Broadcast storm??? Or what else? - TCP-IP


Thread: Broadcast storm??? Or what else?

  1. Broadcast storm??? Or what else?

    I have a problem which I was unable to track down to the real cause
    yet:

    I have a broadband connection from the ISP with static IPs. On my side
    there is ZyXEL router with 4 ports.
    On 1 port of the ZyXEL, the WAN port of a Netgear WLAN NAT Router is
    connected to one of the static IPs.
    The LAN side of the Netgear has the IPs 192.168.1.x
    I connected 1 LAN port of the Netgear to a GBit switch, to which all the
    other clients (PCs) are connected.

    There is another GBit switch in another room, where I want to have
    access to the internal net (192.168.1.x) as well as to the external net
    (85.126.....x), but there is only one cable connection between the
    rooms.
    I connected both switches via 1 cable.

    So far everything is working.
    But when I connect a 2nd port of the ZyXEL to the first switch I run
    into problems.
    Basically it works (I can access internal and external net from clients
    on both switches).

    But sooner or later the traffic "runs wild" (some clients as e.g. the
    Buffalo Terastation even cease to work after a few minutes). I assume a
    broadcast storm. But I cannot understand the reason for it, since the
    theoretical loop between ZyXel, first switch and Netgear is only
    theoretical, since no broadcast packets should pass the Netgear (as
    router).


    Has anyone an idea what really is happening here? How can I know that
    it really is broadcast related? Are there any other possible reasons
    for the problem? How could I solve it, provided that I have only 1
    cable between the rooms and still want access to both internal and
    external net from everywhere?


    best,
    Martin


  2. Re: Broadcast storm??? Or what else?

    In article <1158074178.670149.197200@d34g2000cwd.googlegroups.com>, "mbob" writes:
    > I have a problem which I was unable to track down to the real cause
    > yet:
    >
    > I have a broadband connection from the ISP with static IPs. On my side
    > there is ZyXEL router with 4 ports.
    > On 1 port of the ZyXEL, the WAN port of a Netgear WLAN NAT Router is
    > connected to one of the static IPs.
    > The LAN side of the Netgear has the IPs 192.168.1.x
    > I connected 1 LAN port of the Netgear to a GBit switch, to which all the
    > other clients (PCs) are connected.
    >
    > There is another GBit switch in another room, where I want to have
    > access to the internal net (192.168.1.x) as well as to the external net
    > (85.126.....x), but there is only one cable connection between the
    > rooms.
    > I connected both switches via 1 cable.
    >
    > So far everything is working.
    > But when I connect a 2nd port of the ZyXEL to the first switch I run
    > into problems.
    > Basically it works (I can access internal and external net from clients
    > on both switches).
    >
    > But sooner or later the traffic "runs wild" (some clients as e.g. the
    > Buffalo Terastation even cease to work after a few minutes). I assume a
    > broadcast storm. But I cannot understand the reason for it, since the
    > theoretical loop between ZyXel, first switch and Netgear is only
    > theoretical, since no broadcast packets should pass the Netgear (as
    > router).
    >
    >
    > Has anyone an idea what really is happening here? How can I know that
    > it really is broadcast related? Are there any other possible reasons
    > for the problem? How could I solve it, provided that I have only 1
    > cable between the rooms and still want access to both internal and
    > external net from everywhere?


    Not having any detailed knowledge of the NetGear or ZyXel, I can
    only speculate. However I have seen similar symptoms in the past
    with situations that resemble yours in some key regards.

    Two words: Directed broadcast.

    Suppose we have a frame directed to the broadcast address on your
    external subnet. It may be generated by one of your client devices.
    Or maybe it comes from the ISP. Let's assume it came from the client
    side. (It ends up generating a storm either way).

    The frame is an IP level directed broadcast arriving in an Ethernet
    level unicast frame directed to the Netgear.

    The Netgear dutifully forwards this through its external interface
    where it manifests as an IP level directed broadcast in an Ethernet
    level broadcast frame.

    But the connected cable has more than one subnet...

    This frame arrives on the ZyXel's first port, the ZyXel's second
    port and the NetGear's inside port. Not all of these interfaces recognize
    the incoming destination address as being local. The ZyXel forwards
    one or two copies either to the external subnet or to the NetGear
    depending on your exact topology and routing. And the NetGear
    now forwards one or more copies out through its external interface.

    And off you go to an exponentially multiplying broadcast storm, limited
    only by your TTL and your buffer space.

    I was unclear on your exact topology and routing, but there are
    possibilities for directed broadcast storms in all of the plausible
    setups that seemed to me to fit your description.

    If it's just the NetGear forwarding directed broadcasts to itself,
    you are OK. That's only a traffic multiplier of 30 or so (depending
    on your TTL).

    When you add a second path through the forwarding loop then things
    go exponential and you get a traffic multiplier of 2^30 or so. It
    only takes one packet to shut you down until your buffers clear and
    the TTL works itself out.
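    As an added illustration of the two forms of the same packet described above (example code, not from any poster): a small parser that reports a frame's Ethernet destination and its IPv4 destination relative to the thread's public /29 (85.126.148.24-31, given in a later post), plus a counter reproducing the "30 or so" versus "2^30 or so" multiplier. The MAC addresses are constructed for the example.

```python
import struct
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
# The public /29 from the thread (85.126.148.24-31); its directed-broadcast address is .31
PUBLIC_NET = ipaddress.ip_network("85.126.148.24/29")

def build_frame(dst_mac, src_mac, dst_ip, src_ip, ttl=64):
    """Constructed minimal Ethernet II + IPv4 header (UDP proto, no payload, checksum 0)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def classify(frame, local_net):
    """Return (link-layer kind, IP kind), so the directed broadcast can be recognised
    both as a unicast frame sent to the router and as an Ethernet broadcast."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[:6])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 handled")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("truncated IPv4 header")
    dst_ip = ipaddress.ip_address(frame[30:34])       # IPv4 destination at IP offset 16
    l2 = "broadcast" if dst_mac == BROADCAST_MAC else "unicast"
    if dst_ip == LIMITED_BROADCAST:
        l3 = "limited-broadcast"
    elif dst_ip == local_net.broadcast_address:
        l3 = "directed-broadcast"
    else:
        l3 = "unicast"
    return l2, l3

def storm_frames(ttl, paths):
    """Frames one looping directed broadcast puts on the wire before its TTL expires:
    every router hop decrements TTL once and, with `paths` ways round the loop,
    yields `paths` copies. Buffer exhaustion, which ends a real storm sooner, is ignored."""
    total, in_flight = 0, 1
    for _ in range(ttl):
        total += in_flight
        in_flight *= paths
    return total

if __name__ == "__main__":
    # Constructed MACs: 02:..:01 a PC behind the Netgear, 02:..:0a/0b the Netgear LAN/WAN side
    leg1 = build_frame("02:00:00:00:00:0a", "02:00:00:00:00:01", "85.126.148.31", "192.168.1.10")
    leg2 = build_frame(BROADCAST_MAC, "02:00:00:00:00:0b", "85.126.148.31", "85.126.148.26")
    print("PC -> Netgear LAN port:  ", classify(leg1, PUBLIC_NET))  # ('unicast', 'directed-broadcast')
    print("Netgear WAN -> segment:  ", classify(leg2, PUBLIC_NET))  # ('broadcast', 'directed-broadcast')
    print("one path:", storm_frames(30, 1), "two paths:", storm_frames(30, 2))
```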

  3. Re: Broadcast storm??? Or what else?

    "mbob" wrote:

    > I have a problem which I was unable to track down to the real cause
    > yet:
    >
    > I have a broadband connection from the ISP with static IPs. On my side
    > there is ZyXEL router with 4 ports.
    > On 1 port of the ZyXEL, the WAN port of a Netgear WLAN NAT Router is
    > connected to one of the static IPs.
    > The LAN side of the Netgear has the IPs 192.168.1.x
    > I connected 1 LAN port of the Netgear to a GBit switch, to which all the
    > other clients (PCs) are connected.
    >
    > There is another GBit switch in another room, where I want to have
    > access to the internal net (192.168.1.x) as well as to the external
    > net
    > (85.126.....x), but there is only one cable connection between the
    > rooms.
    > I connected both switches via 1 cable.


    I drew a picture like this:

    WAN----ZyXEL-----NAT------EnetSwitch--------EnetSwitch

    where you have several spare ports available at the ZyXEL, NAT, and
    each of the two switches.

    All works well configured like this. Then you add a link from a formerly
    spare port of the ZyXEL directly to the first switch, bypassing the NAT,
    and gradually everything degrades.

    > So far everything is working.
    > But when I connect a 2nd port of the ZyXEL to the first switch I run
    > into problems.
    > Basically it works (I can access internal and external net from
    > clients
    > on both switches).
    >
    > But sooner or later the traffic "runs wild" (some clients as e.g. the
    > Buffalo Terastation even cease to work after a few minutes). I assume
    > a
    > broadcast storm. But I cannot understand the reason for it, since the
    > theoretical loop between ZyXel, first switch and Netgear is only
    > theoretical, since no broadcast packets should pass the Netgear (as
    > router).


    First of all, my suspicion is that the ZyXEL is actually a brouter,
    correct? The WAN port has one IP address belonging to one IP subnet, and
    the other ports are all Ethernets of a single IP in-home subnet.
    Otherwise, instead of four static IP addresses you'd have been assigned
    four IP subnets, with some prefix length (i.e. mask) for each one.

    Going on this assumption, i.e. that the in-home ports of the ZyXEL are
    just ports of an Ethernet switch, and all belong to the same IP subnet,
    what happens when you bypass the NAT with a link direct to the ZyXEL
    from your two in-home switches?

    For one thing, any broadcast, such as an ARP request from one of the
    PCs, will find its way to the NAT, directly to the ZyXEL, and from there
    back to the NAT's WAN port. As well as to every host connected to the
    ZyXEL and to the two switches. I don't know how the Netgear reacts to
    this sort of ARP query arriving at the WAN port, for an IP address
    behind the NAT.

    The other iffy thing is that you'll have hosts with private IP addresses
    and with globally unique addresses in the same Ethernet, but no router
    to allow the two to talk. A NAT is not a standard router. This will
    occur especially if the ZyXEL and the NAT both support DHCP.

    > Has anyone an idea what really is happening here? How can I know that
    > it really is broadcast related? Are there any other possible reasons
    > for the problem? How could I solve it, provided that I have only 1
    > cable between the rooms and still want access to both internal and
    > external net from everywhere?


    I don't understand why you can't send all Internet traffic through the
    Netgear? Alternatively, connect some of your in-home hosts directly to
    the ZyXEL and others behind the NAT, but don't add that NAT bypass
    cable.

    Bert


  4. Broadcast storm??? Or what else?

    OK, I see, I should add some more details.
    The assumption of the topology basically was correct, but here I add
    some more information:

    xDSL ----- ZyXEL(4) -----|----- (1)Netgear NAT(4) ----- Switch1(8) ----- Switch2(8)

    In parentheses is the number of ports available, and very important:
    Switch1 and Switch2 are in different rooms, where there is only 1 cable
    available.

    The ZyXEL is in my house, but property of the ISP, so no way to
    reconfigure it.

    I have 8 static IPs from the ISP (85.126.148.24-31), available on the 4
    ports.
    The Netgear WAN port is connected to 1 ZyXEL port and uses 85.126.148.26
    The Netgear LAN range is 192.168.1.x
    1 Netgear LAN port is connected to Switch 1
    Switch 1 connected to Switch 2, using the only cable available between
    the 2 rooms.
    All clients connect to one of the switches.

    But now I want to have a server with a public static IP address
    connected to Switch 2.
    That's why I used another cable from one of the ZyXEL ports directly to
    Switch1:

    xDSL ----- ZyXEL(4) -----|----- (1)Netgear NAT(4) ----- Switch1(8) ----- Switch2(8)
                 |                                              |
                 |                                              |
                 +----------------------------------------------+


    So if I understand the previous messages right, the main problem is a
    directed broadcast to the ZyXEL (hence 85.126.148.31) which passes
    directly to Switch 1, and from there via the Netgear NAT back to the
    ZyXEL ... is this right? And it passes the Netgear, since it is a
    directed broadcast ...(?)

    How actually is a broadcast identified? Is there a special bit set in
    the frame? If yes, why does the Netgear forward it anyway. If no: how
    does Switch1 then know that it is a broadcast?

    And the most important thing: the question remains on how I can solve
    the problem, provided that I have no access to the ZyXEL router.

    Basically I can imagine 2 approaches:

    - configure the Netgear to block certain traffic, which might not be
      possible, since it's a simple SOHO router.

    - put some hardware in between the direct link between ZyXEL and
      Switch1, which filters certain traffic.


    But:
    - can the problem be solved by just filtering traffic? Aren't the
      broadcasts (such as ARP or what else) important for the network to
      function?
    - which hardware would do the job (please just a simple and cheap
      solution)?
    - AND: which traffic has to be filtered on which part of the
      infrastructure exactly?


    I still see no possible solution to the problem.


    regards,
    Martin


  5. Broadcast storm??? Or what else?

    I also just investigated the capabilities of the Netgear (WPNT834). No
    way to really block certain traffic.

    Would it be an option to add a static route in the Netgear for the
    broadcast address of the ZyXEL which uses a non-existent LAN
    (192.168.1.x) address as gateway/destination in order to "block" the
    traffic (send it to nirvana)?

    What's your opinion? Could this solve the problem? Was my
    interpretation of the problem correct at all (that stopping the routing
    of the directed broadcast would be one way to solve the problem)?

    Martin


  6. Re: Broadcast storm??? Or what else?

    I am puzzled why you connect 2 ports of the ZyXEL to the first switch.
    What is the use?
    There is a risk of a layer 2 loop if spanning tree is not working
    properly. However, in that case the network goes down immediately.


  7. Re: Broadcast storm??? Or what else?

    Hello,

    mbob wrote:
    >
    > But now I want to have an server with a public static IP address
    > connected to Switch 2.
    > That's why I used another cable from one of the ZyXEL ports directly to
    > Switch1
    >
    > xDSL -- ZyXEL(4) --|-- (1)Netgear NAT(4) -- Switch1(8) -- Switch2(8)
    >          |                                      |
    >          +--------------------------------------+


    Note: when you draw an ASCII diagram, be careful about the line
    wrapping and avoid proportional fonts.
    Is this diagram correct?

    So basically you connect together the Netgear router WAN and LAN sides,
    and create a sort of loop. IMHO that's a wrong, very wrong idea.

    Do your Ethernet switches support VLANs? If they do, this could be a
    solution.

    You need to define two VLANs on your switches, for example:
    - VLAN 1 for the private side
    - VLAN 2 for the public side

    The ports that link the two switches together must be in both VLAN 1 and
    VLAN 2, and tagged IEEE 802.1q. The other ports must be in either VLAN
    depending on what they are connected to, and normal (not tagged):
    - ports connecting private part of the network must be in VLAN 1
    (stations with private addresses, Netgear router LAN port)
    - ports connecting public part of the network must be in VLAN 2 (Zyxel
    router LAN port, Netgear router WAN port, servers with public addresses).

    This way it will work as if you had two logical switches, one for the
    private part and one for the public part of your network, and the only
    connection between them will be the Netgear router.

  8. Re: Broadcast storm??? Or what else?

    The diagram is correct.

    And the reason is that I want to connect internal hosts (192.168.1.x)
    and public hosts (85.126.148.x) on Switch 2.

    VLANs is no real option, since then I would require 2 cables to the
    room in which Switch 2 is located, 1 cable per VLAN, but there is only
    1 (and that's the real limitation, otherwise I could place another
    Switch 3 there and connect it to the ZyXEL).

    So in other words, on Switch 2 both networks should be present.
    Which is in principle not a problem.
    The problem is the loop ZyXEL - Netgear - Switch 1.

    If I understand it right the only problem is that the Netgear passes
    directed broadcasts from LAN to WAN, which come back to the Switch 1
    via the ZyXEL.
    The other direction wouldn't be a problem, since broadcast would not
    pass the Netgear from WAN to LAN (also because of NAT).

    Normal packets should be fine, because I assume the switch would
    forward it to the right gateway (Netgear for internal packets and ZyXEL
    for public packets) anyway.


    Anyway: what could be the solution, provided that the real limitation
    is the 1 cable between switch 1 and switch 2, and the need to connect
    internal and public hosts to switch 2?






  9. Re: Broadcast storm??? Or what else?

    mbob wrote:
    >
    > VLANs is no real option, since then I would require 2 cables to the
    > room in which Switch 2 is located, 1 cable per VLAN


    No, that's what IEEE 802.1q tagging is for: transporting several VLANs on
    the same physical link. So only one cable is needed between the two
    switches.

  10. Re: Broadcast storm??? Or what else?

    Oh, I was not aware that it is possible to add 2 VLAN IDs to an individual
    port. Is this a "standard" feature, or only available with selected
    (expensive) switches?

    I was thinking I would end up in 2 VLANs on Switch 1 with the need of 2
    cables then to connect both VLANs to another Switch (with also 2
    VLANs).

    But I guess this really solves my problem then.




  11. Re: Broadcast storm??? Or what else?


    "Spanning Tree Protocol" is a protocol that was created to handle
    multiple paths to the same device (a switch). The traffic would
    naturally increase if there are two paths to the same switch.

  12. Re: Broadcast storm??? Or what else?

    Now I searched for switches that would fulfill my requirements and found
    the ZyXEL 2108G.
    After browsing through the documentation, I'm not really sure how to
    configure it correctly ... unfortunately I'm not a real networking pro
    and I never had to do with managed switches.

    port based or IEEE802.1q?, trunking between the 2 switches?

    Can you maybe give me some basic hints? The user guide can be found at
    ftp://ftp.zyxel.com/ES-2108-G/docume...UsersGuide.pdf


    thanks in advance,
    Martin




  13. Re: Broadcast storm??? Or what else?

    mbob wrote:
    > Now I searched for switches that would fulfill my requirements and found
    > the ZyXEL 2108G.
    > After browsing through the documentation, I'm not really sure how to
    > configure it correctly ... unfortunately I'm not a real networking pro
    > and I never had to do with managed switches.


    Me neither, sorry. I've never touched a manageable switch in my life.

    > port based or IEEE802.1q?, trunking between the 2 switches?
    >
    > Can you maybe give me some basic hints? The user guide can be found at
    > ftp://ftp.zyxel.com/ES-2108-G/docume...UsersGuide.pdf


    IEEE 802.1q. I don't think you need trunking with only two switches. On
    each switch, create two VLANs with the same VLAN IDs as the other
    switch. The port connected to the other switch must be in both VLANs and
    tagged (and maybe with trunking), and the other ports must be in the
    desired VLAN and untagged.

    HTH.
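    An added example (not from any poster, and not the ZyXEL switch's own configuration) that models in Python the two-VLAN layout Pascal describes in posts 7 and 13: access ports untagged in VLAN 1 (private) or VLAN 2 (public), and the one cable between the rooms as an 802.1q tagged port in both. Port names and MACs are constructed; the point shown is that a broadcast from either side floods only its own VLAN across the tagged cable, so the Netgear is again the only path between the two networks.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    dst: str
    src: str
    vid: int = None          # VID from the 802.1Q tag; None means an untagged frame

@dataclass
class Port:
    name: str
    pvid: int = None                          # VLAN for untagged ingress (access port)
    tagged: set = field(default_factory=set)  # VLANs carried with a tag (trunk port)
    link: tuple = None                        # (peer Switch, peer port) on the cable

class Switch:
    """VLAN-aware switch: per-VLAN MAC learning, flooding confined to the VLAN."""
    def __init__(self, name):
        self.name, self.ports, self.fdb = name, {}, {}   # fdb: (vid, mac) -> port name

    def add_port(self, name, pvid=None, tagged=()):
        self.ports[name] = Port(name, pvid, set(tagged))

    def in_vlan(self, port, vid):
        return port.pvid == vid or vid in port.tagged

    def receive(self, port_name, frame, out):
        port = self.ports[port_name]
        # Ingress: untagged frames get the port's PVID; tagged frames are accepted only
        # on ports that carry that VLAN tagged. Anything else is dropped.
        vid = port.pvid if frame.vid is None else (frame.vid if frame.vid in port.tagged else None)
        if vid is None:
            return
        self.fdb[(vid, frame.src)] = port_name
        learned = self.fdb.get((vid, frame.dst))
        if learned is not None:
            egress = [] if learned == port_name else [self.ports[learned]]
        else:  # broadcast or unknown unicast: flood, but only to members of this VLAN
            egress = [p for p in self.ports.values()
                      if p.name != port_name and self.in_vlan(p, vid)]
        for p in egress:
            if p.link is None:
                out.append(f"{self.name}:{p.name}")          # handed to the attached host
            else:
                peer, peer_port = p.link
                tag = vid if vid in p.tagged else None       # trunk egress keeps the tag
                out.append(f"{self.name}:{p.name}[tag={tag}]")
                peer.receive(peer_port, Frame(frame.dst, frame.src, tag), out)

def cable(sw_a, port_a, sw_b, port_b):
    sw_a.ports[port_a].link = (sw_b, port_b)
    sw_b.ports[port_b].link = (sw_a, port_a)

def build_topology():
    """Pascal's layout: VLAN 1 = private side, VLAN 2 = public side, one tagged
    cable between the rooms. Port names are constructed for this example."""
    s1, s2 = Switch("Switch1"), Switch("Switch2")
    s1.add_port("netgear_lan", pvid=1)       # Netgear LAN port
    s1.add_port("pc1", pvid=1)
    s1.add_port("zyxel", pvid=2)             # ZyXEL LAN port
    s1.add_port("netgear_wan", pvid=2)       # Netgear WAN port
    s1.add_port("uplink", tagged=(1, 2))     # the only cable to the other room, 802.1q tagged
    s2.add_port("uplink", tagged=(1, 2))
    s2.add_port("pc2", pvid=1)
    s2.add_port("nas", pvid=1)               # e.g. the Terastation
    s2.add_port("public_server", pvid=2)     # the server that needs a public address
    cable(s1, "uplink", s2, "uplink")
    return s1, s2

def flood_from(switch, port_name, src_mac):
    """Every port a broadcast (e.g. an ARP request) injected here is delivered to."""
    out = []
    switch.receive(port_name, Frame(BROADCAST, src_mac), out)
    return sorted(out)

if __name__ == "__main__":
    s1, s2 = build_topology()
    print("private host on Switch2:", flood_from(s2, "pc2", "02:00:00:00:00:21"))
    print("public side via ZyXEL:  ", flood_from(s1, "zyxel", "02:00:00:00:00:01"))
```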

  14. Re: Broadcast storm??? Or what else?

    Thanks for all the info, guys ... really helped me a lot:

    - to solve my problem (hopefully - 2 VLAN switches are already ordered)
    - to learn about VLANs and broadcasts :-)

    Martin




  15. Re: Broadcast storm??? Or what else?

    On 2006-09-12 11:16:18 -0400, "mbob" said:

    >
    > There is another GBit switch in another room, where I want to have
    > access to the internal net (192.168.1.x) as well as to the external net
    > (85.126.....x), but there is only one cable connection between the
    > rooms.
    > I connected both switches via 1 cable.


    I read all the follow-on postings, so I don't have too much to add in
    that thread, but it made me think that I frequently run into issues
    where a vendor doesn't have a product offering that is flexible enough
    to resolve the custom issue I need to.

    I turned to OpenBSD (insert neat jingle sound here).

    OpenBSD supports cheap hardware, packet queuing / bandwidth control /
    bridging / routing, and 802.1q VLANs in a fairly easy-to-understand
    English language, and yes, also includes a robust firewall. I use
    OpenBSD at home to sort out hosts that do need to be NAT'd, don't, and
    it gives me a lot of control over who talks to who. It's also an
    excellent way to experiment with concepts like VLANs, routing,
    bridging, and pick up some new knowledge.



