cope.chris
Beginner

VLAN gateway access???

Hi

My name is Chris and I’ve recently bought an SG 300-52 for my company with the main intention of using the L3 switching. I’ve recently gone on a 3-day Cisco course and came back thinking I knew what I had to do, but as always, if you don’t have the experts next to you to answer the questions, you soon have problems.

Hopefully this is a very simple question/solution for you guys

I have set up 3 VLANs. The switch is basically on its default settings and VLAN 1 connects straight to the router/gateway and on to the internet, but VLANs 2 and 3 do not; they are completely locally contained to their own non-DHCP networks...

…So the question is, how do I get VLANs 2 and 3 on the internet and able to talk to each VLAN?

The keywords I’ve come across in my search are static routing between VLANs and inter-VLAN routing. I’m assuming I need to do one of these?

I’m sorry if this seems simple... Please help

Regards


Ok…

Router (IP 81.187.174.129):

Rule: anything for 192.168.2.x (VLAN 2 network) send to 81.187.174.136, the switch's gateway (which the router is physically connected to), for the switch to then route the packet. I’ve got that loud and clear and all that is working.

I do understand, honestly.

I’ve set the DHCP on the router so all DHCP clients have the 81.187.174.136 gateway (the switch’s gateway instead of the router's), so that’s lovely and fine now; all traffic is going to the switch first. Great, just what I wanted.

VLAN 2 can ping the router 81.187.174.129 from 192.168.2.69 through its local gateway of 192.168.2.1. The switch then takes the packet and sends it to the next hop 81.187.174.129 (the router) from the switch’s 81.187.174.136 interface. If this default route is taken out then the switch has NO WAY of getting to the router, so I CAN'T remove this, as the system will not ping the router for obvious reasons.

The route in the router states

VLAN2,

Direction ANY>LAN,

TARGET 192.168.2.x/24,

SEND to 81.187.174.136 (next hop)

So this all makes perfect sense surely.

The NIC on the PC connected to VLAN 2 is configured as follows…

IP 192.168.2.69/24

GW 192.168.2.1

DNS 81.187.174.129

This also makes perfect sense… hopefully

wait a tick........

I'VE DONE IT!!!!!!! Haha

I’ve just configured another route in the router

LAN->WAN(WAN)

Any

Any->Any

Any

Any

81.187.173.141

NAT

Thank you guys for all your help, I would like to virtually shake your hands, I am so happy this has finally come to an end…… for now.

You have all been so helpful.

Thank you all and merry Christmas!

David Carr
Frequent Contributor

That is awesome Chris,


I am glad Alejandro and I could assist you.


Virtual hand Shake Accepted.

I have to apologize because I misunderstood your IP addressing... the connection from the switch to the router is on the 81.187.174.129 network, so we are not NATing until after we leave the Firebrick. Man!!! I should have put that together, just never did... till now!

You needed to create the route but from the looks of it, you needed to add a NAT pool or NAT rule to tell the router to NAT all IPs from the LAN. I was just thinking the public IPs were on the "cloud" side of the Firebrick. It does feel good once you get it working, no?!

Sorry for dragging this out but sure glad I was able to help... at least so you think! 

I read and followed this but I'm still having an issue.

My setup is slightly different. I have the SG300-20, but my gateway is set to VLAN 2. VLAN 1 is (as you know) the administrative VLAN and I'd like to keep it that way, leave it alone. So I assume all I have to do is set VLAN 2 as the default and reboot the switch... correct?

My question is this: what if we're using a gateway that's non-VLAN-aware?

I've so far configured VLAN 2 as if it were a regular gateway, only the addresses are static.

So the gateway would be 192.168.2.1 on the 192.168.2.0 network, with VLAN 2 being assigned 192.168.2.2.

Is this a possibility?

I'm trying to make it a sort of "generic" setup, so should I decide to throw on a new router, all I have to do is set the device IP on the LAN side and then just plug it in. Also, I'm trying to relinquish all routing and so forth to the switch so the only task the gateway will have is firewall duties.

I'm a newbie at this stuff, so go easy on me if I sound like a total moron..

thanks in advance

Jeff

Jeff,

The management VLAN is just for management of the device. The default VLAN is kind of the untagged VLAN, or the VLAN a port would be in if you were to reboot the switch.

For the management VLAN, you would need an IP address and gateway on that VLAN so you can access it from another VLAN.

At that point you can make a trunk port to the router and be able to access it from different VLANs.

Hey David, thanks for the reply.

Yes, I'm aware that VLAN 1 is just a management VLAN, and as of now it defaults to that.

What I'm trying to do is as follows:

In Chris's post, his gateway/router has the various routes set in it. I was wondering if the switch can be configured so that the default VLAN (in my case VLAN 2) is configured so the gateway/router doesn't need to have those routes set in it.

I'd like to have my SG300 (it's in layer 3 mode) all set up, create some ACLs or whatever so that whichever devices plug into whatever ports get assigned whatever addresses on whatever VLANs, BUT be able to stick any gateway in front of it without any VLAN configuring of the sort on the gateway. So, for example, I take an old Linksys WRT54G, disable wifi and use it strictly as a firewall (I'm only using the WRT54G as an example because it's not VLAN-aware and therefore doesn't have provisions for routing tables (if I recall correctly)), plug it in and have instant internet access.

All requests from all PCs on all VLANs get sent to VLAN 2, which acts as a proxy and sends the request to the gateway.

Without any knowledge of routes, the gateway can just sit there and function purely for firewalling.

Forgive me if I'm not explaining this properly.

Thanks!

Jeff,

I think I got ya. Use VLAN 2 to be on the same network as the gateway (gw ip 192.168.1.1, switch ip 192.168.1.2).

Then create your VLANs, put IP addresses on the VLANs, then assign the VLANs to ports.

Then create a default route to the gateway looking like this: 0.0.0.0 0.0.0.0 next hop 192.168.2.1.

Then, since the switch doesn't have routing protocols, you will have to put static routes for each VLAN you created and point them back to the switch's IP address (192.168.1.2). This way the router knows how to get the traffic back to the VLANs.

(example: vlan 10 192.168.10.0 255.255.255.0 192.168.2.1)
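As an added illustration (not code from this thread or from Cisco), here is a small Python model of the two routing tables Chris and David describe: the SG300 with its VLAN interfaces and a default route to the router, and the router with and without the static routes back to the switch and with the NAT rule on or off. It walks one packet out to the internet and its reply back, so you can see which piece is missing when a VLAN can reach the router but not beyond it. The /28 mask on the switch-router link and the test destination 198.51.100.7 are assumptions.

```python
import ipaddress

# Constructed from the thread's addressing: VLANs 2 and 3 sit behind the SG300,
# the switch's uplink 81.187.174.136 talks to the router at 81.187.174.129,
# and the router's NAT rule rewrites LAN sources to 81.187.173.141.
# The /28 on the switch-router link is an assumption; the thread gives no mask.
ROUTER_IP, SWITCH_UPLINK, NAT_IP = "81.187.174.129", "81.187.174.136", "81.187.173.141"
LAN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.168.2.0/24", "192.168.3.0/24")]

class RoutingTable:
    def __init__(self, routes):
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop, 'connected', or None."""
        dst = ipaddress.ip_address(dst)
        hits = [(n, nh) for n, nh in self.routes if dst in n]
        if not hits:
            return None
        net, nh = max(hits, key=lambda r: r[0].prefixlen)
        return nh or "connected"

# The L3 switch: an interface per VLAN plus the default route David describes.
SWITCH = RoutingTable([("192.168.2.0/24", None), ("192.168.3.0/24", None),
                       ("81.187.174.128/28", None), ("0.0.0.0/0", ROUTER_IP)])
# The router before and after the static routes back to the switch are added.
ROUTER_NO_RETURN = RoutingTable([("81.187.174.128/28", None), ("0.0.0.0/0", "isp")])
ROUTER_WITH_RETURN = RoutingTable([("81.187.174.128/28", None), ("0.0.0.0/0", "isp"),
                                   ("192.168.2.0/24", SWITCH_UPLINK),
                                   ("192.168.3.0/24", SWITCH_UPLINK)])

def round_trip(router, src, dst, nat=True):
    """Walk one packet from a VLAN host to dst and the reply back to the host.
    Returns 'ok' or a short reason the reply never reaches the host."""
    nh = SWITCH.lookup(dst)
    if nh == "connected":
        return "ok: delivered by the switch without the router"
    if nh != ROUTER_IP:
        return "switch has no route to destination"
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in p for p in LAN_PREFIXES) and not nat:
        return "private source leaks to ISP, reply never comes back"
    if router.lookup(dst) != "isp":
        return "router has no route to destination"
    # The reply arrives at NAT_IP; the router untranslates it and must route to src.
    back = router.lookup(src)
    return "ok" if back == SWITCH_UPLINK else f"router routes reply to {back}, not the switch"
```

The case that reproduces Chris's symptom is `round_trip(ROUTER_NO_RETURN, "192.168.2.69", "198.51.100.7")`: the router's only match for 192.168.2.69 is its default route, so the reply is sent to the ISP instead of back to the switch.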

Yeah, last night I basically attempted to set up VLAN 2 as if it were a gateway, but the SG wouldn't allow certain IPs to be entered..

The only thing I didn't do was set VLAN 2 as default; I didn't know if that's mandatory or not. It doesn't seem like it should matter: if I'm directing all VLANs to use VLAN 2 as a means to get to the www, then that should be it, right?

Do I have to enter a DNS?

Like I said, I'd like to make it so I can take any simple box, plug it into the port associated with VLAN 2 and have it all just work (of course the box's LAN IP will be set appropriately.. but I don't wanna have to put in a route configuration if I don't have to).

Thanks!

Here's another question.. (I'm trying to get a better understanding of how to perceive VLANs)..

I understand the differences between a trunk, general, and access port. Not really sure what tagged vs untagged means..

Can the default VLAN that is responsible for providing an interface to the gateway (in my case VLAN 2) be set as just an "access" port, since there aren't multiple VLANs passing data over it?

This is what I mean by 'perceive'. In my mind, I envision having several VLANs, one of which functions as an interface to the internet via a firewall/gateway, and all internet requests from the various VLANs ultimately send packets to the default VLAN, which then sends the packet on to the internet.. almost like NATing/proxying.

I know, I'm making things way too complicated and probably sound like more of an idiot if anything..

Thanks in advance for any explanations and patience

-Jeff

Hi David,

I have seen your great explanation on the post explaining intervlan routing on L3 switch and internet access with a router doing NAT.

I'm asking for your advice. Do you know if Small Business Routers can perform this kind of NAT (multiple subnets not configured on their LAN interface), maybe the RV120W, RV220W, SA500, SR500 or any other small business device? I have searched over the documentation, forums and more but with not too much luck. I think the SR500 can do it because it is IOS-based, but I'm not sure about the others. If you have some information about routers or firewalls for small business that can perform this, I will appreciate it a lot.

Thanks for your help.

Hi Christian,

The routers you mentioned should be able to handle gateway access when using a layer 3 switch. The important feature is the ability to add static routes pointing back to the switch for the other subnets.

Thanks a lot for your help Robert.