Cisco Support Community
Inter vlan routing on a Cisco SF 300-24 port switch No internet except when scanning with wireshark

Hi,

I am trying to get inter-VLAN routing to work on an SF 300 24-port switch. I have an existing company network on 192.168.111.0 and want to create a VLAN on 192.168.1.1 that can talk to 192.168.111.0. I have enabled layer 3 routing on the switch via the console and also provided the ip routing command. I have the following VLANs:

VLAN1 - Default 192.168.111.0

VLAN2 - 192.168.1.0

I have enabled DNS and provided my two DNS servers 192.168.111.82 & 192.168.111.212.  

I have set the VLAN1 interface to 192.168.111.217 and VLAN2 interface to 192.168.1.1.

Ports FE1 - FE15 are set to access ports and assigned to VLAN1 (untagged)

Ports FE16 - FE24 are set to access ports and assigned to VLAN2 (untagged)

I have set a default route for the switch to 0.0.0.0 0.0.0.0 192.168.111.254 (Draytek 2600 router). I have connected a computer (A) to VLAN1 port FE3 and a computer (B) to VLAN2 port FE16.   I have set Computer A default gateway to 192.168.111.217 and its IP address to 192.168.111.94.    I have set Computer B default gateway to 192.168.1.1 and IP to 192.168.1.2.   

Computer A has access to MDaemon and the file server via network drives but no internet (cannot ping Google), and can ping computer B and RDP onto computer B.

Computer B can ping computer A and RDP onto computer A but does not have access to the company network, i.e. MDaemon, file server etc. It also cannot access the internet.

From the console I can ping www.google.co.uk and all IP addresses in the company network, i.e. 192.168.111.82 (DNS server). I don't understand what I am doing wrong and have been banging my head for days. I have just started a new job and desperately need to get it working, so any help would be greatly appreciated.

If I scan computer A with Wireshark the internet starts working. Weird!

Configuration shown below:

switch7c0a71#show run
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 2
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 1
ip address 192.168.111.217 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.111.254
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switch7c0a71
no passwords complexity enable
no snmp-server server
interface fastethernet1
switchport mode access
exit
interface fastethernet2
switchport mode access
exit
interface fastethernet3
switchport mode access
exit
interface fastethernet4
switchport mode access
exit
interface fastethernet5
switchport mode access
exit
interface fastethernet6
switchport mode access
exit
interface fastethernet7
switchport mode access
exit
interface fastethernet8
switchport mode access
exit
interface fastethernet9
switchport mode access
exit
interface fastethernet10
switchport mode access
exit
interface fastethernet11
switchport mode access
exit
interface fastethernet12
switchport mode access
exit
interface fastethernet13
switchport mode access
exit
interface fastethernet14
switchport mode access
exit
interface fastethernet15
switchport mode access
exit
interface fastethernet16
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet17
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet18
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet19
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet20
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet21
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet22
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet23
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface fastethernet24
switchport mode general
switchport general allowed vlan add 2 untagged
exit
interface vlan 2
name Development
exit

Accepted Solutions

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi Richard,

43 - Permit, protocol: any, to/from all
42 - Deny, protocol: all, from 192.168.2.0 0.0.0.255 to 192.168.111.0 0.0.0.255
41 - Deny, protocol: all, from 192.168.111.0 0.0.0.255 to 192.168.2.0 0.0.0.255
40 - Permit, protocol: RDP, from all to all
etc.

That should block everything, including MSSQL, except for RDP, and the other ports as you've defined above.  Are the other defined services working and just not the RDP? 

Richard, please remember to rate helpful posts and identify correct answers.

Best,

David

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi Richard,

I've attached a screenshot of what it should look like, though its not complete (I didn't do all of the services, but enough so you get the gist). You need both to and from rules and diff source/dest rules:

Best,

David

40 REPLIES

Re: Inter vlan routing on a Cisco SF 300-24 port switch No inter

What port on the SF300 is the router plugged in to? What are the VLAN settings for that port, as well as the routes you have on the Draytek?

Also, please try setting the default gateway on the computer to the router's IP.

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

Thanks for replying, I thought no one ever would.

Basically I need to create a secure area for the programmers in my company so they can access the company network but no one can access their systems.  

So I wanted to create a secure VLAN using ACLs within the existing network, which is made up of Cisco layer 2 switches running on the default VLAN1, i.e. no VLAN configuration (I cannot easily change this as they have 4 switches running off VLAN1).

I have connected the SF 300 (layer 3 enabled) to the company network by removing the connection from my PC to the network, plugging that into port fa 0/1 and enabling it as a trunk port.

I then connected my computer (A) to port fa 0/2 of the SF 300 and enabled it as an access port.

I then connected another computer (B) to port fa 0/16 of the SF 300 and enabled it as an access port.

I created a second VLAN (VLAN2) ip address 192.168.2.1 and assigned it to fa 0/16 all other ports are assigned to VLAN1 (default).

I set my Computer A (IP 192.168.111.94) default gateway to the ip address of the sf 300 (192.168.111.218) and computer B (IP 192.168.2.2) default gateway to 192.168.2.1.

I set the default route to 0.0.0.0 0.0.0.0 192.168.11.254 (draytek router and default gateway for existing network) and added the DNS servers for my network to the sf 300.

Computer A still has access to the company drives, email etc but is unable to access the internet and can ping and RDP to computer B but cannot access the internet.

Computer B can ping and RDP to computer A but cannot access the company network or internet, i.e. I cannot ping the domain controller.

I have tried tagging VLAN2 to the fa 0/1 trunk port but still no success, and adding entries on the domain controller's DNS for computer B.

My main issue is that I cannot get VLAN2 to access the company network.

I have created a diagram of the setup below to hopefully give you a better idea.

Many Thanks

Richard

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi Richard,

As for your main issue - getting vlan 2 to access the LAN and internet - you need to set a default route on the Draytek to the effect of 192.168.2.0 255.255.255.0 192.168.111.218. That may be why computer B is not getting LAN access.

Why is the sf300 connected to the network as a trunk? Do you plan to have other vlan 2 computers plugged in elsewhere other than this switch? Or are there vlans other than 1 & 2?

Can you post a sh run for the switch so I can see what else is going on, and what, if any ACLs there are that may be preventing computer A from accessing the internet.  Can you also please change the default gateway on computer A to 192.168.1.254 and let me know if that works.

Best,

David

Please rate helpful posts.


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I have set my draytek with a default route as you described (I cannot test this until Monday as I currently only have console access to the switch as I have plugged my computer back into the network and am not going through the switch).

Originally I had port fa 0/1 set as an access port because I thought the IT Manager only wanted the switch in the IT department to host the secondary VLAN and I wouldn't have to cross switches.

He has since said that he would like to have some computers in other rooms available to the secondary VLAN for testing purposes.

He also wanted to increase the number of IP addresses as we are reaching the maximum on the current setup, i.e. 254.

Getting it working in just our area for now would take the heat off me though.

I thought I had to set the default gateway on computer A to the IP address of the SF 300 (192.168.111.218).

If I set the default gateway of computer A to 192.168.111.254 it does indeed work and I get internet access and network access, as I had tested this previously.

I have since changed the config for the switch which is shown below but it might be worse than the previous config:

switch7c0a71#show run
vlan database
vlan 4
exit
interface gi1
switchport default-vlan tagged
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 4
ip address 192.168.2.249 255.255.255.0
exit
interface vlan 1
ip address 192.168.111.250 255.255.255.0
exit
no ip arp proxy disable
ip route 0.0.0.0 0.0.0.0 192.168.111.254
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switch7c0a71
no snmp-server server
ip name-server 192.168.111.212 192.168.111.82
interface fastethernet1
switchport mode access
exit
interface fastethernet2
switchport mode access
switchport access vlan 4
exit
interface fastethernet3
switchport mode access
exit
interface fastethernet4
switchport mode access
exit
interface fastethernet5
switchport mode access
exit
interface fastethernet6
switchport mode access
exit
interface fastethernet7
switchport mode access
exit
interface fastethernet8
switchport mode access
exit
interface fastethernet9
switchport mode access
exit
interface fastethernet10
switchport mode access
exit
interface fastethernet11
switchport mode access
exit
interface fastethernet12
switchport mode access
exit
interface fastethernet13
switchport mode access
exit
interface fastethernet14
switchport mode access
exit
interface fastethernet15
switchport mode access
exit
interface fastethernet16
switchport mode access
exit
interface fastethernet17
switchport mode access
exit
interface fastethernet18
switchport mode access
exit
interface fastethernet19
switchport mode access
exit
interface fastethernet20
switchport mode access
exit
interface fastethernet21
switchport mode access
exit
interface fastethernet22
switchport mode access
exit
interface fastethernet23
switchport mode access
exit
interface fastethernet24
switchport mode access
exit
interface gigabitethernet1
switchport trunk allowed vlan add 4
exit
interface vlan 4
name ARC_Developer
exit

Kind Regards

Richard Leyshon

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi Richard,

I'm using an SG300 here to test, and mine is working fine. I did have to put a default route in my router for the vlan 4 network, but this is my sh run:

switchf1cc3a#sh run
vlan database
vlan 4
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.10.1.79 255.255.255.0
exit
interface vlan 4
ip address 192.168.2.249 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.10.1.1
interface vlan 1
no ip address dhcp
exit
bonjour interface range vlan 1
hostname switchf1cc3a
no snmp-server server
interface gigabitethernet8
switchport mode access
switchport access vlan 4
exit

I am able to use either the switch ip or router ip for the default gateway on my vlan 1 and am able to get both lan and internet access. Can you please post a sh ip route from both the switch and draytek?

My switch shows the following:

switchf1cc3a#sh ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP
S  0.0.0.0/0          [1/1] via  10.10.1.1  0:10:58                vlan 1
C  10.10.1.0/24       is directly connected                        vlan 1
C  192.168.2.0/24     is directly connected                        vlan 4

Best,

David


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I have telnetted into the Draytek and I see the following (I thought I added a default route but apparently you can only do this by telnet, not through the web interface).

If I add a second default route will it knock out the route shown above? I don't want to take down the internet connection as I am doing this remotely from home and don't want to kill the router.

I have 4 Ethernet ports on the Draytek. Ethernet port 1 is plugged into the network (which I think is IF0) and the ADSL cable is plugged into the ADSL port, IF3 (I think).

The syntax for the Draytek is as follows:

Do I need to patch a cable from the Draytek (Ethernet port 2) into the network and set up a default route on that interface, or can I add one to the existing interface (Ethernet port 1)?

The show ip route for the switch is as follows (I don't have anything plugged into it though):

switch7c0a71#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP
S  0.0.0.0/0          [1/1] via  192.168.111.254  118:22:47        vlan 1
C  192.168.111.0/24   is directly connected                        vlan 1
switch7c0a71#

Hope this makes sense.

Kind Regards

Richard

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Richard,

I'm not at all familiar with Draytek devices. It surprises me that adding a route would knock out the route that's in there now, but again, might just be a Draytek thing. I would think you can simply add the route to the interface you're currently using. The other thing of note is to take a look at the difference between my sh ip route and yours: mine shows the 192.168.2.0 network as directly connected, while yours does not.

As far as a course of action, we're not going to be able to make progress while you're at home on your weekend, so stop thinking about this until Monday, and try the following then and report back:

1 - Add the proper route into the draytek. From your screenshot, it looks to me like the proper syntax would be ip route add 192.168.2.0 255.255.255.0 192.168.111.250

2 - check the sf300's vlan 4 address, and that computer B can ping 192.168.2.249. Make sure that the sf300 is showing that network as directly connected in its ip routing table.

At this point, you should have internet and lan access on both hosts A + B.

On vlan 4 - are the addresses being assigned via DHCP or statically assigned?

Best,

David

Please rate helpful posts.


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I have added the route to the draytek as shown below:

I think VLAN2 is not saying directly connected because Computer B which belongs to VLAN2 is not currently connected. 

At present VLAN4 ip addresses are being statically assigned but I have added a new DHCP range to the domain controller for 192.168.2.0 so I presume I could dish out IP addresses via DHCP when it is all working?

I will get back to you on Monday once I have plugged it all in and tested, again many thanks for your help David have a great weekend.

Kind Regards

Richard

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Richard,

Let me know how it looks come Monday morning. Can you ping the switch's 192.168.2.249 address from the Draytek?

The route should show up if the IPv4 interface for vlan 4 is configured properly - it's showing the subnet as connected in sh ip route, rather than the host.

Best,

David


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I have tested the configuration and I can get network access in VLAN1 using default gateway of 192.168.111.254 and network access in VLAN4 using a default gateway of 192.168.2.249.

But I am unable to get internet access in VLAN4, I can ping the default gateway (192.168.2.249) for VLAN4 from the computer in VLAN4 (192.168.2.2) and unable to ping google etc.   Internet access in VLAN1 is ok.

My show IP route is as follows:

switch7c0a71#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled
Codes: C - connected, S - static, D - DHCP
S  0.0.0.0/0          [1/1] via  192.168.111.254  0:17:15          vlan 1
C  192.168.2.0/24     is directly connected                        vlan 4
C  192.168.111.0/24   is directly connected                        vlan 1

I can also ping 192.168.2.249 from the draytek (using telnet).   

Kind Regards

Richard

Re: Inter vlan routing on a Cisco SF 300-24 port switch No inter

Good morning Richard,

Just a quick question while I re-read some of the thread. The screenshots don't show up on the iPad app...

Could it be a dns issue on vlan 4? Can you ping 4.2.2.2?

Best,

David


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I have tried to ping Google's IP address 173.194.67.94 but it times out. I am not sure what you mean by 4.2.2.2 but I tried to ping it without success. I have attached a grab of the route print command from 192.168.2.2:

I can also ping the network DNS servers (192.168.111.82 & 192.168.111.212) from 192.168.2.2

Kind Regards

Richard


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hello Richard,

From vlan4 (192.168.2.x) can you ping the router (192.168.111.254)? If yes, then can you ping your WAN IP address on the router?

It may be possible that the router is not doing NAT for your second vlan. If this is the case then, your ping out would be dropped once it hits the internet.


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi Robert,

I can ping the Router IP address from VLAN2.

I thought it might be NAT myself, but I have just pinged the ISP IP address from VLAN2 and it came back successful:

Kind Regards

Richard


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Can you ping 8.8.8.8? If not, i recommend a tracert to 8.8.8.8 to see how far you can get.


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi Robert,

I have run a tracert on 8.8.8.8 and I get the following:

1     *     *     *     Request timed out.
2     *     *     *     Request timed out.
3     *     *     *     Request timed out.
etc.

Kind Regards

Richard

Re: Inter vlan routing on a Cisco SF 300-24 port switch No inter

Hi Richard,

What IP from your ISP are you pinging that's working?

Since you're able to ping the Draytek from the vlan 4 computer, and the reverse (and access the LAN), I think your switch is configured properly at this point, and it's something with the Draytek.

Best,

David


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I have taken the WAN IP address from the WAN status page of the router. I don't want to post the IP address though, for obvious reasons.

Kind Regards

Richard


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I did a tracert on the ISP IP address and got the following:

1     *       *       *       Request timed out.
2     <1 ms   <1 ms   <1 ms   ISP IP ADDRESS

regards

Richard

Inter vlan routing on a Cisco SF 300-24 port switch No internet

That's your public IP, correct? Can you ping your ISP's default gateway?

Best,

David


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

How do I find out the ISP's default gateway?

Kind Regards

Richard


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

Just found it, I am unable to ping the GW IP Addr  displayed on the router status page.

Regards

Richard


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I also cannot ping the primary and secondary dns servers for the ISP.

Regards

Richard

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Richard,

I think that you should try and get in touch with Draytek support or follow up on that end.

Check out this thread:

http://www.network-builders.com/draytek-vigor-2600-multi-nat-dmz-vlan-question-t34149.html

I emailed Draytek directly and got the following response:

a. The Vigor can only deal with one subnet. You could still use the Vigor VLAN facility to separate the ports but you'd need two more devices to act as the gateway for the other two subnets.

My suggestion prior to reading that would be to set up the subnet on the Draytek (if the Draytek has multiple interfaces) or use the Draytek router to create the VLAN, but you may be running into the limits of the router.

Best,

David
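The two failure modes in this thread (LAN replies that never come back to VLAN 4 until the Draytek has a route for 192.168.2.0/24, and internet access that still fails on the Vigor 2600 because it only NATs one subnet) can be traced with a small longest-prefix-match model. The following is an added example, not code from the thread, from Cisco or from DrayTek. The switch table is the `show ip route` Richard posted; the Draytek table (a default route toward the WAN plus its connected LAN) and the single-subnet NAT behaviour are assumptions, the latter taken from DrayTek's own reply quoted above that the Vigor 2600 "can only deal with one subnet". The Vigor 2830 entry models Richard's replacement router, which routed both private subnets.

```python
"""Added example (not from the thread): trace a packet from computer B on
VLAN 4 and its reply through the switch and the DrayTek routing tables."""
from ipaddress import ip_address, ip_network

# Routing table entries: (prefix, next_hop, egress interface).
# next_hop None means the prefix is directly connected.
SWITCH_ROUTES = [  # the SF300's 'show ip route' from the thread
    ("0.0.0.0/0", "192.168.111.254", "vlan 1"),
    ("192.168.2.0/24", None, "vlan 4"),
    ("192.168.111.0/24", None, "vlan 1"),
]
DRAYTEK_ROUTES = [  # assumed baseline Vigor 2600 table
    ("0.0.0.0/0", "isp-gateway", "wan"),
    ("192.168.111.0/24", None, "lan"),
]
# David's fix: ip route add 192.168.2.0 255.255.255.0 192.168.111.250
RETURN_ROUTE = ("192.168.2.0/24", "192.168.111.250", "lan")

# Assumption: the Vigor 2600 only translates its one configured LAN subnet;
# the Vigor 2830 that replaced it handled both private subnets.
NAT_SUBNETS_2600 = [ip_network("192.168.111.0/24")]
NAT_SUBNETS_2830 = NAT_SUBNETS_2600 + [ip_network("192.168.2.0/24")]


def lookup(table, dst):
    """Longest-prefix match. Returns (next_hop, interface), or None if no route."""
    d = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def lan_reachable(draytek_table, src, dst):
    """Can src (behind the switch) reach dst on the company LAN and get a reply?
    Forward: the switch forwards toward dst.  Reverse: the LAN host sends its
    reply to its default gateway (the DrayTek), which must route it back over
    the LAN to the switch rather than out of its default route."""
    forward = lookup(SWITCH_ROUTES, dst)
    reverse = lookup(draytek_table, src)
    return forward is not None and reverse is not None and reverse[1] == "lan"


def internet_reachable(draytek_table, nat_subnets, src, dst="8.8.8.8"):
    """Packet from src to a public dst: the switch must default-route it to the
    DrayTek, the DrayTek must default-route it to the WAN *and* translate the
    private source, and the translated reply must have a route back to src."""
    hop1 = lookup(SWITCH_ROUTES, dst)
    if hop1 is None or hop1[0] != "192.168.111.254":
        return False
    hop2 = lookup(draytek_table, dst)
    if hop2 is None or hop2[1] != "wan":
        return False
    if not any(ip_address(src) in net for net in nat_subnets):
        return False  # private source leaves untranslated; no reply comes back
    back = lookup(draytek_table, src)
    return back is not None and back[1] == "lan"


if __name__ == "__main__":
    fixed = DRAYTEK_ROUTES + [RETURN_ROUTE]
    cases = [("2600, no return route", DRAYTEK_ROUTES, NAT_SUBNETS_2600),
             ("2600 + return route", fixed, NAT_SUBNETS_2600),
             ("2830 + return route", fixed, NAT_SUBNETS_2830)]
    for label, table, nat in cases:
        print(f"{label:24} LAN: {lan_reachable(table, '192.168.2.2', '192.168.111.82')!s:5} "
              f"internet: {internet_reachable(table, nat, '192.168.2.2')}")
```

Run as a script it prints the three stages of the thread in order: no LAN and no internet, then LAN but no internet once the return route exists, then both once the router translates the second subnet. The check to make before blaming the switch is the one David asked for: confirm the gateway router has a route for every subnet the layer 3 switch hosts, because the switch's default route only carries traffic out, never back.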


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

I have found this on the draytek router:

Would I have to do this here?

Kind Regards

Richard

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Richard,

Your guess is as good as mine - I have NEVER used a draytek router. It might be time to find documentation from Draytek on this, or contact their support people.

However, if I could play with the router for a bit, I would first backup the config on the draytek if possible, or take very detailed notes of everything you change.

Then, I would enable the IP routing usage, and put in 192.168.2.254 (let's give that IP to the router, which would now be the default gateway on that subnet's machines), and leave the subnet mask as it is.

I don't know if doing that will automatically create the proper routes? But I'd like to think it does... Obviously, I can't see the rest of the configurable settings on that draytek page, or the rest of the web interface.

Best,

David

Inter vlan routing on a Cisco SF 300-24 port switch No internet

Richard,

Just wanted to check in and see how things were progressing. Any luck with the Draytek?

Best,

David


Inter vlan routing on a Cisco SF 300-24 port switch No internet

Hi David,

Sorry for not getting back sooner, I've been on holiday. I replaced the Draytek Vigor 2600 with a Draytek Vigor 2830, which allowed me to route two private subnets, so I have internet access on both VLAN1 and VLAN4.

I now need to allow VLAN4 access to the mail server, file server and the ability to RDP onto the servers in VLAN1, but deny VLAN1 computers access to VLAN4. I am trying to do this with access control lists but am a bit lost. Would you be able to point me in the right direction?

Kind Regards

Richard 

Re: Inter vlan routing on a Cisco SF 300-24 port switch No inter

Hi Richard,

Hope you enjoyed your holiday!

Are all the vlan 4 machines off the SF300? Probably the best way to do this is to use the Draytek to configure the access policies, but again, I can't be much help with the Draytek.

If you want to give it a shot with the SF300:

1. In the GUI, Access Control -> IPv4-Based ACL.

2. Click add, name the ACL (access control list) and apply.

3. Access Control -> IPv4-Based ACE (access control element), click add.

4. In the pop up now: ACEs with higher priority are processed first. I created priority 50, permit all to all.

5. Create priority 40, action deny, protocol any, source user defined (use vlan 1 subnet 192.168.111.0 0.0.0.255), destination IP, user defined, vlan 4 subnet addr 192.168.1.0 0.0.0.255 and then apply.

6. Then create permit rules for the services that you want to have access to the vlan 4, i.e. AD server priority 30 @ 192.168.111.xxx 0.0.0.0 permit to 192.168.1.0 0.0.0.255.

7. Then go to Access Control -> ACL Bindings and apply the ACL to the ports. Edit, check the box, apply, copy settings to other ports. When an ACL is bound to an interface, its ACE rules are applied to packets arriving at that interface.

Just a note: with IPv4-based ACLs, IP packets are checked, but others like ARP are not.

You may need to tweak the priorities, etc. as needed, but I hope that gives you a good enough idea.

Let me know how it goes.

Best,

David
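The ACE list in the accepted solution above (40 permit RDP any-to-any, 41 and 42 deny between the two subnets, 43 permit anything else) and the numbered steps in this last post both rely on the same rule: ACEs are processed in priority order and the first match decides, with an implicit deny if nothing matches. Because the ACL is stateless and is applied to whatever arrives on each bound port, the reply half of every allowed session needs its own ACE, which is what David means by "both to and from rules". The following evaluator is an added example, not code from the thread or from Cisco; it models that first-match behaviour in Python so the rule sets can be checked against concrete flows before they are typed into the switch. The addresses are the thread's; the DNS server pair at 192.168.111.82 is used for the service example because it is the only VLAN 1 server address the thread names, and the tightened rule set is my assumption, not David's screenshot (which is not on the page).

```python
"""Added example (not from the thread): first-match ACE evaluation in the
style of the SF300 IPv4-based ACL, lower priority number processed first."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RDP = 3389


@dataclass(frozen=True)
class Ace:
    priority: int
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source network (any by default)
    dst: str = "0.0.0.0/0"         # destination network (any by default)
    proto: Optional[str] = None    # None = any IP protocol
    dport: Optional[int] = None    # None = any destination port
    sport: Optional[int] = None    # None = any source port


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


def matches(ace, pkt):
    return (ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst)
            and ace.proto in (None, pkt.proto)
            and ace.dport in (None, pkt.dport)
            and ace.sport in (None, pkt.sport))


def evaluate(aces, pkt):
    """First ACE (ascending priority) that matches decides; implicit deny at the end.
    Returns (action, priority of the deciding ACE), priority None for the implicit deny."""
    for ace in sorted(aces, key=lambda a: a.priority):
        if matches(ace, pkt):
            return ace.action, ace.priority
    return "deny", None


V1, V4 = "192.168.111.0/24", "192.168.2.0/24"
DNS = "192.168.111.82/32"

# The four ACEs listed in the accepted solution.
THREAD_ACES = [
    Ace(40, "permit", proto="tcp", dport=RDP),   # 40: permit RDP from all to all
    Ace(41, "deny", src=V1, dst=V4),             # 41: deny all 111.0 -> 2.0
    Ace(42, "deny", src=V4, dst=V1),             # 42: deny all 2.0 -> 111.0
    Ace(43, "permit"),                           # 43: permit any (internet)
]

# Assumed tightening: RDP only from the developer VLAN toward VLAN 1 with an
# explicit reply ACE, and a DNS request/reply pair to 192.168.111.82.
HARDENED_ACES = [
    Ace(30, "permit", src=V4, dst=V1, proto="tcp", dport=RDP),
    Ace(31, "permit", src=V1, dst=V4, proto="tcp", sport=RDP),   # RDP replies
    Ace(32, "permit", src=V4, dst=DNS, proto="udp", dport=53),
    Ace(33, "permit", src=DNS, dst=V4, proto="udp", sport=53),   # DNS replies
    Ace(41, "deny", src=V1, dst=V4),
    Ace(42, "deny", src=V4, dst=V1),
    Ace(43, "permit"),
]

if __name__ == "__main__":
    flows = {  # constructed sample flows, not captured traffic
        "RDP VLAN4 -> VLAN1": Pkt("192.168.2.2", "192.168.111.94", "tcp", 50000, RDP),
        "RDP reply VLAN1 -> VLAN4": Pkt("192.168.111.94", "192.168.2.2", "tcp", RDP, 50000),
        "RDP VLAN1 -> VLAN4 (unwanted)": Pkt("192.168.111.94", "192.168.2.2", "tcp", 50001, RDP),
        "DNS VLAN4 -> 192.168.111.82": Pkt("192.168.2.2", "192.168.111.82", "udp", 40000, 53),
        "DNS VLAN4 -> internet": Pkt("192.168.2.2", "8.8.8.8", "udp", 40000, 53),
    }
    for name, pkt in flows.items():
        print(f"{name:32} thread: {evaluate(THREAD_ACES, pkt)}  "
              f"hardened: {evaluate(HARDENED_ACES, pkt)}")
```

Two things the run makes visible. First, with the thread's four ACEs the RDP server's replies (source port 3389, destination port ephemeral) do not match the RDP ACE and fall through to the deny at 41, so a session from VLAN 4 never completes when the ACL is also bound on the ports the replies arrive on; and the any-to-any RDP ACE also lets VLAN 1 machines RDP into VLAN 4, which is the direction Richard wanted closed. Second, the tightened set fixes both by matching on direction and source port, but a stateless ACE cannot tell a genuine reply from a packet crafted with source port 3389, so the isolation it gives VLAN 4 is only as strong as that assumption; a stateful firewall on the Draytek, as David suggests, is the stronger place to enforce it.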
