Hi David,

Thanks for replying thought no one ever would.

Basically I need to create a secure area for the programmers in my company so they can access the company network but no one can access their systems.  

So I wanted to create a secure VLAN using ACL's within the existing network which is made up of cisco layer two switches running on the default VLAN1 i.e no vlan configuration (I cannot easily change this as they have 4 switches running off VLAN1).   

I have connected the sf 300 (layer 3 enabled) to the company network by removing the connection from my pc to the network and plugged that into port fa 0/1 and enabled it as a trunk port)

I then connected my computer (A) to port fa 0/2 of the sf 300 and enabled it as an access sport.

I then connected another computer (B) to port fa 0/16 of the sf 300 and enabled it as an access sport.

I created a second VLAN (VLAN2) ip address 192.168.2.1 and assigned it to fa 0/16 all other ports are assigned to VLAN1 (default).

I set my Computer A (IP 192.168.111.94) default gateway to the ip address of the sf 300 (192.168.111.218) and computer B (IP 192.168.2.2) default gateway to 192.168.2.1.

I set the default route to 0.0.0.0 0.0.0.0 192.168.11.254 (draytek router and default gateway for existing network) and added the DNS servers for my network to the sf 300.

Computer A still has access to the company drives, email etc but is unable to access the internet and can ping and RDP to computer B but cannot access the internet.

Computer B can ping and RDP to computer A but cannot access the company network or internet i.e I cannot ping the domain controller.

I have tried tagging VLAN2 to fa 0/1 trunk port but still no sucess and adding entries on the domains controllers DNS for computer B.

My main issue is that I cannot get VLAN2 to access the company network.  

I have created a digram of the setup below to hopfully give you a better idea

Many Thanks

Richard

Hi Richard,

As for your main issue - getting vlan 2 to access the LAN and internet - you need to set a default route on the draytek to the effect of 192.168.2.0 255.255.255.0 192.168.111.218 ?  That may be computer B is not getting LAN access.

Why is the sf300 connected to the network as a trunk? Do you plan to have other vlan 2 computers plugged in elsewhere other than this switch? Or are there vlans other than 1 & 2?

Can you post a sh run for the switch so I can see what else is going on, and what, if any ACLs there are that may be preventing computer A from accessing the internet.  Can you also please change the default gateway on computer A to 192.168.1.254 and let me know if that works.

Best,

David

Please rate helpful posts.

Hi David,

I have set my draytek with a default route as you described (I cannot test this until Monday as I currently only have console access to the switch as I have plugged my computer back into the network and am not going through the switch).

Originally I had port fa 0/1 set as an access port because I thought the IT Manager only wanted the switch in  the IT department to host the secondary VLAN and I wouldnt have to cross switches. 

He has since said that he would like to have some computers in other rooms available to the secondary VLAN for testing purposes.  

He also wanted to increase the number of IP addresses as we are reaching the maximum on the current setup i.e 254.

Getting it working in just our area for now would take the heat off me though.

I thought I had to set the default gateway on computer A to the IP address of the sf 300 (192.168.111.218).  

If I set the default gateway of computer A to 192.168.111.254 it does indeed work and I get internet acess and network access as I had tested this previously.

I have since changed the config for the switch which is shown below but it might be worse than the previous config:

switch7c0a71#show run

vlan database

vlan 4

exit

interface  gi1

switchport default-vlan tagged

exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

interface vlan 4

ip address 192.168.2.249 255.255.255.0

exit

interface vlan 1

ip address 192.168.111.250 255.255.255.0

exit

no ip arp proxy disable

ip route 0.0.0.0 0.0.0.0 192.168.111.254

interface vlan 1

no ip address dhcp

exit

bonjour interface range vlan 1

hostname switch7c0a71

no snmp-server server

ip name-server  192.168.111.212 192.168.111.82

interface fastethernet1

switchport mode access

exit

interface fastethernet2

switchport mode access

switchport access vlan 4

exit

interface fastethernet3

switchport mode access

exit

interface fastethernet4

switchport mode access

exit

interface fastethernet5

switchport mode access

exit

interface fastethernet6

switchport mode access

exit

interface fastethernet7

switchport mode access

exit

interface fastethernet8

switchport mode access

exit

interface fastethernet9

switchport mode access

exit

interface fastethernet10

switchport mode access

exit

interface fastethernet11

switchport mode access

exit

interface fastethernet12

switchport mode access

exit

interface fastethernet13

switchport mode access

exit

interface fastethernet14

switchport mode access

exit

interface fastethernet15

switchport mode access

exit

interface fastethernet16

switchport mode access

exit

interface fastethernet17

switchport mode access

exit

interface fastethernet18

switchport mode access

exit

interface fastethernet19

switchport mode access

exit

interface fastethernet20

switchport mode access

exit

interface fastethernet21

switchport mode access

exit

interface fastethernet22

switchport mode access

exit

interface fastethernet23

switchport mode access

exit

interface fastethernet24

switchport mode access

exit

interface gigabitethernet1

switchport trunk allowed vlan add 4

exit

interface vlan 4

name ARC_Developer

exit

Kind Regards

Richard Leyshon

Hi Richard,

Im using a sg300 here to test, and mine is working fine. I did have to put a default route in my router for the vlan 4 network, but this is my sh run:

switchf1cc3a#sh run

vlan database

vlan 4

exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

interface vlan 1

ip address 10.10.1.79 255.255.255.0

exit

interface vlan 4

ip address 192.168.2.249 255.255.255.0

exit

ip route 0.0.0.0 0.0.0.0 10.10.1.1

interface vlan 1

no ip address dhcp

exit

bonjour interface range vlan 1

hostname switchf1cc3a

no snmp-server server

interface gigabitethernet8

switchport mode access

switchport access vlan 4

exit

I am able to use either the switch ip or router ip for the default gateway on my vlan 1 and am able to get both lan and internet access. Can you please post a sh ip route from both the switch and draytek?

