VLANs and Internet

Answered Question
Nov 3rd, 2008

Hi All,

I have VLANs set up as in the attached diagram. The VLAN setup commands are as follows.


Switch(config)# ip routing

Switch(config)# vlan 2
Switch(config-vlan)# name vlan2
Switch(config)# vlan 3
Switch(config-vlan)# name vlan3
Switch(config)# vlan 4
Switch(config-vlan)# name vlan4

Switch(config)# int vlan 2
Switch(config-if)# ip address 192.168.32.1 255.255.240.0
Switch(config-if)# ip helper-address 192.168.16.2
Switch(config-if)# no shut

Switch(config)# int vlan 3
Switch(config-if)# ip address 192.168.48.1 255.255.240.0
Switch(config-if)# ip helper-address 192.168.16.2
Switch(config-if)# no shut

Switch(config)# int vlan 4
Switch(config-if)# ip address 192.168.16.1 255.255.240.0
Switch(config-if)# no shut

Switch(config)# int range fa1/0/7 - 12
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# switchport mode access

Switch(config)# int range fa1/0/13 - 18
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# switchport mode access

Switch(config)# int range fa1/0/19 - 22
Switch(config-if-range)# switchport access vlan 4
Switch(config-if-range)# switchport mode access


The DHCP and DNS server is on a box in VLAN 4.


When the default gateway on the box with DNS and DHCP is set to 192.168.16.1, all clients on all VLANs can get an IP address from the DHCP server, and DNS can resolve requests for internal names. But DNS cannot resolve requests for external names.


When the default gateway on the box with DNS and DHCP is set to 192.168.16.8, which is the IP address of the firewall and internal proxy server, only clients in VLAN 4 can get an IP address from the DHCP server, and DNS can resolve requests for both internal and external names for clients in VLAN 4 only. I understand that the DNS server can get help from DNS servers on the Internet to resolve the external names because it can route the request through the default gateway, which is pointing to the firewall box. But also because of this, the DHCP server cannot answer DHCP requests from clients on other VLANs through the right gateway.


There must be a way to let clients from all VLANs get an IP address from DHCP, and let DNS resolve both internal and external names. How do I do it, please?
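How `ip helper-address` gets the VLAN 2 and VLAN 3 clients a lease from the server in VLAN 4, as an added example that is not code from the original post: a minimal DHCPDISCOVER is built as raw bytes in the RFC 2131 layout, a relay function does what the helper address on the SVI does (stamps giaddr with the SVI address, bumps the hop count and forwards the packet as a unicast to the helper), and a server-side selector picks the scope from giaddr. The pools, the client MAC and the server interface 192.168.16.2/20 are constructed for the example; the SVI addresses are the ones from the configuration above.

```python
"""DHCP relay (ip helper-address) modelled on the wire.

Added example, not from the thread: builds a DHCPDISCOVER as the client
broadcasts it, relays it the way the 3750 SVI does, and shows how the
server picks the scope and where it sends the OFFER. The pools and the
server interface are constructed for the example."""
import ipaddress as ip
import struct

MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options

# Constructed pools: one scope per VLAN, router option = that VLAN's SVI on the 3750.
POOLS = {
    ip.ip_network("192.168.16.0/20"): "192.168.16.1",
    ip.ip_network("192.168.32.0/20"): "192.168.32.1",
    ip.ip_network("192.168.48.0/20"): "192.168.48.1",
}


def build_discover(chaddr, xid=0x3903F326):
    """DHCPDISCOVER as a client broadcasts it: op=1 (BOOTREQUEST), giaddr=0.0.0.0."""
    hdr = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                      # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = bytes([53, 1, 1, 255])        # option 53 = DHCPDISCOVER, then End
    return hdr + MAGIC + opts


def giaddr(pkt):
    """Relay agent address, bytes 24..27 of the fixed header."""
    return ip.IPv4Address(pkt[24:28])


def relay(pkt, svi, helper):
    """What `ip helper-address <helper>` on an SVI does with a broadcast DISCOVER:
    set giaddr to the SVI address if it is still zero, increment hops, and
    forward the packet as a unicast to the helper. Returns (destination, packet)."""
    hops = pkt[3] + 1
    gi = pkt[24:28] if pkt[24:28] != b"\0" * 4 else ip.IPv4Address(svi).packed
    return helper, pkt[:3] + bytes([hops]) + pkt[4:24] + gi + pkt[28:]


def select_pool(pkt, server_if):
    """Server side (RFC 2131 section 4.3.1): the scope comes from giaddr when it is
    set, otherwise from the subnet of the interface the broadcast arrived on."""
    key = giaddr(pkt)
    if key == ip.IPv4Address("0.0.0.0"):
        key = ip.ip_interface(server_if).ip
    for net, router in POOLS.items():
        if key in net:
            return net, router
    raise LookupError(f"no scope for {key}")


def offer_destination(pkt):
    """Where the OFFER goes: unicast to giaddr if set, otherwise on-link broadcast.
    An off-subnet giaddr leaves the server through its default gateway."""
    gi = giaddr(pkt)
    return str(gi) if gi != ip.IPv4Address("0.0.0.0") else "255.255.255.255"


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"))   # constructed client MAC
    dst, relayed = relay(discover, "192.168.48.1", "192.168.16.2")  # VLAN 3 SVI -> helper
    print("relayed to", dst, "with giaddr", giaddr(relayed))
    print("scope chosen:", select_pool(relayed, "192.168.16.2/20"))
    print("OFFER goes to:", offer_destination(relayed))
```

The last function is the part that ties to the symptom above: the OFFER for a VLAN 3 client is unicast to giaddr 192.168.48.1, which is off the server's own subnet, so it leaves through whatever default gateway the server has. A server in VLAN 4 answering a broadcast that arrived directly still gets the 192.168.16.0/20 scope, which is why VLAN 4 clients work either way.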




Overall Rating: 5 (2 ratings)
Correct Answer
Jon Marshall Tue, 11/04/2008 - 01:39
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN
Mark


You need to set the default-gateway on your DHCP/DNS servers to be 192.168.16.1 so that all clients can get IP addresses.


Then on your 3750


ip route 0.0.0.0 0.0.0.0 192.168.16.8


so your DNS server sends its request to its default gateway, which is 192.168.16.1, and then the 3750 forwards it on to the firewall/proxy because of the default route.


A further note. Ideally you would have your firewall in a separate VLAN than your servers, for security reasons.


Jon

markxgzhang Tue, 11/04/2008 - 03:23

Hi Jon,

Did what you said. The result is:

Clients from VLAN 4 (192.168.16.0/20) can access everything. But clients from VLAN 3 (192.168.48.0/20) can get an IP address and can get external names resolved, but cannot ping the firewall box either by name or by IP, and cannot access the Internet.


part of show run is as follow:

!
interface Vlan2
 ip address 192.168.32.1 255.255.240.0
 ip helper-address 192.168.16.2
!
interface Vlan3
 ip address 192.168.48.1 255.255.240.0
 ip helper-address 192.168.16.2
!
interface Vlan4
 ip address 192.168.16.1 255.255.240.0
!
ip default-gateway 192.168.16.8
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.16.8
no ip http server


By the way, I put the "ip http server" in, and then tried to remove it by "no", and you can see it is still there. Any way to remove it?

Thanks

Jon Marshall Tue, 11/04/2008 - 03:30
Mark


Sorry, forgot to mention that the firewall will need to know how to get to VLANs other than VLAN 4, as it is a member of VLAN 4.


Your firewall will have a default route pointing to the upstream Internet router. You will also need to add routes to your firewall for any VLANs on the 3750 that are not VLAN 4, so:


ip route 192.168.48.0 255.255.240.0 192.168.16.1


Note that the syntax is only to give you an idea of what is needed on the firewall. You don't say which type of firewall it is, so adding a route may use different syntax.


Jon

markxgzhang Tue, 11/04/2008 - 04:02

Thanks Jon. Currently it is a testing environment and the firewall is a simple one, Firestarter on a Fedora 5.0 box; I will try to figure out the routing on this box. Another thing: the company I am working with is going to use a CheckPoint UTM-1 box as a firewall, and one LAN port is going to be used to connect the VLANs. Is it true that either a routed port or another VLAN can do the job? Which way is better? It just needs one port with a single IP as the connection point (as far as I know at this stage). So the routed port is the better way, isn't it? If so, can you show me what commands should be used?

Regards

Correct Answer
Jon Marshall Tue, 11/04/2008 - 04:12
Mark


See attached link for adding routes to Linux system -


http://www.linuxquestions.org/questions/linux-networking-3/permanently-add-static-route-16769/


If you are connecting the Checkpoint firewall directly into the 3750 you can use routed or switched. With firewalls I tend to go for switched and use a dedicated VLAN. That way, if you then want to have a failover firewall later on, you can just add the new firewall into the same VLAN.


Normally I would pick a /29 subnet, e.g.


192.168.5.0/29 which gives 192.168.5.1 -> 192.168.5.6 with 5.7 as the broadcast.


Whether you choose the routed or switched port option, you will need to modify your routing, in that the firewall will also now need to know how to get back to the 192.168.16.0 network as it is no longer part of that. It's just a case of adding an additional static route on your firewall.


If you want to use a routed port


int gi1/0
 no switchport
 ip address x.x.x.x x.x.x.x


Jon

markxgzhang Tue, 11/04/2008 - 04:50

Thank you very much Jon, it is very helpful. I will do some further testing tomorrow, and get back here.


Regards

Mark

markxgzhang Thu, 11/06/2008 - 16:42

Hi Jon,

Just want to find out: suppose I use a routed port, the "ip route" statement is still necessary, isn't it?


int gi1/0
 no switchport
 ip address 192.168.5.1 255.255.255.248

ip route 0.0.0.0 0.0.0.0 192.168.5.1


am i right?


Mark


Jon Marshall Thu, 11/06/2008 - 23:57
Mark


If you use a routed port then yes, you would still need a route. However, I am a bit confused by the route you have written. Is this route meant to be on the switch? If so, the next hop wouldn't be 192.168.5.1, because that is the routed port; it would be 192.168.5.x, where x is whatever you have given to the firewall.


Jon

markxgzhang Fri, 11/07/2008 - 03:01

Sorry Jon, I did not check it carefully.

Suppose the firewall port on the firewall device is 192.168.5.2, then on the switch:


int gi1/0
 no switchport
 ip address 192.168.5.1 255.255.255.252

ip route 0.0.0.0 0.0.0.0 192.168.5.2


It looks right this time, doesn't it?

Thanks

Jon Marshall Fri, 11/07/2008 - 04:08
Yep, that looks fine now.


Jon
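The whole thread reduces to one rule: every device on the path needs a route in both directions, and a reply with no return route dies silently at the firewall's default route. The model below is an added example, not output from the poster's switch or from Cisco; it uses the thread's addresses and builds both designs discussed, the firewall inside VLAN 4 (Jon's first two answers) and the dedicated /30 on a routed port gi1/0 (the end of the thread). Assumed, because the thread does not say: the firewall does plain routing with a default route to an upstream on 203.0.113.0/30, an ISP node that knows nothing about 192.168.0.0/16, a client 192.168.48.10 on VLAN 3, and no NAT.

```python
"""Longest-prefix-match model of the thread's topology.

Added example, not from the thread or from Cisco: each node carries its
interfaces and static routes, trace() forwards a packet hop by hop the way
the 3750, the server and the firewall would, and ping() requires both
directions to work. The ISP node, the 203.0.113.0/30 outside link, the
VLAN 3 client and the firewall's plain-routing behaviour are assumptions."""
import ipaddress as ip


class Node:
    def __init__(self, name, ifaces, routes=()):
        self.name = name
        # ifname -> IPv4Interface; the connected routes come from these
        self.ifaces = {n: ip.ip_interface(a) for n, a in ifaces.items()}
        # (prefix, next hop) statics, e.g. the 3750's "ip route 0.0.0.0 0.0.0.0 192.168.16.8"
        self.static = [(ip.ip_network(p), ip.ip_address(nh)) for p, nh in routes]

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces.values())

    def next_hop(self, dst):
        """Longest prefix match over connected + static routes. Returns the address
        to forward to (dst itself for a connected prefix), or None for no route."""
        cands = [(i.network, dst) for i in self.ifaces.values() if dst in i.network]
        cands += [(p, nh) for p, nh in self.static if dst in p]
        return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None


class Topology:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def _neighbour(self, node, addr):
        """The node owning addr on a subnet node is attached to (same L2 segment)."""
        if not any(addr in i.network for i in node.ifaces.values()):
            return None
        return next((n for n in self.nodes.values() if n is not node and n.owns(addr)), None)

    def trace(self, src, dst, max_hops=16):
        """Forward a packet from the node owning src towards dst.
        Returns (path, delivered); when it dies, the last element says why."""
        src, dst = ip.ip_address(src), ip.ip_address(dst)
        node = next(n for n in self.nodes.values() if n.owns(src))
        path = [node.name]
        for _ in range(max_hops):
            if node.owns(dst):
                return path, True
            nh = node.next_hop(dst)
            if nh is None:
                return path + ["(no route)"], False
            node = self._neighbour(node, nh)
            if node is None:
                return path + [f"(nothing answers for {nh} on link)"], False
            path.append(node.name)
        return path + ["(loop)"], False

    def ping(self, a, b):
        """ICMP echo needs a forward and a return path."""
        return self.trace(a, b)[1] and self.trace(b, a)[1]


SVIS = {"vlan2": "192.168.32.1/20", "vlan3": "192.168.48.1/20", "vlan4": "192.168.16.1/20"}
UPSTREAM = [("0.0.0.0/0", "203.0.113.1")]        # firewall's default to the ISP (assumed)


def vlan4_design(firewall_routes=(), server_gw="192.168.16.1"):
    """Original post: firewall 192.168.16.8 sits inside VLAN 4."""
    return Topology([
        Node("client3", {"eth0": "192.168.48.10/20"}, [("0.0.0.0/0", "192.168.48.1")]),
        Node("3750", SVIS, [("0.0.0.0/0", "192.168.16.8")]),
        Node("dhcp-dns", {"eth0": "192.168.16.2/20"}, [("0.0.0.0/0", server_gw)]),
        Node("firewall", {"inside": "192.168.16.8/20", "outside": "203.0.113.2/30"},
             UPSTREAM + list(firewall_routes)),
        Node("isp", {"eth0": "203.0.113.1/30"}),   # knows nothing about RFC 1918 space
    ])


def transit_design(firewall_routes=()):
    """End of the thread: gi1/0 as a routed port on a dedicated /30 to the firewall."""
    return Topology([
        Node("client3", {"eth0": "192.168.48.10/20"}, [("0.0.0.0/0", "192.168.48.1")]),
        Node("3750", {**SVIS, "gi1/0": "192.168.5.1/30"}, [("0.0.0.0/0", "192.168.5.2")]),
        Node("dhcp-dns", {"eth0": "192.168.16.2/20"}, [("0.0.0.0/0", "192.168.16.1")]),
        Node("firewall", {"inside": "192.168.5.2/30", "outside": "203.0.113.2/30"},
             UPSTREAM + list(firewall_routes)),
        Node("isp", {"eth0": "203.0.113.1/30"}),
    ])


# Statics Jon says the VLAN 4 firewall needs; on the /30 design VLAN 4 needs one too.
OTHER_VLANS = [("192.168.32.0/20", "192.168.16.1"), ("192.168.48.0/20", "192.168.16.1")]
ALL_VLANS = [(p, "192.168.5.1") for p in ("192.168.16.0/20", "192.168.32.0/20", "192.168.48.0/20")]

if __name__ == "__main__":
    print("firewall -> VLAN3 client, no statics  :", vlan4_design().trace("192.168.16.8", "192.168.48.10"))
    print("VLAN3 client <-> firewall, with statics:", vlan4_design(OTHER_VLANS).ping("192.168.48.10", "192.168.16.8"))
    print("DHCP offer, server gateway = firewall  :", vlan4_design(server_gw="192.168.16.8").trace("192.168.16.2", "192.168.48.1"))
    print("/30 link, firewall without VLAN4 route :", transit_design().trace("192.168.5.2", "192.168.16.2"))
    print("/30 link, firewall with all three VLANs:", transit_design(ALL_VLANS).ping("192.168.16.2", "192.168.5.2"))
```

The first trace reproduces the symptom Mark reported after the first fix (VLAN 3 clients reach everything except the firewall): the echo request arrives, the reply matches only the firewall's default route and is handed to the ISP, which has no route back. The DHCP trace reproduces the original post's second scenario, where the server's default gateway was the firewall and only VLAN 4 clients got leases. On the /30 design the firewall's inside address is no longer in 192.168.16.0/20, so even the server VLAN is unreachable until its route is added, which is Jon's point about "how to get back to the 192.168.16.0 network".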
