Inter Vlan Routing

Answered Question
Dec 23rd, 2009
Hello, I'm trying to configure a 3560G to route traffic between VLANs and send traffic to unknown networks to the router. All of my servers and printers are on my 10.4.4.0 network; the switch's default VLAN 1 is 10.4.4.100 and the firewall is 10.4.4.1. I cannot configure an address on the link from the switch to the router because it overlaps with the VLAN 1 interface address. Do I need to change the subnet that the switch/router is on, or is there another way to accomplish this?


Please let me know if I need to clarify, attached is what I'm working with.


Thanks

Correct Answer
Jon Marshall Wed, 12/23/2009 - 10:47
Jason


Easiest thing to do is configure a P2P link between your 3560 and the firewall, i.e.


subnet = 192.168.5.0/30


3560 switch

=========


int gi0/1  <--- interface connected to ASA

no switchport

ip address 192.168.5.1 255.255.255.252


ip route 0.0.0.0 0.0.0.0 192.168.5.2


Then configure the inside interface of the firewall with the IP address 192.168.5.2 255.255.255.252.


Finally, on the firewall you will need to add routes for the VLANs being routed off the 3560, e.g.


route (inside) 10.4.4.0 255.255.255.0  192.168.5.1


etc. for each subnet.


Jon

sachinraja Wed, 12/23/2009 - 10:52
Hi Jason


You have 2 solutions here:


1) You can configure VLAN 1 on the switchport connecting to the router, and since the VLAN 1 SVI is configured as 10.4.4.100, you will be able to ping 10.4.4.1. In this case all the servers, routers/FW etc. will be on VLAN 1 and will share the same subnet. Since VLAN 1 has potential security risks, it's better to opt for solution 2.


2) Configure a new VLAN, say VLAN 200, with an arbitrary /29 or /30 IP address, e.g. 192.168.10.0/30, and assign a layer 3 interface for the port connecting to the router:

int fas 0/48

no switchport

ip address 192.168.10.1 255.255.255.252

description **** Connected to router/fw *****


On the router, have the Ethernet interface configured for 192.168.10.2, and have routes for VLAN 101, 111, 121 etc. on the router pointing back to 192.168.10.1. Doing this would isolate your layer 3 VLANs with the routed interface connected to your firewall, and you will have more flexibility and support.


Hope this helps. All the best


Raj
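Jon's P2P-link answer and Raj's option 2 above rest on the same invariants: the two ends of the /30 share a subnet, the link subnet does not overlap any VLAN subnet (the overlap the original poster ran into), the switch's default route points at the firewall's end of the link, and the firewall has a return route for every VLAN subnet via the switch's end. The following Python check of those invariants is an added example, not code from either poster or from Cisco; 10.4.4.0/24, the 192.168.5.0/30 link and the 10.4.4.0/24 firewall route are from the thread, while VLANs 101/111 and their subnets are constructed placeholders.

```python
import ipaddress

# Constructed sample of the design from the answers above. 10.4.4.0/24, the
# 192.168.5.0/30 link and the firewall route for 10.4.4.0/24 are from the thread;
# VLANs 101/111 and their subnets are hypothetical placeholders.
SVI_SUBNETS = {1: "10.4.4.0/24", 101: "10.4.101.0/24", 111: "10.4.111.0/24"}
SWITCH_P2P = "192.168.5.1/30"                  # int gi0/1, no switchport
FIREWALL_P2P = "192.168.5.2/30"                # ASA inside interface
SWITCH_DEFAULT = ("0.0.0.0/0", "192.168.5.2")  # ip route 0.0.0.0 0.0.0.0 192.168.5.2
FIREWALL_ROUTES = {                            # route (inside) <net> <mask> <next-hop>
    "10.4.4.0/24": "192.168.5.1",
    "10.4.101.0/24": "192.168.5.1",
}


def check_design(svi_subnets, switch_p2p, fw_p2p, switch_default, fw_routes):
    """Return a list of problems; an empty list means the routed-port design is consistent."""
    problems = []
    sw = ipaddress.ip_interface(switch_p2p)
    fw = ipaddress.ip_interface(fw_p2p)
    routes = {ipaddress.ip_network(n): ipaddress.ip_address(h) for n, h in fw_routes.items()}

    # 1. Both ends of the point-to-point link must sit in one subnet and be usable host addresses.
    if sw.network != fw.network:
        problems.append(f"P2P ends are in different subnets: {sw.network} vs {fw.network}")
    for end in (sw, fw):
        if end.ip in (end.network.network_address, end.network.broadcast_address):
            problems.append(f"{end.ip} is the network or broadcast address of {end.network}")

    # 2. The link subnet must not overlap any VLAN subnet (the overlap the original poster hit).
    for vlan, cidr in svi_subnets.items():
        if ipaddress.ip_network(cidr).overlaps(sw.network):
            problems.append(f"VLAN {vlan} subnet {cidr} overlaps the P2P link {sw.network}")

    # 3. The switch's default route must point at the firewall's end of the link.
    default_net, next_hop = switch_default
    if ipaddress.ip_network(default_net).prefixlen != 0 or ipaddress.ip_address(next_hop) != fw.ip:
        problems.append(f"switch default route {default_net} via {next_hop} does not reach {fw.ip}")

    # 4. Every VLAN subnet needs a return route on the firewall via the switch's end of the link.
    for vlan, cidr in svi_subnets.items():
        net = ipaddress.ip_network(cidr)
        if net not in routes:
            problems.append(f"firewall has no return route for VLAN {vlan} ({net})")
        elif routes[net] != sw.ip:
            problems.append(f"firewall route for {net} points at {routes[net]}, not {sw.ip}")
    return problems
```

Running it against the sample flags only the missing firewall return route for the placeholder VLAN 111; feeding it the original overlapping design (switch link address inside 10.4.4.0/24) reports the overlap instead.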

Jon Marshall Wed, 12/23/2009 - 11:01
sachinraja wrote:


Hi Jason


You have 2 solutions here:


1) You can configure VLAN 1 on the switchport connecting to the router, and since the VLAN 1 SVI is configured as 10.4.4.100, you will be able to ping 10.4.4.1. In this case all the servers, routers/FW etc. will be on VLAN 1 and will share the same subnet. Since VLAN 1 has potential security risks, it's better to opt for solution 2.


2) Configure a new VLAN, say VLAN 200, with an arbitrary /29 or /30 IP address, e.g. 192.168.10.0/30, and assign a layer 3 interface for the port connecting to the router:

int fas 0/48

no switchport

ip address 192.168.10.1 255.255.255.252

description **** Connected to router/fw *****


On the router, have the Ethernet interface configured for 192.168.10.2, and have routes for VLAN 101, 111, 121 etc. on the router pointing back to 192.168.10.1. Doing this would isolate your layer 3 VLANs with the routed interface connected to your firewall, and you will have more flexibility and support.


Hope this helps. All the best


Raj


Hi Raj


Really good to see you back in these forums; you've been away quite a while.


Just a quick point: option 2 does not require a new VLAN, because the interface on the 3560 is a routed port.


Jon

sachinraja Wed, 12/23/2009 - 11:07
Hi Jon


Thanks for pointing this out! My bad. Yes, option 2 does not need a new VLAN. I was initially thinking of typing a solution with a new VLAN 200 (just to avoid VLAN 1 and having all components in the same broadcast domain) instead of VLAN 1, with an SVI for VLAN 200 attached to the router, but ended up configuring layer 3 SVIs with the new VLAN.


Yeah, I was away for a long time! Great to be back on track.


Raj

ansalaza Wed, 12/23/2009 - 10:54
Look at this sample:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml#maintask1


Especially steps 4, 5 and 6, which mention:


The no switchport command makes the interface Layer 3 capable. The IP address is in the same subnet as the default router.

Note: This step can be omitted if the switch reaches the default router through a VLAN. In its place, configure an IP address for that VLAN interface.


Can your VLAN 1 reach (ping) the router's interface?


HTH
