SG300-10 won't pass traffic with public ip's.

CmrData
Level 1

I am the IT Director at our school. We have a SG300-10 that only seems to pass public, routable traffic in certain circumstances! The setup is as follows:

 

Ports 1-4 = VLAN501, Access Mode, Untagged PVID=501

Ports 5-8 = VLAN100, Access Mode, Untagged PVID=100

Ports 9-10 = VLAN1, Access Mode, Untagged PVID=1 (Default VLAN)

 

For the purposes of this discussion, VLAN 100 is not yet being used. In fact, nothing is plugged in those ports.

 

Port 1 is connected to an ISP supplied public internet connection. Port 2 is connected to a workstation setup with a static public IP address (for testing purposes). Port 10 is connected to our LAN at our school.

 

Leaving port 10 connected, I am able to manage the switch normally. However, the switch will NOT pass traffic on ports 1 and 2 (the only other ports currently connected). If I disconnect the workstation from port 2 and connect directly to the internet connection, traffic flows! I plug it back into port 2, nothing happens! This rules out a firewall issue on the workstation.

 

Here is the FUN part! With ports 1 and 2 connected and internet traffic not flowing, IF I disconnect port 10 from the LAN, all of a sudden the switch begins passing traffic between ports 1 and 2! Of course, I then lose my ability to manage the switch! If I plug port 10 back into our LAN, traffic again ceases to flow between ports 1 and 2!

 

Any ideas on how to resolve this?

 

8 Replies

Deepak Kumar
VIP Alumni

Hi,

What is the switch mode? Is it working in router mode or switch mode? Have you assigned an IP address on VLAN 501?

If possible share the switch configuration and logs.

 

Regards,

Deepak Kumar

 


CmrData
Level 1

The switch is in layer 3 mode. However, the problem continues in layer 2 mode also. No IP address in VLAN 501. I am not currently using it to route traffic, only to simply pass traffic between the two ports.

 

Here is the configuration:

config-file-header
RCSSW002
v1.4.9.4 / R800_NIK_1_4_205_011
CLI v1.0
set system mode router

file SSD indicator plaintext
@
vlan database
vlan 100,501
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname RCSSW002
no passwords complexity enable
username admin password encrypted
username cisco password encrypted
username randall password encrypted
ip http timeout-policy 1800
!
interface vlan 100
name "Local VLAN to route"
ip address 192.168.100.1 255.255.255.0
!
interface vlan 501
name Internet
!
interface gigabitethernet1
switchport mode access
switchport access vlan 501
no macro auto smartport
!
interface gigabitethernet2
switchport mode access
switchport access vlan 501
no macro auto smartport
!
interface gigabitethernet3
switchport mode access
switchport access vlan 501
no macro auto smartport
!
interface gigabitethernet4
switchport mode access
switchport access vlan 501
no macro auto smartport
!
interface gigabitethernet5
switchport mode access
switchport access vlan 100
no macro auto smartport
!
interface gigabitethernet6
switchport mode access
switchport access vlan 100
no macro auto smartport
!
interface gigabitethernet7
switchport mode access
switchport access vlan 100
no macro auto smartport
!
interface gigabitethernet8
switchport mode access
switchport access vlan 100
no macro auto smartport
!
interface gigabitethernet9
switchport mode access
!
interface gigabitethernet10
switchport mode access
!
exit

Hi,

The configuration is looking fine and software is also looking updated. Is there anything in the logs? Any error?

 

Trick: I am not sure whether it will work for you, but add a fake IP on the VLAN 501 interface and test it, as follows:

interface vlan 501
name Internet
ip address 172.16.16.1 255.255.255.255

 

Regards,

Deepak Kumar

 


GregF1
Level 1

In layer 3 mode the IP interface is only active if there is a device on the VLAN. I suspect (without seeing the routing table) that when you connect to the management port the switch is trying to route the traffic. Since you can't route private IPs on the Internet, there is no point in running the switch in layer 3; put the switch in layer 2 mode. This will default the switch.

Once you have logged in to the now defaulted switch:

1. Go to Administration --> Management Interface --> IPv4 Interface and configure 192.168.100.1 255.255.255.0 and whatever the default gateway is for that VLAN.

2. Create the 501 and 100 VLANs and assign them to ports.

Our ISP only gives us one port to connect to and we have multiple static IPs. I use a SG300 to split out the different IP addresses.

 

Gentlemen,

I have divined what the problem was! Deepak, perhaps unknowingly, pointed me in the right direction when he inquired about the logs. Looking at the logs, I saw a few entries on STP states changing on the concerned ports. Using this information, I discovered that if I disable STP on port 1 (the one leading to the ISP-supplied public IP address), after about a minute, traffic started flowing through ports 1 and 2! Traffic would also begin to flow if I disabled STP on the connecting port on the upstream switch.

Now that this has been resolved, I will proceed to the next step of getting routing to work between VLAN 100 and VLAN 501.
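Added example, not part of the original posts: a small Python check that reads a saved configuration in the format posted above and lists, per access VLAN, the ports on which spanning tree is still active, so a change like the one just described can be verified. The sample is a constructed excerpt of the posted configuration with a hypothetical `spanning-tree disable` line on port 1; it assumes ports default to VLAN 1 with spanning tree enabled unless the stanza says otherwise.

```python
import re

# Constructed sample: excerpt of the configuration posted in this thread,
# trimmed to three ports, with a hypothetical "spanning-tree disable" line
# added under port 1 to represent the change described above.
SAMPLE_CONFIG = """\
interface vlan 501
!
interface gigabitethernet1
switchport mode access
switchport access vlan 501
spanning-tree disable
!
interface gigabitethernet2
switchport mode access
switchport access vlan 501
no macro auto smartport
!
interface gigabitethernet10
switchport mode access
!
exit
"""

def parse_ports(config):
    """Return {port: {"vlan": int, "stp": bool}} for each physical interface."""
    ports, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.fullmatch(r"interface gigabitethernet(\d+)", line)
        if m:
            current = int(m.group(1))
            # Assumed defaults: access VLAN 1, spanning tree enabled.
            ports[current] = {"vlan": 1, "stp": True}
        elif line in ("!", "exit") or line.startswith("interface "):
            current = None  # end of stanza, or a non-physical interface
        elif current is not None:
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                ports[current]["vlan"] = int(m.group(1))
            elif line == "spanning-tree disable":
                ports[current]["stp"] = False
    return ports

def stp_ports_by_vlan(ports):
    """Group the ports still participating in spanning tree by access VLAN."""
    out = {}
    for port, info in sorted(ports.items()):
        if info["stp"]:
            out.setdefault(info["vlan"], []).append(port)
    return out
```

Calling `stp_ports_by_vlan(parse_ports(SAMPLE_CONFIG))` on the sample shows port 2 as the only VLAN 501 port still running spanning tree, and port 10 in VLAN 1.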

 

Hi,
I am happy that your issue has been resolved.

Regards,
Deepak Kumar
Don't forget to vote for a helpful answer.

So are you splitting out the 5 static IPs on the layer 3 switch and adding 5 routers for firewall since there is no NAT in the layer 3 switch?

 

I think this would be a way to handle 10 gig if you use a SG500x-24 switch since most routers can't handle 10 gig.  Connect 5 full duplex 1 gig routers to the switch and let the switch split the 10 gig.

The reason the STP changed states is because the switch detected a loop in your network. 
