10-04-2011 01:42 PM - edited 03-04-2019 01:49 PM
Hello Community,
I am trying to configure my Catalyst switch as an internal router.
I want to route traffic between 4 different subnets.
192.168.200.0 /24
192.168.201.0 /24
192.168.202.0 /24
10.10.10.0 /24
Anyone have an idea how I can start?
Thanks in advance.
10-06-2011 01:11 PM
John
I'm not sure i follow this -
vlan2 - 10.10.10.222
vlan3 - 192.168.200.254
vlan4 - 192.168.202.222
what are the above gateways ?
If a server from my 10.10.10.0 network wants to talk to a server on my 192.168.200.0 network, it will get directed to 10.10.10.1 (the L3 switch) then the switch needs to route that traffic to the 192.168.200.0 vlan then the default gateway of the 192.168.200.0 subnet which is 192.168.200.254
I thought you wanted to use the L3 switch to route between vlans ? So the above should be -
server 10.10.10.x network sends packets to 10.10.10.1. The L3 switch then simply routes it onto the 192.168.200.x network and sends it to the 192.168.200.x server. There is no need for another gateway ie. there is no need for 192.168.200.254.
What you do is set the default-gateway for each device to the corresponding IP address of the vlan interface on the L3 switch so server in 10.10.10.x network would have a DG of 10.10.10.1 and the 192.168.200.x server would have a DG of 192.168.200.1 and then the L3 switch will simply route between these networks.
Note if you have DHCP or static IPs setup with the gateways you have listed above ie. 222/254 etc. then you can simply assign these IPs to the vlan interfaces on the L3 switches instead of the .1 addresses if this makes things simpler.
To test simply connect a device in one vlan to the switch and a device in another vlan and try pinging etc. Make sure if the devices have Windows firewall or similar you disable it temporarily for testing.
As for allocating ports to the correct subnet you have already done this on the L3 switch for a couple of ports eg -
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 4
switchport mode access
the "switchport access vlan
You should also add this command to each port - "spanning-tree portfast" ie.
int fa0/1
switchport mode access
switchport access vlan 2
spanning-tree portfast
If you connect another switch or a server using a trunk link to your L3 switch do not use the "spanning-tree portfast" command on that interface's configuration.
Jon
10-07-2011 08:19 AM
Get rid of manual routes on the laptops. Don't need them.
Your VLAN IP addresses should be your default gateways for the computers on those vlans.
So for Laptop 1, config is:
IP = 10.10.10.33 netmask 255.255.255.0
Default GW = 10.10.10.1
Laptop 2:
IP = 192.168.202.33 netmask 255.255.255.0
Default GW = 192.168.202.1
They should automatically throw traffic that doesn't match their own network (first three numbers) at the default gateway. The switch should then route them appropriately.
10-07-2011 08:48 AM
Hi,
If you can reach a different VLAN interface, then the problem is between that VLAN interface and the host. Check that the Windows firewall is off on the remote host.
10-04-2011 02:56 PM
Hi
1- Create L2 VLANs per VLAN interface. Let's say you have three L3 VLAN interfaces 2, 3, 4:
vlan 2
vlan 3
vlan 4
2- Assign these VLANs to a trunk or the desired switch port interface
int fa x/x
switchport mode access
switchport access vlan 2
3- Create L3 VLAN interfaces
interface vlan 2
ip address 192.168.1.1 255.255.255.0
no shut
4- Enable routing locally
ip routing
You can also use routed interfaces, where you convert the switch port to an L3 routed port. Example:
int fa x/x
no switchport
ip address 192.168.1.1 255.255.255.0
no shut
Hope this helps
If helpful rate
Sent from Cisco Technical Support iPhone App
10-05-2011 01:59 PM
Thanks, but do you think I should do the L3 routed ports?
I do not know much about the L3 method. I have to do a little research, so I can talk to you "normal".
Which one is easier for me?
Also, do you recommend using the GUI or the CLI?
10-05-2011 02:47 PM
John
Generally speaking on a L3 switch you use L3 vlan interfaces as in Marwan's first example. You would have to do this anyway if you have clients within those vlans connected to the actual L3 switch which i suspect you may have.
L3 routed ports are useful when you want to connect your L3 switch to a device such as router or perhaps a firewall although again there is nothing to stop you using a vlan interface for this.
As for GUI vs CLI you will find that most people who work with these switches all the time generally recommend the CLI. Personally i would always use the CLI (i'd be a bit lost with the GUI ).
Jon
10-05-2011 02:50 PM
Go for CLI John, I even am not sure whether there's SDM approach for 3560 nowadays.
As for routed-ports versus SVI's - ports are more expensive, but for SVI to work you would need tagging and hence another switch with trunks and vlans etc. So it is more a design question.
HTH,
Ivan.
10-05-2011 04:43 PM
Both of them are easy.
It depends on whether you have devices in those VLANs and need to provide L3 routing between them (inter-VLAN routing),
or you want to use the switch like a router with L3 interfaces only (this is where you can use only routed interfaces).
See the links below for more details and config examples:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml
Hope this helps.
Please rate the helpful posts.
10-06-2011 07:55 AM
Hello, Thanks for the info, I have deleted my response and want to replace with the following:
I have figured out how to enable a vlan on a port, setup access mode. But I think things are not correct, so I wanted to share these commands:
Show run:
arisrouter#show run
Building configuration...
Current configuration : 1759 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname arisrouter
!
enable secret 5 $1$.R0k$6PnP310VyPHU1HNP1xUfw/
enable password
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 10.10.10.1 255.255.255.0
!
interface Vlan3
ip address 192.168.200.1 255.255.255.0
!
interface Vlan4
ip address 192.168.202.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.201.222
ip http server
!
snmp-server community public RO
!
control-plane
!
!
line con 0
line vty 0 4
password T3m5xlD2D62
login
line vty 5 15
password T3m5xlD2D62
login
!
end
arisrouter#sho vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/4, Fa0/5, Fa0/6, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
2 VLAN0002 active Fa0/1
3 VLAN0003 active Fa0/2
4 VLAN0004 active Fa0/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
4 enet 100004 1500 - - - - - 0 0
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
arisrouter#show interface fastethernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
10-06-2011 08:38 AM
Hi,
You must connect devices to your access ports and then verify your SVIs are up/up:
sh ip int br | in Vlan
Then do pings to test, every device in each vlan must have as gateway the ip address of SVI in this vlan.
Regards.
Alain.
10-06-2011 12:03 PM
Hello,
Thanks for your reply, how should I plug in to test?
My networks are live, the only network not active is 192.168.201.0
Will testing work if I plug the 192.168.201.0 network cables in? (just to bring the ports up)
10-06-2011 12:07 PM
John
As mentioned by Alain to bring up each vlan interface you need to have at least one port in that vlan active ie. a device connected to the port that is up. If you had a trunk link on the switch you would just need that to be up but you don't have one so you need a port in each vlan to be active.
When you have done this run this command "sh ip int br | include Vlan" and then make sure that each vlan interface is up/up and then you should be able to test.
Jon
10-06-2011 12:10 PM
okay, Thanks Jon,
I will have to wait until downtime to do this.
How do my commands from above look to you? Do you think I should be good to go once I make the switch from my production environment?
John
10-06-2011 12:15 PM
John
You have default-route of -
ip route 0.0.0.0 0.0.0.0 192.168.201.222
but you don't have a L3 interface in that subnet so how is the L3 switch going to send packets to 192.168.201.222 ?
Jon
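The check Jon describes here (a static route whose next hop sits in no subnet where the switch has an L3 interface), together with the default-gateway rule given elsewhere in this thread, can be run against a saved configuration. This is an added example, not code from any poster or from Cisco; the function names are hypothetical and the sample is an excerpt constructed from the configuration posted in the thread.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan4
 ip address 192.168.202.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.201.222
"""

def connected_interfaces(config):
    """Map interface name -> IPv4Interface for every addressed L3 interface."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)  # skips "no ip address"
        if m and current:
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result

def unreachable_next_hops(config):
    """Return static-route next hops that fall in no connected subnet."""
    nets = [i.network for i in connected_interfaces(config).values()]
    hops = re.findall(r"^ip route \S+ \S+ (\d+\.\d+\.\d+\.\d+)", config, re.M)
    return [h for h in hops if not any(ipaddress.ip_address(h) in n for n in nets)]

def gateway_problem(config, host_ip, mask, gateway):
    """Return None if the gateway is an SVI address in the host's subnet, else a reason."""
    host = ipaddress.ip_interface(f"{host_ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    if gw not in host.network:
        return "gateway is outside the host's subnet"
    if gw not in [i.ip for i in connected_interfaces(config).values()]:
        return "gateway is not an address on the L3 switch"
    return None
```

Against the posted configuration, `unreachable_next_hops` reports 192.168.201.222 until an L3 interface in 192.168.201.0/24 is added, and `gateway_problem` flags a host still pointing at 10.10.10.222 while the SVI is 10.10.10.1.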
10-06-2011 12:20 PM
hi Jon,
what is a L3 interface? how do I set one up? I have the switch connecting to an ASA router interface 192.168.201.222
Do I have to specify an L3 on the switch?
Sorry for the beginner q's?
10-06-2011 12:27 PM
Well it depends on whether you have clients in that subnet ie. 192.168.201.0/24. If you do have clients in that vlan then you need to setup a vlan and a vlan interface as you have done with vlans 2,3 & 4.
However if you don't then you simply need to configure one of your spare ports on the switch as -
int fa0/4
no switchport
ip address 192.168.201.x 255.255.255.0
! where .x is a spare address from the 192.168.201.x network
Remember you will need to add routes to the ASA for the vlans on your 3560. Assuming you set up the fa0/4 as above and using .x as 10 as an example eg. 192.168.201.10 then you would need to add these routes on the ASA -
route inside 10.10.10.0 255.255.255.0 192.168.201.10
route inside 192.168.200.0 255.255.255.0 192.168.201.10
route inside 192.168.202.0 255.255.255.0 192.168.201.10
if you have clients in the 192.168.201.x network that will be connecting to the 3560 switch and so need a vlan let me know.
Jon
10-06-2011 12:53 PM
Hi Jon,
Thanks,
Sorry, my 192.168.201.0 is my DMZ, that should probably be included on my internal L3 switch, I can worry about the DMZ later b/c things are already confusing enough.
The only vlans are the below:
Here will be my VLans:
vlan2 - 10.10.10.1
vlan3 - 192.168.200.1
vlan4 - 192.168.202.0
How do I get all of them to start talking? I know the first step is to connect a network cable to each respective port (vlan owner port)
Then once I do that, what is needed?
Here are the gateways of each vlan, do I need to define these anywhere?
vlan2 - 10.10.10.222
vlan3 - 192.168.200.254
vlan4 - 192.168.202.222
If a server from my 10.10.10.0 network wants to talk to a server on my 192.168.200.0 network, it will get directed to 10.10.10.1 (the L3 switch) then the switch needs to route that traffic to the 192.168.200.0 vlan then the default gateway of the 192.168.200.0 subnet which is 192.168.200.254.
Is my setup ready to handle the routing part?
I know the ASA needs the configuration, thanks for the commands, I will use them once I get the L3 switch ready.
Also, I don't know how I can dedicate the ports on my L3 switch for each subnet, but that's another discussion topic I will start once I know routing is proper.
John