07-28-2011 02:22 PM
I've tried a bunch of stuff, and searched through all the discussions here, but I'm stumped. I'm setting up a closed, private industrial control network (for a haunted house, believe it or not), and I have four SGE2000P's in stack mode, all configured for Layer 3 operation.
I have 6 VLANs defined across the switches:
VLAN1: 192.168.111.0
VLAN2: 192.168.112.0
VLAN3: 192.168.113.0
VLAN4: 192.168.114.0
VLAN5: 192.168.115.0
VLAN6: 192.168.116.0
I assigned IPv4 addresses to each of the VLANs, at 192.168.111.1/24, 112.1, etc.
Everything within each of the VLANs appears to be working just fine. I have several IP PoE video cameras streaming to a DVR, and I have a bunch of other test hosts set up on the various VLANs, and everything pings across its own VLAN just fine, and I'm not able to ping the other devices on other VLANs, which is what I want.
Here's what I want to do, though: I have a host (lighting control console) in VLAN2 at 192.168.112.11. It's working fine, and from it I can ping 192.168.112.1.
I want to access that host from a show control system which is running on VLAN1 at 192.168.111.11. It's also working fine, and from it I can ping 192.168.111.1, but not 192.168.112.1.
I've tried to add a number of routes, but with almost every configuration I've done I get an error saying "Only a directly connected router can be defined as the gateway.", which has me stumped. In fact, the only route I got the system to accept was 192.168.112.11/32, with a next hop of 192.168.112.11, but that didn't work.
Any suggestions?
Thanks!
John Huntington
www.controlgeek.net
07-28-2011 07:41 PM
Hi John,
Thank you for your quick response.
When you add an IP address to the VLAN on the SGE2000P, it automatically adds a network interface route.
(See second screen capture below)
I put my switch, like yours, into Layer 3 mode via the console.
This now allows me to associate or add a distinct IP address to each VLAN.
This IP address then becomes the IP gateway for other IP hosts in that specific network.
In fact, in your environment, PCs within a VLAN should use the IP address of the switch's VLAN they are in as their gateway address.
These VLANs will only show up in the route table when a device is connected into that VLAN.
So, if VLAN 10 has switch port Gig2 attached as an untagged member of that VLAN, a device would have to be plugged into switch port Gig10 before an interface route for that network would come up and populate in the switch's routing table.
When the switch sees a link up, it also populates the error log to tell you that the IP network is directly connected.
Codes: C - connected, S - static
C 192.168.1.0/24 is directly connected vlan 10
C 192.168.10.0/24 is directly connected vlan 1
C 192.168.20.0/24 is directly connected vlan 20
C 192.168.40.0/24 is directly connected vlan 40
C 192.168.50.0/24 is directly connected vlan 50
C 192.168.60.0/24 is directly connected vlan 60
C 192.168.70.0/24 is directly connected vlan 70
C 192.168.80.0/24 is directly connected vlan 80
I set up my SGE2000P just a few minutes ago and created multiple networks as seen in the screen shot below;
I plugged IP hosts into the different VLANs.
I then had a look at the route table and saw all these interface routes within the switch.
So, say a PC in my VLAN1 at IP address 192.168.10.10 wants to communicate with a PC in VLAN 10 at IP address 192.168.1.10.
The PC sends the packet to its defined gateway, and in my case the gateway for packets in VLAN 1 is the IP address that I associated with VLAN 1.
This address, as you can see from the first screen capture, is 192.168.10.254.
The switch then looks up where it has to forward the packet; because the switch is directly connected to the VLAN10 IP network, it does a route lookup and sees an interface route for the 192.168.1.0 network.
It forwards the packet into VLAN10, and so the story goes...
I hope this helps; I admit this is not an easy topic at all.
regards Dave
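An added illustration (not from this thread or the switch's own code) of the forwarding decision Dave describes: a host only gets off its subnet if its gateway is the switch's VLAN interface address, and the switch only has a connected route for a VLAN with a port up. The SVI addresses and link-up set below are constructed sample data based on the addresses the original poster listed.

```python
import ipaddress

# Constructed sample data (not taken from the thread's switch): the SVI
# address of each VLAN and the set of VLANs that currently have a member
# port with link up. The switch only installs a connected ("C") route for
# a VLAN once some port in it comes up, as the answer above describes.
SVI = {1: "192.168.111.1/24", 2: "192.168.112.1/24", 3: "192.168.113.1/24"}
LINK_UP = {1, 2}


def connected_routes(svi=SVI, link_up=LINK_UP):
    """Interface routes the switch installs: one per VLAN with a live port."""
    return {vid: ipaddress.ip_interface(a).network
            for vid, a in svi.items() if vid in link_up}


def route_lookup(dst, routes):
    """Longest-prefix match over the connected routes (None = no route)."""
    dst = ipaddress.ip_address(dst)
    return max((n for n in routes.values() if dst in n),
               key=lambda n: n.prefixlen, default=None)


def trace(src_ip, prefixlen, gateway, dst, svi=SVI, link_up=LINK_UP):
    """Follow one packet from a host toward dst and report where it ends up."""
    src_net = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    if ipaddress.ip_address(dst) in src_net:
        return "delivered: same subnet, switched at Layer 2"
    # Off-subnet traffic goes to the host's gateway, which must be on-link.
    if gateway is None or ipaddress.ip_address(gateway) not in src_net:
        return "dropped at host: no usable default gateway on the local subnet"
    svi_ips = {ipaddress.ip_interface(a).ip for a in svi.values()}
    if ipaddress.ip_address(gateway) not in svi_ips:
        return "dropped: gateway is not the switch's VLAN interface address"
    net = route_lookup(dst, connected_routes(svi, link_up))
    if net is None:
        return "dropped at switch: no connected route for the destination"
    return f"forwarded by switch into {net}"


if __name__ == "__main__":
    # Correct gateway: the switch routes between VLAN1 and VLAN2.
    print(trace("192.168.111.11", 24, "192.168.111.1", "192.168.112.11"))
    # The misconfiguration the thread ends up finding: no gateway set.
    print(trace("192.168.111.11", 24, None, "192.168.112.11"))
```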
07-28-2011 04:32 PM
Hi John ,
I am guessing that the host at 192.168.111.11 in VLAN1 is not using 192.168.111.1 as its gateway address.
I'm also guessing, and it's only a guess, that you need only one default route leading to an internet router.
But that's just a guess.
Try altering the PC at 192.168.111.11's gateway address to 192.168.111.1 and then try to ping 192.168.112.1 from 192.168.111.1.
Because the PC is trying to get to a remote subnet, it has no idea where to send the packet.
If the PC's gateway address is the SG2000P VLAN1 IP address, it will forward the packet to the VLAN1 IP interface and it will know where to switch the packet at Layer 3 to the appropriate network.
Give it a try and let us know how it goes.
regards Dave
07-28-2011 06:42 PM
Thanks for the response!
I'll check in the AM, but I'm pretty sure that the host on 111.11 has its gateway as 111.1. And even with that connected, with nothing in the routing table except for the internal stuff created by the switch, how would it find a route to 112.11?
Also, this network is not connected to the internet at all; it's totally closed, so I'm trying to use only the features of the switch. Also, how would I put in only one default route to a router if the router is on a separate subnet? Let's say I put a router on the VLAN at 111.0. If I put that as the gateway for hosts on VLAN 2 at 112.0, how would they be able to communicate?
"If the PC's gateway address is the SG2000P VLAN1 IP address, it will forward the packet to the VLAN1 IP interface and it will know where to switch the packet at Layer 3 to the appropriate network."
How would it know where to send it? This is what's confusing me.
It seems to me I should be able to do this without an external router, and I think what I'm really asking for is for help with a valid router statement in the switch that will create a path from the 111.0 network to the 112.0 network.
Thanks!
John
07-28-2011 09:10 PM
"When you add an IP address to the VLAN on the SGE2000P, it automatically adds a network interface route."
Aha, thanks! I saw those routes in the routing table and figured it was something like that. I also only saw routing table entries for VLAN's with connected hosts.
Given this info, I think your original idea of me having the gateway on the host set wrong makes a lot more sense. I will check tomorrow and post an update here, thanks!
John
www.controlgeek.net
07-29-2011 08:11 AM
D'Oh! (Homer Simpson style) You were exactly right, I didn't have the default gateways set correctly on a couple of the hosts. Thanks!
Now, another question just for my interest: what if I wanted to restrict access into a specific VLAN to the IP of a specific server? Would I just make an ACL? I wouldn't have to do anything in the routing, I assume.
Thanks!!!
John
www.controlgeek.net
07-29-2011 08:47 AM
Hi john,
We all have the D'Oh moment, no problem.
But here is an example of a simple access list I just created for the SGE2000P:
https://supportforums.cisco.com/message/3407882
regards Dave
07-29-2011 08:55 AM
Thanks! Before I read your response, I just made my own access control list to experiment. First, I made one that permits only access to 192.168.112.11, and deny everything else. I applied that to an interface and it worked fine.
Then, I made one like this:
permit 192.168.112.11 0.0.0.0
permit 192.168.115.0 0.0.0.255
permit 192.168.116.0 0.0.0.255
deny all
I tried to bind that to an interface and got an error "Cannot apply due to lack of HW resources.."
I rebooted the stack and tried applying it to the interface again, but got the same error.
I checked the CPU utilization and it's running at about 30-40%. Any ideas?
Thanks!
John
www.controlgeek.net
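An added example (not the poster's or Cisco's code) that evaluates the ACL above with standard Cisco wildcard-mask semantics, so you can check which source addresses it admits before binding it; it models only the first-match logic, not the switch's hardware table limits that produced the error. The ACL text is the thread's own list, embedded as sample input.

```python
import ipaddress

# The ACL the poster tried, embedded here as constructed sample input.
ACL_TEXT = """\
permit 192.168.112.11 0.0.0.0
permit 192.168.115.0 0.0.0.255
permit 192.168.116.0 0.0.0.255
deny all
"""


def parse_acl(text):
    """Parse 'permit|deny <addr> <wildcard>' and 'deny all' lines, in order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        action = parts[0].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        if len(parts) == 2 and parts[1].lower() in ("all", "any"):
            # wildcard of all ones: every bit is "don't care", matches everything
            rules.append((action, 0, 0xFFFFFFFF))
        elif len(parts) == 3:
            rules.append((action, int(ipaddress.IPv4Address(parts[1])),
                          int(ipaddress.IPv4Address(parts[2]))))
        else:
            raise ValueError(f"malformed rule {line!r}")
    return rules


def acl_action(rules, ip):
    """First-match evaluation. Wildcard bit 1 = 'don't care', 0 = must match."""
    ip_int = int(ipaddress.IPv4Address(ip))
    for action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF
        if ip_int & care == addr & care:
            return action
    return "deny"  # implicit deny when no rule matches


def permitted_sources(rules, candidates):
    """Which of the candidate addresses the ACL lets through."""
    return [ip for ip in candidates if acl_action(rules, ip) == "permit"]


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for ip in ("192.168.112.11", "192.168.112.12", "192.168.115.200"):
        print(ip, acl_action(rules, ip))
```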
07-29-2011 09:12 AM
I did a bit more experimentation, and it seems to be related to having too many entries. I tried an ACL that has:
permit 192.168.115.0 0.0.0.255
deny all
And that worked fine.
I then added one line:
permit 192.168.115.0 0.0.0.255
permit 192.168.116.0 0.0.0.255
deny all
And then I got the HW resources error again...
John
www.controlgeek.net
07-29-2011 09:19 AM
Hi John,
I would suggest that you have a chat to the wonderful folks at the Small Business support Center (SBSC)
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
I tried a slightly more complex ACL and applied it to a port, with no problem. I have seen that message before, but I'm scratching my head and cannot recall what it was pointing to.
regards Dave
07-29-2011 10:36 AM
John,
Delete the acl name and recreate it with a totally different acl name and see if you get the same error.
08-03-2011 09:54 PM
FYI, we tried various things on the tech support chat, who were very helpful. But we were not able to resolve the "Cannot apply due to lack of HW resources." issue, so the case has now been escalated up the chain...
John
12-29-2014 12:09 AM
Hi David, I am facing a problem, described below; please suggest the right way to me.
I have an SGE2000 switch; in this switch I have created 3 VLANs:
1. common VLAN - 172.16.10.x/16, VLAN ID = 1
2. server VLAN - 192.168.10.x/24, VLAN ID = 20
3. Hinok VLAN - 192.168.20.x/24, VLAN ID = 30
Next, I have 10 SRW224G4 switches; I have interconnected the switches through Cat6 cable on trunk ports, and assigned the VLAN names and IDs on the edge switches also.
Now please suggest how I should do the inter-VLAN routing. Each time I try to assign a default route 0.0.0.0 0.0.0.0 vlan1, it shows an error message about a "directly connected" error. I could not understand what the issue is.
12-29-2014 12:55 AM
Hi Sagnik_@321,
What is the exact syntax you are trying to enter?
Regards,
Aleksandra