Cisco Switching/Routing :: SG300 No Internet Access On New VLANs
Apr 16, 2012
I am trying to setup VLAN's in the company I work for and I am almost there but missing the part when the internet works.I have an SG300 as a L3 Router IP 192.168.0.93.I have created VLAN20 and VLAN40 Assigned VLAN20 192.168.2.1 and VLAN40 192.168.4.1
The static routes have been created and a default router going to the Sonicwall firewall at 192.168.0.1.Port 24 is configured as Untagged VLAN1, Untagged VLAN20 and VLAN40 in trunk mode and going to the Sonicwall NSA 2400. [code]
Working to move all 192.168.0.x network off of VLAN1 and move it a management switch.I have DHCP helper on pointing to the DHCP server.Both VLAN's once the DHCP server is configured to Gateway 192.168.0.93 can get an IP from the correct subnet either 192.168.2.x or 192.168.4.x
All PC's are getting a GW IP of 192.168.2.1 pr 192.168.4.1.All test PC's on both VLAN's can ping each other and any server with the correct GW.When I try to ping google.com or open a web page and try google.com it times out.
I was assigned a task to configure an SG300-28P to have 3 different vlans.Now on VLAN1 their will be only one device configured with static IP 192.168.0.230,On the other 2 VLANS there will be a separate router connected on each one of them and will also act as a DHCP server.
I have spent several days tearing my hair out trying to properly configure our small business switch (SG300-10p) for voice. The phones are a relatively new addition and will replace old POTS phones.Our network consists of a 1941 ISR router, the SG300-10P switch, a mac server (handing DHCP, DNS, AFP), 4 client desktops and 4 SGA525G2 IP phones. The router, server, desktops and phones all have their own connection to the switch and the second data ports on the back of the IP phones are not used. We do not have any unified comms devices for voice. Our VOIP solution is hosted by a local SIP provider, and each phone independently registers with the provider's SIP proxy over the internet.
Left almost to it’s own devices (or presumably flat, default settings on VLAN 1), this whole setup works just great. We can TFTP files, make and receive calls, and do all the usual XML stuff. Calls are crystal clear. Even the localisation and directory works. However, I’ve been told several times that to ensure good quality on VOIP calls during periods of busy traffic, I should set up some form of QoS. A Voice VLAN on the switch, I was told, is the best way to do this as it automagically gives priority to the whole voice VLAN over the normal data VLAN.
I have followed instructions in numerous manuals, articles and guides, and have managed to create the Voice VLAN, both manually and automatically (I can watch Smartport detect the phones and see the Auto Voice VLAN add the ports to the VLAN as I connect them). The trouble is, as soon as this happens, the phones lose connectivity with the rest of the network, including the DNS server and the router, and therefore the internet, causing them to lose registration with the SIP service.
I tried adding the server and router ports to the Voice VLAN and tweaking every possible combination of tagged, untagged, excluded, trunk, access, general and PVID settings I can think of (by the way, I have no idea what any of those mean). The switch is in Layer 2 mode, but adding the port connected to the router to all the VLANs does not result in internet connectivity to the phones. I have told the phones to tag frames with the VLAN ID and told them not to. I have tried upgrading firmware and I have rebooted the switch so many times I'm tired of those wretched little flashing lights.
Nothing seems to work. And so I am stuck with everything on VLAN 1. My most recent thought is that the 1941 needs to know about the Voice VLAN (I checked CDP and it knows about the switch), but I’m reluctant to start messing with the router config when this is our production network, at least without knowing what I'm doing. I don’t even know if QoS applies when a Voice VLAN is not set up and we're on VLAN 1, some articles say yes, others say no. And when it is set up right, how does that priority transfer to the router? I’ve looked in the router manual and config options and found something called 802.1Q, but I have no idea what it is, how it works or even if it applies to our situation. Can I forgo VLANs altogether and use QoS some other way, perhaps?I have googled enough to cobble together our setup in IOS up until now. Ideally, I would still like to be able to ssh or https into each device (as I do now) for management, and I’ve read about setting up a another VLAN for config, monitoring etc, but I guess that would mean routing between VLANs in Layer 3.
