
No internet on Vlan devices

zeeyad
Level 1

Hi,

I am a networking newbie and just joined a company as IT Admin. I inherited a working flat network with 0 VLANs: around 30 devices connected to a Cisco SF-300 48P PoE switch operating in L3 mode. I created around 5 VLANs on it, gave them interface IPs and untagged ports as necessary, but I'm not able to access the internet on the devices in those VLANs. Devices on the default VLAN work just fine.

Let me first explain my network design. I have a Dell SonicWall TZ300 acting as the router, one Cisco Small Business SG-100 16-port unmanaged switch as the core switch, two Cisco SF300s used as voice switches and one Cisco SF300 48P for data, and two Windows servers, one for AD Domain Controller, DHCP and DNS and another one as the file-sharing server.

The X0 port on the firewall is connected to the first port of the core switch. All 3 switches and the servers are directly connected to the unmanaged core switch. All the endpoint computers are connected to the SF300 48-port switch, and the IP phones are connected to the 2nd and 3rd switches.

NW Design wo pbx.png

The AD/DHCP/DNS server's IP address is 192.168.1.100. The router's IP address is 192.168.1.1.

How shall I configure the switch so that the devices in the VLANs, for example VLAN 40 (192.168.40.1) and VLAN 50 (192.168.50.1), will be able to get DHCP from the server connected to the core switch (I've tried and failed to configure DHCP relay) and get internet access from the router? So far I'm able to ping between the VLANs but can't ping the server or the router. Shall I connect the server to the data switch in a new VLAN for servers, and will the devices be able to talk with inter-VLAN routing enabled?

Any help, please.

16 Replies

Hello,

Judging from your description, it is highly likely that the NAT configuration and access rules on the SonicWall need to be amended to reflect the additional VLANs.

Check the NAT settings in the SonicWall and which networks are being translated...

Martin Carr
Level 4

You would have to have a native VLAN, which is the uplink to the core.

The router and the server do not have the correct D/G (which also results in no DNS).

Be aware that all VLANs can communicate with one another, so all you have done is made a small broadcast domain smaller. There is no security advantage, as it stands.

In addition to the mentioned NAT configuration, you would also need to add a default route to the SF-300 with your router as the next hop.

The DHCP relay needs to be configured on the SF-300, but I am not sure how this will work with the unmanaged switch; you would also need to define scopes on the DHCP server for the VLANs.

Martin

"You would have to have a native VLAN, which is the uplink to the core."

I do. And all the devices in the native VLAN are able to access the internet and all other services. It's just the devices in the other VLANs that have the issue.

"The router and the server do not have the correct D/G"

All the devices in the native VLAN can access the server services such as DHCP, DNS, file shares etc. with no issue. So I think it's not the server but the switch configuration that is the issue.

"In addition to the mentioned NAT configuration, you would also need to add a default route to SF-300 with your router being the next hop."

switch ip routes.png

Isn't it this one? If not, how do I do that?

Please help, I'm so confused.

SFs and SGs work a little bit differently.

Think about what you are trying to do.

There is a router on the edge; all devices were on VLAN 1 with no IP, so of course everything was hitting the D/G on the router.

Now when you make the switches 4 VLANs on Layer 3, they are acting as a router on a stick.

Now consider this.

VLAN 4: 192.168.14.0/24

VLAN 5: 192.168.15.0/24

How would the router know these VLANs?

So once you start breaking down subnets, instead of making a router on a stick with subinterfaces, you created L3 interfaces for routing purposes.

Create static routes on the router to learn these VLANs!

Example:

ip route 192.168.8.0 255.255.255.0 192.168.1.238  (VLAN 8 to 192.168.1.238, which is my Layer 3 switch)
ip route 192.168.12.0 255.255.255.0 192.168.1.238 (VLAN 12 to 192.168.1.238, which is my Layer 3 switch)
ip route 192.168.13.0 255.255.255.0 192.168.1.238
ip route 192.168.14.0 255.255.255.0 192.168.1.238
ip route 192.168.15.0 255.255.255.0 192.168.1.238

So basically it says these VLANs are coming from the core switch, from that Layer 3 VLAN interface.

Hope that helps

Here is the problem: the router we have here is a SonicWall TZ300. I can't use CLI commands on it, so I need to get it done through the GUI.

What I'm trying to say is that for each VLAN you create, you will need to configure DHCP with the correct subnet IP.
If I have a VLAN 5 Layer 3 interface 192.168.5.1 255.255.255.0,
I will need to go to the DHCP server and add that subnet. You can create DHCP on the router or on the server.
IP Helper helps to pass the broadcasts through a router. A router does not pass broadcasts.

First things first.
You said:
"I created around 5 vlans on this,gave them interface IPs and untagged ports as necessary. But Im not able to access internet on these devices on the vlan. devices on the default vlan works just fine."
You created 5 different VLANs on different subnets. They will never reach the router if you don't add a static route on the router to specifically tell it where those routes are coming from.
For example, 192.168.5.0 is my VLAN 5, and 192.168.1.100 is a Layer 3 interface on the SWITCH that 5.0 is connected to.
On the router I had to enter this command:
ip route 192.168.5.0 255.255.255.0 192.168.1.100

A better approach is to delete all the Layer 3 VLANs from the switches and create Layer 2 VLANs. Then, on the router side, create subinterfaces for inter-VLAN routing and start allowing or blocking traffic with ACLs.
As for the DHCP, it needs to have the correct IP range for each VLAN.
Example:
ip dhcp pool PBX
network 172.20.20.0 255.255.254.0
dns-server 208.67.222.222
default-router 172.20.20.252
!
Vlan1 172.20.20.252 YES NVRAM up up

Yes, but like I say, those nodes will have the router as their gateway, hence they can connect to the internet and nothing else.

This is because your router knows nothing of the other networks, hence you need to add the mentioned static routes to your router.

In addition, it needs to NAT for them.

Martin
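A small Python model of the two routing tables involved, added here as a worked example and not part of any reply in the thread. It walks a packet from a host on VLAN 40 through the SF300's default route to the TZ300 and out, then follows the reply back, first with the TZ300 knowing only its connected 192.168.1.0/24 and translating only that network (the state the original poster describes), then with static routes for the VLAN subnets pointing at the switch and NAT entries for them added, which is the fix Martin and the other replies describe. Addresses are those given in the thread; the SF300's own 192.168.1.2 address on VLAN 1 and the 8.8.8.8 destination are assumptions.

```python
"""Forward and return path check for an L3 switch behind a router that
has no routes back to the switch's VLAN subnets.

Added example for this thread; it is not configuration from any poster.
Addresses come from the thread (TZ300 at 192.168.1.1, native VLAN
192.168.1.0/24, VLAN 40 and VLAN 50 subnets). The SF300's own VLAN 1
address 192.168.1.2 and the 8.8.8.8 test destination are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network

WAN = "wan"              # packet leaves towards the ISP
CONNECTED = "connected"  # packet is delivered on a directly attached network


@dataclass
class L3Device:
    name: str
    interfaces: list                                   # IPv4Interface objects
    static_routes: dict = field(default_factory=dict)  # IPv4Network -> next hop or WAN

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.
        Returns CONNECTED, a next-hop IPv4Address, WAN, or None (no route)."""
        best = None
        for iface in self.interfaces:
            if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, CONNECTED)
        for net, next_hop in self.static_routes.items():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, next_hop)
        return None if best is None else best[1]


def trace(start, dst, devices, max_hops=8):
    """Follow a packet for dst hop by hop starting at device 'start'.
    Returns (list of device names visited, final outcome)."""
    by_addr = {iface.ip: dev for dev in devices for iface in dev.interfaces}
    path, dev = [], start
    for _ in range(max_hops):
        path.append(dev.name)
        next_hop = dev.lookup(dst)
        if next_hop is None:
            return path, "dropped: no route on " + dev.name
        if next_hop in (CONNECTED, WAN):
            return path, next_hop
        if next_hop not in by_addr:
            return path, "dropped: next hop %s not reachable" % next_hop
        dev = by_addr[next_hop]
    return path, "dropped: forwarding loop"


def build_topology(router_knows_vlans):
    """SF300 with SVIs for VLAN 1/40/50 and a default route to the TZ300.
    With router_knows_vlans=False the TZ300 has only its X0 network and a
    default route to the WAN, and NATs only 192.168.1.0/24. With True,
    static routes for the VLAN subnets via the switch and NAT entries for
    those subnets are added."""
    switch = L3Device("SF300",
                      [ip_interface("192.168.1.2/24"),      # assumed VLAN 1 address
                       ip_interface("192.168.40.1/24"),
                       ip_interface("192.168.50.1/24")],
                      {ip_network("0.0.0.0/0"): ip_address("192.168.1.1")})
    router = L3Device("TZ300", [ip_interface("192.168.1.1/24")],
                      {ip_network("0.0.0.0/0"): WAN})
    nat_sources = [ip_network("192.168.1.0/24")]
    if router_knows_vlans:
        for vlan_net in ("192.168.40.0/24", "192.168.50.0/24"):
            router.static_routes[ip_network(vlan_net)] = ip_address("192.168.1.2")
            nat_sources.append(ip_network(vlan_net))
    return switch, router, nat_sources


def check_host(host, router_knows_vlans, internet="8.8.8.8"):
    """Outbound path from the host's gateway switch to the internet, NAT
    coverage of the host's source address, and the reply's path back."""
    host, internet = ip_address(host), ip_address(internet)
    switch, router, nat_sources = build_topology(router_knows_vlans)
    devices = [switch, router]
    _, outbound = trace(switch, internet, devices)
    reply_path, reply = trace(router, host, devices)
    return {
        "outbound_reaches_wan": outbound == WAN,
        "nat_covers_source": any(host in net for net in nat_sources),
        "reply_delivered": reply == CONNECTED,
        "reply_path": reply_path + [reply],
    }


if __name__ == "__main__":
    for knows in (False, True):
        print("TZ300 has routes and NAT for the VLANs:", knows)
        for host in ("192.168.1.50", "192.168.40.10", "192.168.50.10"):
            print("  %-14s %s" % (host, check_host(host, knows)))
```

Without the static routes, the reply to 192.168.40.10 matches nothing on the TZ300 except its default route and is sent back towards the WAN, which is what "your router knows nothing of the other networks" means in practice; the native VLAN host is unaffected because 192.168.1.0/24 is directly connected. The model covers routing and source NAT only; on a real SonicWall the access rules between the zones also have to permit the new subnets, as the first reply points out.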


Thanks for the input, guys. Sorry for coming back so late; I just wanted to make sure I tried everything I could before bugging you guys again. So I went to the TZ300 firewall and added VLAN subinterfaces and static routes to the VLANs. On the managed switch, G0/0 is the port connected to the trunk port of my unmanaged switch, so I made this port tagged on all the VLANs. Now all the devices have internet and can access the server and other computers etc. Is this the way to go?

Hello,

So you are saying you have full connectivity after making those changes?

So far I have tried it with 2 VLANs with 1 device each, and both can access the internet just fine. Is this OK? Or is it going to choke up my switch when I add the remaining dozens of devices to multiple additional VLANs?

Hello,

The switch is not likely to cause any significant delay. Judging from your drawing, the only potential 'bottleneck' will be the internet connection going out the SonicWall. That obviously depends on the kind of outbound traffic your clients are generating.

OK. I think I will have to try and see. There are no other issues with adding the port to all of the VLANs, right? I will still be able to block some VLANs from talking to some others through ACLs, right?