GS300 internal routing

ylafont
Level 1

I am hoping someone can provide guidance on the proper setup of internal routing on a GS300 with two different sub-subnets. This is not my forte, but I should be able to manage it if I am pointed in the right direction. The network diagram is below. The issue I have is that I cannot communicate between 10.100.20.0/24 and the other subnets. The VPN connection between 10.100.20.0/14 and 192.168.10.0/24 is fine (Thank God), but I cannot communicate between 10.100.20.20/24 and 10.100.10.0/16 and 10.100.0.0/16, or vice versa. 10.100.10.0/16 and 10.100.0.0/16 also cannot access 192.168.10.0/24 on the VPN side of the network.

The switch is able to ping all subnets, so I am assuming there is a command that is needed to enable routing between each of the subnets in both directions. I was playing around with access lists without success, and I am not sure if that is the way to go.

Any assistance is greatly appreciated, thank you in advance. 

[Attached image: Network Diag.png]

Running Configuration

config-file-header
SW1
v1.4.9.4 / R800_NIK_1_4_205_011
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server
ip dhcp excluded-address 10.100.20.1 10.100.20.10
ip dhcp excluded-address 10.100.20.250 10.100.20.254
ip dhcp pool network "v20"
address low 10.100.20.11 high 10.100.20.249 255.255.255.0
default-router 10.100.20.253
dns-server 192.168.10.101 1.1.1.1
exit
bonjour interface range vlan 1
ip access-list extended test
permit ip any 255.255.255.255 255.255.255.255 ace-priority 20
exit
hostname SW1
line console
exec-timeout 0
exit
!
interface vlan 1
ip address 10.100.10.253 255.255.0.0
no ip address dhcp
!
interface vlan 20
name "VLAN20"
ip address 10.100.20.253 255.255.255.0
!
interface gigabitethernet1
switchport mode access
switchport access vlan 20
!
interface gigabitethernet2
switchport mode access
switchport access vlan 20
!
interface gigabitethernet3
switchport mode access
switchport access vlan 20
!
interface gigabitethernet4
switchport mode access
switchport access vlan 20
!
interface gigabitethernet5
switchport mode access
switchport access vlan 20
!
exit
ip default-gateway 10.100.10.1
Again, thank you in advance. 


Hi @ylafont,

I'd like to help you and in order to do so, I need more details.

1. Is a PC connected to your SG300 (PC with IP address 10.100.20.x) able to ping 10.100.10.1?

2. Please show me the configuration of the port that connects to that TP-Link device on your SG300.

 

You may need to set a Static Route on your SG300.

In your case, a default (0.0.0.0 0.0.0.0) Static Route should be enough.

SG300#configure terminal 
SG300(config)#ip route 0.0.0.0 0.0.0.0 10.100.10.1

You can run show ip route to see the Routing Table before and after applying the Static Route.

The command you already have in place ip default-gateway 10.100.10.1 is usually used only by the Switch itself for Management purposes.

For the Switch to be able to perform Routing decisions, you need to add Static Routes to fill its Routing Table.

Please let us know how it goes.

Regards.

 

PS. Some useful links:

IPv4 Static Route Setup on the 300 Series Managed Switches

Configure IPv4 Static Routes Settings on a Switch through the CLI

Hector, thank you for taking the time, again much appreciated.


1 - The PC on 10.100.20.0/24 can ping 10.100.10.0/26 and ping across the VPN to the 192.168.10.0/24 network. It cannot ping the 10.100.0.0/16 network.


2 - Port configuration on GI25

SW1#sho run in gi25
Empty configuration


I am planning on adding this port to VLAN2 to separate things further, but when I tried that last time the VPN connection did not come up, so I reset the config. I don't think it had anything to do with the GS300, but rather a TP-Link issue, since I needed to recreate the VPN connections a few times before they came back up.

 

IP Routes 

SW1#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled

Codes: > - best, C - connected, S - static


S 0.0.0.0/0 [1/1] via 10.100.10.1, 06:16:13, vlan 1
C 10.100.0.0/16 is directly connected, vlan 1
C 10.100.20.0/24 is directly connected, vlan 20


I already had the static ip route on the switch; without it I could not get through to the VPN.

 

Please let me know if further information is required.

Hello,

 

I think you need to specifically enable 'ip routing' globally on these switches (the SG switches):

 

SW1(config)#ip routing

 

 

It is clear to me now.

Hosts on 10.100.x.x/16 are attempting to communicate with hosts on 10.100.20.x locally in the network segment, sending ARP Requests, as opposed to sending their traffic to their local gateway (that TP-Link) for the appropriate routing. So there is no communication between them because of the way you have set the IP addressing in this scenario.

This is expected since 10.100.20.x is part of 10.100.x.x/16.

You need to modify your IP addressing.

One (of several) ways to fix this is to modify 10.100.x.x/16, making it 10.100.0.x/24 instead.

Let me know if you have any concerns.

Cheers.

Hector,


I had that setup previously, and part of the problem was that the VPN needed to have a tunnel for each subnet. Currently there are three active subnets and a few more are planned. The recommendation that was provided was to create the 10.100.0.0/16 supernet to avoid all those tunnels. Which made sense to me (but what do I know), as it should make the network easier to expand and manage as the subnets are created.


I can restore configurations if needed. Is there a preferred setup method that would allow each VPN segment to communicate with the entire 10.100.0.0/16 network and allow easy expansion and management?


Again, I want to thank you for the guidance and dedicated efforts.

Hi @ylafont,

Let's manually configure your workstation in your Internal VLAN as 10.100.0.155/24 Gateway 10.100.0.1 (note the mask of /24 not /16) just for the sake of argument. Make sure you can ping the Gateway 10.100.0.1 and then attempt to ping 10.100.20.2 and other hosts on VLAN 20. No need to perform any other configuration change for this test so you can leave your TP-Link as it is for the moment.

My expectation is that once you perform this test, 10.100.0.155 will now send traffic to its Gateway the TP-Link which if it is correctly configured, will route the traffic to your Cisco SG300 Switch and ping will be successful. I expect there are no Software Firewalls running on the hosts or similar which may introduce an incorrect result for our test.

Sorry, I am unsure about VPN Tunnels configuration on TP-Links but you will probably need to re-design the IP addressing a bit.

I hope this helps.

No firewall or anything that can skew results, that I am aware of.

All working as expected. I could ping 10.100.10.1 and 10.100.20.2 and get out to the internet after the change was made.

I could not ping over the VPN (192.168.10.0/24). Just for giggles I also attempted to ping something else on the 10.100.0.0/16 without success.


Hector,

I was wondering if there are any next steps I should consider?

Hi @ylafont,

Just to recap, traffic generated by a host in 10.100.0.0/16 (Internal LAN) cannot reach any host on 10.100.20.0/24 (Vlan20) because that network mask (/16) makes the hosts on the Internal LAN not send their traffic to their Default Gateway (is it 10.100.0.1? - TP-Link) but try to communicate with hosts on 10.100.20.x locally on the network segment (aka broadcast domain).

If your host in the Internal LAN is configured as 10.100.0.x/24 (and same Gateway) instead, now it should be able to send its traffic to the local Gateway (TP-Link) for the appropriate Routing to the SG300.


Additionally, why do you have 10.100.0.0/16 as Vlan1 between the SG300 and the TP-Link? That can also "confuse" the SG300, making it route traffic destined to 10.100.0.0/16 locally and not to the TP-Link when the destination is 10.100.x.x.

If you can ping hosts in the 10.100.0.0/16 from the SG300 itself, then the TP-Link is doing "bridging" between the port the SG300 connects to and the port connected to your Internal LAN.

Still, the overlapping IP addressing is a problem. One thing you can do to fix it is modify VLAN20 to be 10.200.20.0/24 instead.

I'm sorry but I don't really know how to properly configure the TP-Link.

The current configuration on the SG300 is OK and the IP addressing scheme used is currently a problem.
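The overlap that the replies keep coming back to can be checked mechanically before touching the switch. The following is an added example (not code from the thread or from Cisco) that uses Python's standard ipaddress module to flag the containing prefixes in the posted configuration and to show why a /16 host never hands 10.100.20.x traffic to its gateway while a /24 host does; the 10.200.20.0/24 renumbering is the one suggested in the last reply.

```python
import ipaddress

# Prefixes taken from the thread: the SG300's VLAN 1 and VLAN 20 interfaces
# and the remote site reached over the TP-Link VPN.
NETWORKS = {
    "vlan1 (SG300)": "10.100.0.0/16",
    "vlan20 (SG300)": "10.100.20.0/24",
    "remote VPN site": "192.168.10.0/24",
}

# Same plan with VLAN 20 moved out of 10.100.0.0/16, as the last reply suggests.
FIXED_NETWORKS = {**NETWORKS, "vlan20 (SG300)": "10.200.20.0/24"}


def find_overlaps(networks):
    """Return (name_a, name_b) pairs whose prefixes overlap.

    Two prefixes overlap when one contains the other, which is exactly the
    10.100.0.0/16 versus 10.100.20.0/24 situation in this thread.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    names = list(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def next_hop(host_cidr, destination):
    """Decide how a host configured as host_cidr forwards to destination.

    'on-link' means the host ARPs for the destination on its own segment;
    'gateway' means it hands the packet to its default gateway for routing.
    """
    iface = ipaddress.ip_interface(host_cidr)
    dst = ipaddress.ip_address(destination)
    return "on-link" if dst in iface.network else "gateway"


if __name__ == "__main__":
    print("overlaps before renumbering:", find_overlaps(NETWORKS))
    print("overlaps after renumbering: ", find_overlaps(FIXED_NETWORKS))
    # A /16 host treats 10.100.20.2 as local and never sends it to the TP-Link;
    # the same host re-masked to /24 sends it to the gateway, as the test above showed.
    for mask in ("16", "24"):
        host = f"10.100.0.155/{mask}"
        print(f"{host} -> 10.100.20.2: {next_hop(host, '10.100.20.2')}")
```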
