Fork2232
Beginner

SG300 Not Forwarding to Default Route

I have an SG300 with fully functional VLAN routing between 4 VLANs that will not forward to the default route.

I am able to ping/traceroute the default-route IP configured on the SG300 from all VLANs, but when trying to access anything not directly connected to the switch, the traffic is not forwarded to the default route.

I have run a tcpdump on the router and no traffic is seen when trying to access anything that should hit the default route.

I have routes for all of the VLANs pointing back to the SG300.

All switch ports are configured as trunk ports, as they all go to either other switches or ESX servers that support multiple VLANs.

I also tried setting a static route to something on the other side of the router and that did not work either. I have seen comments about the ports being configured as access vs. trunk; does that make a difference?

I am sure there is some small check-box I am missing somewhere. Any help would be appreciated.

17 REPLIES
Jaderson Pessoa
Events Top Contributor

Well,

could you share your configuration?

What device is used as the default route (router/firewall/ISP)? Do you have access to it? Could you share its configuration?

Is there a possibility to provide a simple drawing of your topology?
Jaderson Pessoa
*** Rate All Helpful Responses ***

The default route terminates at a firewall running as a VM. I have full control over it. As I said, I ran a tcpdump on the internal interface of the firewall and see no traffic forwarded to it from the SG300 when it is a network not directly connected to the SG300.

The firewall has two interfaces, one in VLAN 60 and one in VLAN 30. Nothing else is located in either VLAN; the firewall has full access to the internet.

I don't have a diagram, but it is just a basic network. I am just moving the routing from a hardware firewall to the SG300 to give me more flexibility in my lab environment.

Here is the config:


config-file-header
v1.4.11.2 / R800_NIK_1_4_216_022
CLI v1.0
set system mode router
port jumbo-frame
vlan database
vlan 10,20,30,40,50,60
exit
no ip arp proxy disable
logging buffered debugging
ip ssh server
ip http timeout-policy 0 https-only
interface vlan 10
ip address 10.20.100.253 255.255.255.0
!
interface vlan 20
ip address 10.22.100.253 255.255.255.0
!
interface vlan 30
!
interface vlan 50
ip address 10.19.100.253 255.255.255.0
!
interface vlan 60
ip address 10.18.100.1 255.255.255.0
!
interface gigabitethernet1
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet2
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet3
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet4
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet5
switchport trunk allowed vlan add 20
switchport trunk native vlan 10
!
interface gigabitethernet6
switchport trunk native vlan 40
!
interface gigabitethernet7
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet8
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet9
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet10
switchport trunk allowed vlan add 20,30,40,50,60
switchport trunk native vlan 10
!
exit
banner login ^C
Switch 2
^C
mac address-table aging-time 30
ip default-gateway 10.18.100.10

Jaderson Pessoa
Events Top Contributor

If you try to ping 10.18.100.10 from your SG300, does it work?
Jaderson Pessoa
*** Rate All Helpful Responses ***

Yes, everything works that is directly connected.  All of the VLANs can talk to each other.

Jaderson Pessoa
Events Top Contributor

Good,

On which interface is your "firewall" connected? Is this default route a firewall? Which model? Could you share its configuration with us?
Jaderson Pessoa
*** Rate All Helpful Responses ***

The firewall is connected through port 7, but it is actually on another switch. It is a Check Point VM and I don't think it is the problem. If I add a machine to the VLAN it is on, I can pass through it, and it has routes, access rules and NAT configured for all of the VLANs.

I am guessing from the questions you don't see anything wrong with the switch config?

Jaderson Pessoa
Events Top Contributor

@Fork2232

I think that your configured default route is wrong.

Try it:

no ip default-gateway 10.18.100.10
ip route 0.0.0.0 0.0.0.0 10.18.100.10

Make sure that you do it from a directly connected network, because you may lose access to your device until it is done.


Jaderson Pessoa
*** Rate All Helpful Responses ***

Thanks for the suggestion.  I tried that and it didn't change anything.  If you don't see anything else I may tear it all down and try again, there just seems to be something weird going on.

Jaderson Pessoa
Events Top Contributor

Well... I really want to know the result of the commands below:

ping 10.18.100.10 source-interface vlan 10
ping 10.18.100.10 source-interface vlan 20
ping 10.18.100.10 source-interface vlan 50
Jaderson Pessoa
*** Rate All Helpful Responses ***

All of those pings are successful.

I did some more experimenting, and if I stick another device on the VLAN between the switch and the firewall and try to ping 8.8.8.8 through the firewall, everything is fine, but at the same time the devices on the other side of the switch can now ping 8.8.8.8... but only 8.8.8.8. It is like the switch is still relying on ARP and not following its default route unless it already knows the destination is there. This is driving me crazy.

Jaderson Pessoa
Events Top Contributor

Ok, I think that your firewall is the problem.

Disable ARP spoofing on your firewall.

Look at it: https://community.checkpoint.com/t5/Logging-and-Reporting/Disable-quot-Local-interface-address-spoofing-quot/td-p/14128


Jaderson Pessoa
*** Rate All Helpful Responses ***

I have the correct networks configured in anti-spoofing, and it is set to detect, not block.  I am not seeing any of the logs mentioned in the linked article.  Anti-spoofing in Check Point doesn't have anything to do with ARP, it is to detect when improper IP addresses are seen on an interface.

Jaderson Pessoa
Events Top Contributor

Your switch is configured properly. I had this issue some time ago... and the problem was Check Point. Let me try to explain.

When traffic is coming from one network and matches the network interface = traffic is allowed.
When traffic is coming from one network and does not match the network interface = traffic is blocked by anti-spoofing.

In your case your traffic is sent via the default route to your firewall, so the traffic is coming from a network that does not match the network interface and is blocked by anti-spoofing; when you look in the Check Point log it appears as "allowed", but you need to look in the spoofing logs.

To resolve this issue I did a few configuration changes:
Obs: "I don't remember the correct path"

advance > security > (search) "spoo" and the anti-spoofing configuration will appear. I disabled it to test... all works well :)

Try it... because your switch configuration is ok.

Jaderson Pessoa
*** Rate All Helpful Responses ***
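To make the two mechanisms discussed in this thread concrete (the SG300 choosing a next hop from its routing table, and the firewall's anti-spoofing check on the interface that receives the forwarded traffic), here is a small Python model. It is an added example, not Cisco or Check Point code: the VLAN networks and the 10.18.100.10 next hop come from the posted config and the suggested `ip route 0.0.0.0 0.0.0.0 10.18.100.10`; the firewall interface name `eth1` and the two topology tables are assumptions. The "default" topology models the case the reply above describes, where only the directly connected network is expected behind the interface; the "internal" topology models a spoof group that contains all internal networks.

```python
# Added example (not Cisco or Check Point code): a model of the packet walk
# described in the thread. Addresses and VLAN names come from the posted SG300
# config; the firewall interface name "eth1" and the topology tables are assumed.
from ipaddress import ip_address, ip_network

# Switch routing table: the connected VLAN interfaces from the posted config plus
# the default route from the "ip route 0.0.0.0 0.0.0.0 10.18.100.10" suggestion.
# Entries are (prefix, next_hop, egress_interface); next_hop None = connected.
SWITCH_ROUTES = [
    (ip_network("10.20.100.0/24"), None, "vlan 10"),
    (ip_network("10.22.100.0/24"), None, "vlan 20"),
    (ip_network("10.19.100.0/24"), None, "vlan 50"),
    (ip_network("10.18.100.0/24"), None, "vlan 60"),
    (ip_network("0.0.0.0/0"), ip_address("10.18.100.10"), None),
]

FIREWALL_IP = ip_address("10.18.100.10")


def lookup(dst, routes=SWITCH_ROUTES):
    """Longest-prefix match. Returns (address the switch ARPs for, egress interface) or None."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    if best is None:
        return None
    prefix, next_hop, iface = best
    if next_hop is None:
        # Connected network: the switch ARPs for the destination itself.
        return (dst, iface)
    # Recursive route: resolve the next hop against connected routes only to find
    # the egress VLAN. For 8.8.8.8 the switch ARPs for 10.18.100.10, not for 8.8.8.8.
    resolved = lookup(next_hop, [r for r in routes if r[1] is None])
    if resolved is None:
        return None
    return (next_hop, resolved[1])


# Firewall ingress topology: which source networks are legitimate behind the
# interface facing the switch. DEFAULT models "spoof group = directly connected
# network"; INTERNAL models a group holding all internal networks (assumed names).
DEFAULT_TOPOLOGY = {"eth1": [ip_network("10.18.100.0/24")]}
INTERNAL_TOPOLOGY = {"eth1": [r[0] for r in SWITCH_ROUTES if r[1] is None]}


def anti_spoof(src, ingress, topology):
    """Return 'allowed' if src belongs behind the ingress interface, else 'spoofed'."""
    src = ip_address(src)
    return "allowed" if any(src in net for net in topology[ingress]) else "spoofed"


def packet_walk(src, dst, topology):
    """Route on the switch; if the packet goes to the firewall, apply its ingress check."""
    hop = lookup(dst)
    if hop is None:
        return "no route"
    next_hop, egress = hop
    if next_hop != FIREWALL_IP:
        return f"delivered directly on {egress}"
    return anti_spoof(src, "eth1", topology)


if __name__ == "__main__":
    # Constructed sample hosts: a VLAN 10 host reaching the Internet via the default route.
    print(lookup("8.8.8.8"))                                           # next hop 10.18.100.10 via vlan 60
    print(packet_walk("10.20.100.50", "8.8.8.8", DEFAULT_TOPOLOGY))    # spoofed
    print(packet_walk("10.20.100.50", "8.8.8.8", INTERNAL_TOPOLOGY))   # allowed
    # A host sitting directly on VLAN 60, as in the OP's experiment, passes either way.
    print(packet_walk("10.18.100.20", "8.8.8.8", DEFAULT_TOPOLOGY))    # allowed
    # Inter-VLAN traffic never reaches the firewall, matching "all VLANs can talk".
    print(packet_walk("10.20.100.50", "10.22.100.7", DEFAULT_TOPOLOGY))  # delivered directly on vlan 20
```

The model shows why inter-VLAN traffic and pings to 10.18.100.10 itself work regardless of the firewall setting, and why only traffic routed through the default route is affected by the ingress topology; whether a mismatch is logged or dropped depends on the detect/prevent setting the OP mentions, which the model does not distinguish.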

I completely understand what you are talking about, and spoofing is a commonly misconfigured thing in Check Point. By default the spoof group will be assigned as the directly connected network, but it is possible to specify a group, and I have created a group which contains all of the internal networks. It also would not explain why the traffic was allowed through after I connected from a locally attached machine.

That being said, I did completely disable spoofing to verify that wasn't the problem.

I do have this working now, though I don't know the exact cause of the problem; it was not the SG300. It must have something to do with how VMware Fusion VLANs work. I moved from Fusion to an ESX box and it immediately started working with no other changes.