Is it possible to configure both Catalyst WS-C2960-24PC-L and Switch Cisco SG300-28 to work together for VLANs for voice and data ? If yes, can you give me the resources which I can refer to ?
i want to control access to internet on VLAN1 and VLAN2 (access on VLAN3), while providing access to VLAN4.My problem is in connecting to internet, i can't find a way to "route back traffic to VLANs 1 and 2 since HG8245 don't seem to provide proper static routing ON LAN interface. Maybe without resorting to changing the HG8245 router ?
They have a locked Cisco Router which is from the ISP and its confed on a fa 0/0 interface to share Internet access on the network. The ip on that interface is 195.198.11.217 255.255.255.252 and i tried it with a PC (set my personal ip to .218 and entered their dns info (195.67.199.27) and it is working. The question is now. My friend found a 3550 laying around and since the ISP wont let them conf their router he wants to use the 3550 to create 2 vlans with internet access and without access to eachother. Vlan 10 for the desktops and Vlan 20 for the wireless (Moving on to some netgear wireless switches) How would you configure the 3550 for this to work?
i am trying to set up a cisco 2950 with a vlan to seperate all of the pos machines on the network (4 of them) from all other machnes in the building (3 hard wired and wi-fi). i was going to use vlan 1 as a trunk to allow internet access to go from fa0/1 to both vlans (vlan 10 and vlan 20). i have read things about the acl having an explicit deny at the end, so i'm thinking that is my problem. i am testing it at my house before deploying it to the network. i have 1 laptop setup with an ip of 192.168.0.50, and the other is .60. my router is 192.168.0.1. i have the ethernet from the router plugged into fa0/1, the 1st laptop on fa0/2 and the other at fa0/3. before i set the vlans up, i checked the communication by just plugging them in and trying to ping, they could both ping each other, the router and 8.8.8.8. when i finished setting up the test vlans, they could not ping each other(what i wanted) and laptop 1 can ping the router, and 8.8.8.8. laptop 2 cannot ping anything. the only thing i did was create vlan 10 and 20, set port fa0/2 to vlan 10 and no sh, fa03 to vlan 20 and no sh, fa0/1 to vlan 1 and no sh. then i did switchport mode trunk on fa0/1, and switchport native vlan 1. this seems to be how i was supposed to do it, but it's been a while since i have worked with switches. i'm sure it's simple, but after searching the internet and poring over my cisco books for 5 hours, it is turning out not to be the case. here are some details:
I have a small cisco switch cluster (seven different 2924, 3524cisco switches) with 3550 as a cluster control which does all the inter vlan routing that works fine.
This cluster is in semi production PBX interop testing lab. This is a closed network without internet access and not connected to our corporate network.However now I have to add this capability so some equipment in the lab can get Microsoft updates over the internet.
I've created a port on a 3550 (fa0/19) and connected it to another network that has internet access. It picked an ip address and when I'm logged in to the 3550 I can ping hosts on the outside network. However I can't ping any hosts on that network from any hosts that are connected to my vlans.I've tried a few different things, but still can't make it to work.
Here is a short version of my 3550 configuration:
! version 12.2 no service pad service timestamps debug uptime service timestamps log datetime no service password-encryption
We need to give differentiated internet access to three VLANs. Each one of this VLANs is used for totally different purposes, so traffic between the VLANs is not allowed. Each VLAN has its own internet access provided for the data center using one fast ethernet connection.
We're thinking about using cisco 2911 for Internet access, VPN and firewall. I suppose that best option for VLANs is using Catalyst 2960S or a swithing module for the 2911, but these two options are too expensive for us. We're thinking about using swtiches from the SB series (maybe a SG-200).
We're totaly newbies to VLANs so we have many doubts. This are our questions:
1) The 2911 has three on board ethernet interfaces; we have three VLANs and three internet connections, so we need to use HWICs to get three more ethernet ports. That's right? 2) We need three HWICs or there is some kind of HWIC with more that one ethernet interface? 3) The routing solution is to assign static routes in the 2911 for each interface connected to a VLAN through a 2911's interface connected to internet? 4) Simply connecting three different router interfaces with three different switch ports, each one of them assigned to one of the three different VLAN, are we going to get internet access for all devices in those VLANs? or do we need to configure something else like trunking, VSIs...? 5) Can we achieve our goals using the SG-200 switch? 6) We have the chance to use older routers, is this possible? We're specially interested in knowing if a 1841 or a 2801 router could be used for this setup. 7) This is not a production environment so we can use refurbished equipment.
