Inter Vlan Routing

Jason Whitehead
Level 1

Hello, I'm trying to configure a 3560G to route traffic between VLANs and send traffic for unknown networks to the router. All of my servers and printers are on my 10.4.4.0 network; the switch's default VLAN 1 is 10.4.4.100 and the firewall is 10.4.4.1. I cannot configure an address on the link from the switch to the router because it overlaps with the VLAN 1 interface address. Do I need to change the subnet that the switch/router is on, or is there another way to accomplish this?

Please let me know if I need to clarify, attached is what I'm working with.

Thanks

Accepted Solutions

Jon Marshall
Hall of Fame

Jason

Easiest thing to do is configure a P2P link between your 3560 and the firewall, i.e.

subnet = 192.168.5.0/30

3560 switch

=========

int gi0/1  <--- interface connected to ASA
no switchport
ip address 192.168.5.1 255.255.255.252

ip route 0.0.0.0 0.0.0.0 192.168.5.2

Then configure the inside interface of the firewall with the IP address 192.168.5.2 255.255.255.252.

Finally, on the firewall you will need to add routes for the VLANs being routed off the 3560, e.g.

route (inside) 10.4.4.0 255.255.255.0  192.168.5.1

etc. for each subnet.

Jon

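To make the addressing problem concrete, here is an added example (not from Jon's or Raj's posts) that models the 3560's Layer 3 interfaces with Python's ipaddress module: it reproduces the overlap the original poster hit when the uplink was addressed inside VLAN 1's subnet, shows that Jon's /30 point-to-point link clears it, derives the firewall's inside address from the switch end of the /30, and generates the firewall static routes for every routed subnet, including the VLANs 101/111/121 that Raj mentions. The VLAN subnets, the interface names and the ASA `route inside ...` form are assumptions.

```python
"""Check a 3560 Layer 3 addressing plan for overlapping subnets.

Added example, not from the thread.  VLAN 1 and the firewall address
come from the original post; VLANs 101/111/121 are the ones Raj lists,
their subnets and the interface names are constructed here.
"""
import ipaddress

# Constructed plan following Jon's answer: a /30 on the routed uplink.
FIXED = {
    "Vlan1": "10.4.4.100/24",                # servers, printers, firewall
    "Vlan101": "10.4.101.1/24",              # assumed user VLANs (Raj's reply)
    "Vlan111": "10.4.111.1/24",
    "Vlan121": "10.4.121.1/24",
    "GigabitEthernet0/1": "192.168.5.1/30",  # 'no switchport' port to the ASA
}
# What the original poster tried: the uplink addressed inside VLAN 1's /24.
BROKEN = {**FIXED, "GigabitEthernet0/1": "10.4.4.101/24"}


def overlaps(ifaces):
    """Pairs of L3 interfaces whose connected subnets overlap.  IOS refuses
    an address on a second interface in a subnet that is already in use."""
    nets = [(n, ipaddress.ip_interface(a).network) for n, a in ifaces.items()]
    return [(n1, n2) for i, (n1, x) in enumerate(nets)
            for n2, y in nets[i + 1:] if x.overlaps(y)]


def p2p_peer(addr):
    """The other usable host on a /30, i.e. the firewall's inside address."""
    iface = ipaddress.ip_interface(addr)
    if iface.network.prefixlen != 30:
        raise ValueError("expected a /30 point-to-point link")
    return str(next(h for h in iface.network.hosts() if h != iface.ip))


def firewall_routes(ifaces, uplink, inside="inside"):
    """ASA static routes for every subnet the 3560 routes; the next hop is
    the switch end of the P2P link, as in Jon's 'route (inside) ...' line."""
    nh = ipaddress.ip_interface(ifaces[uplink]).ip
    routes = []
    for name, addr in ifaces.items():
        if name == uplink:
            continue
        net = ipaddress.ip_interface(addr).network
        routes.append(f"route {inside} {net.network_address} {net.netmask} {nh}")
    return routes


if __name__ == "__main__":
    print("broken plan overlaps:", overlaps(BROKEN))   # [('Vlan1', 'GigabitEthernet0/1')]
    print("fixed plan overlaps:", overlaps(FIXED))     # []
    print("ASA inside address:", p2p_peer(FIXED["GigabitEthernet0/1"]))
    print("\n".join(firewall_routes(FIXED, "GigabitEthernet0/1")))
```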

5 Replies

sachinraja
Level 9

Hi Jason

You have 2 solutions here:

1) You can configure VLAN 1 on the switchport connecting to the router, and since the VLAN 1 SVI is configured as 10.4.4.100, you will be able to ping 10.4.4.1. In this case all the servers, routers/fw etc. will be on VLAN 1 and will share the same subnet. Since VLAN 1 has potential security risks, it's better to opt for solution 2.

2) Configure a new VLAN, say VLAN 200, with an arbitrary /29 or /30 IP address, 192.168.10.0/30. Assign a Layer 3 interface for the port connecting to the router:

int fas 0/48
no switchport
ip address 192.168.10.1 255.255.255.252
description **** Connected to router/fw *****

On the router, have the Ethernet interface configured for 192.168.10.2, and have routes for VLANs 101, 111, 121 etc. on the router pointing back to 192.168.10.1. Doing this would isolate your Layer 3 VLANs, with the routed interface connected to your firewall, and will give more flexibility and support.

Hope this helps. All the best

Raj

Hi Raj

Really good to see you back in these forums; you've been away quite a while.

Just a quick point: option 2 does not require a new VLAN, because the interface on the 3560 is a routed port.

Jon

Hi Jon

Thanks for pointing this out! My bad. Yes, option 2 does not need a new VLAN. I was initially thinking of typing a solution with a new VLAN 200 (just to avoid VLAN 1 and having all components in the same broadcast domain) instead of VLAN 1, and have an SVI for VLAN 200 attached to the router, but ended up configuring Layer 3 SVIs with the new VLAN.

Yeah, was away for a long time! Great to be back on track.

Raj

ansalaza
Level 1

Look at this sample:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml#maintask1

Especially steps 4, 5, 6, which mention:

The no switchport command makes the interface Layer 3 capable. The IP address is in the same subnet as the default router.

Note: This step can be omitted if the switch reaches the default router through a VLAN. In its place, configure an IP address for that VLAN interface.

Can your VLAN 1 reach (ping) the router's interface?

HTH
