Inter vlan routing on a Cisco SF 300-24 port switch No internet except when scanning with wireshark

richley1980
Level 1

Hi,

I am trying to get inter VLAN routing to work on an SF 300 24-port switch. I have an existing company network on 192.168.111.0 and want to create a VLAN on 192.168.1.1 that can talk to 192.168.111.0. I have enabled layer 3 routing on the switch via console and also provided the ip routing command. I have the following VLANs:

VLAN1 - Default 192.168.111.0

VLAN2 - 192.168.1.0

I have enabled DNS and provided my two DNS servers 192.168.111.82 & 192.168.111.212.  

I have set the VLAN1 interface to 192.168.111.217 and VLAN2 interface to 192.168.1.1.

Ports FE1 - FE15 are set to access ports and assigned to VLAN1 (untagged)

Ports FE16 - FE24 are set to access ports and assigned to VLAN2 (untagged)

I have set a default route for the switch to 0.0.0.0 0.0.0.0 192.168.111.254 (Draytek 2600 router). I have connected a computer (A) to VLAN1 port FE3 and a computer (B) to VLAN2 port FE16.   I have set Computer A default gateway to 192.168.111.217 and its IP address to 192.168.111.94.    I have set Computer B default gateway to 192.168.1.1 and IP to 192.168.1.2.   

Computer A has access to Mdaemon, file server via network drives but no internet (cannot ping google) and can ping computer B and RDP onto computer B.

Computer B can ping computer A and RDP onto computer A but does not have access to the company network, i.e. MDaemon, file server etc. It also cannot access the internet.

From the console I can ping www.google.co.uk and all IP addresses in the company network, i.e. 192.168.111.82 (DNS server). I don't understand what I am doing wrong and have been banging my head for days. I just started a new job and desperately need to get it working, so any help would be greatly appreciated.

If I scan computer A with Wireshark the internet starts working. Weird!

Configuration shown below:

switch7c0a71#show run
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 1
ip address 192.168.111.217 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.111.254
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switch7c0a71
no passwords complexity enable
no snmp-server server
interface fastethernet1
switchport mode access
exit
interface fastethernet2
switchport mode access
exit
interface fastethernet3
switchport mode access
exit
interface fastethernet4
switchport mode access
exit
interface fastethernet5
switchport mode access
exit
interface fastethernet6
switchport mode access
exit
interface fastethernet7
switchport mode access
exit
interface fastethernet8
switchport mode access
exit
interface fastethernet9
switchport mode access
exit
interface fastethernet10
switchport mode access
exit
interface fastethernet11
switchport mode access
exit
interface fastethernet12
switchport mode access
exit
interface fastethernet13
switchport mode access
exit
interface fastethernet14
switchport mode access
exit
interface fastethernet15
switchport mode access
exit
interface fastethernet16
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet17
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet18
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet19
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet20
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet21
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet22
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet23
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet24
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface vlan 2
name Development
exit

2 Accepted Solutions

Davidwagman1
Level 7

Hi Richard,

43 - Permit Protocol: Any To/From All
42 - Deny Protocol ALL from 192.168.2.0 0.0.0.255 -> to 192.168.111.0 0.0.0.255
41 - Deny Protocol ALL from 192.168.111.0 0.0.0.255 -> to 192.168.2.0 0.0.0.255
40 - Permit Protocol RDP from ALL to ALL
etc

That should block everything, including MSSQL, except for RDP, and the other ports as you've defined above.  Are the other defined services working and just not the RDP? 

Richard, please remember to rate helpful posts and identify correct answers.

Best,

David


Hi Richard,

I've attached a screenshot of what it should look like, though it's not complete (I didn't do all of the services, but enough so you get the gist). You need both to and from rules and different source/dest rules:

Best,

David

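To see how the rule order in the two accepted answers behaves against real flows from this thread, here is a small first-match ACL model. It is an added example, not code from the thread or from the switch; rules 40-43 follow David's list, rule 39 is the "from" rule for RDP replies that his second answer says is also needed, and the evaluation order (ascending priority, first match wins) plus the trailing implicit deny are assumptions about how the SF300 applies ACEs.

```python
"""First-match model of the inter-VLAN ACL from the accepted answer.

Added example, not from the thread. Rules 40-43 follow David's list;
rule 39 is the matching 'from' rule for RDP replies that his second answer
says a stateless ACL also needs. Evaluation order (ascending priority,
first match wins) and the implicit deny at the end are assumptions.
"""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
DEV = ip_network("192.168.2.0/24")     # developers' VLAN
LAN = ip_network("192.168.111.0/24")   # existing company network

# (priority, action, proto, src_net, dst_net, src_port, dst_port); None = any
RULES = [
    (39, "permit", "tcp", ANY, ANY, 3389, None),   # RDP replies ("from")
    (40, "permit", "tcp", ANY, ANY, None, 3389),   # RDP requests ("to")
    (41, "deny",   None,  LAN, DEV, None, None),   # company LAN -> developers
    (42, "deny",   None,  DEV, LAN, None, None),   # developers -> company LAN
    (43, "permit", None,  ANY, ANY, None, None),   # everything else (internet)
]


def evaluate(proto, src, dst, sport=None, dport=None):
    """Return (action, priority) of the first rule that matches the flow."""
    s, d = ip_address(src), ip_address(dst)
    for prio, action, rproto, snet, dnet, rsport, rdport in sorted(
            RULES, key=lambda r: r[0]):
        if rproto is not None and rproto != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, prio
    return "deny", None   # implicit deny when nothing matches


if __name__ == "__main__":
    # constructed sample flows; 203.0.113.10 stands in for an internet host
    flows = [
        ("tcp", "192.168.111.94", "192.168.2.2", 51000, 3389),  # A -> B RDP
        ("tcp", "192.168.2.2", "192.168.111.94", 3389, 51000),  # B -> A reply
        ("tcp", "192.168.2.2", "192.168.111.82", 51001, 445),   # B -> file share
        ("udp", "192.168.2.2", "192.168.111.82", 51002, 53),    # B -> LAN DNS
        ("tcp", "192.168.2.2", "203.0.113.10", 51003, 443),     # B -> internet
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```

With only these five rules, computer B's DNS queries to 192.168.111.82 hit rule 42 and are denied, which is why the per-service permits David refers to have to sit ahead of the two deny rules.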

40 Replies

Davidwagman1
Level 7

What port on the sf300 is the router plugged into? What are the vlan settings for that port, as well as the routes you have on the draytek?

Also, please try setting the default gateway on the computer to the router's IP.

Sent from Cisco Technical Support iPad App

Hi David,

Thanks for replying, thought no one ever would.

Basically I need to create a secure area for the programmers in my company so they can access the company network but no one can access their systems.  

So I wanted to create a secure VLAN using ACLs within the existing network, which is made up of Cisco layer two switches running on the default VLAN1, i.e. no VLAN configuration (I cannot easily change this as they have 4 switches running off VLAN1).

I have connected the sf 300 (layer 3 enabled) to the company network by removing the connection from my PC to the network and plugging that into port fa 0/1 (enabled as a trunk port).

I then connected my computer (A) to port fa 0/2 of the sf 300 and enabled it as an access port.

I then connected another computer (B) to port fa 0/16 of the sf 300 and enabled it as an access port.

I created a second VLAN (VLAN2) ip address 192.168.2.1 and assigned it to fa 0/16 all other ports are assigned to VLAN1 (default).

I set my Computer A (IP 192.168.111.94) default gateway to the ip address of the sf 300 (192.168.111.218) and computer B (IP 192.168.2.2) default gateway to 192.168.2.1.

I set the default route to 0.0.0.0 0.0.0.0 192.168.11.254 (draytek router and default gateway for existing network) and added the DNS servers for my network to the sf 300.

Computer A still has access to the company drives, email etc but is unable to access the internet and can ping and RDP to computer B but cannot access the internet.

Computer B can ping and RDP to computer A but cannot access the company network or internet, i.e. I cannot ping the domain controller.

I have tried tagging VLAN2 to fa 0/1 trunk port but still no success, and adding entries on the domain controller's DNS for computer B.

My main issue is that I cannot get VLAN2 to access the company network.

I have created a diagram of the setup below to hopefully give you a better idea.

Many Thanks

Richard

Hi Richard,

As for your main issue - getting vlan 2 to access the LAN and internet - you need to set a default route on the draytek to the effect of 192.168.2.0 255.255.255.0 192.168.111.218. That may be why computer B is not getting LAN access.

Why is the sf300 connected to the network as a trunk? Do you plan to have other vlan 2 computers plugged in elsewhere other than this switch? Or are there vlans other than 1 & 2?

Can you post a sh run for the switch so I can see what else is going on, and what ACLs, if any, there are that may be preventing computer A from accessing the internet. Can you also please change the default gateway on computer A to 192.168.1.254 and let me know if that works.

Best,

David

Please rate helpful posts.

Hi David,

I have set my draytek with a default route as you described (I cannot test this until Monday as I currently only have console access to the switch as I have plugged my computer back into the network and am not going through the switch).

Originally I had port fa 0/1 set as an access port because I thought the IT Manager only wanted the switch in the IT department to host the secondary VLAN and I wouldn't have to cross switches.

He has since said that he would like to have some computers in other rooms available to the secondary VLAN for testing purposes.

He also wanted to increase the number of IP addresses as we are reaching the maximum on the current setup, i.e. 254.

Getting it working in just our area for now would take the heat off me though.

I thought I had to set the default gateway on computer A to the IP address of the sf 300 (192.168.111.218).  

If I set the default gateway of computer A to 192.168.111.254 it does indeed work and I get internet access and network access, as I had tested this previously.

I have since changed the config for the switch which is shown below but it might be worse than the previous config:

switch7c0a71#show run
vlan database
vlan 4
exit
interface gi1
switchport default-vlan tagged
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 4
ip address 192.168.2.249 255.255.255.0
exit
interface vlan 1
ip address 192.168.111.250 255.255.255.0
exit
no ip arp proxy disable
ip route 0.0.0.0 0.0.0.0 192.168.111.254
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switch7c0a71
no snmp-server server
ip name-server 192.168.111.212 192.168.111.82
interface fastethernet1
switchport mode access
exit
interface fastethernet2
switchport mode access
switchport access vlan 4
exit
interface fastethernet3
switchport mode access
exit
interface fastethernet4
switchport mode access
exit
interface fastethernet5
switchport mode access
exit
interface fastethernet6
switchport mode access
exit
interface fastethernet7
switchport mode access
exit
interface fastethernet8
switchport mode access
exit
interface fastethernet9
switchport mode access
exit
interface fastethernet10
switchport mode access
exit
interface fastethernet11
switchport mode access
exit
interface fastethernet12
switchport mode access
exit
interface fastethernet13
switchport mode access
exit
interface fastethernet14
switchport mode access
exit
interface fastethernet15
switchport mode access
exit
interface fastethernet16
switchport mode access
exit
interface fastethernet17
switchport mode access
exit
interface fastethernet18
switchport mode access
exit
interface fastethernet19
switchport mode access
exit
interface fastethernet20
switchport mode access
exit
interface fastethernet21
switchport mode access
exit
interface fastethernet22
switchport mode access
exit
interface fastethernet23
switchport mode access
exit
interface fastethernet24
switchport mode access
exit
interface gigabitethernet1
switchport trunk allowed vlan add 4
exit
interface vlan 4
name ARC_Developer
exit

Kind Regards

Richard Leyshon

Hi Richard,

I'm using a sg300 here to test, and mine is working fine. I did have to put a default route in my router for the vlan 4 network, but this is my sh run:

switchf1cc3a#sh run
vlan database
vlan 4
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.10.1.79 255.255.255.0
exit
interface vlan 4
ip address 192.168.2.249 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.10.1.1
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switchf1cc3a
no snmp-server server
interface gigabitethernet8
switchport mode access
switchport access vlan 4
exit

I am able to use either the switch ip or router ip for the default gateway on my vlan 1 and am able to get both lan and internet access. Can you please post a sh ip route from both the switch and draytek?

My switch shows the following:

switchf1cc3a#sh ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP
S  0.0.0.0/0          [1/1] via  10.10.1.1  0:10:58                vlan 1
C  10.10.1.0/24       is directly connected                        vlan 1
C  192.168.2.0/24     is directly connected                        vlan 4

Best,

David

Hi David,

I have telnetted into the draytek and I see the following (I thought I added a default route but apparently you can only do this by telnet, not through the web interface).

If I add a second default route will it knock out the route shown above? I don't want to down the internet connection as I am doing this remotely from home and don't want to kill the router.

I have 4 ethernet ports in the draytek. Ethernet port 1 is plugged into the network (which I think is IF0) and the ADSL cable is plugged into the ADSL port, IF3 (I think).

The syntax for the draytek is as follows:

Do I need to patch a cable from the draytek (ethernet port 2) into the network and set up a default route on that interface, or can I add one to the existing interface (ethernet port 1)?

The show ip route for the switch is as follows (I don't have anything plugged into it though):

switch7c0a71#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP
S  0.0.0.0/0          [1/1] via  192.168.111.254  118:22:47        vlan 1
C  192.168.111.0/24   is directly connected                        vlan 1
switch7c0a71#

Hope this makes sense.

Kind Regards

Richard

Richard,

I'm not at all familiar with draytek devices. It surprises me that adding a route would knock out the route that's in there now, but again, might just be a draytek thing. I would think you can simply add the route to the interface you're currently using. The other thing of note is take a look at the difference between my sh ip route and yours: mine shows the 192.168.2.0 network as directly connected, while yours does not.

As far as a course of action, we're not going to be able to make progress while you're at home on your weekend, so stop thinking about this until Monday, and try the following then and report back:

1 - Add the proper route into the draytek. From your screenshot, it looks to me like the proper syntax would be ip route add 192.168.2.0 255.255.255.0 192.168.111.250

2 - check the sf300's vlan 4 address, and that computer B can ping 192.168.2.249. Make sure that the sf300 is showing that network as directly connected in its ip routing table.

At this point, you should have internet and lan access on both hosts A + B.

On vlan 4 - are the addresses being assigned via DHCP or statically assigned?

Best,

David

Please rate helpful posts.
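Step 1 above is the crux of the thread: the SF300 can reach 192.168.111.254 via its default route, but the Draytek has no route back to 192.168.2.0/24 until it is added. The longest-prefix-match model below is an added example, not code from the thread or from either device. The SF300 table is taken from the show ip route Richard posts later; the Draytek tables, the interface names wan and lan, and the next-hop owner map are assumptions made to illustrate the return path before and after the static route.

```python
"""Longest-prefix-match model of VLAN 4's forward and return path.

Added example, not from the thread. It builds the SF300 table from the
thread's 'show ip route' and a Draytek table before and after the static
route David suggests (192.168.2.0 255.255.255.0 via 192.168.111.250).
Interface names ('wan', 'lan') and the Draytek's own table are assumptions.
"""
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Return (next_hop, interface) of the most specific route for dst."""
    d, best = ip_address(dst), None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


# SF300 once the VLAN 4 interface is up (thread's show ip route)
SWITCH = [
    ("0.0.0.0/0",        "192.168.111.254", "vlan 1"),
    ("192.168.2.0/24",   "connected",       "vlan 4"),
    ("192.168.111.0/24", "connected",       "vlan 1"),
]
# Draytek before the fix: it only knows its LAN subnet and the ISP default
DRAYTEK_BEFORE = [
    ("0.0.0.0/0",        "isp",       "wan"),
    ("192.168.111.0/24", "connected", "lan"),
]
# Draytek after the static route David asked for in step 1
DRAYTEK_AFTER = DRAYTEK_BEFORE + [("192.168.2.0/24", "192.168.111.250", "lan")]
# which device owns each next-hop address (constructed from the thread)
OWNER = {"192.168.111.254": "draytek", "192.168.111.250": "switch"}


def trace(nodes, start, dst, max_hops=5):
    """Follow a packet router by router until it is delivered locally,
    handed to the ISP, dropped, or loops. nodes maps name -> table."""
    path, node = [start], start
    for _ in range(max_hops):
        hit = lookup(nodes[node], dst)
        if hit is None:
            return path + ["dropped: no route"]
        next_hop, iface = hit
        if next_hop == "connected":
            return path + [f"delivered on {iface}"]
        if next_hop == "isp":
            return path + ["handed to ISP"]
        node = OWNER[next_hop]
        path.append(node)
    return path + ["loop"]


if __name__ == "__main__":
    before = {"switch": SWITCH, "draytek": DRAYTEK_BEFORE}
    after = {"switch": SWITCH, "draytek": DRAYTEK_AFTER}
    print(trace(before, "switch", "203.0.113.10"))   # B's ping leaves fine
    print(trace(before, "draytek", "192.168.2.2"))   # reply never reaches B
    print(trace(after, "draytek", "192.168.2.2"))    # reply reaches VLAN 4
```

The asymmetry is the point: outbound packets from computer B always find a path, so pings to the switch and the router succeed, while anything that has to come back through the Draytek is lost until the Draytek learns who owns 192.168.2.0/24.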

Hi David,

I have added the route to the draytek as shown below:

I think VLAN2 is not saying directly connected because Computer B which belongs to VLAN2 is not currently connected. 

At present VLAN4 ip addresses are being statically assigned but I have added a new DHCP range to the domain controller for 192.168.2.0 so I presume I could dish out IP addresses via DHCP when it is all working?

I will get back to you on Monday once I have plugged it all in and tested. Again, many thanks for your help David, have a great weekend.

Kind Regards

Richard

Richard,

Let me know how it looks come Monday morning. Can you ping the switch's 192.168.2.249 address from the draytek?

The route should show up if the ipv4 interface for vlan 4 is configured properly - it's showing the subnet is connected in sh ip route - rather than the host.

Best,

David

Hi David,

I have tested the configuration and I can get network access in VLAN1 using default gateway of 192.168.111.254 and network access in VLAN4 using a default gateway of 192.168.2.249.

But I am unable to get internet access in VLAN4. I can ping the default gateway (192.168.2.249) for VLAN4 from the computer in VLAN4 (192.168.2.2) but am unable to ping google etc. Internet access in VLAN1 is ok.

My show IP route is as follows:

switch7c0a71#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP
S  0.0.0.0/0          [1/1] via  192.168.111.254  0:17:15          vlan 1
C  192.168.2.0/24     is directly connected                        vlan 4
C  192.168.111.0/24   is directly connected                        vlan 1

I can also ping 192.168.2.249 from the draytek (using telnet).   

Kind Regards

Richard

Good morning Richard,

Just a quick question while I re-read some of the thread. The screenshots don't show up on the iPad app...

Could it be a dns issue on vlan 4? Can you ping 4.2.2.2?

Best,

David

Sent from Cisco Technical Support iPad App

Hi David,

I have tried to ping google's IP address, 173.194.67.94, but it times out. I am not sure what you mean by 4.2.2.2 but I tried to ping it without success. I have attached a grab of the route print command from 192.168.2.2:

I can also ping the network DNS servers (192.168.111.82 & 192.168.111.212) from 192.168.2.2

Kind Regards

Richard

Hello Richard,

From vlan4 (192.168.2.x) can you ping the router (192.168.111.254)? If yes, then can you ping your WAN IP address on the router?

It may be possible that the router is not doing NAT for your second vlan. If this is the case then, your ping out would be dropped once it hits the internet.

Hi Robert,

I can ping the Router IP address from VLAN2.

I thought it might be NAT myself but I have just pinged the ISP IP address from VLAN2 and it came back successful:

Kind Regards

Richard
