Scott Milner
asked on
Help with inter-vlan routing on a Cisco SG500.
We currently have a flat network, with Cisco SG-series switches (an SG500 stack at the core and two SG300's on the shop floor). We're going to be adding a wireless infrastructure, so now is the logical time to restructure the network using some 'better' practices, including VLANs to separate out traffic. I have some small experience in this area, but nowhere near enough knowhow to be proficient, which leads me here.
To try to wrap my head around what I'm attempting to do, I've set up an SG500 on my test bench and am attempting to configure it with five VLANS. I'd like to be able to have connectivity between the data, telephony, and secure wireless vlans, with no access to other vlans for the guest wireless vlan. All vlans should have internet access.
My test vlans are as follows:
VLAN 1 - Management - 192.168.1.2
VLAN 2 - Data - 172.16.2.1
VLAN 3 - Telephony - 172.16.3.1
VLAN 4 - SecureWireless - 172.16.4.1
VLAN 5 - GuestWifi - 172.16.5.1
I have a Linksys RVS4000 firewall/router that I can connect to test internet functionality, but it's not connected at the present time. My hope was that I would be able to do all the routing at the switch level, and not at the router/firewall level.
I've set the SG500 to layer 3, and thought I configured routes between the vlans. I then attached a computer to a port configured for vlans 1 - 3 and began testing, and I'm seeing odd results:
A PuTTY session from the switch can ping everywhere... the vlan interfaces and the computers attached to each vlan... good!
However, things begin to break down when I try to ping from vlan to vlan.
Computer (192.168.1.11) in VLAN1 (192.168.1.2)
ping to vlan 1 interface, 192.168.1.2 - SUCCESS
ping to vlan 2 interface, 172.16.2.1 - FAIL Destination host unreachable
ping to vlan 2 computer, 172.16.2.11 - FAIL Destination host unreachable
ping to vlan 3 interface, 172.16.3.1 - FAIL Destination host unreachable
ping to vlan 3 computer, 172.16.3.11 - FAIL Destination host unreachable
Computer (172.16.2.11) in VLAN2 (172.16.2.1)
ping to vlan 2 interface, 172.16.2.1 - SUCCESS
ping to vlan 1 interface, 192.168.1.2 - SUCCESS
ping to vlan 1 computer, 192.168.1.11 - FAIL Request timed out
ping to vlan 3 interface, 172.16.3.1 - SUCCESS
ping to vlan 3 computer, 172.16.3.11 - SUCCESS
Computer (172.16.3.11) in VLAN3 (172.16.3.1)
ping to vlan 3 interface, 172.16.3.1 - SUCCESS
ping to vlan 1 interface, 192.168.1.2 - SUCCESS
ping to vlan 1 computer, 192.168.1.11 - FAIL Request timed out
ping to vlan 2 interface, 172.16.2.1 - SUCCESS
ping to vlan 2 computer, 172.16.2.11 - SUCCESS
This must mean that I'm missing something in my IP routes (as well as that I really don't know what I'm doing!), but I just don't understand enough to know why I'm getting the mixed results that I'm seeing.
Can anyone offer any assistance?
I've attached the current running config from my test setup.
ASKER CERTIFIED SOLUTION
On switch you are missing default route:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
On router you need to configure routes to networks on SG500
ip route 172.16.2.0 255.255.255.0 192.168.1.2
ip route 172.16.3.0 255.255.255.0 192.168.1.2
ip route 172.16.4.0 255.255.255.0 192.168.1.2
ip route 172.16.5.0 255.255.255.0 192.168.1.2
or you can write it in two routes (summarization)
ip route 172.16.2.0 255.255.254.0 192.168.1.2
ip route 172.16.4.0 255.255.254.0 192.168.1.2
ASKER
Ok... If you don't mind, I'll restate what you wrote to ensure I understand it...
the default route is on the switch, and it's telling all outbound traffic that it needs to go out the IP address of my router. (makes perfect sense)
Are the second set of routes (for the router) there to tell it what to do with inbound/return IP traffic that isn't destined for its own internal subnet? If so, then the switch will automatically understand how to route the inbound traffic, as the subnets are connected directly to it?
thanks again!
You may also need to adjust the NAT statement, since traffic from all VLANs needs to be NATed and then sent to the internet.
ASKER
Ok... I understand what you're saying there. However, my test 'router' (an older Cisco RVS4000) isn't quite as intuitive. I don't see anything regarding 'routes' in its interface (or NAT, for that matter).
Would I be setting up IP-based Access Control Lists for the routing?
There's nothing on NATing, but there is Single Port Forwarding and Port Range Forwarding...
No worries if you're not familiar with the router. I've pulled down the admin guide and am beginning to read through it now to see what translates to what.
sm
Routers forward packets according to the best available route in the routing table. If the router does not know where your local networks are located, return traffic (from the internet) will be sent back out to the internet. The reason: the best route on the router will most likely be the default route... and the default route points in the internet direction.
NAT - network address translation. :)
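A small simulation of the longest-prefix-match lookup described in the reply above, added here as an example (it is not from the thread, from Cisco, or from the RVS4000). It builds the router's table from the static and summarized routes suggested earlier, using the thread's lab addresses; the next hop "internet" is a placeholder for the router's upstream gateway, which the thread does not name.

```python
import ipaddress

# Constructed tables: (prefix, next hop). The router's WAN next hop is a placeholder.
WAN_NEXT_HOP = "internet"          # assumed placeholder for the upstream/ISP gateway
SWITCH_VI_VLAN1 = "192.168.1.2"    # the SG500's VLAN 1 interface, per the thread

# What the router knows before any static routes are added.
DEFAULT_ONLY = [
    ("192.168.1.0/24", "directly connected"),
    ("0.0.0.0/0", WAN_NEXT_HOP),
]

# The four per-VLAN routes suggested in the accepted answer.
PER_VLAN_ROUTES = DEFAULT_ONLY + [
    ("172.16.2.0/24", SWITCH_VI_VLAN1),
    ("172.16.3.0/24", SWITCH_VI_VLAN1),
    ("172.16.4.0/24", SWITCH_VI_VLAN1),
    ("172.16.5.0/24", SWITCH_VI_VLAN1),
]

# The two-route summary (mask 255.255.254.0 == /23) from the same answer.
SUMMARIZED_ROUTES = DEFAULT_ONLY + [
    ("172.16.2.0/23", SWITCH_VI_VLAN1),   # covers 172.16.2.0/24 and 172.16.3.0/24
    ("172.16.4.0/23", SWITCH_VI_VLAN1),   # covers 172.16.4.0/24 and 172.16.5.0/24
]


def lookup(table, dst):
    """Return the next hop for dst: the matching route with the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def summary_covers(summary_prefixes, subnet_prefixes):
    """True if every subnet lies inside exactly one of the summary prefixes."""
    summaries = [ipaddress.ip_network(p) for p in summary_prefixes]
    return all(
        sum(ipaddress.ip_network(s).subnet_of(summ) for summ in summaries) == 1
        for s in subnet_prefixes
    )


if __name__ == "__main__":
    # Return traffic for the VLAN 2 test PC: with only a default route it goes back upstream.
    print("default only ->", lookup(DEFAULT_ONLY, "172.16.2.11"))          # internet
    print("with statics ->", lookup(PER_VLAN_ROUTES, "172.16.2.11"))       # 192.168.1.2
    print("summarized   ->", lookup(SUMMARIZED_ROUTES, "172.16.5.11"))     # 192.168.1.2
```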
ASKER
:) thanks... I should have told you that I knew what NAT was...
However, there are no options for NAT on this router. Under the firewall section, I'm seeing
IP Based ACL
Single Port Forwarding
Port Range Forwarding
I'm guessing I'd set up my return routes in the IP Based ACL section, but I'm not seeing anything on NAT.
ACL is access-list and other two are port forward. None of those is NAT.
ASKER
I thought so... I'll research the RVS4000 and see if it's capable of doing this.
I really appreciate your help, Predrag.
sm
Typically you can configure static routes on almost any router, but NAT configuration for multiple VLANs can be removed from basic models (or can be strange). So, please check the router's manual.
Maybe device is configured to NAT all traffic, so configure routes and try if internet is working properly from all VLANs.
You're welcome.
ASKER
thank you for your help, Predrag
ASKER
My next step in my test lab setup is to add internet connectivity. I'm a bit unsure 'where' exactly the internet connection should live... for now, I've configured the LAN side of my router to 192.168.1.1 (VLAN1) and attached it to GE50, an untagged port in VLAN1.
From a computer on VLAN1, I have connectivity to the router and out to the internet.
However, from computers on VLAN2 and VLAN3, I can only successfully ping the VI for VLAN1 (192.168.1.2), but not beyond.
I'm assuming I must have something configured wrong for port GE50, as pinging the router should be no different than pinging a computer on any of the other VLANs, correct?
However, I'll need a default route statement for the entire switch telling it that all internet traffic should be routed out VLAN1's port GE50, correct?
Sorry for all the 'noob' questions... :)
and I remembered to attach the current config this time.
Scott
SG500Test.txt