I have a test lab in which I have set up vSphere VST. The lab contains 1 host with 2 physical NICs. On the host I have set up 3 VMs. Physical NIC 1 (vSwitch 0) is part of the ESXi management network and physical NIC 2 (vSwitch 1) is attached to the 3 VMs. I have created 2 VLANs - VLAN 10 and 20 - on vSwitch 2 on different port groups.
2 VMs are part of VLAN 10 and the 3rd VM is part of both VLAN 10 and 20.
The physical NICs are connected to a Cisco SG300 switch. Also I have connected an interface on the Cisco switch to my ISP.
My 3rd VM is a firewall, so all traffic from VLAN 10 to the internet will have to come to the 3rd VM and then to the ISP router.
My question is regarding how traffic will be routed from VLAN 20 to the ISP router.
I have configured port 2 (connection to ISP) as a trunk port to allow VLAN 20.
Also port 4 on the physical switch - vSwitch 1 (where all VMs are connected) - is set as a trunk port to allow VLAN 20.
I hope someone can help on this.
SG300#sh run
config-file-header
SG300
v1.4.7.6 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb
!
port jumbo-frame
vlan database
vlan 10,20
exit
bonjour interface range vlan 1
hostname SG300
username user1 password encrypted xxxxx privilege 15
ip ssh server
snmp-server location LAB
clock timezone " " 0 minutes 0
!
interface vlan 1
ip address 10.20.10.254 255.255.255.0
no ip address dhcp
!
interface vlan 10
name PRODUCTION
ip address 192.168.1.254 255.255.255.0
!
interface vlan 20
name WAN
ip address 192.168.0.254 255.255.255.0
!
interface gigabitethernet1
description "From Laptop- Switch"
!
interface gigabitethernet2
description TO-ISP
switchport trunk allowed vlan add 20
!
interface gigabitethernet4
description HOST-1-VSWITCH-1
switchport trunk allowed vlan add 20
!
interface gigabitethernet5
description "ESXI-1 MGMT"
!
exit
ip route 192.168.0.0 /24 192.168.0.12
SG300#
Hi
So if I summarise the IP addresses in VLAN 20:
- VM3 firewall WAN VLAN 20: 192.168.0.12
- SG300 VLAN 20: 192.168.0.254
- ISP router: 192.168.0.1
With VLAN enabled, from the VM firewall try to ping SG300 VLAN 20 and ping the ISP router.
If you can ping SG300 VLAN 20 (192.168.0.254) but not the ISP router, most likely the ISP router is not configured in 802.1q or trunk mode.
In that case, change your config towards the ISP into something like below:
!
interface gigabitethernet2
description TO-ISP
switchport mode access
switchport access vlan 20
!
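To show why the access-mode change matters, here is an added Python model (my own illustration, not part of this thread and not a Cisco or VMware tool) of 802.1Q tag handling along the path VM3 WAN vNIC -> ESXi VST port group -> SG300 gi4 -> gi2 -> ISP router. It assumes the trunk native VLAN is 1 and that the ISP router has no 802.1Q support, so it only processes untagged frames; the ping sample is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    vlan: Optional[int]  # 802.1Q tag on the wire; None means untagged

@dataclass(frozen=True)
class SwitchPort:
    mode: str            # "trunk" or "access"
    vlan: int            # access VLAN, or the native (untagged) VLAN of a trunk
    allowed: frozenset   # VLANs permitted on a trunk (unused for access)

    def ingress(self, f: Frame) -> Optional[int]:
        """Map an arriving frame to the switch-internal VLAN; None = dropped."""
        if self.mode == "access":
            return self.vlan if f.vlan is None else None
        if f.vlan is None:
            return self.vlan  # untagged on a trunk lands in the native VLAN
        return f.vlan if f.vlan in self.allowed else None

    def egress(self, vid: int, f: Frame) -> Optional[Frame]:
        """Re-emit a frame from internal VLAN vid, tagged as this port requires."""
        if self.mode == "access":
            return Frame(f.src_ip, f.dst_ip, None) if vid == self.vlan else None
        if vid not in self.allowed:
            return None
        return Frame(f.src_ip, f.dst_ip, None if vid == self.vlan else vid)

def esxi_vst_tag(f: Frame, portgroup_vlan: int) -> Frame:
    """VST: the vSwitch tags the VM's untagged frame with the port group VLAN ID."""
    return Frame(f.src_ip, f.dst_ip, portgroup_vlan)

def frame_at_isp(gi2_mode: str) -> Optional[Frame]:
    """Frame as it leaves SG300 gi2 toward the ISP router, for a given gi2 mode."""
    gi4 = SwitchPort("trunk", 1, frozenset({1, 10, 20}))              # HOST-1-VSWITCH-1
    gi2 = {"trunk": SwitchPort("trunk", 1, frozenset({1, 20})),       # original TO-ISP config
           "access": SwitchPort("access", 20, frozenset())}[gi2_mode]  # suggested access fix
    # Constructed sample: VM3's WAN vNIC (192.168.0.12) pings the ISP router (192.168.0.1).
    wire = esxi_vst_tag(Frame("192.168.0.12", "192.168.0.1", None), 20)
    vid = gi4.ingress(wire)
    return None if vid is None else gi2.egress(vid, wire)

def isp_router_receives(gi2_mode: str) -> bool:
    """Assumption: the ISP router has no 802.1Q support and only processes untagged frames."""
    out = frame_at_isp(gi2_mode)
    return out is not None and out.vlan is None
```

With gi2 as a trunk the ping leaves the switch tagged VLAN 20 and the router ignores it; with gi2 as an access port in VLAN 20 the tag is stripped on egress and the router answers.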
Are you running Layer 2 switch mode or Layer 3 routing mode on your SG300?
I can see that you have interface vlan 10 with ip address 192.168.1.254 255.255.255.0
and interface vlan 20 with ip address 192.168.0.254 255.255.255.0.
Do you want a default gateway for each VLAN in the SG300?
If you have a gateway in the SG300, the VMs in VLAN 10 would be able to go straight to the SG300 and on to WAN/ISP without going through the 3rd VM firewall.
Is the VM firewall a layer 3 firewall or a transparent layer 2 firewall?
If it is a layer 3 firewall then normally the VMs' default gateway is in the firewall and you could do something like below:
- Delete interface vlan 10
- Optionally delete interface vlan 20 if you want people from the Internet to go straight to the firewall
- Assign the IP 192.168.1.254 to the 3rd VM firewall so all VMs' gateway is the firewall
- VM firewall default route to ISP (or to vlan 20)
- If you have interface vlan 20 and the SG300 is doing layer 3 routing, people from the Internet can traverse to other VLANs if you don't have any access list in the SG300
Hi, I am running the SG300 in Layer 3 mode.
I have set the default gateway for the 2 VLANs as follows:
VLAN 10 - includes VM 1, 2 and 3 - 192.168.1.250 - this is the LAN IP of the firewall VM3
VLAN 20 - includes VM 3 as 192.168.0.12, and the gateway for the firewall VM is 192.168.0.1, which is the ISP router IP address
The firewall VM is a layer 3 firewall.
Hi, that looks good to me.
If VM-1 / VM-2 need to traverse to the other subnet, they will reach the gateway, which is VM-3/firewall.
I assume:
- Routing in the firewall is enabled
- Firewall ports have been opened in the firewall
- ISP is the Internet and there is a device that does NAT after the VM-3 firewall, else you would need to configure NAT (SNAT) on the VM-3 firewall so VM-1/VM-3 can access the Internet.
I can get my VMs to connect to the internet while having the VLANs removed and the physical switch in L2 mode. However, when I enable VLANs for the VMs in ESXi (VST) and make the physical switch ports trunk ports to allow VLAN 20 on vSwitch1 and on the port where my ISP router is connected, I don't seem to connect to the internet. I am not sure what I am missing.
With VLAN enabled:
1. Try to do a traceroute from the VMs and see where the traceroute stops.
2. From a VM, test ping to the firewall inside interface and outside interface.
3. From the firewall, test ping to a VM.
4. From the firewall, test ping to the ISP inside interface and the Internet, e.g. 8.8.8.8.
5. Try to add VLAN 10 on the SG300 port interface gigabitethernet4 attached to vmnic1:
!
interface gigabitethernet4
description HOST-1-VSWITCH-1
switchport trunk allowed vlan add 10,20
!
Hello
With VLAN enabled:
1. Try to do a traceroute from the VMs and see where the traceroute stops - tracert to 8.8.8.8 stops at the firewall outside interface with the result "destination host unreachable"
2. From a VM, test ping to the firewall inside interface and outside interface - I get a response for both the firewall inside and outside interface
3. From the firewall, test ping to a VM - I get a reply from the VMs
4. From the firewall, test ping to the ISP inside interface and the Internet, e.g. 8.8.8.8 - 100% packet loss to both the ISP inside interface and 8.8.8.8
5. Try to add VLAN 10 on the SG300 port interface gigabitethernet4 attached to vmnic1 - have done, and still no response
Based on your testing results, the issue seems to be the VM3 firewall connection to the outside - from the firewall to the ISP inside interface and the Internet (8.8.8.8).
The firewall is able to reach the internal VMs, which are on the same subnet, but not the outside or VLAN 20.
Could you verify that the VM3 firewall outside NIC is attached to the port group WAN on vSwitch1 and not Production/VM Network?
Hi, yes, my firewall called HOME in the pic is attached to the port group belonging to VLAN 20. What I think is that traffic exiting port 4 on the physical switch does not seem to reach port 2 on the physical switch. I have made sure ports 4 and 2 are in trunk mode to allow VLAN 20 to the outside.
Also I have a route for 192.168.0.0 from 192.168.0.12, which is my firewall WAN interface.
Thank you. All LAN clients in VLAN 10 now use the firewall VM in VLAN 20 to connect to the internet.
Glad it works now.
Please note that if you have multiple ESXi hosts (let's say in the future) you would need to have VLAN 10 on the GE4 trunk port.
If you have multiple ESXi hosts, VM-to-VM traffic inside VLAN 10 will traverse the SG300 physical switch, and you need VLAN 10 in the SG300 and on the trunk port connected to the ESXi hosts' vSwitch1 vmnic1.