I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2.The switch has vlan 1 and vlan 50 configured, vlan 50 should have access to a limited number of host in vlan 1.The following acl has been applied on the inbound to vlan 50:
I sure the above would work, but for some reason some of the packet counter are not incrementing but the traffic is being blocked. But I would like to see the counter increment.Also I have that I may beed to use VACL wouls this be the case?
I supplied 3 numbers of SG300 series switches for the sole reason to have inter-vlan routing. I created 4 VLANs in the switches and made one switch as Layer 3 switch and other 2 as Layer 2 switch. Inter-Vlan routing is working fine. I am able to ping PCs from different VLANs. But I am not to access shared folders. Customer has installed Window 2003 server installed and it is in VLAN 1. There are some folders created in this server and it is very important for users to have access to the folders.Also, I am not able to access shared folders in other VLANs. I have created a case with Cisco small business and I got a reply saying that the switches will not support shared folder feature, which I think is not real. I am getting a very time to implement this solution in the network. I have a Sonicwall firewall after Core switch which is connected to ISP.
I have a SG300 Switche working in layer 3 mode.I configured 3 VLANs on the switch, assigned all ports, given IP addresses to VLANs interfaces, etc.Now I want to implement ACL to permit or deny access between vlans and hosts.Can I apply an ACL to a whole VLAN (in or out) like Catalyst models?I mean apply the ACL to the entire vlan or the only way in this model is to implement that ACL port by port?Every time I have a new port configure to work in a Vlan I have to implement the ACL?
I have a SG300-28P that is our Main VLAN Switch. Though the VLANs that I have on it are there mostly because of our Edge Router and our AP541Ns.We have the Following VLANs defined (Subnets Changed to conseal Piblic IPs) [code]
VLAN200 and VLAN201 come into Our Edge Router and out on a Single GE Port via VLAN Tagged to thje SG300.The SG 300 Splits them out to Untagged Ports and they are connected to Two Firewalls, each with a IP in the 200 and 201 Subnets. The AP510 has the VLAN200, VLAN192 and VLA101 tagged Subnets sent to it. The AP521 has three SSID, each associated with a Paticular VLAN.
This all works fine, though there are a few hidden flaws. Since all of the VLANs are present, both Internal and Public IPs, one could craft packets form one network and use the SG300 as its gateway to the other subnet and Gain Access. How can I isolate the Subnets, so that I can still use the SG300 as a Default Gateway for the 10.1.0.0/16 Network Make it so if someone from the 10.1.0.0/16 netwok accesses the 201.201.201.0/24 Subnet it uses the SG300's 0.0.0.0 0.0.0.0 default router (the Firewall IP) and not the VLAN InterfaceIf somone in the 201, 200, 192 Subnets uses the SG300 as a Gateway and tries to access a 10.1.0.0/16 address it gets blocked.
I've seen lots of posts from people having problems routing traffic between two vlans with some complicated examples. Any simple step-by-step example for an SG300 switch (in layer 3 mode) to configure two vlans and sending traffic between the two vlans without an external router?
-VLAN1 10.10.10.0 -VLAN2 10.10.20.0
I've tried to do this through the GUI and can't seem to make it work. I'm missing something in the GUI.
upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?
I have the following config using a Cisco 1921. I am trying to get devices on the the native VLAN to get internet access via the gateway x.x.x.73.Any thing being routed from the other Vlans 15/20/30 can get access, but nothing from an internal IP address. Is there something I am missing.
The Xs replace the same 3 octets for each interface.I am trying to route from VLANs 15/20/30 to see VLAN 5. I have tried a few things, in terms of adding extra ip routes, but can't get anything to work. Each of those Vlans have another router on the other side of them, which I have also tried adding ip routes too, but nothing. One of the routers (Vlan15 is a Draytek 2830). [code]
On a small Bording School we have the students living in several small houses, each equipped with an AP.Each Ap serve 4 Vlans.I want to restrict the switch for these AP, in a way to keep the students from removing the AP and connecting their own equipment.I tried using the secure port feature on the SG300, but that had the result of allowing the AP but denying all the users connected to the AP.The switch is a SG300-28P placed in L3 mode.
