Cisco Small Business Switch VLAN Configuration

Hi Victor,

I assume you use the SG300 as the default gateway for all your hosts? If so, interVLAN routing should work. There is no need to create any routes as these networks are directly connected for the SG300. The only route you had to create was a default route pointing to your router for internet access.

See if you can ping the gateway addresses from the other VLANs. For example, a device in VLAN 2…can it ping 192.168.4.1? (assuming 192.168.20.1 and 192.168.4.1 are both on the SG300).

Rene

Hi Rene,

Thanks for replying.

Each VLAN has its own .1 as gateway, so 4.1 is the Entertainment gateway for 4.0/24; 20.1 is the Main gateway for 20.0/24, etc.

From a PC in 20.0 I can ping the 4.1 gateway, but I cannot ping a host inside 4.0.

From one of the desktops which is 192.168.20.14, I can ping 192.168.4.1 which is the gateway, but I cannot ping 192.168.4.8 which is another pc.

And yes, I have a default route to the firewall/router and each VLAN has internet access, so that is already working well.

The Cisco SG300 has a fixed IP 192.168.1.10 and it is connected on GE9 to the ZyWall as a trunk. Every other VLAN port is Access Untagged.

I’m not using the SG300 as the default gateway for all hosts, because when I was creating the IP pools for each interface, if I tried to use the SG300 as the default gateway (192.168.1.10) it said: “Default Gateway must be on the same subnet as a pool range/address”; therefore, the default gateway for each VLAN is its own .1 address.

Hi Victor,

That’s something you should fix. It’s best to use the SG300 as the default gateway for all devices for inter-VLAN routing.

Hosts require a default gateway IP address WITHIN their own subnet, that’s why you got that error.

For example for VLAN 2 and 4:

VLAN 2: 192.168.20.0/24 with 192.168.20.1 as the default gateway on the SG300.

VLAN 4: 192.168.4.0/24 with 192.168.4.1 as the default gateway on the SG300.

192.168.20.1 should be configured on the SG300 on the VLAN 2 interface and 192.168.4.1 on the VLAN 4 interface.

A host in VLAN 2 will use 192.168.20.1 as its default gateway and a host in VLAN 4 will use 192.168.4.1 as its default gateway.

Rene

Hi Rene,

I am almost having the same issue as Victor.

I have two VLANs:

- VLAN 1 (default and management VLAN); the VLAN IP address is 10.10.10.42.
Hosts in this VLAN are using 10.10.10.42 as the gateway. All is working well: inter-VLAN pings and the internet are all good.

- VLAN 100 (test VLAN); the VLAN IP address is 10.100.10.42.
Hosts in this VLAN are using 10.100.10.42 as the gateway. Pings between the VLANs are working, but there is no internet on this VLAN…

The default route has been set up as:
ip default-gateway 10.10.10.254

Hi Muhammad,

10.10.10.254 is your router that is connected to the ISP? Since inter-VLAN routing is working, your VLANs and the default gateway for the hosts are OK.

Since VLAN 1 is able to access the Internet, that proves that your SG300 knows where to send unknown traffic (default route).

The problem probably has to do with your router. There are two things you should check:

  1. Does the router have a route for the 10.100.10.x network? There should be a static route pointing to the SG300.
  2. Does the router translate traffic from 10.100.10.x with NAT/PAT?

Rene

When I checked the logs on the firewall (used as a router) I could see the traffic was coming from VLAN 100 but not going anywhere, and the fix was to add a static route in the FortiGate to point the traffic back to the switch for VLAN 100.

I added a static route in the firewall/router (in this case I used a FortiGate 60D firewall):

- navigate to Router > Static Routes,
- define the VLAN 100 subnet in the destination field: 10.100.10.0/24,
- and then use the switch IP address as the default gateway (default and management VLAN: 10.10.10.42).

So it looks like:
VLAN 100 subnet traffic - 10.100.10.0/24 ----> to ----> switch IP address as default gateway - 10.10.10.42

by doing the above it is working now

Good job Muhammad,

Without the static route, your FortiGate probably only had one route…a default route pointing to the ISP, so that’s where your traffic for VLAN 100 went. With the static route to the switch, it sends it in the right direction.

Rene

I am trying to create VLANs based on a Barracuda Firewall and an SG500x; it’s layer 2/3 by default. I have a subnet defined on the firewall, 10.1.5.0/24, and it’s connected on port 1 to port 1 of the SG500x. In native mode the SG500x picks up DHCP from the firewall, assigns any devices an IP and connects to the internet (native VLAN 1). I can’t seem to get the VLAN tagging/trunks working. And it seems I cannot have VLAN 1 active with any other VLANs. Should the connected cable on port 1 be a TRUNK port? Then say I have ports 4, 5, 6 that I want to be VLAN 100, so I have to make them all access ports, then add port 1 as trunk. Can port 1 TRUNK for all VLANs on the switch? Thanks for your help.

Hi Bron,

There are two ways you can approach this. Let me explain them.

Option 1:

You use the Barracuda firewall as the gateway for everything, not only for internet but also for inter-VLAN routing. The advantage of this solution is that you can use your Barracuda for security between VLANs (if required). Of course your firewall requires support for multiple VLANs and gateway IP addresses on its LAN interface. If you configure it like this then you require a trunk between your Barracuda and SG500 for the VLANs. You can assign the ports on your SG500 the VLANs you want and use the Barracuda as the default gateway.

Option 2:

If you want to use the SG500 for Inter-VLAN routing then you’ll have to configure an IP address for each VLAN on the SG500, this address will be used as the default gateway for each VLAN. You don’t require a trunk between the SG500 and firewall since the VLANs “terminate” at the SG500. The SG500 will function as a router and you can leave your 10.1.5.0/24 subnet between the SG500/firewall like it is. Make sure you add a default route on the SG500 to the IP address of the barracuda or your SG500 has no idea where to forward internet traffic to.

Hope this helps, if not let me know and I’ll draw some pictures to explain it better :slight_smile:

Rene
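Rene’s answer to Victor earlier in the thread (one SVI per VLAN, the SVI address as the hosts’ default gateway, a single default route to the firewall) and Option 2 here describe the same build. Below is an added CLI example for an SG300/SG500 in layer 3 mode using Victor’s addressing; it is not taken from any post in this thread. Assumptions: the firewall’s LAN address is 192.168.1.1, the uplink is port 9 and host ports are 1-8 (interface names follow the firmware’s convention, gi9 on a standalone SG300, gi1/1/9 on an SG500 stack), and the firewall has static routes for 192.168.20.0/24 and 192.168.4.0/24 via 192.168.1.10, the same return-route fix Muhammad needed on his FortiGate.

```cisco
! Put the switch in layer 3 mode first. This reboots the switch (and on the
! SG300 wipes the configuration), so it goes before anything else.
set system mode router

configure terminal

! Create the VLANs. VLAN 1 stays the transit/management VLAN toward the firewall.
vlan database
 vlan 2,4
exit

! One SVI per VLAN. The SVI address is the default gateway the hosts must use;
! a gateway outside the host's own subnet (Victor's 192.168.1.10) is rejected.
interface vlan 1
 ip address 192.168.1.10 255.255.255.0
exit
interface vlan 2
 name Main
 ip address 192.168.20.1 255.255.255.0
exit
interface vlan 4
 name Entertainment
 ip address 192.168.4.1 255.255.255.0
exit

! Uplink to the firewall (assumed port 9): an access port in the transit VLAN.
! No trunk is needed because the VLANs terminate on the switch.
interface gi9
 switchport mode access
 switchport access vlan 1
exit

! Host ports (assumed 1-4 and 5-8): untagged access ports in their VLAN.
interface range gi1-4
 switchport mode access
 switchport access vlan 2
exit
interface range gi5-8
 switchport mode access
 switchport access vlan 4
exit

! Default route for everything that is not a connected subnet.
! 192.168.1.1 is an assumed firewall address; use the ZyWall's real LAN address.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
exit

! Checks: both /24s must appear as connected routes and 0.0.0.0/0 as static.
show ip route
show ip interface
show vlan

copy running-config startup-config
```

Two things to verify afterwards: a host in VLAN 2 should reach a host in VLAN 4, not only the 192.168.4.1 gateway (Victor’s symptom; a host that still points at a different gateway, or a host firewall that drops pings from other subnets, are the usual causes), and the firewall must route the two /24s back to 192.168.1.10 or internet replies will follow its default route to the ISP. Since the DHCP pools in this thread live on the firewall, once the gateway moves to the switch either run DHCP on the switch or enable DHCP relay on each SVI toward the firewall.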

Hi Rene

After another day of banging my keyboard I learned a few things.

1 - My Barracuda DHCP server needs to be rebooted on changes; many times it was not giving DHCP (which led me to think VLANs were broken), but on static assignment of IPs the VLAN could ping the firewall. This took 2 days to figure out.

2 - I finally think I got the TRUNKING correct. I did it this way:

Port 1 - TRUNK - 10UP, 100T, 200T
Ports 2-49 - ACCESS in 3 groups of ports for 10, 100, 200

IPv4 routing enabled on Cisco
Subnets and DHCP all defined on firewall

VLAN routing first set as DHCP, one for each of 10, 100, 200, worked, but the router got very confused by the same MAC for each IP and would make 10.1.200.1 the gateway for all 3 VLANs, so only that subnet could get internet.

I set the Cisco admin to be 10.1.5.2, a static assignment on the ACCESS PORT connected to the firewall on 10UP. The 10 VLAN is only the spare ports + the ADMIN. I can access this from my laptop; that works. After trying 10 ways to get the internet working by trunking 10UP, deleting all the Cisco VLAN IPs etc., I gave up and tried static. YAY, by giving each VLAN a static IP of 10.1.200.2 and 10.1.100.2, each VLAN uses the firewall’s subnet and has access to the internet, and the laptop finally got the correct gateway of 10.1.100.1 and 10.1.200.1 on each subnet. Before, with DHCP, the Cisco would put 0.0.0.0 out either VLAN, whichever seemed to get assigned LAST. This failed, no idea why really. I also tried just deleting the IPs completely except ADMIN and turning off IPv4 on the Cisco, but it didn’t work. I thought maybe just using it as L2 with Barracuda doing all the work would be fine, but it seems I have got the same effect by assigning the firewall subnet and a static IP on the VLANs.

I had to create the VLANs, subnets and DHCP service, then assign them to PORT 4 of my firewall, which is TRUNKED to port 1 (10UP, 100T, 200T) on the Cisco. I tried deleting 10UP from the trunk but the Cisco gave me an ERROR: must have one untagged in trunk. Not sure why I have to have an untagged mixed with the two tagged. Or why DHCP was such a pain in the ass. But after 3 days I finally got it working with trial and error.

I also set the default VLAN to 10 and deleted 1

I tested and 10.1.100.1 cannot ping or see the 10.1.200.1 network.

Does that sound right to you? Not sure if I just didn’t disable the L3 well enough or what.

Hi Bron,

  1. Having to reboot for something like this is annoying :slight_smile: When you are playing with VLANs it’s a good idea to use static IPs.

  2. It might be useful to create a little network diagram with all the IP addresses, if you mail this to me then it’s easier to comment on it :slight_smile: Also, what barracuda firewall do you use? I’ll check to see what the best implementation would be.

Rene

Hi, it is the F380

https://www.barracuda.com/products/ngfirewall/models#SUB

That is a nice firewall. I see it requires all VLANs to be tagged, though. On your Cisco switch you’ll have to enable tagging for the native VLAN as well:

vlan dot1Q tag native

Hmm, well.

The only tagged port right now is the trunk for the 100/200 VLANs.
It will not let me TAG the 10 (default) port; it says it must have:

The interface should be untagged in one VLAN.

So it’s not possible to tag 10, it seems.

None of the VLAN members are tagged; I assumed they were tagged on the way out by the trunk port.

That’s too bad, I’m not sure if it’s possible to tag all VLANs on the SG switches. By default there’s always one native VLAN that is untagged but on the Cisco Catalyst switches you can even tag this one.

If VLAN 10 has issues with your barracuda then I would use another VLAN as the native VLAN (just pick anything that you don’t use) so that the switch won’t complain about lacking an untagged VLAN. You can then tag VLAN 10,100 and 200.
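Rene’s suggestion as an added configuration example (not from any post in this thread) for the Option 1 layout, where the Barracuda routes between VLANs and the SG500 is a plain layer 2 switch: the trunk toward the firewall carries VLANs 10, 100 and 200 tagged and uses an otherwise empty VLAN 999 as its native VLAN. The interface names are assumed (gi1/1/1 as the uplink, stack-style naming; a standalone SG300 uses gi1), as is the port grouping. Besides satisfying the switch’s rule that a trunk has exactly one untagged VLAN, a dead native VLAN is the standard hardening for trunks: no host traffic ever crosses the trunk untagged, so the double-tagging VLAN-hopping trick, which depends on the attacker’s access VLAN being the trunk’s native VLAN, has nothing to work with.

```cisco
configure terminal

! Production VLANs plus a VLAN that will never carry hosts, used only as the
! native VLAN of the trunk so that tagged and untagged traffic never mix.
vlan database
 vlan 10,100,200
 vlan 999
exit
interface vlan 999
 name unused-native
exit

! Uplink to the firewall (assumed gi1/1/1): everything the firewall sees is tagged.
interface gi1/1/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan add 10,100,200
exit

! Host ports stay untagged in their own VLAN; the trunk port adds the tag on
! egress, so the access ports themselves are never tagged (port grouping assumed).
interface range gi1/1/2-17
 switchport mode access
 switchport access vlan 10
exit
interface range gi1/1/18-33
 switchport mode access
 switchport access vlan 100
exit
interface range gi1/1/34-49
 switchport mode access
 switchport access vlan 200
exit
exit

! Checks: the trunk must show 999 as native and 10,100,200 as tagged members,
! and no access port may sit in VLAN 999.
show interfaces switchport gi1/1/1
show vlan

copy running-config startup-config
```

Because the switch only bridges here, it needs just one management address (on whichever VLAN you manage it from) and no SVI addresses on the other VLANs; the .1 gateways for 10, 100 and 200 live on the Barracuda, which is also where the firewall rules between the VLANs belong.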

Hi Rene, Cisco defaults to PORT 1 Default (reserved) and every port a TRUNK.

I changed this to port 10 Default and every port ACCESS in the 10 VLAN group.
Nothing is then tagged at all in the 10 group; port 1 is the TRUNK and it’s
10UP, 100T, 200T

So 10 is the default untagged, unused VLAN: if anything gets plugged in, all it can see is the other 10 ports, but it doesn’t have internet access. This means the default VLAN doesn’t have access to really anything except itself. Each VLAN then has its own IP/MAC/gateway and they can get internet WAN from the Barracuda on their subnets, as these VLANs are also represented with their subnets on the Barracuda.

So why do I need to tag anything other than PORT 1? Barracuda will give DHCP to the Cisco ports system under their correct VLANs, and allow traffic to WAN also. So I don’t see any need to TAG each access port, nor does it seem possible.

Seems to me what I did was make each VLAN on my Cisco its own switch; the default VLAN does nothing I can see, except for some reason the TRUNK needs 1 untagged VLAN. Why?


From Cisco:

Understanding the Native VLAN ID for Trunk Ports
A trunk port can carry untagged packets simultaneously with the 802.1Q tagged packets. When you assign a default port VLAN ID to the trunk port, all untagged traffic travels on the default port VLAN ID for the trunk port, and all untagged traffic is assumed to belong to this VLAN. This VLAN is referred to as the native VLAN ID for a trunk port. The native VLAN ID is the VLAN that carries untagged traffic on trunk ports.

The trunk port sends an egressing packet with a VLAN that is equal to the default port VLAN ID as untagged; all the other egressing packets are tagged by the trunk port. If you do not configure a native VLAN ID, the trunk port uses the default VLAN.