Inter vlan routing on a Cisco SF 300-24 port switch No internet except when scanning with wireshark

richley1980
Level 1

Hi,

I am trying to get inter-VLAN routing to work on an SF 300 24-port switch. I have an existing company network on 192.168.111.0 and want to create a VLAN on 192.168.1.1 that can talk to 192.168.111.0. I have enabled layer 3 routing on the switch via the console and also entered the ip routing command. I have the following VLANs:

VLAN1 - Default 192.168.111.0

VLAN2 - 192.168.1.0

I have enabled DNS and provided my two DNS servers 192.168.111.82 & 192.168.111.212.  

I have set the VLAN1 interface to 192.168.111.217 and VLAN2 interface to 192.168.1.1.

Ports FE1 - FE15 are set to access ports and assigned to VLAN1 (untagged)

Ports FE16 - FE24 are set to access ports and assigned to VLAN2 (untagged)

I have set a default route for the switch to 0.0.0.0 0.0.0.0 192.168.111.254 (Draytek 2600 router). I have connected a computer (A) to VLAN1 port FE3 and a computer (B) to VLAN2 port FE16.   I have set Computer A default gateway to 192.168.111.217 and its IP address to 192.168.111.94.    I have set Computer B default gateway to 192.168.1.1 and IP to 192.168.1.2.   

Computer A has access to MDaemon and the file server via network drives but no internet (cannot ping Google), and it can ping computer B and RDP onto computer B.

Computer B can ping computer A and RDP onto computer A but does not have access to the company network, i.e. MDaemon, file server etc. It also cannot access the internet.

From the console I can ping www.google.co.uk and all IP addresses in the company network, i.e. 192.168.111.82 (DNS server). I don't understand what I am doing wrong and have been banging my head for days. I have just started a new job and desperately need to get it working, so any help would be greatly appreciated.

If I scan computer A with Wireshark the internet starts working. Weird!

Configuration shown below:

switch7c0a71#show run
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 1
ip address 192.168.111.217 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.111.254
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switch7c0a71
no passwords complexity enable
no snmp-server server
interface fastethernet1
switchport mode access
exit
interface fastethernet2
switchport mode access
exit
interface fastethernet3
switchport mode access
exit
interface fastethernet4
switchport mode access
exit
interface fastethernet5
switchport mode access
exit
interface fastethernet6
switchport mode access
exit
interface fastethernet7
switchport mode access
exit
interface fastethernet8
switchport mode access
exit
interface fastethernet9
switchport mode access
exit
interface fastethernet10
switchport mode access
exit
interface fastethernet11
switchport mode access
exit
interface fastethernet12
switchport mode access
exit
interface fastethernet13
switchport mode access
exit
interface fastethernet14
switchport mode access
exit
interface fastethernet15
switchport mode access
exit
interface fastethernet16
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet17
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet18
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet19
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet20
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet21
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet22
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet23
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet24
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface vlan 2
name Development
exit

40 Replies

Hi David,

I have added the rules as you described see below:

But it seems to let everything through. If I remove rule 41, I have no access to the 192.168.2.0 network at all. Also it seems to be ignoring rule 39, as it should allow me to RDP through to a computer on 192.168.2.0.

I need to allow RDP (3389), SMTP (25), FTP (21), LDAP (389), IMAP (143) between both networks but deny everything else.   The end goal is to deny the SQL server (port 1433) on 2.2. from being able to communicate with the SQL server on 111.0 as the SQL server on 2.2 is a test SQL server.

Hope this makes sense.

Kind Regards

Richard

Hi Richard,

You need to change the mask in rule 40 to 0.0.0.255 if you're using a 255.255.255.0 network.

Then add in the remainder of your permit rules, or if it's easier, permit all and just deny the SQL server. Your call.

Best,

David

Hi David,

That seems to have worked. See ACL below:

Is there a way of blocking traffic from network 192.168.2.0 to 192.168.111.0 as well, i.e. both ways except for the ports I allow and deny? If I try and add a rule to block any traffic from 192.168.2.0 to 192.168.111.0 above or below rule 42, I lose the RDP connection to the computer on 192.168.2.0 from the 192.168.111.0 network. Is it possible to accomplish this?

Kind Regards

Richard  

Davidwagman1
Level 7

Hi Richard,

43 - Permit Protocol: Any To/From All

42 - Deny Protocol ALL from 192.168.2.0 0.0.0.255 -> to 192.168.111.0 0.0.0.255

41 - Deny Protocol ALL from 192.168.111.0 0.0.0.255 -> to 192.168.2.0 0.0.0.255

40 - Permit Protocol RDP from ALL to ALL

etc.

That should block everything, including MSSQL, except for RDP, and the other ports as you've defined above.  Are the other defined services working and just not the RDP? 

Richard, please remember to rate helpful posts and identify correct answers.

Best,

David

Hi David,

I have enabled what you have specified above, which has blocked traffic both ways, but it seems to be ignoring all rules to allow RDP, SMTP, IMAP, FTP etc. Settings shown below:

Rules 34 - 38 seem to be ignored for some reason, not sure why?

Kind Regards

Richard

Hi Richard,

I've attached a screenshot of what it should look like, though it's not complete (I didn't do all of the services, but enough so you get the gist). You need both to and from rules and different source/dest rules:

Best,

David

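Added example, not part of the thread: a first-match model in Python of the ACL David lays out above (rules 40-43) together with the service permits Richard listed (rules 34-38 are assumed to be those). It shows how the wildcard mask and rule order decide whether a packet passes, which is the point behind both the mask fix and the need for deny rules in both directions; the host addresses used are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    prio: int             # lower number is evaluated first
    action: str           # "permit" or "deny"
    proto: str            # "any" or "tcp"
    src: str              # "any" or "network wildcard", e.g. "192.168.2.0 0.0.0.255"
    dst: str
    dport: Optional[int] = None

def addr_matches(spec: str, ip: str) -> bool:
    """Wildcard-mask match: a 0 bit in the mask must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(rules, src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    """First matching rule wins; with no match the ACL's implicit deny applies."""
    for r in sorted(rules, key=lambda x: x.prio):
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if addr_matches(r.src, src) and addr_matches(r.dst, dst):
            return r.action
    return "deny"

def build_acl(wild: str = "0.0.0.255", both_directions: bool = True):
    """wild is the mask on the deny rules: 0.0.0.255 is the wildcard David asks
    for; the subnet mask 255.255.255.0 put there matches only hosts ending in .0."""
    services = [3389, 25, 21, 389, 143]       # RDP, SMTP, FTP, LDAP, IMAP (rules 34-38)
    acl = [Rule(34 + i, "permit", "tcp", "any", "any", p) for i, p in enumerate(services)]
    acl.append(Rule(41, "deny", "any", f"192.168.111.0 {wild}", f"192.168.2.0 {wild}"))
    if both_directions:                       # rule 42 covers the return direction
        acl.append(Rule(42, "deny", "any", f"192.168.2.0 {wild}", f"192.168.111.0 {wild}"))
    acl.append(Rule(43, "permit", "any", "any", "any"))
    return acl

if __name__ == "__main__":
    acl = build_acl()
    print(evaluate(acl, "192.168.111.94", "192.168.2.10", dport=3389))   # permit: RDP allowed
    print(evaluate(acl, "192.168.2.2", "192.168.111.82", dport=1433))    # deny: test SQL blocked
    print(evaluate(build_acl("255.255.255.0"), "192.168.2.2", "192.168.111.82", dport=1433))  # permit
    print(evaluate(build_acl(both_directions=False), "192.168.2.2", "192.168.111.82", dport=1433))  # permit
```

With the subnet mask in place of the wildcard, or with only one deny direction, the SQL traffic falls through to rule 43 and is permitted, which matches the "lets everything through" symptom above.
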
Hi David,

I would like to connect a server to the Linksys SRW224G4 L2 switch but it needs to be on the VLAN 4 network. 

I have created a trunk link between the Linksys SRW224G4 and SF-300 and tagged VLAN 4 on both ends (VLAN 1 untagged), set the server IP to the 192.168.2.* network and given it the default gateway for VLAN 4, 192.168.2.249, but it doesn't want to communicate.

I get limited connectivity and no internet access.  

The server has bonded nics and is connected to the G3 and G4 ports of the Linksys224G4 and the ports are set to access ports.

I thought I would just have to trunk between the Switches and tag the required VLAN (4)?

Kind Regards

Richard

bhackbarth
Level 1

A trunk port is only helpful when you have tags identifying which VLAN the traffic is supposed to be on. Your server definitely probably isn't tagging any of its traffic, so any traffic you manage to send back to the SF300 is going to end up in VLAN1 on the SF300's end anyway because you used a trunk port and VLAN1 is untagged. So you'll need to either be on an Access port on the SRW or change the PVID of the trunk to something other than 1, assuming your access ports to your server are not on VLAN1.

If the entire switch is to be a member of VLAN4 from the SF300's side, it makes sense on the SRW side to either use VLAN1 or change the PVID of all the ports to VLAN4. On the SF300 side, depending on whether traffic headed for VLAN4 is tagged or not, the port that goes to the SRW may need to be an access port. If there are tags, then a Trunk port is correct to use.

To summarize: if your access ports to the server are in VLAN4, set your port going back to the SF300 as an access port for VLAN 4. Then look at the SF300 side and determine whether traffic headed for those aforementioned servers will be tagged as VLAN4 or not (802.11q compatible). If so, you're done. If not, set the port going to the SRW as an access port for VLAN4 so tags aren't needed.

Hi Brayton,

The server is installed on an ESXi 5.1 host and is a virtual client (2012 server), so I can assign its interface to a VLAN. I have set its VLAN port assignment to 4 but I cannot ping anything on VLAN 1 or 4.

Inter-VLAN routing is working on the SF-300 switch between VLAN 1 and 4, as I have users on VLAN 4 using VLAN 1 resources and they can connect to the domain.

Port G1 on the SF-300 is trunked with VLAN 4 tagged and is connected directly to port E09 of the Linksys switch, which is also trunked and tagged with VLAN 4. The switches are connected directly via a couple of patch panels.

Because the ESXi host has servers installed running in VLAN 1, I am unable to remove VLAN 1 from the trunk port and just have VLAN 4.

Do I need to trunk the ports which the server is connected to i.e. G3 & G4 and tag VLAN 4 as they are currently set to access?

Many thanks

Richard

bhackbarth
Level 1

Hi Richard,

Definitely set G3 and G4 as Trunk ports if there are multiple VLANs coming in and out of those ports. It sounds like there are if the ESXi host is advanced enough to allow VLAN configuration. Simply decide what the default VLAN of G3 and G4 is, i.e. the one that will not require any tags at all. Make sure G3 and G4 have that particular VLAN as an untagged member. Then tag the other VLANs that need to flow through. If you had them as Access Ports on VLAN4 before, it seems like VLAN4 would be the untagged member.

Regards,

-Brayton

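Added example, not part of the thread: a small 802.1Q port model in Python that traces which VLAN a frame is classified into on ingress (by its tag, or by the port PVID when it is untagged) and how it leaves another port, for the cases discussed in this thread: the fe16 stanza in Richard's config (general mode, VLAN 2 untagged, assumed to keep the default PVID of 1 because no pvid command appears) and the trunk-with-VLAN-1-untagged case bhackbarth describes. Port names and membership sets are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Port:
    name: str
    pvid: int                                         # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)   # VLANs sent out without a tag
    tagged: Set[int] = field(default_factory=set)     # VLANs sent out with an 802.1Q tag

def access(name: str, vid: int) -> Port:
    # Access port: one VLAN, untagged in both directions, and it is the PVID.
    return Port(name, pvid=vid, untagged={vid})

def trunk(name: str, native: int, tagged_vids) -> Port:
    # Trunk port: the native VLAN (1 by default) is untagged, the rest are tagged.
    return Port(name, pvid=native, untagged={native}, tagged=set(tagged_vids))

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an incoming frame: no tag -> PVID; a tagged frame is accepted
    only if the port is a member of that VLAN, otherwise it is dropped (None)."""
    if tag is None:
        return port.pvid
    return tag if tag in (port.untagged | port.tagged) else None

def egress(port: Port, vid: int) -> Optional[str]:
    """'untagged' or 'tagged' for how VLAN vid leaves this port; None = not sent."""
    if vid in port.untagged:
        return "untagged"
    return "tagged" if vid in port.tagged else None

def trace(in_port: Port, tag: Optional[int], out_port: Port):
    """(VLAN assigned on ingress, how that VLAN leaves out_port on the same switch)."""
    vid = ingress(in_port, tag)
    return vid, (egress(out_port, vid) if vid is not None else None)

# Constructed ports. fe16 mirrors "switchport mode general" plus "allowed vlan
# add 2 untagged" with the PVID left at its default of 1 (assumption, see lead-in).
fe16 = Port("fe16", pvid=1, untagged={2})
fe16_fixed = Port("fe16", pvid=2, untagged={2})       # as with "switchport general pvid 2"
fe3 = access("fe3", 1)
srw_e09 = trunk("e09", native=1, tagged_vids={4})     # SRW uplink, VLAN 1 untagged
srw_g3 = access("g3", 4)                              # server port on VLAN 4

if __name__ == "__main__":
    print(trace(fe16, None, fe3))         # (1, 'untagged'): with PVID 1, untagged frames go to VLAN 1
    print(trace(fe16_fixed, None, fe3))   # (2, None): classified into VLAN 2, not bridged to a VLAN 1 port
    print(ingress(srw_e09, None))         # 1: an untagged server frame on the trunk lands in VLAN 1
    print(trace(srw_g3, None, srw_e09))   # (4, 'tagged'): VLAN 4 access port -> tagged on the uplink
```
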
poojo666
Level 1

Hi All

I used the "Switch SF300" and I want to set up IP routing. The problem is that I need to put the gateway to be contagious.

Sample

vlan 1 => IP 192.168.1.1 255.255.255.0.

vlan 2 => IP 192.168.2.1 255.255.255.0.

PC1 (Vlan1)

IP 192.168.1.2  Subnet mask: 255.255.255.0  Gateway 192.168.1.1

PC2 (Vlan2)

IP 192.168.2.2  Subnet mask: 255.255.255.0  Gateway - no gateway or 192.168.1.254

PC1 ==> Ping to Vlan 2 and PC2  : pass

PC2 ==> Ping to Vlan 1 and PC1  : Verification.

I've tested with the Catalyst 3560 in Packet Tracer 5 do.

http://www.4shared.com/file/MIy7vIJV/FMC.html