inter VLAN routing on SG300

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • inter VLAN routing on SG300

    I cannot access the Internet in my network from VLANs different than the default one.
    I'm using an SG300 switch in L3 mode where the VLANs are created and connected to a PIX firewall. Looks like the PIX probably doesn't know about the VLANs? DHCP and DNS are on one MS server... can anyone suggest some solution please?

  • #2
    Re: inter VLAN routing on SG300

    Do all of your VLANs have a corresponding SVI (Layer 3 interface with an IP address)? How is NAT set up on your PIX? Can you post the config of the PIX?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: inter VLAN routing on SG300

      PIX Version 6.3(5)
      interface ethernet0 auto
      interface ethernet1 100full
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      enable password xxx
      passwd xxx
      hostname xxxlab
      domain-name xxx.lab
      clock timezone CST -6
      clock summer-time CDT recurring
      fixup protocol dns maximum-length 512
      fixup protocol ftp 21
      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      fixup protocol http 80
      fixup protocol rsh 514
      fixup protocol rtsp 554
      fixup protocol sip 5060
      fixup protocol sip udp 5060
      fixup protocol skinny 2000
      fixup protocol smtp 25
      fixup protocol sqlnet 1521
      fixup protocol tftp 69
      names
      name 192.168.0.0 testnetwork
      name 192.168.0.6 dns_dhcp
      object-group service domaingroup tcp
      port-object eq domain
      object-group service DNSport53 tcp-udp
      description dns requests
      port-object range domain domain
      object-group network servers_test
      network-object dns_dhcp 255.255.255.255
      access-list inside_outbound_nat0_acl permit ip any 192.168.5.168 255.255.255.248
      access-list outside_access_in permit ip any any
      access-list outside_access_in permit udp any any
      access-list outside_access_in permit icmp any any
      access-list inside_access_in permit ip any any
      access-list inside_access_in permit icmp any any
      access-list inside_access_in permit udp any any
      pager lines 24
      mtu outside 1500
      mtu inside 1500
      ip address outside xxx.xxx.xxx.xxx 255.255.255.224
      ip address inside 192.168.0.252 255.255.255.0
      ip audit info action alarm
      ip audit attack action alarm
      pdm location testnetwork 255.255.0.0 inside
      pdm location dns_dhcp 255.255.255.255 inside
      pdm location 192.168.5.168 255.255.255.248 outside
      pdm group servers_test inside
      pdm logging informational 100
      pdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 0 access-list inside_outbound_nat0_acl
      nat (inside) 1 0.0.0.0 0.0.0.0 0 0
      access-group outside_access_in in interface outside
      access-group inside_access_in in interface inside
      route outside 0.0.0.0 0.0.0.0 zzz.zzz.zzz.zzz 1
      timeout xlate 0:05:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
      timeout sip-disconnect 0:02:00 sip-invite 0:03:00
      timeout uauth 0:05:00 absolute
      aaa-server TACACS+ protocol tacacs+
      aaa-server TACACS+ max-failed-attempts 3
      aaa-server TACACS+ deadtime 10
      aaa-server RADIUS protocol radius
      aaa-server RADIUS max-failed-attempts 3
      aaa-server RADIUS deadtime 10
      aaa-server LOCAL protocol local
      http server enable
      http testnetwork 255.255.0.0 inside
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      floodguard enable
      sysopt connection permit-ipsec
      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
      crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
      crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
      crypto map outside_map client authentication LOCAL
      crypto map outside_map interface outside
      isakmp enable outside
      isakmp policy 20 authentication pre-share
      isakmp policy 20 encryption 3des
      isakmp policy 20 hash md5
      isakmp policy 20 group 2
      isakmp policy 20 lifetime 86400
      telnet testnetwork 255.255.0.0 inside
      telnet timeout 5
      ssh testnetwork 255.255.0.0 inside
      ssh timeout 5
      console timeout 0
      dhcpd lease 3600
      dhcpd ping_timeout 750
      username zzz password zzz encrypted privilege 15
      terminal width 80
      Cryptochecksum:zzz
      : end

      • #4
        Re: inter VLAN routing on SG300

        You need to trunk those VLANs to the PIX. How many VLANs you can trunk will depend on the version and type of hardware. I don't believe the PIX 501 will support VLANs, but the 506 and better will with release 6.3. The trunk has to be a dot1q trunk as well. On the switch side just create your 802.1q trunk port and allow those VLANs across the trunk. Here is an example of the PIX config. With 7.0 and above the config and syntax is similar to an IOS router config.

        Step (1) Create 2 VLAN interfaces from Ethernet1:
        ---------

        pix1(config)# interface ethernet1 vlan10 physical
        pix1(config)# interface ethernet1 vlan20 logical

        Step (2) Give the Interfaces Names:
        ----------
        pix1(config)# nameif vlan10 dmz1 security10
        pix1(config)# nameif vlan20 dmz2 security20

        Step (3) Assign IP Addresses to the new Interfaces:
        --------------
        pix1(config)# ip address dmz1 192.168.10.0 255.255.255.0
        pix1(config)# ip address dmz2 192.168.20.0 255.255.255.0
        Last edited by auglan; 17th May 2012, 16:42.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: inter VLAN routing on SG300

          Is there any other way to go around it if it is an L3 switch?
          I have a PIX 501, so it is not going to work.

          • #6
            Re: inter VLAN routing on SG300

            Sorry, didn't see you had a Layer 3 switch in place. Yeah, if you have a Layer 3 switch, just make sure your Layer 3 interfaces for your VLANs are configured on the switch. Point your VLAN clients to their respective gateways. Then plug your PIX into your L3 switch. You can create its own VLAN if you like and switch the traffic at Layer 2, or create a Layer 3 interface on the L3 switch connecting to the PIX. Then just create a default static route on the L3 switch pointing to the inside interface of the PIX. You will also need routes for your internal VLANs on your PIX as well. Actually, I think this may be your problem, as I don't see the routes in the config you posted.

            route inside 10.x.x.x 255.255.255.0 10.0.0.1
            Last edited by auglan; 17th May 2012, 17:58.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
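            An added check for the diagnosis in reply #6, written for this thread and not code from the forum or from Cisco: it parses the `ip address` and `route` lines of a PIX 6.3 config, reports which VLAN subnets the PIX has no return path to through the inside interface, and generates the `route inside` lines to add. The config excerpt, the VLAN subnets (192.168.10.0/24, 192.168.20.0/24) and the SG300 next-hop address 192.168.0.1 are constructed assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted in reply #3, with the real
# outside addresses replaced by documentation ranges; no "route inside" lines yet.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.224
ip address inside 192.168.0.252 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")

def parse_pix_routes(config):
    """Return ({iface: connected network}, [(iface, network, gateway), ...])."""
    connected, static = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := IP_ADDR_RE.match(line):
            iface, addr, mask = m.groups()
            connected[iface] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := ROUTE_RE.match(line):
            iface, net, mask, gw = m.groups()
            static.append((iface, ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(gw)))
    return connected, static

def unreachable_vlans(config, vlan_subnets):
    """VLAN subnets the PIX has no path back to through 'inside': neither the
    connected inside network nor a static 'route inside' covers them, so replies
    would follow the default route out of 'outside' instead."""
    connected, static = parse_pix_routes(config)
    inside_nets = [n for i, n in connected.items() if i == "inside"]
    inside_nets += [n for i, n, _ in static if i == "inside"]
    return [c for c in vlan_subnets
            if not any(ipaddress.ip_network(c).subnet_of(n) for n in inside_nets)]

def routes_to_add(config, vlan_subnets, switch_inside_ip):
    """Build the 'route inside' lines reply #6 calls for, via the SG300's address
    on the PIX inside network (a hypothetical value supplied by the caller)."""
    connected, _ = parse_pix_routes(config)
    hop = ipaddress.ip_address(switch_inside_ip)
    if hop not in connected["inside"]:
        raise ValueError(f"next hop {hop} is not on inside network {connected['inside']}")
    return [f"route inside {n.network_address} {n.netmask} {hop} 1"
            for n in map(ipaddress.ip_network, unreachable_vlans(config, vlan_subnets))]
```

            The next-hop check matters because a `route inside` whose gateway is not on the PIX inside subnet is accepted by the CLI but never resolves, which looks identical to the missing-route symptom from the clients' side.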

            • #7
              Re: inter VLAN routing on SG300

              Does it need to be a trunk between the switch and the PIX?
              What interface does it need to be to direct traffic from the switch to the firewall?

              • #8
                Re: inter VLAN routing on SG300

                I used
                conf t
                ip default-gateway <pix_address>

                on the switch, and then the Internet started to work, but only for the default (1) VLAN.

                • #9
                  Re: inter VLAN routing on SG300

                  You use the ip default-gateway command when the switch is running as a Layer 2 device, for remote management.

                  If you're running Layer 3, you should issue the command

                  ip routing

                  Then add your default route

                  ip route 0.0.0.0 0.0.0.0 X.X.X.X (where X.X.X.X is the inside interface of the PIX)

                  All of your Layer 3 interfaces on the switch will also show up in the routing table as connected.
                  Last edited by auglan; 17th May 2012, 19:28.
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)

                  • #10
                    Re: inter VLAN routing on SG300

                    It works,
                    thank you so much!

                    • #11
                      Re: inter VLAN routing on SG300

                      Glad you got it working
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)
