I would like to setup a vlan on our existing network. We have a 2800 used as an edge router connected to cat. 3750 used as a layer 3 switch. We have several other layer 2 switches connected to the 3750.
I have a subnet that will be used for the vlan, but I am not sure where to begin with the 3750 configuration. At this point I am not going to worry about DHCP for the vlan. Any tips or appropriate guides would be appreciated.
On the 3750
switch(config)# vlan 20
switch(config-vlan)# name v20
switch(config)# int vlan 20
switch(config-if)# ip address 192.168.5.1 255.255.255.0
switch(config-if)# no shut
Note that the above assumes
1) That your layer 2 switches are connected to your L3 switch via trunks and that they are VTP clients of the 3750. If they are in VTP transparent mode you will need to manually add vlan 20 to each Layer 2 switch you need it on.
2) That you want the 3750 to be responsible for routing for vlan 20.
U need to decide where u want u r router to be i.e u want u r router in one of the vlans then u need to assign it in one of the vlans.configure a default route in 3750 pointing it to the router and on router u need add routes for ur vlans subnets pointing it to the SVI of the vlan in which router is assigned.
Wait, what? Given the router is in vlan 1, I do not see a reason why I would also want it in the newly created vlan. Given the new vlan is being added to an existing setup, wouldn't the new vlan utilize the trunk port to go from layer 2 switch to the 3750 and out through the router?
if you have "ip routing" enabled on the 3750 then the switch should be routing between the L3 vlans. Your router just has to take care of the internet routing & specific routes to L3 subnets, or run a routing protocol between 3750 & router.
IP routing is enabled on the 3750. My assumption was that the router forwarded to the 3750, and the 3750 would see which vlan the packets need to go to based off a routing table.
You're assumption is correct. You don't need to change the router setup. But you will need to add a route to the router unless you are running a dynamic routing protocol between the 3750 and your router.
So if it was a static route using previous example on the router you would
ip route 192.168.5.0 255.255.255.0
Currently, all of our ACLs are configured on our firewall, which I did not mention previously. This would lead me to think that any ACLs I would configure for the new vlan would also be set on the firewall? I can see the default route of the router goes out to our isp, the default route of the firewall going to the ip of the router, but I cannot find anything on the 3750 in regards to a configured route.
So is your firewall between the router and the 3750 ?
Assuming it is if your 3750 is routing and you are not using a dynamic routing protocol between the 3750 and the firewall then you need to add a default route to the 3750
ip route 0.0.0.0 0.0.0.0
What is the output of a "sh ip route" on your 3750 ?
You are correct, the firewall is between the router and the 3750.
show ip route states that gateway of last resort is not set, no actual ip routes are listed.
Have you enable ip routing on the 3750 ?.
If not do you have an "ip default-gateway" set on the 3750.
On your clients in the existing vlan is the default-gateway set to the 3750 SVI or is it set to the inside firewall interface.
If you have no default-route on your 3750 then how does it know to send traffic onto the firewall ?
By the way if ip routing is not enabled don't just go and enable it as you need to be caerful. Come back with answers to above questions first.
Okay but do you have any active vlan interfaces on the 3750 because they should show up in a "sh ip route".
This is why you don't need any routes because the 3750 may be running ip routing but for your existing vlan the firewall is the default-gateway not the 3750 switch.
So do you want the firewall to continue routing for the existing vlan or do you want to move this to the 3750.
Regardless of that you must have a L3 vlan interface in the same vlan as the inside firewall interface with an ip address out of that subnet. Because when you add your new vlan if you want to route it off the 3750 you will need to do 2 things
ip route 0.0.0.0 0.0.0.0
ip route 192.168.5.0 255.255.255.0
Note that the vlan ip address is not the new vlan ip address of 192.168.5.1 but the vlan ip address of the exsiting vlan interface.
Does this make sense ?
Should I expect to see an active vlan interface given none are configured, just the default of vlan 1? I may have been misleading in mentioning an existing vlan, because I was refering to vlan 1.
That being said, I do not know if your line of questioning would change. If so, disregard the following.
I would like to continue routing for vlan 1 with the firewall. Would it be possible to use the firewall to route for the new vlan, or will the 3750 have to be used?
It depends. Does your firewall support 802.1q trunking or do you have a spare interface on your firewall.
If either of the above then yes you could route the new vlan off the firewall if you want to.
With either of the above you do not need to create a L3 vlan interface on the 3750 for the new vlan.
If you don't have spare interfaces but you can run 802.1q on your firewall then you will need to reconfigure the firewall and the switch to some extent.
