Setup Vlan

QuikeyMan_2
Level 1

I would like to setup a vlan on our existing network. We have a 2800 used as an edge router connected to cat. 3750 used as a layer 3 switch. We have several other layer 2 switches connected to the 3750.

I have a subnet that will be used for the vlan, but I am not sure where to begin with the 3750 configuration. At this point I am not going to worry about DHCP for the vlan. Any tips or appropriate guides would be appreciated.

24 Replies

Jon Marshall
Hall of Fame

On the 3750

switch(config)# vlan 20

switch(config-vlan)# name v20

switch(config)# int vlan 20

switch(config-if)# ip address 192.168.5.1 255.255.255.0

switch(config-if)# no shut

Note that the above assumes

1) That your layer 2 switches are connected to your L3 switch via trunks and that they are VTP clients of the 3750. If they are in VTP transparent mode you will need to manually add vlan 20 to each Layer 2 switch you need it on.

2) That you want the 3750 to be responsible for routing for vlan 20.

Jon

Will I need to configure anything with the router in order to access the internet from this vlan?

Hi

You need to decide where you want your router to be, i.e. if you want your router in one of the vlans then you need to assign it to one of the vlans. Configure a default route on the 3750 pointing to the router, and on the router you need to add routes for your vlan subnets pointing to the SVI of the vlan in which the router is assigned.

Thanks

Mahmood

Wait, what? Given the router is in vlan 1, I do not see a reason why I would also want it in the newly created vlan. Given the new vlan is being added to an existing setup, wouldn't the new vlan utilize the trunk port to go from layer 2 switch to the 3750 and out through the router?

If you have "ip routing" enabled on the 3750 then the switch should be routing between the L3 vlans. Your router just has to take care of the internet routing & specific routes to L3 subnets, or run a routing protocol between 3750 & router.

IP routing is enabled on the 3750. My assumption was that the router forwarded to the 3750, and the 3750 would see which vlan the packets need to go to based off a routing table.

Your assumption is correct. You don't need to change the router setup. But you will need to add a route to the router unless you are running a dynamic routing protocol between the 3750 and your router.

So if it was a static route using previous example on the router you would

ip route 192.168.5.0 255.255.255.0

Jon

Currently, all of our ACLs are configured on our firewall, which I did not mention previously. This would lead me to think that any ACLs I would configure for the new vlan would also be set on the firewall? I can see the default route of the router goes out to our isp, the default route of the firewall going to the ip of the router, but I cannot find anything on the 3750 in regards to a configured route.

So is your firewall between the router and the 3750 ?

Assuming it is if your 3750 is routing and you are not using a dynamic routing protocol between the 3750 and the firewall then you need to add a default route to the 3750

ip route 0.0.0.0 0.0.0.0

What is the output of a "sh ip route" on your 3750 ?

Jon

You are correct, the firewall is between the router and the 3750.

show ip route states that gateway of last resort is not set, no actual ip routes are listed.

Have you enabled ip routing on the 3750?

If not do you have an "ip default-gateway" set on the 3750.

On your clients in the existing vlan is the default-gateway set to the 3750 SVI or is it set to the inside firewall interface.

If you have no default-route on your 3750 then how does it know to send traffic onto the firewall ?

By the way, if ip routing is not enabled don't just go and enable it as you need to be careful. Come back with answers to the above questions first.

Jon

IP routing is enabled on the 3750.

The clients on the existing vlan use the inside firewall address, 172.20.4.1, as the default gateway.

Okay but do you have any active vlan interfaces on the 3750 because they should show up in a "sh ip route".

This is why you don't need any routes because the 3750 may be running ip routing but for your existing vlan the firewall is the default-gateway not the 3750 switch.

So do you want the firewall to continue routing for the existing vlan or do you want to move this to the 3750.

Regardless of that you must have a L3 vlan interface in the same vlan as the inside firewall interface with an ip address out of that subnet. Because when you add your new vlan if you want to route it off the 3750 you will need to do 2 things

3750

====

ip route 0.0.0.0 0.0.0.0

Firewall

ip route 192.168.5.0 255.255.255.0

Note that the vlan ip address is not the new vlan ip address of 192.168.5.1 but the vlan ip address of the existing vlan interface.

Does this make sense ?

Jon
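The two-route requirement described in the post above, modelled as an added example that is not part of any post in this thread: a longest-prefix-match walk over the 3750 and firewall routing tables shows what happens to outbound and return traffic when either static route is missing. The /24 mask on the existing subnet, the device names and the sample host addresses are assumptions made for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), hop) for n, hop in table
               if dst in ipaddress.ip_network(n)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Follow next hops device to device; returns (path, outcome)."""
    path, device = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[device], dst)
        if hop is None:
            return path, "no route"
        if hop == "connected":
            return path, "delivered"
        if hop not in tables:          # e.g. the edge router, not modelled
            return path + [hop], "left the modelled network"
        device = hop
        path.append(device)
    return path, "loop"

def build(default_on_3750, return_route_on_fw):
    """Tables for the topology in the thread (172.20.4.0/24 mask is assumed)."""
    sw = [("172.20.4.0/24", "connected"), ("192.168.5.0/24", "connected")]
    fw = [("172.20.4.0/24", "connected"), ("0.0.0.0/0", "edge-router")]
    if default_on_3750:                # ip route 0.0.0.0 0.0.0.0 -> firewall
        sw.append(("0.0.0.0/0", "firewall"))
    if return_route_on_fw:             # route 192.168.5.0/24 -> 3750 SVI
        fw.append(("192.168.5.0/24", "sw3750"))
    return {"sw3750": sw, "firewall": fw}

def check(tables, internet_host="203.0.113.10", vlan20_host="192.168.5.50"):
    """Outbound from the 3750 and return traffic arriving at the firewall."""
    return (trace(tables, "sw3750", internet_host),
            trace(tables, "firewall", vlan20_host))

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, check(build(*flags)))
```

With only the default route on the 3750, outbound packets reach the firewall but replies for 192.168.5.0/24 follow the firewall's default route back toward the edge router instead of the switch.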

Should I expect to see an active vlan interface given none are configured, just the default of vlan 1? I may have been misleading in mentioning an existing vlan, because I was referring to vlan 1.

That being said, I do not know if your line of questioning would change. If so, disregard the following.

I would like to continue routing for vlan 1 with the firewall. Would it be possible to use the firewall to route for the new vlan, or will the 3750 have to be used?
