cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
987
Views
3
Helpful
11
Replies

Cross-VLAN Routing among 3550XLs

drumrb0y
Level 1
Level 1

I have a test network set up to emulate our production network topology and I'd like some assistance in configuring the VLANs. I have a 3550XL set up as the core switch, with a range of ports set to each of 3 VLANs; one port in each VLAN is connected to a PIX525 on the appropriate interface (Inside/Outside/DMZ).

The 'inside' trunk port is connected to a 3500XL which is in the same VTP domain as the core 3550; the host port is connected to the inside domain controller on the 'inside' VLAN, and the 3500 management VLAN matches the core 3550. The 'inside' host port is configured thus:

interface FastEthernet0/1

description Inside host

switchport access vlan 23

duplex full

speed 100

spanning-tree portfast

The trunk from the 'inside' switch to the core switch is configured thus:

interfaceGigabitEthernet0/1 description Trunk to Core

switchport trunk encapsulation dot1q

switchport mode trunk

The 'outside' trunk port is connected to a 3550XL which is in a DIFFERENT VTP domain as the core 3550; its host port is connected to an 'outside' host on it's own VLAN (but the VLAN ID matches the 'outside' VLAN ID in the core switch), and the management VLAN has a different IP address than the 'Inside' network's management VLAN.

The outside host port is configured thus:

interface FastEthernet0/1

description Inside host

switchport access vlan 21

duplex full

speed 100

spanning-tree portfast

The trunk from the 'outside' switch to the core switch is configured thus:

interface GigabitEthernet0/1

description Trunk to Core

switchport trunk encapsulation dot1q

switchport mode trunk

Issues:

- I can ping within the 3 different VLANs from host to PIX and vice versa, but not across VLANs. I know the 3550s are capable of cross-VLAN routing, but I'm missing something. I'd like anyone's help in determining what it is...

This is the config of the 'core' 3550 switch:

hostname 3550-24_CORE

!

ip subnet-zero

ip routing

ip host PIX a.a.1.254

ip domain-name test.x

ip name-server x.x.8.101

ip name-server y.y.1.101

!

spanning-tree mode pvst

spanning-tree extend system-id

spanning-tree uplinkfast

!

interface FastEthernet0/1

description Outside vlan

switchport access vlan 21

no ip address

duplex full

speed 100

spanning-tree portfast

!

interface FastEthernet0/2-7

-same

!

!

interface FastEthernet0/8

description DMZ

switchport access vlan 22

no ip address

duplex full

speed 100

spanning-tree portfast

!

interface FastEthernet0/9-12

-same

!

!

interface FastEthernet0/13

description INSIDE

switchport access vlan 23

no ip address

duplex full

speed 100

spanning-tree portfast

!

interface FastEthernet0/14-24

-same

!

!

interface GigabitEthernet0/1

description Trunk to OUTSIDE

switchport access vlan 21

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet0/2

description Trunk to INSIDE

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface Vlan1

description MANAGEMENT VLAN

ip address a.a.1.1 255.255.255.0

no ip route-cache

no ip mroute-cache

!

interface Vlan21 [outside]

ip address y.y.8.1 255.255.255.0

!

interface Vlan22 [DMZ]

ip address x.x.70.1 255.255.255.0

!

interface Vlan23 [inside]

ip address x.x.1.1 255.255.255.0

!

ip default-gateway a.a.1.1

ip classless

ip http server

!

The PIX currently is configured wide-open (i.e., permit any any) on all 3 interfaces, but doesn't even register a hit-count when pings are attempted.

I'm a newbie starting out in an enterprise-scale agency; time to sink or swim!

Thanks for all who assist.

11 Replies 11

vmiller
Level 7
Level 7

A pix won't "route" traffic. it can listen to RIP updates, but not much else. If your 3550's are just running the layer 2 image, your toast.

Originally, I had a 4006 with a SupII engine as the core switch; as they don't do L3 routing, I was toast already...unless I missed something there.

