Solved: Hi Andrew, Please change the

andrewdmorton · ‎11-23-2014

HI.

Got a SF500 in layer3 mode, operating 5 vlans all with their own subnet.

Vlan 10 = 192.168.10.0/24

Vlan 100 = 192.168.100.0/24

Vlan 200 = 192.168.200.0/24

Vlan 201 = 192.168.201.0/24

Vlan 202 = 192.168.202.0/24

We have a gateway on Vlan 10 (192.168.10.1), which all vlans can see & access (because of intervlan routing), and this at present allows vlan 10 to access the internet.

I want vlan 100 to be able to access the internet through this gateway as well, although the other vlans (200,201,202), will use a different gateway located on vlan 200 subnet.

Of course, the gateway has to exist in the subnet. I cannot assign the default gateway of a machine on vlan 100, an ip address of the gateway on vlan 10.

If I point the default gateway to the virtual interface in its subnet (e.g. 192.168.100.254), it equally does not know how to get out to the internet, even though it can see the gateway (I can access a web page it hosts).

So the question is this:

Can vlan 100 traffic be routed on the SF500 to use the gateway on vlan 10? (outside of the default gateway of the switch).

If this is not possible with the SF500, what would I need to make it work?

Many thanks.

Mehdi Boukraa · ‎11-24-2014

Hi Andrew,

I understand what you want to achieve, so in your case we need to have a switch with PBR (Policy based Routing ) capability which allow you to match the source IP address and action next hope IP address of the gateway.

This feature is not implemented in SMB product but for entreprise devices we have this feature like Catalyst 3750

Please rate or marked as answered to help other Cisco Customers

Greetings

Mehdi

View solution in original post

Mehdi Boukraa · ‎11-24-2014

Hi Andrew,

I don't have more information about your network so I will try to much your configuration from your post

let's say we have this configuration :

1. Create Vlan 10 and assign on SVI IP address 192.168.10.254 /24

2. Create Vlan 100 and assign on SVI ip address 192.168.100.254/24

3. Create Vlan 200 and assign on SVI ip address 192.168.200.254/24

4. Create Vlan 201 and assign on SVI IP address 192.168.201.254/24

5. Create Vlan 202 and assign on SVI IP address 192.168.202.254/24

and the gateway (Router) is on Vlan 10 with IP address 192.168.10.1

6. we assign at least one port to each vlan and the switch port from where is connected to the router should be trunk (10U,100T,200T,201T,202T) it means All the traffic from Vlan 100,200,201,202 is Tagged and transmitting through Untagged Vlan 10

7. Under IP Cofiguration --> IPv4 Management and Interface --> IPv4 Route

8. add the deafult static route to the gateway :

Destination : 0.0.0.0

SubnetMask : 0.0.0.0

Remote IP GW :192.168.10.1

Now from the router expectation : router need to NAT all the source IP address (200.0/24 , 100.0/24 ...)

I don't know what the router you have but there is a router where NAT all the source coming to him to go to Internet, but there is other router which need to configure NAT for the unknown address for the router side --> Here is up to the Router

after that connect PC to port on Vlan 100 setup static IP for example 192.168.100.100/24 with Gw 192.168.100.254 should access to the internet via the trunk port on the switch and router should NAT this subnet to go outside

Hope I was clear

Please rate this post or marked as answered to help other Cisco Routers

Greetings

Mehdi

andrewdmorton · ‎11-24-2014

Mehdi,

What you have described is correct to tunnel all traffic through the 1 gateway, by assigning the static route on the switch - is that right?

My query relates to whenever there are 2 gateways - one on vlan 10, and one in vlan 200.

The gateway in vlan 10 serves 10 and 100. The one in 200 serves 200,201 and 202.

Is there a way to specify the gateway ip/static route per vlan or per subnet?

Regards,

Andrew

Mehdi Boukraa · ‎11-24-2014

Hi Andrew,

I understand what you want to achieve, so in your case we need to have a switch with PBR (Policy based Routing ) capability which allow you to match the source IP address and action next hope IP address of the gateway.

This feature is not implemented in SMB product but for entreprise devices we have this feature like Catalyst 3750

Please rate or marked as answered to help other Cisco Customers

Greetings

Mehdi

andrewdmorton · ‎11-25-2014

Mehdi,

I put in the static route for 0.0.0.0, but it doesn't seem to work either - which is weird! I used a metric of 1, but I don't think that should matter.

I did a trace route, from a machine on the 201 vlan, and it just gets to the virtual interface (192.168.201.254),but no further.

Very odd.

Any ideas?

Mehdi Boukraa · ‎11-25-2014

Hi Andrew,

Can you please share the running config, so i can take a look with you.

and please check if you have any information from the gateway on vlan 10 like Vlan configuration you can take screenshots also

Thanks

Mehdi

Mehdi Boukraa · ‎11-25-2014

Hi Andrew,

- Please check also the port where is connected to the gateway should be Trunk untgged Vlan 10 and tag other Vlan's

- Also in the gateway perspective should also the port where is connect to the switch as trunk vlan 10 and tag all vlan's

- For the default router 0.0.0.0 mask 0.0.0.0 192.168.10.1 SHOULD have metric of 1

Please let me know and wating for the running config and screenshot from the gateway to help me to understand your device

Thanks

Mehdi

andrewdmorton · ‎11-25-2014

Hi Mehdi.

Please bear with me - ill have to hook up a pc with the console to get the running config.

In the mean time ill describe it...

The port connected to the gateway (consumer grade modem/router), is a member of Vlan 10. It is a 'general port', with a PVID of 10 and an untagged member of vlans 10 and 201. (so traffic from both vlans can access it).

The machine in vlan 201 is again connected to a general port, with a PVID of 201. Its membership is 10U, 100U, 200U, 201UP. It communicates with every vlan except 202.

There are currently no ACLs on either of the ports above.

One thing that has occurred to me is that although the gateway can see the DHCP clients, it is not specifically vlan aware... but technically does it have to be as the traffic is limited on the switch?

Ill get the running config as soon as I find a pc that I can use......

Andrew

Mehdi Boukraa · ‎11-25-2014

Hi Andrew,

Please change the port where is connect to modem/router to Trunk PID 10 and add all other vlan's it means 10U,201T

and the port where the PC test which part of Vlan 201 should be Access, or Trunk PVID 201 --> it means 201U without adding other vlan's

Please try those steps and let me know

if still you have the issue please

to gain time :) I replicate your topology an it's working

please give me your private email so we ca continue to discuss in private and i can share my configuration also with you

Greetings

Mehdi

Multiple vLans with Multiple Gateways