cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

CISCO SWITCHES FOR SMALL and MEDIUM BUSINESS

Introducing the next generation of Cisco Small and Medium Business Switches. Cisco is refreshing its SMB Switch portfolio. Click here  to learn more.


7220
Views
44
Helpful
26
Replies
cope.chris
Beginner

VLAN gateway access???

Hi

My name is Chris and I’ve recently brought a SG 300-52 for my company with the main intention of using the L3 switching, I’ve recently gone on a 3day cisco course and came backing thinking i knew what i had to do but as always if you don’t have the experts next to you to answer the questions you soon have problems.

Hopefully this is a very simple question/solution for you guys

I have setup 3 VLANS, the switch is basically on its default settings and VLAN 1 connects straight to the router/gateway and on the internet but VLAN 2 and 3 do not, they are completely localy contained to their own Non DHCP networks...

…So the question is how do I get VLAN 2 and 3 on the internet and able to talk to each VLAN?

The keywords I’ve came across in my search are static routing between VLANs and InterVLAN, I’m assuming i need to do one of these???

I’m sorry if this seems simple... Please help

Regards

26 REPLIES 26
David Hornstein
Rising star

Hi Chris,

Imagine the black box in the diagram below has three VLANs. This black box represents a Sx300 series switch.

You have put the switch into Layer 3 mode via the console or telnet /SSH  session, this will reset to factory defaults and reboot the switch..

You  then created your two extra vlans  and assigned three different  IP addresses , one for each vlan.  (see diagram below)

The WAN router provides DHCP services for it's ethernet devices and devices plugged onto VLAN1 of the switch, because they are both connected together via a cat5e cable..

Since VLAN2 is a seperate broadcast domain, DHCP broadcasts do not leak from VLAN1 to VLAN2 or VLAN3.  And conversely broadcast traffic such as DHCP, ARP etc... stay within the VLAN that the traffic originated from.

But,  going back to a previous statement, VLAN2 and VLAN3 within the Sx300 switch have seperate IP addresses associated to that  VLAN.

This creates;

  1. interface routes within the switch, so that a PC in VLAN3 with a IP address of 192.168.3.2 and a default route pointing to 192.168.3.1 will be able to ping 192.168.2.1 and 192.168.1.2.  Why because all the vlans within the SG300 can 'see' eachother.

    •         This PC at IP address 192.168.3.2 will not be able to ping 192.168.1.1, until you add a static route within the WAN router.;
    •         This route will tell the router that to get to network 192.168.3.0  with a  mask=255.255.255.0  the nexthop will be 192.168.1.2

   2. These IP addresses that you program in for vlan2 and vlan3 are also gateway addresses for the PCs connected on those specific VLANs.

'See' is a tough word, let me suggest that every time we add a VLAN and associate a host IP address on that VLAN,   other vlan interfaces within the switch will immediately be able to route to those networks.

The screen capture below shows that I have lots or routable vlans within my switch and can route between 10 networks.

The IP addresses (except for VLAN1 )  shows are gateway addresses for PC connected on those particular VLANs.

Somewhere in the GUI is an option to add a default route, which tells the switch,  if you don't know where to send a packet, send it down the default route.  In your case you need to add a default route that would point to the LAN IP address of your WAN router.

In my case below I would have a default route with a nexthop equal to 192.168.20.1, which is the next interface my packet would hit when it left my SF300 switch.

  that's it, hope this long winded answer helps you and others.

regards Dave

Thank you very much for your help, I’ve now configured it to L3 and in the middle of configuring the VLan's but you mentioned....

''-This PC at IP address 192.168.3.2 will not be able to ping 192.168.1.1, until you add a static route within the WAN router-''

I was under the impression that when a switch is in L3 mode it then does this function so the router is only needed for firewall and the DHCP part???

Regards

Update... for some unknown reason I’m very unsure about, when i set VLan1 to obtain an IP dynamically it shows it as down; IP 0.0.0.0 subnet of 255.255.255.255, although all the device's on that network gets the DHCP fine, just the switch doesn’t obtain one. When i statically set the IP I can then access the switch on that VLan OK. i can’t work out why it’s doing this!?

Hi Chris

Lets have a look at the following real example from my home network.

I actually pasted the route table from my WAN router above.  It only represents the route table in the WAN router and NOT the 300 series switch.

So here a little bedtime story that follows the track of a packet going to the internet from a Host on VLAN3.

So lets look at a packet originating from a PC within VLAN 3 with a source IP address of 192.168.3.100 and it wants to go to cisco.com  destination IP address 64.34.33.234.

This packet arrives at the Layer 3 switch , the SF300-48P.  The switch looks at the destination address of the packet and cannot match the destination address with any locally connected networks.  The 300 series switch had a default route that says if the network=0.0.0.0 send it out to the gateway or next hop of 192.168.1.1.

