01-10-2019 01:01 PM
Hi,
I'm a non-professional user and need to configure a SG350-10 to link 2 subnets. I'm stuck with this, here's my situation, including ping results from 2 test PCs.
"Internal" subnet: 192.168.10.0/24
VLAN 1, switch IP 192.168.10.1, ports GE1 to 8
test-PC IP 192.168.10.10 (static) (bridge 192.168.10.1) on GE1
- ping OK to 192.168.10.1 and 192.168.1.3
- failed ping to 192.168.1.1, 192.168.1.10 and internet (8.8.8.8)
"External" subnet: 192.168.1.0/24
VLAN 2, switch IP 192.168.1.3, ports GE9 and GE10
router IP 192.168.1.1 (internet provider box) on GE10
test-PC IP 192.168.1.10 (static) (bridge 192.168.1.3) on GE9
- ping OK to 192.168.10.1, 192.168.1.3, 192.168.1.1 and internet (8.8.8.8)
- failed ping to 192.168.10.10
Static route IPv4: Destination: 0.0.0.0/0, Type: remote, Next Hop: 192.168.1.1
I think a route is missing between the two VLANs, but how? I tried Destination: 192.168.10.0/24, Type: remote, Next Hop: 192.168.10.1, but the switch refuses it.
Is there someone who could help me please? I would be really grateful.
Thanks in advance,
Robin
01-11-2019 12:31 AM
Hi Robin,
from your initial test results, inter-VLAN is working:
"Internal" subnet: 192.168.10.0/24
VLAN 1, switch IP 192.168.10.1, ports GE1 to 8
test-PC IP 192.168.10.10 (static) (bridge 192.168.10.1) on GE1
- ping OK to 192.168.10.1 and 192.168.1.3
- failed ping to 192.168.1.1, 192.168.1.10 and internet (8.8.8.8)
Therefore I am confident inter-VLAN from VLAN2 to VLAN1 will work. I believe the test PC in VLAN has its gateway set as the ISP router. In theory the ISP router (if it has a route to 192.168.10.0/24 via 192.168.1.3) should send an ICMP redirect to the test PC, but this doesn't appear to be working.
Can you confirm the route table of the test PC in VLAN2; route -4 -n or route PRINT -4
Can you also confirm that you have either disabled the firewall/ iptables or configured it to permit ping/ ICMP requests from non-local subnets.
Cheers,
Seb.
01-11-2019 06:22 AM
It looks correct, but without a switch myself I can't confirm.
Personally, unless you are planning to serve up your own DNS records, you do not gain anything by adding a forwarder (the switch) into the mix. I would set the DNS option in the DHCP lease to just use the ISP router or an external resolver (1.1.1.1).
cheers,
Seb.
Hi there,
For the test PC connected to VLAN2, what is its gateway? I am assuming it is 192.168.1.1 (your ISP router?).
Does your ISP router have a route for VLAN1, eg:
ip route 192.168.10.0 255.255.255.0 192.168.1.3
...if not, it will not know how to route the packet correctly. As a sanity test add the above route to the test PC on VLAN2, and I imagine your ping to VLAN1 will now work.
From a design perspective you should not really have client devices connecting to a subnet which is in effect a point-to-point link with two gateways (192.168.1.1 and 192.168.1.3).
Suggest you make a third VLAN for client devices and leave VLAN2 just for the two routed interfaces; neaten it up and use a /30 subnet mask.
cheers,
Seb.
01-10-2019 02:37 PM
Hi Seb,
Thanks for your answer.
My goal is to use the L3 switch to route between the two VLANs, and not the ISP router (over which I have very limited control and config possibilities).
The gateway of the test PC on VLAN2 is 192.168.1.3 (the switch VLAN2 IP), as the test PC is connected to the switch (and not directly to the router). And I don't have a route to VLAN1 on the ISP router. The routing is intended to work even when the router is off (without internet access of course). I think this should be possible with a L3 switch!?
Thanks for your 3rd VLAN suggestion, I'll keep it. For now the "test" PC on VLAN2 is useful to make tests... ;-)
The question is still: how to make this L3 switch do its job and ROUTE between the VLANs?
Thanks again for any help...
Regards,
Robin
01-11-2019 05:28 AM
Hi Seb,
You were right: it was the Windows firewall that blocked the pings from the other subnet. Thanks a lot!
I think I next have a DNS problem. I set DNS on the switch: 1° 192.168.1.1 (ISP router) and 2°/3° the two DNS of the ISP (taken from the router's config). But these settings seem not to be used properly. Details below.
I focus on clients of the "internal" VLAN (192.168.10.0/24):
- For clients with static IP, internet connection (with domain names) is OK if I set the ISP router (192.168.1.1) as DNS server, but fails if I have only the switch IP (192.168.10.1) as DNS.
- For dynamic IP clients (DHCP), internet connection (with domain names) with automatic parameters is impossible: it works only if I set the ISP IP manually as DNS in the network settings.
This isn't a problem for static IP machines (I have config to do anyway), but it prevents mobile clients from going with automatic config. Any idea?
Best regards,
Robin
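The firewall finding above (the VLAN2 to VLAN1 ping was blocked by the Windows firewall, not by routing) is worth handling narrowly rather than by turning the firewall off. The default inbound "Echo Request - ICMPv4-In" rule in the File and Printer Sharing group is, on the Private profile, commonly scoped to LocalSubnet, so an echo request that arrives routed from another VLAN is dropped without any log entry on the PC. The script below is an added example, not something posted in this thread: it shows the current scope of that built-in rule and then adds a separate allow rule limited to the peer subnet from the thread (192.168.1.0/24). The rule name, the assumption that the test PC uses the Private profile, and the subnet are mine; adjust them to your setup. Run it in an elevated PowerShell on the test PC in VLAN1.

```powershell
# Added example (not from the thread): allow ICMPv4 echo requests from the other VLAN only,
# instead of disabling the Windows firewall.
# Assumptions (not from the thread): the PC sits in VLAN1 (192.168.10.0/24), the peer
# subnet is VLAN2 (192.168.1.0/24), and the active network profile is "Private".

$PeerSubnet = '192.168.1.0/24'            # VLAN2 from the thread
$RuleName   = 'ICMPv4 Echo from VLAN2'    # hypothetical rule name chosen for this example

# 1. Show the remote-address scope of the built-in echo-request rule. If it reads
#    "LocalSubnet", pings routed in from 192.168.1.0/24 cannot match it, which is
#    exactly the symptom seen in the thread.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -like '*Echo Request - ICMPv4*' } |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress

# 2. Add a narrowly scoped allow rule: inbound, ICMPv4 type 8 (echo request) only,
#    only from the peer subnet, only on the Private profile. Nothing else is opened.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $PeerSubnet `
        -Profile Private `
        -Action Allow | Out-Null
}

# 3. Verify the new rule and its scope before testing again from the VLAN2 PC.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress
```

After the rule is in place, repeat the ping from the VLAN2 test PC (192.168.1.10); if it still fails, the remaining suspects are the PC's route table, which is the `route PRINT -4` check suggested earlier in the thread, rather than the firewall. Removing the rule later is a single `Remove-NetFirewallRule -DisplayName 'ICMPv4 Echo from VLAN2'`.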
01-11-2019 05:45 AM
I don't have a SG350 to try this on, but...
https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf
...page 312, under Advanced DNS settings, have you enabled the switch as a DNS client?
01-11-2019 06:47 AM
OK, I have my solution for the DNS:
1) set the ISP router IP directly as DNS in the config of static clients.
2) set the ISP router IP in the DHCP server options of the switch: IP Configuration/DHCP Server/Network Pools/Domain Name Server IP Address (Option 6).
I don't know why the DNS server feature of the switch (IP Configuration/DNS/DNS settings) doesn't work with my settings, but never mind. NB: the Cisco documentation could be more helpful...
>>> Thanks for your time Seb, your help was exceptional! <<<
Best regards,
Robin