SG500-52 VLAN routing

steffenmock
Level 1

Hi,

first of all I'm new to Cisco switches. In the past I worked with Moxa industrial Ethernet switches, but not that deep in detail.

 

So now I have to install a new network for our laboratory.

I have to use three Cisco SG500-52 switches in stacking mode.

 

The concept is as following:

For different teams there are different VLANs, to be independent and not run into trouble because of duplicate IP addresses.

It's not foreseen to configure the VLAN on the computers, since the people shall be able to connect easily with project hardware.

All computers have static IPs.

There are some servers (1 Linux and several Windows Server 2008) which should be accessible (especially for data storage) from all VLANs.

 

The VLANs on the switches are configured and working well. PCs from different teams are not able to access other teams' PCs.

 

My problem is, e.g.:

PC 1: 192.168.1.65, VLAN 20

PC 2: 192.168.1.65, VLAN 30

PC 3: 192.168.10.25, VLAN 40

Server 1: 192.168.0.5, VLAN 2000 (could be changed if necessary)

 

All PCs should be able to access the server and to store data on it.

 

How could I realize this?

I thought it should be possible to configure the switch to handle this routing.

 

Thanks in advance

11 Replies

Surender Singh
Level 1

Hi,

 

Kindly share the subnet mask for PC 1, 2 and 3 and Server 1.

Also the CLI output for:

show run

show vlan

show vlan brief

 

Thanks!

Hi,

Attached, find the output of show run and show vlan; unfortunately show vlan brief was not recognized by the switch. If you look in the files, don't wonder, I had to remove most of the VLAN names.

I changed the configuration to the following:

PC1: 192.168.0.9 / 255.255.255.0, VLAN 410, Port 2/1/8

PC2: 192.168.3.89 / 255.255.255.0, VLAN 3000, Port 2/1/38

Server: 192.168.99.11, VLAN 2000, Port 1/1/41

 

Thanks

Does anyone have an idea?

Hi Steffenmock,

First of all, please keep in mind that I'm not familiar with that model, but let me try to help.

A couple of things: what mode is your switch running ("sh system mode")? The other thing is that all ports attached to the end hosts should be in access mode, not trunk; even if that would work in some cases based on the untagged VLAN you set on the trunk, I would suggest changing them to access ports.

Regards,

Aref

Hi Aref,

 

System mode is Router. Okay, so the server is allocated to VLAN 2000. Should I change the port where the server is connected to access as well?

I'm not so familiar with access, trunk etc., but if I change to access then I'm only able to select one VLAN, aren't I? But if I have the client which is allocated to VLAN 3000 and the server in 2000, I should somehow access both, shouldn't I?

Thanks in advance for your help.

 

Steffen

Hi Steffen,

There are several conditions you need to take into consideration:

1. Edge devices should be in one VLAN and the port in access mode.

2. Trunks would be used if you want to extend isolation between switches or other infrastructure devices such as APs or routers.

3. Your router on your network (the SG500-52) should have an IP address interface for each VLAN.

4. Edge devices should have their default gateway set to the IP address of the respective VLAN interface on the switch.

5. The Windows firewall by default would not allow traffic from different subnets and would require some adjustment; for testing you can simply disable it.

I am not sure what the default gateway settings are on the PC you use for testing; please check it.

Regards,

Aleksandra

All end hosts have to be on switch access ports, unless you have some capability on the end host NIC to tag the VLANs, but that would not be your case. Try to set all the end hosts' (PCs and server) switch ports to access, assign each one to its VLAN and remove any trunk configuration on any port, since in your scenario there is no router on a stick or another switch connected. The routing between VLANs should be done by the switch itself and it has nothing to do with trunking.

Regards,

Aref

Hi,

first of all thanks for the replies.

 

With access configuration on the ports and the default gateways on the PCs set to their switch IP interface, I'm able to ping all other VLAN IP interfaces. So that's so far a good result :-)

But I'm not able to ping the IP of a PC located in the other VLAN.

So I'm getting to the switch's IP interface of the VLAN where I want to go, but somehow not to the PCs located in that VLAN.

 

You are very welcome Steffenmock.

As Aleksandra mentioned, PC operating systems have the host firewall enabled by default and most likely block any ICMP traffic in the inbound direction, so it might be that your ping messages arrive at those PCs but are dropped because of the deny rules on their firewalls. Try to disable any firewall/security software on one PC and try again, or configure a shared folder on a PC and try to access it from another.

Regards,

Aref

Hi,

thanks so far.

It is partly working now.

I configured all ports as advised to access, configured the default gateway of each computer to the switch's IP interface, and I'm able to connect to my servers.

But now the problem is that I'm also able to connect from one PC in a VLAN to a PC in another VLAN. I tried to solve it with forbidden settings on the ports, but it didn't help.

Any suggestions?

 

Thanks in advance

 

steffen

That's because inter-VLAN routing is enabled. If you can, please post your configs for review. Anyway, you would do something similar to this; let's say you are going to enable traffic from the VLAN 1 network to the server, block it towards the VLAN 2 network and allow it to anyone else:

Switch(config)#ip access-list extended ONLY-TO-SERVER
Switch(config-ip-al)#permit ip 192.168.1.0 0.0.0.255 192.168.99.11 0.0.0.0
Switch(config-ip-al)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Switch(config-ip-al)#permit ip 192.168.1.0 0.0.0.255 any

interface vlan 1
 service-acl input ONLY-TO-SERVER

or

Switch(config)#ip access-list extended ONLY-TO-SERVER
Switch(config-ip-al)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Switch(config-ip-al)#permit ip 192.168.1.0 0.0.0.255 any

interface vlan 1
 service-acl input ONLY-TO-SERVER

Also please check out this guide:

http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf

Regards,

Aref
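To check what an ACL like the two drafts above actually permits before binding it to a VLAN interface, here is a small first-match evaluator (an added example, not code from the thread or from Cisco). It models Cisco wildcard-mask matching and the implicit deny at the end of an ACL; the addresses are taken from the thread and the flows are constructed for the check.

```python
import ipaddress

# Constructed for this example: the two ACL variants from the reply above,
# in the "permit|deny ip SRC WILDCARD DST WILDCARD" form they were posted in.
ACL_WITH_SERVER_LINE = [
    "permit ip 192.168.1.0 0.0.0.255 192.168.99.11 0.0.0.0",
    "deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "permit ip 192.168.1.0 0.0.0.255 any",
]
ACL_SHORT = ACL_WITH_SERVER_LINE[1:]   # second variant: no server-specific line


def matches(addr, spec):
    """True if addr falls in a Cisco 'network wildcard' spec (or spec is 'any')."""
    if spec == ("any",):
        return True
    net, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    keep = ~wildcard & 0xFFFFFFFF      # wildcard bit 1 = don't care, 0 = must match
    return int(ipaddress.IPv4Address(addr)) & keep == net & keep


def parse_ace(line):
    """Split one access-control entry into (action, src_spec, dst_spec)."""
    action = line.split()[0]
    tokens = line.split()[2:]          # drop action and protocol ("ip")
    specs = []
    while tokens:
        if tokens[0] == "any":
            specs.append(("any",))
            tokens = tokens[1:]
        else:
            specs.append((tokens[0], tokens[1]))
            tokens = tokens[2:]
    return action, specs[0], specs[1]


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; an ACL ends with an implicit 'deny any' (modelled here)."""
    for line in acl:
        action, src, dst = parse_ace(line)
        if matches(src_ip, src) and matches(dst_ip, dst):
            return action
    return "deny"


def policy_table(acl, flows):
    """Evaluate a list of (src, dst) flows; useful for diffing two ACL drafts."""
    return {flow: evaluate(acl, *flow) for flow in flows}
```

Running both drafts over the same flows shows they agree for the cases in the thread, and reversing the entry order shows why the deny line must sit above the permit-any line.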