Cisco Support Community

layer 2 layer 3 vlan cisco 3750

Hello, we have a 3750 Cisco switch and need to build a setup with 2 VLANs.

VLAN 10 with subnet 172.16.20.0/24; the gateway IP address is 172.16.20.1, which is on the firewall, which is connected to uplink port eth 1/1 on the 3750.

VLAN 20, 10.10.10.0/24, with gateway 10.10.10.1 on this 3750 switch.

I understand we need to create a Layer 2 VLAN for VLAN 10 and a Layer 3 VLAN for VLAN 20, but I was not sure what config I need to put in. If anyone can help, that would be great.

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

Amit

Do you need vlan 10 to have its gateway as the firewall?

It would be more logical to have both vlans routed on the 3750 and then have a separate connection to the firewall.

Is it for security reasons ?

Also is it just one firewall or a pair ?

If you could clarify we can help you with the config.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Hello Jon,

We have one firewall; it is not a pair.

And we are asked to use the firewall interface for VLAN 10. Can we still configure Layer 3 for both VLANs on the 3750? If not, what would be the suggested solution?

Regards

Amit

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

Amit

You can use the firewall for vlan 10 but that means for traffic between the two vlans you will need to send traffic back out of the same interface on the firewall, ie.

PC1 in vlan 10 has its default gateway set to the firewall inside interface. If PC1 sends traffic to PC2 in vlan 20 then the traffic goes to the firewall and then has to be sent back out of the same interface to the 3750.

Do you know if your firewall can do this and are you okay with configuring that ?

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Hello ,

Yes, our firewall can do that; we are OK with this config.

Regards

Amit

Hall of Fame Super Blue

Re: layer 2 layer 3 vlan cisco 3750

Amit

On the 3750 -

1) enable ip routing if it isn't already ie. -

switch(config)# ip routing

2) create both vlans at L2

switch(config)# vlan 10

switch(config)# vlan 20

3) create L3 SVIs for both vlans eg.

int vlan 10

ip address 172.16.20.x 255.255.255.0   <-- where x is an unused IP

no shut

int vlan 20

ip address 10.10.10.1 255.255.255.0 

no shut

4) add a default route pointing to the firewall -

ip route 0.0.0.0 0.0.0.0 172.16.20.1

then on the firewall you need to add a route for vlan 20; if it is an ASA it would look like -

route inside 10.10.10.0 255.255.255.0 172.16.20.x   <-- next hop is the 3750 vlan 10 SVI address

the default gateway for clients in vlan 10 is still the firewall. The vlan 10 SVI on the 3750 is only used to route to and from vlan 20 clients.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Really sincerely appreciate your help on this Jon. One quick query: I need to keep the PC default gateways as below

PC1 VLAN 10: 172.16.20.1          <------ which is the firewall

PC2 VLAN 20: 10.10.10.1        <--------- which is the 3750

Also, is this a standard solution or a workaround?

regards

Amit

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

The "standard" solution is, as I say, to route both vlans on the 3750 and only send traffic to the firewall for the internet.

With this solution you use a separate subnet for connectivity between the 3750 and the firewall.

But you said you had to have the default gateway of the clients in vlan 10 be the firewall, so I adjusted the configuration accordingly.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Just wanted to know: if we want to use the standard solution with both subnets, VLAN 10 and VLAN 20, do we need another subnet for a P2P link between the 3750 and the firewall? It would be a great help if you can share the config for it.

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

Amit

If you wanted to do that then you can use the same config as before but it would mean readdressing the inside interface of your firewall plus some modifications to the routing. So using the original config i posted -

1) use a new subnet for the 3750 to firewall connection. As you only have one firewall then you can use a L3 routed link eg.

3750

====

int gi0/0 <-- this connects to the firewall

no switchport

ip address 192.168.5.1 255.255.255.252

firewall

======

the inside interface then needs to use the IP address 192.168.5.2 255.255.255.252

2) you need to update the routing -

3750

====

replace the existing default route with -

ip route 0.0.0.0 0.0.0.0 192.168.5.2

firewall

=======

you need routes for both subnets now eg.

route inside 172.16.20.0 255.255.255.0 192.168.5.1

route inside 10.10.10.0 255.255.255.0 192.168.5.1

3) finally the default gateway of the vlan 10 clients should point to the 3750 L3 vlan 10 interface.

Note, if you do not want to readdress the firewall interface then you can use the existing vlan 10 subnet for the connection from the 3750 to the firewall and then use a new IP subnet for vlan 10. If all the clients used DHCP this may be easier, but it may not be.

You would need to modify the config accordingly if you did that.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Thanks Jon. One more thing: in the first solution I need to put the trunk port config on the 3750, right?

Gi0/0 connects to the firewall

int gi0/0 <-- this connects to the firewall

no switchport

switchport mode trunk allowed all

Is that right?

regards

Amit

Hall of Fame Super Blue

Re: layer 2 layer 3 vlan cisco 3750

Amit

No it is not a trunk unless you want to route both vlans off the firewall.

If you do then the configuration needs changing but you said you wanted to route vlan 20 on the 3750.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

That's right, I want to keep VLAN 20 Layer 3 on the 3750.

So is the below the only configuration I need to do on the 3750 on the port which connects to the firewall?

int gi0/0 <-- this connects to the firewall

no switchport

regards

Amit

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

Amit

It depends on whether you are routing vlan 10 on the firewall or not.

You wouldn't do "no switchport" if you are routing vlan 10 on the firewall.

Please be specific in what you want as it keeps changing and it's not clear what you want.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Apologies for the confusion and for taking your time.

Just wanted to know, with the below config which was prepared the first time, what configuration I need to give on interface gi0/0 which connects to the firewall. Thanks.

----------------------------------------------------

1) enable ip routing if it isn't already ie. -

switch(config)# ip routing

2) create both vlans at L2

switch(config)# vlan 10

switch(config)# vlan 20

3) create L3 SVIs for both vlans eg.

int vlan 10

ip address 172.16.20.x 255.255.255.0   <-- where x is an unused IP

no shut

int vlan 20

ip address 10.10.10.1 255.255.255.0

no shut

4) add a default route pointing to the firewall -

ip route 0.0.0.0 0.0.0.0 172.16.20.1

then on the firewall you need to add a route for vlan 20; if it is an ASA it would look like -

route inside 10.10.10.0 255.255.255.0 172.16.20.x   <-- next hop is the 3750 vlan 10 SVI address

the default gateway for clients in vlan 10 is still the firewall. The vlan 10 SVI on the 3750 is only used to route to and from vlan 20 clients.

------------------------------

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

Amit

No problem.

The gi0/0 interface should be in vlan 10 ie.

int gi0/0

switchport

switchport mode access

switchport access vlan 10

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Thanks a lot Jon, appreciate your time.

regards

amit

New Member

layer 2 layer 3 vlan cisco 3750

Hi Jon,

It looks like Amit may be looking for a config which is similar to RoA. Instead of a router they have got a firewall here.

Amit, you may need to use the below config on your switch and need to check with your FW team on the config at their end.

vlan 10

vlan 20

interface Ethernet1/1

description ** Trunk, to FW Inside interface**

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10,20

switchport mode trunk

speed 100

duplex full

ip default-gateway 172.16.20.1 or ip route 0.0.0.0 0.0.0.0 172.16.20.1

on Firewall end

And they need to have an L3 SVI interface created; the config is to be checked with the FW team as it may change according to vendor.

int e1/1.10  -->

encapsulation dot1q 10

ip address 172.16.20.1/24

int e1/1.20

encapsulation dot1q 20

ip address 10.10.10.1/24

By the above config, routing of VLANs will happen at the firewall.

Hope this helps.

Hall of Fame Super Blue

Re: layer 2 layer 3 vlan cisco 3750

vlan 10 with subnet 172.16.20.0/24; gateway IP address is 172.16.20.1, which is on the firewall, which is connected to uplink port eth 1/1 on the 3750

vlan 20 10.10.10.0/24 with gateway 10.10.10.1 on this 3750 switch

If you look at the above from the original post it clearly states that vlan 20 should be routed on the L3 switch.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Then it should work in the below way

vlan 10

vlan 20

create L3 SVIs for both vlans

int vlan 10

ip address 172.16.20.254 255.255.255.0

int vlan 20

ip address 10.10.10.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.16.20.1

If firewall is connected to G0/0 then

int g 0/0

switchport

switchport mode access

switchport access vlan 10

This should work for Amit as he has got all VLAN 10 PCs with the DG as the firewall, and VLAN 20 PCs will have routing in the L3 switch itself.

Any inter-VLAN routing between VLAN 10 and VLAN 20 will happen within the L3 switch itself. Correct me if I am wrong.

Hall of Fame Super Blue

Re: layer 2 layer 3 vlan cisco 3750

Any inter vlan routing between vlan 10 and vlan 20 will happen within L3 switch itself.

No it won't and that wasn't what was asked for. 

The requirement was to have vlan 10 routed on the firewall and vlan 20 routed on the L3 switch.

So the default gateway for vlan 10 clients is the firewall and the default gateway for vlan 20 clients is the L3 switch.

The routing between the vlans has to go via the firewall and is not done directly on the L3 switch.

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Sorry, it's my bad... I am confused. You are right. If my understanding is correct, in this scenario when any PC in VLAN 20 wants to communicate with a PC in VLAN 10, the packet and process flow will be as below. Correct me if I am wrong.

Step 1: The PC in VLAN 20 will build the ARP request with src IP (10.10.10.10), src MAC (abcd.efgh.xyzq), dest IP (172.16.20.20) and dest MAC (ffff.ffff.ffff).

Step 2: As the PC in VLAN 20 does its calculation and understands that the dest IP is not in its subnet, it forwards the packet to its default gateway, which is 10.10.10.1. An ARP reply will be sent from the router with the dest MAC as the router interface MAC; in this case the SVI (int VLAN 20) will respond and the packet is forwarded to the next hop based on the routing table entry. In this case it will take the default gateway, which is 172.16.20.1.

Step 3: As the packet reaches the firewall or another router, in this case the firewall, the packet is decapsulated and it checks for the dest IP in the routing table. Then it checks the ARP table and follows the same process till it reaches the destination PC in VLAN 20.

Is my understanding correct?

Hall of Fame Super Blue

Re: layer 2 layer 3 vlan cisco 3750

Is my understanding correct?

Almost.

Step 1 and 2 are mixed up though, ie. -

The PC in vlan 20 does its calculation and realises the dst IP is in a different subnet. So it then builds the ARP request for its default gateway (assuming it doesn't already have it, which it probably will).

So the vlan 20 PC's ARP request will never have the dst IP of 172.16.20.20, ie. it must be 10.10.10.1 (the vlan 20 SVI IP address) as the PC is simply trying to get a mac address for the default gateway. When the packet is sent from the PC it will be -

src mac = PC in vlan 20

dst mac = vlan 20 SVI

src IP = PC1 IP address

dst IP =  PC in vlan 10

Does this make sense ?

Jon

New Member

layer 2 layer 3 vlan cisco 3750

Yeah... you are right. Here in this case the ARP table for PCs in VLAN 20 is managed/maintained in the L3 switch, and the MAC address table is also maintained in the L3 switch (3750).

If my understanding is correct, for PCs in VLAN 10 the entire ARP table is managed by the firewall but the CAM table (MAC addresses) is managed by the L3 switch.

Is my above understanding correct?

In this case, does the L3 SVI of VLAN 20 know to reach the firewall by the default route, and is the reverse path for the firewall known through the static route? Is that right? Correct me if I am wrong again.

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

Actually no, it won't work like that because traffic will be routed by the switch directly to the vlan 10 clients.

So my mistake, and I can understand where your confusion is coming from.

So if a PC in vlan 20 sends a packet to a PC in vlan 10 it will be routed directly to the client in vlan 10 and not via the firewall.

The return traffic will be routed via the firewall because that is the default gateway for the vlan 10 clients.

Good spot, and I need to update this thread.

The only way to get this to work in terms of all traffic going via the firewall for vlan 10 is to not have a vlan 10 SVI on the switch, which means you need subinterfaces on the firewall because you need a new subnet to route between the firewall and the switch which is not in vlan 10.

Let me update the thread and then if you still have any other queries I'll address those.

Thanks for all the questions, it has made me realise the solution I proposed won't work as well as intended.

Jon

Hall of Fame Super Blue

layer 2 layer 3 vlan cisco 3750

Amit

Apologies but the solution I proposed doesn't work as intended. The problem is traffic from a PC in vlan 20 to a PC in vlan 10 will be routed directly by the switch and will not go to the firewall.

The return traffic would go via the firewall because that is the default gateway of the vlan 10 clients.

So you can either -

1) route both vlans off the firewall

or

2) if you still want to route only vlan 20 on the L3 switch but make sure any traffic both ways between vlan 10 and vlan 20 go via the firewall then you need to -

1) remove the SVI for vlan 10 from the L3 switch

2) create a new vlan/IP subnet used for the L3 switch to ASA connection

3) if you have a spare interface on the firewall run a new connection back to the L3 switch and allocate the port on the L3 switch into the new vlan

if you do not have a spare interface on the firewall then you will need to use subinterfaces on the firewall interface and make the link to the 3750 a trunk link which allows only vlan 10 and the new vlan

4) create an SVI for the new vlan on the L3 switch and give it an IP.

5) allocate an IP to the new interface or subinterface on the firewall

6) point the default route on the L3 switch to the IP in 5)

7) add a route for vlan 20 on the firewall pointing to the IP in 4)

this way all traffic between vlan 10 and vlan 20 will have to go via the firewall in both directions.

Once again apologies for the mistake.

Jon
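The asymmetry Jon describes in his last two posts (forward traffic from vlan 20 routed straight to vlan 10 by the 3750, return traffic going via the firewall) is easy to see if you model the routing tables of the first config and of his corrected option 2 side by side. The following is an added example, not code from the thread; it assumes host addresses 172.16.20.20 (vlan 10) and 10.10.10.10 (vlan 20), an SVI address of 172.16.20.254 for the first design, a transit subnet 192.168.5.0/30 in a hypothetical vlan 99 for the second, and an outside address 203.0.113.2 on the firewall.

```python
"""Added example (not from the thread): L3 forwarding simulator for the two
designs discussed, showing which one keeps the firewall in both directions.

Assumed, not stated in the thread: pc10 = 172.16.20.20, pc20 = 10.10.10.10,
3750 vlan 10 SVI = 172.16.20.254, transit vlan 99 = 192.168.5.0/30,
firewall outside = 203.0.113.2."""
import ipaddress
from dataclasses import dataclass, field


def iface(s): return ipaddress.ip_interface(s)
def net(s): return ipaddress.ip_network(s)
def ip(s): return ipaddress.ip_address(s)


@dataclass
class Node:
    """One L3 device: interface addresses plus static routes, longest-prefix match."""
    name: str
    interfaces: dict                             # iface name -> IPv4Interface
    routes: list = field(default_factory=list)   # [(IPv4Network, next-hop IPv4Address)]

    def lookup(self, dst):
        best = None  # (prefixlen, ("connected", iface) or ("via", next_hop))
        for ifname, addr in self.interfaces.items():
            if dst in addr.network and (best is None or addr.network.prefixlen > best[0]):
                best = (addr.network.prefixlen, ("connected", ifname))
        for prefix, nexthop in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0]):
                best = (prefix.prefixlen, ("via", nexthop))
        return best[1] if best else None


class Topology:
    """L3 view only: a vlan 10 host reaching the firewall across the 3750 at L2
    is one hop here, because the switch makes no routing decision for it."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.owner = {a.ip: n.name for n in nodes for a in n.interfaces.values()}

    def host_ip(self, host):
        return self.nodes[host].interfaces["eth"].ip

    def path(self, src, dst_ip, max_hops=8):
        """Names of the devices a packet from host `src` to `dst_ip` passes through."""
        dst = ipaddress.ip_address(dst_ip)
        cur, hops = self.nodes[src], [src]
        for _ in range(max_hops):
            decision = cur.lookup(dst)
            if decision is None:
                raise RuntimeError(f"{cur.name} has no route to {dst}")
            kind, target = decision
            nxt = self.owner[dst] if kind == "connected" else self.owner[target]
            hops.append(nxt)
            if kind == "connected":
                return hops
            cur = self.nodes[nxt]
        raise RuntimeError("routing loop")


def design_a():
    """Jon's first config: vlan 10 SVI on the 3750, firewall still the vlan 10 gateway."""
    return Topology([
        Node("pc10", {"eth": iface("172.16.20.20/24")}, [(net("0.0.0.0/0"), ip("172.16.20.1"))]),
        Node("pc20", {"eth": iface("10.10.10.10/24")}, [(net("0.0.0.0/0"), ip("10.10.10.1"))]),
        Node("3750", {"vlan10": iface("172.16.20.254/24"), "vlan20": iface("10.10.10.1/24")},
             [(net("0.0.0.0/0"), ip("172.16.20.1"))]),
        Node("firewall", {"inside": iface("172.16.20.1/24"), "outside": iface("203.0.113.2/24")},
             [(net("10.10.10.0/24"), ip("172.16.20.254"))]),
    ])


def design_b():
    """Jon's corrected option 2: no vlan 10 SVI; a transit vlan links the 3750 and firewall."""
    return Topology([
        Node("pc10", {"eth": iface("172.16.20.20/24")}, [(net("0.0.0.0/0"), ip("172.16.20.1"))]),
        Node("pc20", {"eth": iface("10.10.10.10/24")}, [(net("0.0.0.0/0"), ip("10.10.10.1"))]),
        Node("3750", {"vlan20": iface("10.10.10.1/24"), "vlan99": iface("192.168.5.1/30")},
             [(net("0.0.0.0/0"), ip("192.168.5.2"))]),
        Node("firewall", {"inside.10": iface("172.16.20.1/24"), "inside.99": iface("192.168.5.2/30"),
                          "outside": iface("203.0.113.2/24")},
             [(net("10.10.10.0/24"), ip("192.168.5.1"))]),
    ])


def classify_flow(topo, initiator, responder):
    """How a stateful firewall experiences a session opened by `initiator`."""
    fwd = topo.path(initiator, topo.host_ip(responder))
    rev = topo.path(responder, topo.host_ip(initiator))
    saw_fwd, on_rev = "firewall" in fwd, "firewall" in rev
    if saw_fwd and on_rev:
        return "inspected"       # both directions pass the firewall: policy applies
    if saw_fwd:
        return "half-inspected"  # reply bypasses the firewall: policy is one-sided
    if on_rev:
        return "dropped"         # reply hits the firewall with no session: discarded
    return "bypassed"            # firewall never sees the flow


if __name__ == "__main__":
    for label, topo in (("design A (vlan 10 SVI on 3750)", design_a()),
                        ("design B (transit vlan)", design_b())):
        print(label)
        for a, b in (("pc20", "pc10"), ("pc10", "pc20")):
            print(f"  {a} -> {b}: {' > '.join(topo.path(a, topo.host_ip(b)))}  [{classify_flow(topo, a, b)}]")
```

In design A a session opened from vlan 20 reaches vlan 10 without the firewall ever seeing it, and the reply then arrives at the firewall with no matching session, which is exactly how a stateful firewall drops it; a session opened from vlan 10 is inspected on the way out only. Design B puts the firewall on both legs. Two further caveats for design A that the simulator does not model: vlan 10 to vlan 20 traffic enters and leaves the same firewall interface, which on an ASA needs `same-security-traffic permit intra-interface`, and the 3750's own default route still sends its management traffic to the firewall via the vlan 10 SVI.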
