Re: adding VLAN help

fkatsumi1 · ‎10-11-2006

Hello,

I'm trying to configure switches to add a vlan. I currently have a flat (default VLAN 1) with two 3750 connecting two locations A and B via a trunk. Address space is 10.1.1.0 class C consisting of clients an servers and the default gate is the firewall 10.1.1.2 in location A.

Location A 3750 - 10.1.1.73

Location B 3750 - 10.1.1.74

I want to create a new VLAN at Location A with 172.16.1.0/24 for new devices (avaya voice pbx). I understand I should create a new VLAN in A, assign SVI, and let 3750 in A do the routing from VLAN 1 to 2. However I'm not sure how the default gateway gets assigned. All servers and clients have the default gate of 10.1.1.2 and I guess the AVAYA will forward all packets 172.16.1.1.

Thanks

mahmoodmkl · ‎10-11-2006

Hi

As per u r understanding u r right.create the new vlan.create the SVI and assign the ports in the new vlan i.e avaya.u need to define in avaya default gateway as SVI IP Address created in 3750.As 3750 is layer 3 capable it will take care of intervlan routing.

Thanks

Mahmood

sundar.palaniappan · ‎10-11-2006

Hi,

You are correct for the most part with one exception. As the existing gateway is set to firewall, which doesn't route traffic out the same interface it received traffic on (or) does not do ip redirects, your inter-vlan routing would fail. Hence, PCs/Servers need to have the default gateway set to 3750_A switch's SVI IP of 10.1.1.73 for inter-vlan routing to work. Configure a default route on 3750_A to point to the firewall.

If you aren't using DHCP and won't be able to change the gateway on all clients then you could use the 10.1.1.2 as the SVI IP on 3750_A switch and give the firewall a different address.

HTH

Sundar

fkatsumi1 · ‎10-11-2006

Thanks. Do I need to add this static route in 3750_A or is it not necessary?

ip route 0.0.0.0 0.0.0.0 10.1.1.2

sundar.palaniappan · ‎10-11-2006

Yes, you do need it as any unknown traffic would be routed over to the firewall.

HTH

Sundar

fkatsumi1 · ‎10-11-2006

Ok. I applied the route and it appears the packets flow to the firewall and out to the internet from VLAN 1 but not from the newly created VLAN 2. Inter-VLAN is working fine. Is there something else needed in switch config on Location A? Or is this a routing issue with the firewall?

Thanks for assistance.

fred

sundar.palaniappan · ‎10-11-2006

Fred,

You need a route for the newly created subnet in the firewall. In addition to that, check the NAT and ACL rules on the firewall to allow traffic from the newly created subnet to get out.

HTH

Sundar

fkatsumi1 · ‎10-12-2006

thanks. will do

mahmoodmkl · ‎10-11-2006

Hi

in addition to sunder post one thing i would suggest is that make sure u r firewall has the appropriate routes and it is configured in vlan 1 as per u r topology.

Thanks

Mahmood

fkatsumi1 · ‎10-12-2006

i created per sundar a static route in the firewall

route add 172.16.1.0/24 10.1.1.73

My only other question is this.

Do clients in VLAN1 need the switch (10.1.1.73) as the default gate or leave it as the firewall (10.1.1.2) and let the firewall redirect packets destined for VLAN2 back to the switch?

mahmoodmkl · ‎10-13-2006

Hi

As u said that u r switch is multilayer switch the gateway for u r vlan 1 clients will be ip address of u r SVI vlan 1 and gateway for u r vlan 2 will be svi of vlan 2.

the switch will have a default route pointing to firewall.

the firewall will a route pointing to vlan 1 svi for both the subnets.

Thanks

Mahmood

sundar.palaniappan · ‎10-13-2006

As I stated earlier, the default gateway on the client has to be pointing to 10.1.1.73 as firewall doesn't redirect packets. Read my earlier post for more info.

HTH

Sundar