SMB Network Setup - Biting off more than I can chew

Hey guys, I’m hoping the network wizards here can lend a hand and point out where I’m going wrong with my network setup. I’m pretty new to this calibre of networking and have likely bitten off more than I can handle with my current knowledge.

I’m in the process of setting up a small network for the SMB I work for. Our ISP has supplied a Cisco C1117 router that they manage, a /29 subnet, gateway/router IP and a couple of DNS IPs.

On our end there’s a Netgear M4300-52G switch that I was trying to set up a couple of VLANs on and get those talking to the web. Originally I’d set up VLAN 10 for general data and desktop comms, with the intention of another VLAN for separating VMs on our server, a VLAN for VoIP, and leaving VLAN 1 as management.

I’ve set up VLAN 10 on 192.168.10.0, with interfaces 1/0/2-24 associated to it.
1/0/1 and 1/0/49 are trunk ports.
I believe to have set the right vlan associations on access ports, PVIDs, native VLAN is set to 10 and I can ping hosts attached to VLAN10 from both the switch and from each other, similarly with the default gateway.

The issue comes when I try to ping 8.8.8.8 - it returns “Destination unreachable” as a reply from 192.168.1.4, the IP of 1/0/49 which is currently hooked up to the router on LAN interface 1.

I’m confident that I’ve screwed something up in the setup but want to be absolutely certain of that before I go crying to my ISP who’s dragged their feet for 3 months.

Thanks in advance for any help, or otherwise, given

I threw together a quick network layout below (as a spreadsheet, but attached as screenshots); is this more or less what you’re working with or intending?

I personally like Unifi’s default allow through VLANs rather than most hardware’s default drop policy. I know many don’t like it that way, but it makes setting up VLANs easier so you can get them all in and check that everything is good and then add your block rules to lock things down. I have a feeling that right now you have your VLANs set up but can’t ping DNS servers because you didn’t make the allow rules you need to let traffic through.

A few questions came to mind, but I ran out of time earlier:

  1. Do the native VLANs match between the router and the switch on the trunk port(s)? (Router port 1 and switch port 49)

  2. Does your switch have more than 1 IP? (1 for each VLAN? Just curious)

  3. It appears that your switch has L3 capabilities; are you intending to use the switch or the router for inter-VLAN routing? If using the switch, does it have a default route configured?

  4. If using the router for inter-VLAN routing, are the VLANs configured on the router? Are there routes configured for the VLANs and do the firewall rules allow traffic between the VLANs? (You said your ISP manages the router, so I suppose these questions are more for them than you :))

Yeah, it’s nice when you have a single console like UniFi or Meraki. Settings like these are easier to get right.

Like you alluded, I suspect the ISP has the router configured super basic but with most automatic features turned off.

Edit: extra word

That’s precisely what I’m working with, yeah!

As I said, I’m new to this and I suspect there are 10’s of things I’ve gotten wrong, overlooked, or just not configured to the proper industry standard, but I need to get a basic network setup asap then I can get my colleagues off my back and get on with the fun stuff…

As a side note, I’ve tried plugging a host directly into LAN1, and through a basic 4P L2 switch to try to rule out any mistakes I’ve made with the L3 but I still can’t get access.

I guess a caveat to that is currently I only have VLAN 10 set up as that’s the core network that needs access right now, I removed the others just to simplify the network and further eliminate errors I may have made.
W.r.t. your additional questions -

  1. I’m unsure, my ISP hasn’t given any information on the router’s native VLAN; on the switch side, VLAN 10 is set up as the native VLAN for the trunk ports.

  2. Switch has 1 IP I believe.

  3. Intend on using the switch, but there’s no need for inter-VLAN routing until I set up the other VLANs. I’d rather get it all set up now if I’m able to, but currently I’m just focusing on getting VLAN 10 configured to give internet access to hosts.

  4. I suspect not but as you say, I can’t manage it unfortunately (or fortunately given my inexperience, depending on how you look at it)

Edit: Switch has two VLANs not 1, VLAN 1 & 10 - switch has 1 IP (answer 2)

Update -

Managed to get the switch to ping the router IP and Google DNS but can’t get hosts on VLAN 10 to ping past the switch. Suspecting I misconfigured a trunk port and some access rules as has been mentioned.

Thanks for your help!

Just a reminder, typically you’ll only configure ports as trunk if they are an uplink/downlink to a router, switch, or access point (or a server/hypervisor with multiple VLANs). Best if the PVIDs (native VLANs) match across devices. In this case, VLAN 1.

I’m not necessarily recommending this, but if you just had to get it working asap, you could probably do the following on the switch:

  • Configure an IP on the switch on VLAN 10 (e.g. 192.168.10.250) (this could be in addition to whatever IP the switch has on VLAN 1)
  • Configure a default route on VLAN 10 on the switch to point to the router’s IP (e.g. 0.0.0.0/0 to 192.168.1.1).

This should probably only be temporary until you can get the router configured by the ISP—the “router on a stick” method. That’d probably be simpler to maintain for your team, if you don’t have anyone with strong network skills. (I hope this doesn’t sound condescending—it’s certainly not meant to!)

But, back to just getting it working: Do you have a DHCP server for clients on VLAN 10? They will need to use the switch’s IP (on VLAN 10) as their default gateway, either static or via DHCP.

Also, if you have any ACLs configured on the switch, I’d probably just clear them all until you get communication working as intended; then come back through and lock it down. :wink:

edit: clarity on assigning an IP to the switch
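To make the two halves of this thread concrete, here is an added example (not the poster’s switch config and not anything from the thread itself) that models the suggested temporary fix as plain routing tables and walks a packet through them. It uses the addresses from the replies (192.168.10.0/24 on VLAN 10, a switch SVI of 192.168.10.250, the router at 192.168.1.1); the host address 192.168.10.20, the router’s WAN side 203.0.113.2/30 and the ISP gateway 203.0.113.1 are constructed placeholders. The `trunk_problems` check covers question 1 (native VLAN mismatch on the 1/0/49 to LAN1 link), and `reply_path` covers question 4: even once the switch forwards toward the router, the ISP-managed router still needs a route back to 192.168.10.0/24 via the switch’s VLAN 1 address, or replies leave toward the ISP instead.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

ISP_GW = "203.0.113.1"  # constructed placeholder for the ISP-side next hop


@dataclass
class Node:
    """A host, switch or router: interface addresses plus static routes."""
    name: str
    addrs: list                                  # "addr/prefixlen" per interface or SVI
    routes: list = field(default_factory=list)   # (prefix, next_hop); "0.0.0.0/0" = default

    def owns(self, ip):
        return any(IPv4Address(a.split("/")[0]) == ip for a in self.addrs)

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes.
        Returns (network, next_hop) with next_hop None for a connected subnet."""
        cands = [(IPv4Network(a, strict=False), None) for a in self.addrs]
        cands += [(IPv4Network(p), IPv4Address(nh)) for p, nh in self.routes]
        hits = [c for c in cands if dst in c[0]]
        return max(hits, key=lambda c: c[0].prefixlen) if hits else None


def trace(nodes, src, dst, upstream=ISP_GW, max_hops=8):
    """Follow the forward path from node `src` toward IP `dst`, one hop at a time.
    Returns (path, status); status is "delivered", "handed to ISP via ..." or the
    reason forwarding stopped (no route, gateway that nobody owns, and so on)."""
    dst = IPv4Address(dst)
    cur = nodes[src]
    path = [cur.name]
    for _ in range(max_hops):
        hit = cur.lookup(dst)
        if hit is None:
            return path, f"{cur.name} has no route to {dst}"
        _net, nh = hit
        if nh is None:                            # destination is on a connected subnet
            owner = next((n for n in nodes.values() if n.owns(dst)), None)
            if owner is None:
                return path, f"{dst} is connected to {cur.name} but no modelled device has it"
            if owner is not cur:
                path.append(owner.name)
            return path, "delivered"
        if str(nh) == upstream:                   # the router's default route: leaves our model
            return path, f"handed to ISP via {nh}"
        if not any(nh in IPv4Network(a, strict=False) for a in cur.addrs):
            return path, f"{cur.name}: next hop {nh} is not on any of its connected subnets"
        owner = next((n for n in nodes.values() if n.owns(nh)), None)
        if owner is None:
            return path, f"{cur.name}: next hop {nh} is not owned by any modelled device"
        cur = owner
        path.append(cur.name)
    return path, "hop limit exceeded (routing loop?)"


def trunk_problems(a, b):
    """Compare both ends of a trunk, each given as {"name", "native", "allowed"}."""
    problems = []
    if a["native"] != b["native"]:
        problems.append(f"native VLAN {a['native']} on {a['name']} vs {b['native']} on {b['name']}")
    for v in sorted(a["allowed"] ^ b["allowed"]):
        problems.append(f"VLAN {v} is allowed on only one end of the trunk")
    return problems


def before():
    """Roughly the poster's state: the switch only has its VLAN 1 address and no SVI on
    VLAN 10, so the hosts' gateway address is not answered by any device."""
    return {
        "host":   Node("host", ["192.168.10.20/24"], [("0.0.0.0/0", "192.168.10.1")]),
        "switch": Node("switch", ["192.168.1.4/24"]),
        "router": Node("router", ["192.168.1.1/24", "203.0.113.2/30"],
                       [("0.0.0.0/0", ISP_GW)]),
    }


def after():
    """The reply's temporary fix: SVI 192.168.10.250 on VLAN 10, default route to the
    router, and hosts using the SVI as their gateway (static or via DHCP)."""
    n = before()
    n["switch"] = Node("switch", ["192.168.1.4/24", "192.168.10.250/24"],
                       [("0.0.0.0/0", "192.168.1.1")])
    n["host"] = Node("host", ["192.168.10.20/24"], [("0.0.0.0/0", "192.168.10.250")])
    return n


def reply_path(nodes, with_return_route):
    """Where a reply from the router to the VLAN 10 host actually goes.
    The router route 192.168.10.0/24 via 192.168.1.4 is an assumed fix for question 4."""
    if with_return_route:
        nodes["router"].routes.append(("192.168.10.0/24", "192.168.1.4"))
    return trace(nodes, "router", "192.168.10.20")


if __name__ == "__main__":
    print("before:", trace(before(), "host", "8.8.8.8"))
    print("after: ", trace(after(), "host", "8.8.8.8"))
    print("reply without return route:", reply_path(after(), False))
    print("reply with return route:   ", reply_path(after(), True))
    print(trunk_problems({"name": "switch 1/0/49", "native": 10, "allowed": {1, 10}},
                         {"name": "router LAN1", "native": 1, "allowed": {1, 10}}))
```

Running it shows the forward path failing at the host in the “before” layout, succeeding host to switch to router in the “after” layout, and the reply from the router going to the ISP until the router learns where 192.168.10.0/24 lives; that last result is exactly why the router-side questions in the thread end up being for the ISP.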