Our firewall is an ASA 5510, so yes, it does support 802.1q trunking. Will I have to create a subinterface of the inside interface of the ASA given it has the ip address of 172.20.4.1, and then apply the new subnet for the new vlan to the subinterface?
On a side note, am I incorrect in thinking that the 3750 does any routing, meaning the firewall is actually doing all the routing here?
Yes i believe you are right when you say that the 3750 is not doing any routing in your scenario. It could if you wanted it to but it doesn't look like it is at the moment.
Yes on the ASA you would need to create a subinterface for your existing vlan and one for the new vlan + you need to make the connection from the ASA to 3750 an 802.1q trunk link on the 3750.
I'm finding more pieces as we go here. There is a cat. 2948 switch between the firewall and the 3750. sh ip route shows Destination = 172.20.0.0 / Gateway = 172.20.5.253 / RouteMask = 0xffff0000 / Flags = U / Use = 9524 / Inerface = sc0. sc0 connects to the 3750 on GigabitEthernet 2/0/2 with the attributes of Switchport trunk encapsulation dot1q, duplex full, speed 1000. So, given this, will anything that needs configured be changed, and if so, what?
Okay 2948 is not L3 capable so that is purely a L2 switch only. What address is 172.20.5.253 ?
If it is connected the 3750 with a trunk what vlans are carried on that trunk.
It's difficult now to recommend what to do, you need to work out what this switch is doing. It might be for DMZ's and the vlans on it are routed off the ASA but that is just guess work. Best thing you can do is draw out the network concentrating on vlans, IP subnets, and which ports on the switches are in which vlan.
Edit - actually what is the exact model of the 2948 as i think some versions could route traffic.
sh int on the 2948G-GE-TX shows under sc0, vlan 1, inet 172.20.5.253 netmask 255.255.0.0 broadcast 172.20.255.255. 172.20.5.253 is the address I use to telnet into the switch. We do not utilize DMZs.
Okay, that is a L2 switch only so you need to understand why it is trunking to the 3750.
Is the connection to the firewall an access port ie. not a trunk link.
It almost sounds like the 3750 has been bought to either
a) route for all internal vlans
b) replace the 2948 but it depends on how many ports are already in use on the 3750 and the 2948.
Without drawing this out properly i would want to suggest a course of action.
I think I have everything mapped out correctly, but I will need to wait until users leave for lunch to verify the route of one cable.
Let me know if this sounds correct, the interface on the 2948, with the ip address of 172.20.5.253, is there because that switch does not support ip routing? Given it is a layer 2 switch, my next assumption is that layer 2 switches are not capable of ip routing because that cannot build an ip table to use with a routing protocol?
I am 98% certain this is how I network is laid out:
-Lines come in to a multilink on our router, 2800, and then go out FastEthernet 0/0 to the firewall.
-Line comes in on Ethernet 0/0, with a public IP, and then goes out on Ethernet 0/1, with a private IP, *to the 3750 (which are actually 2 3750's stacked)
-Line comes in at port 34 on the non-master 3750.
-Lines go out from the master 3750 to our other layer two switches**.
It seems as though our network was not setup with growth in mind, but instead as simple as possible, no trunks because everything is in the same default vlan, vlan 1.
*I physically traced the cable to the 3750, and then checked the 5 minute averages on all ports and noted that this port, 34, had the highest input average by far.
**The line that goes to the 2948 comes in at interface sc0 mentioned above. The other switches are not connected to the 3750 by an interface because they all have ip routing enabled.
Okay that makes sense.
To return to your issue you can either
1) route your new vlan off the firewall which is where you route vlan 1 at the moment. You would need to
i) change the link between the firewall and the 3750 to a trunk
ii) create subinterfaces for vlan 1 and your new vlan.
2) Move the inter-vlan routing to the 3750. To do this you would need to
i) make sure ip routing is enabled on the 3750.
ii) Assuming that all your clients in vlan have the default-gateway set to the firewall inside interface i would transfer this address to the vlan 1 interface on your 3750.
iii) I would then create another vlan purely for connecting your 3750 to the firewall.
iv) Add a default-route on the 3750 pointing to the firewall inside interface ie.
ip route 0.0.0.0 0.0.0.0
v) On the firewall add routes for vlan 1 and your new vlan pointing to the 3750 vlan interface you created for communication between your 3750 and the firewall.
Both will involve downtime.
1) requires less config but i would personally go for option 2) which gives you more flexibility in the future.
If you do go option 2 you need to make sure that migrating the inside interface IP address of the firewall to the 3750 will not affect any of the firewall functionality. It shouldn't really but you need to check.
It sounds like your network has evolved. There may be a reason why the firewall was used for vlan 1 routing and if these are security reasons then you may want option 1).
As i said though, all things being equal i would go with option 2.