I am extending my LAN behind the firewall, and for that I have configured a Cisco 3560 switch and have configured VLANs on it. A Layer 2 switch will connect to each of these VLANs.
I have configured ports 1 and 2 as trunk ports that belong to VLAN 1.
Now, in order to achieve inter-VLAN routing, when I make any port a routed port with the no switchport command, that port can no longer be seen in the VLAN as its member.
Can you please help with this.
At the moment there is only one subnet attached to the firewall's inside interface, but after this the firewall will connect to the Layer 3 switch through trunk ports and should have access to all subnets on all the VLANs, and the VLANs will access each other via switch routing.
1. In your config you do not use 'switchport trunk allowed ...' or VTP to prune VLANs from your trunks, therefore every time you add a VLAN by typing 'vlan x' in config mode, both trunks on gig0/1 and 0/2 will carry this new VLAN x.
2. Inter-VLAN routing is enabled by having 'ip routing' enabled.
Remember, in most cases 1 subnet = 1 VLAN (not always true, but good design).
So in your case you have:
1. subnet for FW
2. One or more subnets for users
Which totals at least 2 vlans (depends how many user subnets you want).
3. By default the 3560 will know how to route between all directly connected subnets. A directly connected subnet is known to the switch by creating a physical or virtual port with an IP address.
In your case here is what you can do to simplify it all:
a. create either a 'no switchport' port with an IP address or a separate VLAN for your FW. This effectively will be a P2P VLAN.
b. set up a default route pointing to the FW's inside IP
'ip route 0.0.0.0 0.0.0.0 '
c. set up switch virtual interfaces (SVIs) so the switch knows about directly connected user subnets:
ip address 192.168.1.1 255.255.255.0
Your trunk ports will now carry VLAN y down to your L2 switches; all you have to do is configure 'switchport access vlan y' on the user ports.
1. I used 192.168.1.1 as an example since it's a private IP address
2. I used 126.96.36.199 since most people use either the highest or the lowest IP in the subnet as the default gateway for the PCs
3. Make sure all PCs have their default gateway set to the IP address of the VLAN interface you created
PCs ARP for internet IP addresses after DNS lookups; the default gateway says 'that IP is out of your local subnet, so send it to me'. The default gateway (3560) looks in its routing table and sees that the internet is out a default route to the FW.
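The steps a to c above assembled into one 3560 configuration, as an added example that is not part of the original answer; the VLAN numbers (10 for the firewall P2P link, 20 for users), the 10.0.0.0/30 firewall subnet with the FW inside IP 10.0.0.1, and the interface names are assumptions:

```cisco
! Added example (not from the original post). Assumed: VLAN 10 = firewall P2P
! subnet 10.0.0.0/30 (FW inside = 10.0.0.1), VLAN 20 = users 192.168.1.0/24.
! Point 2 in the answer: turn on inter-VLAN routing
ip routing
!
vlan 10
 name FW-P2P
vlan 20
 name USERS
!
! Step a, variant 1: a dedicated P2P VLAN toward the firewall. The port
! stays a Layer 2 member of VLAN 10 and the IP lives on the SVI.
interface GigabitEthernet0/3
 description to-FW-inside
 switchport mode access
 switchport access vlan 10
!
interface Vlan10
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
! Step a, variant 2 would instead be 'no switchport' on Gi0/3 with
! 10.0.0.2/30 on the physical port; the port then leaves the VLAN table,
! which is the behaviour described in the question and is expected.
!
! Step c: SVI for the user subnet; PCs use 192.168.1.1 as their gateway
interface Vlan20
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Step b: default route to the firewall's inside IP
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Trunks to the L2 switches (point 1 in the answer): prune so only the
! user VLAN is carried instead of every VLAN created with 'vlan x',
! keeping the firewall P2P VLAN off the downstream switches.
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
!
! On each L2 switch, user ports: 'switchport access vlan 20'
```

Verify with 'show ip route' (the connected 10.0.0.0/30 and 192.168.1.0/24 plus the static default) and 'show interfaces trunk' (allowed VLAN list showing only 20).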