
All Vlan traffic to Proxy Server Interface

aamirshafiq
Level 1

Hi!

I need a little bit of help to route all VLAN traffic to a proxy server.

I have different VLANs on 200-26 L2 switches and am using a 300-28 at L3 for routing.

I have already created the VLANs and am able to route them, but I am facing a problem routing the traffic to the proxy interface for internet access.

I have different VLANs, e.g. VLAN 10, 10.10.10.0/24 Sales; VLAN 20, 10.10.20.0/24 Marketing. I have trunk interfaces between the switches, and 1U default is the same on all switches.

My proxy server has two NICs: one is attached to my DSL modem, and the other one, attached to a switch port, is using IP address 192.168.0.2 in the default VLAN 1.

I am able to surf the internet using VLAN 1 but not on the other VLANs.

I have set the default route on the switch to 192.168.0.2, but internet traffic is not being routed for the other VLANs.

Thanks


11 Replies

cchamorr
Level 5

Hello, 

I'm very positive you can do this configuration.

Here are all the steps, check them and see if you have done them all.

1- You should create all the VLANs on the SG300 and add static IP addresses to all of them.

2- If possible you should use the SG300 to provide DHCP for all VLANs. To do this you will need to be running the latest firmware and boot code (firmware 1.4 and boot code 1.3).

3- All the devices on all the VLANs will need to use the IP address of the switch on their respective VLAN as the default gateway.

4- Create a default route on the switch pointing the traffic to the IP address of the proxy server.

5- Lastly (and I don't know if this is possible on the proxy server), you will need to create static routes for all the VLANs back to the switch. For instance, create rules pointing all traffic going to 10.10.10.x/24 to the IP address of the switch on VLAN 1 (192.168.0.?). Do this same exact rule for all other VLANs on the switch.

I hope this is helpful.

Hi!

Thanks for your comments.

1. I have not updated the firmware yet; I have the default. Will I have to update from the following files?

https://software.cisco.com/download/release.html?mdfid=283019617&release=1.0.0.27&softwareid=282463181

2. It only supports 8 DHCP pools. I already have pools, but I have more than 8 VLANs. I have set all the parameters, and it is working fine.

3. For the proxy server, I have to figure out how to point the VLAN routes back to the corresponding VLAN static address on the switch. I am a little bit confused about this.

Maybe someone can add more comments here.

Hello, 

To answer your questions:

1- Will I have to update from the following files?

https://software.cisco.com/download/release.html?mdfid=283019617&release=1.0.0.27&softwareid=282463181

Yes, please let me know what firmware and boot code you have right now and I will tell you the best path for you to upgrade, since you shouldn't go straight to the latest firmware unless you are already running 1.3.5.58 or later.

2- It only supports 8 DHCP pools. I already have pools, but I have more than 8 VLANs. I have set all the parameters, and it is working fine.

You are right, and I forgot to mention the limitation of only 8 DHCP pools, I'm sorry. That being said, make sure that your current DHCP server is using the IP addresses assigned to every VLAN on the switch as the default gateway for the respective VLANs.

3- For the proxy server, I have to figure out how to point the VLAN routes back to the corresponding VLAN static address on the switch. I am a little bit confused about this.

I understand this can be confusing; let me see if I can explain it a little better.

Assuming that everything on the switch is configured as per my recommendations, then:

1- You need a single default route on the switch, so that when a PC connected to any of the VLANs on it tries to go online, to an IP address unknown to the switch, the switch will send it to the IP address of the router, because the proxy server will be able to reach that unknown, public IP address to reach any website.

2- When the traffic comes back from that website, it will be destined to a different subnet than the one the proxy server is on. Let's pretend the response is looking for 10.10.10.100 (a subnet unknown to the proxy server); without a static route on the proxy server telling it where to send that traffic, the packets will just get dropped.

3- You will have to create the same number of static routes on the proxy server as the number of VLANs you have on your network.

At the moment I know that the proxy server is at 192.168.0.2 on VLAN 1, but I don't know what the IP address of the switch is on the same VLAN; it should be something in the 192.168.0.x range.

All your routes should look like this:

10.10.10.1 255.255.255.0 send it to 192.168.0.x (IP address of the switch on VLAN 1)

10.10.20.1 255.255.255.0 send it to 192.168.0.x (IP address of the switch on VLAN 1)

Alternatively, if all your internal VLANs are in the 10.10.x.x range, then you should be able to create a single rule to summarize all the VLANs like this:

10.10.1.1 255.255.0.0 send it to 192.168.0.x (IP address of the switch on VLAN 1)

Please let me know if this was a little bit clearer.

Do not hesitate to ask any questions.

Hi!

Thanks for your detailed reply.

1. My 300-28 L3 switch (SRW2024-K9 V02) firmware is:

Firmware Version (Active Image): 1.3.0.62
Boot Version:  1.1.0.6

The other 9 switches in the lab are 200-26 (SLM2024T V02):

Firmware Version (Active Image): 1.3.0.62
Boot Version:  1.1.0.6

2. As per your description, I am going to test/implement the proxy settings; I will update here.

Thank you for your reply.

In regards to the SG300, here is the download link:

https://software.cisco.com/download/release.html?mdfid=283019617&softwareid=282463181&release=1.4.0.88&relind=AVAILABLE&rellifecycle=&reltype=latest

You will need to upgrade to 1.3.5.58, which will also require you to upgrade the boot code (the rfb file inside the zip). To upgrade the boot code you will need a TFTP server. Check this document for instructions on upgrading the firmware and boot code:

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=08ef98be59904ccc9c4d69a657f5550f_Firmware_Upgrade_via_TFTP_on_200_Series_Switches.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search

After you are done upgrading the firmware as well as the boot code to 1.3.5, you can then upgrade to 1.4.0.88 (firmware only, no boot code).

The same exact recommendations and procedures apply for the SG200-26.

Here is the link to the firmware download page for this device:

https://software.cisco.com/download/release.html?mdfid=283771818&softwareid=282463182&release=1.4.0.88&relind=AVAILABLE&rellifecycle=&reltype=latest

Please keep us posted.

Hi!

Many thanks, I appreciate your help.

I am going to update my switches later today, and then do what I have to do next to make the ACLs. Hopefully I will manage that; in case of any problem I will get back to you.

VLANs are now able to access the internet through the proxy. Thanks for your help; below is just a quick overview.

- We have 12 switches: 200-26 series and 300-28 L3 series.

- We have almost 12 VLANs, e.g.

Sales 10.10.10.0/24 (switch port (GW for clients) 10.10.10.1/24)

Marketing 10.10.20.0/24 (switch port (GW for clients) 10.10.20.1/24)

- All switch-to-switch connected ports are trunks to carry multiple VLANs, e.g. 1U, 10T, 20T.

- Default route on the switch set to 192.168.4.2 (proxy IP).

- All VLANs are able to ping each other. Now the final step is to route them to the internet through the proxy server.

- What I have done so far:

  1. Created a new VLAN with 192.168.4.0 (switch IP: 192.168.4.1).

  2. The proxy's first LAN card (eth0) is attached to the ADSL modem (192.168.0.5). (The proxy is running CentOS 6.5/squid/dansguardian.)

  3. The proxy's second LAN card (eth1) has IP address 192.168.4.2 (attached to a switch port in VLAN 4, 4U trunk port).

  4. I already have a rule in iptables to route my port 80 traffic to my squid port 3128, and the default route to my second LAN address.

  5. I have added another route, i.e. 10.10.0.0 255.255.0.0 GW 192.168.4.1 (pointing back to the switch port). This can also be done in GUI mode in the IP settings.

  6. Finally, my route table on the proxy (route -n) looks like:

192.168.4.0     0.0.0.0         255.255.255.0   U     1      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
10.10.0.0       192.168.4.1     255.255.0.0     UG    1      0        0 eth1
0.0.0.0         192.168.0.5     0.0.0.0         UG    0      0        0 eth0

Have a nice day!
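To make cchamorr's point about return traffic (reply above: without a static route back, replies to 10.10.10.100 are lost) concrete against the route -n table in the overview post, here is an added example that is not code from the thread. It parses a constructed copy of that table, does the same longest-prefix match the kernel does, and shows where a reply to a VLAN client goes with and without the 10.10.0.0/16 route; the switch address 192.168.4.1 and interface eth1 are taken from the post.

```python
import ipaddress

# Constructed copy of the proxy's `route -n` table from the overview post
# (columns: Destination Gateway Genmask Flags Metric Ref Use Iface).
ROUTE_N_OUTPUT = """\
192.168.4.0     0.0.0.0         255.255.255.0   U     1      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
10.10.0.0       192.168.4.1     255.255.0.0     UG    1      0        0 eth1
0.0.0.0         192.168.0.5     0.0.0.0         UG    0      0        0 eth0
"""

SWITCH_VLAN4_IP = "192.168.4.1"   # switch side of the proxy VLAN (from the post)
INSIDE_IFACE = "eth1"             # proxy NIC facing the switch (from the post)


def parse_route_n(text):
    """Turn `route -n` rows into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # skip the header lines and blanks
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, iface))
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match, as the kernel does it: (gateway, iface) or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return None if best is None else (best[1], best[2])


def without_route(routes, cidr):
    """Same table minus one prefix, to show what the missing return route costs."""
    return [r for r in routes if r[0] != ipaddress.ip_network(cidr)]


def return_path_ok(routes, client_ip):
    """A reply to a VLAN client must go back to the switch on the inside NIC,
    not out the default route towards the modem."""
    return lookup(routes, client_ip) == (SWITCH_VLAN4_IP, INSIDE_IFACE)


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for client in ("10.10.10.100", "10.10.20.50"):
        print(client, "with return route:", lookup(table, client),
              "| without:", lookup(without_route(table, "10.10.0.0/16"), client))
```

Without the 10.10.0.0/16 entry, replies to any VLAN client fall through to the default route and leave via eth0 towards the modem, which is exactly the drop cchamorr described.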

 

 

Hello,

This is absolutely incredible. You seem to have a very extensive setup and it appears to be working very well.

Thank you so much for the very complete reply, I'm sure all that information will be very helpful to several other users with similar setup.

Thank you for marking the answer as correct, I'm very glad my suggestion worked for you.

 

Hi!

I would like to know another thing, please.

With the above scenario in mind, is it possible to route one VLAN directly to the internet, bypassing the proxy server?

1. Is it possible to route some of the VLANs' internet traffic to another specific interface?

For example, I want to route the VLAN 10 (10.10.10.0/24) (switch VLAN IP 10.10.10.1) internet traffic bypassing the proxy. For that I can make another VLAN 5 (192.168.0.0/24), switch port 192.168.0.1 and modem port 192.168.0.2.

Or is there any other possibility?

Thanks and regards,

Hello, 

I'm sorry, but I don't think this is possible.

Remember that for the switch to be able to send the VLANs to the internet, we had to create a default route pointing to the proxy server; this is needed so that when you are going to an unknown address outside of the switch's scope (www.yahoo.com or www.google.com), all of that traffic will go to the proxy server.

You can only have a single default route.

With this in mind, you can definitely create a new VLAN and static routes to a destination other than the proxy, but since your default route is pointing to the proxy, the new VLAN will not be able to go online, as all the packets with unknown destinations (like www.yahoo.com or www.google.com) will be forwarded to the proxy server and discarded if you don't have a route back.

I hope this helps.

Hi!

Well, thanks, I got it.

Then what do you suggest in this scenario? I have three 300-28 series switches; one of them is running in L3 mode connecting the VLANs, and the rest of the switches are 200-26 series.

I already have an ADSL connection sharing internet through the proxy, and we intend to get a new dedicated fiber optic line.

I want to use both of the internet connections.

Best Regards,

Hello, 

With the provided information I can think of two options:

1- Put another one of your SG300 switches in layer 3 mode and use it as the router for only the VLAN you are trying to get out through the other internet connection.

2- Get an RV320 Dual WAN VPN router; that way you can connect both ISPs to it and let it do all the routing for your network. You can also bind VLANs to a specific WAN port.

Please let me know if you have any more questions.