I have came across this topic, and I am wondering if this images can be uploaded to any 2900 series switches or not, and if this will work as access port for more than vlans. URL...
We have a network of 30 VLANS and currently all the vlans have access to everything. We are using Cisco 6509 switch for Layer3 routing.I would like to prevent some VLANs accessing the server VLANs. How can i resrict access to the server VLANs? Do i need to implement access-lists on the 6500 switch? or do i need to create VLANS on the firewall so that all traffic i filtered?
I have set up a scenario for a small business and have some questions about how to manage the access between the VLANs. Is there is a better / another way to do it. See the attached picture for the topology / info.
My question is: My switches is set up with x numbers of VLANs and a routed port (no switch port) to the ASA for internet connectivity. How is the best (or only??) way to manage the access between the VLANs? Is it ACL's on the switch?
And by "managing access" I mean VLAN 50 (public WiFi) only have access to the internet, only management servers have access to management VLAN, Client VLAN only have RDP access to server VLAN and so on. Is there any way to do this in the ASA (or add another (gigabit) router to the topology)) or it the only way to have lots of ACL's on the switch itself? I have thought about "router on a stick", but then I imagine there will be a bottleneck between the switch and the ASA?
(Equipment is 2 x 3650G, ASA5505, AP1252 - see attached file).
I've got a 3750x stack set up as my core switch (only a small-ish environment) - I'm shortly going to be deploying an enterprise wireless network with Corporate and Guest SSID's. I'm going to be putting all traffic from the Guest SSID in VLAN 244, and don't want it to have access to any of the other VLANs (1 (Legacy Eqpt), 4, 8, 12, 16, 20, 24, 28, 32, 248 & 252).
IP ranges for all the main VLANs are:
1: 10.0.0.x/22 4: 10.0.4.x/22 8: 10.0.8.x/22 12: 10.0.12.x/22 16: 10.0.16.x/22 etc etc (you get the pattern)
I'll probably give Guest traffic (VLAN 248) the IP range 192.168.10.x/22 (not because I NEED that many addresses, but it's easier for everyone to remember/understand if I keep the subnet masks the same all round). However I also have a CCTV VLAN (252) which already has the range 192.168.0.x/24, which some people in other VLANs WILL need access to.
So my question is: What is the syntax for the ACL on my 3750x (IP base - 15.0.2) to prevent traffic from VLAN 244 gaining access to any of my other VLANs. I'm making a broad assumption here that a layer 3 switch is perfectly capable of supporting that function? I need ALL the syntax for setting up ACL's - I've never done it before
My gateway device by the way is 10.0.4.1, and I do have inter-VLAN routing set up on the core switch (obviously).
We have a network of 30 VLANS and currently all the vlans have access to everything. We are using Cisco 6509 switch for Layer3 routing.I would like to prevent some VLANs accessing the server VLANs. How can I restrict access to the server VLANs?Do i need to implement access-lists on the 6500 switch? or do i need to create VLANS on the firewall so that all traffic i filtered ?
I am not sure if what I am trying to accomplish is possible. On my internal network I have the following VLANs setup (102, 104, 106) and they map one to one to a subnet (ie: 102 = 192.168.102.0/23, 104 = 192.168.104.0/24, etc).All interVLAN routing is done on a 3560 via vlan SVI. Connected to the 3560 via a routed port is a ASA 5510. The routed port has IP 192.168.100.1 and the ASA interface on the other side of that routed port has IP 192.168.100.2. I use 802.1x on the wired network to assign users (based on their department) into a specific VLAN. I want to extend this concept to Remote VPN access. Therefore I setup multiple Group Policies (policy is applied based on an LDAP attribute) where each policy defines a different DHCP scope. This has successfully allowed me to login wtih different users who get assigned to different Group policies and they obtain the correct DHCP IP address from the internal DHCP server (ie: an engineering person logins remotely and gets an IP in 192.168.102.0 range). However the issue (and as I was planning this out I knew this would come up) is that traffic can be routed out from the VPN client to its destination but there is no return path.
Here is what I have. Windows Domain Controller running DHCP with configured scopes.I have one ASA5510 And 4 HP Procurve switches with VLANS preconfigure from vender.
Changes needed to make to the DHCP Server (AUSPDC) in order to get things working with the new switches.
