
New Member

Routing on IOS 12.2(55)se3 C3560X

I have 2 VLANs for practical purposes: 10 - 10.10.10.x/24 and 20 - 10.10.20.x/24. I have each VLAN connected to my firewall with a gateway on each port to its corresponding VLAN, e.g.

10.10.10.1/24 (Vlan10) and my FW interface (10.10.10.254)

10.10.20.1/24 (Vlan20) and my FW interface (10.10.20.254)

I have each port facing the FW set up as static access vlan xx - no trunking.

I had removed the default gateway because both VLANs need to go to their respective interfaces without trunking. In Packet Tracer using an older switch this works without any issue. On these switches (C3560X with IOS 12.2(55)SE3) it does not, so I had added the following routes:

0.0.0.0 0.0.0.0 10.10.10.254

0.0.0.0 0.0.0.0 10.10.20.254

I thought this would basically push the packets to their respective gateways, but this did not work as expected and it kept creating 10.10.20.254 as the gateway. This configuration would allow VLAN 20 out to the internet, and VLAN 10 would keep going to the wrong interface. I had removed the last route, but this did not allow VLAN 10 out.

Gateway of last resort is 10.10.20.254 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 3 subnets

C       10.10.10.0 is directly connected, Vlan10

C       10.10.20.0 is directly connected, Vlan20

C       10.10.50.0 is directly connected, Vlan50

S*   0.0.0.0/0 [1/0] via 10.10.20.254

Is there a way on this OS to statically define routes so that VLAN 20 only goes out to gateway 10.10.20.254 and VLAN 10 to 10.10.10.254? I had thought by default the switch would allow this, but it would appear as if I am missing something with this IOS version.

I tried to add routes and it did not work - see below:

(config)#ip route 10.10.10.1 255.255.255.0 10.10.10.254

%Inconsistent address and mask

I thought the default behavior of VLANs was to communicate within their own subnet, which would explain why this does not work. So, without sounding redundant, my VLANs are not going out through their respective ports. I do have VLAN 10 set up with Spanning Tree as it is the management network; however, it has a server on it that needs access to the internet (jump box). I had made sure that the outbound port was not disabled by STP. Any help would be appreciated.

6 REPLIES
New Member

Routing on IOS 12.2(55)se3 C3560X

Hi Anthony

0.0.0.0 0.0.0.0 10.10.20.254 - this is your default route; ideally you are only going to have one default route.

If you know the destination address you can force the traffic through the second hop 10.10.20.254.

Using the command ip route 192.168.1.1 255.255.255.255 10.10.10.254 (try using this one).

Another way of doing that is to create the VLAN on your firewall (which means the firewall will be the gateway and you would have the same VLAN ID configured on your switch as L2); you would normally use this design for a DMZ.

I hope this answers your question.

New Member

Routing on IOS 12.2(55)se3 C3560X

Ideally I wanted to skip having any type of gateway of last resort or routes entirely and just have 2 collision domains, VLAN 10 and 20, only communicating with their respective gateways on the firewall. I have noticed that using that configuration does not produce the results I was expecting with older OSes. Can I be missing something? I thought that this is basic switching 101.

Vlan 10 - ip addr 10.10.10.1 255.255.255.0 communicates with firewall gateway 10.10.10.254

Vlan 20 - ip addr 10.10.20.1 255.255.255.0 communicates with firewall gateway 10.10.20.254

This would eliminate packets going to the wrong interface by having a dedicated interface on the same subnet as the next highest number, but it seems to not be working as expected. What do you think could be causing this issue?

New Member

Routing on IOS 12.2(55)se3 C3560X

I am a bit confused here.

1> If I am not wrong, you can ping 10.10.10.254 and 10.10.20.254 from the switch? If yes, proceed to option 2.

2> If you are trying to ping the firewall 10.10.10.254 from source address 10.10.10.1, you are only going to go over the interface that connects to the firewall that is tagged with VLAN ID 10.

3> If you are trying to ping the firewall 10.10.20.254 from source address 10.10.10.1, there is a possibility you will see traffic on both interfaces, as you can see some broadcast traffic generated.

To choose the source address (when pinging from the switch):

Example:

ping 10.10.10.254 source 10.10.10.1

Re: Routing on IOS 12.2(55)se3 C3560X

Do the hosts on the Vlans have the proper gateway set? That's really the question. The firewall should route for you.

Sent from Cisco Technical Support iPad App

Re: Routing on IOS 12.2(55)se3 C3560X

The default gateway is used to route administrative packets from the switch. You don't have to set default routes if the 3560 isn't routing for you (which it can), but you should set a default gateway in the same subnet as the administrative interface of the switch. If you want to make sure the 3560 doesn't route, issue no ip routing at the global config level.

Sent from Cisco Technical Support iPad App

New Member

Re: Routing on IOS 12.2(55)se3 C3560X

It would stand to reason that pinging an unknown destination of 8.8.8.8 would force the traffic through a different interface because of the following route:

0.0.0.0 0.0.0.0 10.10.20.254

Vlan 10 is set up and directly connected to 10.10.10.254 on the firewall, and why it won't route out must be because of the gateway of last resort.

1. I am thinking of putting a next-hop ACL on VLAN 10 forcing all its traffic through 10.10.10.254.

2. I would like to have static routes defined, but with the below routes the packets seem to hit both interfaces:

0.0.0.0 0.0.0.0 10.10.10.254

0.0.0.0 0.0.0.0 10.10.20.254

--Any ideas on how to approach this? Everything was working well when I had created a separate VLAN and trunked it into one interface on the firewall. From a security standpoint, separating server traffic and management traffic (avoid VLAN hopping or forged VLAN packets) was good, but so far it has been daunting. I am thinking it could be the firewall, but then again it is probably because of my routes.
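Added example, not from the thread or from Cisco: a small Python model of why the routes discussed above behave the way the posters describe. The forwarding table is looked up on the destination address only, so a VLAN 10 host bound for 8.8.8.8 follows the single default route to 10.10.20.254; two equal default routes are both candidates for the same destination (the "hits both interfaces" symptom); and only a source-based policy, modelling the route-map idea in item 1, ties each VLAN to its own firewall interface. The table, the hypothetical POLICY dictionary and the host addresses are constructed from the thread's values.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s)


# Constructed routing table mirroring the "show ip route" output in the thread.
# Entries: (prefix, next hop, interface); a next hop of None means directly connected.
CONNECTED = [(net("10.10.10.0/24"), None, "Vlan10"),
             (net("10.10.20.0/24"), None, "Vlan20"),
             (net("10.10.50.0/24"), None, "Vlan50")]
ONE_DEFAULT = CONNECTED + [(net("0.0.0.0/0"), "10.10.20.254", "Vlan20")]
# The second default route the poster tried to add.
TWO_DEFAULTS = ONE_DEFAULT + [(net("0.0.0.0/0"), "10.10.10.254", "Vlan10")]

# Hypothetical source-based policy (assumption, models what a PBR route-map on each
# SVI would add): off-subnet traffic from a VLAN goes to that VLAN's firewall interface.
POLICY = {net("10.10.10.0/24"): "10.10.10.254",
          net("10.10.20.0/24"): "10.10.20.254"}


def fib_lookup(dst, routes):
    """Longest-prefix match on the destination only; the source is never consulted.
    Returns every next hop tied at the longest prefix (equal-cost candidates)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return []
    longest = max(r[0].prefixlen for r in matches)
    # Directly connected destinations are reached via the destination itself.
    return sorted((r[1] or str(dst)) for r in matches if r[0].prefixlen == longest)


def forward(src, dst, routes, policy=None):
    """Next hops chosen for a packet from src to dst. Locally connected destinations
    are delivered directly; otherwise the policy (if any) overrides the FIB."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in c[0] for c in CONNECTED):
        return [str(dst_ip)]
    if policy:
        for subnet, next_hop in policy.items():
            if src_ip in subnet:
                return [next_hop]
    return fib_lookup(dst, routes)
```

With only destination-based routes, forward("10.10.10.5", "8.8.8.8", ONE_DEFAULT) still returns the VLAN 20 firewall address, which is exactly the symptom in the thread.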
