Cisco Support Community
Community Member

Missing a piece for devices to fully communicate between VLANs

Greetings!

Well, I’ve been tossed into the fire and have spent the past few days reviewing these and other forums. Even though I am well beyond my comfort level, some progress has been made, but there is probably a tiny piece that is preventing me from completing my task.

First, the goal is to use an SG300-20 to allow a Windows computer on either VLAN 1 or VLAN 22 to communicate with proprietary devices on VLANs 21 and 22, all numbered after the third octet of their IP address. (Eventually, on each VLAN will be a consumer router that will have multiple devices.) These devices use UDP ports 50500 and 50501 and TCP port 50502.

So I have created VLANs 21 and 22 on the “Create VLAN” page and set their IP address on the “IPv4 Interface” page to

VLAN 1 to 192.168.13.123/24
VLAN 21 to 192.168.21.1/24
VLAN 22 to 192.168.22.2/24

Next I have attempted to assign Port VLAN Membership which is probably where my problem is. (I’ve even locked myself out of the switch a few times requiring a reboot.) My current Port VLAN Membership table has these relevant entries:

GE1 [device on VLAN 21] is GENERAL mode, 1T, 21UP
GE2 [device on VLAN 22] is GENERAL mode, 1T, 22UP
GE4 [computer on VLAN 22] is GENERAL mode, 1T, 22UP
GE6 [computer on VLAN 1] is TRUNK mode, 1UP, 21T, 22T
GE19 [router on VLAN 1] is TRUNK mode, 1UP

“show vlan tag” indicates (condensed):

Vlan       Name                   Ports                Type     Authorization
---- ----------------- --------------------------- ------------ -------------
1          1                 gi1-20,Po1-8           Default      Required
21         21                   gi1,gi6            permanent     Required
22         22                 gi2,gi4,gi6          permanent     Required

“show interfaces switchport ge 1” returns (and GE2 returns the same except for referencing VLAN 22):

Port : gi1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 21

Port is member in:
Vlan               Name               Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
 1                  1                   Tagged           System
 21                 21                 Untagged          Static

(Forbidden VLANS and Classification rules were blank and deleted for brevity.)

“show interfaces switchport ge 6” returns

Port : gi6
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll

Ingress UnTagged VLAN ( NATIVE ): 1

Port is member in:
Vlan               Name               Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
 1                  1                  Untagged          System
 21                 21                  Tagged           Static
 22                 22                  Tagged           Static

(Again, forbidden VLANS and Classification rules were blank and deleted for brevity.)

  • The device on GE1 has an IP of 192.168.21.3/24 and a gateway of 192.168.21.1
  • The device on GE2 has an IP of 192.168.22.3/24 and a gateway of 192.168.22.1
  • The computer on GE4 has an IP of 192.168.22.4/24 and a gateway of 192.168.22.1
  • The computer on GE6 has an IP of 192.168.13.120/24 and a gateway of 192.168.13.1
  • The SG300-20 has an IP of 192.168.13.123
  • On GE19 is a Cisco Linksys EA3500 router 

I'm thinking that my error must be in either the gateways or the Port VLAN Membership with regards to tagging or PVID, but I'm not sure. I have tried many combinations and learned how to reboot the switch from the console communications port very well. (Thankfully it reboots in the last known good state.)

In fact, in some combinations, the computer and devices can see UDP broadcast packets but not respond back to a specific IP address.

If anyone could offer any tips or suggestions as to where I might have gone astray or something that I have not encountered, I would be most appreciative.

Naturally, if the SG300-20 is not capable of this, or additional hardware is required, then recommendations are requested.

Also, I have tried to format my query for clarity and hope I provided everything that is needed. Naturally, if I am missing something here, please do not hesitate to ask for further information.

DG
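What the tables above describe is 802.1Q ingress and egress classification on each port plus routing between the three SVIs, and the quickest way to see where a packet actually goes is to model it. The following Python is an added example, not from the original post and not output from the switch: it encodes the port membership and SVI addresses exactly as posted, applies the rules the switch output states (an untagged frame is classified into the port's PVID; with ingress filtering on, a tagged frame for a VLAN the port is not a member of is dropped; a frame leaves a port tagged or untagged according to the membership table), and adds the one routing rule that matters here, that a host only reaches another subnet through the switch if its default gateway is the SVI of the VLAN its frames actually enter. The host labels (pc1, dev21 and so on) are constructed, and hosts are assumed to send untagged frames, as a Windows NIC does without a VLAN driver. The model is general: any membership table and any set of SVIs can be fed to it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

# Constructed model (not output from the switch) of the SG300-20 port
# membership and SVI addresses as posted above. Hosts are assumed to send
# untagged frames, as a Windows NIC does without a VLAN driver.


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                           # VLAN assigned to untagged ingress frames
    untagged: frozenset = frozenset()   # VLANs this port sends out untagged
    tagged: frozenset = frozenset()     # VLANs this port sends out 802.1Q-tagged

    def ingress_vlan(self, tag=None):
        """Ingress filtering on: untagged -> PVID; tagged -> that VLAN only if
        the port is a member of it, otherwise dropped (None)."""
        if tag is None:
            return self.pvid
        return tag if (tag in self.tagged or tag in self.untagged) else None

    def egress(self, vlan):
        """How a frame in `vlan` leaves this port: 'untagged', 'tagged' or None."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return "tagged"
        return None


@dataclass(frozen=True)
class Host:
    name: str
    port: str
    addr: str       # "ip/prefix" as configured on the host
    gateway: str    # default gateway as configured on the host


class Switch:
    def __init__(self, ports, svis):
        self.ports = {p.name: p for p in ports}
        self.svis = {vlan: ip_interface(a) for vlan, a in svis.items()}

    def vlan_of_subnet(self, ip):
        """VLAN whose SVI subnet contains ip (the connected route for it), or None."""
        for vlan, svi in self.svis.items():
            if ip in svi.network:
                return vlan
        return None

    def deliver(self, vlan, dst):
        """L2 delivery of a frame in `vlan` to dst: it must leave dst's port
        untagged, and dst's PVID must put the replies back into the same VLAN."""
        port = self.ports[dst.port]
        if port.egress(vlan) != "untagged":
            return f"VLAN {vlan} is not sent untagged on {port.name}, so {dst.name} never sees it"
        if port.pvid != vlan:
            return f"{dst.name} sees the frame, but its replies enter VLAN {port.pvid}, not {vlan}"
        return f"delivered to {dst.name} on {port.name} (VLAN {vlan})"


def one_way(sw, src, dst):
    """Trace src -> dst: pure L2 inside the subnet, otherwise via src's gateway,
    which must be the SVI of the VLAN that src's frames actually enter."""
    s, d = ip_interface(src.addr), ip_interface(dst.addr)
    vlan = sw.ports[src.port].ingress_vlan()           # untagged frame -> PVID
    if d.ip in s.network:
        return sw.deliver(vlan, dst)
    gw, svi = ip_address(src.gateway), sw.svis.get(vlan)
    if svi is None or gw != svi.ip:
        return f"{src.name} hands the packet to gateway {gw}, which is not the VLAN {vlan} SVI"
    dst_vlan = sw.vlan_of_subnet(d.ip)
    if dst_vlan is None:
        return f"switch has no connected route for {d.ip}"
    return "routed by switch, " + sw.deliver(dst_vlan, dst)


def trace(sw, src, dst):
    """Both directions: a good forward path with a broken reply path looks
    exactly like 'host unreachable' to the user."""
    return {"forward": one_way(sw, src, dst), "reply": one_way(sw, dst, src)}


SWITCH = Switch(
    ports=[
        Port("gi1", pvid=21, untagged=frozenset({21}), tagged=frozenset({1})),
        Port("gi2", pvid=22, untagged=frozenset({22}), tagged=frozenset({1})),
        Port("gi4", pvid=22, untagged=frozenset({22}), tagged=frozenset({1})),
        Port("gi6", pvid=1, untagged=frozenset({1}), tagged=frozenset({21, 22})),
        Port("gi19", pvid=1, untagged=frozenset({1})),
    ],
    svis={1: "192.168.13.123/24", 21: "192.168.21.1/24", 22: "192.168.22.2/24"},
)

HOSTS = {  # constructed labels for the hosts in the bullet list above
    "dev21": Host("dev21", "gi1", "192.168.21.3/24", "192.168.21.1"),
    "dev22": Host("dev22", "gi2", "192.168.22.3/24", "192.168.22.1"),
    "pc22": Host("pc22", "gi4", "192.168.22.4/24", "192.168.22.1"),
    "pc1": Host("pc1", "gi6", "192.168.13.120/24", "192.168.13.1"),
}

if __name__ == "__main__":
    for a, b in [("pc1", "dev21"), ("pc22", "dev21"), ("pc22", "dev22")]:
        print(f"{a} -> {b}: {trace(SWITCH, HOSTS[a], HOSTS[b])}")
```

Run against the table as posted, the model reports that the VLAN 1 PC hands traffic for 192.168.21.0/24 to 192.168.13.1 rather than to the switch, and that the VLAN 22 hosts use 192.168.22.1 as their gateway while the VLAN 22 SVI is 192.168.22.2; with the VLAN 1 PC's gateway set to 192.168.13.123 the round trip to the VLAN 21 device completes. Tagging VLANs 21 and 22 on gi6 changes nothing for a host that sends untagged frames, which is why the trace looks at PVID and gateway first.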

21 REPLIES
VIP Purple

Hello

All that you are explaining comes down to "inter-VLAN routing". Now, I am not familiar with this type of switch; however, it does seem to be Layer 3 compatible.

So what is required is to enable IP routing.

Basically, you create the SVI interfaces as you have posted (VLAN 1, 21, 22). The IP addresses of these switch virtual interfaces will become the default gateway for end hosts on that particular VLAN, and with IP routing enabled you should also be able to communicate between all VLANs.

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
Community Member

Thank you for your reply, Paul.

What you say makes sense but will take me a bit of study and figure out the practical side.

I am looking at the IPv4 Static Routes and it has three entries for 192.168.13.0, 192.168.21.0 and 192.168.22.0, all /24 and the "Route Type" is defined as "Local".

"show ip route conn" returns:

switch-sg300-20(config)#do sh ip route conn
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled

Codes: C - connected, S - static, D - DHCP

C  192.168.13.0/24    is directly connected                        vlan 1
C  192.168.21.0/24    is directly connected                        vlan 21
C  192.168.22.0/24    is directly connected                        vlan 22

Is that what you are referring to or is there more that I must do ?

Thanks

DG

VIP Super Bronze

Hi,

I am not familiar with the SG300 series, but your route table looks correct. You have 3 local subnets, and as long as IP routing is enabled on your device and each host has a correct default gateway, you should be able to ping from one host to the others. Also, make sure your PCs/laptops don't have any firewall software installed; if they do, the software prevents them from pinging or being pinged. Does the GUI have an option for turning on routing?

HTH

Community Member

Well, the command "show ip route static" shows

switch-cg300-20(config)#do show ip route static
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled

Codes: C - connected, S - static, D - DHCP

According to this, IP Forwarding is enabled. Is that the same as the routing you refer to?

What is curious to me is that the list is empty there and yet the GUI shows the values I posted earlier. Hmmmm....

And, yes, I agree about the firewalls and am absolutely certain that none are present. 

DG

VIP Super Bronze

Yes, I think IP forwarding means IP routing, and it is enabled.

Very interesting output: sh ip route conn vs. sh ip route static.

It seems to me that you have to do something else for the static routes to show up on the routing table.  When you trace from one host, to another, how far does the trace make it? It makes it harder for us to help you since most of us on this forum are not familiar with this switch series.

HTH

Community Member

Already Reza, I had typed out a whole response and boom, "Host unreachable." You'll understand why in a moment.

To recap what I tried while trying to control my excitement...

I did a tracert to 192.168.23.3, a known device, but the first hop was to the router at 192.168.13.1 and then to the outside world via my ISP. I suppose that trace is still bouncing around somewhere!

So I thought that makes total sense, since .13.1 is the gateway of my computer, and so I thought that since VLAN 1 was .13.123, I should change it. So I did, but it didn't work. The tracert stopped right there and reported "Destination host unreachable."

Thinking that the gateway for a VLAN other than 1 is .x.1, I need to try this on a PC on one of the other VLANs or maybe create a VLAN 2 just for this purpose. 

(At this point, I was typing my response and clicked Submit, but I did it before I put the gateway back and lost all of my text!)

So, give me a little bit to try another computer and put it on another VLAN and see what I get. 

Maybe my ultimate solution is to put the Cisco Linksys wireless router on its own VLAN? Is that a recommended procedure?

Be right back...  (Getting excited again!)

VIP Super Bronze

Can you also put a quick drawing together showing how every device (switch, wireless, Internet) is connected?

Community Member

These are the connections on the Cisco SG300-20 switch:

Community Member

This is the diagram you requested:

VIP Super Bronze

Nice picture!

OK, let's figure out why you can't ping from one VLAN to another first.

Are all the ports connected to the SG-300 switch configured as access port?

In one of your posts, I saw VLAN 21 and 22 tagged (trunked). Can you configure both ports as access ports for VLAN 21 and 22 and see if you can ping from one tempest to another? Also, is there a way you can log in to the device and enable "IP routing"?

HTH

Community Member

I just confirmed that I cannot do this.

Using GE 1 for my example, which was configured as 21UP and 23T in Trunk mode, I tried to change it to Access mode, but it would not let me, returning the error "Port gi1, belongs to a wrong number of VLANs."

So I went to Port VLAN Membership and removed 23T and returned to Interface Settings and was now able to change it to Access mode.

Then I returned to Port VLAN Membership and tried to re-add 23T but in Access mode, it only lets me have a single Untagged PVID entry. The error is "Interface can be added as untagged to only a single VLAN."

Regarding IP Routing, I thought we ascertained that IP routing was enabled or is there something else I should be looking for ?

VIP Super Bronze

Answer last first:

I am just guessing, and I think it makes sense that IP forwarding means IP routing, since I am not familiar with this platform.

As for the other issue, since we only have one device connected to VLAN 21 and one to VLAN 22, for the test we just need to add the specific port to the specific VLAN as an access port and see if you can ping between the 2 VLANs.

Once we get the communication between these 2 VLANs established, we can then move on to the other tasks.

HTH

Community Member

As for the other issue, since we only have one device connected to vlan 21 and one to vlan 22...

In my last post, I was using an interface (in that case GE 1) to change the mode to Access as you requested. It was in Access mode that I was unable to assign multiple VLANs to a single interface.

I can set multiple interfaces to the same VLAN in which case all common devices and the software works perfectly.

VIP Super Bronze

OK, let me clarify.

In your port assignment chart, the top tempest base is connected to port gi0/1 (VLAN 21) and the next tempest is connected to gi0/2 (VLAN 22). Now, each tempest is in a separate VLAN/subnet, right? OK, so gi0/1 should belong to VLAN 21 as an access port and gi0/2 should belong to VLAN 22 as an access port.

So far so good, right?

OK, now each tempest should be able to ping its gateway, which is the switch, and if IP routing (forwarding) is enabled on the switch, the tempests should be able to ping each other.

Is that the case?

HTH

Community Member

Well, you have me kinda stumped here.

I am assuming that Gi0 simply means Gigabit #0 and that higher end Cisco products might have more than one "channel" or pathway for data.

As for the bases doing any pinging, there is no such capability. I have no clue how to proceed on that instruction.

Stay tuned. I am trying all of the modes of Port VLAN Membership and am documenting my results.

Community Member

Okay, after a bit, no, make that A LOT of stumbling around... 

I have found the combination that works!!!

First, the mode of all of the ports/interfaces is set to GENERAL mode.

Secondly, the shared VLANs must be joined via Untagged Packets.

There seems to be one condition: created VLANs cannot join the default VLAN 1 as untagged.

If the computer is on a created VLAN (21, 22 or 23), the software could communicate with all of the base devices.

If the computer is on the default VLAN 1, the software could not communicate with any of the bases, which I presume is due to the inability for a VLAN to join VLAN 1 as untagged.

Does this make any sense ?

At least, at this point, the proof-of-concept is done. 

DG

Community Member

For reference, these are screen shots of the relevant pages on the SG300-20 and a simplified network diagram to document the settings that is allowing the computer on VLAN 23 to talk to base devices on VLANs 21, 22 and 23.

Community Member

Reza, I just thought I'd give you a further update.

I took another Cisco switch, an SG300-10P, reconfigured it as a Level 3 switch and was able to apply everything learned here to make that work, as well. 

Again, the key is to configure the interfaces as General, and all allowed VLANs must be Untagged. The other key is that there is something different about VLAN 1, so the computer must be on an administrator-defined VLAN.

Past those points, everything is working as expected.

Thank you for your assistance and walking through things with me.

DG

Community Member

New information!

On a laptop that is on VLAN 23, I can access the device on VLAN 23 but still cannot access the ones on VLANS 21 or 22. 

However, don't despair! 

First, I did a tracert to those other devices and guess what, the trace made it. (Well, sometimes it did. The result was inconsistent but a couple of times, it made it there!)

Next, Wireshark is now seeing the broadcast UDP packets to port 50500 from all three devices. That's big news.

The bad news is that the program that is monitoring port 50500 isn't seeing the other two. I can confirm the program is not receiving them at all. 

(Scratching my head)

I'm going to write a quick test program to see if I can grab those packets.... 

BRB
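The gap between what Wireshark sees and what the listening program receives is a common place to get stuck, so here is an added example (not the test program the poster went off to write, and not from the original thread) of the check a practitioner would do first: decode a captured Ethernet/802.1Q/IPv4/UDP frame the way the capture shows it, and classify its destination. Two things a plain UDP socket cannot tell you are visible at this level: whether the frame reached the host still carrying an 802.1Q tag, and whether it was sent to the limited broadcast address 255.255.255.255, which no router or Layer 3 switch forwards, so such discovery packets from a device in another VLAN can only be seen by a host in that same VLAN regardless of how routing is set. The MAC addresses, payload and frames below are constructed with the builder in the block; no real capture is used, and port 50500 is the discovery port named in the thread.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed example: build and decode Ethernet/802.1Q/IPv4/UDP frames so the
# discovery datagrams on UDP 50500 can be checked for an 802.1Q tag and for a
# destination that a Layer 3 switch will never route. Not from the original post.

ETH_P_8021Q, ETH_P_IP, IPPROTO_UDP = 0x8100, 0x0800, 17


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a header that already carries
    its checksum field the result is 0 when the header is intact."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, vlan=None):
    """Assemble a frame; vlan=None gives an untagged frame, otherwise an
    802.1Q tag with that VID (PCP/DEI 0) is inserted after the MAC addresses."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0: not computed (legal in IPv4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return eth + struct.pack("!H", ETH_P_IP) + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Decode the headers. Raises ValueError for anything that is not IPv4/UDP
    or whose IPv4 header checksum does not verify."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    off, vlan = 12, None
    ethertype, = struct.unpack_from("!H", frame, off)
    if ethertype == ETH_P_8021Q:                       # 802.1Q tag present
        tci, = struct.unpack_from("!H", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
        ethertype, = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != ETH_P_IP:
        raise ValueError(f"not IPv4: ethertype {ethertype:#06x}")
    ihl = (frame[off] & 0x0F) * 4
    ip_hdr = frame[off:off + ihl]
    if ip_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip_hdr[9] != IPPROTO_UDP:
        raise ValueError(f"not UDP: protocol {ip_hdr[9]}")
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", frame, off + ihl)
    return {
        "vlan": vlan,
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ip_address(ip_hdr[12:16]), "dst_ip": ip_address(ip_hdr[16:20]),
        "sport": sport, "dport": dport,
        "payload": frame[off + ihl + 8: off + ihl + ulen],
    }


def classify_dst(dst_ip, sender_net):
    """How a Layer 3 switch treats the destination of a datagram sent from sender_net."""
    dst, net = ip_address(dst_ip), ip_network(sender_net, strict=False)
    if dst == ip_address("255.255.255.255"):
        return "limited broadcast: confined to the sender's VLAN, never routed"
    if dst == net.broadcast_address:
        return f"directed broadcast for {net}: delivered only inside that subnet"
    if dst.is_multicast:
        return "multicast: crosses VLANs only if multicast routing is configured"
    return "unicast: routed between VLANs via the SVIs"


if __name__ == "__main__":
    # Constructed: a VLAN 21 device announcing itself to 255.255.255.255:50500,
    # as it would appear on a port that sends VLAN 21 tagged.
    frame = build_frame("02:00:00:00:21:03", "ff:ff:ff:ff:ff:ff",
                        "192.168.21.3", "255.255.255.255", 50500, 50500, b"HELLO", vlan=21)
    info = parse_frame(frame)
    print(info)
    print(classify_dst(info["dst_ip"], "192.168.21.0/24"))
```

If the capture shows the announcements arriving with a VID in the 802.1Q tag, the host's NIC saw a tagged frame on a port that should have sent that VLAN untagged; if they are addressed to 255.255.255.255, a listener in another VLAN will never receive them through routing, and only unicast replies to a specific address can cross the SVIs.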

VIP Purple

Hello

That seems correct, as you have created them on the switch. However, I have just noticed that you have a Linksys router connected to this L3 switch, so maybe you don't need to do this on the switch and can perform the routing on the Linksys instead:

1) Linksys: IP routing with a default route to the ISP, and IP addresses created for the 3 VLANs you specified.

2) Switch: IP address of VLAN 1 and default gateway of VLAN 1 (L2 VLANs 21, 22 created; NO IP ROUTING ENABLED).

3) Access ports on the switch assigned to either VLAN 1, 21 or 22.

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
Community Member

Okay, Paul, I'll need a bit to think through what you propose, since that runs opposite to how I've been studying.

Would you happen to know whether, on the Cisco Linksys EA3500, I need to put the entries on the "Advanced Routing" tab? If so, that means I need to disable NAT and enable "Dynamic Routing (RIP)". Once those changes are made, I propose that my table should look like:

Destination LAN IP: 192.168.13.1 
Subnet Mask: 255.255.255.0  
Gateway: 192.168.13.1

...and repeat for 192.168.21.1 and 192.168.22.1. Does this seem correct to you ?

BUZZ. Won't work. 192.168.13.1 is the router itself. Can't work. My bad.

DG

Added: Does that mean that I need to enable NAT somewhere else? Something about this doesn't pass the smell test....

Added: The Basic Setup page allows me to specify the Router Address, and it only has provision for one router address. 
