Cisco SG300-10 - How to set up Inter VLAN routing.

I have an urgent issue with the above switch:

I have a connection on IP 192.168.1.21, subnet 255.255.255.0 - this is on the default VLAN1 on the switch. I need to route this to IP 10.0.3.101, subnet 255.255.252.0 - which is set up on VLAN2 on the switch. I have set the switch to Layer 3 via console.

Could someone please advise how I set up this route? I am using the browser-based interface.

Gavin


Hi Richard, this is more complicated than it should be.

There is a very small requirement for this to work.

The requirements are

  • Switch in layer 3 mode
  • More than 1 vlan created
  • An IP address assigned to the vlan
  • At least 1 port assigned and connected within the desired vlan

These are the only requirements for inter-VLAN communication on the switch to function. If you have a computer connected to VLAN 2, the IP address of that computer should be in the same subnet as the VLAN 2 interface, and the default gateway should be the VLAN 2 IP address/netmask.

If it does not work it is because of an external factor such as a Firewall or misconfiguration of a network card or something of this nature.

-Tom
Please mark answered for helpful posts


I've tried (or think I have tried) everything in this chain and I'm still having problems.  Below is a conceptual drawing of what I have right now.

The Cisco 300-10 acting as a core switch is in L3 mode.  It serves as my DHCP server and sets itself as the default gateway (192.168.2.11) for all clients on VLAN1.  It also is the default gateway through the 192.168.4.11 address for all devices on VLAN10.  As you can hopefully tell, I have devices from both VLANs attached to all three switches.  I am trying to get the Cisco 300 to do all internal VLAN routing for me.  I have VLAN10 created on the Cisco 300 and it sees it as a local interface in the routing table.  I have one static route set up in the routing table, to send 0.0.0.0 to the RV042G router out to the internet.

The reason I am trying to do this is because the RV042G does not handle VLANs in the traditional sense at all.  So I'm trying the Cisco 300 as an inter-VLAN router.  I think my real problem is that I have the RV042G and the default VLAN on the Cisco 300 both on the 192.168.2.xx subnet.

So what I think I need to do is put the RV042G on another subnet (192.168.1.x) and leave it on VLAN1.  Then on the Cisco 300 make the default VLAN something else (9, let's say) and move all the VLAN1 ports to the new VLAN 9, except for the port that is plugged into the router.  Then assign 192.168.1.2 to VLAN1, which is only available on the port attached to the RV042G, and put the default route 0.0.0.0's next hop as 192.168.1.2.

Does that sound right?  Or am I way over thinking this?

1) Turn off vlan 1. If not possible, do not put an IP on it.

2) Make your management vlan 10; give it, say, 10.5.10.0/24. All your switches/routers need an IP for management.

3) Make a user vlan, call it 20; give it, say, 10.5.20.0/24. This is for host computers, users.

4) Make a wireless vlan, call it 30; give it, say, 10.5.30.0/24. This is for "guest" users; put an ACL on it that goes like:

permit ip 10.5.30.0 255.255.255.0 10.5.30.0 255.255.255.0
deny ip 10.5.30.0 255.255.255.0 10.0.0.0 255.0.0.0
permit any any

This allows wireless to talk to wireless, then blocks it to all internal addresses, then permits all traffic.

5) Make a video vlan, call it 40; give it, say, 10.5.40.0/24. This is for your wireless cameras and video server.

6) Make a server vlan, call it 50; give it, say, 10.5.50.0/24. This is where your other servers like file sharing and such go.

7) On your trunk ports, permit the vlans you want. Based on the diagram I see:

rv042g to 300-10: permit all vlans
300-10 to 302-08: permit 20 and 40
300-10 to sr208: permit 20 and 40

And then have the rv042 do all inter-vlan routing, or else you can have the 300-10 do the inter-vlan routing. This will allow you to add a "guest" wireless to your network without compromising your network; just add it where you want and throw the ports into that vlan. Just remember to NOT give the wireless access points vlan 10 IPs; give them vlan 30 IPs.

Thanks for the quick answer.  I was on the phone with Cisco support last night and they had me go to just vlan 1 (default) and vlan 10 (security).  So I'm back to where I was in the earlier drawing.  I'm not sure what you mean by not having an IP address assigned to vlan 1.  Don't I have to have one to specify the next hop?  At this point, all I think I need are the two VLANs: the security camera vlan (10) and the default vlan (1).  I would like to get this working with those first.

Below are what I think are the relevant excerpts from my running-config

SW11#show running-config
config-file-header
SW11
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

vlan database
vlan 10
exit
ip arp inspection vlan 1
ip arp inspection vlan 10
no ip arp proxy disable
ip dhcp pool network Security
address low 192.168.4.100 high 192.168.4.149 255.255.255.0
default-router 192.168.4.11
time-server 192.168.2.94
exit
ip dhcp pool network prod
address low 192.168.2.100 high 192.168.2.149 255.255.255.0
domain-name us.fs.com
default-router 192.168.2.11
time-server 192.168.2.94
dns-server 192.168.2.94
netbios-name-server 192.168.2.94
exit
ip access-list extended AllowAny
permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
exit
hostname SW11
!
interface vlan 1
ip address 192.168.2.11 255.255.255.0
no ip address dhcp
service-acl input AllowAny default-action permit-any
!
interface vlan 10
name Security
ip address 192.168.4.11 255.255.255.0
service-acl input AllowAny default-action permit-any
!
interface gigabitethernet1
switchport mode access
!
interface gigabitethernet2
switchport mode access
!
interface gigabitethernet3
switchport mode access
!
interface gigabitethernet4
switchport trunk allowed vlan add 10
!
interface gigabitethernet5
switchport trunk allowed vlan add 10
!
interface gigabitethernet6
switchport trunk allowed vlan add 10
!
interface gigabitethernet7
switchport mode access
switchport access vlan 10
!
interface gigabitethernet8
switchport trunk allowed vlan add 10
!
interface gigabitethernet9
switchport trunk allowed vlan add 10
!
interface gigabitethernet10
switchport trunk allowed vlan add 10
!
exit
ip default-gateway 192.168.2.1
SW11#

Thanks

Hi Chip, if you got time Sunday night (after 7pm EST)  or Monday/Tuesday the same time, after 7pm EST, let's take a look. I also do not work Wednesday-Friday and I wouldn't mind to volunteer the time to get you working as desired.

If you'd like to take me up, send an email to tmw0402@hotmail.com

-Tom
Please mark answered for helpful posts


ok, for this to work, you create a vlan 10 on the RV042G, set it to ip 10.5.10.1, and set that as the default vlan

my assumptions:

gi1: unused, changing over to hot plugin for management with dhcp.  setup so you can plug in a computer, get dhcp ip in your management vlan to configure/manage anything

gi2: uplink trunk port to your edge device the RV

gi3: unused

gi4: server directly connected

gi5: server directly connected

gi6: server directly connected

gi7: video server

gi8: unused

gi9: downlink trunk port to 302-08 with users, video, adding guest/wireless, assuming it is vlan capable, needs IP on its management vlan interface, possibly 10.5.10.3

gi10: downlink trunk port to SRW2008 with users, video, adding guest/wireless, assuming it is vlan capable, needs ip on its management vlan interface, possibly 10.5.10.4

1) i am adding in the NTP configuration i use for my switch, which syncs with NIST's servers. They work on a round-robin setup and ask that you use their DNS record rather than an IP for load balancing, so i configured Google DNS.  you can now point all your devices at this device to pull their NTP/time information

2) vlans are all configured to use google's DNS servers, you can change the IPs to your ISPs DNS if you want, keep in mind that google DNS is a Class A DNS server which means they get updates fast, and provide public access to users at large which is rare for Class A DNS owners.  Most ISPs with Class A DNS servers just use them as reflectors for B and C DNS.

3) as far as i know, we cannot apply ACLs to vlan interfaces, so i applied the guest/wireless vlan to the trunk ports that will allow guest/wireless to talk to each other, then blocks it to all private space, with a closing permit any any to allow connected devices to hit the internet but not allow it to hit your internal network.  you can change that to meet your needs.

4) you will have to create the vlans on the devices, and it makes it really easy to add wireless/guest ports.  just put one of those ports into vlan 30, connect your AP, make sure DHCP is disabled, and it will pass DHCP requests to your device although you may need to configure the IP on them.  you can assign 10.5.30.2-99 to your APs and your hosts will pull an ip 101-200.

SW11#show running-config
config-file-header
SW11
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
spanning-tree mode mst
default-vlan vlan 10
exit
vlan database
vlan 1,20,30,40,50
exit
ip arp inspection vlan 10
no ip arp proxy disable
ip dhcp server
ip dhcp pool network Management
address low 10.5.10.50 high 10.5.10.55 255.255.255.0
default-router 10.5.10.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Users
address low 10.5.20.10 high 10.5.20.200 255.255.255.0
default-router 10.5.20.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Wireless_Guest
address low 10.5.30.100 high 10.5.30.200 255.255.255.0
default-router 10.5.30.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Video
address low 10.5.40.10 high 10.5.40.200 255.255.255.0
default-router 10.5.40.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Servers
address low 10.5.50.10 high 10.5.50.200 255.255.255.0
default-router 10.5.50.1
dns-server 8.8.8.8 8.8.4.4
exit
hostname SW11
ip access-list extended Guest_Wireless_30
permit ip 10.5.30.0 0.0.0.255 10.5.30.0 0.0.0.255
deny ip 10.5.30.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.5.30.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.5.30.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
exit
clock timezone " " -5
clock summer-time web recurring usa
sntp anycast client enable ipv4
sntp broadcast client enable ipv4
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server time.nist.gov poll
ip name-server 8.8.8.8 8.8.4.4
!
interface vlan 1
no ip address
no ip address dhcp
service-acl input AllowAny default-action permit-any
!
interface vlan 10
name Management
ip address 10.5.10.2 255.255.255.0
!
interface vlan 20
name Users
ip address 10.5.20.1 255.255.255.0
!
interface vlan 30
name Wireless_Guest
ip address 10.5.30.1 255.255.255.0
!
interface vlan 40
name Video
ip address 10.5.40.1 255.255.255.0
!
interface vlan 50
name Servers
ip address 10.5.50.1 255.255.255.0
!
interface gigabitethernet1
description Hot_MGMT
switchport mode access
switchport access vlan 10
!
interface gigabitethernet2
description Uplink_RV042G
switchport trunk allowed vlan add 10,20,30,40
shutdown
!
interface gigabitethernet3
description EMPTY
switchport mode access
shutdown
!
interface gigabitethernet4
description Downlink_Server#1
switchport mode access
switchport access vlan 50
!
interface gigabitethernet5
description Downlink_Server#2
switchport mode access
switchport access vlan 50
!
interface gigabitethernet6
description Downlink_Server#3
switchport mode access
switchport access vlan 50
!
interface gigabitethernet7
description Video_Server
switchport mode access
switchport access vlan 40
!
interface gigabitethernet8
description EMPTY
switchport mode access
shutdown
!
interface gigabitethernet9
description Downlink_302-08
switchport trunk allowed vlan add 10,20,30,40
service-acl input Guest_Wireless_30
!
interface gigabitethernet10
description Downlink_SRW2008
switchport trunk allowed vlan add 10,20,30,40
service-acl input Guest_Wireless_30
!
exit
ip default-gateway 10.5.10.1


I have tried to post this a few places.... Please help!

Here is what I have:

1 SG300-20 (192.168.0.254)

1 Linksys E2500 connected to the Internet in another room out of wifi range (192.168.0.1 & DHCP 192.168.0.210-229)

1 Access Point WAP551 (192.168.0.253)

I have 10 Control System devices that need to communicate with each other.  I do not want them to have access to the internet.  I also want the traffic on their network to be limited to mainly their own communication only.  The main control device uses DHCP 192.168.0.11-191 and it cannot be turned off.  There are some devices that use DHCP and some that use static IPs.  The devices with static IPs that I need to communicate with are as follows:

192.168.0.2 port 3000

192.168.0.200 port 3002

192.168.0.201 port 3002

192.168.0.231 port 3000

192.168.0.232 port 3000

All of these devices have embedded web control pages which can be reached by putting the device's IP address in a browser of a computer on its network.  The problem is I need those computers to also have internet access.  I also have wireless devices such as iPads that need internet as well but also have apps that need to send these devices IP commands.

Internet devices that need to communicate with the non-internet devices:

iMac

iPad & iPhone

(Hoping for DHCP from the router)

I have gotten as far as setting up two VLANs.  My control devices see each other, my internet devices see each other, but that's it... no internet connection either.

Please help!

JJoyce

ok, so here is what i think you are trying to do:

e2500 connected to the internet via wan port
e2500 with 1 port connected to sg300-20

sg300 connected to the e2500 on gi1

sg300 connected to wap551


here is what you will want to do.

vlan 10: management vlan 192.168.10.0-255
vlan 20: control servers 192.168.20.0-255
vlan 30: wireless vlan 192.168.30.0-255

configure e2500 with IP 192.168.10.1
configure sg300 with vlan 10 ip 192.168.10.2
configure wap551 with ip 192.168.30.2
configure sg300 with vlan 20 ip 192.168.20.1

to configure routing to the separate vlans on the e2500:

if you go to advanced routing you should see something that allows you to configure static routing entries.

what you have to do is create a route to each vlan with their gateway as the sg300 vlan 10 ip

then to prevent vlan 20 from reaching the internet just create an ACL that you put on vlan 20 with:

ip access-list extended U_Control_20
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip any any

this allows traffic from the control servers to each of your other vlans, but blocks all other traffic


ip dhcp pool network Wireless_30
address low 192.168.30.5 high 192.168.30.64 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8 8.8.4.4

ip dhcp pool network Control_20
address low 192.168.20.5 high 192.168.20.64 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8 8.8.4.4

ip dhcp pool network Network_10
address low 192.168.10.20 high 192.168.10.64 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8 8.8.4.4

those are just some examples.  but the big thing you have to keep in mind is that for the e2500 to see and be able to route to the multiple vlans, you MUST setup the static routing to the different vlan ranges, otherwise they will not work.

 

that should help get you started at least in getting a unified network.  the important thing is to segregate your traffic through vlans.  plus I do not see anything about your other devices such as users and stuff.  oh, and for the port going to your WAP, you can just configure that port on the SG300 going to the WAP to that vlan, because WAPs are not always VLAN capable.  but that would still allow you to have the functionality.

 

if you do have other users and devices on the SG300, then that would require another 4th VLAN that you could set as something like vlan 40 with its scope.
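The Guest_Wireless_30 list in the SW11 config earlier in this thread and the U_Control_20 list just above both depend on SG300 wildcard-mask matching and top-down first-match order. The evaluator below is an added example (not from the thread or from Cisco): it parses those two lists exactly as posted and runs constructed sample flows through them, and `mask_to_wildcard` covers the subnet-mask notation used in the earlier sketch, which the switch does not accept in an ACL.

```python
import ipaddress

# Both ACLs are copied verbatim from the thread (SG300 syntax: wildcard masks,
# rules evaluated top-down, first match wins). Parser and flows are added here.
GUEST_WIRELESS_30 = """
permit ip 10.5.30.0 0.0.0.255 10.5.30.0 0.0.0.255
deny ip 10.5.30.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.5.30.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.5.30.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
"""
U_CONTROL_20 = """
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip any any
"""

def mask_to_wildcard(mask: str) -> str:
    """Bitwise inverse of a dotted quad: 255.255.255.0 -> 0.0.0.255.
    The inverse is symmetric, so the same call turns a wildcard back into a mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'10.5.30.0 0.0.0.255' -> 10.5.30.0/24 (contiguous wildcards only)."""
    return ipaddress.IPv4Network((addr, mask_to_wildcard(wildcard)), strict=False)

def _parse_addr(tok, i):
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_acl(text: str) -> list:
    """Turn 'permit|deny ip SRC WC DST WC' lines into (action, proto, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        rules.append((tok[0], tok[1], src, dst))
    return rules

def evaluate(rules, src_ip: str, dst_ip: str, default_action: str = "deny") -> str:
    """First matching rule decides. default_action stands in for the SG300's
    `service-acl input <name> default-action permit-any|deny-any` binding."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, _proto, src, dst in rules:
        if s in src and d in dst:
            return action
    return default_action

GUEST = parse_acl(GUEST_WIRELESS_30)
CONTROL = parse_acl(U_CONTROL_20)

def guest_decisions() -> dict:
    # Constructed flows. The last one has a non-guest source: on a trunk-bound
    # input ACL it is still inspected, matches no guest rule and falls through
    # to the closing 'permit ip any any'.
    flows = [("10.5.30.50", "10.5.30.60"), ("10.5.30.50", "10.5.20.10"),
             ("10.5.30.50", "192.168.2.11"), ("10.5.30.50", "8.8.8.8"),
             ("10.5.20.10", "10.5.50.10")]
    return {f: evaluate(GUEST, *f) for f in flows}

def control_decisions() -> dict:
    flows = [("192.168.20.5", "192.168.10.1"), ("192.168.20.5", "192.168.30.2"),
             ("192.168.20.5", "8.8.8.8"), ("192.168.20.5", "192.168.20.9")]
    return {f: evaluate(CONTROL, *f) for f in flows}
```

Note the last control flow: a control device talking to another control device matches only the closing `deny ip any any`, which matters if the list ends up bound where intra-VLAN frames are filtered (for example on the control devices' own access ports) rather than only on the path toward other VLANs.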

Thank you for your reply!  I didn't get a notification that there was an answer so I just continued on.  I hit another road block and came back here to post another question.

So here is where I am now:

Layer 3

VLAN 1 interface - 192.168.4.254

VLAN 2 interface - 192.168.0.1

VLAN 1 has my computers

VLAN 2 has all of my low traffic devices

My e2500 is on VLAN 2 handling DHCP for my computers

When I manually assign my IP on the computers with a default gateway of 192.168.4.254 I can hit all of the devices on VLAN 2 (192.168.0.1) but I can't get online.  When I let the router dole out an address and a gateway of 192.168.4.1 I can get online but can hit anything on VLAN 2 (192.168.0.1).  I'm sure it is simply setting a static route somewhere but not sure where.... your thoughts?
JJoyce,

You are on the right track, it took me a lot of trials and different configurations to get it right.

The SG300 is also sensitive to the methodology and the sequence of setting up the layer and vlan addresses.

I found the most reliable method was to carefully document the setup for each device and set them up, then reset the SG300 and program it systematically, using the serial interface, save the configuration, power it down, connect the devices and restart, allowing several minutes for it to startup and dynamically configure the internal routing.

Put the dynamically addressed computers that need internet access and the e2500 on the same vlan and in the same subset of addresses.

Computers that need internet access should have their default gateway set for the e2500 address, by the DHCP configuration.

You need to set a static route in the e2500 pointing to the vlan interface address of the SG300.

Static addressed devices on the other vlan need to have their gateway address set to point to the SG300 address on the same vlan.

When you get the devices and the SG300 set up with the correct addresses in the right sequence, the SG300 will dynamically build the directly connected static routes between the VLANs. You may verify the routes with "show ip route".

Then packets sent from any computer will travel to the e2500, and if the address is in the other vlan, the e2500 will route the packet back to the SG300's gateway address, which will route the packet to the other vlans. Replies from static addressed devices on the second vlan will go to the vlan address on the sg300 which will then route them back to devices on the other vlan.

The attached configuration document with drawing by David Hornstein, helped me tremendously, and once I had mastered the correct configuration method and sequence of the SG300, it is reliable and works every time. Also double check that the SG300 has the latest firmware load, I got caught several times by mine reverting back to the original factory load that did not work correctly, after a master reset.

Good luck

RichardJ

Thank you for speaking simply!  That all makes perfect sense.... pretty much what I was following.  I was not sure where to set the static route and what to set it to.  After reading your attachment I think I figured the last bit out, but when I try to put the static route into the router I get an error when I try to save.

Take a look at the attached.

JJoyce,

It appears you have your destination and gateway addresses in the E2500 swapped.

The gateway address must always be on the same subnet/vlan as the devices are physically connected.

Secondly the destination address must always end in a 0 if it points to a subnet, otherwise it will always only take you to one specific device on that subnet.

Think of the gateway address as the number on a door in a passage, leading to a room, where the room is the SG300 Switch/router.

The room (SG300) has a second doorway leading to a second passage, which is the 2nd subnet/Vlan.

The numbering on the doors inside of the room will always end with a 0 showing it as the access point to reach that passage.

To find your route from the 1st subnet/VLAN (passage) to the 2nd subnet/VLAN, you go to the E2500 router and tell it your destination, and it will reply with the gateway address of the room (SG300) that will allow you to cross to the second passage.

Good luck

Richardj
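Two pieces of advice in this thread fit together: the E2500 needs a static route for each VLAN pointing at the SG300's vlan 10 address (the earlier reply to JJoyce), and a route entry is only valid if its destination is the network address and its gateway is on the router's own subnet (RichardJ's reply above). The Python below is an added example, not from the thread or from Cisco; the routing tables follow the addressing proposed earlier (E2500 at 192.168.10.1, SG300 SVIs at 192.168.10.2, 192.168.20.1, 192.168.30.1) and "wan" is a constructed placeholder for the E2500's internet uplink.

```python
import ipaddress

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

# Constructed tables for the proposed layout. Entry = (network, next hop);
# next hop None means directly connected, "wan" stands for the internet uplink.
SG300 = [(Net("192.168.10.0/24"), None), (Net("192.168.20.0/24"), None),
         (Net("192.168.30.0/24"), None), (Net("0.0.0.0/0"), "192.168.10.1")]
E2500_NO_STATIC = [(Net("192.168.10.0/24"), None), (Net("0.0.0.0/0"), "wan")]
E2500_WITH_STATIC = E2500_NO_STATIC + [
    (Net("192.168.20.0/24"), "192.168.10.2"),   # per-VLAN static routes
    (Net("192.168.30.0/24"), "192.168.10.2")]   # via the SG300 vlan 10 IP

def tables_for(e2500):
    """Map every router/SVI address a host might use as its gateway to a table."""
    return {"192.168.10.1": e2500, "192.168.10.2": SG300,
            "192.168.20.1": SG300, "192.168.30.1": SG300}

def lookup(table, dst):
    """Longest-prefix match. Returns the next hop (None = connected);
    raises LookupError when nothing, not even a default route, matches."""
    hits = [r for r in table if Addr(dst) in r[0]]
    if not hits:
        raise LookupError(dst)
    return max(hits, key=lambda r: r[0].prefixlen)[1]

def trace(tables, first_hop, dst, max_hops=8):
    """Follow dst hop by hop from router first_hop.
    The path ends in 'connected', 'wan' or 'unreachable'."""
    path, hop = [], first_hop
    while hop not in (None, "wan") and len(path) < max_hops:
        path.append(hop)
        try:
            hop = lookup(tables[hop], dst)
        except LookupError:
            return path + ["unreachable"]
    return path + ["connected" if hop is None else "wan"]

def round_trip(tables, host_ip, host_gw, dst, edge="192.168.10.1"):
    """Forward path from the host's gateway plus the reply path: an internet
    reply re-enters at the edge router (assumed to be the E2500), which must
    then have a route back to the host's VLAN."""
    return trace(tables, host_gw, dst), trace(tables, edge, host_ip)

def validate_static_route(dest, mask, gateway, connected):
    """RichardJ's two rules for an E2500 static route: destination must be the
    network address (host bits zero), gateway must sit on one of the router's
    own connected subnets. Returns the list of problems found (empty = OK)."""
    problems = []
    net = Net((dest, mask), strict=False)
    if Addr(dest) != net.network_address:
        problems.append(f"destination {dest} has host bits set; use {net.network_address}")
    if not any(Addr(gateway) in c for c in connected):
        problems.append(f"gateway {gateway} is not on a connected subnet")
    return problems

if __name__ == "__main__":
    for name, t in (("no static", E2500_NO_STATIC), ("with static", E2500_WITH_STATIC)):
        print(name, round_trip(tables_for(t), "192.168.20.5", "192.168.20.1", "8.8.8.8"))
```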

I have a similar issue. My switch is in L3 mode with default IP address 192.168.1.254. I created VLANs 101, 102 and 103 and I need all ports as trunks with all VLANs enabled on them. Vlan 101 will have IPs 10.1.0.x; Vlan 2 will have 10.2.0.x IPs and Vlan 3 will have 10.3.0.x IPs. When I am trying to add all these VLANs to all interfaces as tagged (I need 5 interfaces for ESXi hosts) the switch immediately goes offline. Can you please help me with these configurations? I need to be able to ping all IPs from each other, i.e. 192.168.1.x, 10.1.0.x, 10.2.0.x and 10.3.0.x. Thanks.

Dear All,

Actually I am setting up an IPv6 lab, where I am facing an issue with inter-VLAN routing. Kindly guide me on where the issue is.

-> I have configured VLANs on an SG300 28-port switch. Keep in mind I am not using any router to create sub-interfaces; the switch itself acts as an L3 switch.

-> Created two VLANs in the switch, VLAN1 and VLAN2, and assigned them global unicast IP addresses (like VLAN1: 2003:2004::1/64 and VLAN2: 2003:2004::1/64).

-> Both VLANs' hosts are able to ping their respective gateway and are also able to ping the other VLAN's gateway; more details are given below.

Host A ------------------ connected in VLAN1

Host B ------------------ connected in VLAN2

Host B is able to ping the VLAN1 interface IP.

Host A is able to ping the VLAN2 interface IP.

But the thing is, Host A is unable to communicate with Host B.

1. The Windows 7 OS firewall is turned off for both.

Hope I will resolve this with your help.

Thanks

Deba