SG300 Routing Configuration Help

SubX

One SG300-28PP set up in L3 mode

Firmware - 1.4.8.6 / IP = 10.0.0.6 

VLAN 1 - 10.0.0.6 255.255.255.0

VLAN 8 - 10.0.8.99 255.255.255.0

VLAN 18 - 10.0.18.99 255.255.255.0

VLAN 88 - 10.0.88.99 255.255.255.0

Gi5-8 as trunk ports, with tagged VLANs 8 & 18

Created static routes 10.0.0.0/24 via 10.0.8.1 & 10.0.8.0 via 10.0.0.2. However, they show as inactive.

How can I reach vlan 8 from vlan 1 and also allow vlan 8 to talk to vlan 1?

Not a network expert here, please help.

Thanks,


9 Replies

Seb Rupik

Hi there,

Routes for 10.0.0.0/24 and 10.0.8.0/24 should already appear in the routing table as 'connected' routes. There is no need to introduce static routes for these subnets.

Providing these 'connected' routes have been installed and no ACLs have been introduced to deny the traffic, then communication between VLAN 1 & 8 should be possible in both directions.


cheers,

Seb.

Thanks Seb.

1. So all VLANs should be able to communicate with each other by default?

2. Regarding the above default, does it mean VLAN 8, VLAN 18 and VLAN 88 can talk to VLAN 1 right away? What about VLAN 8 <> VLAN 18, VLAN 8 <> VLAN 88, VLAN 18 <> VLAN 88? Do I need manual routes for the latter three?

3. I didn't set up any ACLs for the VLANs. Why doesn't it allow me to ping from VLAN 8 to VLAN 1 and vice versa?

4. I also added a default route via ip route 0.0.0.0 0.0.0.0 10.0.0.1 (where 10.0.0.1 is the LAN IP of the pfSense LAN interface). Is that correct? I am using NAT to allow VLAN 1 (10.0.0.x subnet) to access the internet via the ISP modem (192.168.2.x subnet).

5. How do I set up an ACL?


Thanks,

Sub

Hi Sub,

1) Yes, so long as each VLAN has a Layer3 interface (SVI) and the assigned subnet appears in the routing table as a 'connected' route then inter-VLAN communication will work.

2) Any combination of source/ destination will work.

3) How are the devices connected to your VLANs receiving their IP addresses? Have you got a DHCP server running on the network? Is the SG300 going to be operating as a DHCP server for all VLANs?

4) Your default route is correct, and you should be able to ping 8.8.8.8 from the SG300. Providing you have configured each device to use its respective VLAN SVI as its default gateway, they should be able to reach 10.0.0.1. You will need to add the following routes to the pfSense box so that it knows how to return internal traffic:

!
ip route 10.0.8.0 0.0.0.255 10.0.0.6
ip route 10.0.18.0 0.0.0.255 10.0.0.6
ip route 10.0.88.0 0.0.0.255 10.0.0.6
!

Also, the NAT ACL on the pfSense box will need to include the VLAN 8, 18 and 88 subnets.

5) An ACL can block IP protocols / IP addresses / services. What do you need to achieve? If you wanted to secure your VLANs, it would make more sense to trunk them to your pfSense box, then route and apply ACLs there.


cheers,

Seb.
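To make the two routing points in Seb's replies concrete (static routes for subnets that are already 'connected' are pointless, and the upstream pfSense box needs a return route for every SVI subnet it does not share with the switch), here is a small checker written for this thread; it is added example code, not anything from the SG300 or pfSense, and the SVI addresses and sample routes are constructed from the values posted above.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from the thread: the SG300's SVIs (VLAN id -> interface address).
SVIS = {
    1: ip_interface("10.0.0.6/24"),
    8: ip_interface("10.0.8.99/24"),
    18: ip_interface("10.0.18.99/24"),
    88: ip_interface("10.0.88.99/24"),
}


def connected_routes(svis):
    """Subnets the switch reaches directly through its SVIs ('connected' routes)."""
    return {svi.network for svi in svis.values()}


def check_static_routes(svis, statics):
    """Classify each static route (destination, next_hop) against the connected routes.

    'redundant'           : destination is already a connected subnet (the OP's case)
    'unreachable-nexthop' : next hop is not inside any connected subnet, so the
                            switch cannot resolve it and the route stays inactive
    'ok'                  : a genuinely useful route, e.g. the default route via pfSense
    """
    connected = connected_routes(svis)
    verdicts = {}
    for dest, next_hop in statics:
        dest_net = ip_network(dest)
        hop = ip_address(next_hop)
        if dest_net in connected:
            verdicts[(dest, next_hop)] = "redundant"
        elif not any(hop in net for net in connected):
            verdicts[(dest, next_hop)] = "unreachable-nexthop"
        else:
            verdicts[(dest, next_hop)] = "ok"
    return verdicts


def missing_return_routes(svis, upstream_iface, upstream_routes):
    """Return {subnet: next_hop} for every SVI subnet the upstream router (pfSense)
    still lacks a route to. The next hop is the switch SVI on the subnet both share
    (10.0.0.6 in this thread), which is what Seb's 'ip route ... 10.0.0.6' lines add."""
    shared = ip_interface(upstream_iface).network
    switch_hop = next(svi.ip for svi in svis.values() if svi.network == shared)
    present = {ip_network(dest) for dest in upstream_routes}
    return {str(svi.network): str(switch_hop) for svi in svis.values()
            if svi.network != shared and svi.network not in present}
```

Run `check_static_routes(SVIS, [("10.0.0.0/24", "10.0.8.1"), ("10.0.8.0/24", "10.0.0.2")])` to see both of the OP's routes flagged as redundant, and `missing_return_routes(SVIS, "10.0.0.1/24", [])` to list the three routes pfSense needs.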


Seb, 

Thanks. Maybe I should focus on making one thing work at a time. Let's say making internal VLAN 8, 18, 88 communicate to each other first and then move to VLAN to internet.

3.a) Currently I am using all static IPs to check if it works, then I will consider moving to DHCP. It is an ESX 6.5 environment (8 - VM network, 18 - vMotion, 88 - iSCSI & CIFS, default VLAN 1 = 10.0.0.x is for mgmt).

3.b) If moving to DHCP (VLAN 1 and VLAN 8 only), should I use pfSense or the SG300? Does the SG300 allow DHCP on two VLANs only? And where do I configure DHCP on the SG300?

3.c) As I am focusing on VLANs within the SG300 first, I haven't set up VLAN interfaces on the pfSense LAN side; does that prevent me from achieving internal VLAN communication within the SG300?


3.a) Have you set the default gateway of your devices to match the VLAN SVI of your SG300: VLAN8 = 10.0.8.99, VLAN18 = 10.0.18.99, VLAN88 = 10.0.88.99? If so, can they ping the SVI IP? Can they ping the SVIs of other VLANs? Can they ping device IPs in other VLANs?

3.b) You could use either device. If you use the pfSense box you will need to configure ip helper-address on your DHCP-enabled VLANs to forward the requests to the pfSense box.
Regarding DHCP on the SG300, you need to specify the DHCP pools, so you can limit the number of subnets with DHCP running. To configure it on the SG300, the following would work:

!
ip dhcp server
ip dhcp pool network DHCP_POOL1
  address 10.0.0.0/24
  default-router 10.0.0.6
  dns-server 8.8.8.8
!
ip dhcp pool network DHCP_POOL8
  address 10.0.8.0/24
  default-router 10.0.8.99
  dns-server 8.8.8.8
!
ip dhcp excluded-address 10.0.0.6
ip dhcp excluded-address 10.0.8.99
!

3.c) Providing you have the SG300 in router mode (set system mode router) then inter-VLAN communication should work. Can you share your running config?

cheers,
Seb.

3.a) All device gateways are correctly specified according to the VLAN IP. Example in VLAN 8:

     VM1 = 10.0.8.100

     VM2 = 10.0.8.101

     Both VM1 & VM2 can ping 10.0.8.99 and each other as well. Both VMs can also ping 10.0.18.99 & 10.0.88.99.

I configured Gi26 as an access port in VLAN 8 and have a laptop (10.0.8.251) connected. 251 can achieve the same as VM1 & VM2.

     However, both VMs & 251 can't ping devices in VLAN 18 and VLAN 88.


3.c) PM a running-config

Thanks,


Hi there,

Can you provide the complete output for:


sh arp

sh ip route

sh mac address-table


cheers,

Seb.

Seb,

I just PM'd you the detailed output.

Thanks a lot!

Sub

Big thanks to Seb!!!

The issue has been fixed. 

Takeaway - double check that the gateway of each subnet is configured properly.


How to mark a post as solved in this support forum?