06-07-2014 02:09 PM - edited 03-07-2019 07:39 PM
Greetings!
Well, I’ve been tossed into the fire and have spent the past few days reviewing these and other forums. Even though I am well beyond my comfort level, some progress has been made, and there is probably a tiny piece that is preventing me from completing my task.
First, the goal is to use an SG300-20 to allow a Windows computer on either VLAN 1 or VLAN 22 to communicate with proprietary devices on VLANs 21 and 22, all numbered after the third octet of their IP address. (Eventually, on each VLAN will be a consumer router that will have multiple devices.) These devices use UDP ports 50500 and 50501 and TCP port 50502.
So I have created VLANs 21 and 22 on the “Create VLAN” page and set their IP address on the “IPv4 Interface” page to
VLAN 1 to 192.168.13.123/24
VLAN 21 to 192.168.21.1/24
VLAN 22 to 192.168.22.2/24
Next I have attempted to assign Port VLAN Membership which is probably where my problem is. (I’ve even locked myself out of the switch a few times requiring a reboot.) My current Port VLAN Membership table has these relevant entries:
GE1 [device on VLAN 21] is GENERAL mode, 1T, 21UP
GE2 [device on VLAN 22] is GENERAL mode, 1T, 22UP
GE4 [computer on VLAN 22] is GENERAL mode, 1T, 22UP
GE6 [computer on VLAN 1] is TRUNK mode, 1UP, 21T, 22T
GE19 [router on VLAN 1] is TRUNK mode, 1UP
“show vlan tag” indicates (condensed):
Vlan  Name  Ports                 Type       Authorization
----  ----  --------------------  ---------  -------------
1     1     gi1-20,Po1-8          Default    Required
21    21    gi1,gi6               permanent  Required
22    22    gi2,gi4,gi6           permanent  Required
“show interfaces switchport ge 1” returns (and GE2 returns the same except for referencing VLAN 22):
Port : gi1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 21
Port is member in:
Vlan  Name  Egress rule  Port Membership Type
----  ----  -----------  --------------------
1     1     Tagged       System
21    21    Untagged     Static
(Forbidden VLANS and Classification rules were blank and deleted for brevity.)
“show interfaces switchport ge 6” returns
Port : gi6
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan  Name  Egress rule  Port Membership Type
----  ----  -----------  --------------------
1     1     Untagged     System
21    21    Tagged       Static
22    22    Tagged       Static
(Again, forbidden VLANS and Classification rules were blank and deleted for brevity.)
I'm thinking that my error must be in either the gateways or the Port VLAN Membership with regards to tagging or PVID, but I'm not sure. I have tried many combinations and learned how to reboot the switch from the console communications port very well. (Thankfully it reboots in the last known good state.)
In fact, in some combinations, the computer and devices can see UDP broadcast packets but not respond back to a specific IP address.
If anyone could offer any tips or suggestions as to where I might have gone astray or something that I have not encountered, I would be most appreciative.
Naturally, if the SG300-20 is not capable of this, or additional hardware is required, then recommendations are requested.
Also, I have tried to format my query for clarity and hope I provided everything that is needed. Naturally, if I am missing something here, please do not hesitate to ask for further information.
DG
06-08-2014 11:44 AM
Well, you have me kinda stumped here.
I am assuming that Gi0 simply means Gigabit #0 and that higher end Cisco products might have more than one "channel" or pathway for data.
As for the bases doing any pinging, there is no such capability. I have no clue how to proceed on that instruction.
Stay tuned. I am trying all of the modes of Port VLAN Membership and am documenting my results.
06-08-2014 02:24 PM
Okay, after a bit, no, make that A LOT of stumbling around...
I have found the combination that works!!!
First, the mode of all of the ports / interfaces is set to GENERAL Mode.
Secondly, the shared VLANs must be joined via Untagged Packets.
There seems to be one condition: created VLANs cannot join the default VLAN 1 as untagged.
If the computer is on a created VLAN (21, 22 or 23), the software could communicate with all of the base devices.
If the computer is on the default VLAN 1, the software could not communicate with any of the bases, which I presume is due to the inability for a VLAN to join VLAN 1 as untagged.
Does this make any sense ?
At least, at this point, the proof-of-concept is done.
DG
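To make the two membership tables in this thread (the first post's 1T/21UP/22UP layout and the all-General, all-Untagged layout that ended up working) easier to reason about, here is a small 802.1Q ingress/egress model. It is an added example, not Cisco's code or the poster's configuration: it models only PVID classification on ingress and per-VLAN tagged/untagged egress (no routing, no MAC learning, no GVRP). The port names for the working table and the assumption that each device port keeps its own VLAN as PVID are mine, based on the posts.

```python
"""Toy 802.1Q port-membership model for the SG300 tables discussed in this thread.
Added example, not Cisco code.  Models PVID classification on ingress and
tagged/untagged egress per VLAN membership only; routing is out of scope."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port sends out untagged
    tagged: set = field(default_factory=set)    # VLANs this port sends out 802.1Q-tagged

    def classify(self, tag):
        """Ingress: untagged frames get the PVID; tagged frames keep their VID only
        if the port is a member of that VLAN (ingress filtering), else they drop."""
        if tag is None:
            return self.pvid
        return tag if (tag in self.untagged or tag in self.tagged) else None

    def egress(self, vid):
        """Egress: 'untagged', 'tagged', or None when the port is not a member."""
        if vid in self.untagged:
            return "untagged"
        if vid in self.tagged:
            return "tagged"
        return None


def flood(ports, ingress, tag=None):
    """Flood one broadcast frame entering `ingress` (optionally 802.1Q-tagged)
    and report how it leaves every other member port."""
    vid = ports[ingress].classify(tag)
    if vid is None:
        return {}
    out = {}
    for name, port in ports.items():
        if name == ingress:
            continue
        how = port.egress(vid)
        if how:
            out[name] = how
    return out


def plain_nic_reach(ports, ingress):
    """Ports where a host with a non-VLAN-aware NIC would actually see the
    broadcast: only untagged egress counts, a plain NIC discards tagged frames."""
    return sorted(n for n, how in flood(ports, ingress).items() if how == "untagged")


def table(*ports):
    return {p.name: p for p in ports}


# First post's table (1T = VLAN 1 tagged, 21UP = VLAN 21 untagged and PVID).
ORIGINAL = table(
    Port("GE1", 21, untagged={21}, tagged={1}),        # device on VLAN 21
    Port("GE2", 22, untagged={22}, tagged={1}),        # device on VLAN 22
    Port("GE4", 22, untagged={22}, tagged={1}),        # computer on VLAN 22
    Port("GE6", 1, untagged={1}, tagged={21, 22}),     # computer on VLAN 1 (trunk)
    Port("GE19", 1, untagged={1}),                     # router on VLAN 1 (trunk)
)

# Assumed layout of the configuration that later worked: every port General,
# VLANs 21/22/23 untagged on all shared ports, PVID = the port's own VLAN.
WORKING = table(
    Port("GE1", 21, untagged={21, 22, 23}),            # device on VLAN 21
    Port("GE2", 22, untagged={21, 22, 23}),            # device on VLAN 22
    Port("GE3", 23, untagged={21, 22, 23}),            # device on VLAN 23 (assumed port)
    Port("GE4", 23, untagged={21, 22, 23}),            # computer on VLAN 23
)


if __name__ == "__main__":
    print("original, broadcast from GE2:", flood(ORIGINAL, "GE2"))
    print("original, plain NICs reached from GE1:", plain_nic_reach(ORIGINAL, "GE1"))
    print("working, plain NICs reached from GE1:", plain_nic_reach(WORKING, "GE1"))
```

With the first table, a broadcast from the VLAN 21 device leaves only GE6, and tagged at that, so neither Windows host receives it at layer 2; crossing VLANs there needs the switch's VLAN interfaces to route, with each device's default gateway pointing at its VLAN's SVI. The working table reaches every host, but only because untagged membership in 21, 22 and 23 on every port merges those VLANs into one broadcast domain on those ports, so the segmentation between the device groups is effectively gone there.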
06-08-2014 02:54 PM
For reference, these are screen shots of the relevant pages on the SG300-20 and a simplified network diagram to document the settings that are allowing the computer on VLAN 23 to talk to base devices on VLANs 21, 22 and 23.
06-08-2014 07:34 PM
Reza, I just thought I'd give you a further update.
I took another Cisco switch, an SG300-10P, reconfigured it as a Level 3 switch and was able to apply everything learned here to make that work, as well.
Again, the key is to configure the interfaces as General, and all allowed VLANs must be Untagged. The other key is that there is something different about VLAN 1, so the computer must be on an administrator-defined VLAN.
Past those points, everything is working as expected.
Thank you for your assistance and walking through things with me.
DG
06-07-2014 06:36 PM
New information!
On a laptop that is on VLAN 23, I can access the device on VLAN 23 but still cannot access the ones on VLANS 21 or 22.
However, don't despair!
First, I did a tracert to those other devices and guess what, the trace made it. (Well, sometimes it did. The result was inconsistent but a couple of times, it made it there!)
Next, WireShark is now seeing the broadcast UDP packets to port 50500 from all three devices. That's big news.
The bad news is that the program that is monitoring port 50500 isn't seeing the other two. I can confirm the program is not receiving them at all.
(Scratching my head)
I'm going to write a quick test program to see if I can grab those packets....
BRB
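A receive check of the kind the post above sets out to write, as an added example (not the poster's program): it binds a UDP listener, records every datagram by source address, and includes a loopback self-test so it runs offline. Binding to 0.0.0.0 rather than one interface address is deliberate, since on Windows and Linux a socket bound to a specific unicast address does not receive datagrams sent to a broadcast address; that is one reason a capture tool can show broadcasts an application never sees (a host firewall dropping after capture is another). The payload strings are constructed, and nothing here asserts which of these applies to the poster's setup.

```python
"""UDP receive check for port-50500 broadcasts.  Added example, not the poster's
test program.  Listens, buckets datagrams by source IP, and can target itself
over loopback so the check works with no devices attached."""
import socket
import time

DEVICE_PORT = 50500  # UDP port the base devices broadcast to, per the thread


def open_listener(port=DEVICE_PORT, bind_addr="0.0.0.0"):
    """Bind a UDP socket.  0.0.0.0 is the wildcard; a socket bound to one
    interface's unicast address does not get broadcast-addressed datagrams."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind((bind_addr, port))
    return s


def collect(sock, seconds=5.0, bufsize=2048):
    """Receive for `seconds` and return {source_ip: [payload, ...]}.
    One entry per sending device is enough to confirm the socket sees it."""
    seen = {}
    deadline = time.monotonic() + seconds
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            data, (ip, _port) = sock.recvfrom(bufsize)
        except socket.timeout:
            break
        seen.setdefault(ip, []).append(data)
    return seen


def loopback_selftest():
    """Constructed check: send two datagrams to our own listener over loopback.
    Port 0 lets the OS pick a free port so the test never collides with 50500."""
    listener = open_listener(port=0, bind_addr="127.0.0.1")
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for payload in (b"base-1 hello", b"base-1 hello again"):
            sender.sendto(payload, ("127.0.0.1", port))
        return collect(listener, seconds=1.0)
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    print("loopback self-test:", loopback_selftest())
    # Real run: listen on the device port for a few seconds and list who was heard.
    with open_listener() as sock:
        for ip, payloads in collect(sock, seconds=5.0).items():
            print(f"{ip}: {len(payloads)} datagram(s), first {len(payloads[0])} bytes")
```

Run it on the laptop while the devices are broadcasting: if the source IPs of all three devices appear here but not in the monitoring program, the frames are reaching the host and the difference lies in how that program binds its socket or in a host firewall rule, not in the switch.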
06-07-2014 05:14 PM
Hello
That seems correct as you have created them on the switch, however I have just noticed that you have a Linksys router connected to this L3 switch, so maybe you don't need to do this on the switch and perform the routing on the Linksys instead..
1) so Linksys (ip routing with default route to ISP and ip addresses created for the 3 vlans you specified)
2) Switch = ip address of vlan 1 and default gateway of vlan 1 (l2 vlans - 21,22 created -- NO IP ROUTING ENABLED)
3) Access Ports on switch assigned to either vlan 1, 21,22
res
Paul
06-07-2014 06:32 PM
Okay, Paul, I'll need a bit to think through what you propose since that runs opposite to how I've been studying.
Would you happen to know if, on the Cisco Linksys EA3500, that I need to put the entries on the "Advanced Routing" tab? If so, that means I need to disable NAT and enable "Dynamic Routing (RIP)". Once those changes are made, I propose that my table should look like:
Destination LAN IP: 192.168.13.1
Subnet Mask: 255.255.255.0
Gateway: 192.168.13.1
...and repeat for 192.168.21.1 and 192.168.22.1. Does this seem correct to you ?
BUZZ. Won't work. 192.168.13.1 is the router itself. Can't work. My bad.
DG
Added: Does that mean that I need to enable NAT somewhere else? Something about this doesn't pass the smell test....
Added: The Basic Setup page allows me to specify the Router Address, and it only has provision for one router address.