I would do the following.

L2(Switch) ---> L3(Switch) ---> Firewall ---> Internet

Have the link between the L2 switch and L3 switch be a trunk carrying the vlans you need or all, doesn't matter.

Make sure to specify who ports belong to which vlan on the L2 switch. I would then setup L3 intervlan routing on the

L3 switch. That way traffic will flow via L2, to the Default Gateway on the L3 switch, then following routing to specified

vlans or hit the default route and go out to the Internet. You're traffic flow, troubleshooting, and everything else will be

must easier.

Thanks John,

yes i aggreed with you this is a ideal solution is to have network like

L2(Switch) ---> L3(Switch) ---> Firewall ---> Internet

but in my case i dont have sufficient resources to put aal netwrok computers in a vlan. so i am trying to separate atlease one network. so in future slowally i can migrate the other one also.

can we do something like this

what ever host not available in L3. destination to those address will broadcast to interface connected to  plane switch.

or

some sort of source and destination based routing.

as of now from layer3 switch i can ping to all devices but from vlan 8 and vlan 10 it fail.

I keep forgetting you have a plain L2 switch. Well the L2 plain switch, is currently only in one broadcast domain which is 172.16.0.0/28. You have bi-directional intervlan communication of your vlans on the L3 switch, and you have 172.16.0.254 on the VLAN1 interface. You know that the switch can ping the firewall and other hosts on the L2 switch. Now, if the host on 172.16.0.0/28 network wants to communicate with a host on one of the vlans on the L3 switch, it will go to its default gateway which if it's 172.16.0.254, it should work. Because, it should have directly connected networks for the specific vlans that are terminated on that L3 switch.

soryy for confusion, my firewall ip add ress is 172.16.0.250 . my internal network 172.16.0.0/21 using firewall interface as an default gateway to send traffic outside (internet and branches). in above case i have to change gatway of my all client computer and server. in that case also traffic to internet will not pass becoase we will make 172.16.0.254 as our new default gateway.

please correct me incase i;m making some mistake.

Well if traffic from hosts on the L3 switch, reach the DR out 172.16.0.250(Firewall IP), and goes out on the internet, and then comes back, the L2 switch isn't going to have a route back to any of the networks on the L2 switch. The reason that it's working fine for hosts on 172.16.0.250 is, that switch is on that directly connected network(same vlan) will work fine.

thans John,

i have put route on my firewall to route a traffic having destination to vlan 8 should be point to my vlan 1.

plane switch client->gateway 172.16.0.250(firewall interface)->destination 172.16.8.0/23 (vlan 8 in L3)->forward to 172.16.0.254/21 (vlan 1 ip on L3)

using this i can not able to ping vlan 8 (172.16.8.1/23) but only problem is that i cannot able to ping the client connetce to vlan 8 (172.16.8.2/23)

any suggestion??

Switch#show run

Building configuration...

Current configuration : 2335 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Switch

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

system mtu routing 1500

ip subnet-zero

ip routing

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

interface FastEthernet0/1

switchport mode access

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

switchport access vlan 8

switchport mode access

!

interface FastEthernet0/9

!

interface FastEthernet0/10

switchport access vlan 10

switchport mode access

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface FastEthernet0/25

!

interface FastEthernet0/26

!

interface FastEthernet0/27

!

interface FastEthernet0/28

!

interface FastEthernet0/29

!

interface FastEthernet0/30

!

interface FastEthernet0/31

!

interface FastEthernet0/32

!

interface FastEthernet0/33

!

interface FastEthernet0/34

!

interface FastEthernet0/35

!

interface FastEthernet0/36

!

interface FastEthernet0/37

!

interface FastEthernet0/38

!

interface FastEthernet0/39

!

interface FastEthernet0/40

!

interface FastEthernet0/41

!

interface FastEthernet0/42

!

interface FastEthernet0/43

!

interface FastEthernet0/44

!

interface FastEthernet0/45

!

interface FastEthernet0/46

!

interface FastEthernet0/47

!

interface FastEthernet0/48

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface GigabitEthernet0/3

!

interface GigabitEthernet0/4

!

interface Vlan1

ip address 172.16.0.254 255.255.248.0

!

interface Vlan8

ip address 172.16.8.1 255.255.254.0

!

interface Vlan10

ip address 172.16.10.1 255.255.254.0

!

ip classless

ip http server

ip http secure-server

!

!

control-plane

!

!

line con 0

line vty 5 15

!

end

Switch#

-----------------------------------------------------

Switch#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

C       172.16.8.0/23 is directly connected, Vlan8

C       172.16.0.0/21 is directly connected, Vlan1

Switch#

I don't think you're going to have to much luck considering that the L2 switch can't do routing. Is the Plain switch a unmanaged dumb switch?

as of now i am not considering to do routing using l2 here i am using l3 switch.

we lan created on l3 once evey think is fine to extend the number of host i will connect l2 with l3 as a trunk.

as of now all host are conneted to the l3.

yes the plane switch is un managebale switch.

Hello,

This is to inform you that i have manage to fix the problem.

After doing routing on my firewall destination to newlaly cretaed vlan. i can manager to ping gateway of vlan.

since the interface is directally connected with firewall vlan interface is pinging.

for desktop connected to vlan i have creted a filter rule in firewall. after that its working fine..

we can able to ping all rdevices from both direction.

Thanks

I'm glad to hear it dipak. Getting it to work is always a good thing

Have a good one!