My switch shows the following:

switchf1cc3a#sh ip route

Maximum Parallel Paths: 1 (1 after reset)

IP Forwarding:          enabled

Codes: C - connected, S - static, D - DHCP 

S  0.0.0.0/0          [1/1] via  10.10.1.1  0:10:58                vlan 1

C  10.10.1.0/24       is directly connected                        vlan 1

C  192.168.2.0/24     is directly connected                        vlan 4

Best,

David

Hi David,

I have telnet into the draytek and I see the following ( I thought I added a default route but apparently you can only do this by telnet not through the web interface).   

If I add a second default route will it nock out the route shown above as I dont want to down the internet connection as I am doing this remotely from home and dont want to kill the router. 

I have 4 ethernet ports in the draytek. ethernet port 1 is plugged into the network (which I think is IF0) and the adsl cable is plugged into the ADSL port  IF3 (I think) .

The syntax for the draytek is as follows:

Do I need to patch a cable from the draytek (ethernet port 2) into the network and setup a default route on that interface or can I add one to the existing interface (ethernet port 1)?

The show ip route for the switch is as follow (I dont have anything plugged into it though):

switch7c0a71#show ip route

Maximum Parallel Paths: 1 (1 after reset)

IP Forwarding:          enabled

Codes: C - connected, S - static, D - DHCP

S  0.0.0.0/0          [1/1] via  192.168.111.254  118:22:47        vlan 1

C  192.168.111.0/24   is directly connected                        vlan 1

switch7c0a71#

Hope this makes sense.

Kind Regards

Richard

Richard,

I'm not at all familiar with draytek devices. It surprises me that adding a route would knock out the route thats in there now, but again, might just be a draytek thing. I would think you can simply add the route to the interface you're currently using.  The other thing of note is take a look at the difference between my sh ip route and yours, mine shows the 192.168.2.0  network as directly connected, while yours does not.

As far as a course of action, we're not going to be able to make progress while your at home on your weekend, so stop thinking about this until monday, and try the following then and report back:

1 - Add the proper route into the draytek. From your screenshot, it looks to me like the proper syntax would be ip route add 192.168.2.0 255.255.255.0 192.168.111.250

2 - check the sf300's vlan 4 address, and that computer B can ping 192.168.2.249. Make sure that the sf300 is showing that network as directly connected in its ip routing table.

At this point, you should have internet and lan access on both hosts A + B.

On vlan 4 - are the addresses being assigned via DHCP or statically assigned?

Best,

David

Please rate helpful posts.

Hi David,

I have added the route to the draytek as shown below:

I think VLAN2 is not saying directly connected because Computer B which belongs to VLAN2 is not currently connected. 

At present VLAN4 ip addresses are being statically assigned but I have added a new DHCP range to the domain controller for 192.168.2.0 so I presume I could dish out IP addresses via DHCP when it is all working?

I will get back to you on Monday once I have plugged it all in and tested, again many thanks for your help David have a great weekend.

Kind Regards

Richard

Richard,

Let me know how it looks come monday morning. Can you ping the switch's 192.168.2.249 address from the draytek?

The route should show up if the ipv4 interface for vlan 4 is configured properly - its showing the subnet is connected in sh ip route - rather than the host.

Best,

David

Hi David,

I have tested the configuration and I can get network access in VLAN1 using default gateway of 192.168.111.254 and network access in VLAN4 using a default gateway of 192.168.2.249.

But I am unable to get internet access in VLAN4, I can ping the default gateway (192.168.2.249) for VLAN4 from the computer in VLAN4 (192.168.2.2) and unable to ping google etc.   Internet access in VLAN1 is ok.

My show IP route is as follows:

switch7c0a71#show ip route

Maximum Parallel Paths: 1 (1 after reset)

IP Forwarding:          enabled

Codes: C - connected, S - static, D - DHCP

S  0.0.0.0/0          [1/1] via  192.168.111.254  0:17:15          vlan 1

C  192.168.2.0/24     is directly connected                        vlan 4

C  192.168.111.0/24   is directly connected                        vlan 1

I can also ping 192.168.2.249 from the draytek (using telnet).   

Kind Regards

Richard

Good morning Richard,

Just a quick question while I re-read some of the thread. The screenshots dont show up on the ipad app...

Could it be a dns issue on vlan 4? Can you ping 4.2.2.2?

Best,

David

Sent from Cisco Technical Support iPad App

Hi David,

I have tried to ping google's IP address  but 173.194.67.94 but it times out.   I am not sure what you mean by 4.2.2.2 but I tried to ping it without sucess.   I have attached a grab of the route print command from  192.168.2.2:

I can also ping the network DNS servers (192.168.111.82 & 192.168.111.212) from 192.168.2.2

Kind Regards

Richard

Hello Richard,

From vlan4 (192.168.2.x) can you ping the router (192.168.111.254)? If yes, then can you ping your WAN IP address on the router?

It may be possible that the router is not doing NAT for your second vlan. If this is the case then, your ping out would be dropped once it hits the internet.

Hi Robert,

I can ping the Router IP address from VLAN2.

I thought it might be NAT myself but I have just pinged the ISP IP address from VLAN2 and it came back sucessfull:

Kind Regards

Richard