11-11-2017 04:39 PM - edited 03-21-2019 11:17 AM
Hi folks,
I have an SG300-28PP I'm configuring to upgrade my wife's clinic's outdated network and am having some issues with getting my added VLAN to see anything outside of itself. Currently they have Verizon FIOS for Internet/Switching (FiOS G1100 Router), which serves the few office PCs and Printers via the onboard LAN jacks and a couple of D-link 5 port GB switches. They also have an isolated network for a few PCs serving medical scope imaging equipment that is the driver for the upgrade as the PC equipment/software is being upgraded and needs to be on the Internet for vendor remote support.
So, I bought the SG switch and am trying to set it up, however, it's a bit different than the Catalyst switches we use at work, which admittedly I know enough about to be dangerous. I'm not a network engineer but manage a pretty network switch-heavy streaming audio visual system at work, so am familiar enough with them to do basic administration once the hard setup is done.
Anyway, I have so far set this SG300 up as follows in L3 mode:
Routing Table

| Name | Destination | Gateway | Netmask | Metric | Status | Action |
|---|---|---|---|---|---|---|
| Network (Home/Office) | 192.168.4.0 | 192.168.1.3 | 255.255.255.0 | 1 | Applied | |

| Destination IP Prefix | Prefix Length | Route Type | Next Hop Router IP Address | Route Owner | Metric | Administrative Distance | Outgoing Interface |
|---|---|---|---|---|---|---|---|
| 0.0.0.0 | 0 | Default | 192.168.1.1 | Default | 1 | 1 | VLAN 1 |
| 192.168.0.0 | 22 | Local | Directly Connected | | | | VLAN 1 |
| 192.168.4.0 | 22 | Local | Directly Connected | | | | VLAN 10 |
I have a laptop plugged into both VLAN1 and VLAN10 for testing, and the switch is trunked to my FIOS Router. My home network that I'm using for testing is a 192.168.1.1 subnet, so from the VLAN1 laptop I can reach everything (Internet and anything else) on the 192.168.1.x network.
I can *Ping* VLAN10 (192.168.4.1) from the laptop on VLAN1, however, I can't ping the laptop on VLAN10.
From the VLAN10 laptop, I can only ping VLAN10's IP, I can't reach anything outside of VLAN10, whether DNS or IP based (i.e. neither 8.8.8.8 or www.google.com work).
Note: all DHCP addressing is being done from the FIOS router, and I suspect that it will only provide addressing to the 192.168.1.1 network that is the basic network, but that's okay as I plan to static IP the devices on VLAN10 anyway (as they are now). So, while that might be nice to figure out if I could DHCP addresses in the 192.168.4.x range on VLAN10, it's not a deal breaker unless for some reason the Cisco Collective deems it necessary :)
What IS a dealbreaker is not being able to reach the Internet from VLAN10 or not being able to pass info across the two VLANs. Access requirements are as follows:
Hopefully that covers everything I've done so far...I feel like I'm missing a simple piece of the puzzle but can't quite put my finger on it.
Thanks for any help,
Jeff
11-20-2017 12:02 AM
Hi Jeff,
Regarding the Windows FW, the proper solution to this would be an Active Directory from where you could create a firewall policy and push it out to all domain members. Not a feasible solution for your setup!
If you think your original question has been answered, please mark this post as solved. :)
cheers,
Seb.
11-12-2017 02:48 PM
Hi there,
If inter-vlan routing is not working, there is a good chance your SG300 is in switch mode. Try the following in CLI:
```
!
set system mode router
!
```
cheers,
Seb.
11-12-2017 07:27 PM
Hi Seb,
I've already set the switch to L3 mode with the web GUI, which I believe is the same as setting router mode via CLI. That seems to be the common advice given in all the posts I've read referencing inter-vlan comms, but it's still not working for me.
Thanks,
Jeff
11-13-2017 12:37 AM
Hi Jeff,
Did the GUI force you to reload the SG300 after you put it into L3 mode?
Can you provide the interface config and routing table of one of the devices on VLAN10 which can't reach VLAN1 or the internet?
Regarding your questions about the FiOS router performing DHCP for VLAN10, you would simply configure an ip helper-address and set the IP to 192.168.1.1. This would require that the FiOS router is capable of hosting more than one DHCP pool concurrently.
It is probably easier to configure the SG300:
```
!
ip dhcp server
ip dhcp pool network DHCP_POOL10
 address 192.168.4.0 /22
 default-router 192.168.4.1
 dns-server 8.8.8.8
!
ip dhcp excluded-address 192.168.4.1
!
```
Also noticed a typo in your routing table on the FiOS router. You need to change the subnet mask for VLAN10 to 255.255.252.0.
cheers,
Seb.
11-13-2017 06:14 AM - edited 11-13-2017 08:23 AM
Hi Seb,
Yes, the GUI forces you to reboot when switching from the default L2 mode to L3 and it wipes the config as well, so I did that first (the 2nd time around, heheh).
I'll try the VLAN10 dhcp setup after I get the cross VLAN thing working, I agree that it's probably easier to do that part on the switch. I haven't looked into it deeply yet, but I doubt the Verizon router will do multiple DHCPs, but I could be surprised.
I fixed the typo on the FiOS router, thanks for the catch. No change though, although that's expected as my VLAN10 laptop was pinging from a (edit) 192.168.4.251 address so it would have gone through anyway. The rest of the laptop info is:
IPv4: 192.168.4.251
SM: 255.255.252.0
GW: 192.168.1.1
Aaaaaand that's when I figured it out.
I had the GW set wrong, based on having 2 IPs on my hardwired NIC (192.168.1.1 and 192.168.4.1, with a 192.168.1.1 GW). I thought I had the 4.x address on the Ethernet jack and the 1.x address on the wifi (turned on and off during testing), but didn't realize that I'd forgotten to change the GW on the Ethernet jack to the VLAN10 IP.
I'll do some more testing when I get home from work, but so far looking much better.
Thanks,
Jeff
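The two addressing mistakes this thread uncovered (a host gateway outside the host's own subnet, and a static route on the FiOS router whose mask did not match the SG300's /22 SVI) can both be caught with arithmetic on the addresses before anyone suspects the switch. The script below is an added example, not something posted in the thread; it uses the values Jeff posted, and the function names are made up for this example.

```powershell
# Added example (not from the thread): check the posted addressing for the two mistakes
# the thread uncovered. Function names are made up for this example.

function ConvertTo-AddressInt {
    # IPv4 dotted quad -> unsigned 32-bit integer in host byte order.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-PrefixLength {
    # Dotted mask -> prefix length; rejects non-contiguous masks such as 255.0.255.0.
    param([Parameter(Mandatory)][string]$Mask)
    $bits = [Convert]::ToString([int64](ConvertTo-AddressInt $Mask), 2).PadLeft(32, '0')
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous mask: $Mask" }
    return ($bits -replace '0', '').Length
}

function Test-SameSubnet {
    # True when $A and $B fall in the same network under $Mask.
    param([string]$A, [string]$B, [string]$Mask)
    $m = ConvertTo-AddressInt $Mask
    return (((ConvertTo-AddressInt $A) -band $m) -eq ((ConvertTo-AddressInt $B) -band $m))
}

# 1. Host check: a gateway outside the host's own subnet can never be ARPed for, so
#    nothing leaves the host. VLAN10 laptop as posted, before and after the gateway fix.
$vlan10Host = @{ IP = '192.168.4.251'; Mask = '255.255.252.0' }
foreach ($gw in '192.168.1.1', '192.168.4.1') {
    $ok = Test-SameSubnet $vlan10Host.IP $gw $vlan10Host.Mask
    $verdict = if ($ok) { 'on-link, OK' } else { 'NOT in subnet, traffic never leaves the host' }
    'Gateway {0} for {1}/{2}: {3}' -f $gw, $vlan10Host.IP, $vlan10Host.Mask, $verdict
}

# 2. Route check: the FiOS static route for VLAN10 must cover the whole SG300 SVI prefix.
#    First mask is the typo Seb spotted, second is the corrected one.
$sviPrefix = 22   # VLAN10 SVI is 192.168.4.0/22 on the SG300
foreach ($mask in '255.255.255.0', '255.255.252.0') {
    $len = ConvertTo-PrefixLength $mask
    $verdict = if ($len -eq $sviPrefix) { 'match' } else { "mismatch (/$len): hosts above 192.168.4.255 get no return route" }
    'FiOS route 192.168.4.0 mask {0} vs SVI /{1}: {2}' -f $mask, $sviPrefix, $verdict
}
```

Run it from any PowerShell prompt; it touches nothing on the network. Expect the 192.168.1.1 gateway and the 255.255.255.0 mask to be flagged and the other two to pass.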
11-14-2017 05:26 PM
Ok, did some more checking and while I can indeed get from VLAN10 (192.168.4.251 laptop IP) to the Internet now, neither laptop can ping the other one (i.e. can't ping across VLANs). I did a trace route and got the following:
VLAN1 laptop to VLAN10 laptop:
```
C:\>tracert 192.168.4.251
Tracing route to 192.168.4.251 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     5 ms     5 ms  192.168.1.3
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
```
etc, etc, etc
VLAN10 laptop to VLAN1 laptop:
```
C:\>tracert 192.168.1.250
Tracing route to 192.168.1.250 over a maximum of 30 hops
  1     1 ms     4 ms     3 ms  192.168.4.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
```
etc, etc, etc
Thanks,
Jeff
11-14-2017 11:21 PM
Hi Jeff,
Can you ping the laptops from the switch?
On the switch cli, what is the output of:
```
sh mac add
sh ip arp
```
cheers,
Seb.
11-16-2017 04:59 AM
Hi Seb,
Here's what I got (it was "sh ip arp insp" on the SG):
(Note: gi28 is the uplink to my home network via one of my FiOS router ports, gi13 is my 192.168.1.250 IP laptop's port on VLAN1 and gi8 is my 192.168.4.251 laptop's port on VLAN10.)
```
AADC-SW1#sh mac add
Flags: I - Internal usage VLAN
Aging time is 300 sec
    Vlan          Mac Address          Port       Type
------------ --------------------- ---------- ----------
     1        00:10:7f:36:36:ef       gi28     dynamic
     1        00:10:7f:90:0e:ef       gi28     dynamic
     1        00:1e:c9:5d:4c:00       gi28     dynamic
     1        08:ed:b9:75:05:9f       gi28     dynamic
     1        18:55:0f:07:f3:50       gi28     dynamic
     1        18:55:0f:0a:b6:be       gi28     dynamic
     1        18:55:0f:0e:cb:4a       gi28     dynamic
     1        34:23:ba:fe:b3:20       gi28     dynamic
     1        34:e2:fd:a5:a1:ea       gi28     dynamic
     1        48:5d:36:6b:b8:bd       gi28     dynamic
     1        48:f8:b3:76:01:1c       gi28     dynamic
     1        70:6e:6d:f5:01:11        0       self
     1        70:70:0d:9f:0a:17       gi28     dynamic
     1        78:2b:cb:ce:45:9d       gi13     dynamic
     1        a0:18:28:2d:92:13       gi28     dynamic
     1        a0:cc:2b:19:36:7b       gi28     dynamic
     1        a4:ee:57:65:8e:1d       gi28     dynamic
     1        ac:3a:7a:3d:23:f6       gi28     dynamic
     1        ac:89:95:09:00:bd       gi28     dynamic
    10        04:7d:7b:99:a3:40       gi8      dynamic

AADC-SW1#show ip arp insp
IP ARP inspection is Disabled
IP ARP inspection is configured on following VLANs:
Verification of packet header is Disabled
IP ARP inspection logging interval is: 5 seconds
 Interface    Trusted
----------- -----------
```
(Hmm, nothing here...a clue?)
Thanks,
Jeff
11-16-2017 05:21 AM
Sorry, wrong command, try
```
sh arp
```
11-16-2017 10:13 AM
Looks like my earlier iPhone reply didn't come through.
Here's what I found when I got home:
```
AADC-SW1#show arp
Total number of entries: 5
  VLAN   Interface     IP address        HW address         status
--------------------- --------------- ------------------- ---------------
 vlan 1    gi28      192.168.1.1     48:5d:36:6b:b8:bd   dynamic
 vlan 1    gi28      192.168.1.2     48:f8:b3:76:01:1c   dynamic
 vlan 1    gi28      192.168.1.165   00:1e:c9:5d:4c:00   dynamic
 vlan 1    gi13      192.168.1.250   78:2b:cb:ce:45:9d   dynamic
 vlan 10   gi8       192.168.4.251   04:7d:7b:99:a3:40   dynamic
```
I put a screenshot in too, for easier viewing.
Jeff
11-16-2017 11:41 PM
Can you ping the devices from the other VLAN SVI?
```
ping 192.168.4.251 source 192.168.1.3
ping 192.168.1.250 source 192.168.4.1
```
Just a thought, do these devices have firewalls installed which may be blocking ICMP?
11-17-2017 05:48 AM
Seb,
Regarding the firewall question, they both just have the basic Windows Defender running, nothing special. However, I turned it off on both laptops for private networks and now I can ping (both ways)!
So...know any good tutorials on setting up Windows Defender to allow pinging across VLANs?
Regarding the "ping from source" commands, I'm a little confused with the results I got. I could ping both addresses with a simple ping command, but it doesn't work when specifying the source. Although I would understand why forcing a ping to VLAN1 from the VLAN10 interface wouldn't work (2nd example), why wouldn't the first have worked? Wouldn't my simple ping commands be pinging from source 192.168.1.3 by default just by virtue of being logged into the switch with PuTTY?
Thanks,
Jeff
11-17-2017 06:23 AM
Hi Jeff,
So the switch is now working? :)
Regarding Windows Defender, take a look at the Windows Firewall inbound rules, in particular "File and Printer Sharing (Echo Request - ICMPv4-In)". There should be two rules, one for 'Local subnet' and another for 'Any'.
Enable the 'Any' rule. If you go into the rule properties -> Scope, you could specify the VLAN1 and VLAN10 subnets.
As for the ping, without the source parameter the switch will source the ping from the 'nearest' IP to the destination, so the VLAN1/10 SVI as required. Not sure why specifying the source didn't work; the source IPs I suggested are the SVIs, right?
cheers,
Seb.
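Seb's suggestion above can be done without opening ICMP to 'Any': scope a single inbound Echo Request rule to the two VLAN subnets so the laptops answer pings from each other but not from anything else that might land on the network. The script below is an added example and is not from the thread or from Cisco; it assumes the SG300 SVI subnets posted earlier (192.168.0.0/22 and 192.168.4.0/22), that the NICs are on the Private profile (the one Jeff switched off to test), and a rule name made up for this example.

```powershell
# Added example (not from the thread): allow inbound ICMPv4 Echo Request only from the
# two VLAN subnets, instead of enabling the built-in 'Any' rule. Run as Administrator
# on each laptop. Rule name is made up; subnets are the SG300 SVIs from the thread.
$ruleName       = 'Clinic-ICMPv4-Echo-In-VLANs'
$allowedSubnets = @('192.168.0.0/22', '192.168.4.0/22')   # VLAN1 and VLAN10 on the SG300

# Before: the state of the built-in rules Seb refers to (both normally disabled on Private).
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Select-Object DisplayName, Enabled, Profile |
    Format-Table -AutoSize

# Idempotent: update the scoped rule if it already exists, otherwise create it.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-NetFirewallRule -DisplayName $ruleName -Enabled True `
        -RemoteAddress $allowedSubnets -Profile Private
} else {
    # IcmpType 8 is Echo Request; replies (type 0) are matched by the stateful engine.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $allowedSubnets `
        -Profile Private | Out-Null
}

# After: confirm the address filter really carries only the two subnets. If it shows
# 'Any', the scope did not apply and the rule is wider than intended.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# From the VLAN1 laptop, a quick end-to-end check of the VLAN10 laptop from the thread.
Test-NetConnection -ComputerName 192.168.4.251 | Select-Object ComputerName, PingSucceeded
```

Keep the built-in 'Any' rule disabled once this one is in place; the address filter output is the thing to check after every change, since a rule created without `-RemoteAddress` silently defaults to any source.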
11-17-2017 10:21 AM
Seb,
Yes, it appears everything in the switch is now working, once I added the route to the FiOS router, added the IPv4 static routes and fixed the gateway on VLAN10 to match the subnet.
So it appears all I need to do now is configure the Windows Firewall on each machine...that's going to be fun. I guess this is where hardware routers become an advantage in office networks?
Regarding the pings, yes, the SVI IPs you suggested were correct: VLAN1 on 192.168.1.3 and VLAN10 on 192.168.4.1.
Thanks,
Jeff