I am re-configuring the SG500 in L3 mode, but have not had success accessing the internet on it. The current configuration is below, and is as far as Cisco Support and I got with the device last week.
Arris Router Subnet: 192.168.0.x/24, Router Gateway Address: 192.168.0.1
SG500 port 16: Access Mode, Subnet: 192.168.0.x/24, Gateway Address: 192.168.0.2, Untagged
Machine connected to port 15: Access Mode, Subnet: 192.168.10.x/24, Untagged
SG500 other config items:
Inter-VLAN routing enabled
From the host machine on 192.168.10.x, I can ping the interface on 192.168.0.2 on the SG500, but cannot reach the gateway at 192.168.0.1.
I relocated for a new job, and am working remotely. The setup, as I've shown, is different than the configuration used when it was working on the internet in the past in other cities. This configuration is what Cisco Support has currently recommended I do. I'm pretty good with configuring the internal VLANs once internet is setup, but this internet connectivity part of the setup has never been completely clear.
It is important that I get it working as soon as I can using separate VLAN's for work and home. The ISP router alone is very problematic. It has almost no configurable interfaces or options and basic things I use for home and work don't exist on it at all. All assistance is welcome and appreciated!
Solved! Go to Solution.
I am sorry that we have not been able to find a solution using the SG500. Given that it is now not supported I agree that replacing it with something that is supported would be a good idea. I am not particularly expert in the Small Business routers area but based on what I do know I believe that there are several options in the RV router series that could be appropriate choices for you. Perhaps this link will be a starting point in selecting one that does what you want.
Arris Router Subnet: 192.168.0.x/24, Router Gateway Address: 192.168.0.1
Hope 192.168.0.1 Lan site of the Router where Switch SG500 connected ?
So your setup looks as below :
Internet ISP ( Router Arris) (192.168.0.1)----(192.168.0.2) SG500) LAN 192.168.10.X ?
In the above case, on Arris Router you need a static route for the 192.168.10.X /24 network towards 192.168.0.2 ( for the 192.168.10.X network to reach 192.168.0.1
Also in the Arris router, you need to add 192.168.10.X network in network address translation for that subnet to go to the interenet.
what is the device IP address and Gateway for the Lan side ? Please confirm also.
We do not have details of how the switch is configured but believe that it is probably good enough. I believe that BB has correctly identified 2 issues, either of which would prevent Internet access for devices connected in 192.168.10.0. They need to be addressed on the ISP router. We do not know what device that is but given the comments in the original post about limited capabilities of the ISP router I am concerned whether it will be feasible to get this to work on that device.
Thank you both for your inputs. It is greatly appreciated since this is still causing significant delays for many things right now.
BB, your assumption about how the configuration looks is correct.
The SG500 has, on it's own, setup default routes to the internet from 192.168.10.x, which can be seen in the UI.
Since both routers are in L3 mode, it was my understanding that the usual routing protocols would discover the shortest proper routes to anything inside the class C address space (since they are not route-able on the internet, if indeed they were doing proper routing between each). Since all internal networks on the SG500 are untagged with this configuration as recommended by Cisco, I would assume (maybe incorrectly) that the only IP address the ISP router would communicate with would be the 192.168.1.2 address of the interface of the SG500 and wouldn't need to have knowledge of the other subnets (since not connected to it in trunk mode)... which would imply the SG500 would do translation to the other subnets using it's own tables.
Are you saying that all traffic incoming to the Arris router would need a static route to 192.168.0.2 (interface of the SG500 on the Arris internal Lan)?... Then, the SG500 could use it's own greatly superior hardware to perform translation on a per subnet/VLAN basis and not rely on the highly limited abilities of the ISP router?
The ISP router also has the ability to operate in bridge mode. I have not gone down this path because getting support to get the SG500 as far as I have was very difficult.
Even though the device is essentially new, vastly better than any ISP or consumer router for overall quality and connectivity performance, and there is a very real very protracted silicon shortage, I have not been able to get almost any support for configuring it through formal channels; not even after offering to buy a support package.
I should mention that bridge mode is an option on the ISP router, in full disclosure, in case it would be helpful. But also add that like anyone configuring the Cisco would do, the risk of having it's management interface on the internet would need to be worked out sooner than it would be otherwise.
To answer your other question, I don't have a static WAN IP address.
Thanks again everyone, very much appreciated!
reading through your post, I think it would be easier if you just add a simple schematic drawing showing how the devices are connected, and which IP addresses are configured where.
I am confused by this:
--> that the only IP address the ISP router would communicate with would be the 192.168.1.2 address of the interface of the SG500
Where is 192.168.1.2 configured ?
