cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1404
Views
17
Helpful
10
Replies

vlan and default gw question

dlee_gmail
Level 1
Level 1

hi!

The vlan question is that i've 2x L2 3560 sitting behind a firewall connected to my core sw(4506). Behind this firewall, the 2x L2 switches(3560) are not configured with any vlan. it has only one network segment within it. The gw for this network segment is at the firewall connected to one of this sw. Currently there isn't any vlan created on the L2 3560 switches. (only switchport mode access, and default-gateway command configured)

My question is that, if i would to create a vlan (eg. vlan42) in the L2 3560  switches and assign all the sw ports (of course exclude the trunk between each sw) in there as vlan access port vlan42.....can the host in there still able to reach the host outside the firewall (currently it working fine)?

currently, the native vlan for the L3 4506 is vlan10 and the L2 3560's native vlan is 1. does that matter in this case?

--------------------------------------------------------

As for the command default-gateway at the end of each edge switches config, does that mean that whatever vlans configured in the edge sw, the the first gateway will always be that default-gateway on that particular switch before it's routed to other vlan interfaces?

thx

10 Replies 10

Reza Sharifi
Hall of Fame
Hall of Fame

Dave,

You currently have all users in vlan 1 on your 3560s. VLAN 1 is the native vlan and for security reasons it should not be used at all. If you move your users to a different vlan (42) you will need to make sure you add it to your trunks.  Also you would need to do this during a outage windows because moving your uses from vlan 1 to 42 will cause on outage for your users.

HTH

Reza

hi! thx for the reply. Need to check with you.....why does changing of interface port to vlan 42 will cause the outage? I just need to add in the new vlan and change all the access ports's vlan by the port range command. I believe that would be very fast right? Even if those access ports that do not have vlan configured will still be able to reach other vlan outside of the firewall right? unless i'm missing something here.

The trunk currently do not filter any vlan....Do i still need to specifically enable vlan 42 on the trunk?

taali
Cisco Employee
Cisco Employee

Dave

If i understand your question correctly, you have two 3560 switches trunked to each other.  One of the 3560 switches is connected to the FW.  All switch ports, including the FW, are currently on Vlan 1.  You have Layer 2 connectivity between devices on the switch and the FW.  You want to move these ports to Vlan 42 and maintain connectivity.

You will need to make sure the port the FW is connected to is also changed to Vlan 42.  You need to add Vlan 42 on the trunk between the 3560 switches.  The native vlan on both sides of the trunks needs to match.

Also, the ip default-gateway command will not route traffic for Vlan 42.  You need to create an SVI (Layer 3) interface for Vlan 42 in order to route off of that vlan:

interface vlan 42

ip address x.x.x.x y.y.y.y

The ip default-gateway command is used to set the gateway for the switch itself (to manage it) and does not effect user traffic.

HTH

hi! yes yr understanding of my setup is correct, but correctly if my understanding is wrong. i thought the ip default-gateway will be used if

it's a L2 device (i do not need that if i enable routing in the sw?) and not just for the management vlan. It's actually to forward traffic out for further routing if there's any?

as for the interface vlan xx command on a L2 switch is actually to enable remote management to that specific ip?

So, in my case do i really need to enable L3 feature in the 3560 sw if i only has a vlan in both of these switches? I just want to be able to shut my vlan 1 and create a flat network of vlan 42 and still able to route traffic out of the firewall which at the "WAN" port is connected to my core switches which have multiple svi configured. (the vlan in my core is different or seperated from the vlan behind the fw)

fyi: In the firewall itself i've 3 static route

src               dest                         gw               metric     interface          Origin

any               10.71.50.208/29      N/A               0               WAN              Connected Route

any               10.71.1.0/24           N/A               0               LAN               Connected Route

any               default                    10.71.50.209  100          WAN               static route

pls advise further. thx

Hi Dave

If you have a single VLAN and the FW will be routing for that VLAN, than no, you do not need to create an SVI for that VLAN.

The 'ip default-gateway' command is used when ip routing is disabled for connectivity to the switch itself.  It is not used by host/user traffic. 

If you enable routing, than you can manage the switch from any SVI you create on it, provided you have configured routes to the rest of your network statically or learned them dynamically via a routing protocol on the switch.

Hope this helps.

hi! thks for the reply. So in summary, just to confirm i can just turn on the vlan42

and assign to all switch port without affecting the user user connectivity to the resources in the core sw? whatever native vlan i used will not affect the connectivity + it doesn't matter whether i shut the vlan1 interface or not in this case, right?

thx

Hi Dave

Are you talking about the Native VLAN on the trunk link between the 3560 switches ?  If so, then it does not matter what the Native VLAN is as long as it matches on both sides of the trunk and VLAN 42 is allowed on the trunk.

Are you using VLAN 1's Layer 3 interface to manage the switch ?

hi! No, from i see fromt the config. although it's a L3 capable, the routing is not turned on. so the vlan 1 is L2 and there's a ip there just for management purpose. thx

Dave, this guy has spent a considerable amount of time getting you to understand some networking basics, and all you can cough up is a 4 -- on only one post, no less?

Please go back and rate the posts accordingly.

yes...taali is of great help.  i thot the rating is one rating for one discussion topic.....np

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: