topic layer 2 layer 3 vlan cisco 3750 in Switching

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Fri, 08 Mar 2019 02:32:22 GMT

hello we have a 3750 cisco switch , need to built a setup with 2 vlans

vlan 10 with subnet 172.16.20.0/24 gateway ip address is 172.16.20.1 which is on firewall which is connected to uplink port eth 1/1 on 3750

vlan 20 10.10.10.0/24 with gateway 10.10.10.1 on this 3750 switch .

I understand we need to create Layer 2 vlan for Vlan 10 and layer 3 vlan for Vlan 20 , but was not sure what config i need to put if any one can help will be great

layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 11:36:00 GMT

Amit

Do you need vlan 10 to have it's gateway as the firewall ?

It would be more logical to have both vlans routed on the 3750 and then have a separate connection to the firewall.

Is it for security reasons ?

Also is it just one firewall or a pair ?

If you could clarify we can help you with the config.

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 12:22:05 GMT

hello John ,

We have one firewall its not a pair ,

And we are asked to use the firewall interface for Vlan 10 , can we still configure layer 3 for both vlan on 3750 ? if not what will be suggested solution .

Regards

Amit

layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 12:37:19 GMT

Amit

You can use the firewall for vlan 10 but that means for traffic between the two vlans you will need to send traffic back out of the same interface on the firewall ie.

PC1 in vlan 10 has it's default gateway set to the firewall inside interface. If that PC1 sends traffic to PC2 in vlan 20 then the traffic goes to the firewall and then has to be sent back out of the same interface to the 3750.

Do you know if your firewall can do this and are you okay with configuring that ?

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 12:59:46 GMT

Hello ,

Yes our firewall can do that , we are ok with this config .

Regards

Amit

Re: layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 13:04:49 GMT

Amit

On the 3750 -

1) enable ip routing if it isn't already ie. -

switch(config)# ip routing

2) create both vlans at L2

switch(config)# vlan 10

switch(config)# vlan 20

3) create L3 SVIs for both vlans eg.

int vlan 10

ip address 172.16.20.x 255.255.255.0 <-- where x is unused IP

no shut

int vlan 20

ip address 10.10.10.1 255.255.255.0

no shut

4) add a default route pointing to the firewall -

ip route 0.0.0.0 0.0.0.0 172.16.20.1

then on the firewall you need to add a route for vlan 20 if it is ASA it would look like -

route inside 10.10.10.0 255.255.255.0

the default gateway for clients in vlan 10 is still the firewall. The vlan 10 SVI on the 3750 is only used to route to and from vlan 20 clients.

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 13:44:33 GMT

really sincerely appreicate your help on this Jon , one quick query I need to keep PC default gateway as below

PC 1 Vlan 10 172.16.20.1 <------which is the firewall

PC2 Vlan 20 10.10.10.1 <--------- which is 3750

Also is this standard solution or work around ?

regards

Amit

layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 13:48:39 GMT

The "standard" solution is as i say to route both vlans on the 3750 and only send traffic to the firewall for the internet.

With this solution you use a separate subnet for connectivity between the 3750 and the firewall.

But you said you had to have the default gateway of the clients in vlan 10 to be the firewall so i adjusted the configuration accordingly.

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 13:54:05 GMT

just wanted to know if we want to use standard solution with both subnets VLAN 10 and VLAN 20 , do we need another subnet for P2P link between 3750 and firewall . will be great help if you can share config for it

layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 14:01:48 GMT

Amit

If you wanted to do that then you can use the same config as before but it would mean readdressing the inside interface of your firewall plus some modifications to the routing. So using the original config i posted -

1) use a new subnet for the 3750 to firewall connection. As you only have one firewall then you can use a L3 routed link eg.

3750

====

int gi0/0 <-- this connect to the firewall

no switchport

ip address 192.168.5.1 255.255.255.252

firewall

======

the inside interface then needs to use the IP address 192.168.5.2 255.255.255.252

2) you need to update the routing -

3750

====

replace the existing default route with -

ip route 0.0.0.0 0.0.0.0 192.168.5.2

firewall

=======

you need routes for both subnets now eg.

route inside 172.16.20.0 255.255.255.0 192.168.5.1

route inside 10.10.10.0 255.255.255.0 192.168.5.1

4) finally the default gateway of the vlan 10 clients should point to the 3750 L3 vlan 10 interface.

Note, if you do not want to readdress the firewall interface then you can use the existing vlan 10 subnet for the connection from the 3750 to the firewall and then use a new IP subnet for vlan 10. If all the clients used DHCP this may be easier but it may not.

