Inter-VLAN Routing using SG350

NavA1239
Level 1

Hello,

 

How do I configure a network so that devices on Network A and Network B can communicate with each other?

 

Network A is 169.254.X.X with subnetworks 169.254.145.X and 169.254.0.X

Network B is 10.2.0.X

  • There are no routers present, all routing is done through unmanaged switches. Both networks do not rely on DHCP and all machines have static IPs.
  • All the machines in Network A are Windows PCs, they can communicate with each other when the subnet mask is set to 255.255.0.0 in the network adapter settings on all machines.
  • Network B is for dedicated Linux machines where it is not possible to change any network settings and they have subnet mask 255.255.255.0

What I tried so far:

  1. Thinking this can be done using an L3 switch, I set up a test bench with two Windows PCs, each representing a device on either network, and an SG350. (The plan is to replace the unmanaged switches with one L3 switch if it works.)
  2. Then I followed the instructions given in this video, https://www.youtube.com/watch?v=6_MxGNC6-OU
  3. I created two VLANs and assigned ports to VLANs. I configured static IP address for VLANs and enabled IPv4 routing. 
  4. I was able to ping one SVI from the other using the option in switch's GUI.

But,

  • I can not ping any of the machines from the switch
  • I can not ping VLAN1 IP from the machine on VLAN2 and vice versa
  • I can not ping the machine on VLAN1 from the machine on VLAN2 and vice versa

Networking is not my area of expertise and a definitive answer would be very much appreciated. Thank you!

1 Accepted Solution


Tyson Joachims
Spotlight

You didn't specify the IP addresses that you assigned to the VLANs so I'm going to make an assumption as follows:

VLAN 1 = 169.254.0.1

VLAN 2 = 10.0.2.1

All the computers in each VLAN need to have their default gateway set to the IP address of the VLAN in which they reside. So for example, a computer in VLAN 1 would have the following sample configuration:

IP address = 169.254.0.150

Subnet Mask = 255.255.0.0

Default Gateway = 169.254.0.1

Because you are not able to configure the network settings of any of your Linux machines, this may prove to be a major issue.

Next you will need to assign switch interfaces that are connected to these computers to the appropriate VLANs (https://youtu.be/xK5HmMlaIlg). If you accidentally put a computer in the wrong VLAN, it will not be able to communicate with anything because it has been configured with an IP address and default gateway of a different VLAN.

At this point, the computer should be able to ping its default gateway. Do not proceed any further until this is done. Keep in mind that if you try to ping the computer from the switch, the host firewall might actually block the pings. Windows computers typically do not allow you to ping them unless you either add a firewall rule allowing ping or you turn off the firewall altogether (not recommended).

If you have two computers with each one in a different VLAN that are now able to ping their respective default gateways, they now should be able to ping each other (provided their host firewall settings permit pings).

 


Right on! Thank you Tyson!

I had not configured the default gateway. After I took care of that, I was able to ping machine A (VLAN 1) from machine B (VLAN 2). I am still having issues with machine B. I made sure there is a firewall rule to allow ping on both machines, but for some reason I could not ping machine B. So, I swapped everything such that machine A is on VLAN 2 and machine B is on VLAN 1, and I can still ping machine A (VLAN 2) but not machine B. Is it safe to say it was something to do with that Windows PC and not the network switch?

 

Any ideas on how to work around not being able to add a default gateway on some machines?

 

 

Tyson Joachims
Spotlight

So you can ping machine A from machine B but you cannot ping machine B from machine A? If that is the case, there's something on machine B that is just not allowing traffic to be initiated to the device but is allowing return traffic. What I mean is that if machine B is able to ping machine A, that means that

1. Machine B notices that it will be sending echo-request to another host that is not in the same network as it is so it sends packets to its default gateway (VLAN 2 interface of the switch)

2. The switch receives the packet, looks at the destination, and routes the packet from VLAN 2 to VLAN 1

3. Machine A receives the packet and notices it needs to send an echo-response to a host that is not in the same network as it is so it sends the response to its default gateway (VLAN 1 interface of the switch)

4. The switch receives the packet, looks at the destination, and routes the packet from VLAN 1 to VLAN 2

5. Machine B accepted the return traffic as indicated by the result on your command prompt

So we know for sure that by getting a successful ping from one computer on VLAN 2 to VLAN 1 that the data path is there and that the reason you cannot ping machine B from machine A is because of something on machine B. This is likely due to a firewall rule blocking the traffic. Check out this tutorial for adding a firewall rule in Windows (https://www.howtogeek.com/howto/windows-vista/allow-pings-icmp-echo-request-through-your-windows-vista-firewall/). I suggest scrolling halfway down and starting at the section called "Allow Ping Requests by Using Windows Firewall with Advanced Security".

For a temporary test, you could try dropping the host firewall on machine B, try pinging it again from machine A, and then re-enable the host firewall.

As for adding default gateways, I would see if you can configure those machines for DHCP. In doing so, they will ask for an IP address, subnet mask, default gateway, and DNS server from the DHCP server. The SG350 can act as a DHCP server if you don't already have one set up (https://www.youtube.com/watch?v=B3QLZaCdwVE).
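The request/reply walk-through in the replies above, modelled as an added example (not code from the thread): it reports which leg of a ping fails given each host's mask, default gateway and host firewall. The SVI addresses follow the 169.254.0.1 / 10.0.2.1 assumption from the accepted solution; machine B's address, the `linux` host and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Host:
    name: str
    iface: str                      # "address/mask" as set on the adapter
    gateway: Optional[str] = None   # None = no default gateway configured
    allow_echo_in: bool = True      # host firewall permits inbound echo-request

    @property
    def ip(self):
        return ipaddress.ip_interface(self.iface).ip

    @property
    def net(self):
        return ipaddress.ip_interface(self.iface).network

def deliver(src, dst_ip, svis):
    """One direction of travel. Returns None on success, else the reason."""
    if dst_ip in src.net:
        return None                 # same subnet: sent directly, no routing
    if src.gateway is None:
        return f"{src.name} has no default gateway for off-subnet {dst_ip}"
    gw = ipaddress.ip_address(src.gateway)
    switch = [ipaddress.ip_interface(s) for s in svis]
    if gw not in src.net:
        return f"{src.name} gateway {gw} is outside its own subnet {src.net}"
    if gw not in [s.ip for s in switch]:
        return f"{src.name} gateway {gw} is not a VLAN interface on the switch"
    if not any(dst_ip in s.network for s in switch):
        return f"switch has no connected route to {dst_ip}"
    return None

def ping(src, dst, svis):
    reason = deliver(src, dst.ip, svis)           # echo-request leg
    if reason:
        return "request lost: " + reason
    if not dst.allow_echo_in:
        return f"request dropped: {dst.name} firewall blocks inbound echo-request"
    reason = deliver(dst, src.ip, svis)           # echo-reply leg
    return "reply lost: " + reason if reason else "reply"

# Constructed sample topology (VLAN 1 and VLAN 2 interfaces on the switch).
SVIS = ["169.254.0.1/16", "10.0.2.1/24"]
A = Host("A", "169.254.0.150/255.255.0.0", "169.254.0.1")
B = Host("B", "10.0.2.50/255.255.255.0", "10.0.2.1", allow_echo_in=False)
LINUX = Host("linux", "10.0.2.60/255.255.255.0")  # gateway cannot be set

for s, d in [(B, A), (A, B), (A, LINUX), (LINUX, A)]:
    print(f"{s.name} -> {d.name}: {ping(s, d, SVIS)}")
```

The `A -> linux` case shows why a host without a default gateway looks unreachable even when the switch routes correctly: the echo-request arrives, but the reply has nowhere to go.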