( By the way a static route within this network  of  ip=0.0.0.0 and netmask=0.0.0.0  nexthop/gateway=192.168.1.1 is called a default route.


It basically tells the layer 3 switch I don't care where the packet is going, send it out to the following  gateway.)

The packet from 192.168.3.100 now arrives at the WAN router.  This packet is destined to go out to  64.34.33.234.

The WAN router runs the destination address through it's routing table and only finds a match with the default route.  The wan router performs a NAT and sends the packet out to cisco.com.

Cisco.com at ip address  64.34.33.234 send a reply back to the WAN router.

The wan router knows, via the NATing process that the reply is destined for 192.168.3.100.

It searches through it's route table and says ..huh..i know how to get to 192.168.3 network is,  I have a static route that directs the packet to 192.168.1.2.  I'll now let 192.168.1.2 worry about getting the packet to the right IP host.

The reply packet that has been forwarded by the WAN router then hits the 300 series switch.  The 300 series Layer 3 switch has Interface routes created when the VLANs and IP addresses were created and knows which VLAN  and switch port to forward the reply to.

Ok this is a simple simple bed time story, but basically what really  happens within this simple network.

If the box in the picture above,  on the right represents any of the small Business switches (200 , 300 etc..) , this Layer 3 switch knows where vlan2 and 3 are as the layer 3 switch have low preference  interface routes within the switch itself.

If this really is a stumbling block, I am happy to talk to you..

Just send me  contact details referencing this posting to dhornste at cisco.com .

I think you can figure my email address.

sincere regards

Dave Hornstein

What ive found so far...

from VLAN 1 81.187.174.136 (switch interface) i can ping VLAN 2 Interface (192.168.2.1) and visa versa,

i can NOT ping ANY clients that are within these VLANS. the router is connected into VLAN 1 with a gateway of 81.187.174.129 and this cant be pinged from VLAN 2 but of course VLAN 1 can ping it fine.

the default route on the switch is 0.0.0.0/0 next hop 81.187.174.129

on the router i have created a route for


From ANY source send to LAN on Gateway 81.187.174.136
Target IP 192.168.2.0 - 192.168.2.255

Still cant get VLAN 2 to connect to the internet or VLAN 1!?!?!

UPDATE...

Pinging between the VLAN 1 and 2 works, removed both firewalls and on the PCs

Just need to route VLAN 2 down the 81.187.174.129 router/gateway for internet access, Still need help with this part, is it just router config based?

i think i have nearly cracked it, i can view and control a camera on the other VLAN but cant get internet access out of that VLAN, im assuming its something to do with the DNS settings on the client device within that VLAN... what should the DNS be set to... next hop Router??? local gateway???

can someone please help

Regards

Ok, think of it like this....

for my computer to get out of my network it needs to know two things:

1. how do i get out?

2. how do i get back?

So  a VLAN is a network, and for my network to really serve most needs it needs to be unique and have a gateway (the way out). You already have  this and brings us a bit closer. The thing is that the routers need to  know where you are and how to bring you back. This is where your  problems is.

So my network 10.10.1.0/24 is my private  place. I am attached to a L3 switch on VLAN 20... Since the switch is acting like a router VLAN20  is an interface and needs an IP address.  This IP address will be my network's gateway. On my computer the NIC  will be configured like this:

IP: 10.10.1.30

submask: 255.255.255.0

gateway: 10.10.1.1 <== This is the interface "VLAN20" on the switch.

Now! I know how to get out but the switch does not. So what will happen is  that any pings would be returned as not routeable. So we place a default  route entry in the switch like this:

route 0.0.0.0/0  to next hop 10.20.20.1 <== this will be the next routing device. It  can be another L3 switch or a full on router. BUT!!! this network  will  need to belong to the switches VLAN 1 interface (typically). So now I  can get to my router with an interesting or potential problem. If the router has no idea where 10.10.1.0/24 network lives our ping requests  will "Time Out". This is not because we can't get there is because the router does not know how to bring us back! THIS is your problem.

Make  sure all routing devices have the proper information for each hop. So  the router should have entries in it for your networks like this:

route 10.10.1.0/24 next hop 10.20.20.2 <== this is the VLAN 1 interface in my example.

route 10.50.1.0/24 next hop 10.20.20.2

route 10.60.1.0/24 next hop 10.20.20.2 and so on. All of these networks are VLANs on my L3 switches, but notice that we are sending them to only ONE IP address; which is typically the native VLAN.

Hope this helps!

Message was edited by: Alejandro Gallego (corrected typos)

Thank you for the reply, that really made me step back and look at it in a different perspective.

I can now ping the Router from VLAN 2 while the router is connected into the VLAN 1 interface, brilliant!!!

