
SF300-48 - I want to have two VLANs talk to each other

svinieratos
Level 1

I want to segment out our wireless users from our wired users and I purchased this switch in hopes of being able to do that.

How do I go about doing that? 

I have already put the switch in layer 3 mode.

I have created the second VLAN and assigned it an IP address. How do I get the wireless VLAN to talk to the data VLAN?

Thanks!


David Hornstein
Level 7

Hi Scott,

Sounds like you have done the easy bit.

step 1. You already assigned a second IP address to this second VLAN.   DONE

step 2. I guess you have also added a switch port as untagged member  in this second VLAN.  This switch port will attach to your wireless AP.  Done

(You should be able to ping the AP from the switch)

Step 3. Somehow you have to take care of DHCP requests from the wireless clients, by setting up a DHCP relay within the switch, selecting option 82, and relaying the DHCP requests to your DHCP server or router that supports DHCP option 82?

Step 4. You have to set up a route in your router pointing back to this new VLAN. So if the IP address of VLAN1 in the switch is 192.168.1.100, and the network address of VLAN 2 is 192.168.2.0, the route in the router could be:

I have used a windows format for the route command as I have no idea what your WAN router is.

route add 192.168.2.0 mask 255.255.255.0 192.168.1.100

That should do it. (now you should be able to ping vlan2 IP address from your WAN router). 

If your WAN router doesn't support option 82, then you have to take a couple of options we could discuss.

regards Dave

Hi Dave, thanks for the advice.

Here is my issue - I can ping both sides of the switch from the untagged port on the wireless VLAN. I cannot ping anything on the data side from the wireless side as I thought the SF300 would be able to do this for me. We do not have a router on our network. Can the SF300 do this?

Thanks!

Hi Scott,

The gateway address for both IP hosts (PCs) then must be the IP address of the switch's VLAN interface they reside in.

    PC1 ------------ VLAN1 ------------ VLAN2 ------------ PC2
    192.168.1.10     192.168.1.1        192.168.2.1        192.168.2.10

in the example above,

PC1  should have a default gateway address of 192.168.1.1

PC2  should have a default gateway address of 192.168.2.1

If you satisfy this routing requirement, where the PCs have the correct default gateway, they WILL communicate.

regards dave

Ok that does work thanks!  Now, how do I get the 10.20.32.x network to see the internet?

10.1.32.1 is my internet router

let me know if you need any more info.. thanks!

Hi Scott,

You're only giving me part of the story, but we will move forward another step, and add a static route in your WAN router.

A network diagram, even done with Paint, would be fantastic to better understand your network topology.

So without the full story of how the network is put together,  I gotta work on assumptions.

PCs in the 10.1.32.0 network were using the WAN router as their default gateway. You had set the default gateway to the switch's VLAN1 or VLAN2 IP address, depending on which VLAN the PC resides in.

Let me work on the assumption that the IP address of VLAN1 of the SF300 switch is 10.1.32.100

Step 1. Set the PC in VLAN1 back so its default gateway is 10.1.32.1.

Step 2. Add an appropriate static route in your WAN router so that it knows how to send traffic back to VLAN2.

It could be something like this, and I'll verbalize the route statement that should reside in your WAN router:

To get to 10.20.32.0 network with a Mask of 255.255.255.0 use the gateway of 10.1.32.100 (IP address of vlan1 on the SF300.)

This should then allow PC hosts in VLAN1 and the router to know how to get traffic to VLAN2. The router will re-direct traffic to the SF300 switch and it has an interface route for VLAN2, so it definitely knows how to get IP packets to VLAN2.

If the WAN router knows where VLAN2 is, go via the SF300 switch, it might then be able to NAT Internet traffic from this second VLAN.

We are not finished here, more still has to occur, such as DHCP and  DNS resolution for hosts in VLAN2 and possible NAT issues depending on capabilities of your WAN router.

regards Dave

Thanks for your help so far Dave! I was able to get everything to work - talk across VLANs, internet. Before I get into DHCP and DNS issues I want to get it fully working. So, I need to access resources across our MPLS from VLAN2 (10.20.32.x) and that is not working. Is this something that I need to let Global Crossing know about the new network? VLAN1 (10.1.32.x) machines can access them fine with a static route in our firewall. I tried to add a static route in the SF300 to our MPLS node (10.1.32.35) but that didn't work.

Hi Scott,

Now it's a simple routing issue, but you're still hiding the network information needed, but that's ok.

The SF300 should have one static route defined, a default route pointing to the local LAN Ethernet interface of its router, 10.1.32.1.

But the remote MPLS router nodes also need to know how to send traffic back to the 10.20.32.0/24 network. That's the problem at this stage.

Remote networks have no idea where the 10.20.32.0 network is.

They will also need a route statement, and I will verbalize the route statement:

The remote MPLS router will have a route statement that says to get to the 10.20.32.0 network with mask 255.255.255.0 send traffic to the WAN IP address of the router that directly connects to the SF300 switch.

It will be using the local WAN router that connects to the SF300 switch.

regards Dave

I am not trying to hide any information - what else do you need?

I do have the route 10.1.32.1 on the SF300 and it's the only route.

Since we have managed routers from GC, I will create a ticket with them to get the route to 10.20.32.0/24 network added. Hopefully it will be done by Monday and I will update the forum. Then we can move onto DHCP and DNS issues.

Thanks again!

Hi Scott,

I need nothing more. Knowing your WAN IP addresses would have made it a little easier to verbalize the route statements needed for including in the remote MPLS WAN routers. They will need at minimum two route statements for each remote site.

I'm not trying to give you a hard time, just reduce the length of this posting.

But I think the solution is there, if you realize:

  • Remote MPLS routers have to know where these local networks are, and what gateway address is needed for the route statement.

       Remote MPLS routers have to know how to get to networks 10.1.32.0/24 and 10.20.32.0/24 at this site.

  • Local MPLS routers have to know the IP address of VLAN1 on the SF300 switch, which will be the gateway address for a route that points to VLAN2's network.
  • The local switch only needs a default route pointing to their local MPLS VLAN1 (LAN) IP address.
  • The MPLS router locally must be able to create a DHCP scope for VLAN2, but it needs to understand a request from VLAN2 via DHCP option 82.
  • The local MPLS router must also be able to NAT IP requests going to the internet from hosts on VLAN2.
  • Use the switch's access list functionality within the SF300 to restrict access between VLANs if that is what you need to do.

That's about it, I'm done, have fun, looks like an interesting exercise.

regards Dave
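
The return-route requirement from the posts above, as an added example that is not part of the original thread: a small longest-prefix-match simulation showing that traffic from VLAN2 reaches a remote site but replies are dropped until both the remote router and the local router carry a route to 10.20.32.0/24. The device names, the WAN link 172.16.0.0/30 and the remote LAN 10.9.0.0/24 are constructed for illustration; the other addresses are the ones used in the thread.

```python
import copy
import ipaddress

# Routing tables: prefix -> next-hop IP, or "direct" for a connected subnet.
# 172.16.0.0/30 (WAN link) and 10.9.0.0/24 (remote LAN) are constructed values.
BASE = {
    "sf300":  {"10.1.32.0/24": "direct", "10.20.32.0/24": "direct",
               "0.0.0.0/0": "10.1.32.1"},          # single default route
    "local":  {"10.1.32.0/24": "direct", "172.16.0.0/30": "direct",
               "10.9.0.0/24": "172.16.0.2"},
    "remote": {"10.9.0.0/24": "direct", "172.16.0.0/30": "direct",
               "10.1.32.0/24": "172.16.0.1"},
}
# Which device answers for each next-hop address.
OWNER = {"10.1.32.1": "local", "10.1.32.100": "sf300",
         "172.16.0.1": "local", "172.16.0.2": "remote"}

# The two static routes the thread asks for.
REMOTE_FIX = ("remote", "10.20.32.0/24", "172.16.0.1")
LOCAL_FIX = ("local", "10.20.32.0/24", "10.1.32.100")

def lookup(table, dst):
    """Longest-prefix match; returns next hop, "direct", or None (no route)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Forward hop by hop from device `start`; returns (delivered, path)."""
    device, path = start, [start]
    for _ in range(max_hops):
        hop = lookup(tables[device], dst)
        if hop is None:
            return False, path          # dropped: this device has no route
        if hop == "direct":
            return True, path           # destination is on a connected subnet
        device = OWNER[hop]
        path.append(device)
    return False, path                  # routing loop

def with_routes(*routes):
    """Copy of BASE with extra (device, prefix, next_hop) static routes."""
    tables = copy.deepcopy(BASE)
    for device, prefix, hop in routes:
        tables[device][prefix] = hop
    return tables

if __name__ == "__main__":
    for fixes in [(), (REMOTE_FIX,), (REMOTE_FIX, LOCAL_FIX)]:
        t = with_routes(*fixes)
        print("out:", trace(t, "sf300", "10.9.0.10"),
              "back:", trace(t, "remote", "10.20.32.10"))
```

The path returned with a failed trace ends at the device that dropped the packet, which is the router that still needs the static route.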

Dave that worked!  Thank you!

One last question in the DHCP - can the SF300 pass the DHCP requests from the 10.1.32.x network?  Like does it have the IP HELPER functionality?  Will I need to do something else to the Cisco?

Hi Scott,

It's all there for you.

UDP relay will UDP forward such protocols as NetBIOS etc., UDP ports 137 and 138.

Check out the page sensitive help tab that can be found at the top right of the GUI.

The screen capture below shows you the options for UDP relay and DHCP relay.

enjoy

regards Dave

I got it!  Thanks for all of your help David!
