Help with simple interVlan routing on L3 switch

kellybrady (Level 1)

Hi all - I just can't get my head around this really simple interVlan routing issue.  I have two VLANs (1 & 6) on a 3560 L3 switch.  I simply need to route between them.  Here is how I have it set up:

Firewall is the VLAN1 client's default gateway:
10.10.22.1 /255.255.255.0

3560switch config:
ip subnet-zero
ip routing

VLAN1:
(hosts on 10.10.22.x/255.255.255.0; gateway 10.10.22.1)
int vlan1
ip address 10.10.22.254 255.255.255.0
no shutdown

VLAN6: (hosts on 192.168.25.x/255.255.255.0; gateway 192.168.25.1)
int vlan6
ip address 192.168.25.1 255.255.255.0
no shutdown

ip classless

int gi0/31 (an available unused port)
no switchport
ip address ?.?.?.?
no shutdown

***

Is the issue that all my 10.10.22.x clients are going to 10.10.22.1 trying to find 192.168.25.x, when they would need to go to 10.10.22.254; then the switch should have an ip route of 0.0.0.0 0.0.0.0 10.10.22.1? Then give the router on gi0/31 the 10.10.22.254 address?

(as a side note, it would be easier for me to change the gateway's IP than to change each VLAN1 client's IP.)

Thanks for any help!

6 Replies

Matthew Warrick (Level 1)

If your 10.10.22.0/24 hosts are set up to use .1 as their default gateway and you are using .254 as the SVI for that network, the simple answer is that their default gateway is not reachable.  Either change the hosts' default gateway or change the address of the VLAN 1 SVI to match the clients.

Delete the ip route 0.0.0.0 as it is not needed since both networks are "connected" on the L3 switch.

If you have multiple gateways on the same network (not a good idea) the clients would need a route added to them in order to reach the 25 network via the 254 interface.

Thanks for the reply. So if I change the gateway (to the internet) to .254, and make the SVI .1, the clients can still get to the internet, correct?

Thanks again!

The client computers need to have a 0.0.0.0 default route to the IP address that acts as the Internet gateway (10.10.22.1 in your case).  In order to reach the 25 network via the 254 interface you will need to add a route on the host for the 25 network via the 254 SVI.

A client computer can only have a single default route (generally speaking).  If you want to use more than one gateway for clients to leave a subnet you need to have a route on the host to tell the client which gateway to use otherwise it will just send the traffic to the default.

jfraasch (Level 3)

I think the easiest would be to add the route for the second subnet on the firewall.  The clients need the default gateway of the firewall, and so the firewall should have a static route pointing to the 10.10.22.254 address as the gateway to VLAN6.

Put a specific route in the FW of ip route 192.168.25.0 255.255.255.0 10.10.22.254

Ganesh Hariharan (VIP Alumni)

Hi,

With the above configuration, VLAN 1 users will be going to the firewall, and if they want to reach VLAN 6 the firewall should have a rule to permit the VLAN 6 subnet and a route towards the VLAN 6 interface, which is not there in your network.

Just to clarify a few things: do you want the firewall to come into the picture for every traffic flow that goes between VLANs, or not? And on interface gi0/31 you will be connecting a router; is this router sending traffic to the outside world? If yes, then you need to change some design configuration to route the traffic from the VLANs to the outside world.

If you want only inter-VLAN routing between VLAN 1 and VLAN 6 via the firewall, then make another zone in the firewall and place that in VLAN 6 with an IP address as given in VLAN 1, so that VLAN 6 users can point traffic towards the VLAN 6 interface of the firewall; in the firewall just permit the VLAN 6 communication with VLAN 1 and drop a route for VLAN 6 towards the switch VLAN 6 interface.

And if between VLANs you don't want the firewall to come into the picture, then the best is to create three VLANs: one for VLAN 1, one for VLAN 6, and an outside VLAN between the router and the firewall, and drop a default route towards the firewall. In this case inter-VLAN routing will be taken care of by the switch and traffic towards the outside world will be scanned as per the rules given in the firewall.

Hope to help

If helpful do rate the post

Ganesh.H
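The three designs discussed in this thread (the original setup, jfraasch's static route on the firewall, and Matthew's/Ganesh's "SVI takes the gateway address, firewall on its own transit VLAN" design) can be checked by tracing a packet hop by hop with longest-prefix-match routing tables. The model below is an added example written for this page, not configuration from the thread or from Cisco. It assumes host addresses 10.10.22.50 and 192.168.25.10, a firewall outside link of 203.0.113.0/30 and a transit VLAN of 10.10.99.0/30 (all chosen for illustration), and it treats the firewall as a plain router with no policy or connection state. The trace shows why the original design never reaches VLAN 6, and that the static-route fix works but gives an asymmetric path: the firewall sees the VLAN 1 to VLAN 6 direction only, while replies go from the switch straight to the host. A stateful firewall that sees only one direction of a flow may drop it, and a router that forwards a packet back out the interface it arrived on typically answers with an ICMP redirect, so the third design is the one to prefer when the firewall must not be in the inter-VLAN path.

```python
"""Hop-by-hop trace of the thread's topology using longest-prefix-match routing.
Added example; addresses other than those in the thread are assumed."""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    """A host, L3 switch or firewall: named interfaces plus static/default routes."""

    def __init__(self, name, interfaces, routes=(), default=None):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ip_network(p), ip_address(nh)) for p, nh in routes]
        if default is not None:
            self.routes.append((ip_network("0.0.0.0/0"), ip_address(default)))

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns (prefix, next_hop); next_hop is None when dst is directly
        connected. Returns None when nothing matches (no default route)."""
        best = None
        candidates = [(i.network, None) for i in self.ifaces.values()] + self.routes
        for prefix, nh in candidates:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet from node `src` toward address `dst`.
    Returns (list of node names visited, outcome string)."""
    dst = ip_address(dst)
    cur = next(n for n in nodes if n.name == src)
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path, "delivered"
        match = cur.lookup(dst)
        if match is None:
            return path, f"dropped: {cur.name} has no route to {dst}"
        prefix, next_hop = match
        target = dst if next_hop is None else next_hop
        # A next hop is only usable if it sits on a directly attached subnet.
        if not any(target in i.network for i in cur.ifaces.values()):
            return path, f"dropped: {cur.name} cannot reach next hop {target}"
        nxt = next((n for n in nodes if n.owns(target)), None)
        if nxt is None:
            if next_hop is None:
                return path, f"dropped: no host {dst} on {prefix}"
            return path, f"left the modelled network via {cur.name} toward {target}"
        cur = nxt
        path.append(cur.name)
    return path, "loop"


def symmetric(nodes, a, a_ip, b, b_ip):
    """True when the return path is the forward path in reverse (same boxes)."""
    fwd, _ = trace(nodes, a, b_ip)
    rev, _ = trace(nodes, b, a_ip)
    return fwd == list(reversed(rev))


def original_design():
    """Thread's starting point: hosts use the firewall (.1) as gateway, the
    3560 VLAN 1 SVI is .254, and the firewall knows nothing about VLAN 6."""
    return [
        Node("host_a", {"eth0": "10.10.22.50/24"}, default="10.10.22.1"),
        Node("host_b", {"eth0": "192.168.25.10/24"}, default="192.168.25.1"),
        Node("switch", {"vlan1": "10.10.22.254/24", "vlan6": "192.168.25.1/24"}),
        Node("firewall", {"inside": "10.10.22.1/24", "outside": "203.0.113.2/30"},
             default="203.0.113.1"),  # outside link assumed for the example
    ]


def firewall_static_route():
    """jfraasch's fix: same addressing, firewall routes 192.168.25.0/24 via .254."""
    nodes = original_design()
    fw = next(n for n in nodes if n.name == "firewall")
    fw.routes.append((ip_network("192.168.25.0/24"), ip_address("10.10.22.254")))
    return nodes


def switch_as_gateway():
    """Matthew's + Ganesh's design: the VLAN 1 SVI takes the .1 address hosts
    already use, the firewall moves to a transit VLAN (10.10.99.0/30, assumed)
    and the switch defaults to it. Hosts need no change."""
    return [
        Node("host_a", {"eth0": "10.10.22.50/24"}, default="10.10.22.1"),
        Node("host_b", {"eth0": "192.168.25.10/24"}, default="192.168.25.1"),
        Node("switch", {"vlan1": "10.10.22.1/24", "vlan6": "192.168.25.1/24",
                        "vlan99": "10.10.99.2/30"}, default="10.10.99.1"),
        Node("firewall", {"inside": "10.10.99.1/30", "outside": "203.0.113.2/30"},
             routes=[("10.10.22.0/24", "10.10.99.2"), ("192.168.25.0/24", "10.10.99.2")],
             default="203.0.113.1"),
    ]


if __name__ == "__main__":
    for label, build in [("original", original_design),
                         ("fw static route", firewall_static_route),
                         ("switch as gateway", switch_as_gateway)]:
        nodes = build()
        print(label, "VLAN1->VLAN6:", trace(nodes, "host_a", "192.168.25.10"))
        print(label, "VLAN6->VLAN1:", trace(nodes, "host_b", "10.10.22.50"))
        print(label, "internet:", trace(nodes, "host_a", "198.51.100.7"))
```

Running it shows the original design sending VLAN 1 traffic for 192.168.25.x out of the firewall's default route, the static-route design delivering it via host_a, firewall, switch, host_b but returning via switch and host_a only, and the transit-VLAN design keeping inter-VLAN traffic on the switch in both directions while internet-bound traffic still passes the firewall.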

Pronoy Dasgupta (Cisco Employee)

Hey Kelly,

Is the firewall connected to the Gi0/31 port? Is there any specific requirement of making it a routed port?

int gi0/31 (an available unused port)
no switchport
ip address  ?.?.?.?
no shutdown

What happens if you connect your firewall to this port above configured as an access port in VLAN 1? It might be a little different, as Ganesh pointed out, if you are trying to get all traffic through the firewall instead of just VLAN 1. If this is simple inter-VLAN routing I suggest giving the above a shot: make Gi0/31 (or whichever port the firewall is connected to) an access port in VLAN 1.

Thanks

Pronoy
