VLAN on PC5548 - is an L3 switch required?

Hello fellow networkers,

We have 4 PC 5348s and several 54xx L2 switches used for desktop computers, printers, wireless APs, servers, etc., with no rhyme or reason as to which is connected to a particular switch. It has grown over time, as at many companies.

Due to a security audit, we must now separate the data traffic (desktop computers, wireless, etc.) and implement VLANs.

We recently bought 2 PC 5548s to VLAN the servers, with a cluster connection cascading to other switches that will serve the office computers, warehouse, printers, etc. We were told the 5548s also support L3 features, but from reading the documentation, it appears that they have no L3 routing function.

Simple question:

Can the servers (on 3 VLANs) + 1 connection to any other switches communicate with each other on the 5548s, or will we need an L3 switch?
(Our thought was that all ports might be able to communicate if they share the same extra VLAN.)

Thanks in advance for your help

Bill

The 55xx series switches support IPv4 routing, which can be activated with the command:

# ip routing

However, they do not support VLAN routing. You will need a layer 3 switch that supports VLAN routing: 62xx, 70xx, 80xx, 81xx.

Tags: Dell Switches

Similar Questions

  • What configuration of VLAN requires a switch connectivity defined as an access port?

    What configuration of VLAN requires a switch connectivity defined as an access port?

    By external switch tagging

  • Help with VLANs on Cisco SG200-08P switch, voice and data

    Hi all

    I'm faced with a configuration problem on the Cisco SG200-08P.

    We use a Cisco SG200-08P on a mobile cart which will go from classroom to classroom and will have a computer and a Cisco VoIP phone plugged into it. The issue is that each of our closets is on different VLANs (1 voice and 1 data... let's say data VLAN 20 and voice VLAN 2025 for the sake of conversation) and which move towards every closet.

    It would be great if I could just create a generic voice and data VLAN and have this switch dynamically pick up whatever the upstream switch has; however, it seems that I have failed to do so.

    So far, I can pass the data VLAN no problem. The upstream switch port is set as an access port with a switchport voice VLAN (these are 3750-X switches).

    If the above is not possible, I guess I'll take what I can get. Should I create data VLAN 20 and voice VLAN 2025 on the Cisco SG200-08P and make a port on the Cisco SG200-08P a trunk, and a trunk on the 3750-X? Is there an option on the Cisco SG200-08P to tag voice traffic?

    I am also concerned about VTP, and I did not see an area in the Cisco SG200-08P to set it to client or transparent mode.

    Thanks for any help,

    Dan

    Playne,

    First, the bad news: the small business switches currently do not support VTP. They support the GVRP protocol, which is like VTP, but there is no state that the VLAN used; it will not automatically learn as VTP does.

    You should be able to configure the 3750 as a trunk with VLAN 1U (untagged) and VLAN 2025 tagged for voice. Configure the port on the small business switch the same way for its home port. All ports which have only phones would be access 2025U, and all ports with only a PC would be access 1U. All ports with a phone and a computer would be trunk 1U, 2025T.

    Cisco Small Business Support Center

    Randy Manthey

    CCNA, CCNA - security
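The reply above depends on both ends of the uplink agreeing on which VLAN is untagged and which are tagged. As an added example (not part of the original posts), this Python sketch parses the "1U, 2025T" notation used in the thread and reports disagreements between two link ends; the port labels and the misconfigured strings are constructed for illustration, and the one-untagged-VLAN rule is an assumption that holds for access and trunk ports.

```python
import re

# Added example, not from the thread. U = untagged, T = tagged, as in the
# "1U, 2025T" notation used in the reply above.
_TOKEN = re.compile(r"^(\d{1,4})([UT])$", re.IGNORECASE)


def parse_membership(text):
    """Parse '1U, 2025T' into {'untagged': 1, 'tagged': {2025}}."""
    untagged, tagged = None, set()
    for raw in text.split(","):
        match = _TOKEN.match(raw.replace(" ", ""))
        if not match:
            raise ValueError(f"unrecognised membership token: {raw!r}")
        vid = int(match.group(1))
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if match.group(2).upper() == "T":
            tagged.add(vid)
        elif untagged is None:
            untagged = vid
        else:
            # Assumption: an access or trunk port has one untagged VLAN.
            raise ValueError(f"more than one untagged VLAN in {text!r}")
    if untagged in tagged:
        raise ValueError(f"VLAN {untagged} is both tagged and untagged")
    return {"untagged": untagged, "tagged": tagged}


def port_role(text):
    """'2025U' is an access port; anything carrying a tagged VLAN is a trunk."""
    return "trunk" if parse_membership(text)["tagged"] else "access"


def check_link(name_a, text_a, name_b, text_b):
    """Compare both ends of one cable and list the disagreements."""
    a, b = parse_membership(text_a), parse_membership(text_b)
    findings = []
    if a["untagged"] != b["untagged"]:
        # Untagged frames leave one VLAN and land in another: the two
        # VLANs are silently bridged, which defeats the segmentation.
        findings.append(("untagged-mismatch", a["untagged"], b["untagged"]))
    for vid in sorted(a["tagged"] ^ b["tagged"]):
        # Tagged on one end only: the far end is not a tagged member of it.
        side = name_a if vid in a["tagged"] else name_b
        findings.append(("tagged-one-side", vid, side))
    return findings


if __name__ == "__main__":
    # Constructed link descriptions: (upstream 3750 port, SG200 uplink port).
    for upstream, cart in [("1U, 2025T", "1U, 2025T"),
                           ("20U, 2025T", "1U, 2025T"),
                           ("1U, 2025T", "1U")]:
        print(upstream, "<->", cart, check_link("3750", upstream, "SG200", cart))
```

An empty list means the two ends agree; an untagged mismatch is the finding to treat as a segmentation failure rather than a connectivity nuisance.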

  • Help with VLANs on an SG200-18 and two SG200-08 switches

    Hello everyone. My apologies, but I'm only average at best with my Cisco skills. I have a simple installation running some network devices connected via 3 Cisco switches. It is a small office with two rooms, one with the servers and the other with the printer and PCs. Each room has an 8-port SG200-08 switch.

    The router / firewall is a Sonicwall TZ215, and it manages the internal routing between the VLANs. Each SG200-08 was directly connected to the TZ215 (no SG200-18 yet) and the VLANs worked perfectly. Please see diagram below...

    Problems started when I added the SG200-18 in the center to handle additional devices. I don't know what I'm doing wrong, but I can't get the VLANs to work any longer. There is something I'm not setting up correctly on the SG200-18.

    Please help me set up the VLANs here - tagged, untagged, PVID, trunk... I am completely lost and have already had to reset the SG200-18 twice.

    My working setup without the 18-port switch was like this:

    SG200-08 (1)
    G1 trunk 1 1U, 100T
    G2 trunk 1 1U
    G3 trunk 1 1U
    G4 trunk 1 1U
    G5 trunk 1 1U
    G6 trunk 1 1U SERVER3
    G7 trunk 100 100U SERVER1
    G8 trunk 100 100U Server2

    SG200-08 (2)
    G1 trunk 1 1U, 50T, 200T
    G2 trunk 1 1U
    G3 trunk 1 1U
    G4 trunk 1 1U PC1A
    G5 trunk 1 1U PC1B
    G6 trunk 50 50U PC2A
    G7 trunk 50 50U PC2B
    G8 trunk 200 200U NETWORK PRINTER

    Thank you in advance.

    Hello

    Oh I'm sorry. I understand that you have 3xSG200-08 and 2 of them with the same configuration :-). So no need to use this port for now.

    Kind regards

    Aleksandra

  • (Dell LCD) screen goes blank when I connect. Requires the switching on of the screen on and outside

    (Dell LCD) screen goes blank when I connect.  Requires power to the power on and off screen, at least 15 to 20 times before picture stays on.  Any suggestions? No to the problem site so don't have the model numbers.  Dell computer and about 8 years.

    Looks like your monitor is having problems sync-ing for the resolution settings that you have defined for your monitor.  When you get your screen is displayed, right-click on an empty area of your desktop-> properties-> (tab) settings.

    Then, in the 'Screen Resolution' area, try to move the cursor to the end of 'Less' and click 'apply '.  It will then try to change to this new resolution.  If your screen is empty for now, just wait about 30 seconds and it will return to the previous resolution (which can mean that you need to power cycle your monitor you have done to get it back)-otherwise accept the settings if your display looks OK.  Try to find a solution that works with your monitor.  It is also possible that your monitor is going bad.

    HTH,

    JW

  • SD205 (switch) and VLAN

    In addition to all my switches Cisco Catalyst (successful), I have a bunch of Linksys SD205 unmanaged switches on my local network.

    I want to configure my network for VLANs, which means all my managed Cisco switches will change to a "Routing" configuration. This configuration works well with the Cisco Catalyst switches.

    Question: can the SD205 operate in this environment?  I know I can't set one of the ports on the SD205 to be 'delivery', but I would like to connect the SD205 to a Cisco port which is "effective", so that the devices on the SD205 can communicate with the rest of the world.

    So far, I have not had success, so maybe they won't work in a shared resource environment.  Does someone have a definitive answer?  If they simply can't do it, I will stop wasting my time!

    Thank you

    An unmanaged switch is not 802.1Q compatible. It will pass any Ethernet frame that was 802.1Q tagged. The only frames that pass through the switch are untagged frames, that is, the native VLAN on the Catalyst port.

    If you want to use unmanaged switches, you have to connect them to a port configured in access mode, a member of a single VLAN. For example, you can configure a port on the Catalyst in access mode for VLAN 10 and connect a switch to that port. All devices connected to the unmanaged switch will be in VLAN 10. This you can do.

    But several VLANs on the unmanaged switches is impossible, because all Ethernet frames on the switch must be untagged.

  • SB RV082 + switches with VLAN tagging functionality

    Hi guys,

    I have a small laboratory data center at home, with 1 Server iSCSI and VMware ESXi 5.1 3 guests. I run a few linux servers and windows servers.

    A couple of years ago I bought a Cisco SB double RV082 VPN router and a Netgear smart switch in order to have more segmentation and management on my network and the virtual machines. I was really happy with the Cisco router, because of its stability and functionality.

    But after a while, I wanted to learn VLANS and vlan tagging and discovered that I wanted to create interfaces for the different VLANs. I installed the firewall open source pfSense, in order to create these VLANS with tagging of the firewall and on switches/esxi hosts. The pfSense has been installed in a virtual machine on one of the hosts vSphere, and which has become a headache if something happened to the host. So I decided to go back to the Cisco SB RV082.

    So here's my question:

    Is it possible to still have all these VLANs that I created on the switches and ESXi hosts when I swap to the Cisco router? Even if the Cisco supports only port-based VLANs, this shouldn't be a problem, because of the multiple subnet feature? These VLANs will have access to the Internet and will not have access to one another. Only the primary network, the management network, should have access to the VLANs.

    Let's say my primary network is 192.168.1.X and I have 5 VLAN with IP 192.168.2.X,... 3.X... 4.X etc. To be able to use these VLANs on all devices, do I need to assign each VLAN on the Cisco to a specific port? Which means I'll have 5 Cisco cables to the switch?

    I'll probably have a DC with DHCP and DNS on a few of VLANS I create. If DHCP for the different VLANs will be created like that and won't have the firewall (which RV082 can't stand?)

    In my head, this text/topic is logical. But I'm not quite sure if you guys understand what I'm saying or want to accomplish here. So please don't hesitate to ask :-)

    Thanks in advance.

    Hi Ruben, this router supports only port-based VLANs. It does not support any VLAN tagging (802.1Q). This means that VLANs do not matter to it, only the subnets.

    If you need the subnets to communicate through the router, you can activate the multiple subnet functionality.

    If you want to limit host exposure, you can try to set up access rules to limit communication between subnets.

    -Tom
    Please mark replied messages useful

  • How to configure VLANs for a Cisco SG500-28 switch

    Hello

    First of all, this is my first post here. I hope that someone can help me, and please be patient because I know very little.

    OK, so let me explain the scenario I face, and I hope someone can help me.

    We have a Cisco SG500-28 port gigabit switch in our workplace.

    Our goal is to create 3 VLANs and separate networks between the various departments.

    VLAN1 (which is the default VLAN in the switch) - will be used for the IT department and management.

    VLAN100 - will be used for business.

    VLAN200 - will be used for clients who need to connect to internet via WiFi.

    I created VLAN100 and VLAN200, and VLAN1 is there by default.

    I want to use port 13 for VLAN200 and to connect the-Wifi access point there.

    The uplink is in port 25.

    I would be happy if you could explain things first to a more general, abstract level, and then we can look at the specific scenario that we have.

    The Cisco SG500-28 gets internet from a Sophos UTM 9 router.

    I need to take care of the inter - VLAN routing so, subnet and DHCP

    Thanks in advance,

    Sincere greetings,

    D

    Hi Desmond, looking at this DHCP pool, it looks correct.

    For the second part, you want VLAN 200 to work only on VLAN 200; that's fine. So if you have an access point, and everything on VLAN 200 connects to the access point, you can make an access list for this. The access list is ingress only, which means the inbound interface.

    So say you have a gateway connecting to port #1. You'll need to build the access list and apply it to port number 1. That's assuming you make a 'deny' access list with the source IP subnet of VLAN 200 destined for the other subnets that you do not want it to access.

    The image on another post to fill out your reference numbers; then, for the ACL binding, it should be placed on the interface where VLAN 200 first comes into the switch (i.e., the port the access point connects to; make sure that you choose to bind by port instead of per VLAN).

    -Tom
    Please mark replied messages useful
    http://blogs.Cisco.com/smallbusiness/

  • VLANS with Cisco ASA 5505 and non-Cisco switch

    I have an ASA5505 and a Netgear GSM7224 L2 switch that I am trying to use together.  I can't grasp how VLANs work (or at least how they should be set up).  When configuring my VLANs on the ASA5505 it seems simple enough, but then on my switch, I thought I'd just create the same VLAN numbers that I used on the ASA and then add the ports that I wanted to use for each VLAN.

    Currently on my ASA, I have the following VLAN configured...

    outside - vlan11 - Port 0/0

    inside - vlan1 - Port 0/1

    dmz_ftp - vlan21 - Port 0/2

    corp - vlan31 - Port 0/3

    I need to do the same thing on my switch as well...  On my way, I'm a little confused as to how I need to configure the VLAN.  Below is the screenshot of web GUI...

    Note: Normally you can now change the VLAN ID (red), but in this case the default vlan (vlan id 1) may not be changed or deleted, you can does not change its settings.

    Tagged (green), Untagged (purple) and Autodetect (yellow) you must select at least 1.  I'm not sure how to in one place to tell my inner vlan (vlan1).

    I want VLAN1 ports 1-8 on my Netgear switch used only to talk to the 0/1 interface port on the ASA5505.  I do NOT want ports 9-24 to be able to talk to ports 1-8 on the Netgear switch OR to ports 0/0, 0/2 - 0/7 on the Cisco ASA 5505.

    So, how can I configure my inner Vlan1 on ports 1-8 on the switch?  Do mark, UNTAG, autodetect them?  What about tours?  I've been a bit the impression that I would set up my VLAN on both devices, then trunk port 1 and dedicate this port on both devices to nothing other than the sheath and the security of vlan would then take the packages where they need to go.  Is this the wrong logic?

    Hi Arvo,

    If the port of the ASA is part of just a single VLAN (i.e. e0/0 carries only VLAN 11), this is called an access port. If the port of the ASA had to carry several VLANs, it would be a trunk port.

    For access ports (single VLAN), you must set the corresponding switch port to be untagged for that individual VLAN. If you decide to configure a trunk port, then the port of the switch must be set to tagged for each of the VLANs carried on the trunk.

    For example, on the ASA I have:

    interface Ethernet0/1
     switchport access vlan 20
    !
    interface Vlan20
     nameif inside
     security-level 100
     ip address 192.168.100.254 255.255.255.0

    With the above configuration, the configuration of the switch would look like this (assuming the e0/1 port of the ASA is connected to 0/1 on the switch):

    VLAN 20 - 0/1 = untagged

    If instead you use a trunk port, the config would look like this:

    interface Ethernet0/0
     switchport trunk allowed vlan 10,20
     switchport mode trunk
    !
    interface Vlan10
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Vlan20
     nameif inside
     security-level 100
     ip address 192.168.100.254 255.255.255.0

    (Assuming that the ASA e0/0 port is connected to 0/1 on the switch):

    VLAN 10 - 0/1 = tagged
    VLAN 20 - 0/1 = tagged

    Hope that helps.

    -Mike

  • Implementing 802.1X in a per-switch VLAN topology

    We have several 6509E access switches that currently have a single user VLAN per switch (for example, access-switch1 users are on vlan 101, access-switch2 users on vlan 102, etc.).

    We want to implement 802.1X, so that users find themselves either on an allowed vlan or a comments vlan based on successful authentication. However, we would like to keep the VLAN-per-switch topology, so that users on switch1 go on vlan 101 if authenticated or comments vlan 201 if untrusted, users on switch 2 go on vlan 102 if authenticated or 202 if not authenticated, etc.

    We are able to get this to work with a single trusted vlan and a single comments vlan, but they would have to extend over the entire network. Does anybody know if it is possible to allocate VLANs in 802.1X according to which switch users authenticate to, so that they are placed in the right vlan for that switch?

    Thanks in advance.

    Hi Paul,.

    Dot1x RFC 3580 specifies that the Tunnel-Private-Group-ID attribute is a string and not specifically a number, so the solution to your problem is to enter the VLAN name in the RADIUS server and configure your access switches with the individual VLAN numbers that you want to use on each one; VLANs that have the same function on all switches must have exactly the same name that you entered in the RADIUS server. For example:

    Switch1 - VLAN 100 TECH, VLAN 150 COMMENTS

    Switch2 - VLAN 200 TECH, VLAN 250 COMMENTS

    RADIUS entries

    TECH

    COMMENTS

    So if a user with mac1 connects to switch1 or switch2 and is authenticated successfully, the RADIUS server responds with Tunnel-Private-Group-ID = TECH instead of 100 or 200. Regardless of the local VLAN number on the switch, if the name matches the name in the switch configuration, the switch will place the user in the right numbered VLAN based on the name, hopefully eliminating the confusion of having to figure out how to put the same user in a differently numbered VLAN based on the access switch they connect to at the time.

    Hope this helps

    Howard

    Howard Hooper CCIE 23470

    CCDA CCNP CCNA

    MCP CWSE
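The name-based assignment described in the reply above, as an added Python sketch that is not part of the original posts. The VLAN names and numbers are the reply's; the attribute dictionary layout, the fail-closed fallback to the COMMENTS VLAN and the helper names are assumptions of this example, and real switches differ in how they treat a missing or unknown assignment.

```python
# Added example, not from the thread.
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type = 802

# Per-switch VLAN database (name -> number), taken from the reply above.
SWITCH_VLANS = {
    "switch1": {"TECH": 100, "COMMENTS": 150},
    "switch2": {"TECH": 200, "COMMENTS": 250},
}


def resolve_vlan(switch, accept_attrs, fallback_name="COMMENTS"):
    """Map a RADIUS result to a local VLAN number on one switch.

    accept_attrs is the attribute dict of an Access-Accept, or None when
    authentication failed. Returns (vlan_id, reason).
    """
    vlans = SWITCH_VLANS[switch]
    fallback = vlans[fallback_name]
    if accept_attrs is None:
        return fallback, "unauthenticated"
    if (accept_attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or accept_attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802):
        # Assumption: without a well-formed VLAN assignment, fail closed.
        return fallback, "no-valid-vlan-assignment"
    group = str(accept_attrs.get("Tunnel-Private-Group-ID", ""))
    if group in vlans:                       # exact, case-sensitive name match
        return vlans[group], "assigned-by-name"
    if group.isdigit() and int(group) in vlans.values():
        return int(group), "assigned-by-id"  # numeric IDs are still valid
    return fallback, "unknown-vlan"


def missing_names(radius_names):
    """Audit: which names the RADIUS server may send are absent on a switch?"""
    gaps = {}
    for switch, vlans in SWITCH_VLANS.items():
        absent = sorted(set(radius_names) - set(vlans))
        if absent:
            gaps[switch] = absent
    return gaps


if __name__ == "__main__":
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": "TECH"}   # constructed reply
    for sw in SWITCH_VLANS:
        print(sw, resolve_vlan(sw, accept), resolve_vlan(sw, None))
    print(missing_names(["TECH", "COMMENTS", "VOICE"]))
```

Running the audit function against the RADIUS policy before rollout catches the name typos that would otherwise leave authenticated users in the wrong VLAN on one switch only.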

  • The VLAN on a Switch Standard

    I am currently creating a new environment and we have a number of VLANS trunked together, I created a Standard switch for our virtual machine-to-machine network and the DMZ network, have each VLAN resources shared.

    What is the best way to do it?

    That I should...

    Create a vss and create groups of ports of individual virtual machine for each VLAN IDS? (for example, a switch for virtual machine VLANS and a switch to DMZ with groups of individual ports?)

    Or should I create just a switch for each with all 4095 active?

    Hey, as previously stated, the big pitfall with it would be the single points of failure, but since you're OK with it, I'm going to shut up.

    The VMware-side configuration seems OK, if you do not touch the vSwitches' default security settings.

    Regarding the loss of connectivity, I would look for the reason outside of VMware (VLAN not on the two physical switch ports, bad IP/gateway settings within the guest operating system, etc.)

  • VMware switch Vlan configuration

    Is it possible to have a switch configuration that resembles this in VMware?

    interface GigabitEthernet0/4
     description compute node 1 eth1
     switchport trunk native vlan 100
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100,101,102
     switchport mode trunk
     spanning-tree portfast trunk

    On GigabitEthernet 0/4, I have a Linux machine that needs this config.

    Thank you!

    Ah, very good. Sorry for my confusion!

    Yes, you can do it.

    interface GigabitEthernet0/4

    Understand and document how the switchport is connected to your ESXi host.  When it starts, your ESXi host lists its physical network cards, called vmnics.  Enable CDP on your vSwitches (or LLDP if you use a vDS) so that you know how your ESXi host connects to the north.

    description compute node 1 eth1

    You cannot configure descriptions on Standard vSwitches (you *can* configure them on a vDS). You can also, of course, name port groups however you like, with a few caveats.

    switchport trunk native vlan 100

    VMware virtual switches don't exactly have the notion of a native VLAN.  If you want packets to leave the ESXi host untagged, you just don't assign a VLAN to that particular port group.

    switchport trunk encapsulation dot1q

    VMware only uses 802.1Q tagging.  There is no need to explicitly configure it.  In addition, you can't.

    switchport trunk allowed vlan 100,101,102

    Create any VLANs that you like on the ESXi hosts using the port group VLAN settings.  Remember not to set a VLAN for the port group that hosts the native VLAN.

    switchport mode trunk

    ESXi hosts accept several VLANs on a vmnic out of the box.  There is no need to configure this.

    spanning-tree portfast trunk

    This option isn't strictly for switching equipment, end-hosts as ESXi.  Your ESXi NIC ports will come up as soon as possible.

    -----------------------------------------

    Remember to mark this reply 'proper' or 'useful', if you found it useful.

    Mike Brown

    NetApp, VMware and Cisco data center guy

    Consultant engineer

    Twitter: @VirtuallyMikeB

    Blog: http://VirtuallyMikeBrown.com

    LinkedIn: http://LinkedIn.com/in/michaelbbrown

  • How the Catalyst 6500 switch configuration for IDSM inline IPS works

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLANs for inline operation.

    However, I don't see any document that describes how the desired VLAN traffic gets forced through the IPS.

    In "promiscuous" mode, you can use copy/capture VACL and forward the desired traffic to the IDSM for analysis. I don't see how to get the desired traffic through the IPS.

    Note that the 6500 host is running native IOS 12.2(18)SXE.

    Thanks for any help.

    A transparent firewall is a pretty good comparison.

    Say you have vlan 10 with 100 PCs and 1 router for the network.

    If you want to apply a transparent firewall on this vlan, you cannot just put the firewall interface on vlan 10. Nothing would go through the firewall.

    Instead, you need to create a new vlan, say 1010. Now you place one firewall interface on vlan 10 and the other on vlan 1010. Nothing is going through the firewall yet. So now you move that router from vlan 10 to vlan 1010. All you do is change the vlan; the IP address and the mask of the router remain the same.

    The transparent firewall bridges vlan 10 and vlan 1010. The PCs on vlan 10 are able to communicate with and through the router, but must go through the transparent firewall to do so.

    The firewall is transparent because there is no IP routing between the 2 VLANs; instead, the same IP subnet is on both VLANs, and the transparent firewall bridges between the 2 VLANs.

    The transparent firewall can firewall between the PCs on vlan 10 and the router on vlan 1010. But if PC A on vlan 10 talks to PC B on vlan 10, then the transparent firewall does not see and cannot block this traffic.

    An InLine sensor is very similar to the transparent firewall and will bridge between the 2 VLANs. And similarly, an InLine sensor is able to monitor traffic InLine between the PCs on vlan 10 and the router on vlan 1010, but will not be able to monitor the traffic between 2 PCs on vlan 10.

    Now, the PCs on one vlan and the router on the other vlan is a classic deployment for inline sensors, but your VLANs need not be divided in this way. You can choose to place some servers in one vlan and desktops in another vlan. You subdivide the VLAN by whatever method is logical for your deployment.

    Now, for the monitoring of several VLANs, the same principle still applies. You can't monitor traffic between machines on the same vlan. So for each VLAN that you want to analyze, you will need to create a new vlan and divide the machines between the 2 VLANs.

    In your case with native IOS, you are limited to only 1 VLAN pair for InLine monitoring, but your desired deployment would require 20 vlan pairs.

    The IPS 5.1 software now has the ability to manage the 20 pairs, but the native IOS software doesn't have the ability to send the 40 VLANs (20 pairs) to the IDSM-2.

    Changes in native IOS are in testing right now, but I have not heard a release date for these changes.

    Now, CatOS has already made these changes. So here is a basic breakdown of what you could do in CatOS, which you can use to prepare for a native IOS deployment when it comes out.

    For VLANs 10-20 and 300-310 that you want monitored, you will need to break each of those VLANs into 2 VLANs.

    Let's keep it simple and add 500 to each vlan in order to create the new VLAN for each pair.

    Therefore, the following pairs:

    10/510, 11/511, 12/512, etc...

    300/800, 301/801, 302/802, etc...

    You configure the sensing port to trunk all 40 VLANs:

    set trunk 5/7 10-20,300-310,510-520,800-810

    (And then clear all other vlans off this trunk to clean things up)

    In the IDSM-2 configuration, create the 20 inline vlan pairs on interface GigabitEthernet0/7.

    Now, on each of the 20 original VLANs, move the default router for each VLAN from the original vlan to the 500+ vlan.

    At this point, you should be good to go. The IDSM-2 will not monitor traffic that stays inside each of the 20 original VLANs, but will monitor the traffic routed in and out of each of the 20 VLANs.

    Due to a switch bug, you may need to have an extra PC moved to the same vlan as the router if the switch/MSFC is used as the router and you deploy with an IDSM-2.

  • Single ASA, 2 inside core switches (HSRP): best practice design

    Hello

    I am designing a network with the following equipment.

    1: 2 * cores (4503)

    2: single Firewall ASA 5520

    I have the following design options:

    DESIGN 1:

    1. Core switches use HSRP
    2. VLANs are active on one (primary) switch at a time
    3. CONNECT THE TWO CORES TO THE ASA
    • ASA E0 - outside switch (routers)
    • ASA R1 (redundant interface = E1 + E3) - the two cores (HSRP)
    • ASA E1 - Core 1 (F3/48) + ASA E3 - Core 2 (F3/48)
    • ASA E2 - DMZ switch

    DESIGN 2:

    1. Core switches use HSRP
    2. VLANs are active on one (primary) switch at a time
    3. CONNECT THE TWO CORES TO A LAYER 2 SWITCH (INSIDE ZONE)
    4. CONNECT THE LAYER 2 SWITCH TO ASA E1

    The first option looks better to me, as it avoids a single point of failure (the inside Layer 2 switch).

    Unfortunately, I'm short on time and do not currently have access to the LAB.

    Please

    1. Share your experience and suggest which option is preferable
    2. Advantages, disadvantages during the failover hsrp, other features, etc.
    3. indicate if there is an alternate option
    4. Precautions

    BR,

    ABDUL MAJID KHAN

    Your "redundant ASA interface" is not really redundant. A single ASA has no real redundancy. I guess you could make an "inside 1" and "inside 2", but they would have separate IP addresses, and inside hosts would not automatically fail over from one to the other. I would say that the complexity that introduces more than offsets the second idea of having a small L2 switch VLAN between your single ASA's inside interface and your L3 core switches.

    That's why I prefer the second option. An L2 switch with no configuration changes being made is quite reliable; I regularly come across them with years of uptime. You can also add quasi-redundancy in option 2 by tying your ASA E1 and E3 interfaces together in an EtherChannel (requires ASA software 8.4 or later). That option is not possible with option 1 (at least not in the two basic switches) as an Etherchannel are two IOS switches at one end.

  • Problem with the VLAN routing

    I am trying to set up several VLANs on a Cisco 3560 switch. These new segments must be able to communicate with VLAN 1 and also have Internet access. I managed to add the VLANs and have network connectivity between the new VLANs.  However, routing from these VLANs to VLAN1 is not working properly.  Certainly something is missing or incorrect in this configuration. It would be much appreciated if someone could shed some light. Thanks in advance.

    Basic IP information:

    • Gateway 10.1.1.2
    • VLAN1: 10.1.1.1/24
    • VLAN2: 10.1.2.1/24
    • VLAN3: 10.1.3.1/24

    What works:

    • Hosts in VLAN 1 can ping the DG and access the internet
    • VLAN 2 and 3 communicate with each other.  Hosts in VLAN2 (e.g. 10.1.2.2) can ping hosts in VLAN3 (e.g. 10.1.3.2) on the same switch
    • Hosts in VLAN 2 and 3 can ping to the IP of VLAN1 (10.1.1.1) interface

    What does not work:

    • Hosts in VLAN 2 and 3 cannot ping hosts in VLAN 1 on the same switch, or vice versa.
    • Hosts in VLAN 2 and 3 cannot even ping the DG.

    Yched blocks my post if I understand the config.  I'm sorry that I have to include it as an attachment.

    We have no information on the DG - what it is, how it is configured.  It is likely that:

    1. It does not know the vlan2 and vlan3 subnet ranges, and therefore cannot return packets to them.

    2. The default gateway for vlan1 clients is 10.1.1.2, so when vlan1 clients try to answer vlan 2, 3, the packets are directed to the DG, which probably ONLY has a default route to the Internet.

    3. Once that is somehow solved (extra static routes on the DG), Internet for vlan 2, 3 will require the same NAT rules as for vlan 1.
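The return-path failure described in the reply above can be traced hop by hop. This added Python example (not part of the original thread) models the addresses from the question with longest-prefix-match lookups; the host 10.1.1.50, the device names and the DG's routing table are assumptions, since the thread says nothing about how the DG is configured.

```python
import copy
import ipaddress

# Added example, not from the thread. "connected" = deliver on-link,
# "internet" = leaves the site, anything else = next-hop IP address.
TOPOLOGY = {
    "pc-vlan1": {"addrs": ["10.1.1.50"],          # constructed VLAN 1 host
                 "routes": [("10.1.1.0/24", "connected"),
                            ("0.0.0.0/0", "10.1.1.2")]},
    "pc-vlan2": {"addrs": ["10.1.2.2"],
                 "routes": [("10.1.2.0/24", "connected"),
                            ("0.0.0.0/0", "10.1.2.1")]},
    "sw3560": {"addrs": ["10.1.1.1", "10.1.2.1", "10.1.3.1"],
               "routes": [("10.1.1.0/24", "connected"),
                          ("10.1.2.0/24", "connected"),
                          ("10.1.3.0/24", "connected"),
                          ("0.0.0.0/0", "10.1.1.2")]},
    "dg": {"addrs": ["10.1.1.2"],                 # assumed: default route only
           "routes": [("10.1.1.0/24", "connected"),
                      ("0.0.0.0/0", "internet")]},
}


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    dst_ip = ipaddress.ip_address(dst)
    best_len, best_hop = -1, "unreachable"
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


def owner(devices, ip):
    """Name of the device that holds this IP address, or None."""
    for name, dev in devices.items():
        if ip in dev["addrs"]:
            return name
    return None


def trace(devices, start, dst, max_hops=8):
    """Follow a packet from device `start` towards IP `dst`."""
    path, here = [start], start
    for _ in range(max_hops):
        if dst in devices[here]["addrs"]:
            return path
        hop = lookup(devices[here]["routes"], dst)
        if hop in ("internet", "unreachable"):
            return path + [hop]
        here = owner(devices, dst if hop == "connected" else hop)
        if here is None:
            return path + ["unreachable"]
        path.append(here)
    return path + ["loop"]


def ping(devices, src, dst):
    """True only if both the request and the reply reach their target."""
    out = trace(devices, src, devices[dst]["addrs"][0])
    back = trace(devices, dst, devices[src]["addrs"][0])
    return out[-1] == dst and back[-1] == src


def with_static_routes(devices, name, routes):
    """Copy of the topology with extra static routes on one device."""
    fixed = copy.deepcopy(devices)
    fixed[name]["routes"].extend(routes)
    return fixed


if __name__ == "__main__":
    print("request:", trace(TOPOLOGY, "pc-vlan2", "10.1.1.50"))
    print("reply:  ", trace(TOPOLOGY, "pc-vlan1", "10.1.2.2"))
    fixed = with_static_routes(TOPOLOGY, "dg", [("10.1.2.0/24", "10.1.1.1"),
                                                ("10.1.3.0/24", "10.1.1.1")])
    print("reply after static routes:", trace(fixed, "pc-vlan1", "10.1.2.2"))
```

The request reaches the VLAN 1 host through the 3560, but the reply is handed to the DG and follows its default route out; the static routes correspond to point 3 of the reply.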
