Routing home internet via L3 switch

xenodamusxenodamus Member Posts: 758
Hello all - I feel like I must be missing some basic logic here, as it's been a while since I have had to think about packet flow.

I have a Cisco SG300 SMB switch and a DSL connection via an AT&T gateway (2Wire 2701HG-B). I'd like to add a 2nd VLAN to my home network and route traffic to the internet from it. Here's what I've got thus far:

2Wire: 192.168.1.1 (connected via gi20, vlan1)

SG300 VLAN1 int: 192.168.1.254
SG300 VLAN2 int: 192.168.2.254
SG300 default gateway: 192.168.1.1

PC: 192.168.2.10 (connected via gi1, vlan2)

Static route on the 2Wire: 192.168.2.0 255.255.255.0 > 192.168.1.254

I can ping from the PC through the switch to the 2Wire, so inter-VLAN routing is working as it should. Traceroutes from the PC to the internet stop at the 2Wire, however. From the switch CLI I can ping the internet, but not when I source it from VLAN2.

What am I missing here? I should be able to get this done with L3 switching right? Or is my 2Wire too dumb in some regard?

SG300 config:
*****************************************
LabSG300#sh run
config-file-header
LabSG300
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router


file SSD indicator encrypted

ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname LabSG300
no passwords complexity enable
username cisco password encrypted 7af78c911d5b48bea1dc2449d9d89513abeb4be5 privilege 15
ip ssh server
!
interface vlan 1
ip address 192.168.1.254 255.255.255.0
no ip address dhcp
!
interface vlan 2
name Lab
ip address 192.168.2.254 255.255.255.0
!
interface gigabitethernet1
switchport mode access
switchport access vlan 2
!
interface gigabitethernet2
switchport mode access
!
interface gigabitethernet20
switchport mode access
!
exit
ip default-gateway 192.168.1.1
***************************************************
CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V

Comments

  • xenodamusxenodamus Member Posts: 758
    My searches seem to indicate that interface gi20, which connects to the 2Wire gateway, needs to be a routed port rather than a switchport.

    I see that you can do this with the "no switchport" command on enterprise gear. That command isn't supported on the SG300, though........
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • xenodamusxenodamus Member Posts: 758
    Looks like the SG300 doesn't support routed ports. So unless I'm missing something, I'm going to need a router in between my L3 switch and the 2Wire gateway.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • paq7512paq7512 Member Posts: 102 ■■□□□□□□□□
    xenodamus: Take a look and see if the 2wire is setup to NAT the 192.168.2.0/24 subnet to the Internet.
  • Jon_CiscoJon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    Take a look at this post. I'm not sure it's up to date but it looks like it is addressing your questions.

    https://supportforums.cisco.com/discussion/11520346/cisco-sg300-10-how-set-inter-vlan-routing
  • xenodamusxenodamus Member Posts: 758
    Thanks for the suggestions.

    I found that Cisco thread, along with many others, where folks are having issues with inter vlan routing in general. At this point I've got traffic being routed between vlans and can ping from hosts on vlan1 to the DSL router on vlan2. I'm just not getting out to the internet.

    NAT sounds like a potential issue since I can't get past the internet router. Shouldn't my internet bound traffic be sourced from the SVI on the same subnet as the internet router? If that's the case, the existing NAT rules should work. Either way, it doesn't look like the 2Wire has any configurable options for NAT.

    Worst case, I still have an old 2600 series router with 2 fa ports that I can put in between. That just defeats my whole purpose in buying a L3 switch.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • networker050184networker050184 Mod Posts: 11,962 Mod
    You need a default route (ip route 0.0.0.0 0.0.0.0 192.168.1.1) not the ip default-gateway. That isn't going to do anything for routed traffic.

    In order for this to work you also need one of two things, your hosts on the same subnet as the 2Wire inside interface or a route on the 2Wire back to your other subnet and NAT updated on the 2Wire.
    An expert is a man who has made all the mistakes which can be made.
  • xenodamusxenodamus Member Posts: 758
    Thanks...that clears it up. Since I need internet on both VLANs, I've got to be able to configure the NAT filtering on my WAN device.

    I can't find any way to configure the NAT filtering on this 2Wire, so I may pick up a nice linksys or netgear (with configurable NAT rules) and put the 2Wire in bridge mode. That may be the simplest solution here.

    Thanks again all!
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
Sign In or Register to comment.