Inter vlan routing on a Cisco SF 300-24 port switch No internet except when scanning with wireshark

richley1980
Level 1

Hi,

I am trying to get inter vlan routing to work on an SF 300 - 24 port switch. I have an existing company network on 192.168.111.0 and want to create a vlan on 192.168.1.1 that can talk to 192.168.111.0. I have enabled layer 3 routing on the switch via console and also provided the ip routing command. I have the following VLANs:

VLAN1 - Default 192.168.111.0

VLAN2 - 192.168.1.0

I have enabled DNS and provided my two DNS servers, 192.168.111.82 & 192.168.111.212.

I have set the VLAN1 interface to 192.168.111.217 and VLAN2 interface to 192.168.1.1.

Ports FE1 - FE15 are set to access ports and assigned to VLAN1 (untagged)

Ports FE16 - FE24 are set to access ports and assigned to VLAN2 (untagged)

I have set a default route for the switch to 0.0.0.0 0.0.0.0 192.168.111.254 (Draytek 2600 router). I have connected a computer (A) to VLAN1 port FE3 and a computer (B) to VLAN2 port FE16. I have set Computer A's default gateway to 192.168.111.217 and its IP address to 192.168.111.94. I have set Computer B's default gateway to 192.168.1.1 and IP to 192.168.1.2.

Computer A has access to Mdaemon, file server via network drives but no internet (cannot ping google) and can ping computer B and RDP onto computer B.

Computer B can ping computer A and RDP onto computer A but does not have access to the company network, i.e. MDaemon, file server etc. It also cannot access the internet.

From the console I can ping www.google.co.uk and all IP addresses in the company network, i.e. 192.168.111.82 (DNS server). I don't understand what I am doing wrong and have been banging my head for days. I just started a new job and desperately need to get it working, so any help would be greatly appreciated.

If I scan computer A with Wireshark the internet starts working, weird!

Configuration shown below:

switch7c0a71#show run
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 1
ip address 192.168.111.217 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.111.254
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switch7c0a71
no passwords complexity enable
no snmp-server server
interface fastethernet1
switchport mode access
exit
interface fastethernet2
switchport mode access
exit
interface fastethernet3
switchport mode access
exit
interface fastethernet4
switchport mode access
exit
interface fastethernet5
switchport mode access
exit
interface fastethernet6
switchport mode access
exit
interface fastethernet7
switchport mode access
exit
interface fastethernet8
switchport mode access
exit
interface fastethernet9
switchport mode access
exit
interface fastethernet10
switchport mode access
exit
interface fastethernet11
switchport mode access
exit
interface fastethernet12
switchport mode access
exit
interface fastethernet13
switchport mode access
exit
interface fastethernet14
switchport mode access
exit
interface fastethernet15
switchport mode access
exit
interface fastethernet16
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet17
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet18
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet19
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet20
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet21
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet22
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet23
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet24
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface vlan 2
name Development
exit

40 Replies

Can you ping 8.8.8.8? If not, I recommend a tracert to 8.8.8.8 to see how far you can get.

Hi Robert,

I have run a tracert on 8.8.8.8 and I get the following:

1     *     *     *     Request timed out.
2     *     *     *     Request timed out.
3     *     *     *     Request timed out.
etc.

Kind Regards

Richard

Hi Richard,

What IP from your ISP are you pinging that's working?

Since you're able to ping the Draytek from the vlan 4 computer, and the reverse (and access the LAN), I think your switch is config'd properly at this point, and it's something with the Draytek.

Best,

David

Hi David,

I have taken the WAN IP address from the WAN status page of the router. I don't want to post the IP address though, for obvious reasons.

Kind Regards

Richard

Hi David,

I did a tracert on the ISP IP address and got the following:

1     *       *       *       Request timed out.
2     <1 ms   <1 ms   <1 ms   ISP IP ADDRESS

regards

Richard

That's your public IP, correct? Can you ping your ISP's default gateway?

Best,

David

Sent from Cisco Technical Support iPad App

Hi David,

How do I find out the ISP's default gateway?

Kind Regards

Richard

Hi David,

Just found it. I am unable to ping the GW IP address displayed on the router status page.

Regards

Richard

Hi David,

I also cannot ping the primary and secondary DNS servers for the ISP.

Regards

Richard

Richard,

I think that you should try and get in touch with Draytek support or follow up on that end.

Check out this thread:

http://www.network-builders.com/draytek-vigor-2600-multi-nat-dmz-vlan-question-t34149.html

I emailed Draytek directly and got the following response:

a. The Vigor can only deal with one subnet. You could still use the Vigor VLAN facility to separate the ports but you'd need two more devices to act as the gateway for the other two subnets.

My suggestion prior to reading that would be to set up the subnet on the Draytek (if the Draytek has multiple interfaces) or use the Draytek router to create the vlan, but you may be running into the limits of the router.

Best,

David

Hi David,

I have found this on the Draytek router:

Would I have to do this here?

Kind Regards

Richard

Richard,

Your guess is as good as mine - I have NEVER used a Draytek router. It might be time to find documentation from Draytek on this, or contact their support people.

However, if I could play with the router for a bit, I would first back up the config on the Draytek if possible, or take very detailed notes of everything you change.

Then, I would enable the IP routing usage, and put in 192.168.2.254 (let's give that IP to the router, which would now be the default gateway on that subnet's machines), and leave the subnet mask as it is.

I don't know if doing that will automatically create the proper routes, but I'd like to think it does... Obviously, I can't see the rest of the configurable settings on that Draytek page, or the rest of the web interface.

Best,

David

Richard,

Just wanted to check in and see how things were progressing. Any luck with the Draytek?

Best,

David

Hi David,

Sorry for not getting back sooner, I've been on holiday. I replaced the Draytek Vigor 2600 with a Draytek Vigor 2830, which allowed me to route two private subnets, so I have internet access on both VLAN1 and VLAN4.

I now need to allow VLAN4 access to the mail server, file server and the ability to RDP onto the servers in VLAN1, but deny VLAN1 computers access to VLAN4. I am trying to do this with access control lists but am a bit lost. Would you be able to point me in the right direction?

Kind Regards

Richard 

Hi Richard,

Hope you enjoyed your holiday!

Are all the vlan 4 machines off the SF300? Probably the best way to do this is to use the Draytek to configure the access policies, but again, I can't be much help with the Draytek.

If you want to give it a shot with the SF300:

1. In the GUI, Access Control -> IPv4-Based ACL.

2. Click add, name the ACL (access control list) and apply.

3. Access Control -> IPv4-Based ACE (access control element), click add.

4. In the pop-up now: ACEs with higher priority are processed first. I created priority 50, permit all to all.

5. Create priority 40, action deny, protocol any, source user defined (use vlan 1 subnet 192.168.111.0 0.0.0.255), destination IP, user defined, vlan 4 subnet addr 192.168.1.0 0.0.0.255, and then apply.

6. Then create permit rules for the services that you want to have access to the vlan 4, i.e. AD server priority 30 @ 192.168.111.xxx 0.0.0.0 permit to 192.168.1.0 0.0.0.255.

7. Then go to Access Control -> ACL Bindings and apply the ACL to the ports. Edit, check the box, apply, copy settings to other ports. When an ACL is bound to an interface, its ACE rules are applied to packets arriving at that interface.

Just a note with IPv4-based ACLs: IP packets are checked, but others like ARP are not.

You may need to tweak the priorities, etc. as needed, but I hope that gives you a good enough idea.

Let me know how it goes.

Best,

David
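The ACE rules in the reply above (priority 30 permit server, 40 deny VLAN1 to VLAN4, 50 permit all), as an added worked example that is not part of the thread or of any Cisco tool: a small Python model of a priority-ordered, first-match IPv4 ACL with Cisco-style wildcard masks, used to check what the three rules do to a few constructed flows and why the ordering matters. The AD server address 192.168.111.10 stands in for the "192.168.111.xxx" in the post and is an assumption; the flows are constructed sample traffic, not captured data. The model treats the ACL as ingress-only, as the reply describes, so a packet is filtered only when it arrives on a port the ACL is bound to.

```python
"""Model of the SF300-style IPv4 ACL described in the reply (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    priority: int  # lower number is evaluated first, matching the 30 -> 40 -> 50 order in the reply
    action: str    # "permit" or "deny"
    src: str       # "address wildcard", as typed into the GUI (0 bits must match, 1 bits are don't-care)
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco-style wildcard match: every bit that is 0 in the mask must equal the base address."""
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (b | w)


def evaluate(acl: Iterable[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, priority) of the first ACE, in ascending priority order, that matches.
    Nothing matching falls through to an implicit deny (priority None)."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action, ace.priority
    return "deny", None


def filter_packet(acl: Iterable[Ace], bound_vlans: Set[int], ingress_vlan: int, src: str, dst: str) -> str:
    """The ACL only sees packets arriving on ports it is bound to; anything else passes unfiltered."""
    if ingress_vlan not in bound_vlans:
        return "permit"
    return evaluate(acl, src, dst)[0]


AD_SERVER = "192.168.111.10"  # assumption: stands in for "192.168.111.xxx" in the reply

# The three ACEs from the reply.
ACL: List[Ace] = [
    Ace(50, "permit", "0.0.0.0 255.255.255.255", "0.0.0.0 255.255.255.255"),  # permit all to all
    Ace(40, "deny",   "192.168.111.0 0.0.0.255", "192.168.1.0 0.0.0.255"),    # block VLAN1 -> VLAN4
    Ace(30, "permit", f"{AD_SERVER} 0.0.0.0",    "192.168.1.0 0.0.0.255"),    # allow AD server -> VLAN4
]

# Constructed sample flows: (description, ingress VLAN, source, destination).
FLOWS = [
    ("VLAN1 workstation -> VLAN4 host", 1, "192.168.111.94", "192.168.1.2"),
    ("AD server -> VLAN4 host",         1, AD_SERVER,        "192.168.1.2"),
    ("VLAN4 host -> AD server",         4, "192.168.1.2",    AD_SERVER),
    ("VLAN1 workstation -> internet",   1, "192.168.111.94", "8.8.8.8"),
]


def run_flows(bound_vlans: Set[int]) -> dict:
    """Apply the ACL, bound to the ports of the given VLANs, to every sample flow."""
    return {desc: filter_packet(ACL, bound_vlans, vlan, s, d) for desc, vlan, s, d in FLOWS}


def swapped_priorities() -> Tuple[str, Optional[int]]:
    """What happens to the server's traffic if the deny is numbered below the server permit:
    the deny is evaluated first and the AD server can no longer reach VLAN4."""
    swapped = [Ace(30 if a.priority == 40 else 40 if a.priority == 30 else a.priority,
                   a.action, a.src, a.dst) for a in ACL]
    return evaluate(swapped, AD_SERVER, "192.168.1.2")


if __name__ == "__main__":
    for desc, verdict in run_flows({1}).items():   # bound to the VLAN1 access ports FE1-FE15
        print(f"{desc:36s} {verdict}")
    print("AD server -> VLAN4 with swapped priorities:", swapped_priorities())
```

Binding the ACL to the VLAN1 ports is what gives the asymmetric policy the thread asks for: a VLAN4 client's request to the AD server arrives on a VLAN4 port and is never filtered, while the server's reply arrives on a VLAN1 port and is let through by the priority-30 permit; a VLAN1 workstation's packet to VLAN4 hits the priority-40 deny. The `swapped_priorities` check shows the failure mode David warns about when priorities need tweaking: with the deny numbered below the server permit, the server is blocked too.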