Cisco – Routing on SG300 with VLANs


My setup:

I receive from my ISP a /24 public IP subnet (e.g. 20.20.20.0/24).

Some of our departments want to have full control over their public IPs, so I split it up to several /27 subnets.

For the beginning I wanted to set up 3 VLANs:

  1. VLAN 100: 20.20.20.32/27
  2. VLAN 200: 20.20.20.128/27
  3. VLAN 5 (WAN connect): 20.20.20.0/30

The Gateway of the switch is 20.20.20.1.

I configured a static route on the SG300-28 (it is in L3 mode):

0.0.0.0/0 over 20.20.20.1

Clients in VLAN 100 or VLAN 200 can't reach the ISP gateway or the internet.

If I put the client in VLAN 5, it can of course connect to the GW and the internet.

I am too blind to see the mistake, so I count on you guys.

Cisco Packet Tracer Example: PKT File

Config:

config-file-header
switche5bce7
v1.4.5.02 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router 

file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
no ssd file integrity control 
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 
!
vlan database
vlan 5,10,100,200 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
ip dhcp server 
ip dhcp pool network Pool_5
address low 20.20.20.6 high 20.20.20.10 255.255.255.224 
default-router 20.20.20.5
dns-server 8.8.8.8
exit
ip dhcp pool network Pool_100
address low 20.20.20.34 high 20.20.20.62 255.255.255.224 
default-router 20.20.20.33
dns-server 8.8.8.8
exit
ip dhcp pool network Pool_200
address low 20.20.20.130 high 20.20.20.158 255.255.255.224 
default-router 20.20.20.129
dns-server 8.8.8.8
exit
bonjour interface range vlan 1
ip access-list extended VLAN_100-IN
permit ip any any ace-priority 1
exit
ip access-list extended VLAN_1-IN
permit ip any any ace-priority 1
exit
hostname switche5bce7
line console
no autobaud
exit
no passwords complexity enable 
username cisco password encrypted d033e22ae348aeb5660fc2140aec35850c4da997 privilege 15 
ip ssh server
ip ssh-client server authentication 
ip telnet server
!
interface vlan 1
 no ip address dhcp 
 service-acl input VLAN_1-IN default-action permit-any 
!
interface vlan 5
 name WAN 
!
interface vlan 10
 name MGMT 
 ip address 10.10.10.10 255.255.255.0 
!
interface vlan 100
 name VLAN_100 
 ip address 20.20.20.33 255.255.255.224 
 service-acl input VLAN_100-IN default-action permit-any 
!
interface vlan 200
 name VLAN_200 
 ip address 20.20.20.129 255.255.255.224 
!
interface gigabitethernet1
 ip address 20.20.20.2 255.255.255.252 
!
interface gigabitethernet2
 switchport mode access 
 switchport access vlan 5 
!
interface gigabitethernet3
 switchport mode access 
!
interface gigabitethernet4
 switchport mode access 
!
interface gigabitethernet5
 switchport mode access 
!
interface gigabitethernet10
 service-acl input VLAN_100-IN 
 switchport mode access 
 switchport access vlan 100 
!
interface gigabitethernet20
 switchport mode access 
 switchport access vlan 200 
!
interface gigabitethernet25
 switchport mode access 
 switchport access vlan 10 
!
interface gigabitethernet26
 switchport mode access 
 switchport access vlan 10 
!
exit
ip default-gateway 20.20.20.1 
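A sanity check on the addressing plan in the posted config, as an added example (not the poster's code): it parses the SG300 CLI text for L3 interfaces and DHCP pools and flags a pool whose scope has no owning interface or is carved out of another interface's subnet. Run against the excerpt below, it reports that Pool_5 (declared with a /27 mask, 20.20.20.0/27) has no SVI and overlaps the /30 WAN transit on gigabitethernet1; Pool_100 passes.

```python
import ipaddress

# Constructed excerpt of the SG300 config posted in the question (L3 interfaces and DHCP pools only).
SG300_CONFIG = """\
interface vlan 100
 ip address 20.20.20.33 255.255.255.224
interface gigabitethernet1
 ip address 20.20.20.2 255.255.255.252
ip dhcp pool network Pool_5
address low 20.20.20.6 high 20.20.20.10 255.255.255.224
default-router 20.20.20.5
ip dhcp pool network Pool_100
address low 20.20.20.34 high 20.20.20.62 255.255.255.224
default-router 20.20.20.33
"""

def parse(config):
    """Return ({interface: network}, {pool: {low, high, mask, gw}}) from SG300 CLI text."""
    ifaces, pools, block = {}, {}, None
    for words in filter(None, map(str.split, config.splitlines())):  # skip blank lines
        if words[0] == "interface":            # start of an interface block
            block = " ".join(words[1:])
        elif words[:4] == ["ip", "dhcp", "pool", "network"]:
            block = words[4]
            pools[block] = {}
        elif words[:2] == ["ip", "address"]:   # address + dotted mask -> network prefix
            ifaces[block] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[:2] == ["address", "low"]:
            pools[block].update(low=words[2], high=words[4], mask=words[5])
        elif words[0] == "default-router":
            pools[block]["gw"] = words[1]
    return ifaces, pools

def audit(config):
    """Flag DHCP pools whose scope does not line up with an L3 interface on the switch."""
    ifaces, pools = parse(config)
    findings = []
    for name, p in pools.items():
        net = ipaddress.ip_interface(f"{p['low']}/{p['mask']}").network
        for key in ("high", "gw"):  # range end and gateway must sit inside the pool's network
            if ipaddress.ip_address(p[key]) not in net:
                findings.append(f"{name}: {key} {p[key]} is outside {net}")
        if net not in ifaces.values():  # no interface routes for this scope
            findings.append(f"{name}: no L3 interface owns {net}")
        for iface, n in ifaces.items():  # scope carved out of another interface's subnet
            if n != net and n.overlaps(net):
                findings.append(f"{name}: {net} overlaps {iface} ({n})")
    return findings
```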

Best Answer

It doesn't work because of a limitation of the SG300.
The SG300 doesn't have routed ports.

I set up a clean SG300 config but it was not possible to reach the ISP Gateway:
Config of SG300:

config-file-header
switche5bce7
v1.4.5.02 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router 

file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
no ssd file integrity control 
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 
!
vlan database
vlan 100,200 
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switche5bce7
no passwords complexity enable 
username cisco password encrypted d033e22ae348aeb5660fc2140aec35850c4da997 privilege 15 
!
interface vlan 100
 name "VLAN100" 
 ip address 20.20.20.33 255.255.255.224 
!
interface vlan 200
 name "VLAN200" 
 ip address 20.20.20.129 255.255.255.224 
!
interface gigabitethernet1
 ip address 20.20.20.2 255.255.255.252 
!
interface gigabitethernet10
 switchport mode access 
 switchport access vlan 100 
!
interface gigabitethernet20
 switchport mode access 
 switchport access vlan 200 
!
exit
ip default-gateway 20.20.20.1

Afterwards I set up a Catalyst 3750 Switch with the same VLANs and config and I was able to issue no switchport on Interface Gigabit1/0/1.

Now I can reach the ISP Gateway as it should be.
Config of 3750:

Current configuration : 3535 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750x-24p
system mtu routing 1500
ip routing
!
!
!         
!
crypto pki trustpoint TP-self-signed-2617031040
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2617031040
 revocation-check none
 rsakeypair TP-self-signed-2617031040
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 20.20.20.2 255.255.255.252
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
 switchport access vlan 100
 switchport mode access
!         
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 20.20.20.33 255.255.255.224
!         
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end