Static Routes With Next Hop As An Exit Interface Or An IP Address

mark_farber
Level 1

I need to set up a simple L3 network. For now I will leave all devices on VLAN 1 for simplicity until I have things working. Later I will add additional VLANs. The setup is a straight chain. The SG300-10s are all in L3 mode currently:

Router (192.168.1.1) connects to SG300-10 (192.168.1.4, port 1, in L3 mode) --> connects to SG300-10 (192.168.1.3, port 1, in L3 mode) --> connects to SG300-10 (192.168.1.2, port 1, in L3 mode)

 

I have all ports set to trunk currently.

 

Question 1: Do I need to add any IPv4 routes, or are the defaults sufficient?

 

Question 2: I will add the following VLANs: 1-Default, 2-Network, 10-internet devices, 22-guest, 100-voice. Will I need to change any IPv4 routes (above) when I do this? If so, what should they read?

 

Sorry about the newbie questions.

27 Replies

Richard:

I must have something set up wrong with respect to the DHCP and GW. If I manually change the GW address to the switch (i.e. change it from 192.168.2.1 to 192.168.2.4), I lose internet access for that computer. I am sure I do not have inter-VLAN routing all set up correctly yet.

You have two responses which I will address. First, your response showing each switch and its VLAN interfaces, addresses, etc. looks good. It is what I would expect to see. You have addresses for VLANs 1, 2, 10, 100 and not for 22. Each interface has an appropriate address (with the third octet indicating the VLAN and the fourth octet the particular switch; this is a good system for generating addresses). Each interface address is static, has the appropriate mask, and is valid. Along with this I would like to see the IPv4 Routes page, which should show the directly connected subnets and the default route.

 

Then you tell us that devices in the wireless are automatically assigned to the Guest VLAN (22). Since your switches do not have an IP address in VLAN 22 they cannot do routing for VLAN 22. So traffic from the wireless goes up to the router. You tell us that the router has isolated VLAN 22, and that is good. I think you do not need to mess any more with this.

 

In your paragraph about Correct Gateway I do not understand what you are saying in 1). I think that you are saying that in the DHCP scopes for each subnet the default router address is the address of the router (for example 192.168.2.1). In this case inter-VLAN routing would work, but it would be performed on the router, and your goal is to have it performed on the switch (more about that below).

 

I do not understand what you describe in 2). If your computer connects via wifi I would expect that it would be assigned an IP address in 192.168.22, but you tell us it is 192.168.2.61. Perhaps you need to share some details about how DHCP is configured on the router. As I said above, if the gateway used by the computer is 192.168.2.1 the inter-VLAN routing would be performed on the router. I would think you want the gateway to be 192.168.2.4, which would have inter-VLAN routing occur on the switch.

 

But in your second response you tell us that if you change the gateway from 192.168.2.1 to 192.168.2.4 you lose access to the Internet. If you change the gateway do you still have access to devices in other VLANs/other subnets? (Is the problem when you change the gateway to 192.168.2.4 just about Internet access, or is it access to everything?)

 

To investigate this we really need to see the IPv4 Routes page from the switches.

 

I wonder if the issue might be a security setting on the router. I believe that as currently configured the router treats VLAN 2 and subnet 192.168.2.0 as a directly connected subnet. When you change the gateway on the PC to 192.168.2.4, the result is that packets from the PC to the Internet are forwarded by the switch to the router using the connection in VLAN 1. Now the router sees a packet arrive on VLAN 1 that logically belongs in VLAN 2. Perhaps the router regards this as an attempt at spoofing and rejects the packet? Does the router have logging enabled? And if so, are there any log messages when the PC attempts access to the Internet? Do you know what the security settings on the router are?

 

HTH

 

Rick


Richard, thanks again.

 

IPv4 Routes for the three switches (they appear to have no next hop listed):

Switch 192.168.1.4: [screenshot of the IPv4 Routes page]

Switch 192.168.1.2: [screenshot of the IPv4 Routes page]

Switch 192.168.1.3: [screenshot of the IPv4 Routes page]

 

YES, they are all the same. I am guessing that I need to fix the next hop router. Does this need to be the neighboring switch or something else? In other words, my linear setup is GW (192.168.1.1) --> SW (192.168.1.4) --> SW (192.168.1.2) --> SW (192.168.1.3). Should x.1.3's next hop therefore be x.1.2, and should x.1.2's be x.1.4, and finally x.1.4's be x.1.1 for VLAN 1, and for VLAN 2 be x.2.3 and x.2.3 ...?

 

Do I need to fix the destination IP?

 

Next Issue:

I probably made it confusing. I have two SSID wireless connections. One wireless network (House Network) for the home members, which assigns individuals to VLAN 2, and one for guests (Guest Network), which assigns them to VLAN 22 automatically. This is working and keeps guests off the network and only gives them internet access.

 

Issue in 2): The switches do not have any DHCP turned on. Do I need to turn on DHCP for them? Right now the DHCP is done on the router (192.168.1.1), which has all 4 VLANs assigned on it. Yes, I am trying to get the L3 switch to handle things so it takes the load off the router. I did not think I had to turn on DHCP for the switches, but maybe I am incorrect?

 

Second response: 

 

Computer connects via ethernet to the switch (192.168.1.4). IP address assigned manually (or via DHCP) as 192.168.2.61, mask 255.255.255.0, router 192.168.2.1 --> internet and network access to switches and devices on the network.

 

If I change the router to 192.168.2.4 then I still have access to the switches and the network, but lose internet access (only). Maybe fixing the first issue above will remedy it? If not, what else needs to be changed?

 

Thanks again, as this is extremely helpful, and sorry if I misled you about the guest VLAN.

 

 

This additional information is helpful. As far as the IPv4 Routes page not having a next hop for the Local Direct Connect routes is concerned, this is the expected behavior. Having those routes in the table is what enables inter-VLAN routing. For a route that is Local and Directly Connected there is no need for a next hop, since the switch can simply ARP for the destination address (a next hop is only needed for remote destinations). I am glad to see that all switches have the 4 networks/subnets as Local and Directly Connected and that all switches have their default route as 192.168.1.1. This should enable inter-VLAN routing and will send anything remote to the router.

 

OK, I now understand that wireless has 2 SSIDs. Before I was only aware of wireless for Guest. It does make sense that you could have one wireless for Guest and a separate wireless for the House network.

 

At this point I do not see a need to turn on DHCP on the switches. But to the extent that you want the switches to offload processing from the router, using DHCP on the switches might be a desirable thing (and depending on identification of the issue about changing the gateway from 192.168.2.1 to 192.168.2.4, it might become necessary to have DHCP on the switches).

 

It is good to know that if you change the gateway from 192.168.2.1 to 192.168.2.4, access to the switches and to the local networks still works. This is an indication that inter-VLAN routing is working on the switches. And I believe that it points toward some issue on the router. My best guess at this point is that there is some issue when the router receives a packet on its VLAN 1 interface (routed from the switch) that has a source address in VLAN 2, which the router considers to be a locally connected network. This might appear to the security side of the router as a spoofed address and might cause the router to reject it. We need to know more about the router setup to evaluate this.

 

HTH

 

Rick


Great news. So it looks as if we are close. I will get you some additional information about the router. I will chat with the Unifi support team tonight and determine if this is a spoof issue, as well as get additional information. If necessary I can insert an RV320 as my router as a last resort; the only issue is that I lose some diagnostic information I need from the Unifi USG gateway.

 

Since inter-VLAN routing is working, the only real issue seems to be that devices are assigned the router GW address instead of the switch GW address.

Does this mean that all traffic is sent to the router?

or

since inter-VLAN routing is working, only internet traffic is routed to the router and all other traffic is managed by the GW?

 

Thanks again.

Unifi Answers:

 

This is their explanation of the router config:

 

the switch (192.168.1.4) is connected to LAN1 (on the USG), so the USG LAN would be the trunk port forwarding all IP ranges to the switch, where the switch will get a default IP, i.e. 192.168.1.x. If you are configuring VLANs, the USG does only DHCP here and nothing else; if you have tagged VLAN id vlan2 to the switch port, then the switch port will get an IP from the USG DHCP with the gateway IP as 2.1, as you have mentioned and as we can see in the screenshot as well.

since the DHCP range would be the same for the other devices to which you want to send data, inter vlan routing does not come into the picture here because of the same network range, as devices in the same network can communicate.

so the cisco switch is L3 here, so it does forward traffic; try disabling inter vlan routing on the switch and check. However, you can provide the info and all, but the issue you have is with the cisco config, and the issue I guess is why the cisco switch is getting 2.1 as the gateway IP, correct?

 

 

Not sure this was helpful. 

 

Richard: the last thing to consider is whether I am making this a bigger issue than it is, and whether the router can generally handle most of this in a small business/home networking environment?

I do not find their explanation helpful. As I read it, I get the impression that they think you have only 2 networks and not the 5 that you actually have. And they do not address the question of what the router will do if it has an interface in 192.168.2.0 and receives a packet with source address 192.168.2.65, but receives the packet on the 192.168.1.0 interface.

 

I have been thinking about this and believe that there is another approach that we can try which should resolve this issue. The crux of the issue is that our current approach has all of the VLANs and all of the networks on interfaces of the router. So the router believes that it is acting as the gateway for all VLANs and all networks. My suggestion is that we remove the addresses (and perhaps the VLAN sub-interfaces) for VLANs 2, 10, and 100. That would leave the router with interfaces in VLANs 1 and 22. As we take away the IP addresses we stop the router from attempting to route for their networks. So we will need to configure static routes on the router for networks 192.168.2.0, 192.168.10.0, 192.168.100.0.

 

If we make these changes there is an aspect that we need to address. One reason for the current approach was to make it easy for the router to do DHCP for all VLANs. If we remove VLANs 2, 10, 100 from the router we impact its ability to do DHCP for them. There are two ways to address this. One alternative is to enable UDP Relay/IP helper, which should forward the DHCP requests to the router and allow the router to continue to serve DHCP for all VLANs. The second alternative (which I would prefer) is to move the DHCP for VLANs 2, 10, 100 to the switch. If you are going to do DHCP on the switch you should consider the question of whether to do DHCP on all 3 switches or to do it on just one. My recommendation would be to do it on just one (and that perhaps should be the 192.168.1.4 switch). I would suggest that you might also think about whether you want all switches to be doing inter-VLAN routing or perhaps do inter-VLAN routing on one switch.

 

I believe that the approach of doing DHCP and doing inter-VLAN routing on the switches can work and would take load off of the router. The router would then be doing routing for the Guest network and routing to and from the Internet.

 

The last paragraph of your response makes a very good point. It is very likely that the router is able to handle the needs of a small office or home network. So you might configure it so that the router does all of the DHCP and all of the IP routing and the switches just do VLANs and layer 2 forwarding. The choice is yours.

 

HTH

 

Rick


Richard, to simplify things how about we go with the last option. I am not sure that the L3 is helping that much, and it may make it more difficult if problems occur.

 

What changes would I need to do to switch this over to Layer 2 forwarding? Can I just change to L2 mode on the switches, and if so does this reset the settings (I thought it did)? If I reset them, do I then need to redo all the VLAN and IPv4 route settings we have done?

 

Thanks again.

 

This has been an interesting discussion about alternative approaches and the pluses and minuses of having L3 inter-VLAN routing on the router or on your switches. From the standpoint of a learning experience it might be appealing to try to make the changes to have inter-VLAN routing and DHCP on your switches. But I understand and agree that from the perspective of "let's make the network work as simply as possible" you want to put routing and DHCP on the router and to have the switches operate as simple layer 2 switches.

 

I do not have experience with this model of switch and cannot address what the effect will be when you change them from Layer 3 system mode to layer 2. I do not know how much it will remove from the configuration. But here is what I believe that you want to have when you are finished with configuration:

- you want the connection from switch to switch, and from switch to router, to be a trunk which carries all 5 VLANs.

- you want each switch to be configured for all 5 VLANs.

- you want each switch to have an IP address configured in the management VLAN (probably VLAN 1) to provide management access.

- you want each switch to have a default gateway configured to allow its management address to communicate with remote networks (the default gateway would be the router address in the management VLAN).

- you do not need any other IP addresses or any other routes on the switches.

- you want the router interface to be configured to communicate with the trunk to the switch. There should be a VLAN sub-interface for each VLAN and an IP address for the appropriate network configured on each sub-interface.

- the router should have a default route with the provider device address as the next hop. The router should have a Local/Directly Connected route for each of the VLAN networks (does not need a next hop address). The router should not need any other routes.

- the router should have DHCP scopes configured for each VLAN/network. The default router specified in each scope should be the router interface address for that network.

- the router should route the Guest network to the Internet and isolate that network from the other VLAN networks.

- the router should route between the other VLAN networks, and between the VLAN networks and the Internet.

 

HTH

 

Rick


Richard:

 

If others will benefit from testing out this approach I am happy to try it out to see if it will work. Just let me know and I can begin to make the changes you suggest. Here are the steps as you have outlined (preferred method):

1. I can create/configure static routes on the router for networks 192.168.2.0, 192.168.10.0, 192.168.100.0.

   Just need more specifics of where that route needs to be configured to?

2. Enable DHCP on switch 192.168.1.4

3. Disable VLANs 2, 10, 100 on the router

 

 

It is very nice of you to volunteer to set this up so that others could benefit from it. While I believe that some participants might benefit from your experience of setting it up, I believe that the main one who will benefit will be you. So an important question is whether you want to undertake this: do you want the challenge of setting up this environment, or would you just as soon get it to work with routing on the router and move on to other things?

 

We also might need to assess the potential impact of making the changes to test out inter-VLAN routing on the switches. If this network is set up as a lab to be able to test things, then it is probably easy to say yes, let's try to implement inter-VLAN routing on the switches. If this network is a home network, then perhaps the impact of finding out how to make it work is worth it. If this is a real network with live traffic, then you need to decide if the impact to the network is worth it.

 

HTH

 

Rick


Rick:

 

Sorry it took a bit to get back to you, just busy at work. You bring up some valid points about the network. Yes, I am working on a live network. However, I am pretty sure that I can save the current configurations, so getting it back up and running if there are issues would not be too difficult.

 

One thing that would be helpful is to lay out all the steps that I need to do and the correct order.

 

If we can do that it would speed things up tremendously. Also, we can work directly with remote access if that would help any also.

 

Thanks again for all your help.

I hope that you will find this a good educational experience. Here are my suggestions about what you should do. I am not sure that the ordering of steps matters a lot. Connectivity for your network will be impacted as you make the first change and will not function completely correctly until the changes are completed. This order makes sense to me, but you could probably arrange it differently and have it work just fine.

 

As we contemplate doing this there is a question to address. Do you want to do DHCP and routing on each switch, or to have a single switch perform the functions for all of the network? My suggestion would be to have a single switch (and it seems logical that it should be the 192.168.1.4 switch that connects directly to the router), and that is how I will set up the steps. If you want to do it on each switch it should be easy to add those steps to the process.

 

I suggest starting by configuring the switch that connects to the router for layer 3 system operation. Each switch will have all VLANs configured, with appropriate interfaces assigned to each VLAN. The first switch will have VLAN interfaces with IP addresses configured for each VLAN except for VLAN 22. Note that having layer 3 system operation and VLAN interfaces with IP addresses will enable routing between the VLANs and should create entries in the routing table for each VLAN (except for VLAN 22). The switch should have a default route configured with its next hop being the router interface address in VLAN 1 (192.168.1.1).

 

Then on the router remove the VLAN sub-interfaces for VLANs 2, 10, and 100. Note that this should remove the entries in the routing table for those VLANs. On the router configure static routes for VLANs 2, 10, and 100. Each of these static routes should have the switch interface address 192.168.1.4 as the next hop. The router will continue to have a default route with the ISP as the next hop.

 

Then we can change DHCP. Currently the router has DHCP for all VLANs. I suggest removing from the router the DHCP for VLANs 2, 10, and 100, leaving DHCP for 1 and 22. On the switch enable DHCP and configure DHCP for VLANs 2, 10, and 100. In each of those the default router should be the IP address of the switch in that VLAN (192.168.2.4, 192.168.10.4, 192.168.100.4).

 

With these changes made the network should work as you expect. The router will be routing VLANs 1 and 22 as directly connected, and routing for VLANs 2, 10, and 100 with the static route having the switch interface as the next hop. Devices connected in VLANs 1 and 22 will have the router VLAN interface address as their default gateway, while devices connected in VLANs 2, 10, and 100 will have the switch interface address as their default gateway.

 

Let me know if you have questions about this or want to discuss anything further.

 

HTH

 

Rick

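The two designs discussed in this thread, the current one (router owns every VLAN, suspected anti-spoofing check on the router) and Rick's final plan (router keeps VLANs 1 and 22 and reaches 2/10/100 through static routes via 192.168.1.4), can be compared with a small hop-by-hop forwarding model. The following is an added illustration, not configuration from the thread or from Cisco/Ubiquiti: the device names, the documentation-range WAN addresses (203.0.113.0/30, 198.51.100.10), and the `source_check` policy (a strict reverse-path check standing in for the router behaviour Rick only hypothesises) are assumptions. It reproduces the symptom reported above (gateway 192.168.2.4 keeps inter-VLAN access but loses Internet) and shows that once the router reaches VLAN 2 via a static route through the switch, the same check passes.

```python
"""Hop-by-hop forwarding model (constructed illustration, not the thread's config)."""
from ipaddress import ip_address, ip_interface, ip_network


class Device:
    """A router or L3 switch: connected subnets, static routes and one default route."""

    def __init__(self, name, interfaces, static_routes=(), default=None, source_check=False):
        self.name = name
        # interfaces: {ifname: "addr/prefix"}; each subnet is a connected route
        self.interfaces = {ifn: ip_interface(a) for ifn, a in interfaces.items()}
        self.static = [(ip_network(n), ip_address(nh)) for n, nh in static_routes]
        self.default = ip_address(default) if default else None
        self.source_check = source_check  # assumed anti-spoofing (strict reverse-path) check

    def _egress(self, next_hop):
        """Interface whose connected subnet contains the next hop."""
        for ifn, iface in self.interfaces.items():
            if next_hop in iface.network:
                return ifn
        raise ValueError(f"{self.name}: next hop {next_hop} is not on a connected subnet")

    def lookup(self, dst):
        """Longest-prefix match -> (next_hop, out_ifname); next_hop is None when dst is
        on a connected subnet (the device ARPs for it directly, no next hop needed)."""
        best = None  # (prefixlen, next_hop, out_ifname)
        for ifn, iface in self.interfaces.items():
            if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, None, ifn)
        for net, nh in self.static:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh, self._egress(nh))
        if best is not None:
            return best[1], best[2]
        if self.default is not None:
            return self.default, self._egress(self.default)
        return None

    def forward(self, src, dst, in_ifname):
        """Route one packet; PermissionError if the source check rejects it."""
        if self.source_check:
            back = self.lookup(src)
            if back is not None and back[1] != in_ifname:
                raise PermissionError(f"{self.name} drops {src}->{dst}: arrived on {in_ifname}, "
                                      f"but the return path to {src} is via {back[1]}")
        route = self.lookup(dst)
        if route is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return route


def trace(devices, src, in_ifname, gateway, dst, max_hops=8):
    """Follow a packet from its first-hop device until delivered or handed upstream.
    Assumes both ends of a trunk name the VLAN interface the same way (vlan1, ...)."""
    owner = {iface.ip: dev for dev in devices for iface in dev.interfaces.values()}
    src, dst = ip_address(src), ip_address(dst)
    dev, hops = owner[ip_address(gateway)], []
    for _ in range(max_hops):
        next_hop, out_ifname = dev.forward(src, dst, in_ifname)
        hops.append(dev.name)
        if next_hop is None:
            return hops + [f"delivered on {out_ifname}"]
        if next_hop not in owner:
            return hops + [f"handed to {next_hop}"]
        dev, in_ifname = owner[next_hop], out_ifname
    raise RuntimeError("forwarding loop")


ISP = "203.0.113.1"  # constructed upstream next hop
SWITCH_IFS = {"vlan1": "192.168.1.4/24", "vlan2": "192.168.2.4/24",
              "vlan10": "192.168.10.4/24", "vlan100": "192.168.100.4/24"}


def current_design():
    """Router owns every VLAN; switch 192.168.1.4 also routes VLANs 1, 2, 10, 100."""
    router = Device("router", {"wan": "203.0.113.2/30", "vlan1": "192.168.1.1/24",
                               "vlan2": "192.168.2.1/24", "vlan10": "192.168.10.1/24",
                               "vlan22": "192.168.22.1/24", "vlan100": "192.168.100.1/24"},
                    default=ISP, source_check=True)
    return [router, Device("sw4", SWITCH_IFS, default="192.168.1.1")]


def proposed_design():
    """Rick's plan: router keeps VLANs 1 and 22, reaches 2/10/100 via 192.168.1.4."""
    nets = ("192.168.2.0/24", "192.168.10.0/24", "192.168.100.0/24")
    router = Device("router", {"wan": "203.0.113.2/30", "vlan1": "192.168.1.1/24",
                               "vlan22": "192.168.22.1/24"},
                    static_routes=[(n, "192.168.1.4") for n in nets],
                    default=ISP, source_check=True)
    return [router, Device("sw4", SWITCH_IFS, default="192.168.1.1")]


if __name__ == "__main__":
    PC, WEB = "192.168.2.61", "198.51.100.10"  # host in VLAN 2, constructed Internet host
    for label, net, gw in [("current, gw .1", current_design(), "192.168.2.1"),
                           ("current, gw .4", current_design(), "192.168.2.4"),
                           ("proposed, gw .4", proposed_design(), "192.168.2.4")]:
        for dst in ("192.168.10.7", WEB):
            try:
                print(label, dst, "->", " > ".join(trace(net, PC, "vlan2", gw, dst)))
            except PermissionError as err:
                print(label, dst, "-> DROPPED:", err)
```

Running it prints one line per scenario and destination: with gateway 192.168.2.1 the router handles everything; with gateway 192.168.2.4 in the current design the switch delivers VLAN 10 traffic itself but the Internet-bound packet reaches the router on vlan1 with a VLAN 2 source and is dropped by the modelled check; in the proposed design the router's return path to 192.168.2.0/24 is the static route via vlan1, so the same packet passes, and the reply from the Internet is routed back through the switch. Whether the real USG applies such a check is exactly the open question in the thread; the model only shows that the symptom is consistent with it.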