VLAN routing between switch and router

SP2
Level 1

First, to give an overview of the topology: I have an environment of 3 x 3560G, of which the 1st switch, CORE (f0/10), connects to the VPN router (CE) interface f0/0. The remaining 2 Cisco 3560s (Access) are connected to Gi0/1 and Gi0/2 on the 1st switch (CORE) via their gi0/1. On all three switches I have created multiple VLANs and assigned ports to these VLANs. The switch-to-switch connection is a trunk allowing all VLANs created on all these 3 switches. Now the issue is how I am going to have all these VLANs routed through the single interface on the router, i.e. f0/0, as all these subnets will be communicating with the remote site over VPN. What should the default gateway be on the 2 Access switches and the CORE switch, and also what static route should be on the router to reach all subnets (VLANs) created on these 3 switches?

Is there anyone who can help with this? I have read about inter-VLAN routing, i.e. creating sub-interfaces on the router, but I don't want to proceed with that and am looking for any other way to have my VLANs talk on all three switches and then be accessible to the remote site over VPN.

Please advise/help me, I need it urgently...

Thanks!


9 Replies

John Blakley
VIP Alumni

If you don't have your switches configured as L3, you'll need to set up a router-on-a-stick configuration in your router. Suppose you have vlans 1,10,20,30. Your router would be configured like:

int fa0/0   (interface connected to switch)
 ip address 192.168.1.1 255.255.255.0
int fa0/0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
int fa0/0.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
int fa0/0.30
 encapsulation dot1q 30
 ip address 192.168.30.1 255.255.255.0

The switchport on the switch that connects to the router will be trunked. You won't need static routes on the router to get to the switch because all of these subnets will show as locally connected.

If the switch is configured for routing, you can do it a couple of ways. Either connect your router to a routed port and set that as a /30 subnet or you can connect your router to a trunk port on a vlan that has an address in the subnet that your router is. For example:

Router: 192.168.1.1

Switch:
 vlan 1  - 192.168.1.2
 vlan 10 - 192.168.10.2
 vlan 20 - 192.168.20.2
 vlan 30 - 192.168.30.2

Your static routes on the router would be:
 ip route 192.168.10.0 255.255.255.0 192.168.1.2
 ip route 192.168.20.0 255.255.255.0 192.168.1.2
 etc.

It all depends on how your switch is configured really....

HTH,

John

HTH, John *** Please rate all useful posts ***

Thanks John- I have dropped the option to configure router on a stick, as there are too many changes on the router side... All my switches are L3 (Cisco 3560G). On the 2 Access switches I configured the default gateway (static route) to the Core switch's Management VLAN IP, and on the Core I have the default gateway set to the Router's f0/0 IP address. On the router I will have routes to all VLANs I have to create on all these 3 switches. Also, the port used for connecting the Core switch to the router is a trunk port; please check the config below for this port.. But anyhow, I am unable to ping from the router to any VLAN on any of the 3 switches and vice versa.

easy peasy ;-)

below is just a quick and generic view of what I understand your topology to be

  VPN router
      |
      |
     sw1
   |     |
   |     |
 sw2    sw3

on SW1

- configure L3 VLAN interfaces (a.k.a. SVI) for each VLAN with the respective IP address.  This device will be where all of your HOST gateways will live for these networks, so the IPs assigned to each SVI would ideally be x.y.z.1 (e.g. 172.23.33.1 255.255.255.0).

- this will also allow for the inter-VLAN routing...no need for router on a stick when using a L3 switch (e.g. 3560)

- also configure a VIP for management.  If not using VLAN 1, it should be shut down.

- configure a pruned trunk on the links from SW1 to SW2 and from SW1 to SW3 which allows only the VLANs which will be used on those devices

on SW2 & SW3

- configure UNPRUNED trunk ports from both SW2 & SW3 going up to SW1

- switch gateways can point to the management VLAN ip configured on SW1 (this gateway is used by the switch only and not any of the attached hosts)

- no interfaces should need to be configured on these switches...SW1 will know which port to send host traffic to via mac-addresses, as will each access switch.

- configure each access port to the appropriate vlan

HOSTS

- configure the gateway address of each host to be the address of the VIP configured on SW1

additional notes:

- there is no need to configure default routes on the access switches as they will never use it or need to use it if your network is designed correctly...

Core Switch trunk port f0/24 connecting to Router f0/0->

interface FastEthernet0/24
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security violation restrict

In your above configuration...if the link is supposed to be an unpruned trunk, I would remove the "switchport access vlan 100" configuration. 

I think that covers everything but if I left something out or you have any other questions let us know...

Regards.

Thanks Rettuc- You predicted it right. But I have SVIs created on all three switches, as users connect to all of them, so I have VLANs created and ports assigned to them. I did what you recommended and I can ping from a host to the SW1 gateway within each VLAN, but can't ping the router from any switch or host. The router has 2 FE ports, one for WAN and one for LAN, which is connected to F0/24 on SW1 which has an unpruned trunk as suggested by you. Do you know why I can't ping the router LAN from any switch and vice versa?

sorry for leaving that detail out..for the traffic to get from either switch to the router and back you will need to configure a routing protocol, static routes or a default route on both sw1 (reference the diagram in my previous response) and the neighboring router.

an easy way to configure and manage this would probably be to configure OSPF on both devices but this might also cause more confusion or problems, so at this point I'd suggest just using a default route on SW1 and static routes on the router.

SW1 config. example default route:

ip route 0.0.0.0 0.0.0.0 [connected ROUTER interface address]

ROUTER config. example static route:

ip route [network] [mask] [connected SW1 interface address]

 - example using your host network address:
 ip route 172.23.0.0 255.255.0.0 X.Y.Z.#
 ! static routes take a subnet mask (255.255.0.0), not a wildcard mask

**NOTE:  For the static route being configured on the Router, be sure to only include the range of networks configured on SW1.  

It didn't work. Question- Should the port (f0/24) on SW1 connecting to the Router (f0/0) be in trunk mode to carry all VLAN traffic to the router from all 3 switches? What I have is like this:

interface FastEthernet0/24
 description towards CE Router f0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk

Also can I be able to ping from host on one VLAN to other- for example say from VLAN 10 to VLAN 100 ?

Thank you so much for your help and prompt replies...I really appreciate that!

No worries...  my apologies for not being able to reply to you last message yesterday.

Since the link between SW1 and the router is an L2 trunk you can simply remove the gateway interfaces from SW1 and configure them on your router.  At that point the router should be the only device with VLAN interfaces configured on it...

As long as the VLAN interfaces (a.k.a. VIPs) are configured on the same L3 device hosts from one VLAN should be able to ping hosts in another VLAN.

If for some reason this doesn't work for you...please let me know what type of device your router is and we should be able to figure it out at that point.

Something you might want to also consider is leaving the VLAN interfaces configured on SW1 and instead of having a trunk link configured between SW1 and the router...simply configure it as a L3 link.  Then use default or static routing on SW1 pointing to the IP configured on the connected router interface.  In my opinion this is more scalable and aligns better with Cisco's campus design model. 

So those are the two ways you can configure your environment... 

quick recap;

option 1:

remove VLAN interfaces from SW1 and add them to the router instead

option 2 (best option, IMHO)

create a layer 3 link between SW1 and your router...then use default or static routing on SW1 pointing to the IP of the routers connected interface.
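Rettuc's option 2 written out as a Cisco IOS configuration, added here as an illustration and not taken from any post in the thread; the VLAN numbers, the 172.23.x.0/24 host subnets, the 10.255.255.0/30 link subnet and the interface numbers are constructed to match the topology described above:

```ios
! ---- SW1 (3560G core): host gateways stay on the SVIs, the uplink becomes a routed port ----
ip routing
!
interface Vlan10
 description host gateway, VLAN 10 (constructed example VLAN and subnet)
 ip address 172.23.10.1 255.255.255.0
!
interface Vlan100
 description host gateway, VLAN 100 (constructed example VLAN and subnet)
 ip address 172.23.100.1 255.255.255.0
!
! "no switchport" makes Fa0/24 a routed port: no trunk, no VLAN tags on the router link
interface FastEthernet0/24
 description L3 link towards CE router Fa0/0
 no switchport
 ip address 10.255.255.1 255.255.255.252
!
! everything that is not a local VLAN (the remote VPN site) goes to the router
ip route 0.0.0.0 0.0.0.0 10.255.255.2
!
! ---- CE router: one routed interface and one summary route back to SW1 ----
interface FastEthernet0/0
 description L3 link towards SW1 Fa0/24
 ip address 10.255.255.2 255.255.255.252
 no shutdown
!
! static routes take a subnet mask (not a wildcard); cover only the subnets behind SW1
ip route 172.23.0.0 255.255.0.0 10.255.255.1
!
! ---- SW2 / SW3 (access): L2 only; the gateway is for the switch's own traffic ----
no ip routing
interface Vlan100
 description switch management address (constructed example)
 ip address 172.23.100.2 255.255.255.0
!
! points at SW1's SVI; hosts on VLAN 100 use 172.23.100.1 directly, not this switch
ip default-gateway 172.23.100.1
!
interface GigabitEthernet0/1
 description uplink trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! ---- checks from SW1 once everything is up ----
! show ip route       -> C 172.23.10.0/24, C 172.23.100.0/24, C 10.255.255.0/30, S* 0.0.0.0/0 via 10.255.255.2
! ping 10.255.255.2                       reaches the router end of the link
! ping 10.255.255.2 source 172.23.10.1    also proves the router's return route to the SVI subnets
```

If the sourced ping fails while the plain ping works, the router is missing or has mistyped its static route back to the 172.23.0.0/16 range.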

Awesome Rettuc- Everything worked as a chime. A big thanks for all the help provided!!!
