Solved

SG500 -  Inter VLAN Routing - Help

Posted on 2013-06-27
Last Modified: 2013-07-04
Hi all - I'm new to the Exchange.

I have a new Cisco SG500 - I'm not new to Cisco by any means, but this is the first SG500.

I have enabled L3 mode, rebooted and started my config.  But as I have added new VLAN interfaces I can't even ping them from the SG500 itself.   A traceroute shows the traffic trying to go out to the default gateway and 'show ip route' shows no corresponding route entry.

I have enabled routing "ip routing".

Ultimately I need this device to route traffic between the VLANs.  

Below is the config, I'm sure I'm just not thinking correctly or something.  Any guidance is appreciated.  

-------

SW0#show run
config-file-header
SW0
v1.2.7.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 50,150,200
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname SW0
line ssh
exec-timeout 0
exit
username xxxxxxx password encrypted xxxxxxxxxxxxxxxxxxxxxxx privilege 15
ip ssh server
ip http timeout-policy 0 https-only
clock timezone " " -7
clock summer-time web recurring usa
!
interface vlan 50
 name test
 ip address 192.168.50.1 255.255.255.0
!
interface vlan 150
 name UAT
 ip address 192.168.150.1 255.255.255.0
!
interface vlan 200
 name PROD
 ip address 192.168.200.1 255.255.255.0
!
interface gigabitethernet1/1/7
 switchport mode access
!
interface gigabitethernet1/1/13
 switchport trunk native vlan 150
!


-------------------------------

SW0#ping 192.168.200.1
Pinging 192.168.200.1 with 18 bytes of data:

PING: no reply from 192.168.200.1
PING: timeout
PING: no reply from 192.168.200.1
PING: timeout
PING: no reply from 192.168.200.1
PING: timeout
PING: no reply from 192.168.200.1
PING: timeout

----192.168.200.1 PING Statistics----
4 packets transmitted, 0 packets received, 100% packet loss
Question by:schemm
8 Comments
 
LVL 11

Expert Comment

by:naderz
Do you have any interfaces configured for Vlan 200? If not, assign some interfaces to Vlan 200 (and others) and test again.

What is the result of "show ip interface brief"?

Author Comment

by:schemm
So, in the meantime I've been working with Cisco TAC, who are basically scratching their heads at this point (which I kinda find amusing, but not really). We have completely wiped the system and started over.

But to answer your question, "yes".  

At this point we have recreated the same situation with some different values. Here's the result of 'show ip int' (there is no brief on this thing).

switch070c80#show ip int


    IP Address         I/F       Type     Directed   Precedence   Status
                                          Broadcast
------------------- --------- ----------- ---------- ---------- -----------
10.11.12.176/24     vlan 1    DHCP        disable    No         Valid
192.168.2.1/24      vlan 5    Static      disable    No         Valid
192.168.3.1/24      vlan 10   Static      disable    No         Valid



Then  here's the problem as far as I'm concerned:

switch070c80#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding:          enabled

Codes: C - connected, S - static, D - DHCP

D  0.0.0.0/0          [1/2] via  10.11.12.1  5:44:40               vlan 1
C  10.11.12.0/24      is directly connected                        vlan 1


Note there's no entry for the 5 and 10 VLAN interfaces - those should have gone into the table automatically when the VLAN interfaces were defined. And then traceroute from the system itself and from the outside all show that packets which should go to the 5 or 10 VLANs are sent back out to the default gateway rather than to the VLAN interface. Which makes sense given the route table.

switch070c80#traceroute ip 192.168.2.1
Tracing the route to 192.168.2.1 (192.168.2.1) from , 30 hops max, 18 byte packets
Type Esc to abort.
 1  10.11.12.1 (10.11.12.1)  <20 ms  <20 ms  <20 ms
 2   *  *  *
 3   *  *  *
 4   *  *  *


 Here's the entire new/current config:

switch070c80#show run
config-file-header
switch070c80
v1.2.7.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 5,10
exit
vlan database
map protocol 0800 ethernet protocols-group 5
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switch070c80
line ssh
exec-timeout 0
exit
username cisco password encrypted 9edca3ad7050b3f9c1654c11b7316128fc858d19 privilege 15
ip ssh server
!
interface vlan 5
 name Test
 ip address 192.168.2.1 255.255.255.0
!
interface vlan 10
 name Test10
 ip address 192.168.3.1 255.255.255.0
!
interface gigabitethernet1/1/4
 switchport trunk native vlan 5
!
interface gigabitethernet1/1/6
 switchport trunk native vlan 10
!



I'm still hoping that this is again something stupid (like me for example), but the fact that the TAC seemed to be stumped is a bit worrisome. I have a 3560 and 4948 that I've been trying this on too. They work just as expected although one must of course do a 'no shut' on the new VLAN interfaces, but this SG500 has no 'shut' directives.

The other thing is that I can't find anybody who seems to have this working on a 500 series.

So, anybody with bright ideas?  I'd appreciate it.    

Thanks in Advance.
LVL 11

Expert Comment

by:naderz
Just to confirm: have you set the system mode to "router"?

What is the result of "show system mode"?
LVL 11

Expert Comment

by:naderz
In case you don't have this: The command for system mode router is "set system mode router".

Author Comment

by:schemm
yeah,  

switch070c80#show system mode

Feature                 State
-------------------     ---------
Mode:                   Router



But keep ideas coming, cause I'm still nowhere on this.
LVL 11

Accepted Solution

by:
naderz earned 500 total points
Question: what is connected to interfaces 1/1/4 and 1/1/6? Have you tried configuring a couple of interfaces for Vlans 5 and 10 for just access not trunk?

Assisted Solution

by:schemm
schemm earned 0 total points
SOLVED - OK,  here's the deal:  

So unlike any other Cisco L3 switch I have where once you set up the VLAN interface the entry appears in the route table, this SG500 apparently will not add the route into the table unless there is a physical port associated with the VLAN AND there must be a link on that port (it must be active).

Once you do that the SG500 populates the route table and then everything works as expected for that VLAN, and it does route traffic as expected.    

That's a tough little idiosyncrasy.    

Thanks to "naderz", got me there.
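
A way to spot the symptom described in the post above, as an added example that is not part of the original thread: it cross-checks the 'show ip int' and 'show ip route' outputs quoted earlier and lists every addressed VLAN interface that has no connected route. The function names and regexes are this example's own assumptions; the sample text is copied from the thread.

```python
import ipaddress
import re

# Outputs copied from the thread above (SG500, firmware 1.2.7.76).
SHOW_IP_INT = """\
    IP Address         I/F       Type     Directed   Precedence   Status
                                          Broadcast
------------------- --------- ----------- ---------- ---------- -----------
10.11.12.176/24     vlan 1    DHCP        disable    No         Valid
192.168.2.1/24      vlan 5    Static      disable    No         Valid
192.168.3.1/24      vlan 10   Static      disable    No         Valid
"""

SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, D - DHCP

D  0.0.0.0/0          [1/2] via  10.11.12.1  5:44:40               vlan 1
C  10.11.12.0/24      is directly connected                        vlan 1
"""

# Hypothetical parsers for the two table layouts shown in the thread.
INT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(vlan \d+)\s", re.M)
ROUTE_RE = re.compile(
    r"^C\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+is directly connected\s+(vlan \d+)", re.M)

def parse_interfaces(text):
    """Return {interface: subnet} for every addressed interface."""
    return {ifname: ipaddress.ip_interface(addr).network
            for addr, ifname in INT_RE.findall(text)}

def parse_connected(text):
    """Return the set of (interface, subnet) pairs that have a C route."""
    return {(ifname, ipaddress.ip_network(net))
            for net, ifname in ROUTE_RE.findall(text)}

def missing_connected_routes(int_text, route_text):
    """List addressed interfaces whose subnet is absent from the route table."""
    connected = parse_connected(route_text)
    return [(ifname, str(net))
            for ifname, net in parse_interfaces(int_text).items()
            if (ifname, net) not in connected]

if __name__ == "__main__":
    for ifname, net in missing_connected_routes(SHOW_IP_INT, SHOW_IP_ROUTE):
        print(f"{ifname}: {net} has an address but no connected route; "
              "check that a member port has link")
```

On the thread's output this reports vlan 5 and vlan 10, the two interfaces that only gained routes once a member port had an active link.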

Author Closing Comment

by:schemm
Combination of details needed to solve this issue.