Cisco SG300-10 - How to set up Inter VLAN routing.

Unanswered Question
Jun 7th, 2012

I have an urgent issue with the above switch:

I have a connection on IP 192.168.1.21, Subnet 255.255.255.0 - this is on the default VLAN1 on the switch. I need to route this to IP 10.0.3.101, Subnet 255.255.252.0 - which is set up on VLAN2 on the switch. I have set the switch to Layer 3 via console.

Could someone please advise how I set up this route? I am using the browser-based interface.

Gavin

David Hornstein Thu, 06/07/2012 - 08:52

Hi Gavin,

I know you set the switch into layer 3 mode already, but for others: I think step 6 may be a relevant starting point for you. But the notes in red far below are commonly neglected items.

Step 1. Make sure the switch is using the most current version of firmware. As of today, 7th June 2012, that firmware is version 1.1.2.0.

Step 2. Change system mode.

I have to change the switch's default switching mode from layer 2 to layer 3.

I personally find it easier to change the switch's default layer 2 mode to layer 3 mode via a telnet session.

If your USB to serial dongle works fine, go to step 4 and enter the switch console menu.

Otherwise I have to enable the telnet service on the switch via the GUI.

Step 3. Telnet (or console) into the switch and log in.

Step 4. Type in 'menu', or try the CLI method as shown below.

Step 5. Go to menu item 4, 'System Mode', and edit and change the mode to layer 3.

Read the warning on that page as seen in the screen capture above, as the switch is reset to factory defaults, but with layer 3 mode enabled.

The switch will reboot to factory defaults, but now we can add IP interfaces to your VLAN interfaces.

Below is the cli method;

CLI method

switch38cbaf#set system mode router
Changing the switch working mode will *delete* the startup configuration file
and reset the device right after that.
It is highly recommended that you will backup it before changing the mode, continue ? (Y/N)[N] Y


Step 6. I want to create the second VLAN for the 10.0.0.x network.

In my SG300-10P setup, I evenly segmented the switch ports as follows;

I will make ports 5 to 8 untagged in this new VLAN 2, as per the screen capture below.

My reasoning was that any device such as a user's PC or maybe a server most likely is not VLAN aware, so they expect to see untagged Ethernet frames.

Now go down to IP Configuration > IPv4 Interfaces in the GUI, and add a new IP address for this new VLAN 2.

note:

  • For the interface route to become active (ping-able) on VLAN 2, a host must be plugged into VLAN 2.

  • The router connected onto VLAN 1 will have to have a static route for the 10.0.0.x network with a gateway address of 192.168.1.21.

  • Remember to save your configuration by clicking Save at the top right corner of the GUI.

hope this helps

regards Dave

gavinstewart1971 Fri, 06/08/2012 - 00:02

Thanks Dave,

I have set it all up as you suggest but I cannot ping from VLAN1 to VLAN2 (I'm using 2 PCs to test this).

Also, does this setup allow an external device (in this case a Honeywell Modbus Client) on VLAN2 to request information from a VLAN1 connection (in this case a Siemens CP443 Comms Card on 192.168.1.21, 255.255.255.0) via the IP 10.0.3.101, 255.255.252.0, as this is what our customer requires - they don't want to connect to any other devices on VLAN1.

Could you expand further on the static route and gateway parts please.

Thankyou for your assistance so far.

Gavin

David Hornstein Fri, 06/08/2012 - 06:35

Hi Gavin

Look closely at the following diagram. It is roughly drawn in MS Paint, but a picture is worth a thousand words.

Print the diagram below, and follow closely the story as it unfolds.

There are two hosts (PCs) connected to the SG300-10 switch in my example above:

A PC on switch port 1, IP address 192.168.1.22, in VLAN 1.

An IP host on switch port 7 with IP 10.0.3.111, in VLAN 2.

Let's say the host in VLAN 2, which I will call host2, wants to 'talk' to the host in VLAN 1, which I will call host1.

Here is a verbalized story of how host2 talks with host1.

In general, IP hosts can only talk to other IP hosts in their IP network.

But host2 wants to communicate with, or send packets to, host1.

Host2 has a default gateway, which is the IP address of VLAN 2 on the SG300-10P.

In other words it sends packets to the switch at IP address 10.0.3.101, and lets the switch decide how and where to forward the packet destined for host1.

Host1 has a default gateway, but that is the IP address of the router, 192.168.1.1.

So, when host1 tries to communicate anywhere outside its known network, it just forwards the packet to the WAN router, and the WAN router has to make a decision as to where to forward the packet.

Notice the routing table on the right side of the router.

This table shows only two entries in my example. The first entry, with just about all zeros in it, is called a default route.

This default route basically tells the router: if you don't know where to send the packet, send it out the WAN interface to the next hop of 76.0.1.223. (In other words it lets the internet or service provider make the next decision as to where to send the packet next.)

The second router route entry tells the router how to get to the 10.0.0.0/22 network.

This static route statement, keyed in manually by me, if verbalized in English tells the router the following;

  to get to the 10.0.0.0/22 network, your next hop will be 192.168.1.21 on VLAN 1.

Ah, 192.168.1.21 is the IP address of VLAN 1 on the switch.

OK, those are the rules.

So now we sort of understand some rules, so let's look at how the packets flow around this hypothetical network...

host2 wants to talk to host1.

Host2 sends a packet, which is intercepted by switch interface VLAN 2, IP address 10.0.3.101.

The switch then looks in its internal route table, and it knows where the 192.168.1.0 network is, because it has an interface directly connected to VLAN 1.

That SG300-10 switch interface has an IP address of 192.168.1.21.

OK so, the packet gets to host1 because the switch actually knows where host1 is.

But what happens when host1 wants to reply to host2?

host1 (the PC) looks in its built-in and hidden route table, but all it has is a default gateway of 192.168.1.1.

This default gateway is like the default route on the WAN router.

host1 just forwards the packets from unknown sources to its default gateway, the router.

So, host1 (192.168.1.22) responds to host2 (10.0.3.111) by sending its response to the router.

(Host1 can only assume that this traffic from 10.0.3.111 came from the router. Yeah, pretty dumb.)

The router looks up its route table, and it knows where the 10.0.3.0 network is. It looked through its route table and says to itself:

Oh, I have to forward the packet from host1 to my host at 192.168.1.21, because it knows where the 10.0.0.0 network is.

The router doesn't know that 192.168.1.21 is a switch.

The router lets that device at 192.168.1.21 worry about forwarding host1's response to host2.

That's basically the story, and it explains why the WAN router should have a static route. Most routers, even domestic routers, allow for the addition of a static route.

I hope this story helps you and others understand the packet flow. You may have to read this story a few times.

regards Dave
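Dave's packet-flow story above, worked as a small routing model. This is an added example, not code from the thread or from Cisco. It uses the addresses in Dave's diagram (host1 192.168.1.22, host2 10.0.3.111, switch VLAN interfaces 192.168.1.21 and 10.0.3.101, router 192.168.1.1, ISP next hop 76.0.1.223); the router's WAN address 76.0.1.222/24 and the 'isp' node are assumptions made so the default route has somewhere to go, and the model ignores ARP and TTL. Each hop does a longest-prefix-match lookup, which is enough to reproduce the three situations the thread goes through: host1 pointing at the router with no static route (host1's reply leaves via the default route and is lost), the router carrying Dave's static route for 10.0.0.0/22 (reply comes back through the router, one hop longer than the forward path), and host1 pointing at the switch's VLAN 1 address, which Dave suggests in his next reply.

```python
"""Packet-flow model for Dave's story: an SG300-10 in layer 3 mode with an
IP interface in each VLAN, a WAN router on VLAN 1, and one host per VLAN.

Added example, not code from the thread. Addresses follow the thread's
diagram; the router's WAN address 76.0.1.222/24 and the 'isp' node are
assumptions so the default route has a next hop. No ARP, no TTL.
"""
import ipaddress


class Node:
    """A host, switch or router with interfaces and a routing table."""

    def __init__(self, name, interfaces, static_routes=(), default_gw=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        # (network, next_hop); next_hop None means directly connected.
        self.routes = [(i.network, None) for i in self.ifaces]
        for dst, nh in static_routes:
            self.routes.append((ipaddress.ip_network(dst), ipaddress.ip_address(nh)))
        if default_gw is not None:
            self.routes.append((ipaddress.ip_network("0.0.0.0/0"),
                                ipaddress.ip_address(default_gw)))

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def on_link(self, addr):
        """True if addr sits inside one of this node's connected networks."""
        return any(addr in i.network for i in self.ifaces)

    def next_hop(self, dst):
        """Longest-prefix match. Returns the address to hand the packet to
        (dst itself for a connected route), or None when nothing matches."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def trace(nodes, src, dst, max_hops=8):
    """Names of the nodes a packet from src to dst passes through. The last
    entry is the destination's name, or 'DROP' when a node has no route or
    names a next hop that is not on one of its own links."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    current = next(n for n in nodes if n.owns(src))
    path = [current.name]
    for _ in range(max_hops):
        if current.owns(dst):
            return path
        nh = current.next_hop(dst)
        nxt = next((n for n in nodes if n.owns(nh)), None) if nh is not None else None
        if nxt is None or not current.on_link(nh):
            return path + ["DROP"]
        current = nxt
        path.append(current.name)
    return path + ["DROP"]


def build(host1_gw, router_static=()):
    """The thread's topology. host1_gw and router_static are the two knobs
    the discussion turns on."""
    return [
        Node("host1", ["192.168.1.22/24"], default_gw=host1_gw),
        Node("host2", ["10.0.3.111/22"], default_gw="10.0.3.101"),
        Node("sg300", ["192.168.1.21/24", "10.0.3.101/22"], default_gw="192.168.1.1"),
        Node("router", ["192.168.1.1/24", "76.0.1.222/24"],   # WAN address assumed
             static_routes=router_static, default_gw="76.0.1.223"),
        Node("isp", ["76.0.1.223/24"]),   # assumed; knows nothing about 10.0.0.0/22
    ]


if __name__ == "__main__":
    cases = {
        "host1 gw = router, router has no static route": build("192.168.1.1"),
        "host1 gw = router, router has 10.0.0.0/22 via 192.168.1.21":
            build("192.168.1.1", [("10.0.0.0/22", "192.168.1.21")]),
        "host1 gw = switch VLAN 1 address 192.168.1.21": build("192.168.1.21"),
    }
    for title, net in cases.items():
        print(title)
        print("  host2 -> host1:", " -> ".join(trace(net, "10.0.3.111", "192.168.1.22")))
        print("  host1 -> host2:", " -> ".join(trace(net, "192.168.1.22", "10.0.3.111")))
```

The first case is the one Gavin reported: host2 reaches host1, but host1's reply goes to the router, which hands it to the ISP. Adding the static route fixes the reply path at the cost of an asymmetric route through the router; pointing host1 at the switch keeps both directions on the switch.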

gavinstewart1971 Fri, 06/08/2012 - 08:26

Hi Dave,

This is excellent and very helpful however one more question if you dont mind.

I do not have the external router referred to in your response (nor the internet connection). I only want to make sure that bi-directional communication can be possible between Host 2 & Host 1.

Is this possible without additional equipment? It appears the Host 2 can get through to Host 1 OK but not the other way round.

Please excuse the ignorance here - I am an electrical & control engineer who doesn't dabble in IT very often (at least not to this extent anyway).

If you could clarify that would be great and thanks again for your patience.

Regards

Gavin

David Hornstein Fri, 06/08/2012 - 09:37

Hi gavin,

Still using the network diagram ;

If you make host1 default gateway, 192.168.1.21, as seen in the diagram above,   then both host1 and host2  (on the different vlan) will be able to communicate. 

note: If the process control device communicates by broadcasting traffic within the LAN, then the broadcast will not normally jump from one VLAN to the other virtual LAN (VLAN).

regards Dave

gavinstewart1971 Sat, 06/09/2012 - 07:11

Thanks Dave,

I can now communicate from one VLAN to another. I have 2 x Hosts also on VLAN1 which do not have default gateway input capability - I can ping them but it usually times out after 1 response maybe 2. Is there a way I can setup a route in the SG300-10 for these devices which will allow it to be reliably "pinged"? They are Bently Nevada Type 92 Communications Gateways.

Thanks

Gavin

David Hornstein Tue, 06/19/2012 - 10:51

Hi Gavin,

I was away for a couple of weeks.. sorry.

No need for setting up routes.. I would look elsewhere for the issue, as when you create the VLAN and associate an IP address with it, an interface route is automatically created when the VLAN becomes active (device plugged into it).

regards Dave

electjeff Wed, 06/27/2012 - 13:37

This is informative indeed!  Thank you David and Gavin.

I have a similar arrangement, except I have two SG300-28 switches.  They are linked via GB fiber port.

Switch 1 has one VLAN (VLAN1) and Switch 2 has two VLANs (VLAN2 and VLAN3).  Existing post helps me understand how to get traffic between VLAN2 and VLAN3, but am unsure how to get traffic routed between the two switches and all of the respective VLANs. There needs to be a way to route traffic between any/all 3 VLANs.  How would I best approach this arrangement?

Thanks for any help you can provide,

Jeff I

David Hornstein Thu, 06/28/2012 - 05:18

Hi Jeff,

What follows is an approach you can take.

Let me preface my discussion by stating that layer 3 switching within the 300 series is pretty simple.

You have to tell the switch how to route by manually adding static routes to tell the switch where to send packets.

The switch is smart enough to create interface routes under two conditions;

  • when you add an IP address and associate it with a VLAN, an IP interface is created
  • this interface becomes active only when at least one switchport interface is administratively up within the VLAN. When it becomes active, an interface route appears in the switch's IP route table.

phew.. them is a heap of words

OK.. so let me try to expand and explain by using the diagram from the example way above. I am connecting two layer 3 enabled SG300-10 switches together via a Cat5e or, even better, Cat6 cable.

Notice in switch two (on the right) I have assigned an IP address to the VLAN 1 interface of 192.168.1.22.

I then add static routes within each switch, telling each switch how to get to the IP networks on the other switch.

I picked VLAN 1 in my example above as all ports are untagged in VLAN 1 by default, so VLAN 1 existed on both switches.

Notice that on switch two, I added something called a default route that has a next hop of the IP address of switch 1's VLAN 1 interface.

This tells switch 2: if you don't know where to send the IP packet, send it onto VLAN 1 with a next hop of 192.168.1.21.

we may have to continue our discussion.

regards Dave

richardj@acs-tech.ca Wed, 03/20/2013 - 09:17

Hi Dave,

The explanation is great, unfortunately I cannot get either of the first two scenarios to work.

I have two Windows 7 workstations set up as the hosts, with their gateway addresses set to point to the respective VLAN address on the switch.

I have a Linksys WRVS4400N set up as the router on Port 10

The switch was originally on 1.0.0.4, and I have loaded the latest firmware 1.2.9.44, and also reset the switch to factory defaults before entering the configuration, and it still will not work.

From each host I can ping their respective VLAN address on the switch, and on VLAN 1 I can ping the router, from the workstation on that VLAN.

Both hosts show in the ARP table.

But I cannot establish communications between VLAN's in either direction.

Any Ideas, I have spent several days trying different setups with no success.

Many Thanks Richard

Tom Watts Wed, 03/20/2013 - 09:34

Hi Richard, if you are using the WRVS4400n, you need to make a trunk port on the switch with the default vlan untagged, all additional vlans tagged. On the WRVS4400n you will need to create the 2nd vlan and do the same thing, the default vlan 1 untagged, all additional vlans tagged.

If you are using the switch by itself and nothing else around, this topic answers the question.

-Tom
Please mark answered for helpful posts

richardj@acs-tech.ca Wed, 03/20/2013 - 10:48

Hi Tom,

Unfortunately still not working.

Here is what I have currently setup.

Host 1     IP address     192.168.1.100     mask     255.255.255.0     Gateway Address     192.168.1.1

     Connected to Port 1 as Trunk with Vlan 1 untagged and Vlan 2 tagged.

Host 2     IP Address      10.0.3.111          mask     255.255.252.0     Gateway Address      10.0.3.101

     Connected to Port 7 as Trunk with Vlan 2 tagged and Vlan 1 excluded.

Router     IP Address     192.168.1.1        mask     255.255.255.0     Port 1     VLAN 1     Trunk: None

     Connected to Port 10 as Trunk with Vlan 1 untagged and Vlan 2 tagged.

     Routing table in WRVS4400N:

     Destination    Mask             Gateway          Interface
     192.168.1.0    255.255.255.0    192.168.1.1      LAN
     192.168.1.0    255.255.255.0    0.0.0.0          LAN
     70.79.152.0    255.255.252.0    70.79.155.142    WAN
     70.79.152.0    255.255.252.0    0.0.0.0          WAN
     239.0.0.0      255.0.0.0        0.0.0.0          LAN
     0.0.0.0        0.0.0.0          70.79.152.1      WAN

Switch is in Layer 3 with firmware 1.2.9.44

CDP enabled

LLDP enabled

VLAN 1     default     Static     192.168.1.21     255.255.255.0     Valid

VLAN 2     Voice     Static      10.0.3.101          255.255.252.0     Valid

Static Route     Destination:     0.0.0.0/0          Next Hop Router:     192.168.1.1     Static     Metric: 1

From Host 1, I can access the internet and ping any port or device on Vlan 1

From Host 2, I can ping any port or device on Vlan 2.

Nothing else works, Host 1 cannot ping host 2

If I try and enter a static route in the router of destination 10.0.3.0/22 with gateway 192.168.1.21 it is rejected.

If I try and enter a static route in the switch of destination 10.0.3.0/22 with gateway 10.0.3.111 it is rejected (Ip mask does not cover the destination address).

I cannot find how to create Vlan2 on WRVS4400n or how to tag or untag its ports.

regards

Richard

Tom Watts Wed, 03/20/2013 - 13:03

> Hi Tom,
>
> Unfortunately still not working.
>
> Here is what I have currently setup.
>
> Host 1     IP address     192.168.1.100     mask     255.255.255.0     Gateway Address     192.168.1.1
>
>      Connected to Port 1 as Trunk with Vlan 1 untagged and Vlan 2 tagged.

This should be vlan 1 untagged

> Host 2     IP Address      10.0.3.111          mask     255.255.252.0     Gateway Address      10.0.3.101
>
>      Connected to Port 7 as Trunk with Vlan 2 tagged and Vlan 1 excluded.

This should be vlan 2 untagged

> Router     IP Address     192.168.1.1        mask     255.255.255.0     Port 1     VLAN 1     Trunk: None
>
>      Connected to Port 10 as Trunk with Vlan 1 untagged and Vlan 2 tagged.
>
>      Routing table in WRVS4400N:
>
>      Destination    Mask             Gateway          Interface
>      192.168.1.0    255.255.255.0    192.168.1.1      LAN
>      192.168.1.0    255.255.255.0    0.0.0.0          LAN
>      70.79.152.0    255.255.252.0    70.79.155.142    WAN
>      70.79.152.0    255.255.252.0    0.0.0.0          WAN
>      239.0.0.0      255.0.0.0        0.0.0.0          LAN
>      0.0.0.0        0.0.0.0          70.79.152.1      WAN

Router table on the router doesn't matter since you're trying to be local to the switch

> Switch is in Layer 3 with firmware 1.2.9.44
>
> CDP enabled
>
> LLDP enabled
>
> VLAN 1     default     Static     192.168.1.21     255.255.255.0     Valid
>
> VLAN 2     Voice     Static      10.0.3.101          255.255.252.0     Valid
>
> Static Route     Destination:     0.0.0.0/0          Next Hop Router:     192.168.1.1     Static     Metric: 1

This is fine

> From Host 1, I can access the internet and ping any port or device on Vlan 1
>
> From Host 2, I can ping any port or device on Vlan 2.

Host 2, you won't access the internet until you get the router sorted out

> Nothing else works, Host 1 cannot ping host 2
>
> If I try and enter a static route in the router of destination 10.0.3.0/22 with gateway 192.168.1.21 it is rejected.
>
> If I try and enter a static route in the switch of destination 10.0.3.0/22 with gateway 10.0.3.111 it is rejected (Ip mask does not cover the destination address).
>
> I cannot find how to create Vlan2 on WRVS4400n or how to tag or untag its ports.

-Tom
Please mark answered for helpful posts

richardj@acs-tech.ca Wed, 03/20/2013 - 18:28

Hi Tom,

I tried the setup you recommended without the router, but no inter VLAN communications in either direction.

However, in digging deeper I discovered that the switch interprets the VLAN 2 address of 10.0.3.101, irrespective of the subnet mask, as belonging to network 10.0.0.0.

This can be seen when you do: show ip route

Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
C 10.0.0.0/22 is directly connected, vlan 2
C 192.168.1.0/24 is directly connected, vlan 1

If I connect my router as shown earlier, and enter an additional route using 10.0.0.0 as the destination address using gateway 192.168.1.21, I can get most of the communications working, ie;

Host 1 to Vlan1 works

Host 1 to Internet works

Host 1 to Host 2 fails

Host 2 to Vlan 2 works

Host 2 to Internet works

Host 2 to Host 1 works

Note; The router is an older Linksys WRVS4400n and the firmware is different to the Cisco model.

 

If I insert a second router on Vlan 2 and enter a static route to it on the switch, I can communicate from Vlan 1 to the second router, but that defeats the purpose of a layer 3 switch, and uses up an additional port that I need.

It really is beginning to appear that this SG300 switch is not operating correctly.

regards

Richard

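Richard's `show ip route` output and the rejected `10.0.3.0/22` static route both come down to subnet arithmetic. The following is an added example, not code from the thread or from Cisco; it reproduces the calculation with Python's standard `ipaddress` module, using only addresses that appear in the thread. The VLAN 2 address 10.0.3.101 with mask 255.255.252.0 lives in 10.0.0.0/22, which is exactly what the switch prints as its connected route. A static route destination has to be a network address, so `validate_static_destination` mimics the "mask does not cover the destination" check: 10.0.3.0 has host bits set under a /22 and is rejected, 10.0.0.0/22 (the form Richard later entered on the router) is accepted, and 10.0.3.0 is only a valid destination under a /24.

```python
"""Address arithmetic behind Richard's observation: an interface configured
as 10.0.3.101 / 255.255.252.0 yields the connected route 'C 10.0.0.0/22', and
a static route entered as 10.0.3.0/22 is rejected because 10.0.3.0 is not the
network address of any /22.

Added example, not code from the thread; standard library only.
"""
import ipaddress


def network_of(address, mask):
    """Connected network for an interface address: address AND mask.
    mask may be dotted (255.255.252.0) or a prefix length (22)."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def validate_static_destination(destination):
    """Mimic the switch's check on a static route destination: host bits
    must be zero under the prefix. Returns (accepted, canonical_network);
    when rejected, canonical_network is what the entry should have been."""
    try:
        return True, str(ipaddress.ip_network(destination))   # strict=True
    except ValueError:
        return False, str(ipaddress.ip_network(destination, strict=False))


def same_subnet(a, b, mask):
    """A host and its default gateway must land in the same network."""
    return network_of(a, mask) == network_of(b, mask)


def usable_range(network):
    """First and last usable host addresses of a network, as strings."""
    net = ipaddress.ip_network(network)
    return str(net[1]), str(net[-2])


if __name__ == "__main__":
    print("VLAN 2 interface 10.0.3.101/255.255.252.0 lies in",
          network_of("10.0.3.101", "255.255.252.0"))
    for dest in ("10.0.3.0/22", "10.0.0.0/22", "10.0.3.0/24"):
        ok, canon = validate_static_destination(dest)
        print(f"static route to {dest}: "
              f"{'accepted' if ok else 'rejected, network address is ' + canon}")
    print("10.0.0.0/22 covers", *usable_range("10.0.0.0/22"))
    print("host2 10.0.3.111 and gateway 10.0.3.101 share a /22:",
          same_subnet("10.0.3.111", "10.0.3.101", "255.255.252.0"))
```

Richard's attempt to add the same 10.0.3.0/22 destination on the switch itself quotes the same message and fails for the same reason; separately, a static route for a network the switch already has as a connected route would add nothing even if it were accepted.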
Tom Watts Wed, 03/20/2013 - 18:33

Hi Richard, this is more complicated than it should be.

There is a very small requirement for this to work.

The requirements are

  • Switch in layer 3 mode
  • More than 1 vlan created
  • An IP address assigned to the vlan
  • At least 1 port assigned and connected within the desired vlan

These are the only requirements for inter-VLAN communication for the switch to function. If you have a computer connected to VLAN 2, the IP address of that computer should be in the same subnet as the VLAN 2 interface, and the default gateway should be that of the VLAN 2 IP address/netmask.

If it does not work it is because of an external factor such as a Firewall or misconfiguration of a network card or something of this nature.

-Tom
Please mark answered for helpful posts

hwcoxjr1208 Fri, 11/29/2013 - 11:19

I've tried (or think I have tried) everything in this chain and I'm still having problems.  Below is a conceptual drawing of what I have right now.

The Cisco 300-10 acting as a core switch is in L3 mode. It serves as my DHCP server and sets itself as the default gateway (192.168.2.11) for all clients on VLAN1. It also is the default gateway through the 192.168.4.11 address for all devices on VLAN10. As you can hopefully tell, I have devices from both VLANs attached to all three switches. I am trying to get the Cisco 300 to do all internal VLAN routing for me. I have VLAN10 created on the Cisco 300 and it sees it as a local interface in the routing table. I have one static route set up in the routing table, to send 0.0.0.0 to the RV042G router out to the internet.

The reason I am trying to do this is because the RV042G does not handle VLANs in the traditional sense at all. So I'm trying the Cisco 300 as an inter-VLAN router. I think my real problem is that I have the RV042G and the default VLAN on the Cisco 300 both on the 192.168.2.xx subnet.

So what I think I need to do is put the RV042G on another subnet (192.168.1.x) and leave it on VLAN1. Then on the Cisco 300 make the default VLAN something else (9, let's say) and move all the VLAN1 ports to the new VLAN 9, except for the port that is plugged into the router. Then assign 192.168.1.2 to VLAN1, which is only available on the port attached to the RV042G, and put the default route 0.0.0.0's next hop as 192.168.1.2.

Does that sound right?  Or am I way over thinking this?

thewesdude Sat, 11/30/2013 - 02:57

1)

turn off vlan 1.

if not possible, do not put an IP on it.

2)

make your management vlan 10

give it a say 10.5.10.0 /24

all your switches/router need an ip for management

3)

make a user vlan, call it 20

give it a say 10.5.20.0 /24

this is for host computers, users

4)

make a wireless vlan, call it 30

give it a say 10.5.30.0 /24

this is for "guest" users, put an acl that goes like:

permit ip 10.5.30.0 255.255.255.0 10.5.30.0 255.255.255.0

deny ip 10.5.30.0 255.255.255.0 10.0.0.0 255.0.0.0

permit any any

this allows wireless to talk to wireless

then blocks to all internal addresses

then permits all traffic

5)

make a video vlan, call it 40

give it a say 10.5.40.0 /24

this is for your wireless cameras and video server

6)

make a server vlan, call it 50

give it say 10.5.50.0 /24

this is where your other servers like file sharing and such go

7)

on your trunk ports, permit the vlans you want.  based on the diagram i see:

rv042g to 300-10 permit all vlans

300-10 to 302-08 permit 20 and 40

300-10 to sr208 permit 20 and 40

and then have the rv042 do all inter-vlan routing

or else you can have the 300-10 do the inter-vlan routing

this will allow you to add a "guest" wireless to your network

without compromising your network, just add it where you want

and throw the ports into that vlan.  just remember to NOT give

the wireless access points vlan 10 IPs, give them vlan 30 IPs

hwcoxjr1208 Sat, 11/30/2013 - 10:15

Thanks for the quick answer.  I was on the phone with Cisco support last night and they had me go to just vlan 1 (default) and vlan 10 (security).  So I'm back to where I was in the earlier drawing.  I'm not sure what you mean by not having an IP address assigned to vlan1.  Don't I have to have one to specify the next hop?  At this point, all I think I need are the two VLANs: the security camera vlan (10) and the default vlan (1).  I would like to get this working with those first.

Below are what I think are the relevant excerpts from my running-config

SW11#show running-config
config-file-header
SW11
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router

vlan database
vlan 10
exit
ip arp inspection vlan 1
ip arp inspection vlan 10
no ip arp proxy disable
ip dhcp pool network Security
address low 192.168.4.100 high 192.168.4.149 255.255.255.0
default-router 192.168.4.11
time-server 192.168.2.94
exit
ip dhcp pool network prod
address low 192.168.2.100 high 192.168.2.149 255.255.255.0
domain-name us.fs.com
default-router 192.168.2.11
time-server 192.168.2.94
dns-server 192.168.2.94
netbios-name-server 192.168.2.94
exit
ip access-list extended AllowAny
permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
exit
hostname SW11
!
interface vlan 1
ip address 192.168.2.11 255.255.255.0
no ip address dhcp
service-acl input AllowAny default-action permit-any
!
interface vlan 10
name Security
ip address 192.168.4.11 255.255.255.0
service-acl input AllowAny default-action permit-any
!
interface gigabitethernet1
switchport mode access
!
interface gigabitethernet2
switchport mode access
!
interface gigabitethernet3
switchport mode access
!
interface gigabitethernet4
switchport trunk allowed vlan add 10
!
interface gigabitethernet5
switchport trunk allowed vlan add 10
!
interface gigabitethernet6
switchport trunk allowed vlan add 10
!
interface gigabitethernet7
switchport mode access
switchport access vlan 10
!
interface gigabitethernet8
switchport trunk allowed vlan add 10
!
interface gigabitethernet9
switchport trunk allowed vlan add 10
!
interface gigabitethernet10
switchport trunk allowed vlan add 10
!
exit
ip default-gateway 192.168.2.1
SW11#

Thanks

Tom Watts Sat, 11/30/2013 - 16:30

Hi Chip, if you got time Sunday night (after 7pm EST)  or Monday/Tuesday the same time, after 7pm EST, let's take a look. I also do not work Wednesday-Friday and I wouldn't mind to volunteer the time to get you working as desired.

If you'd like to take me up, send an email to tmw0402@hotmail.com

-Tom
Please mark answered for helpful posts

thewesdude Sun, 12/01/2013 - 12:00

ok, for this to work, you create a vlan 10 on the RV042G, set it to ip 10.5.10.1, and set that as the default vlan

my assumptions:

gi1: unused, changing over to hot plugin for management with dhcp.  setup so you can plug in a computer, get dhcp ip in your management vlan to configure/manage anything

gi2: uplink trunk port to your edge device the RV

gi3: unused

gi4: server directly connected

gi5: server directly connected

gi6: server directly connected

gi7: video server

gi8: unused

gi9: downlink trunk port to 302-08 with users, video, adding guest/wireless, assuming it is vlan capable, needs IP on its management vlan interface, possibly 10.5.10.3

gi10: downlink trunk port to SRW2008 with users, video, adding guest/wireless, assuming it is vlan capable, needs ip on its management vlan interface, possibly 10.5.10.4

1) i am adding in the NTP configuration i use for my switch, which syncs with NIST's servers. they work on a round-robin setup and ask that you use their DNS record rather than an IP for load balancing, so i configured google DNS.  you can now point all your devices at this device to pull their NTP/time information

2) vlans are all configured to use google's DNS servers, you can change the IPs to your ISPs DNS if you want, keep in mind that google DNS is a Class A DNS server which means they get updates fast, and provide public access to users at large which is rare for Class A DNS owners.  Most ISPs with Class A DNS servers just use them as reflectors for B and C DNS.

3) as far as i know, we cannot apply ACLs to vlan interfaces, so i applied the guest/wireless vlan to the trunk ports that will allow guest/wireless to talk to each other, then blocks it to all private space, with a closing permit any any to allow connected devices to hit the internet but not allow it to hit your internal network.  you can change that to meet your needs.

4) you will have to create the vlans on the devices, and it makes it really easy to add wireless/guest ports.  just put one of those ports into vlan 30, connect your AP, make sure DHCP is disabled, and it will pass DHCP requests to your device although you may need to configure the IP on them.  you can assign 10.5.30.2-99 to your APs and your hosts will pull an ip 101-200.

SW11#show running-config
config-file-header
SW11
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
spanning-tree mode mst
default-vlan vlan 10
exit
vlan database
vlan 1,20,30,40,50
exit
ip arp inspection vlan 10
no ip arp proxy disable
ip dhcp server
ip dhcp pool network Management
address low 10.5.10.50 high 10.5.10.55 255.255.255.0
default-router 10.5.10.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Users
address low 10.5.20.10 high 10.5.20.200 255.255.255.0
default-router 10.5.20.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Wireless_Guest
address low 10.5.30.100 high 10.5.30.200 255.255.255.0
default-router 10.5.30.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Video
address low 10.5.40.10 high 10.5.40.200 255.255.255.0
default-router 10.5.40.1
dns-server 8.8.8.8 8.8.4.4
exit
ip dhcp pool network Servers
address low 10.5.50.10 high 10.5.50.200 255.255.255.0
default-router 10.5.50.1
dns-server 8.8.8.8 8.8.4.4
exit
hostname SW11
ip access-list extended Guest_Wireless_30
permit ip 10.5.30.0 0.0.0.255 10.5.30.0 0.0.0.255
deny ip 10.5.30.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.5.30.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.5.30.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
clock timezone " " -5
clock summer-time web recurring usa
sntp anycast client enable ipv4
sntp broadcast client enable ipv4
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server time.nist.gov poll
ip name-server 8.8.8.8 8.8.4.4
!
interface vlan 1
no ip address
no ip address dhcp
service-acl input AllowAny default-action permit-any
!
interface vlan 10
name Management
ip address 10.5.10.2 255.255.255.0
!
interface vlan 20
name Users
ip address 10.5.20.1 255.255.255.0
!
interface vlan 30
name Wireless_Guest
ip address 10.5.30.1 255.255.255.0
!
interface vlan 40
name Video
ip address 10.5.40.1 255.255.255.0
!
interface vlan 50
name Servers
ip address 10.5.50.1 255.255.255.0
!
interface gigabitethernet1
description Hot_MGMT
switchport mode access
switchport access vlan 10
!
interface gigabitethernet2
description Uplink_RV042G
switchport trunk allowed vlan add 10,20,30,40
shutdown
!
interface gigabitethernet3
description EMPTY
switchport mode access
shutdown
!
interface gigabitethernet4
description Downlink_Server#1
switchport mode access
switchport access vlan 50
!
interface gigabitethernet5
description Downlink_Server#2
switchport mode access
switchport access vlan 50
!
interface gigabitethernet6
description Downlink_Server#3
switchport mode access
switchport access vlan 50
!
interface gigabitethernet7
description Video_Server
switchport mode access
switchport access vlan 40
!
interface gigabitethernet8
description EMPTY
switchport mode access
shutdown
!
interface gigabitethernet9
description Downlink_302-08
switchport trunk allowed vlan add 10,20,30,40
ip access-list extended Guest_Wireless_30
!
interface gigabitethernet10
description Downlink_SRW2008
switchport trunk allowed vlan add 10,20,30,40
ip access-list extended Guest_Wireless_30
!
exit
ip default-gateway 10.5.10.1
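The guest-VLAN ACL proposed twice above (first sketched with subnet masks, then written with Cisco wildcard masks in the running-config as `Guest_Wireless_30`) is evaluated first-match, top to bottom, with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco, that parses the ACL text exactly as posted and runs constructed sample flows through it so the effect of each rule can be checked offline. `mask_to_wildcard` converts the subnet-mask form of the earlier sketch into the wildcard form the config uses. Note one detail of the posted config that this code does not settle: the first running-config on this page binds an ACL to an interface with `service-acl input ...`, while the second repeats the `ip access-list extended Guest_Wireless_30` line under the two trunk interfaces; whatever binding form the platform accepts, the evaluation below is what the rules express.

```python
"""First-match evaluation of the Guest_Wireless_30 ACL from the thread,
using Cisco wildcard masks (a 1 bit means "don't care").

Added example, not code from the thread or from Cisco. GUEST_ACL is copied
from the posted running-config; the sample flows are constructed here.
"""
import ipaddress

GUEST_ACL = """
permit ip 10.5.30.0 0.0.0.255 10.5.30.0 0.0.0.255
deny ip 10.5.30.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.5.30.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.5.30.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
"""


def _int(addr):
    return int(ipaddress.ip_address(addr))


def mask_to_wildcard(subnet_mask):
    """255.255.255.0 -> 0.0.0.255: a wildcard is the bitwise inverse of a mask."""
    return str(ipaddress.ip_address(_int(subnet_mask) ^ 0xFFFFFFFF))


def wildcard_match(addr, base, wildcard):
    """Compare only the bits the wildcard does not mark as don't-care."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines, where each side is either
    'any' or '<base> <wildcard>'. Returns [(action, (sb, sw), (db, dw)), ...]."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        pos, ends = 2, []
        for _ in range(2):                       # source, then destination
            if parts[pos] == "any":
                ends.append(("0.0.0.0", "255.255.255.255"))
                pos += 1
            else:
                ends.append((parts[pos], parts[pos + 1]))
                pos += 2
        rules.append((parts[0], ends[0], ends[1]))
    return rules


def evaluate(rules, src, dst):
    """The first matching rule decides; no match means the implicit deny."""
    for action, (sb, sw), (db, dw) in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(GUEST_ACL)
    # Constructed flows: guest to guest, guest to the server VLAN, guest to the
    # old 192.168.2.0/24 network, guest to a public DNS server, user to server.
    for src, dst in [("10.5.30.120", "10.5.30.50"), ("10.5.30.120", "10.5.50.10"),
                     ("10.5.30.120", "192.168.2.11"), ("10.5.30.120", "8.8.8.8"),
                     ("10.5.20.15", "10.5.50.10")]:
        print(f"{src:>13} -> {dst:<14} {evaluate(rules, src, dst)}")
    print("255.255.255.0 written as a wildcard:", mask_to_wildcard("255.255.255.0"))
```

Two things the run makes visible: because the guest-to-guest permit comes first, guests can still reach their own gateway 10.5.30.1 even though the next line denies all of 10.0.0.0/8 (which also covers the management VLAN 10.5.10.0/24); and because the ACL is applied to trunk ports that also carry the user and video VLANs, non-guest traffic falls through every 10.5.30.0 rule to `permit ip any any`, so the ACL constrains only the guest subnet. The closing permit means guests can reach any public address, which is what the post intends.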

