SG350 / SG350X setup advice and a few questions

Filomena
Level 1

Hi,

I managed this setup in a test environment:

[Network diagram image: Internet Network Diagram Template 7.vpd-tmp.png]

Note: once I can afford one of the new fanless 10 Gb switches it will replace the SG350, but I need a silent switch there and all cabling reaches that room, so I cannot swap the switches.

 

I had to create the interfaces on the firewall instead of using static routes pointing back down to the SG350, because of limitations in the firewall's support for serving DHCP on interfaces not directly connected to it.

 

The static route in the SG350 doing inter-VLAN routing ensures that all internet traffic flows through the Transit route.

The VLAN interfaces on the SG350 are set to be the gateway for the corresponding VLAN clients. DNS and DHCP are served by the firewall VLAN interfaces.

 

The above design works properly as long as the SG350 VLAN interfaces are set as the gateway for the connecting clients. VLAN isolation is managed at the switch with ACL rules. No inter-VLAN traffic reaches the firewall, and traffic for 10 Gb connections in VLAN 10 is all handled by the SG350X.

 

I have the following questions:

- The SG350X cannot be set to L2. However, I wanted to be able to manage it from VLAN 10. I cannot access the management VLAN 1 interface on the switch if I don't define the VLAN 10 interface on the switch. Is this expected?

- How can I restrict management access to the switches' VLAN interfaces except for the VLAN 1 interface? Is it only possible with single ACL rules for each interface? Is there a general option to set a management interface and restrict access to a single VLAN?

- The SG350X has no static routes defined manually since it is trunked to the gateway SG350 switch. It works properly without defining the interfaces, like an L2 switch. Is my setup correct even though the switch cannot be set globally to L2?

Accepted Solution

Deepak Kumar
VIP Alumni

Hi,

- The SG350X cannot be set to L2. However, I wanted to be able to manage it from VLAN 10. I cannot access the management VLAN 1 interface on the switch if I don't define the VLAN 10 interface on the switch. Is this expected?

Ans: If you are sitting in a different VLAN and trying to access the SG350X switch using VLAN 1, you need to define a default route or default gateway on the switch pointing to the VLAN 1 interface of your inter-VLAN routing switch (SG350). It will allow packet switching between VLANs from the SG350X switch as well.

 

- How can I restrict management access to the switches' VLAN interfaces except for the VLAN 1 interface? Is it only possible with single ACL rules for each interface? Is there a general option to set a management interface and restrict access to a single VLAN?

Ans: Check both links: "Restrict Access to Cisco Switch Based on IP Address" (helpdeskgeek.com) and "Configure Secure Shell (SSH) Server Authentication Settings on a Switch" (Cisco).

 

- The SG350X has no static routes defined manually since it is trunked to the gateway SG350 switch. It works properly without defining the interfaces, like an L2 switch. Is my setup correct even though the switch cannot be set globally to L2?

Ans: Yes, it seems correct.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
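The "general option" asked about in the second question does exist on the 350 series: a management access list filters which sources may open a management session to the switch's own IP stack, whichever VLAN interface address they aim at, so it does not need one data-plane ACL per SVI. The following is an added example, not from the thread or the accepted answer, and is written against the Cisco Small Business 350 CLI as I know it: the list name MGMT-VLAN1, the VLAN 1 subnet 10.0.1.0/24 and the choice to expose only SSH and HTTPS are assumptions, and the exact keyword set should be confirmed against the CLI guide for the firmware in use before pasting it in.

```text
! Expose only the encrypted management services (assumed hardening, not from the thread)
ip ssh server
ip https server
no ip telnet server
no ip http server

! Management ACL: permit SSH and HTTPS only when the session arrives on VLAN 1
! from the VLAN 1 subnet; everything else that targets the switch itself is denied.
management access-list MGMT-VLAN1
permit vlan 1 ip-source 10.0.1.0 mask 255.255.255.0 service ssh
permit vlan 1 ip-source 10.0.1.0 mask 255.255.255.0 service https
deny
exit

! Activate the list for the in-band management plane (the console port is not filtered)
management access-class MGMT-VLAN1
```

Apply this from a console session or with a second session held open, verify from a VLAN 10 host that SSH to the switch is now refused while a VLAN 1 host still gets in, and only then write the running configuration to startup. The list governs sessions to the switch itself; the VLAN ACLs on the SG350 that isolate client traffic remain necessary for the data plane.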

2 Replies

Thank you a lot, that was clear and helpful.

There is still one point in this answer that I did not understand properly:

 

Ans: If you are sitting in a different VLAN and trying to access the SG350X switch using VLAN 1, you need to define a default route or default gateway on the switch pointing to the VLAN 1 interface of your inter-VLAN routing switch (SG350). It will allow packet switching between VLANs from the SG350X switch as well.

 

You mean I define this static route on the SG350X:

10.0.1.0/24 -> 10.0.1.2 (SG350 VLAN1 interface)

That did not work, and I still cannot access the VLAN 1 management interface of the SG350X from a VLAN 10 workstation connected directly to the switch. I also tried trunking VLAN 1 between the two switches, without luck.

 

As soon as I define the VLAN 10 interface IP on the SG350X, access to its VLAN 1 management interface is possible from the VLAN 10 workstation.

 

Why can the same workstation in VLAN 10 ping the media server in VLAN 50 (both devices are on the SG350X), and vice versa? Both clients are properly routed to the SG350 gateway:

# traceroute from VLAN 10 workstation to media server on VLAN 50, both attached to the SG350X
# it properly uses the SG350 switch 10.0.10.2 gateway
tracert 10.0.50.30

Tracing route to 10.0.50.30 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  10.0.10.2
  2    <1 ms    <1 ms     2 ms  10.0.50.30

Trace complete.

# traceroute from VLAN 50 media server to VLAN 10 workstation, both on SG350X
# traffic is properly routed to SG350 VLAN 50 gateway 10.0.50.2
# * * * : is a limitation in the server, ping is fine
traceroute 10.0.10.40
traceroute to 10.0.10.40 (10.0.10.40), 64 hops max, 40 byte packets
 1  10.0.50.2 (10.0.50.2)  5.240 ms  3.237 ms  2.532 ms
 2  * * *

 

I am just trying to understand why the SG350X (with VLAN routing disabled) needs the VLAN 10 interface IP defined to allow access to its VLAN 1 management interface from a VLAN 10 client, while this is not needed for connections between other attached hosts (which work properly, as on an L2 switch).

 

Hope you can help me understand that part
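To make the asymmetry in the last question concrete (host-to-host traffic across VLANs works, but the SG350X's own VLAN 1 address is not reachable from VLAN 10 until a VLAN 10 SVI exists on it), here is an added example that is not part of the thread: a small longest-prefix-match model of the three IP stacks involved, run over the three SG350X configurations discussed. The addresses follow the thread (10.0.x.2 for the SG350 SVIs, 10.0.10.40 and 10.0.50.30 for the two hosts); the SG350X management address 10.0.1.3 and the firewall transit next hop 10.0.0.1 are not on the page and are assumptions. The point it isolates is that a session to the switch's management IP needs the switch's own routing table to carry a route back to the client, whereas client-to-client traffic is switched at L2 through the SG350X and routed only by the SG350.

```python
"""Model of the IP routing decisions behind the question above.

Added example, not code from the original thread. Addresses are assumptions
chosen to match the thread: 10.0.1.0/24 = VLAN 1, 10.0.10.0/24 = VLAN 10,
10.0.50.0/24 = VLAN 50, SG350 SVIs at 10.0.x.2. The SG350X management
address 10.0.1.3 and the firewall transit next hop 10.0.0.1 are also assumed.
"""
from ipaddress import ip_address, ip_network

# A routing table is a list of (prefix, next_hop); next_hop None means directly connected.
def lookup(table, dst):
    """Longest-prefix match: returns "connected", a next-hop string, or None (no route)."""
    dst = ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    if best_net is None:
        return None
    return "connected" if best_nh is None else best_nh

# SG350: the inter-VLAN router, one SVI per VLAN, default route towards the firewall transit.
SG350 = [
    ("10.0.1.0/24", None),
    ("10.0.10.0/24", None),
    ("10.0.50.0/24", None),
    ("0.0.0.0/0", "10.0.0.1"),
]

# SG350X with VLAN routing disabled: it only has a host IP stack on VLAN 1.
# Variant A: the static route quoted in the follow-up (it covers only VLAN 1 itself).
SG350X_ROUTE_ONLY = [("10.0.1.0/24", None), ("10.0.1.0/24", "10.0.1.2")]
# Variant B: a default gateway pointing at the SG350's VLAN 1 SVI.
SG350X_DEFAULT_GW = [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.2")]
# Variant C: a VLAN 10 SVI added on the SG350X (the configuration that worked in the post).
SG350X_VLAN10_SVI = [("10.0.1.0/24", None), ("10.0.10.0/24", None)]

def management_reachable(client, mgmt_ip, sg350x_table):
    """True if a round trip from the client to the SG350X management IP can complete.

    Forward leg: the client hands the packet to its SG350 SVI, and the SG350 delivers it
    into VLAN 1 because that VLAN is directly connected to it.
    Return leg: the SG350X must find a route back to the client in its own table; if
    none exists the reply is dropped and the session never opens.
    """
    if ip_address(client) in ip_network("10.0.1.0/24"):
        return True                      # same subnet: no routing involved at all
    if lookup(SG350, mgmt_ip) != "connected":
        return False                     # the SG350 cannot even deliver the request
    return lookup(sg350x_table, client) is not None

def host_to_host(src, dst):
    """Client-to-client traffic across VLANs never uses the SG350X IP stack: the SG350X
    forwards tagged frames at L2 over the trunk, each host sends to its SG350 SVI
    gateway, and the SG350 routes between its connected VLANs."""
    return lookup(SG350, src) == "connected" and lookup(SG350, dst) == "connected"

if __name__ == "__main__":
    ws = "10.0.10.40"                    # the VLAN 10 workstation from the traceroute
    for name, table in [("route to 10.0.1.0/24 only", SG350X_ROUTE_ONLY),
                        ("default gateway 10.0.1.2", SG350X_DEFAULT_GW),
                        ("VLAN 10 SVI defined", SG350X_VLAN10_SVI)]:
        print(f"{name:28s} mgmt reachable from {ws}: {management_reachable(ws, '10.0.1.3', table)}")
    print("VLAN 10 -> VLAN 50 host traffic:", host_to_host(ws, "10.0.50.30"))
```

The model deliberately stops at the routing decision and ignores the switch ACLs, which is enough to show why the three SG350X tables behave differently for management sessions while host-to-host traffic is unaffected by any of them. Whichever variant makes the management IP reachable from VLAN 10, that reachability is worth pairing with a management access list so that only the intended subnet can open sessions to the switch itself.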
