
Problem configuring SF300 for VLAN Routing

bmcilvain
Level 1

Greetings,

I'm having a bear of a time getting an SF300 to properly route IP between 2 VLANs. I've watched the demo video and performed everything it showed, but I get the most bizarre half-way results. I haven't done anything on Cisco routers in about 15 years, so I'm a little rusty.

We have an office LAN with a cable modem/router for Internet access where the modem/router has IP address 192.168.1.1. We have the usual 24 bit prefix net mask. The SF 300 is connected to this network on port 1.

I have configured port 1 to VLAN 1, interface in Access mode, assigned a static IP address of 192.168.1.36, which is a free address on our office LAN.

I have configured port 2 to VLAN 2, interface in Access mode, assigned a static IP address of 192.168.3.1.

I put a static route in the modem/router, pointing 192.168.3.0/24 to 192.168.1.36.

I have a PC on 192.168.3.10 attached to port 2.

The SF300 can ping 192.168.3.1, but not 192.168.3.10. 192.168.3.10 can ping 192.168.3.1. It can also ping 192.168.1.1, and can pull up an HTTP router admin page from 192.168.1.1. 192.168.3.1 can be pinged from anywhere on 192.168.1.x, but 192.168.3.10 cannot be pinged from 192.168.1.x. Finally, 192.168.3.10 cannot ping any other addresses on 192.168.1.x except 192.168.1.1, and cannot reach the Internet.

Here's my configuration:

switch6d919d#show run
config-file-header
switch6d919d
v1.3.0.59 / R750_NIK_1_3_647_260
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switch6d919d
no passwords complexity enable
username cisco password encrypted 0e175b51aefdbac463b616ec1777b83a6dbad17b priv5
ip domain name westell.com
ip name-server  192.168.1.1
ip telnet server
!
interface vlan 1
ip address 192.168.1.36 255.255.255.0
no ip address dhcp
!
interface vlan 2
name ServerLan
ip address 192.168.3.1 255.255.255.0
!
interface fastethernet1
switchport mode access
!
interface fastethernet2                              
switchport mode access
switchport access vlan 2
!
exit
ip route 0.0.0.0 /0 192.168.1.1 metric 1
switch6d919d#

Can anyone tell me what's wrong here? Any help would be greatly appreciated.

Regards,

Bo McIlvain

3 Replies

Tom Watts
VIP Alumni

Hi Bo, here is a good topic to give many hints;

https://supportforums.cisco.com/thread/2123434

I think the ip route does not need to be in place. You should try to set a global default gateway on the switch to point to your router. The computer default gateways should be the IP address of the VLAN they connect within and there should be a static route on your ROUTER pointing back to the switch VLAN interface.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
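
The routing layout Tom describes can be checked on paper with a small longest-prefix-match model. This is an added example, not part of the original thread or any Cisco tooling; the device names and the office PC at 192.168.1.50 are assumptions, and the other addresses are the ones Bo posted.

```python
import ipaddress

def build(router_static_route=True, pc_gateway="192.168.3.1"):
    """Constructed model of the thread's topology: device -> (own IPs, routes).
    A route is (prefix, next_hop); next_hop None means directly connected."""
    net = {
        "router": (["192.168.1.1"], [("192.168.1.0/24", None), ("0.0.0.0/0", "INTERNET")]),
        "sf300": (["192.168.1.36", "192.168.3.1"],
                  [("192.168.1.0/24", None), ("192.168.3.0/24", None),
                   ("0.0.0.0/0", "192.168.1.1")]),
        "test-pc": (["192.168.3.10"], [("192.168.3.0/24", None)]),
        "office-pc": (["192.168.1.50"],  # hypothetical host on the office LAN
                      [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
    }
    if router_static_route:  # static route on the modem/router back to the switch
        net["router"][1].append(("192.168.3.0/24", "192.168.1.36"))
    if pc_gateway:           # PC default gateway = the switch's VLAN 2 address
        net["test-pc"][1].append(("0.0.0.0/0", pc_gateway))
    return net

def owner(net, ip):
    """Name of the device that holds this IP, or None."""
    return next((name for name, (ips, _) in net.items() if ip in ips), None)

def trace(net, src_ip, dst_ip, max_hops=8):
    """Follow longest-prefix-match routing hop by hop; return (path, delivered)."""
    dst, here, path = ipaddress.ip_address(dst_ip), owner(net, src_ip), []
    for _ in range(max_hops):
        path.append(here)
        ips, routes = net[here]
        if dst_ip in ips:
            return path, True
        matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            return path + ["no route"], False
        _, hop = max(matches, key=lambda m: m[0].prefixlen)
        here = owner(net, dst_ip if hop is None else hop)
        if here is None:
            return path + ["INTERNET" if hop == "INTERNET" else "no such host"], False
    return path + ["hop limit"], False

def ping(net, src_ip, dst_ip):
    """A ping succeeds only if the request and the reply can both be routed."""
    fwd, ok_fwd = trace(net, src_ip, dst_ip)
    back, ok_back = trace(net, dst_ip, src_ip) if ok_fwd else ([], False)
    return ok_fwd and ok_back, fwd, back
```

Calling `ping(build(router_static_route=False), "192.168.1.50", "192.168.3.10")` shows the request leaving via the router's default route instead of reaching the switch, and `build(pc_gateway=None)` shows the request arriving but the reply having no route back.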

marco.senft
Level 1

First, if your machine on 192.168.3.10 is a Windows PC, did you enable ICMP Echo in Windows Firewall? You should disable the firewall altogether for testing.

Second, maybe your internet router is configured to do NAT for the 192.168.1.0/24 network only, which would explain why you don't have internet access.

@Tom: as far as I understand from Bo's message, I think he already did what you suggested?

Marco,

Thank you for your help. I suspect you're right about NAT restrictions on the modem/router, but it's such a dumbed-down consumer product from Verizon that it doesn't give me any access to anything that would tell me for sure, nor any ability to change that behaviour. As for the firewall, I discovered to my horror that my test PC was running Norton Internet Security, which as far as I'm concerned made it unsuitable for this purpose, so I got a different machine to work on.

I made some additional tests which showed me that the router appeared to be working ok if it wasn't on our office network. We had just installed a wireless router which was probably causing problems (we should have gotten an access point instead of a router) and when I put it in bridging mode to turn its router off things seem to have improved. Anyway, for the software I'm testing I can use the SF300 in a stand-alone network disconnected from the office LAN, so I'm ok for now.

I appreciate your help!

Regards,

Bo McIlvain.