But I’m still having trouble getting out to the internet. i assume the router doesn’t need another subnet interface for the VLAN 2 address as the switch will send the packet (from a VLAN 2 source) out of the default gateway from VLAN 1 interface with the VLAN 1 address attached to it (if that makes sense)... so why can’t i access the internet???

The usual NAT is on the WAN interface of the router, do I need Proxy ARP on the Router as well as the switch?

Sorry for all the questions but I’m just so close.

I have attached a picture of the routing table for the router, hope that helps you help me J

Thanks to you guys for helping me so far I really do appreciate it

I may not be reading your attachment correctly but it looks like the route entries you have are not correct.

First make sure you are not placing a route entry for the VLAN1 (this is assuming that the switch and Fire Brick are on VLAN1).

Second, remove the entry for "LAN > LAN" the router should never see this type of traffic. That is the Switches job!

*** take the below statement as an idea. I am not familiar with Fire Brick and I may not be reading the route table correctly ***

Third, the entry for "Myfirebrick > LAN" should be source ANY destination 192.168.2.0/24 gateway 192.168.1.1

The point is that we need to tell the router to send the packet destined for 192.168.2.0/24 network to the next router in line. Since a router can only route on a directly attached interface it would have to point to the switch IP address. That would be its next hop, then it is up to the switch to either route it, or drop it.

So assuming that the switch VLAN 1 IP address is: 192.168.1.1 and it has a default route of 0.0.0.0/0 next hop 192.168.1.2 (this being the Fire Brick)

NetworkNet Mask
Next Hop
192.168.2.024192.168.1.1
192.168.3.024

192.168.1.1

192.168.4.024192.168.1.1

NOTE: We are never specifying public networks here. Our router will not be able to talk with the ISP's router, so the route statement would either be ignored or you will have problems getting out. This is not to say that the router will not populate the field, just saying that should not be a manually configured entry.

I hope this solves your problem.

Thank you for the reply, i had the LAN>LAN route in there to make it easy for me to use the Firebrick's DHCP so i could access VLAN2 via the firebricks gateway. that was down to me being unintentionally lazy as I’m swapping between LAN's i just put it on DHCP and routed down, none the less i have done it properly now.

My network is as follows...

Firebrick:

Gateway: 81.187.174.129/25 with DHCP

Switch: (Next hop 81.187.174.129^)

VLAN 1 (Physically connected to the Firebrick Router)

Gateway: 81.187.174.136/25

VLAN 2

Gateway: 192.168.2.1/24

I can ping the router 81.187.174.129 from VLAN 2 (192.168.2.x) and that seems to be fine, just no internet access.

The NIC on the VLAN 2 interface is as follows…

IP- 192.168.2.55

SN- 255.255.255.0

GW- 192.168.2.1

DNS- 81.187.174.129

I have attached another/different picture of the firebricks route to the switch, I just can’t make sense of it, as far as I’m concerned it ‘should’ work.

Do you have any other solutions I could try or any techniques I could try to see what the problem is?

Once again thanks in advance

"Switch: (Next hop 81.187.174.129^)"

This should not be configured anywhere on the SG switch, the switch next hop is what is missing. You are thinking (from the looks of the route statement) that you need to route OUT, when that is not the case. We need to route IN!

Just configure your network EXACTLY as follows: (just make sure to use your valid IP addressing)

FireBrick:

WAN: set to DHCP

LAN:

     IP: 192.168.1.1 /24 <= (replace with your current IP, but this should be private address not public. If it is public, then we have something else..)

Route Statement

192.168.2.0 /24 next hop 192.168.1.2 <= NOTE THIS STATEMENT

======================

SG Switch:

VLAN1

IP: 192.168.1.2 /24

VLAN2

IP: 192.168.2.1 /24

Default Route

0.0.0.0/0 next hop 192.168.1.1 <= NOTE THIS ENTRY

==========================

The object is just to make sure that the router knows that it has another network attached to his VLAN1 interface. The Firebrick is NOT doing any inter-vlan routing and it will NOT route any traffic for VLAN2. It will only hand the traffic destined for VLAN2 to its neighbor router which is attached on his interface; VLAN1 ip address. There is no reason to have any VLAN2 ip addressing on the Firebrick only a route pointing to the SG switch.

The thing is that from you posted it looks like you are including the WAN as part of a VLAN. The public IP addressing will stay on the router because he will be performing the NAT function. The SG switch will never NAT it will only route the packets to the appropriate routing device.

Please correct me if I’m wrong but you may be mistaken?

"Switch: (Next hop 81.187.174.129^)"

This should not be configured anywhere on the SG switch, the switch next hop is what is missing. You are thinking (from the looks of the route statement) that you need to route OUT, when that is not the case. We need to route IN!

