Hi Tom,

I have a rather simple question here; In the link that you provided the inter-VLAN routing is done by the RV router or by the SX switch?

The link that you provided is paritally helpful to the point where I can create the VLANs, after that things get confusing becuase the router that we have is from a different manufacturer (Sophos).

Thanks!

The switch is performing the routing

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Any ide why am I getting "Duplicate IP address 192.168.0.1 from MAC 00:1a:8c:xx:xx:xx was detected on VLAN 200, port gi1/26" ; This MAC address belongs to the interface for VLAN 200 on my Sophos router/firewall.

Hello Desmond,

You have two different options:

Option 1:

Configure Sg500 switch as a Layer 2 switch and let the Sophos firewall do all the Layer 3 routing along with internet access. If you choose this option, then, you need to configure your uplink port as a trunk port and allow all 3 vlans to pass through. Also, you need to make sure that the Sophos device supports VLANs and trunking (or at least sub interfaces and create sub interfaces for each vlan). Also, all LAN devices will have the respective sub-interface/VLAN interface IP on the Sophos as their default gateway.

Option 2:

Configure SG500 switch as a Layer 3 device and configure intervlan routing to manage internal network traffic locally and send just the internet traffic to Sophos device.

• You need to create Layer 3 interfaces for VLAN1, VLAN100, and VLAN200 on SG500 and then make those Layer 3 interfaces default gateway for respective VLAN.
• You can configure the uplink port as an access port in one of the VLANs.
• Make sure that the Sophos device has an IP on the same subnet as the VLAN you chose for the uplink port.
• You also need to enter static routes on the Sophos device for the remaining two subnets on the SG500 (next hop address pointing to the IP address of the VLAN that the uplink port belongs to).
• Also, on the SG500, you need to configure a default route, next hop address pointing to the Sophos interface IP address.

Hope this helps.

Nagaraja

Hi Nagaraja,

Thank you for your answer.

What is the good practice in this case? To use option 1) where the router does the routing, or option 2) where Layer 3 switch takes care of the routing?

Which one do you think applies better to my case?

Additionally, do you have any links or info which shows how to configure the SG500 for the option 1) (router does routing)?

The link for option 2) is already provided by Tom here:

https://supportforums.cisco.com/message/4178990

Best,

D

Desmond,

In general good practice is to allow the switch to perform LAN routing to take some load off of the router/firewall. (Layer 3)

In Layer 2 the router will be the default gateway for all VLANs. You need to create a trunk between the router and switch so that all VLANs can reach the router. As far as the switch goes, there is little to do:

1) Give it a management IP

2) Create the desired VLANs and assign to ports

3) Create a trunk port to the router with one VLAN Untagged and the others Tagged

Create the same VLANs on the router and an identical trunk port to connect to the switch.

Please reply if you have any questions.

- Marty

Hi Marty,

What is the specific reason that requires the trunk port (the one that is used fror uplink) on the Switch to be Untagged member of one VLAN (the VLAN1 most probably in my case) and Tagged member of the others (VLAN 200)?

Best,

Desmond

Desmond,

With a trunk the switch and router are able to define which VLAN the traffic belongs to based on the VLAN tag. Without tagging all traffic would belong to the default VLAN. If there is no tag, the devices will assume that the traffic belongs to the default VLAN. That is why the default VLAN remains untagged.

- Marty

According to the Sophos forums, my router does not support untagged VLANs and the VLAN1 is used by the router itself, so it's better to choose another VLAN for my equipment.

I guess I have to create a new VLAN for the internet connection, and make port 26 (the uplink to the router) a tagged member of VLAN xx (new VLAN for the internet) and VLAN 200 (the one where the Wifi access point is). Can you confirm?

Hello Desmond,

The following links may help.

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=d863955fd1454c5cb94a468742771c78_VLAN_Creation_on_the_Sx500_Series_Managed_Switches.xml&pid=2&respid=0&snid=7&dispid=0&cpage=search

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=aea5deb5d4b54cce8e1f6e96f6e4824c_Enabling_Multiple_Wireless_Networks_on_RV320_VPN_Router__WAP.xml&pid=2&respid=0&snid=2&dispid=0&cpage=search

Nagaraja

I just want to report back for an issue that I encountered.

My current port configuration is as follows:

port 13 - access - VLAN 200

port 26 - trunk - tagged member VLAN200, untagged member VLAN 1 (default VLAN)

The switch is router mode.

This setup would take years when I requestd to visit a http site over internet, but I would recieve the requested site after a while, in that case the DHCP was disabled at the switch. Once I enabled the DHCP the switch started to respond in timely manner. Why did this happen?

How can I make the switch to work fine, when the DHCP is turned off?

Hi again Nagaraja,

How can I achieve "you need to configure a default route, next hop address pointing to the Sophos interface IP address."

The web interface does not allow me to check/uncheck and change the current routes, pls check attachment

Thanks,

D

Hi Tom,

My ip for VLAN 200 (where the Wifi access point is connected) is: 192.168.0.1

I creted one netwrok pool according to that: it is in the attachment, can you confirm if it is OK?

Now I want to isolate the devices connected to VLAN 200, not to be able to access anything out of their VLAN, how can I achieve that, I looked at your post, but it confused me a bit with the ingress stuff. could you help please?