Cisco SG350 with Firewalla Gold -- VLAN with no Internet Access

donaldm314
Level 1

I have a Cisco SG350-28 (SG350) running firmware 2.5.9.54, connected to a Firewalla Gold. The Firewalla is connected to my ISP cable modem. There are no other networking devices involved.

Having never administered VLANs, I am well out of my depth!

I have one VLAN that is working correctly. I have managed to create a second one that cannot access the Internet. Have I misconfigured my SG350, or my Firewalla, or both?

The working VLAN is VLAN 9:

interface vlan 9
name Management
ip address 192.168.168.2 255.255.255.0
ip dhcp relay enable

The default gateway on the SG350 is:

ip default-gateway 192.168.168.1

Everything in the 192.168.168.0/24 network can ping the switch at 192.168.168.2 and the default gateway at 192.168.168.1 (the Firewalla) and access the Internet. Go, me!

The devices in VLAN 9 are connected to switch interfaces configured as below:

interface GigabitEthernet23
 switchport access vlan 9 
 switchport general pvid 9 
 switchport trunk native vlan 9 

There is one trunk interface, directly connected to the Firewalla:

interface GigabitEthernet1
 switchport mode trunk 
 switchport trunk native vlan 9 
 switchport trunk allowed vlan 9-10

The Firewalla receives 10.0.0.3 from the ISP via DHCP, and has a static IP of 192.168.168.1.

The broken VLAN is VLAN 10:

interface vlan 10
 name Engineering 
 ip address 10.10.0.1 255.255.255.0 
 ip dhcp relay enable

I have configured the Firewalla with VLAN 10, static IP of 10.10.0.200.

My test machine is connected to:

interface GigabitEthernet14
 switchport access vlan 10 
 switchport general pvid 10 

The test machine has IP 10.10.0.5, and it can ping:

  • 10.10.0.1
  • 10.10.0.200
  • 192.168.168.2

The test machine cannot reach the Internet:

ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2034ms

Routing information on the SG350:

cisco-sg350#sh ip ro
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static

S   0.0.0.0/0 [1/4] via 192.168.168.1, 97:53:49, vlan 9
C   10.10.0.0/24 is directly connected, vlan 10
C   192.168.168.0/24 is directly connected, vlan 9

And routing on the Firewalla:

pi@firewalla:~ (firewalla-gold) $ ip ro
default via 10.0.0.1 dev eth0 metric 1 
10.0.0.0/25 dev eth0 proto kernel scope link src 10.0.0.3 
10.10.0.0/24 dev br1 proto kernel scope link src 10.10.0.200 
64.59.128.121 via 10.0.0.1 dev eth0 metric 1 
64.59.135.145 via 10.0.0.1 dev eth0 metric 1 
192.168.168.0/24 dev br0 proto kernel scope link src 192.168.168.1 

Have I configured the SG350 correctly?

1 Accepted Solution

Accepted Solutions

donaldm314
Level 1

I have found and fixed my mistake: I had asymmetric routing. My configuration on the SG350 and the FWG were correct. 

I had the test machine incorrectly configured with the SVI as its gateway. Instead, the gateway needed to be the IP of the FWG. Once I corrected that, everything worked.
Go me!

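To see why the gateway choice mattered, here is an added example (not from the thread or from Cisco/Firewalla) that replays the two routing tables quoted in the original post with longest-prefix-match lookups. It assumes, from the Firewalla addresses shown, that the trunk's VLAN 9 lands on br0 and VLAN 10 on br1.

```python
# Added example: replay the SG350 and Firewalla routing tables from the post
# and compare the Firewalla interface a flow enters on with the one the
# reply leaves on. Different interfaces = asymmetric routing.
import ipaddress

# SG350 table, transcribed from "sh ip ro" in the original post
SG350 = [
    ("0.0.0.0/0", "192.168.168.1", "vlan 9"),
    ("10.10.0.0/24", None, "vlan 10"),
    ("192.168.168.0/24", None, "vlan 9"),
]
# Firewalla table, transcribed from "ip ro" (the two /32 host routes omitted)
FIREWALLA = [
    ("0.0.0.0/0", "10.0.0.1", "eth0"),
    ("10.0.0.0/25", None, "eth0"),
    ("10.10.0.0/24", None, "br1"),
    ("192.168.168.0/24", None, "br0"),
]
# Assumption: trunk Gi1 carries VLAN 9 (native) into br0 and VLAN 10 into br1
VLAN_TO_BRIDGE = {"vlan 9": "br0", "vlan 10": "br1"}


def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, interface) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best[1], best[2]


def trace(host_gw, dst="8.8.8.8", host="10.10.0.5"):
    """Return (Firewalla ingress interface, Firewalla return interface)."""
    if host_gw == "10.10.0.1":
        # Gateway is the SVI: the switch forwards to its own default gateway,
        # which sits on VLAN 9, so the packet reaches the Firewalla via br0.
        _, vlan = lookup(SG350, dst)
        ingress = VLAN_TO_BRIDGE[vlan]
    else:
        # Gateway is the Firewalla's VLAN 10 address: packet arrives on br1.
        ingress = "br1"
    _, return_if = lookup(FIREWALLA, host)  # reply is routed by the Firewalla
    return ingress, return_if


def is_symmetric(host_gw):
    ingress, return_if = trace(host_gw)
    return ingress == return_if
```

With the SVI as gateway the flow enters on br0 and the reply leaves on br1; with 10.10.0.200 as gateway both legs use br1, which is what the accepted solution describes.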

3 Replies

@donaldm314 

I believe the problem is related to NAT. The firewall is NATing the network 192.168.168.0 but not the network 10.10.0.0. That's why the traffic is failing.

The SG350 seems to be configured correctly. What you could do differently would be to create a point-to-point connection between the SG and the firewall, instead of the trunk. You can use the 192.168.168.0 network for it.

Then, you can create a static route on the SG sending all the traffic to the firewall via this layer 3 connection. But the way you did it should work as long as the firewall performs NAT for both networks.

donaldm314
Level 1

I contacted the helpful team at Firewalla, and they believe I've configured the Firewalla Gold (FWG) correctly. 

I still believe I have misconfigured either the SG350 or the FWG. Or both.

A traceroute to 1.1.1.1 from 192.168.168.0/24 (VLAN 9) works.

A traceroute to 1.1.1.1 from my test machine at 10.10.0.5 only goes as far as the Switch Virtual Interface (SVI) 10.10.0.1. From there ... nothing. Shouldn't the next hop be 192.168.168.1, the default route?

I think this suggests something needs to change in the SG350.