You would need to modfy the config accordingly if you did that.

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 14:25:32 GMT

Thanks Jon , One more thing , in the first solution I need to put the trunk port config on 3750 right ?

Gi0/0 connects to Firewall

int gi0/0 <-- this connect to the firewall

no switchport

switchport mode trunk aloowed all

is that right ?

regards

Amit

Re: layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 14:27:37 GMT

Amit

No it is not a trunk unless you want to route both vlans off the firewall.

If you do then the configuration needs changing but you said you wanted to route vlan 20 on the 3750.

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 14:43:53 GMT

Thats right want to keep vlan 20 layer 3 on 3750 .

So below is the only configration i need to do on 3750 on port which connects to firewall ?

int gi0/0 <-- this connect to the firewall

no switchport

regards

Amit

layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 14:46:41 GMT

Amit

It depends on whether you are routing vlan 10 on the firewall or not.

You wouldn't do "no switchport" if you are routing vlan 10 on the firewall.

Please be specific in what you want as it keeps changing and it's not clear what you want.

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 15:16:06 GMT

Apology for confusion and taking your time ,

Just wanted to know with below config which was prepaired for first time what configration i need to give on interface gi0/0 which connects to firewall please thanks

----------------------------------------------------

1) enable ip routing if it isn't already ie. -

switch(config)# ip routing

2) create both vlans at L2

switch(config)# vlan 10

switch(config)# vlan 20

3) create L3 SVIs for both vlans eg.

int vlan 10

ip address 172.16.20.x 255.255.255.0 <-- where x is unused IP

no shut

int vlan 20

ip address 10.10.10.1 255.255.255.0

no shut

4) add a default route pointing to the firewall -

ip route 0.0.0.0 0.0.0.0 172.16.20.1

then on the firewall you need to add a route for vlan 20 if it is ASA it would look like -

route inside 10.10.10.0 255.255.255.0

the default gateway for clients in vlan 10 is still the firewall. The vlan 10 SVI on the 3750 is only used to route to and from vlan 20 clients.

------------------------------

layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 15:18:46 GMT

Amit

No problem.

The gi0/0 interface should be in vlan 10 ie.

int gi0/0

switchport

switchport mode access

switchport access vlan 10

Jon

layer 2 layer 3 vlan cisco 3750

amit bhatnagar — Wed, 05 Mar 2014 15:20:52 GMT

thanks allot Jon appreciate your time

regards

amit

layer 2 layer 3 vlan cisco 3750

srprasaad_nj — Wed, 05 Mar 2014 15:55:16 GMT

Hi Jon,

It looks like amit may be looking for config which is simialr to RoA,. Instead of router they have got firewall here.

Amit, you may need to use the belwo cinfig on your switch and needto check with your FW team on the config at their end.

vlan 10

vlan 20

interface Ethernet1/1

description ** Trunk, to FW Inside interface**

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10,20

switchport mode trunk

speed 100

duplex full

ip default-gateway 172.16.20.1 or ip route 0.0.0.0 0.0.0.0 172.16.20.1

on Firewall end

And they need to have L3 SVI interface cretaed , config to be checkd with FW team as it may chnage according to vendor.

int e1/1.10 -->

encap dot1q 10

ip add 172.16.20.1/24

int e 1/1.20

encap dot1q 20

ip add 10.10.10.1/24

By the above config routing of VLAN's will happen at forewall.

Hope this hleps.

Re: layer 2 layer 3 vlan cisco 3750

Jon Marshall — Wed, 05 Mar 2014 15:59:02 GMT

vlan 10 with subnet 172.16.20.0/24 gateway ip address is 172.16.20.1 which is on firewall which is connected to uplink port eth 1/1 on 3750

vlan 20 10.10.10.0/24 with gateway 10.10.10.1 on this 3750 switch

If you look at the above from the original post it clearly states that vlan 20 should be routed on the L3 switch.

Jon

layer 2 layer 3 vlan cisco 3750

srprasaad_nj — Wed, 05 Mar 2014 16:15:02 GMT

Then it hsould work in theb elwo way

vlan 10

vlan 20

create L3 SVIs for both vlans

int vlan 10

ip address 172.16.20.x254255.255.255.0

int vlan 20

ip address 10.10.10.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.16.20.1

If firewall is connected to G0/0 then

int g 0/0

switchport

switchport mode access

switchport access vlan 10

This should work for amit as he has got all vlan 10 pc's with DG as firewall and VLAN 20 Pc's wiill have routign in L3 switch itself.

Any inter vlan routing between vlan 10 and vlan 20 will happen within L3 switch itself. Corretc me if I am wrong.