I had posted a previous message asking how exactly does a PIX permit traffic between subnets(VLANs), but got no replies. In theory as far as I know, the 3550 can route traffic between the VLANs, leaving the PIX completely bypassed - but then, where would the function of the PIX be? I'm still working on cross-VLAN connectivity right now...the PIX will be the next step - and I'll probably post again about it :-P

subbarao.s
Level 1
Level 1

Hello,

I assume you are using Catalyst 3550 L3 Switch as core switch (Does not matter whether you have SMI or EMI Image in it)

What is the default gateway of hosts of respective segments? is it PIX address or L3 Switch SVI address? If it is PIX address, you cant expect inter VLAN routing by Cat3550.

Then you may also need to reconsider the switch VLAN trunk policy. trunk configuration does not seems to be consistant. Please verify the trunk status also from either end.

-Subba

Thank you for your reply;

Yes, I'm using a Cat 3550 Switch as the core switch as well as one for the "outside core" switch that is trying to communicate with the "inside" network across a trunked port.

I changed the hosts' default-gateways to the ip of it's respective VLAN on it's "core" switch, and the default-gateway of the inside edge switch (a 3500XL) to the management VLAN ip on the core. I can now ping across VLANs, but only within each 3550's VTP domain.

My final hurdle will be to get the 2 separate VTP domains to route to each other's hosts. I have dot1q enabled on both trunk ports of the separate core switches, but I'm not sure if I should have the "inside" trunk tag all incoming traffic to VLAN 21 (the "outside" VLAN) or to leave it trunked.

I guess the whole question now is, how do I get 2 separate VTP domains to communicate across a trunked port...

the only way i know of to get VTP domains to communicate would be routing. Or, make em one big domain. If you have the emi code. configure routing,

As far as the Pix goes, its a packet inspection device (firewall) You have to tell it what to let in,

OK... I know the 3550s can do L3 routing - any config lines that can help me along?

I'm really not sure how routing and VLANs mix...still trying to wrap my brain around that one.

depends on the values for a.a y.y and x.x in your previous posts, and what masking you are using.

If we assume that your network address is 172.16

you can add a line or 2 for running RIP.

in config mode, router rip

version 2

network 172.16.0.0

that should get you running.

as far as roting and vlans go, remember a vlan is a layer 2 concept. you can assign ports to a vlan, and that puts them in the same broadcast domain. you can then route those vlans, just like normal.

get your hands on kennedy clarks cisco lan switching,

its a good read.

calvinie2001
Level 1
Level 1

hi ,

you need to active your ip routing in sw3550

and if still no good . try this

1> ip routing

2> create a vlan interface for each vlan

3> set up a routing pro like ospf to route

All 3 VLANs use different network addresses (i.e.,VLAN1=192.168.0.0, VLAN21=172.16.1.0, VLAN22=15.15.1.0, VLAN23=20.20.1.0) and all have /24 masks; VLAN1 is the mgmt. VLAN, and all have virtual interfaces with addresses.

The core 3550 has >ip routing in the config and I can now ping to each VLAN from the core switch (even across to the outside vtp domain), but I can't ping to different VLANs from the host PCs on the differing VLANS - they are still restricted to their own subnets.

Can you give me some config examples to tweak the routing on the 3550 so that the respective hosts can ping each other...

OR...will static address translation in the PIX provide the inside host with an IP address on the outside subnet?

I would strongly consider re thinking your IP addressing. you have 4 completely different networks.

Otherwise your will need either 4 network statements

or 4 static routes.

The addresses are not "real"...but yes, I have 4 completely separate networks, each in its own VLAN..."Inside", "Outside", "DMZ" and "Management"...that setup duplicates what we have in production, but in smaller scale, actually.

My project is to implement a PIX525, running a v6.3 image, to act as the firewall between each VLAN; each interface on the PIX is connected to the core switch (the 3550) on a port assigned to the corresponding VLAN; I'm working on getting the host in each network to ping THROUGH the PIX and out to the other networks, based on the access-list permits and address translations.

My issue is that even without the PIX in place, the core 3550 should route traffic between VLANs (and the different networks)..and it it NOT. The core switch can ping out to all networks (being the vtp server) and hosts can ping the core switch, but the hosts on each network cannot ping PAST the core switch to OTHER networks (VLANs).

I've been working this all week and I feel like I'm running in circles with the configs...

Review Cisco Networking for a $25 gift card