SG300 VLANs with FIOS Internet

jlkleins6
Level 1

Hi folks,

I have an SG300-28PP I'm configuring to upgrade my wife's clinic's outdated network and am having some issues with getting my added VLAN to see anything outside of itself. Currently they have Verizon FIOS for Internet/Switching (FiOS G1100 Router), which serves the few office PCs and Printers via the onboard LAN jacks and a couple of D-link 5 port GB switches. They also have an isolated network for a few PCs serving medical scope imaging equipment that is the driver for the upgrade as the PC equipment/software is being upgraded and needs to be on the Internet for vendor remote support.

 

So, I bought the SG switch and am trying to set it up, however, it's a bit different than the Catalyst switches we use at work, which admittedly I know enough about to be dangerous. I'm not a network engineer but manage a pretty network switch-heavy streaming audio visual system at work, so am familiar enough with them to do basic administration once the hard setup is done.

 

Anyway, I have so far set this SG300 up as follows in L3 mode:

  • FiOS router to port 28 trunk port with VLAN's 1 and 10 joined (router is 192.168.1.1/255.255.252.0).
  • All other ports are about 75% Office equipment and 25% Scope room equipment (I allowed extra ports for future expansion) and set to Access.
  • VLAN1 is set up Static on 192.168.1.3 for the Office equipment.
  • VLAN10 is set up Static on 192.168.4.1 for the Scope equipment. 
  • A route is set up on the FIOS Router to VLAN4 using VLAN1 as the Gateway. (Note: This is on my router at home as I'm pre-testing this here).
    Routing Table
    Name                   Destination   Gateway       Netmask         Metric  Status
    Network (Home/Office)  192.168.4.0   192.168.1.3   255.255.255.0   1       Applied
  • Switch routes are set up on the SG300 switch as follows:
    IPv4 Static Routing Table
    Destination IP Prefix  Prefix Length  Route Type  Next Hop Router IP Address  Route Owner  Metric  Administrative Distance  Outgoing Interface
    0.0.0.0                0              Default     192.168.1.1                 Default      1       1                        VLAN 1
    192.168.0.0            22             Local       Directly Connected                                                        VLAN 1
    192.168.4.0            22             Local       Directly Connected                                                        VLAN 10

 

I have a laptop plugged into both VLAN1 and VLAN10 for testing, and the switch is trunked to my FIOS Router. My home network that I'm using for testing is a 192.168.1.1 subnet, so from the VLAN1 laptop I can reach everything (Internet and anything else) on the 192.168.1.x network.

I can *Ping* VLAN10 (192.168.4.1) from the laptop on VLAN1, however, I can't ping the laptop on VLAN10.

From the VLAN10 laptop, I can only ping VLAN10's IP, I can't reach anything outside of VLAN10, whether DNS or IP based (i.e. neither 8.8.8.8 nor www.google.com work).

 

Note: all DHCP addressing is being done from the FIOS router, and I suspect that it will only provide addressing to the 192.168.1.1 network that is the basic network, but that's okay as I plan to static IP the devices on VLAN10 anyway (as they are now). So, while that might be nice to figure out if I could DHCP addresses in the 192.168.4.x range on VLAN10, it's not a deal breaker unless for some reason the Cisco Collective deems it necessary :)

 

What IS a dealbreaker is not being able to reach the Internet from VLAN10 or not being able to pass info across the two VLANs. Access requirements are as follows:

  • The Vendor needs to access VLAN10 from the Internet to provide helpdesk support for the new Scope PCs (using their TeamViewer account, which will be installed on the Scope PCs).
  • The office needs to access shared drives on the Scope PCs from the Office PCs (i.e. image files and notes), so VLAN1 must talk to VLAN10.
  • The Docs need to access the Internet from the Scope PCs, so VLAN10 must get to the FIOS Router on VLAN1 and then out to the Internet.
  • The Docs need to access shared drives on the Office PCs from the Scope PCs (i.e. scheduling and chart notes), so VLAN10 must access PCs on VLAN1.

 

Hopefully that covers everything I've done so far...I feel like I'm missing a simple piece of the puzzle but can't quite put my finger on it.

 

Thanks for any help,

Jeff

1 Accepted Solution

14 Replies

Seb Rupik
VIP Alumni

Hi there,

If inter-vlan routing is not working, there is a good chance your SG300 is in switch mode. Try the following in CLI:

!
set system mode router
!

cheers,

Seb.

Hi Seb,

I've already set the switch to L3 mode with the web GUI, which I believe is the same as setting router mode via CLI. That seems to be the common advice given in all the posts I've read referencing inter-vlan comms, but it's still not working for me.

 

Thanks,
Jeff

Hi Jeff,

Did the GUI force you to reload the SG300 after you put it into L3 mode?
Can you provide the interface config and routing table of one device on VLAN10 which can't reach VLAN1 or the internet?

Regarding your questions about the FiOS router performing DHCP for VLAN10, you would simply configure an ip helper-address and set the IP to 192.168.1.1. This would require that the FiOS router is capable of hosting more than one DHCP pool concurrently.
It is probably easier to configure the SG300:

!
ip dhcp server
ip dhcp pool network DHCP_POOL10
  address 192.168.4.0 /22
  default-router 192.168.4.1
  dns-server 8.8.8.8
!
ip dhcp excluded-address 192.168.4.1
!


Also noticed a typo in your routing table on the FiOS router. You need to change the subnet mask for VLAN10 to 255.255.252.0 .

cheers,
Seb.

Hi Seb,

Yes, the GUI forces you to reboot when switching from the default L2 mode to L3 and it wipes the config as well, so I did that first (the 2nd time around, heheh).

 

I'll try the VLAN10 dhcp setup after I get the cross VLAN thing working, I agree that it's probably easier to do that part on the switch. I haven't looked into it deeply yet, but I doubt the Verizon router will do multiple DHCPs, but I could be surprised.

 

I fixed the typo on the FiOS router, thanks for the catch. No change though, although that's expected as my VLAN10 laptop was pinging from a (edit) 192.168.4.251 address so it would have gone through anyway. The rest of the laptop info is:

IPv4: 192.168.4.251

SM: 255.255.252.0

GW: 192.168.1.1

Aaaaaand that's when I figured it out.

I had the GW set wrong, based on having 2 IPs on my hardwired NIC (192.168.1.1 and 192.168.4.1, with a 192.168.1.1 GW). I thought I had the 4.x address on the Ethernet jack and the 1.x address on the wifi (turned on and off during testing), but didn't realize that I'd forgotten to change the GW on the Ethernet jack to the VLAN10 IP.

 

I'll do some more testing when I get home from work, but so far looking much better. 

 

Thanks,
Jeff
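As an added example (not from the thread), the two addressing slips worked through above, a host whose default gateway sits outside its own subnet and a router static route narrower than the SVI subnet it points at, can be caught with a small PowerShell check before anything is cabled. The function names are my own; the hosts, prefixes and the FiOS route are constructed from the values posted in the thread.

```powershell
# Added example, not part of the thread. Sanity checks for a two-VLAN
# addressing plan like the one above (SG300 SVIs 192.168.1.3/22 and
# 192.168.4.1/22, FiOS router at 192.168.1.1). Helper names are my own.

function ConvertTo-IPv4Int {
    # Dotted quad -> 0..4294967295 as [int64] so bit operations stay unsigned.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-IPv4Mask {
    # Prefix length (0..32) -> mask as [int64]. Decimal literal on purpose:
    # 0xFFFFFFFF would parse as the [int32] value -1 in PowerShell.
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
    return [int64]4294967295 - (([int64]1 -shl (32 - $PrefixLength)) - 1)
}

function Test-InSubnet {
    # True when $Address falls inside $Network/$PrefixLength.
    param([string]$Address, [string]$Network, [int]$PrefixLength)
    $mask = Get-IPv4Mask -PrefixLength $PrefixLength
    return (((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $Network) -band $mask))
}

function Test-HostConfig {
    # A host's default gateway must be inside the host's own subnet, otherwise
    # the host can never ARP for it. This is the VLAN10 laptop mistake above.
    param([string]$Name, [string]$Address, [int]$PrefixLength, [string]$Gateway)
    $ok = Test-InSubnet -Address $Gateway -Network $Address -PrefixLength $PrefixLength
    [pscustomobject]@{
        Host            = $Name
        Address         = "$Address/$PrefixLength"
        Gateway         = $Gateway
        GatewayInSubnet = $ok
    }
}

function Test-RouteCoversSubnet {
    # A static route toward an SVI subnet must be at least as wide as that
    # subnet. The FiOS /24 toward the switch's /22 would strand 192.168.5-7.x.
    param([string]$RouteNetwork, [int]$RoutePrefix, [string]$SubnetNetwork, [int]$SubnetPrefix)
    $covers = ($RoutePrefix -le $SubnetPrefix) -and
              (Test-InSubnet -Address $SubnetNetwork -Network $RouteNetwork -PrefixLength $RoutePrefix)
    [pscustomobject]@{
        Route  = "$RouteNetwork/$RoutePrefix"
        Subnet = "$SubnetNetwork/$SubnetPrefix"
        Covers = $covers
    }
}

# Constructed inputs using the thread's values (laptop before and after the fix).
$hosts = @(
    @{ Name = 'VLAN1 laptop';           Address = '192.168.1.250'; PrefixLength = 22; Gateway = '192.168.1.1' },
    @{ Name = 'VLAN10 laptop (before)'; Address = '192.168.4.251'; PrefixLength = 22; Gateway = '192.168.1.1' },
    @{ Name = 'VLAN10 laptop (fixed)';  Address = '192.168.4.251'; PrefixLength = 22; Gateway = '192.168.4.1' }
)
$hosts | ForEach-Object { $p = $_; Test-HostConfig @p } | Format-Table -AutoSize

# FiOS router static route toward VLAN10, as first typed (/24) and as corrected (/22).
Test-RouteCoversSubnet -RouteNetwork '192.168.4.0' -RoutePrefix 24 -SubnetNetwork '192.168.4.0' -SubnetPrefix 22
Test-RouteCoversSubnet -RouteNetwork '192.168.4.0' -RoutePrefix 22 -SubnetNetwork '192.168.4.0' -SubnetPrefix 22
```

The middle host row comes back with GatewayInSubnet False and the /24 route row with Covers False; the other rows are True. On a Windows client the same three inputs can be read live from `Get-NetIPConfiguration` (IPv4Address.IPAddress, IPv4Address.PrefixLength and IPv4DefaultGateway.NextHop) and fed to Test-HostConfig instead of the constructed table.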

 

Ok, did some more checking and while I can indeed get from VLAN10 (192.168.4.251 laptop IP) to the Internet now, neither laptop can ping the other one (i.e. can't ping across VLANs). I did a trace route and got the following:

 

VLAN1 laptop to VLAN10 laptop:

C:\>tracert 192.168.4.251

Tracing route to 192.168.4.251 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.1.1
2 1 ms 5 ms 5 ms 192.168.1.3
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.

etc, etc, etc

 

VLAN10 laptop to VLAN1 laptop:

C:\>tracert 192.168.1.250

Tracing route to 192.168.1.250 over a maximum of 30 hops

1 1 ms 4 ms 3 ms 192.168.4.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.

etc, etc, etc

 

Thanks,
Jeff

Hi Jeff,

Can you ping the laptops from the switch?

On the switch cli, what is the output of:

 

sh mac add

sh ip arp

 

cheers,

Seb.

Hi Seb,

Here's what I got (it was "sh ip arp insp" on the SG):

(Note: gi28 is the uplink to my home network via one of my FiOS router ports, gi13 is my 192.168.1.250 IP laptop's port on VLAN1 and gi8 is my 192.168.4.251 laptop's port on VLAN10.)

 

AADC-SW1#sh mac add
Flags: I - Internal usage VLAN
Aging time is 300 sec

Vlan Mac Address Port Type
------------ --------------------- ---------- ----------
1 00:10:7f:36:36:ef gi28 dynamic
1 00:10:7f:90:0e:ef gi28 dynamic
1 00:1e:c9:5d:4c:00 gi28 dynamic
1 08:ed:b9:75:05:9f gi28 dynamic
1 18:55:0f:07:f3:50 gi28 dynamic
1 18:55:0f:0a:b6:be gi28 dynamic
1 18:55:0f:0e:cb:4a gi28 dynamic
1 34:23:ba:fe:b3:20 gi28 dynamic
1 34:e2:fd:a5:a1:ea gi28 dynamic
1 48:5d:36:6b:b8:bd gi28 dynamic
1 48:f8:b3:76:01:1c gi28 dynamic
1 70:6e:6d:f5:01:11 0 self
1 70:70:0d:9f:0a:17 gi28 dynamic
1 78:2b:cb:ce:45:9d gi13 dynamic
1 a0:18:28:2d:92:13 gi28 dynamic
1 a0:cc:2b:19:36:7b gi28 dynamic
1 a4:ee:57:65:8e:1d gi28 dynamic
1 ac:3a:7a:3d:23:f6 gi28 dynamic
1 ac:89:95:09:00:bd gi28 dynamic
10 04:7d:7b:99:a3:40 gi8 dynamic

 

AADC-SW1#show ip arp insp
IP ARP inspection is Disabled
IP ARP inspection is configured on following VLANs:
Verification of packet header is Disabled
IP ARP inspection logging interval is: 5 seconds

Interface Trusted
----------- -----------

 (Hmm, nothing here...a clue?)

 

Thanks,

Jeff

Sorry, wrong command, try

sh arp

Looks like my earlier iPhone reply didn't come through.

Here's what I found when I got home:

 

AADC-SW1#show arp

Total number of entries: 5


VLAN Interface IP address HW address status
--------------------- --------------- ------------------- ---------------
vlan 1 gi28 192.168.1.1 48:5d:36:6b:b8:bd dynamic
vlan 1 gi28 192.168.1.2 48:f8:b3:76:01:1c dynamic
vlan 1 gi28 192.168.1.165 00:1e:c9:5d:4c:00 dynamic
vlan 1 gi13 192.168.1.250 78:2b:cb:ce:45:9d dynamic
vlan 10 gi8 192.168.4.251 04:7d:7b:99:a3:40 dynamic

 

I put a screenshot in too for easier viewing.

 

Jeff

Can you ping the devices from the other VLAN SVI?

 

ping 192.168.4.251 source 192.168.1.3

ping 192.168.1.250 source 192.168.4.1

 

Just a thought, do these devices have firewalls installed which may be blocking ICMP?

Seb,

Regarding the firewall question, they both just have the basic Windows Defender running, nothing special. However, I turned it off on both laptops for private networks and now I can ping (both ways)!

 

So...know any good tutorials on setting up Windows Defender to allow pinging across VLANs?

 

 

Regarding the "ping from source" commands, I'm a little confused with the results I got. I could ping both addresses with a simple ping command, but it doesn't work when specifying the source. Although I would understand why forcing a ping to VLAN1 from the VLAN10 interface wouldn't work (2nd example), why wouldn't the first have worked? Wouldn't my simple ping commands be pinging from source 192.168.1.3 by default just by virtue of being logged into the switch with PuTTY?

 

Thanks,
Jeff

Hi Jeff,

So the switch is now working? :)

 

Regarding Windows Defender, take a look at the Windows firewall, inbound rules. In particular "File and Printer Sharing (Echo Request - ICMPv4-In)". There should be two rules, one for 'Local subnet' and another for 'Any'.

Enable the 'Any' rule. If you go into the rule properties -> Scope, you could specify the VLAN1 and VLAN10 subnets.

 

As for the ping, without the source parameter the switch will source the ping from the 'nearest' IP to the destination, so the VLAN1 /10 SVI as required. Not sure why specifying the source didn't work, the source IPs I suggested are the SVIs right?

 

cheers,

Seb.
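The scoped variant of Seb's suggestion, as an added example that is not from the thread: instead of enabling the built-in rule whose remote scope is 'Any', it creates one explicit inbound rule that accepts ICMPv4 echo requests only from the two clinic subnets, which is the least-privilege version of the same change. It assumes an elevated PowerShell on each PC and the subnets posted above; the custom rule name is my own.

```powershell
# Added example, not from the thread. Allow ICMPv4 echo (ping) from the two
# clinic VLAN subnets only, rather than from any address. Run elevated.

$ClinicSubnets = @('192.168.0.0/22', '192.168.4.0/22')   # VLAN1 and VLAN10 per the thread
$RuleName      = 'Clinic-AllowICMPv4Echo-VLAN1-VLAN10'    # my own name, not a built-in rule

# 1. Show the built-in rules Seb refers to (same display name, different profile/scope).
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Select-Object Name, Profile, Enabled, Direction, Action |
    Format-Table -AutoSize

# 2. Add a narrowly scoped allow rule once; leave the broad 'Any' rule disabled.
#    ICMPv4 type 8 is Echo Request; Private matches the profile Jeff turned off.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Profile Private `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $ClinicSubnets | Out-Null
}

# 3. Verify the remote-address scope that was actually applied to the new rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Two caveats for the clinic PCs: the rule only applies while the adapter's network is classified Private, so a PC that landed in the Public profile keeps rejecting pings; and the built-in File and Printer Sharing rules for the SMB shares the office needs across VLANs carry the same 'Local subnet' scope, so they need the same per-subnet scoping before the shared drives become reachable from the other VLAN.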

Seb,

Yes, it appears everything in the switch is now working, once I added the route to the FiOS router, added the IPv4 Static Routes and fixed the gateway on VLAN10 to match the subnet.

 

So it appears all I need to do now is configure the Windows Firewall on each machine...that's going to be fun. I guess this is where hardware routers become an advantage in office networks?

 

Regarding the pings, yes, the SVI IPs you suggested were correct: VLAN1 on 192.168.1.3 and VLAN10 on 192.168.4.1.

 

Thanks,
Jeff

Hi Jeff,

Regarding the Windows FW, the proper solution to this would be an Active Directory from where you could create a firewall policy and push it out to all domain members. Not a feasible solution for your setup!

 

If you think your original question has been answered, please mark this post as solved. :)

 

cheers,

Seb.