11-11-2019 08:22 AM
I have an SG300 with fully functional VLAN routing between 4 VLANs that will not forward to the default route.
I am able to ping/traceroute the default route IP configured on the SG300 from all VLANs, but when trying to access anything not directly connected to the switch the traffic is not forwarded to the default route.
I have run a tcpdump on the router and no traffic is seen when trying to access anything that should hit the default route.
I have routes for all of the VLANs pointing back to the SG300.
All switch ports are configured as Trunk ports as they all go to either other switches or ESX servers that support multiple VLANs.
I also tried setting a static route to something on the other side of the router and that did not work either. I have seen comments about the ports being configured as access vs trunk, does that make a difference?
I am sure there is some small check-box I am missing somewhere. Any help would be appreciated.
11-11-2019 08:29 AM
11-11-2019 09:08 AM - edited 11-11-2019 09:17 AM
The default route terminates at a firewall running as a VM. I have full control over it. As I said, I ran a tcpdump on the internal interface of the firewall and see no traffic forwarded to it from the SG300 when it is a network not directly connected to the SG300.
The firewall has two interfaces, one in VLAN 60 and one in VLAN 30. Nothing else is located in either VLAN; the firewall has full access to the internet.
I don't have a diagram, but it is just a basic network. I am just moving the routing from the hardware firewall to the SG300 to give me more flexibility in my lab environment.
Here is the config:
config-file-header
v1.4.11.2 / R800_NIK_1_4_216_022
CLI v1.0
set system mode router
port jumbo-frame
vlan database
vlan 10,20,30,40,50,60
exit
no ip arp proxy disable
logging buffered debugging
ip ssh server
ip http timeout-policy 0 https-only
interface vlan 10
ip address 10.20.100.253 255.255.255.0
!
interface vlan 20
ip address 10.22.100.253 255.255.255.0
!
interface vlan 30
!
interface vlan 50
ip address 10.19.100.253 255.255.255.0
!
interface vlan 60
ip address 10.18.100.1 255.255.255.0
!
interface gigabitethernet1
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet2
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet3
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet4
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet5
switchport trunk allowed vlan add 20
switchport trunk native vlan 10
!
interface gigabitethernet6
switchport trunk native vlan 40
!
interface gigabitethernet7
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet8
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet9
switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet10
switchport trunk allowed vlan add 20,30,40,50,60
switchport trunk native vlan 10
!
exit
banner login ^C
Switch 2
^C
mac address-table aging-time 30
ip default-gateway 10.18.100.10
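The following is an added example, not part of the thread and not Cisco code: a small Python linter for the routing-relevant parts of the SG300 config posted above. It parses the VLAN database, the SVIs and the default route line, then reports VLANs the switch cannot route (no SVI, or an SVI without an address) and checks that the default gateway lies inside a directly connected SVI subnet. The regexes and the `SAMPLE_CONFIG` excerpt are assumptions based on the posted config; the lint does not know SG300 semantics beyond what the text shows.

```python
import ipaddress
import re

# Constructed sample: the routing-relevant subset of the SG300 config posted in the thread.
SAMPLE_CONFIG = """\
set system mode router
vlan database
vlan 10,20,30,40,50,60
exit
interface vlan 10
ip address 10.20.100.253 255.255.255.0
!
interface vlan 20
ip address 10.22.100.253 255.255.255.0
!
interface vlan 30
!
interface vlan 50
ip address 10.19.100.253 255.255.255.0
!
interface vlan 60
ip address 10.18.100.1 255.255.255.0
!
exit
ip default-gateway 10.18.100.10
"""


def parse_config(text):
    """Return (vlans, svis, default_gw, static_default).

    vlans          set of VLAN ids declared under 'vlan database'
    svis           dict vlan id -> IPv4Interface, or None when the SVI has no address
    default_gw     IPv4Address from 'ip default-gateway', or None
    static_default next hop from 'ip route 0.0.0.0 0.0.0.0 <hop>', or None
    """
    vlans, svis = set(), {}
    default_gw = static_default = None
    current = None
    in_vlan_db = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "vlan database":
            in_vlan_db = True
            continue
        if in_vlan_db:
            m = re.match(r"vlan ([\d,]+)$", line)
            if m:
                vlans.update(int(v) for v in m.group(1).split(","))
            elif line == "exit":
                in_vlan_db = False
            continue
        m = re.match(r"interface vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            svis.setdefault(current, None)
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current is not None:
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        if line == "!":
            current = None
        m = re.match(r"ip default-gateway (\S+)$", line)
        if m:
            default_gw = ipaddress.IPv4Address(m.group(1))
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            static_default = ipaddress.IPv4Address(m.group(1))
    return vlans, svis, default_gw, static_default


def lint(text):
    """Report routing gaps: VLANs without a routable SVI and an off-link default gateway."""
    vlans, svis, default_gw, static_default = parse_config(text)
    findings = []
    for v in sorted(vlans):
        if v not in svis:
            findings.append(f"VLAN {v}: no 'interface vlan {v}', switch does not route it")
        elif svis[v] is None:
            findings.append(f"VLAN {v}: SVI has no IP address, switch does not route it")
    gw = static_default or default_gw
    gateway_vlan = None
    if gw is None:
        findings.append("no default route configured")
    else:
        on_link = [v for v, i in svis.items() if i is not None and gw in i.network]
        if on_link:
            gateway_vlan = on_link[0]
        else:
            findings.append(f"default gateway {gw} is not inside any SVI subnet")
        if static_default is None:
            findings.append("default route given only by 'ip default-gateway' "
                            "(no 'ip route 0.0.0.0 0.0.0.0' line present)")
    return {"findings": findings, "gateway": str(gw) if gw else None,
            "gateway_vlan": gateway_vlan}


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG)["findings"]:
        print(f)
```

Run against the posted config this flags VLAN 30 (SVI without an address) and VLAN 40 (no SVI at all), and resolves the gateway 10.18.100.10 to the VLAN 60 subnet, which matches the poster's observation that the gateway itself is reachable from every routed VLAN.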
11-11-2019 10:27 AM
11-11-2019 10:52 AM
Yes, everything works that is directly connected. All of the VLANs can talk to each other.
11-11-2019 03:35 PM
11-11-2019 04:47 PM - edited 11-11-2019 04:51 PM
The firewall is connected through port 7, but it is actually on another switch. It is a Check Point VM and I don't think it is the problem. If I add a machine to the VLAN it is on I can pass through it, and it has routes, access rules and NAT configured for all of the VLANs.
I am guessing from the questions you don't see anything wrong with the switch config?
11-11-2019 06:33 PM - edited 11-11-2019 06:33 PM
I think that your configured default route is wrong.
Try this:
no ip default-gateway 10.18.100.10
ip route 0.0.0.0 0.0.0.0 10.18.100.10
Make sure you do it from the directly connected network, because you may lose access to your device until it is done.
11-12-2019 06:14 AM - edited 11-12-2019 06:17 AM
Thanks for the suggestion. I tried that and it didn't change anything. If you don't see anything else I may tear it all down and try again, there just seems to be something weird going on.
11-12-2019 06:28 AM
11-12-2019 03:11 PM
All of those pings are successful.
I did some more experimenting and if I stick another device on the VLAN between the switch and the firewall and try to ping 8.8.8.8 through the firewall everything is fine, but at the same time the devices on the other side of the switch can now ping 8.8.8.8... but only 8.8.8.8. It is like the switch is still relying on ARP and not following its default route unless it already knows the destination is there. This is driving me crazy.
11-12-2019 03:47 PM
Ok, I think that your firewall is the problem.
Disable arp spoofing on your firewall.
11-12-2019 08:36 PM
I have the correct networks configured in anti-spoofing, and it is set to detect, not block. I am not seeing any of the logs mentioned in the linked article. Anti-spoofing in Check Point doesn't have anything to do with ARP, it is to detect when improper IP addresses are seen on an interface.
11-13-2019 11:09 AM - edited 11-13-2019 11:09 AM
Your switch is configured properly. I had this issue some time ago, and the problem was Check Point; let me try to explain.
When traffic is coming from one network and matches the network interface = traffic is allowed.
When traffic is coming from one network and does not match the network interface = traffic is blocked by anti-spoofing.
In your case your traffic is sent via the default route to your firewall; then the traffic is coming from a network that does not match the network interface, so the traffic is blocked by anti-spoofing, but when you look in the Check Point log it appears as "allowed"; you need to look in the spoofing logs.
To resolve this issue I made a few configuration changes:
Obs: "I don't remember the correct path"
Advanced > Security > (search) "spoo" and the anti-spoofing configuration will appear; I disabled it to test... all works well :)
Try it... because your switch configuration is ok.
11-13-2019 05:27 PM
I completely understand what you are talking about and spoofing is a commonly misconfigured thing in Check Point. By default the spoof group will be assigned as the directly connected network, but it is possible to specify a group, and I have created a group which contains all of the internal networks. It also would not explain why the traffic was allowed through after I connected from a locally attached machine.
That being said, I did completely disable spoofing to verify that wasn't the problem.
I do have this working now. Though I don't know the exact cause of the problem, it was not the SG300. It must have something to do with how VMware Fusion VLANs work. I moved from Fusion to an ESX box and it immediately started working with no other changes.