New Member

Intervlan Routing on Cisco 3560G Switch

Hi Team,

I am extending my LAN behind the firewall, and for that I have configured a Cisco 3560 switch and have configured VLANs on this. A Layer 2 switch will connect to each of these VLANs.

I have configured port 1 and 2 as trunk ports that belong to VLAN1.

Now, in order to achieve inter-VLAN routing, when I make any port a routed port with the no switchport command, that port can no longer be seen in the VLAN as its member.

Can you please help with this.

At the moment there is only one subnet attached to the Firewall inside interface but after this Firewall will connect to the Layer 3 Switch through Trunk ports and should have access to all subnets on all the vlans, and vlans will access each other via switch routing.

Please see the attached config

Thanks in advance.

Cisco Employee

Re: Intervlan Routing on Cisco 3560G Switch

Just to clarify a couple things:

1. trunks are L2 ports that carry multiple vlans.

In your config you do not use the 'switchport trunk allowed ...' or vtp to prune vlans from your trunks, therefore every time you add a vlan by typing 'vlan x' in config mode, both trunks on gig0/1 and 0/2 will carry this new vlan x.

2. Intervlan routing is enabled by having 'ip routing' enabled.

Remember, in most cases 1 subnet = 1 vlan (not always true, but good design).

So in your case you have:

1. subnet for FW

2. One or more subnets for users

Which totals at least 2 vlans (depends how many user subnets you want).

3. By default the 3560 will know how to route between all directly connected subnets. A directly connected subnet is known to the switch by creating a physical or virtual port with an IP address.

In your case, here is what you can do to simplify it all:

a. create either a 'no switchport' with ip address or a separate vlan for your FW. This effectively will be a P2P vlan

b. set up a default route pointing to the FW's inside IP

'ip route '

c. set up switch virtual interfaces (SVIs) so the switch knows about directly connected user subnets:


interface vlan

ip address

Your trunk ports will now carry vlan y down to your L2 switches, all you have to do is make 'switchport access vlan y'


1. I used as an example since it's a private IP address

2. I used since most people use either the highest or the lowest IP in the subnet as the default gateway for the PCs

3. Make sure all PCs have their default gateway set to the IP address of the vlan interface you created

Packet flow:

PCs ARP for the internet IP addresses after DNS lookups, default gateway says 'that IP is out of your local subnet, so send it to me'. Default gateway (3560) looks in its routing table and sees the internet is out a default route to the FW.
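A complete 3560 configuration for steps a, b and c above, as an added example that is neither the poster's attached config nor part of the reply; every address, VLAN number and interface is assumed and chosen for illustration only:

```cisco
! Constructed example: Catalyst 3560 inter-VLAN routing with a routed uplink to the firewall
! Assumed addressing: 192.168.0.0/30 switch-to-firewall link,
! 192.168.10.0/24 and 192.168.20.0/24 as two user subnets (one subnet = one VLAN)
ip routing
!
vlan 10
 name USERS-A
vlan 20
 name USERS-B
!
! a. Point-to-point link to the firewall inside interface as a routed port.
!    'no switchport' removes the port from any VLAN, which is expected: it is now L3.
interface GigabitEthernet0/3
 description To firewall inside interface
 no switchport
 ip address 192.168.0.2 255.255.255.252
!
! b. Default route to the firewall's inside IP (assumed 192.168.0.1).
!    The firewall needs matching routes back to 192.168.10.0/24 and
!    192.168.20.0/24 via 192.168.0.2, otherwise return traffic is dropped.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! c. SVIs make the user subnets directly connected; these are the PCs' default gateways.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
! Trunks down to the L2 access switches. The allowed list limits which VLANs
! each trunk carries (VLAN 1 kept as the native/management VLAN); without it,
! every VLAN created on the switch is carried automatically.
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
! Verification from exec mode:
!   show ip route            -> C 192.168.10.0/24, C 192.168.20.0/24, S* 0.0.0.0/0 via 192.168.0.1
!   show interfaces trunk    -> Gi0/1 and Gi0/2 with VLANs 1,10,20 allowed and active
!   show ip interface brief  -> Vlan10, Vlan20 and Gi0/3 up with the addresses above
```

On the access switches, user ports then get 'switchport access vlan 10' or 'switchport access vlan 20', and each PC's default gateway is the matching SVI address.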