Intervlan Routing on Cisco 3560G Switch

Jan 21st, 2009

Hi Team,

I am extending my LAN behind the firewall, and for that I have configured a Cisco 3560 switch and have configured VLANs on it. A Layer 2 switch will connect to each of these VLANs.

I have configured port 1 and 2 as trunk ports that belong to VLAN1.

Now, in order to achieve intervlan routing, when I make any port a routed port with the no switchport command, that port can no longer be seen in the VLAN as its member.

Can you please help with this.

At the moment there is only one subnet attached to the Firewall inside interface but after this Firewall will connect to the Layer 3 Switch through Trunk ports and should have access to all subnets on all the vlans, and vlans will access each other via switch routing.

Please see the attached config

Thanks in advance.

Elly Bornstein (Cisco Employee) Wed, 01/21/2009 - 21:34

Just to clarify a couple things:

1. trunks are L2 ports that carry multiple vlans.

In your config you do not use the 'switchport trunk allowed ...' or vtp to prune vlans from your trunks, therefore every time you add a vlan by typing 'vlan x' in config mode, both trunks on gig0/1 and 0/2 will carry this new vlan x.

2. Intervlan routing is enabled by having 'ip routing' enabled.

Remember, in most cases 1 subnet = 1 vlan (not always true, but good design).

So in your case you have:

1. subnet for FW

2. One or more subnets for users

Which totals at least 2 vlans (depends how many user subnets you want).

3. By default 3650 will know how to route between all directly connected subnets. A directly connected subnet is known to the switch by creating a physical or virtual port with an IP address.

In your case here is what you can do to simplify it all:

a. create either a 'no switchport' with ip address or a separate vlan for your FW. This effectively will be a P2P vlan

b. set up a default route pointing to the FW's inside IP

'ip route '

c. set up switch virtual interfaces (SVIs) so the switch knows about directly connected user subnets:


interface vlan

ip address

Your trunk ports will now carry vlan y down to your L2 switches, all you have to do is make 'switchport access vlan y'


1. I used as an example since it's a private IP address

2. I used since most people use either the highest or the lowest IP in the subnet as the default gateway for the PCs

3. Make sure all PCs have their default gateway set to the IP address of the vlan interface you created

Packet flow:

PCs ARP for the internet IP addresses after DNS lookups, default gateway says 'that IP is out of your local subnet, so send it to me'. Default gateway (3560) looks in its routing table and sees the internet is out a default route to the FW.
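
Steps a to c from the reply above, put together as an added example that is not part of the original thread. The VLAN numbers, VLAN names, the GigabitEthernet0/24 uplink and all IP addresses are constructed for illustration and are not the values from the post or the attached config; the trunk allow-list uses the 'switchport trunk allowed' command the reply mentions.

```cisco
! Added example. All VLAN IDs, names, ports and addresses are constructed.
ip routing
!
vlan 10
 name USERS-A
vlan 20
 name USERS-B
!
! (a) Routed point-to-point port towards the firewall inside interface
interface GigabitEthernet0/24
 description Uplink to firewall inside (assumed port)
 no switchport
 ip address 192.168.255.2 255.255.255.252
!
! (b) Default route pointing at the firewall's inside IP
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
! (c) SVIs: one per user subnet, used as the PCs' default gateway
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Trunks down to the L2 switches, limited to the user VLANs so that
! newly created VLANs are not carried automatically
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! On each L2 access switch, per user port:
!  switchport mode access
!  switchport access vlan 10
```

With this layout the firewall needs a route back to each user subnet via the switch's address on the point-to-point link, and traffic between the user VLANs is routed on the switch without passing through the firewall.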

