01-22-2022 01:46 PM - edited 01-23-2022 04:55 AM
Hi, I am a novice when it comes to VLANs and have set up a test environment to learn. I would like to figure out how to get VLAN hosts to communicate with other VLAN hosts, i.e. a VLAN 10 host communicating with a VLAN 20 host.
Cisco RV345P - 10.68.1.1
SG300-28PP (Layer 3)
VLAN1 - 10.68.1.2 (default) - Port 1 - Access mode to router - Untagged
VLAN2 - 10.68.10.1 - Port 3 & 15 - Trunk - Untagged
VLAN3 - 10.68.20.1 - Port 4 - Trunk - Untagged
VLAN4 - 10.68.30.1 - Port 5 - Trunk - Untagged
VLAN5 - 10.68.40.1 - Port 6 - Trunk - Untagged
All VLAN hosts can reach the internet.
All VLAN hosts can ping other hosts within the same VLAN.
All VLAN hosts can ping the gateway of other VLANs.
However...
VLAN hosts cannot ping hosts on other VLANs. (Time out response)
I get the same results when pinging from the switch interface and selecting the different source IPs for each VLAN.
SG300 Config:
config-file-header
csg300l3
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode router
file SSD indicator plaintext
@
vlan database
vlan 10,20,30,40
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server
ip dhcp pool network IoT
 address low 10.68.40.50 high 10.68.40.65 255.255.255.0
 dns-server 10.68.1.1
exit
ip dhcp pool network LAN
 address low 10.68.10.50 high 10.68.10.99 255.255.255.0
 dns-server 10.68.1.1
exit
ip dhcp pool network CCTV
 address low 10.68.30.50 high 10.68.30.65 255.255.255.0
 dns-server 10.68.1.1
exit
ip dhcp pool network WLAN
 address low 10.68.20.50 high 10.68.20.99 255.255.255.0
 dns-server 10.68.1.1
exit
bonjour interface range vlan 1
hostname csg300l3
line console
 exec-timeout 0
exit
line ssh
 exec-timeout 0
exit
line telnet
 exec-timeout 0
exit
username password encrypted privilege 15
ip http timeout-policy 0
ip name-server 10.68.1.1 8.8.8.8 8.8.4.4
ip domain polling-interval 8
!
interface vlan 1
 ip address 10.68.1.2 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name LAN
 ip address 10.68.10.1 255.255.255.0
!
interface vlan 20
 name WLAN
 ip address 10.68.20.1 255.255.255.0
!
interface vlan 30
 name CCTV
 ip address 10.68.30.1 255.255.255.0
!
interface vlan 40
 name IoT
 ip address 10.68.40.1 255.255.255.0
!
interface gigabitethernet1
 switchport mode access
!
interface gigabitethernet3
 switchport trunk native vlan 10
 switchport forbidden default-vlan
!
interface gigabitethernet4
 switchport trunk native vlan 20
 switchport forbidden default-vlan
!
interface gigabitethernet5
 switchport trunk native vlan 30
 switchport forbidden default-vlan
!
interface gigabitethernet6
 switchport trunk native vlan 40
 switchport forbidden default-vlan
!
interface gigabitethernet15
 switchport trunk native vlan 10
 switchport forbidden default-vlan
!
exit
ip default-gateway 10.68.1.1
ip ssh-client key rsa key-pair
Any help is appreciated.
Thank you.
01-24-2022 07:37 PM - edited 01-24-2022 08:02 PM
Well, it turns out the issue was not with my switch configuration at all. The Windows firewall on my devices was blocking traffic from other subnets. Should have tested with a device other than a computer.
Just need to look into making rules in the Windows firewall to allow the traffic.
Edit: If anyone is looking for how to allow other subnets through the Windows firewall, this link is very useful.
windowsreport.com/windows-firewall-allow-ip-range
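The fix described in the post above, as an added PowerShell example that is not part of the original thread: it lists the enabled inbound ICMPv4 allow rules with the sources they accept, then adds an echo-request rule limited to chosen VLAN subnets instead of opening the host to any source. The subnets come from the SG300 config in the thread; the rule name, the choice of which VLANs to admit and the Private profile are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the Windows host that does not answer pings from other VLANs.

# Subnets from the thread's SG300 config. Which ones to admit is an assumption:
# here only the LAN (VLAN 10) and WLAN (VLAN 20) ranges may ping this host.
$AllowedSubnets = '10.68.10.0/24', '10.68.20.0/24'
$RuleName       = 'Lab - ICMPv4 echo from routed VLANs'   # constructed name
$RuleProfile    = 'Private'                               # assumption, see step 1

# 1. Which firewall profile is the NIC in? The new rule must use the same one.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. List the enabled inbound ICMPv4 allow rules and the sources they accept.
#    A RemoteAddress of LocalSubnet admits only the host's own subnet, so a ping
#    routed in from another VLAN is dropped without a reply.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Profile,
        @{ Name = 'RemoteAddress'
           Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } } |
    Format-Table -AutoSize

# 3. Create (or update) one rule: echo request only (ICMP type 8), only from
#    the listed subnets. Nothing else is opened.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AllowedSubnets
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $AllowedSubnets `
        -Profile $RuleProfile | Out-Null
}

# 4. Confirm what was stored.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

To check the scope, ping this host from a machine in one of the allowed VLANs and from one in a VLAN that is not listed; the second should still time out.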
01-23-2022 06:47 AM
"show ip route" output - 1 laptop connected to VLAN10 and one desktop connected to VLAN20.
IP Forwarding is enabled, I can't figure out why I cannot ping between these devices.
csg300l3#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static

S   0.0.0.0/0 [1/1] via 10.68.1.1, 28:43:24, vlan 1
C   10.68.1.0/24 is directly connected, vlan 1
C   10.68.10.0/24 is directly connected, vlan 10
C   10.68.20.0/24 is directly connected, vlan 20
01-24-2022 03:03 PM
Yesterday I reset the SG300 to factory defaults and set it back up from scratch.
Still the same result: devices can ping the gateway of each VLAN but cannot ping devices on other VLANs. IP routing and forwarding enabled.
No ACL or policy in place.
I know I am missing something but I can't figure out what.
Devices connected to VLAN 1 (default) show the router, 10.68.1.1, as the gateway instead of the switch IP 10.68.1.2.
Not sure if this is an issue.
Thank you in advance.