WAN IP (Dynamic IP) <|> Lan ISP Router IP Management Interface (192.168.0.1)<---Direct Connection---> SG500 L3 Mode IP (192.168.0.2 - Static IP)
SG500 Port connected to Arris Router configured as Access/Untagged, other VLAN's sit on SG500 with the test VLAN 192.168.10.x unable to access internet. Test VLAN port configured as Access/Untagged.
The original poster said "it was my understanding that the usual routing protocols would discover the shortest proper routes to anything inside the class C address space". We do not have any information that any dynamic routing protocol is configured. The only routing information that is enabled by default is routing for locally connected subnets. If the Arris router is to know about 192.168.10.0 then either the Arris router needs a static route for that subnet or needs to be configured for a dynamic routing protocol - and in that case the SG switch also needs to be configured for the dynamic routing protocol.
The original poster also said "which would imply the SG500 would do translation to the other subnets using it's own tables." The SG switch does not have support for nat, so the Arris router would need to be configured to translate the 192.168.10.0 subnet.
Thank you for the clarification.
I've had some resistance to diagnosing issues with internet connectivity with it, but once set the SG works better than anything else I've worked with.
I am trying to understand everything possible about the internet connectivity part, so I can be precise when I go back and ask the ISP to do what's needed to get up and running.
In the past, I used something called PAT, port address translation, and the internet connected port (connected to the Arris local lan) had an IP address assigned to that subnet on that LAN.
If it would be simpler, which it sounds like it would be, which dynamic routing protocol would make the most sense to enable on the SG to allow the device the opportunity to "solve" routs on it's own before going back to the ISP and asking for updates to be made on the back end of the Arris device?
If we enable such a protocol, would the current configuration set (with each port type, connected to local subnets 192.168.x.x for local devices and to 192.168.1.2 for the single port connecting to the Arris device) need to be switched away from Access Port configuration and over to PAT, somehow, with an assigned IP on the Arris connected SG port = 192.168.1.2, as it was in the past?
Ideally, the SG is the device we want to perform routing, since this allows me to maintain independent subnets between work and home devices.
Thanks very much!
You ask which routing protocol to use. There are several possibilities. I might start with OSPF. RIP would also be a possibility. I am not clear what protocols the Arris supports but suspect that it does not support EIGRP.
If you get the routing issue resolved there will also be a need for address translation. So that would be something to ask the ISP about.
I'm not sure how to get cooperation from this ISP. A few folks I've spoken too have been gracious while completely denying my request for the simplest information. It is pretty surprising, since I did not have this issue at all with ATT in the past.
The current ISP is COX.... I also agree that translation is an issue. This is why I mentioned PAT in my prior post. When I set up this router with ATT, I spoke with Cisco on the phone and the technician setup PAT, I believe using command line, on port 12 and the commands/operations he issued were not visible to me at the time.
PAT allowed us to assign the IP address of the router to port 12. That IP address (192.168.1.2, on ATT's local LAN) showed up on the web interface for the ATT router as a device with 192.168.1.2 as it's DHCP assignment. From there, the router was able to automatically discover it's default route to the internet on ATT's device at 192.168.1.1(=ATT default Gateway).
The independent LAN's created on the SG500 after that were assigned addresses 192.168.2.x, 3.x, 4.x, and so fourth from there. It was quite simple. This had the added benefit of not having to rely on the SG500 ACL's to firewall all the traffic, since the ATT router's regular firewall was also in place.
COX has all but completely refused to tell me what sort of routing protocol I should set on this device. They have said I can call a different number and make that attempt, which I will do.
Does anything I've said about the prior configuration with ATT indicate to anyone reading this what the requirement/issue with the COX device could be? I was surprised to read the recommendation from the thread that the connection from the SG500 to the COX Arris device should set the port on the SG500 to "Access Port" setting. I don't think the port connecting it to ATT's router was set to "Access" when port 12 was set up for PAT.
I am completely open to anyone's thoughts on how/where to proceed. I think I'm going to have to wipe it and start all over again anyway.
I am puzzled about your reference to PAT on port 12. Do you have any more information about the configuration of port 12? I do not have much experience with this model of switch. But in general Cisco switches do not support address translation (either PAT or NAT). Anything you can tell us about port 12 when connected to ATT would be helpful.
As far as the port type is concerned, on switches there are basically 2 choices for port type: a port can be an access port or it can be a trunk port. An access port belongs to a single vlan and sends the Ethernet frames out with no vlan tagging. A trunk port carries traffic for multiple vlans. The traffic for one vlan (referred to as the native vlan) is sent with no vlan tagging and traffic for other vlans is sent with tagging to identify which vlan it belongs to. On some switches there is a third option: a port can be configured as a routed port (in CLI it uses the command no switchport). In this configuration the port is not a member of a vlan and you can configure an IP address on the switch port. (most switches do not configure IP address on switch ports but configure IP addresses on vlan interfaces) Perhaps this is what your ATT config did?