1) Configure 3 new DHCP scopes on your DHCP server.
a) scope for 10.2.201.x/24 to serve LAN employees and give them a gateway address of 10.2.201.254.
b) a scope for 10.2.202.x/24 to serve WLAN employees and give them a gateway address of 10.2.202.254.
c) a scope for 10.2.203.x/24 to serve WLAN Guests and give them a gateway address of 10.2.203.254.
I just upgraded and decided to go with the VLAN configuration. None of my VLANS can get out to the internet or each other due to I think My ignorance in configuring the firewall.The PC's are getting proper IP address but they cannot get out or to the other VLANs. I tried to duplicate what is working for VLAN1 but it is not working.
My problem is that I have a Cisco 300 series small business switch with multiple VLANS each one with an IP address and two or three ports assigned to each VLAN. I have an E3200 wireless router that I want to use to use to share internet on the switch. All of the VLANs are reachable from the other VLANs and I've put a static route on the E3200 so that I can reach the VLANs from a machine connected only to the router. But I can't reach machines on the otherside of the router or get to the internet from the switch.
I have 2 SG300-10 switches, and I need two VLANs, one for internal network and one for WiFi APs.I need ports 1->4 on both switches to be part of 1st VLAN and ports 5->8 on 2nd VLAN; and port 10 uplink to 2nd switch.How I set up the VLANs and interface VLAN mode?
i am trying to get a SG300 work as a router between VLAN's?So fare without any lock?Test setup one SG300 switch and 2 PC's ?Ping works from host to VLAN IP's, but not from host A to host B
SG300 with FW 1.1.2.0 configuration i L3 mode set system mode router confip routing (needed on SG300??? - ti is on a 3560 i PacketTracer) vlan databasevlan 5vlan 6vlan 7
I have just purchased a SG300-28P switch I am using a GUI to do my config. I cant create VLANs just fine on this but I can not assign IP address to the VLANs.
I just want to have a Data and Voice VLAN on this I am planning on leaving data on VLAn 1 but I can't seem to find an option to assign an IP address to my voice vlan.
For some odd reason I cant access this switch using a console port.
I have 2 ISPs terminating on 2 FE ports on my 2811 router.ISP1 had always been here, used for the following:Internet access to LAN usersInternet access with public IP mapping to servers in different security zones (VLANS)Site to Site VPN tunnels to 3rd party partnersRemote VPN access to 3rd party partners We recently got a second ISP, mainly for the following:Internet access and public IP mapping to servers on seperate security zones (VLANS)Site to Site VPN tunnels to 3rd party partners as above, but different hosts So far, ISP1 and all the above service have worked based on the config below. However, having added ISP2, I have not been able to successfully create the site-to-site VPN tunnels.
version 12.4 ! ip source-route ! ip cef ! ip name-server 4.2.2.2 ip name-server 137.65.1.1 ip inspect WAAS enable
[code]....
Whenver I try to establish a tunnel on SDM_CMAP_2 and run a test using CCP, I get 2 failure reasons:
1. The peer must be routed through the crypto map interface. The following peer(s) are routed through non-crypto map interface - 4.58.130.130
2. The tunnel traffic destination must be routed through the crypto map interface. The following destinations are routed through non-crypto map interface - 4.58.130.134
The tunnels on SDM_CMAP_1 are all active Do I need to include a default route for the second ISP on the router? If so, how do I get this done? When I tried it, I had loops on the user LAN segment of the network.
How to setup 3 SG300-52 (in L2 mode) as per this diagram:Port 1 on all switches should be able to talk to each other and access the blob at the right.The ports 25 on the other hand should only be able to talk among themselves in their own private vlan. They are to carry sensitive traffic. So I created 3 vlans, vlan 78 for ports gi1, gi51 and vlan 10 for port25,49,50 and a dummy vlan: 666 with the intent of segratating vlan 10 from vlan 78. My attempts so far have failed. ports gi49-50 are configured as trunk ports and gi1,gi51 as access ports as the following cli output (excerpts of the startup config):
Ports gi1 can talk to each other and access the blob but ports 25 refuse to talk to each other. But as soon as I remove the access links to the blob they can! Obviously, at that point port gi1 lose access.Is such a topology feasable or even advisable?
