Inter VLAN Routing on layer 3 switch

Answered Question
Dec 21st, 2009

I have a Catalyst 3560G layer 3 switch, I am trying to configure the switch to route traffic between vlans without using our Watchguard firebox to route between them. The WG also currently gives all devices DHCP and this device must be the default gateway for all hosts. The layer 3 switch sits between the hosts and the WG. Can this be configured to route the packets without being the default gateway?

Correct Answer by Giuseppe Larosa about 7 years 1 month ago

Hello Chad,

>> Can this be configured to route the packets without being the default gateway?

User PCs will use their default gateway, which must be a device with an IP address in the same subnet.

So you can deploy inter-VLAN routing in parallel with the other box, but DHCP clients will not use it unless they add a route in the OS shell pointing to the L3 switch IP address in their subnet.

Be aware that this can create security holes if all traffic is supposed to go via the other device that may be implementing security policies.

If you want to keep the WG for Internet traffic, you need to add a specific route for all the private networks pointing to the L3 switch in all devices, or you need to have the L3 switch take the IP address that the WG advertises in the DHCP leases.

Hope to help

Giuseppe


Jon Marshall Mon, 12/21/2009 - 15:25

chadbooth wrote:

Looks like I'm going to need a new DHCP server.

Chad

Can the WG only hand out DHCP addresses to clients connected to it? I.e., if the WG can hand out addresses for subnets that the WG has no interfaces in, then you don't need a new DHCP server.

You could leave the WG handing out addresses for a subnet but have the DG for that subnet be the 3560G. Then on the 3560G you just have a default-route pointing to the WG. On the WG you would need a route for the new subnet pointing to the 3560G.

If you must have the WG as the DG, then a new DHCP server will make no difference, so not sure what you mean?

Jon

chadbooth Mon, 12/21/2009 - 15:42

The WG currently supplies addresses for multiple VLANs through a single interface, but it only provides the option for itself to be the default gateway for addresses it hands out.

Currently I have a layer 2 switch that forwards all VLAN traffic to the WG and the Watchguard handles the routing. I do not want any traffic going to the WG unless it is destined for the Internet. That is why I purchased the L3 switch.

Any help is appreciated.

Attached is a diagram of my current network.

Jon Marshall Mon, 12/21/2009 - 15:58

chadbooth wrote:

The WG currently supplies addresses for multiple VLANs through a single interface, but it only provides the option for itself to be the default gateway for addresses it hands out.

Currently I have a layer 2 switch that forwards all VLAN traffic to the WG and the Watchguard handles the routing. I do not want any traffic going to the WG unless it is destined for the Internet. That is why I purchased the L3 switch.

Any help is appreciated.

Attached is a diagram of my current network.

Okay, then you will need a DHCP server.

On the 3560G you would create the L2 vlans + the L3 vlan interfaces for each vlan. The DHCP server would hand out addresses for each subnet and the DG would be the corresponding L3 vlan interface on the 3560G.

Then you can connect the WG to the 3560G on its own P2P link.

On the 3560G:

  int gi0/1          <--- this connects to the WG
    no switchport
    ip address 192.168.5.1 255.255.255.0

  ip route 0.0.0.0 0.0.0.0 <192.168.5.2>

On the Watchguard you need to add routes for each of the 3560G VLANs (or run a routing protocol between the WG and the 3560G). The next hop for the routes would be 192.168.5.1.

Don't forget that on each L3 vlan interface you will need to configure an "ip helper-address "

Jon
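The two routing rules Giuseppe and Jon rely on above (a host only uses a gateway on its own subnet; the 3560G keeps VLAN-to-VLAN traffic local and sends only the default route to the WG, so the WG needs return routes) can be checked with a small longest-prefix-match simulation. This is an added example, not from either poster; the VLAN subnets 10.0.10.0/24 and 10.0.20.0/24 and the WG interface names are assumptions, while the 192.168.5.x P2P addresses come from Jon's configuration.

```python
import ipaddress

# Constructed 3560G routing table after Jon's design: one SVI per VLAN
# (connected routes), the P2P link to the WG, and the default route
# "ip route 0.0.0.0 0.0.0.0 192.168.5.2". VLAN subnets are assumptions.
SWITCH_ROUTES = {
    "10.0.10.0/24":   ("connected", "Vlan10"),
    "10.0.20.0/24":   ("connected", "Vlan20"),
    "192.168.5.0/24": ("connected", "Gi0/1"),
    "0.0.0.0/0":      ("192.168.5.2", "Gi0/1"),
}

# Constructed WG tables: before and after adding the per-VLAN static routes
# Jon says are needed (next hop 192.168.5.1). Interface names are assumptions.
WG_ROUTES_MISSING = {
    "192.168.5.0/24": ("connected", "eth1"),
    "0.0.0.0/0":      ("isp", "eth0"),
}
WG_ROUTES_FIXED = dict(WG_ROUTES_MISSING)
WG_ROUTES_FIXED["10.0.10.0/24"] = ("192.168.5.1", "eth1")
WG_ROUTES_FIXED["10.0.20.0/24"] = ("192.168.5.1", "eth1")


def lookup(table, dst):
    """Longest-prefix match, as a router's forwarding table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def gateway_usable(host_cidr, gateway):
    """Giuseppe's point: a host only uses a default gateway on its own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(host_cidr).network


def switch_path(dst):
    """Where the 3560G forwards a VLAN host's packet: a local SVI (never
    crossing the WG's policies) or the default route towards the WG."""
    next_hop, iface = lookup(SWITCH_ROUTES, dst)
    return "local:" + iface if next_hop == "connected" else "wg:" + next_hop


def wg_return_path(wg_table, vlan_host):
    """Whether the WG can send a reply back to a VLAN host; without Jon's
    static routes it follows its own default route instead of the 3560G."""
    next_hop, _ = lookup(wg_table, vlan_host)
    return "ok via " + next_hop if next_hop == "192.168.5.1" else "misrouted to " + next_hop
```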

chadbooth Tue, 12/22/2009 - 16:17

Thank you for the help. I'm getting a better understanding of how things are going to have to work. I have over 200 machines that I currently have IP address reservations bound to MAC addresses, and from what I can see, the Cisco switch will make this task difficult. Should I use something else as the DHCP server?

Jon Marshall Tue, 12/22/2009 - 16:29

chadbooth wrote:

Thank you for the help. I'm getting a better understanding of how things are going to have to work. I have over 200 machines that I currently have IP address reservations bound to MAC addresses, and from what I can see, the Cisco switch will make this task difficult. Should I use something else as the DHCP server?

Chad

Yes, I would recommend using a server as a DHCP server, such as a Windows or Unix/Linux variant. Personally I don't like using switches/routers as DHCP servers, as they are limited and the devices are not really designed to do that.

Jon
