
SG350 - Inter-VLAN communication

lhiapgpeonk
Level 1

Dear all,

I have recently decided to upgrade my home network infrastructure and chose CISCO gear to do so.

 

My setup is as follows:

-------------------             -------------------            -------------------------
|AVM FritzBox 7490|------------>|RV260P           |----------->|SG350-28               |
|working as Modem |             |Working as Router|            |Switch for most devices|
-------------------             -------------------            -------------------------
                                         |
                                _________V_________
                                |                 |
                       ---------V-------  --------V---------
                       |DECT base (PoE)|  |UAP AC Pro (PoE)|
                       -----------------  ------------------

A short note on the reasoning behind the hardware:

I wanted to replace the FritzBox, which acted as modem, DECT base, WiFi AP and router, with dedicated devices. Since the new DECT base and WiFi AP can be powered by PoE, I wanted one device to supply PoE (without having to resort to multiple PoE injectors), and having the PoE router and an "ordinary" switch was the most cost-efficient way.

 

I want to segment my network using VLANs:

VLAN 1: Default VLAN (I leave that as is)

VLAN 10: Core Devices (PC, Laptop, NAS Port #1): 192.168.10.0/24

VLAN 20: Multimedia (Cellphones, TV, Audio-System, ..., NAS Port #2): 192.168.20.0/24

VLAN 30: VOIP (DECT base): 192.168.30.0/24

VLAN 254: Infrastructure (router & switch): 192.168.254.0/24

 

I have configured these VLANs on the Router and it works, even Firewall rules between the VLANs work (allowing access to the DECT admin-GUI from a different VLAN). The VLANs are also correctly replicated on the WiFi-AP.

 

The Problems start with the switch configuration:

I have my PC (currently still with IP 192.168.1.2) connected to the switch. The second LAN port of my NAS is also connected to the switch with IP 192.168.20.10 and standard gateway 192.168.20.2.

VLANs have been configured in the switch and interfaces set (IP Configuration => IPv4 Interface)

VLAN 1: 192.168.1.134

VLAN 20: 192.168.20.2

 

What I want to configure is the inter VLAN access between VLAN 1 (later from other ones) to VLAN 20.

From my PC I can ping 192.168.20.2 but 192.168.20.10 gives a timeout.

From the switch (Administration -> Ping) I can ping 192.168.20.10 successfully if I choose 192.168.20.2 as Interface (so the IP actually exists on the port). But using 192.168.1.134 as interface I lose all packets. Pinging 192.168.20.2 from that interface is again successful.

 

Using "tracert 192.168.20.10" on my PC shows that the route goes "up" to the RV260P and then does not know where to go from there.

In my opinion the L3-capabilities of the switch should allow me to only go "up" to the router if the target IP is not found on the switch itself. But how do I actually set up this inter VLAN routing? The resources by CISCO (https://www.youtube.com/watch?v=xK5HmMlaIlg or https://www.youtube.com/watch?v=NLMKwYSlQDY) did not help me.

It is probably quite a simple setting, but I cannot find it, so any pointers are greatly appreciated!

 

 


8 Replies

Giuseppe Larosa
Hall of Fame

Hello @lhiapgpeonk ,

 

>> Using "tracert 192.168.20.10" on my PC shows that the route goes "up" to the RV260P and then does not know where to go from there.

 

Check who is the default gateway on the PC and, what is most important, ensure that the SG350 has IP routing enabled, because it looks like it is not.

 

Hope to help

Giuseppe

 

Thank you for your reply,

I have now changed the default gateway of the PC to 192.168.1.134 and tracert now goes to the switch ==> good.

 

If by "IP routing enabled" you mean "IPv4 routing enable" on the IPv4 Interface-page, then yes, that is already enabled.

Is there a way I can check what you propose?

Seb Rupik
VIP Alumni

Hi there,

What is the netmask of the #2 interface?

Thinking about it a bit more, is the default route for the NAS box 192.168.1.134? If so, it sounds like packets arriving on VLAN20 are then being returned via its #1 interface on VLAN10; these replies will have the wrong source IP and will be dropped by the device initiating the ping. This behavior also explains why the ping from the VLAN20 SVI works.

 

cheers,

Seb.

Thank you for your reply,

 

the netmask of the #2 interface is /24.

The #1 interface still resides on 192.168.0.6 on the other side of the RV260P (I can access that without any problem on my PC) because I am slowly transitioning the network and want to do some tests first. I can try to set the VLAN of the interface to 20 and see if that does change anything.

lhiapgpeonk
Level 1

After fiddling with the configuration (updated to the latest firmware, couple of resets) and watching the official Cisco TechTalks I am still no further.

I have moved my PC to VLAN 10 (192.168.10.20) and I have access to the internet through the router (so the trunk is working). I can also ping the VLAN interfaces both on the switch and on the router (e.g. 192.168.20.1 on the router and 192.168.20.2 on the switch). But I cannot ping a host (192.168.20.10) on port 1 (assigned to VLAN 20, untagged) from my PC on port 24 (assigned to VLAN 10). Using the switch's ping tool from the administration tab I can ping the host when I select the VLAN 20-interface as source, but not from any other interfaces. The ping tool on the router probably uses its VLAN 20-interface, because the router can also ping the host on port 1 on the switch.

I even tried to set an IPv4 ACE (screenshot: ACE.PNG), which to my understanding should permit access from all addresses in VLAN 10 to all addresses in VLAN 20, but I still cannot reach the host from VLAN 10 (or 1).

 

The TechTalk videos make it seem so easy: "Configure your VLANs and VLAN interfaces, check IPv4 Routing enabled and *bam* that's how you do inter VLAN routing on a SG350".

I am missing the obvious here, but I need a pointer and probably a more in-depth description of where my assumptions are wrong.

The other problem is: How would I go ahead to let my router do all of the routing? In the IPv4 routes I cannot set the VLAN interfaces of the router as next hop.

 

Thanks to everyone for their help so far!

The symptoms that you describe suggest that the host on 192.168.20.10 that you are trying to ping does not have the correct gateway configured. Can that host ping the vlan 20 gateway address (192.168.20.1 or .2)? I assume that the answer is yes. Then can that host ping the gateway address for vlan 10 (192.168.10.1 or .2)? I am guessing that this will not work. In that case please post the output of ipconfig (or other appropriate command if this is not a Windows device).

HTH

Rick

Thank you, that did the trick.

On my Synology RS819 I had to enable multiple gateways, a setting buried under some advanced settings button. I can now successfully ping the server from my PC!

Thanks for the update. Glad to know that you have resolved the issue and that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
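
The resolution above (a multi-homed NAS that answered through the wrong port until "multiple gateways" was enabled) can be reproduced as a small routing-table model. This is an added example, not part of the original thread and not Synology's implementation; the interface names eth0/eth1, the port #1 gateway 192.168.0.1, and modelling the Synology option as source-based policy routing are assumptions.

```python
import ipaddress as ip

# Constructed model of the NAS from the thread. Interface names and the
# gateway of port #1 (192.168.0.1) are assumptions; addresses are from the posts.
MAIN_TABLE = [
    ("192.168.0.0/24", "eth0", None),            # port #1, connected
    ("192.168.20.0/24", "eth1", None),           # port #2 (VLAN 20), connected
    ("0.0.0.0/0", "eth0", "192.168.0.1"),        # single default gateway
]
# Per-interface table consulted only for traffic sourced from port #2; this
# is how source-based policy routing ("multiple gateways") is modelled here.
ETH1_TABLE = [
    ("192.168.20.0/24", "eth1", None),
    ("0.0.0.0/0", "eth1", "192.168.20.2"),       # SG350 VLAN 20 interface
]
SOURCE_RULES = {"192.168.20.10": ETH1_TABLE}


def lookup(table, dst):
    """Longest-prefix match; returns (interface, next_hop)."""
    dst = ip.ip_address(dst)
    matches = [(ip.ip_network(p), dev, gw) for p, dev, gw in table
               if dst in ip.ip_network(p)]
    _, dev, gw = max(matches, key=lambda m: m[0].prefixlen)
    return dev, gw or str(dst)   # connected route: next hop is the target


def reply_path(pinger, nas_addr, multiple_gateways):
    """Where the NAS sends the echo reply for a request sent to nas_addr."""
    table = MAIN_TABLE
    if multiple_gateways and nas_addr in SOURCE_RULES:
        table = SOURCE_RULES[nas_addr]
    return lookup(table, pinger)


def is_symmetric(pinger, nas_addr, arrived_on, multiple_gateways):
    """True when the reply leaves on the interface the request arrived on."""
    return reply_path(pinger, nas_addr, multiple_gateways)[0] == arrived_on


if __name__ == "__main__":
    # 192.168.20.2 = switch VLAN 20 interface, 192.168.10.20 = PC in VLAN 10
    for src in ("192.168.20.2", "192.168.10.20"):
        for mg in (False, True):
            dev, hop = reply_path(src, "192.168.20.10", mg)
            print(f"ping from {src:14} multiple_gateways={mg!s:5} "
                  f"reply via {dev} -> {hop}")
```

In this model the ping sourced from the VLAN 20 interface always returns on port #2 because it matches the connected subnet, while the reply to the VLAN 10 PC follows the single default route out of port #1 until the source rule is in place.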