03-09-2020 01:55 PM
Hi,
please check the attached image, diagram of my network.
I need the Offshore developers who remotely connect to my PCs to not see each other, and to see nothing from the green zone.
So I put the Cisco Switch in place, created VLANs, and connected the Offshore PCs to the specific ports from the VLANs. And here is the problem: none of the Offshore PCs can see the internet.
I can ping google from the Cisco switch, I can ping the switch from Offshore PCs.
Any ideas?
Here is the switch config:
config-file-header
switch98b1c6
v2.5.0.92 / RTESLA2.5_930_364_107
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 10
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switch98b1c6
username dev password encrypted 92e463b7d96d516fd6717fa2baf40c6547a78d46 privilege 15
!
interface vlan 10
 name OffShore
!
interface GigabitEthernet1
 switchport access vlan 10
!
interface GigabitEthernet2
 switchport access vlan 10
!
exit
03-10-2020 12:44 AM
Hi there,
What port is the SG350 connected to the Netgear? What does the configuration of the Netgear port look like?
Where is VLAN10 routed? On the eero?
By default all switchports on the SG350 will be access ports in VLAN1. If you can ping google from the SG350 this indicates that connectivity is working and the SG350 VLAN1 SVI must be receiving a DHCP address. To get the offshore PC switchports to work, the easiest solution would be to place them in VLAN 1:
!
interface GigabitEthernet1
 switchport access vlan 1
!
interface GigabitEthernet2
 switchport access vlan 1
!
If you want to use VLAN10 for the offshore PCs, then you need to:
Alternatively, configure the VLAN10 SVI and DHCP scope on the eero router and trunk VLAN 10 all the way to the SG350.
cheers,
Seb.
03-10-2020 09:54 AM
I appreciate that the easy solution would be to put all ports into vlan 1. But clearly that violates the basic requirement that the Offshore developers do not see anything in the green zone.
There are many things that we do not know about this environment, and that impacts our ability to give good advice. I believe that there are probably multiple issues present in achieving the desired results for this network. But the original post seems to focus on the issue that the developers cannot reach the Internet. And while we do not have definite information to identify this issue, I believe that we can guess at the issue with some confidence. It is clear that the devices in vlan 10 are in some IP subnet that is different from vlan 1. And if those devices do have access to the Internet, then we can be confident that somewhere in the network those addresses go through address translation. And we can guess with some confidence that the subnet for vlan 10 is not getting translated. So it is likely that the solution for vlan 10 to access the Internet is to provide address translation for those addresses. I will also observe that for this to work, the netgear will need a route for the subnet used by vlan 10.
Looking at the original post, I focused on this statement of the requirement:
"Offshore developers who remotely connect to my PCs do not see each other and nothing from the green zone"
Giving those developers access to Internet is not difficult to achieve. But preventing them from seeing the green zone may be more of a challenge. Simply providing a separate subnet does not necessarily achieve this. To achieve this somewhere in the network must be a device that implements a security policy to allow both subnets access to Internet but not allow access to each other. I am not sure that this switch is the place to do that but am not clear what else would.
And the statement that the developers should not see each other is also a challenge. If both developers are in vlan 10 then what prevents them from seeing each other? On some switches we might be able to use something like private vlans. But I doubt that this switch supports that functionality. So perhaps the solution might be to have vlan 10 for one and vlan 20 for the other developer?
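As an added example (not configuration from this thread, from Cisco, or from either poster), this is what the "one VLAN per developer" layout from the reply above would look like on the SG350, combined with the trunk-to-the-router option from Seb's reply. Assumed and not stated in the thread: GigabitEthernet10 is the uplink to the Netgear/eero side, VLAN 20 is the second developer's VLAN, and the per-VLAN SVIs, DHCP scopes, NAT, and the policy that denies the developer subnets access to the green zone and to each other are all implemented on the router, since the thread concludes the switch is probably not the place for that.

```cisco
! Assumed: GigabitEthernet10 is the uplink toward the Netgear/eero (not given in the thread).
! VLAN 1 remains the untagged (native) green-zone VLAN on the uplink; 10 and 20 ride it tagged.
vlan database
 vlan 10,20
exit
!
interface vlan 10
 name OffShore-Dev1
!
interface vlan 20
 name OffShore-Dev2
!
! One developer per VLAN: with no private-VLAN support, separate VLANs are what
! keep the two offshore PCs from seeing each other at layer 2.
interface GigabitEthernet1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet2
 switchport mode access
 switchport access vlan 20
!
! Uplink carries VLAN 1 untagged plus 10 and 20 tagged. The router end must match:
! an SVI and DHCP scope per VLAN, NAT for both developer subnets, and a policy
! denying VLAN 10/20 -> green zone and VLAN 10 <-> VLAN 20. Without that policy,
! separate subnets alone do not isolate anything, as the reply above points out.
interface GigabitEthernet10
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
!
```

The developer PCs will still show no internet until the router side carries matching VLAN 10 and 20 sub-interfaces (or SVIs) with DHCP and NAT, which is the part the thread identifies as missing.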