24 and 192.168.0.2 is the switch interface connecting to modem like before).  It's unlikely the modem will have this capability.  The reason why you're idea of 0.0.0.0/0 next-hop 192.168.0.2 is incorrect is that doesn't make sense of how the modem will not hit that route for internet traffic? Hope you get what I mean here.

 

As of right now, to your point mriyaz I don't think I can do multiple vlans on this switch with this modem that would allow all clients regardless of their vlan to get internet access. I may play around with my limited understanding of trunks to see if I can get something going, but since the only way to get things working so far has been to put the vlan on the same network as the modem I don't think trunking will accomplish anything.

[ANS] True, with the current setup, a flat VLAN is what you might be able to make work.  Else, I think you will need an SRX in the mix like you do in the working setup :).

 

Thanks for all the help everyone.

---

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Thank you so much mriyaz! Your explanations are very helpful indeed.

While it isn't my preferred route, for now a single vlan will have to do, I'm just a little mad at myself because I could have accomplished the same thing with a much cheaper piece of hardware. Once I have time and the funds I will look into getting an SRX setup in this office so that I can actually take advantage of the hardware.

Unfortunately I have about 24 hours before this office has to be live so I just need to make do with what I have.

Thank you and everyone else for all of the help it is very much appreciated!

Thanks again.

The modem will need a route to the 192.168.62.0/24 network with a next hop of your ge-0/0/0 ip address.

since this is dhcp, this would need to change as the address changes, so the better option is setting a static address there for this route.

And you need to confirm that the outbound nat on the modem can work for the additional subnet as configured.

What is the make and model of the device?

An alternative is to just leave the ex as . a pure layer 2 device so it simply extends the modem vlan and get the dhcp directly from the modem for all the devices on the ex.

Hi spuluka,

The route from the modem back to the swtich is where I think this whole thing is failing and since I can't configure the modem with static routes I may just be out of luck in this situation. We are currently working with the ISP to get a static address due to the need to connect a particular system back to our home office, we just don't have it currently.

There is literally no configuration options for the NAT on the modem other than RoutingwithNAT/Bridge/RoutingNoNAT. It's either on or off. I will grab the make/model in a little bit when I head over to the other building. (EDIT: It is an Arris DG3270)

Yeah, your option is in essence what I am doing currently with the addition of a defined vlan (unneeded) and having the switch do the DHCP. I've been contemplating resetting the switch and just letting the modem do everything, though I initially wanted two separate networks it is looking unlikely to be doable with the current hardware I have.

Thanks.

Since the device has a bridge mode you could enable the cable modem bridge mode then install the firewall of your choice like the SRX that woud give you all the control you want in place.

Thanks spuluka, I am thinking about doing that in the future. As mentioned above I am on a pretty tight schedule and don't have the time or the budget for that right now. If I am going to do it I might as well do it right and put another SRX in place. Eventually I want to get all of smaller offices connected back to the main office through a point to point VPN. From my understanding of the SRX this should be doable.

Until then though I think I have everything I need to get this office up and going.

Thank you for the advice.