07-08-2015 03:02 AM - edited 03-03-2019 07:55 AM
I have a Cisco SG-500-28 port Gigabit switch. I need to set up VLANs on the switch and need to access the internet from all VLANs.
Existing Setup:
1) 2 Internet Links are terminated on UTM- Cyberoam CR25iNG box
2) 2 LANs connected directly on UTM-Cyberoam
3) In both LANs the gateway is the Cyberoam, e.g. 10.100.0.1 and 172.16.10.10
4) Primary DNS IPs are the same as the gateway, and secondary DNS IPs are 10.100.0.17 and 172.16.10.100 (DNS domain IP)
Proposed Setup:
1) VLAN 10 - Server
2) VLAN 20 - Management ( This VLAN can access all VLANs but should not be accessible from any other VLAN)
3) VLAN 30 - Development
4) VLAN 40 - QA
Except for VLAN 20, all other VLANs should be accessible to each other, and all users from all VLANs should have internet access.
I would appreciate help with a step-by-step setup to complete this task.
SG-500 has web GUI.
P.S. We don't have any other router except the UTM-Cyberoam firewall.
E-Mail: syadav@surelinesystems.com
07-08-2015 04:49 AM
Hi, the first thing to do if you're doing inter-VLAN routing on an SG is to go to System Mode before configuring anything and set it to Layer 3 mode.
You can try this below; you will need to tweak it to allow all your VLANs and your specific IPs, etc. The guide attached shows you how to do some of this as well; this is just an example.
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/administration_guide/500_Series_Admin_Guide.pdf
! Extended ACL: evaluated top-down, first match wins, and the ACL ends
! with an implicit deny, so anything not permitted here (including
! traffic between VLANs 10, 30 and 40) is dropped. Tweak to taste.
ip access-list extended MARK
 ! allow each VLAN to reach the routed port towards the firewall (internet)
 permit ip 192.168.10.0 0.0.0.255 (internet ip routed port to firewall)
 permit ip 192.168.20.0 0.0.0.255 (internet ip routed port to firewall)
 permit ip 192.168.30.0 0.0.0.255 (internet ip routed port to firewall)
 permit ip 192.168.40.0 0.0.0.255 (internet ip routed port to firewall)
 ! deny VLAN 20 talking to the other VLANs
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
exit
!
! SVIs (Layer 3 mode): the switch is the gateway for each VLAN and
! relays DHCP to the server set with the global "ip dhcp relay address"
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 ip dhcp relay enable
!
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 ip dhcp relay enable
!
! access ports, one per VLAN, with the ACL bound on ingress
interface gigabitethernet1
 service-acl input MARK
 switchport mode access
 switchport access vlan 10
 switchport forbidden default-vlan
!
interface gigabitethernet2
 service-acl input MARK
 switchport mode access
 switchport access vlan 20
 switchport forbidden default-vlan
!
! default route towards the firewall; the firewall also needs static
! routes back to the 192.168.x.0/24 VLAN subnets via the switch
ip route 0.0.0.0 0.0.0.0 (firewall ip)
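To see what the ACL in the reply above actually permits against the policy the question asks for, here is an added Python illustration (not code from the post, the device, or Cisco) that replays Cisco-style extended ACEs with first-match semantics and the trailing implicit deny over one test host per zone. The firewall-facing routed link is left as a placeholder in the reply, so 192.168.1.0/24 is assumed for it here, and the second ACL (CANDIDATE_ACL) is an assumed ordering that satisfies the stated policy in the direction a flow is opened. The switch ACL is stateless, so reply packets entering another port are judged by the same ACEs; the checker models only the opening packet.

```python
"""
First-match simulation of a Cisco-style extended IP ACL, used to check which
VLAN-to-VLAN flows an ACL allows against the policy from the question.
Added illustration; not from the post or from Cisco. Only the packet that
opens a flow is modelled (the real ACL is stateless and also sees replies).
"""
import ipaddress

# Zones from the thread. The firewall-facing routed link is an assumption
# (the reply leaves it as a placeholder); 192.168.1.0/24 stands in for it.
ZONES = {
    "vlan10": ipaddress.ip_network("192.168.10.0/24"),
    "vlan20": ipaddress.ip_network("192.168.20.0/24"),   # management
    "vlan30": ipaddress.ip_network("192.168.30.0/24"),
    "vlan40": ipaddress.ip_network("192.168.40.0/24"),
    "firewall": ipaddress.ip_network("192.168.1.0/24"),  # assumed link subnet
}

# The ACEs as posted in the reply, with the firewall placeholder filled in.
POSTED_ACL = """
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
"""

# Assumed ordering that meets the question's policy for flow-opening packets:
# management reaches everything, nothing else reaches management, and the
# remaining VLANs reach each other and the firewall. First match wins.
CANDIDATE_ACL = """
permit ip 192.168.20.0 0.0.0.255 any
deny ip any 192.168.20.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
"""


def wildcard_to_network(addr, wildcard):
    """Turn 'addr wildcard' (e.g. 0.0.0.255) into an ip_network; contiguous wildcards only."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _take_address(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard')."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or Cisco-style comment
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        aces.append((action, _take_address(rest), _take_address(rest)))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in aces:
        if src in s and dst in d:
            return action
    return "deny"


def required(src_zone, dst_zone):
    """Policy from the question: firewall reachable by all, VLAN 20 reaches
    everything but is reached by nothing, VLANs 10/30/40 open to each other."""
    if dst_zone == "firewall" or src_zone == "vlan20":
        return "permit"
    if dst_zone == "vlan20":
        return "deny"
    return "permit"


def violations(acl_text):
    """Flows (one test host per zone) where the ACL disagrees with the policy."""
    aces = parse_acl(acl_text)
    bad = []
    for src_zone, src_net in ZONES.items():
        if src_zone == "firewall":
            continue  # traffic coming in from the UTM is not covered by the question
        for dst_zone, dst_net in ZONES.items():
            if dst_zone == src_zone:
                continue
            got = evaluate(aces, str(src_net[10]), str(dst_net[10]))
            want = required(src_zone, dst_zone)
            if got != want:
                bad.append((src_zone, dst_zone, got, want))
    return bad


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("candidate", CANDIDATE_ACL)):
        diffs = violations(acl)
        print(f"{name}: {len(diffs)} flows differ from the requested policy")
        for src_zone, dst_zone, got, want in diffs:
            print(f"  {src_zone} -> {dst_zone}: ACL says {got}, policy wants {want}")
```

Running it lists nine flows where the posted ACEs diverge from the policy: the three explicit denies block VLAN 20 from reaching the others (the question wants the reverse), and the implicit deny drops VLAN 10/30/40 traffic to each other because no ACE permits it. The candidate ordering passes in this model, but because the switch ACL is stateless its `deny ip any 192.168.20.0 0.0.0.255` would also drop replies from servers back to management hosts entering on a VLAN 10 port, so in practice management-initiated sessions still need either per-port binding that excludes the reply path or a stateful device such as the UTM in front of that VLAN.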