As far as routing protocol is concerned, if there are multiple layer 3 devices in your network then a routing protocol makes sense. If I am understanding your situation correctly your SG switch is the only layer 3 device in your network. Is that correct? Your SG switch can have multiple subnets that are locally connected. But are there any subnets that are in your network that are remote from the SG switch? Unless there are remote subnets there is not any need for a routing protocol on your SG switch.
-Do you have any more information about the configuration of port 12? I do not have much experience with this model of switch. But in general Cisco switches do not support address translation (either PAT or NAT). Anything you can tell us about port 12 when connected to ATT would be helpful.
Thank you for your description of these features. I can tell you what I know and remember from that experience with ATT and Cisco back at that time. The gentleman from Cisco, I think from Raleigh or somewhere in the Carolina's, told me he was assigning the ip address of the router too the port, if I'm remembering his words correctly. Having the ip address assigned to that port was called port address translation, and it kept us from attempting to do something else more involved. The only assignments available in the web UI of the SG500 are access or trunk, and later when I tried to view the configuration that he made so I could replicate it if needed in the future those settings were not visible to me in the UI, from what I could tell. In other words, I had backed up the configuration we made, wiped the device, and tried to repeat those steps and failed. This left me in the unfortunate position of having to keep that back up of our work and start all over from the beginning if anything were to happen... which is why I find myself in that situation today but without that backup. I also did not see the PAT configuration option in any of the reading or command line options in the device literature, at least which I could identify, which was discouraging.
After that, I proceeded to cut down and reduce the number of functions that were running on the device which were not useful for my needs. I configured several VLAN's behind this ip address assigned port, which were able to access the internet on different subnets. Those subnets were mostly partitioned from one another, except for 2 or 3 which did allow inter vlan routing for work I was doing at the time (server management requiring specific pre baked configurations for the type of software they were running). Functionally, the device was performing address translation from those other subnets behind ATT's router. Tagging was enabled on those subnets configured on the SG500 in order to prevent cross VLAN communication from VLAN A to VLAN B, etc. I believe all VLAN's with internet access were untagged on port 12, if memory serves me. The biggest challenge we ran into, at the time, was that the traffic initially was able to traverse VLAN 2 at 192.168.2.x, to port 12 at 192.168.1.2... and ping the internet gateway on ATT's router at 192.168.1.1... but for some reason which was never discovered were not able to send and receive traffic from the internet.
After some time, and inexplicably to me, that problem resolved on it's own after a few days. Multicast protocols were all disabled globally on the device and forwarding was disabled globally on the device. CPU use was low the vast majority of the time, suggesting that internet routing was performed primarily by the ATT router, with inter VLAN routing likely being processed by the SG500. This is the desired behavior. CPU processing did spike to nearly 50% when a wireless access point was added later, suggesting my roommate at the time was using some sort of source based routing protocol or something on his Apple WIFI modular device.
-On some switches there is a third option: a port can be configured as a routed port (in CLI it uses the command no switchport). In this configuration the port is not a member of a vlan and you can configure an IP address on the switch port. (most switches do not configure IP address on switch ports but configure IP addresses on vlan interfaces) Perhaps this is what your ATT config did?
Is sounds like this may have been what was done last time.
-As far as routing protocol is concerned, if there are multiple layer 3 devices in your network then a routing protocol makes sense. If I am understanding your situation correctly your SG switch is the only layer 3 device in your network. Is that correct? Your SG switch can have multiple subnets that are locally connected. But are there any subnets that are in your network that are remote from the SG switch?
There were no other managed routing devices connected to the ATT device at the time this configuration had been working. The only subnet that could be considered remote from the perspective of the SG switch could be the local LAN of the ATT device back then (the Arris local LAN today) at 192.168.1.x for ATT (192.168.0.x for Arris)... Back then, devices connected to the local LAN of the ATT device (and physically connected to it) could connect to any VLAN defined on the SG as long as there were no ACL's explicitly blocking that traffic to/from specific ip addresses. Because this behavior is confusing, I was unable to determine definitively which device was the primary router "master" between the two. Maybe no master/secondary relationship was necessary in this situation because no routing relationship was defined, as such, between these two in this situation.
Let me know if this clears things up or if I missed/misunderstood anything...
this post is kind of old, so I am not sure what issues are left, but for sure I can say that no ISP will exchange OSPF/RIP/EIGRP with you. BGP is the only protocol left, but it is not even supported on the SG switches as far as I recall.
Why not simply use a static default route ?
There was at least one static route defined on the device, if memory serves me... it was the internet route to 0.0.0.0. I can't remember now if the ip address of the SG port 192.168.1.2 or the ip address of the ATT gateway 192.168.1.1 was used. It think it may have been automatically populated though. It was long enough ago, now, that I'm not 100% sure.