
SG500 VLAN configuration

untitled_753
Level 1

Greetings.

I just recently purchased the SG500-52 switch and am currently trying to configure the device for inter-VLAN connection and internet access.

I have set the device to L3 Mode. The gateway config IP is 192.168.9.254. The default VLAN ID is 1. The PC used for configuring the switch is plugged into the GE2 LAN port, and the internet is plugged into the GE48 LAN port.

I have 3 VLANs set up: VLAN 20 for Sales, VLAN 60 for Accounting, and VLAN 90 for IT. Port memberships are as follows, all untagged:

- GE1,GE2,GE25,GE26 are VLAN 20

- GE6 is VLAN 60

- GE9 is VLAN 90

- GE48 has membership of all VLANs. (1UP, 20T, 60T, 90T)

All ports are set to trunk mode, except for GE48, which has been set to General. IPs are manually configured with DHCP turned off.

From this PC (192.168.20.1), I can ping and detect the computers within the same VLAN (VLAN 20), but computers in a different VLAN are completely inaccessible. Furthermore, I cannot access the internet.

Please help. Any suggestions would be appreciated. If you need more info, please do ask.

P.S. Sorry for my English.

30 Replies

That is correct. All computers in different VLANs can ping each other. Except for the router located in VLAN 1, which can be pinged only if the computer is in VLAN 1.

Put simply, no computers can access the internet unless assigned to VLAN 1.

mpyhala
Level 7

Theodore,

What you are missing is a static route in the RV042 back to each VLAN on the switch. The switch VLAN interfaces know to send WAN traffic to 192.168.9.254, and the VLAN 1 interface knows that the gateway is 192.168.9.29. The problem is that 192.168.9.29 has no idea how to get back to 192.168.20.0/24, 192.168.60.0/24 and 192.168.90.0/24 so it just drops the traffic.

RV042 Config: Setup-> Advanced Routing-> Static Routing

Destination IP: 192.168.20.0

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.9.254

Hop Count: 1

Interface: LAN

Destination IP: 192.168.60.0

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.9.254

Hop Count: 1

Interface: LAN

Destination IP: 192.168.90.0

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.9.254

Hop Count: 1

Interface: LAN

- Marty
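
Added example (not part of Marty's post or anyone's in the thread): a small routing-table model of the return-path problem described above, using the thread's addresses. The function names, the `"wan"` label, and the assumption that the switch's default route points at 192.168.9.29 are constructed for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

SWITCH_IP = "192.168.9.254"   # SG500 VLAN 1 interface (from the thread)
ROUTER_IP = "192.168.9.29"    # RV042 LAN address (from the thread)
VLAN_SUBNETS = ["192.168.20.0/24", "192.168.60.0/24", "192.168.90.0/24"]

# RV042 before the fix: only its own LAN plus a default route to the ISP.
# "wan" is a constructed label, not a real address.
RV042_BEFORE = [("192.168.9.0/24", "connected"), ("0.0.0.0/0", "wan")]
# RV042 after adding the three static routes listed in the post.
RV042_AFTER = RV042_BEFORE + [(s, SWITCH_IP) for s in VLAN_SUBNETS]
# SG500 in L3 mode (assumed): connected subnets, default route to the RV042.
SG500 = [(s, "connected") for s in VLAN_SUBNETS] + [
    ("192.168.9.0/24", "connected"), ("0.0.0.0/0", ROUTER_IP)]

def missing_return_routes(router_table):
    """VLAN subnets whose replies the router would not hand to the switch."""
    missing = []
    for subnet in VLAN_SUBNETS:
        # First usable host address stands in for any client in the subnet.
        host = str(ipaddress.ip_network(subnet).network_address + 1)
        if lookup(router_table, host) != SWITCH_IP:
            missing.append(subnet)
    return missing

if __name__ == "__main__":
    print("switch forwards 8.8.8.8 via", lookup(SG500, "8.8.8.8"))
    print("no return route before:", missing_return_routes(RV042_BEFORE))
    print("no return route after: ", missing_return_routes(RV042_AFTER))
```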

Thanks a lot, Marty, for such a detailed procedure.

I've managed to set up the parameters in the RV042 router and all computers in all VLANs can now detect/ping the router. Despite this, however, internet access is still not possible. I've tried disabling the router firewall, but it still does not work.

P.S. - DNS appears to be operational though.

Theodore,

Glad I could help you make some progress.

You should never need to disable the firewall in the router. This sounds like a problem with the default gateway of the PC.

Can the PC ping 8.8.8.8? That would indicate internet access but a DNS issue.

What do you mean "DNS appears to be operational though."? Can you resolve google.com from the PC?

What is the Default Gateway of the PC? It should be the VLAN interface of the switch for the VLAN that it is connected to. (i.e. 192.168.20.254)

Try also:

192.168.9.254

and

192.168.9.29

Have you created any Access Rules in the router? (Delete them if you did)

- Marty

First off, I have re-enabled the firewall router.

Regarding "DNS operational", I managed to ping Google from the client PC (using ping www.google.com, and the URL is translated into 74.125.135.100); however, it still shows as "Request Timed Out". Pinging 8.8.8.8 does not work either.

The configuration of the client is as follows.

IP address: 192.168.20.1 (VLAN 20)

Subnet: 255.255.255.0

Default Gateway: 192.168.20.254

DNS1: 192.168.9.29

DNS2: 192.168.9.254

I tried changing the gateway, to no avail. Furthermore, there are also no access rules defined in the router either.

Theodore,

Try adding this to the switch config:

ip route 0.0.0.0 0.0.0.0 192.168.9.29

- Marty

Added accordingly. However, still unable to access the internet.

Hi, please look at this post, as long as no one is stuck on the fact it is a sx300 (there's almost no difference if any difference).

https://supportforums.cisco.com/thread/2123434

-Tom
Please mark answered for helpful posts


I did it according to the instructions, but internet connectivity is still down.

One note though: my network does not use DHCP configuration. IPs are statically assigned to ensure compatibility with existing equipment.

From the client's PC in VLAN 20, I can now...

- Ping every computer in the same and different VLANs (VLAN 1,20,60,90)

- Access the SG500 switch from any VLANs (1,20,60,90)

- Ping the router successfully at address 192.168.9.29 (at VLAN 1) from any other VLANs.

Except for the internet connection, which appears to be unusable. Pinging 8.8.8.8 and 4.2.2.2 returned timeout.

Please help. I think it's pretty close now but there's still something either missing or misconfigured.

Hi Theodore, please allow me access to your network. I do not believe anyone can help you at this point as all the information required has been provided. I have tried and tested this for years at this point.

If you could please coordinate a teamviewer8 session to my email at tmw0402@hotmail.com that would be good.

-Tom
Please mark answered for helpful posts


Seems like the answers you have been given should work, but are you sure you have the IPs configured correctly? I think the issue is in your IPs for your switch and your internet router/fw. In your first post you say the "gateway IP is 192.168.9.254". To me it seems like you are saying your internet router's internal IP is 192.168.9.254. So your VLAN switch is configured to 192.168.9.253 on VLAN 1? Is this correct? If so, I think the information you were given is correct above, just some IPs are off.

You want all ports (INCLUDING THE INTERNET ROUTER) to be access ports, NOT TRUNK OR GENERAL.  So you would have:

interface vlan 20

description GE1,GE2,GE25,GE26

ip address 192.168.20.254 255.255.255.0

interface vlan 60

description GE6

ip address 192.168.60.254 255.255.255.0

interface vlan 90

description GE9

ip address 192.168.90.254 255.255.255.0

interface vlan 1

description GE48 (internet router)
ip address 192.168.9.253 255.255.255.0  <<< THIS IS THE IP OF THE VLAN SWITCH

So the switch is acting as a switch (L2 vlans) and router (L3 IPs).  You have assigned the switch/router to answer or be the default gateway for each VLAN on 192.168.20.254 (VLAN20), 192.168.60.254 (VLAN60), 192.168.90.254 (VLAN90), 192.168.9.253 (VLAN1).  Therefore, each device connected "downstream" of the switch would have a default gateway of the switch's VLAN IP.  So everything on VLAN 20 would have an IP of 192.168.20.XXX with a subnet of 255.255.255.0 and a default gateway of 192.168.20.254.  Same for 60 (192.168.60.254) and 90 (192.168.90.254).

In other words, everything on the inside LAN (PCs for example) would have the VLAN IP of the switch as their default gateway. 

FYI - If your internet router is running a DNS server, then you can set their DNS to that router IP (192.168.9.254). My guess is it is not, so I would set each client to either an internal DNS server (like a Windows machine running DNS with or without root hints) or to the ISP's DNS servers, which are typically given by the ISP as part of the internet connection. You can also use publicly available DNS servers like Google's 8.8.4.4 and 8.8.8.8 but I would avoid these where possible.

On the switch, you would set a default gateway to the internet router (in other words, anything the switch doesn't know about in its routing table (directly attached VLAN IP subnets), it would send to this "upstream" device - aka the internet router). You can do that either with one or both of the commands given, ip route 0.0.0.0 0.0.0.0 192.168.9.254 (assuming your upstream router/fw has that internal address) or a "default route" command.

Now you need the internet firewall to know how to reach the internal VLANs.  It knows about the 192.168.9.xxx subnet because it is directly attached to that.  But it does not know about the .20, .60, .90.  So on the internet router/fw, make sure the "incoming" packets can reach the internet VLANs/IPs.  This is done by adding the static routes in the internet router/fw.  Marty wrote above BUT HAS THE WRONG IP FOR THE NEXT HOP ROUTER I THINK. (Should be .253, the VLAN router.  He had .254 which I think you have as the internet router's IP (RV042)??):

RV042 Config: Setup-> Advanced Routing-> Static Routing

Destination IP: 192.168.20.0

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.9.254  <<< Should be the VLAN router's 192.168.9.xxx address .253?

Hop Count: 1

Interface: LAN

Destination IP: 192.168.60.0

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.9.254  <<< Should be the VLAN router's 192.168.9.xxx address .253?

Hop Count: 1

Interface: LAN

Destination IP: 192.168.90.0

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.9.254  <<< Should be the VLAN router's 192.168.9.xxx address .253?

Hop Count: 1

Interface: LAN

Or you could just add one statement like (192.168.0.0 with a subnet of 255.255.0.0 to 192.168.9.253) if no other 192.168.xxx.xxx addresses are used on the internet router/fw.

hindyhong
Level 1

For this case, maybe I can suggest you buy a Cisco RV series router that supports multi-subnet. (Before buying, you can ask the store; maybe they can give you a suggestion.)

On the router, config needed:
1. Configure multiple subnets on the Cisco RV series router as you want
2. Configure the trunk port (untagged) on the router as you want
3. Don't forget to check the routing table and try ping
4. Connect the router to the SG500 (plug into the trunk port)

On the switch, config needed:
1. Configure the SG500 in router mode
2. Set the VLAN and IP on each port as you want
3. Set the trunk, then connect the cable to the router
4. Try ping for each port and IP

Hope this info is helpful.
Thanks

jeremy0023
Level 1

Did you ever solve this problem?  I have the exact same problem and have followed all of the replies and tried all of the steps already mentioned with no success.

Jeremy,

What problem are you having specifically? For me, the next hop was incorrect and I could not reach the router from any of the devices in any of the VLANs.

Here is a link to the post I created on the side.

https://supportforums.cisco.com/t5/lan-switching-and-routing/intervlan-routing-between-a-cisco-sg500x-and-erl-edgerouter-lite/m-p/3318010#M402736

Let me know if you have any troubles with it.

Johnny

I have finally fixed it after a year of working on it. As of today everything works! The big thing that I was missing was the multiple subnet feature on the RV 042G. Any configuration using multiple subnets downstream from the RV 042G must have the multiple subnet feature enabled and all subnets added that need edge access. No one seemed to be able to provide this answer on the Internet and so I am going to be posting the information somewhere where others can benefit. Many people helped and corrected some things that I had very wrong but that final answer that is specific to the RV was the stumper.