10-29-2013 02:00 PM - edited 03-07-2019 04:19 PM
Hello,
I have a layer 3 Cisco switch (SG300-52) that I am trying to get set up and functioning, but am having problems with getting DHCP to work on multiple VLANs.
I have 3 VLANs: VLAN 1 (management), VLAN 2 and VLAN 3. I am currently using DHCP on our firewall device, which is on VLAN 1. When I connect a computer to a port on VLAN 1, the device is able to pull a DHCP lease from the firewall. If I connect a device to a port on VLAN 2 or 3, it cannot find the firewall to obtain a DHCP lease.
I am assuming this has to do with routing. I believe that VLAN2 and VLAN3 don't know how to get to the firewall on VLAN 1, but I've been looking around for hours and trying different commands to get the routing to work but nothing so far.
Basically what I am looking to do is have 3 VLANs. DHCP is on VLAN 1, and all 3 VLANs should be able to pull a DHCP lease from that DHCP server (firewall). I do not, however, want the VLANs communicating with each other in any other way. So basically what I want is the following:
VLAN 1: obtains DHCP from the firewall on VLAN 1 and accesses the Internet through the firewall on VLAN 1
VLAN 2: obtains DHCP from the firewall on VLAN 1 and accesses the Internet through the firewall on VLAN 1 - no other communication with VLAN 1, and no communication with VLAN 3
VLAN 3: obtains DHCP from the firewall on VLAN 1 and accesses the Internet through the firewall on VLAN 1 - no other communication with VLAN 1, and no communication with VLAN 2
I can get DHCP to work on all VLANs if I create a routing policy on my firewall, but then all 3 VLANs are able to communicate with each other. For security purposes, this will not work. I need them to pull DHCP without talking to each other.
Any ideas on how I can get this to work? Been working on this for several days with no luck.
Thanks,
Adam.
10-30-2013 02:55 PM
Thanks, but that doesn't seem to be an available command either. Here is what I get when I try that.
DCSW1#conf t
DCSW1(config)#int vlan 2
DCSW1(config-if)#service acl-input vltwo default-action deny-any
% Unrecognized command
DCSW1(config-if)#service ?
cpu-utilization Enables the software to measure CPU utilization.
mirror-configuration Enables the mirror-configuration service
password-recovery Disable password recovery
DCSW1(config-if)#service
Thanks.
10-31-2013 04:50 AM
Hi Adam,
I must admit that I have no clue why it is not working (I never worked with this kind of switch); maybe you could try with the GUI and tell us what.
Regards
Alain
Don't forget to rate helpful posts.
11-01-2013 12:45 PM
Thanks for all your help Cadet Alain, you were on the right track, just the implementation was a bit off for this specific model of switch. Probably due to the fact that this is a Small Business switch and may not have all the same options as the full Cisco models.
I figured out that you cannot create an ACL Group on a VLAN interface on this model. You can only do it on a Port basis.
This is what worked for my model:
ip access-list extended vltwo
deny ip 10.0.108.0 0.0.0.255 10.0.109.0 0.0.0.255
permit ip any any
ip access-list extended vlthree
deny ip 10.0.109.0 0.0.0.255 10.0.108.0 0.0.0.255
permit ip any any
int gig2
service acl-input vltwo default-action deny-any
int gig3
service acl-input vlthree default-action deny-any
After doing this, those two ports followed the ACL and no longer communicated with each other, but were able to get to the Internet and pull DHCP. Sucks that this has to be done on a port basis rather than a VLAN basis, but at least it works.
Thanks again for all your help.
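To see exactly which flows the ACLs posted above permit and deny, here is a small first-match ACL evaluator with Cisco-style wildcard masks. This is an added example, not code from the thread or from Cisco; it assumes IOS-like semantics (entries tested top to bottom, first match wins, a default action when nothing matches), assumes gig2 is an access port in VLAN 2, and assumes a VLAN 1 addressing of 10.0.107.0/24 with the firewall at 10.0.107.1, none of which the thread states. Run against the posted vltwo ACL it shows that VLAN 2 to VLAN 3 is denied while DHCP and Internet-bound traffic pass, but also that VLAN 2 can still reach other hosts on VLAN 1, which the original requirement wanted blocked; a constructed stricter variant closes that while keeping the firewall reachable.

```python
"""First-match IPv4 ACL evaluator (added example, not from the thread).

Assumption: the switch evaluates ACEs top to bottom, the first matching
entry decides, and `default-action` applies only when nothing matches.
Wildcard masks are Cisco style: a 1 bit in the mask means "don't care".
"""
import ipaddress
from dataclasses import dataclass


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # bits we must compare
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _parse_endpoint(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_acl(text: str) -> list:
    """Parse 'permit|deny ip <src> <dst>' lines; the header line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):
            continue  # 'ip access-list extended NAME' header or comment
        action, proto = tokens.pop(0), tokens.pop(0)
        assert action in ("permit", "deny") and proto == "ip"
        src, src_wc = _parse_endpoint(tokens)
        dst, dst_wc = _parse_endpoint(tokens)
        aces.append(Ace(action, src, src_wc, dst, dst_wc))
    return aces


def evaluate(aces: list, src: str, dst: str, default: str = "deny") -> str:
    """Return the action of the first matching ACE, else the default action."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return default


# The VLAN 2 ACL exactly as posted in the thread.
VLTWO = """
ip access-list extended vltwo
deny ip 10.0.108.0 0.0.0.255 10.0.109.0 0.0.0.255
permit ip any any
"""

# Assumed (not stated in the thread): VLAN 1 is 10.0.107.0/24, firewall/DHCP at .1.
FIREWALL = "10.0.107.1"

# Constructed stricter variant: keep the firewall reachable, block the rest
# of VLAN 1 and all of VLAN 3, let everything else (Internet, DHCP) through.
VLTWO_STRICT = f"""
permit ip 10.0.108.0 0.0.0.255 host {FIREWALL}
deny ip 10.0.108.0 0.0.0.255 10.0.107.0 0.0.0.255
deny ip 10.0.108.0 0.0.0.255 10.0.109.0 0.0.0.255
permit ip any any
"""

# Constructed sample flows as seen on ingress of a VLAN 2 access port.
FLOWS = {
    "dhcp_discover": ("0.0.0.0", "255.255.255.255"),  # DHCP DISCOVER broadcast
    "dhcp_renew": ("10.0.108.10", FIREWALL),          # unicast renew to the server
    "internet": ("10.0.108.10", "203.0.113.5"),       # documentation address standing in for the Internet
    "to_vlan3": ("10.0.108.10", "10.0.109.20"),
    "to_vlan1_host": ("10.0.108.10", "10.0.107.50"),  # some other host on VLAN 1
}


def check_flows(acl_text: str) -> dict:
    """Evaluate every sample flow against an ACL; default-action deny-any as on the port."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, s, d, default="deny") for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("posted vltwo", VLTWO), ("strict vltwo", VLTWO_STRICT)):
        print(label, check_flows(acl))
```

Note that the ACL matches on the packet's IP destination, not on the next hop: Internet-bound packets carry a public destination address, so they fall through to `permit ip any any` even though they are forwarded to the firewall, and a DHCP DISCOVER (source 0.0.0.0, destination 255.255.255.255) matches none of the subnet-specific entries and is likewise permitted. The mirror-image ACL on the VLAN 3 port handles the return direction.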