*The SG 300-52 cisco switch has a default gateway (next hop) of 81.187.174.129 (that’s the routers gateway)*

The meaning for this is when the SG 300-52 cisco switch doesn’t know where to send a packet it then sends it up the default route (next hop) then the router decides where its suppose to go from there?

*The Firebrick router has a default gateway of 81.187.174.136 for any 192.168.2.x traffic (that’s the switch's VLAN 1 gateway)*

They can communicate OK and it all pings OK so there’s no LAN issue now,

i just can’t access the internet from my 192.168.2.x network on VLAN2, my logic tells me that the packet gets sent from a client device on the VLAN2 192.168.2.x and is destined for 64.34.33.234, the SG 300-52 finds that it’s not for any of its interfaces so sends it to the default gateway (firebrick) the firebrick checks its routes then sends the packet to the WAN interface… when the packet comes back through the WAN the firebrick runs its route ‘’192.168.2.x send to 81.187.174.136 (SG 300-52)’ this is then received by the switch and then the switch sends the packet to the 192.168.2.x interface and jobs done. So from what I can see is all the internal routes are fine there just doesn’t seem to be that transition between 192.168.2.x to the WAN, please correct me if I’m wrong… I don’t need to set up a 192.168.2.x subnet on the router with NAT do I?

I can’t change our DHCP range or Gateway IP address as our other company look after the sales accounts etc on these IP’s and they can access our server that they need to do from time to time, don’t ask me why they have done it this way because I have asked them many times and they take it personally so I’ve gave up with them.

By no means do I doubt you I just need to get it clear in my head, it’s nearly there but not quite. And thank you for your patience so far.

I can ping the LAN and WAN IP of the router from the VLAN 1 - 81.187.174.X/25 network but

can only ping the LAN IP of the router from the VLAN 2 - 192.168.2.X/24 network, does that indicate the problem to this issue?

David Carr
Frequent Contributor

Mr. Cope,


I was reading your post and I have set this up numerous times.  With the switch in layer 3 mode and ip addresses on the vlans, as long as you have the vlan address as your gateway and your plugged into an access port for that vlan you will be able to ping from one vlan to another.  With these switches if you don't have something plugged into a vlan, it will not build a route for it.  Now when you plug a device into a port for that vlan, then the switch will populate in the routing table for that vlan and network.


Locally as long as your using the switch as your gateway for each vlan, you can go from one vlan to another.


The internet access part.  As long as you have a joining interface to the router for example 192.168.1.1 (routers lan) and 192.168.1.254 (Switches vlan1 interface).  Then create a default route in the switch looking like this 0.0.0.0 prefix length 0 next hop 192.168.1.1.  This will forward all traffic to the router for the default route.


Now Like Allejandro was stating getting there is half the battle.  The switch does not have any routing protocols to populate the routers routing table so you have to make static routes back to the switch for each network other than the vlan 1 network.  For example (192.168.2.0 prefix length 24 next hop  192.168.1.254).  You will need to do this for all the vlan networks you have created behind the switch.


Now if you can ping the router from a vlan and get a response but not get out to the internet, check the following, Ping the wan ip address of the router.  If you cannot do this, then the router may have an access list or rule in place to prevent your network across the lan to the wan of the router.  If you can ping the router but cannot get any web pages to pull up, verify that the dns that you have on the pc is up and running.  For a test you can use one of these dns server addresses 4.2.2.2, 4.2.2.1, 8.8.8.8.



Let me know if this helped.


Thank you

"can only ping the LAN IP of the router from the VLAN 2 - 192.168.2.X/24 network, does that indicate the problem to this issue?"

Yes this is where the problem is. Just as stated by David Hornstein, and David Carr in the previous post we can not create a route via a network that is not directly attached. In other words, if I am a router with network 1.2 and 1.3 directly connected to me and a client on network 1.3 needs a resource on network 4.5 I CAN'T route the request. But if I have a route statement that tells me how to get to 4.5 then I can SEND the request in that direction. Notice the wording I am using, this important to understand. Now that I have a route I will send the request to the next closest destination (next hop), which in this case is the 1.3 network. So my route statement may look something like this:

10.4.5.0 /24 next hop 10.1.3.1 NOTE: the next hop is a destination IP not a network.

There is no way I can get out of my house by exiting through my neighbors front door! This is another way of looking at it. Just trust us, and correct your switch as stated previously.

The reason you cannot ping your public IP is this; every packet has a source and destination IP address. If you send your ping request directly from your LAN host the source IP will the host's PRIVATE IP and the destination would of course be the public. The request does get to the router, but when the router responds to your host with the private IP, the packet gets KILLED out in the cloud. Private addressing is not routeable.

Fix your switch already!!