SG300-10 VLAN Questions

jsshivers
Level 1

[image: network.jpg]

My apologies if this has been asked before, but I have some questions regarding the setup of my new switch and network. I have never worked with switches before, so this is quite a learning experience. The picture above describes the current layout of my network. Here is how I have tried to set it up, so far.

VLAN 1 [Ports 1-4, Untagged, Trunk] (172.16.1.1/24)

Workstation A (Wired)

172.16.1.2/24

Server B (Wired)

172.16.1.3/24

VLAN 2 [Ports 5-8, Untagged, Trunk] (172.16.2.1/24)

Server C (Wired)

172.16.2.2/24

Server D (Wired)

172.16.2.3/24

Server E (Wired)

172.16.2.4/24

Server F (Wired)

172.16.2.5/24

VLAN 3 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)

Laptop G (Wireless)

DHCP via Router

Laptop H (Wireless)

DHCP via Router

Laptop I (Wireless)

DHCP via Router

Wireless Router

192.168.1.254/24

Now, my goal is to have all 3 VLANs be able to talk to each other but also have VLAN 1 access the internet, through the wireless router. In the future I would also like Server B to be able to expose services (http & ssh) to the outside. VLAN 2 shouldn't have internet access at all. I know I can add static routes to the wireless router, if need be. All three laptops, can access the internet through the wireless router, without any problems.

So my questions are:

1) Is there anything inherently wrong with the design of this network? If so, what could be changed?

2) Is VLAN 3 really necessary?

3) What would I need to do, to get the 3 VLANs communicating with each other?

4) What should the gateway be, to get VLAN 1 internet access?

5) What would I need to do, to expose Server B services to the outside?

6) What static routes do I need to add?

Thanks in advance!

   Jer


12 Replies

Carlos Gomez
Level 1

I based my answers on the little knowledge I have from CCENT, so correct me if I'm wrong here.

I would change the IP addressing scheme. If your router is 192.168.1.1/24 then try to design all the subnets within the same class.

I don't think VLAN 3 is really necessary, but if your router supports it....

Does your router support dot1q? That's what you need to make the vlans talk to each other with VTP.

The Default gateway would be your router's IP.

To be able to permit or deny services you need to create an access list.

Just the one pointing to the internet, if your router doesn't have one already.

122gleechow
Level 1

I would say, change the switch to a layer 3 switch.

Create an interface for each VLAN you would like; that would be your default gateway for each VLAN.

The switch will create routes for each interface automatically.

davidagu
Level 1

Hello Jeremy,

My name is David Aguilar, and I am an engineer with the Cisco Small Business Support Center. Thank you for writing.

To summarize several important concepts:

  • By default, the SG300 is in Layer-2 mode. Therefore, the switch will segment ports into different VLANs. However, for the VLANs to communicate with each other, they need to be trunked to a router that will route between the different subnets.
  • In Layer-3 mode, the SG300 is capable of performing routing functions. Therefore, you could achieve inter-VLAN communication and direct specific VLANs to the router.

So, you will need to discover and determine the following:

  • Does your router support 802.1Q VLANs? If so, you can configure a trunk port between the SG300 and the router. The trunk will carry the VLANs to the router. Then, given the router supports it, you can configure inter-VLAN routing to allow inter-VLAN and internet communication.
  • If your router does not support inter-VLAN routing, then you will need to put the SG300 into Layer-3 mode. This will allow you to assign IP interfaces to your VLANs, route between the VLANs locally on the switch, and configure a default gateway to route information to the router, and therefore, the Internet. However, you will need to configure the router to route information back to the switch. So, configuration on the router is still necessary.

If you experience any issues with the SG300, do not hesitate to call our Support Center. We can be reached 24/7 at 1-866-606-1866.

All the best,

-David Aguilar

Cisco Small Business Support Center

Thanks David! That puts it into a much clearer perspective! Unfortunately my router does not support 802.1Q. I switched to layer 3 mode and after the reset, I re-entered the settings. I created the VLANs in the same way as before, but with a more consistent allocation. Here is the updated configuration.

VLAN 1 [Ports 1-4, Untagged, Trunk] (192.168.3.1/24)

Workstation A (Wired)

192.168.3.2/24

Server B (Wired)

192.168.3.3/24

VLAN 2 [Ports 5-8, Untagged, Trunk] (192.168.2.1/24)

Server C (Wired)

192.168.2.2/24

Server D (Wired)

192.168.2.3/24

Server E (Wired)

192.168.2.4/24

Server F (Wired)

192.168.2.5/24

VLAN 3 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)

Wireless Router

192.168.1.254/24

From Workstation A (192.168.3.2), I can ping each VLAN (192.168.1.1, 192.168.2.1 and 192.168.3.1) successfully. However, I cannot ping anything on the 192.168.1 and 192.168.2 subnets. Currently, the gateway and DNS settings for Workstation A are set to 192.168.3.1.

1) How do I get the VLANs communicating with each other?

2) What should the gateway be for Workstation A?

3) Once I can ping the gateway, how do I get DNS working for Workstation A (UDP 53 relay?)

4) What static routes do I need on the switch and the router?

Here are the current static routes on the router.

Thanks again!

   Jer

Okay, I managed to get inter-VLAN communication working by using the VLAN IP address as the gateway in each subnet. Each VLAN can ping the others without any issues. Naturally, to ping the router, I had to add the following static route, so the router would know how to get back to the '3' subnet.

Subnet IP      Subnet Mask      Gateway
192.168.3.0    255.255.255.0    192.168.1.1

I am still unable to get DNS working when specifying 192.168.3.1 as the default gateway and DNS server. However, when using 192.168.1.254 (Router IP) as the DNS server and leaving 192.168.3.1 as the default gateway, pinging 'www.google.com' resolves to an external IP address, but then displays 4 net-unreachable messages. I get the same outcome pinging from the switch as well as from the command prompt on Workstation A. I am at a loss as to what to do next. Any help would be greatly appreciated!

Thanks!

   Jer

Hello Jeremy,

Thank you for your interest and patience.

You are on the right track here. However, several important changes must be made. Consider the following concepts:

  • The concept of a native VLAN. The link between the router and the switch must be part of VLAN 1. Otherwise, information from the router will not be distributed correctly on the switch due to the current PVID of 3.
  • The VLAN IP Interface (VLAN IP Address) identifies the subnet for the VLAN. Therefore, thinking of the switch as a router, you are correct that the default gateway for each client should be the respective VLAN interface on the switch. The switch will automatically route between directly connected IP Interfaces and their subnets.
  • However, in order for your clients to get to a network that the switch doesn't know about (the internet), there must be a default route to the router.
  • Additionally, in order for the router to forward information from the internet back to the VLANs on the switch, the router must know how to reach the different VLANs.

The following linked figure (Fig. 1) describes an appropriate sample setup. See here.

In this scenario, a SG300-10 is configured with 3 VLANs:

  • VLAN 1 - Default VLAN, used for management - 192.168.1.x/24 - Ports 9-10 - 1U - Trunk Mode
  • VLAN 2 - Servers - 192.168.2.x/24 - Ports 5-8 - 2U - Trunk Mode
  • VLAN 3 - Workstations - 192.168.3.x/24 - Ports 1-4 - 3U - Trunk Mode


VLAN 1 is used to communicate to the router. Therefore, the following default route must be added to the switch's configuration:

  • ip route      0.0.0.0      0.0.0.0      192.168.1.1

The switch will automatically build the routes between the VLANs local to the switch. Visualize Server C going to google.com. Its IP address is 192.168.2.2. Its default gateway should be the VLAN 2 IP Interface on the switch (192.168.2.254 in this example). Because the default route is configured, the switch will forward the internet request to the router. The router will then forward the request to your ISP out the WAN where it will eventually reach Google.

However, when the request comes back into the router, the router must know to route it to the 192.168.2.x subnet. So, in order for this to work, routes that accomplish the following must be configured on your router:
Subnet IP      Mask             Gateway                              Interface
192.168.2.1    255.255.255.0    192.168.1.254 (SG-300 IP Interface)  LAN
192.168.3.1    255.255.255.0    192.168.1.254 (SG-300 IP Interface)  LAN


As you have already discovered, there are several limitations to using a router that does not support 802.1Q tagging. Chiefly, your clients will not receive either DHCP or DNS automatically from the router. To mitigate this, you can do either of the following:

  • Run a DHCP server with multiple DHCP scopes on a device connected to your switch. You can then use Option 82 on the switch to route DHCP requests and DNS info between VLANs on the switch.
  • Statically configure IP and DNS information. You could enter Open DNS Servers or Google's DNS servers on your clients.

Ideally, you would want to use a router that supports 802.1Q tagging. In this figure here (Fig. 2), you can see the VLAN configuration page for a Cisco RV180W, a very capable and affordable small business router that I highly recommend. Port 1 on the RV180W is configured as a trunk port and carries VLANs 1-3 to the switch. The clients automatically receive IP addresses and DNS information from the correct DHCP pool on the router.

Do not hesitate to contact us. We are always happy to help.

All the best,

-David Aguilar

Cisco Small Business Support Center

1-866-606-1866

Thanks a bunch David! The pieces are really starting to line up nicely! Thanks for the recommendation! However, in the current configuration, I am stuck with this particular router. In the coming months, I am definitely purchasing one that supports 802.1Q. Per your advice, I made the necessary changes.

I added the default route on the switch

0.0.0.0     0.0.0.0     192.168.1.254

I changed the VLAN configuration

VLAN 1 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)

VLAN 2 [Ports 5-8, Untagged, Trunk] (192.168.2.1/24)

VLAN 3 [Ports 1-4, Untagged, Trunk] (192.168.3.1/24)

I added the return route on the wireless router

192.168.3.1      255.255.255.0     192.168.1.1

I enabled DNS on the switch and defined a server at 192.168.1.254 (not sure if necessary)

From the switch CLI, I was able to resolve and ping google.com successfully

I setup a client on VLAN 3

IP: 192.168.3.2/24

GW: 192.168.3.1

DNS: 192.168.3.1

From the client, pinging google.com doesn't resolve and pinging 74.125.225.98 (google.com) times out. I still must be missing something besides DNS, since I can't even ping an external address outside the local network. Changing the above DNS to 192.168.1.254 and pinging again, resolves the IP, but I get the 4 net-unreachable messages.

The only clients on the network that will use DHCP, will be the laptops connecting to the wireless router. Since the clients in VLAN 2 and 3 will all have static information for their network settings, am I right in assuming Option 82 in this case, won't help? Any further info you have to add, will be a great help!

Thanks!

   Jer

Hello Jeremy,

I believe the issue probably lies with the router not routing traffic back to the switch. Which interface do you have specified in your routes? Once routing is working, DNS should also work.

Regards,

-David Aguilar

Cisco Small Business Support Center

Yep David, you were right. The router does not allow me to specify the interface for the static route. Unfortunately, it's outbound (WAN) only. At least, I can get a new router, sooner than expected! =)

Thanks,

  Jer

Glad to know we found a resolution. For everyone's benefit, here is the link I was talking about: https://www.articledashboard.com/Article/Understanding-Routing-Basics-Static-Routes-Part-2/1249174

Thanks for posting, Jeremy. Feel free to contact us anytime.

Regards,

-David Aguilar

Cisco Small Business Support Center
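To make the routing behaviour discussed in this thread concrete, here is an added example (not Cisco's code and not posted by anyone in the thread) that models Workstation A, the SG300 in Layer-3 mode, the wireless router, an upstream ISP and an external web server as routing tables with longest-prefix matching. The device names, the 203.0.113.0/30 WAN link and the 198.51.100.10 web server are constructed from documentation address ranges, and NAT is reduced to "replies from the internet arrive at the router's WAN address and must then be routed to the inside host". The three scenarios reproduce what the thread found: no return route on the router, a return route that the router will only bind to the WAN interface, and a return route bound to the LAN interface.

```python
"""Longest-prefix-match forwarding model for the SG300 + wireless-router
layout in the thread. Added example: device names, the WAN addresses
(203.0.113.0/30, 198.51.100.0/24) and the simplified NAT handling are
assumptions, not the thread's or Cisco's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                                   # interface the route points out of
    via: Optional[ipaddress.IPv4Address] = None  # None = directly connected


class Device:
    """A host, L3 switch or router: interfaces plus a routing table."""

    def __init__(self, name, interfaces):
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        # Connected routes are installed automatically, one per interface.
        self.routes = [Route(i.network, n) for n, i in self.ifaces.items()]

    def add_route(self, prefix, via, iface):
        self.routes.append(Route(ipaddress.ip_network(prefix), iface,
                                 ipaddress.ip_address(via)))

    def lookup(self, dst):
        """Longest prefix match; the default route (/0) only wins when nothing else matches."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def addresses(self):
        return {i.ip for i in self.ifaces.values()}


def trace(devices, start, dst, max_hops=16):
    """Follow a packet for dst hop by hop from start. Returns (outcome, path)."""
    dst = ipaddress.ip_address(dst)
    by_addr = {a: d for d in devices for a in d.addresses()}
    cur, path = start, [start.name]
    for _ in range(max_hops):
        if dst in cur.addresses():
            return "delivered", path
        route = cur.lookup(dst)
        if route is None:
            return f"no route at {cur.name}", path
        nxt = dst if route.via is None else route.via
        # A next hop is only usable if it sits on the subnet of the chosen
        # interface; this is what breaks when a LAN gateway is bound to WAN.
        if nxt not in cur.ifaces[route.iface].network:
            return f"next hop {nxt} unreachable via {route.iface} at {cur.name}", path
        if nxt not in by_addr:
            return f"{nxt} does not answer on {route.iface} of {cur.name}", path
        cur = by_addr[nxt]
        path.append(cur.name)
    return "hop limit exceeded (routing loop?)", path


def round_trip(devices, host, dst, nat_router):
    """Request from host to dst, then the reply. The internet only sees the
    router's WAN address (NAT), so the reply is traced to that address and the
    router must then route it on to the inside host. Returns (request, reply)."""
    dst = ipaddress.ip_address(dst)
    by_addr = {a: d for d in devices for a in d.addresses()}
    request, _ = trace(devices, host, dst)
    if request != "delivered":
        return request, "no reply (request never arrived)"
    reply, _ = trace(devices, by_addr[dst], nat_router.ifaces["WAN"].ip)
    if reply != "delivered":
        return request, reply
    inside, _ = trace(devices, nat_router, next(iter(host.addresses())))
    return request, inside


def build_lab(return_route_iface):
    """The thread's topology. return_route_iface is None (no return route on the
    router), "WAN" (the only choice the poster's router offered) or "LAN"."""
    workstation = Device("Workstation A", {"eth0": "192.168.3.2/24"})
    workstation.add_route("0.0.0.0/0", "192.168.3.1", "eth0")   # gateway = VLAN 3 interface
    switch = Device("SG300", {"vlan1": "192.168.1.1/24", "vlan2": "192.168.2.1/24",
                              "vlan3": "192.168.3.1/24"})
    switch.add_route("0.0.0.0/0", "192.168.1.254", "vlan1")     # ip route 0.0.0.0 0.0.0.0 192.168.1.254
    router = Device("Wireless router", {"LAN": "192.168.1.254/24", "WAN": "203.0.113.2/30"})
    router.add_route("0.0.0.0/0", "203.0.113.1", "WAN")
    if return_route_iface:
        router.add_route("192.168.3.0/24", "192.168.1.1", return_route_iface)
    isp = Device("ISP", {"wan": "203.0.113.1/30", "core": "198.51.100.1/24"})  # no route for RFC 1918 space
    web = Device("Web server", {"eth0": "198.51.100.10/24"})
    web.add_route("0.0.0.0/0", "198.51.100.1", "eth0")
    return [workstation, switch, router, isp, web]


def scenario(return_route_iface):
    devices = build_lab(return_route_iface)
    workstation, router = devices[0], devices[2]
    return round_trip(devices, workstation, "198.51.100.10", router)


if __name__ == "__main__":
    for choice in (None, "WAN", "LAN"):
        request, reply = scenario(choice)
        print(f"return route on {choice!s:>4}: request={request}, reply={reply}")
```

In every scenario the request reaches the web server, which is why a ping from the workstation resolves and leaves the network; only the reply differs. Without a return route the router hands the reply to its default route and the ISP discards it; with the route bound to the WAN interface the next hop 192.168.1.1 is not on the WAN subnet and the router cannot use it; only the LAN-bound route completes the round trip.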

David,

I've just come across your article and have a few questions relating. My set-up is an SG-300 with multiple VLANs; this used to be connected to a Cisco E3000, but I needed to port forward to hosts on several VLANs. Since the E3000 was connected to VLAN 1 it only allowed me to port forward to hosts on that VLAN. So.... I bought an RV180, configured the LAN with the same IP as the E3000 and plugged it in.

All the hosts on the switch show Internet connectivity, I do a tracert from a host and it completes, but I can't browse the web. I have VLANs disabled on the router and I've plugged LAN port 4 into a port on the switch that is in VLAN1. What am I missing?

*I have the default route set up on the SG-300

I'm guessing that I need to re-enable VLANs on the Router, make sure Port 4 on the Router is in the default VLAN...same as the port on the SG-300...what next?

Regards,

Sean

Hello Sean,

Thanks for writing. My apologies for the belated reply.

The RV180 will work well for your purposes. To meet your goals, you will need to complete the following:

  • Define the VLANs on the RV180 and the SG300.
  • Configure a trunk between the RV180 and the SG300.
  • Assign physical ports to the appropriate VLANs.
  • Finally, create your desired port forwardings that map to the appropriate hosts on their respective VLANs.

So, first, log in to the router. Under Networking>LAN>VLAN Membership, you can create multiple VLANs. Let's say you create VLAN 2 and then 3. You will notice that, reading the VLAN table from top to bottom, each port will be untagged in VLAN 1 and tagged in VLANs 2 and 3. (See this post for a detailed explanation on this: https://supportforums.cisco.com/message/3632423#3632423)

Also, under the Multiple VLAN Subnets page, you can observe that the router automatically assigns a subnet for each additional VLAN. Members of VLAN 2 will have IP addresses in the 192.168.2.0 network.

Secondly, it is necessary to configure a trunk between the RV180 and the SG300. On the switch, under VLAN Management>Create VLAN, add VLANs 2 and 3. A trunk carries multiple VLANs to another device. The two ports that connect the RV180 and the SG300 together should be untagged on the default VLAN (1), and tagged on all others. Therefore, the correct setting for both ports is 1UP,2T,3T. This is already configured on the RV180 by default. You can accomplish this on the SG300 by going to the Port to VLAN page under VLAN Membership, changing the drop-down box to VLAN 2, clicking Go, and, in the column for the port that connects to the router, making the port tagged. Repeat this for all additional VLANs.

Finally, you will need to join individual ports to the desired VLAN. To join a port to a VLAN, it should be untagged in that VLAN. Again, using the Port to VLAN page on the SG300, you can make individual ports untagged in a specific VLAN.

Once this is accomplished, here is how everything works: Say you plug a computer into port 5 on the switch. Because port 5 is untagged in VLAN 3 (has the setting of 3UP under the Port VLAN Membership table, found under VLAN Management on the SG300), it will join VLAN 3. Therefore, due to the fact that the router knows about VLAN 3, and there is a trunk on, say, port 10 of the switch, to port 4 on the router (both ports 1U,2T,3T), the router will receive the information from the computer, and assign it the correct IP address from the subnet for VLAN 3 (by default, 192.168.3.0).

You can configure port forwarding on the RV180 by going to the Firewall page, creating a Custom Service, and then using that Custom Service in an Access List. The Access List defines the port forwarding operation.

If you have further questions, do not hesitate to contact us anytime. We would be happy to assist you further.

All the best,

-David Aguilar

Cisco Small Business Support Center

1-866-606-1866
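As an added illustration of the port membership notation in the reply above (not part of David's post and not Cisco's software), the following model parses "1UP,2T,3T" style strings, builds real 802.1Q tag bytes and traces what an SG300-style switch does with a frame at ingress and egress. The switch is simplified to flooding within a VLAN (no MAC learning), and the port numbers, MAC addresses and payloads are constructed. It also checks the isolation property the membership table implies: a frame tagged for a VLAN that the ingress port is not a member of is discarded rather than carried onto the trunk.

```python
"""Model of SG300 port VLAN membership ("1UP,2T,3T") with real 802.1Q tag
bytes on ingress and egress. Added example, not Cisco's code: the switch is
reduced to flooding within a VLAN (no MAC learning); port names, MAC
addresses and payloads are constructed."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int             # VLAN given to untagged frames arriving on this port
    untagged: frozenset   # VLANs sent out without a tag ("U")
    tagged: frozenset     # VLANs sent out with a tag ("T")


def parse_membership(name, spec):
    """Parse the thread's notation: '1UP,2T,3T' = untagged in VLAN 1 (and PVID),
    tagged in VLANs 2 and 3. An access port in VLAN 3 is simply '3UP'."""
    untagged, tagged, pvid = set(), set(), None
    for entry in spec.split(","):
        entry = entry.strip()
        digits = entry.rstrip("UTP")
        vid, flags = int(digits), entry[len(digits):]
        if "U" in flags:
            untagged.add(vid)
        elif "T" in flags:
            tagged.add(vid)
        else:
            raise ValueError(f"{entry!r}: expected U or T")
        if "P" in flags:
            pvid = vid
    if pvid is None:
        raise ValueError("one VLAN must be marked as the PVID with P")
    return Port(name, pvid, frozenset(untagged), frozenset(tagged))


def build_frame(dst, src, payload, vid=None):
    """Ethernet frame; with vid, a 4-byte 802.1Q tag (PCP/DEI = 0) is inserted."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def read_tag(frame):
    """Return (vid, frame with the tag removed); vid is None for untagged frames."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def ingress(port, frame):
    """Classify an arriving frame into a VLAN, or drop it (vid None)."""
    vid, bare = read_tag(frame)
    if vid is None:
        return port.pvid, bare            # untagged: the PVID decides
    if vid in port.untagged | port.tagged:
        return vid, bare                  # tagged, and the port is a member
    return None, None                     # tagged for a VLAN this port is not in


def egress(port, vid, bare):
    """Re-tag (T member), send bare (U member), or suppress (not a member)."""
    if vid in port.untagged:
        return bare
    if vid in port.tagged:
        return bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]
    return None


def forward(ports, in_port, frame):
    """Flood a frame from in_port to every other port in its VLAN.
    Returns {port name: bytes actually put on the wire}."""
    vid, bare = ingress(ports[in_port], frame)
    out = {}
    if vid is not None:
        for name, port in ports.items():
            sent = egress(port, vid, bare) if name != in_port else None
            if sent is not None:
                out[name] = sent
    return out


# Constructed switch: server on port 1 (VLAN 2), workstation on port 5 (VLAN 3),
# port 10 is the trunk to the router's port 4, as in the reply above.
SWITCH = {
    "port1": parse_membership("port1", "2UP"),
    "port5": parse_membership("port5", "3UP"),
    "port10": parse_membership("port10", "1UP,2T,3T"),
}
BROADCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("020000000005")       # constructed locally administered MACs
ROUTER_MAC = bytes.fromhex("020000000004")


def workstation_to_router():
    """Untagged DHCP discover from port 5 leaves the trunk tagged with VID 3."""
    return forward(SWITCH, "port5", build_frame(BROADCAST, PC_MAC, b"DHCP discover (constructed)"))


def router_to_workstation():
    """Reply arrives on the trunk tagged 3 and is delivered untagged on port 5 only."""
    return forward(SWITCH, "port10", build_frame(PC_MAC, ROUTER_MAC, b"DHCP offer (constructed)", vid=3))


def tagged_from_access_port():
    """A frame tagged for VLAN 2 arriving on the VLAN 3 access port is dropped,
    because port 5 is not a member of VLAN 2: the membership table enforces isolation."""
    return forward(SWITCH, "port5", build_frame(BROADCAST, PC_MAC, b"should not cross", vid=2))
```

The model makes the two halves of the notation visible: "P" only matters on ingress (it decides which VLAN an untagged frame joins), while "U" and "T" only matter on egress (whether the frame leaves with a tag). Port 1, which is only in VLAN 2, never sees any of the VLAN 3 traffic in these three cases.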
