04-14-2013 09:27 PM - edited 03-04-2019 07:35 PM
Hi guys,
I am trying to add a new VLAN on my C3560E Layer 3 switch for administration purposes.
My goal is to make this VLAN for administration only and to let the administrators from 172.17.1.1 connect to any host of the internal network 172.16.0.0 plus exit to the internet via the default gateway 172.16.1.245.
Here is an extract of what I have done so far:
ip routing
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
!
interface Vlan1
ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
ip address 172.17.1.1 255.255.255.0
!
ip default-gateway 172.16.1.245
!
Output of show ip route:
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/16 is directly connected, Vlan1
L 172.16.0.75/32 is directly connected, Vlan1
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.1.0/24 is directly connected, Vlan30
L 172.17.1.1/32 is directly connected, Vlan30
This is what happens:
1. The host connected to Vlan30 can correctly ping the interface it is connected to.
2. The internal network can access the internet.
3. The host connected to VLAN30 cannot access the internet and cannot connect to any internal server.
Any suggestion? Do I have to add a static route?
This is a production environment and it is my first experiment with Layer 3 switching in production, so I cannot make a mistake :-)
Thanks,
Dario Vanin
04-14-2013 09:43 PM
Hello, you need to have a gateway of last resort instead of your ip default gateway. You only use ip default gateway when ip routing is disabled.
ip routing
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
!
interface Vlan1
ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
ip address 172.17.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.245
Please make any changes with change control, and it is advised that this is done out of hours. Internet access is working for everyone in Vlan 1 since the firewall/gateway is in the same Vlan and probably has this set on DHCP.
If you want to lock down which subnet has access to the vty lines you can do this:
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#
R1(config-ext-nacl)#10 permit tcp 172.17.1.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#20 permit tcp 172.17.1.0 0.0.0.255 any eq telnet
R1(config-ext-nacl)#100 deny ip any any
R1(config-ext-nacl)#line vty 0 4
R1(config-line)#access-class VTY_ACCESS in
R1(config-line)#end
Hope this helps
Sent from Cisco Technical Support iPhone App
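The access-class above works by first match: IOS walks the entries in sequence order, the first entry whose protocol, addresses (under wildcard-mask semantics) and port all match decides, and anything that falls off the end of the list hits the implicit deny. The following simulation is an added example, not Cisco code and not from the post: it reproduces the VTY_ACCESS list (with the protocol keyword that extended-ACL syntax requires on the final deny) and evaluates a few constructed source addresses against it.

```python
"""First-match evaluation of an IOS extended ACL used as a VTY access-class.

Added example, not Cisco code. The rule list mirrors VTY_ACCESS from the post;
the source addresses tested below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str                    # "any" or "<address> <wildcard>", e.g. "172.17.1.0 0.0.0.255"
    dst: str
    dport: Optional[int] = None  # None = any destination port


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))   # bits the ACL actually compares
    return (int(IPv4Address(base)) & care) == (int(IPv4Address(addr)) & care)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the deciding entry); None = implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):   # IOS tests entries in sequence order
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not (addr_matches(rule.src, src) and addr_matches(rule.dst, dst)):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.seq   # first match wins; later entries are never consulted
    return "deny", None                # every IOS ACL ends with an implicit deny


# ip access-list extended VTY_ACCESS, as in the post (telnet = tcp/23)
VTY_ACCESS = [
    Rule(10, "permit", "tcp", "172.17.1.0 0.0.0.255", "any", 22),
    Rule(20, "permit", "tcp", "172.17.1.0 0.0.0.255", "any", 23),
    Rule(100, "deny", "ip", "any", "any"),
]


def vty_decision(src_ip: str, dport: int = 22) -> Tuple[str, Optional[int]]:
    """What the access-class does with an SSH (22) or telnet (23) attempt from src_ip.
    The switch address 172.17.1.1 is the VLAN 30 SVI from the thread."""
    return evaluate(VTY_ACCESS, "tcp", src_ip, "172.17.1.1", dport)


if __name__ == "__main__":
    for ip in ("172.17.1.42", "172.16.0.10", "172.17.2.9"):   # constructed sample sources
        print(ip, "ssh ->", vty_decision(ip), "telnet ->", vty_decision(ip, 23))
```

The wildcard 0.0.0.255 makes entries 10 and 20 cover exactly 172.17.1.0/24, so 172.17.2.9 is refused even though it shares the first two octets. Dropping entry 100 changes nothing in the outcome, only in what `show access-lists` counts, because the implicit deny is still there.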
04-14-2013 09:46 PM
Yes, you will need a default route:
ip route 0.0.0.0 0.0.0.0 172.16.1.245
The default network command will not be used for actual data routing
Sent from Cisco Technical Support iPhone App
04-14-2013 09:57 PM
Hi guys,
I've run these commands, as I have another VLAN that must not be routed: it is currently routed by my ASA firewall.
ip route 172.16.0.0 255.255.0.0 172.16.1.245
ip route 172.17.3.0 255.255.255.0 172.16.1.245
no ip default-gateway 172.16.1.245
Unfortunately it did not work :-(
Dario
04-14-2013 10:02 PM
You cannot do it this way. You need the ip route 0.0.0.0 0.0.0.0 172.16.1.245 command suggested in my previous post.
Take out all the routes you added and just add this one static route.
If you want to block the other vlan from being routed I suggest you do this:
ip access-list extended DENY
10 deny ip any any
interface vlan x
ip access-group DENY out
If it's being routed to your ASA firewall, is it in the same vlan?
This will block everything on that vlan from being routed or going out.
I also edited my previous post showing how you can lock down remote access to your subnet only. I think that was a requirement for you.
Hope this helps
Sent from Cisco Technical Support iPhone App
04-14-2013 10:33 PM
Hi guys,
Here is my configuration. Still not working :-(
ip routing
!
ip name-server 8.8.8.8
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
!
interface Vlan1
ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
ip address 172.17.1.1 255.255.255.0
!
ip default-gateway 172.16.1.245
ip route 0.0.0.0 0.0.0.0 172.16.1.245
ip route 172.16.0.0 255.255.0.0 172.16.1.245
ip route 172.17.1.0 255.255.255.0 172.16.1.245
Here is the show ip route output:
S* 0.0.0.0/0 [1/0] via 172.16.1.245
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/16 is directly connected, Vlan1
L 172.16.0.75/32 is directly connected, Vlan1
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.1.0/24 is directly connected, Vlan30
L 172.17.1.1/32 is directly connected, Vlan30
Thanks,
Dario
04-14-2013 10:37 PM
Hello, please do the following
ip route 0.0.0.0 0.0.0.0 172.16.1.245
no ip default-gateway 172.16.1.245
no ip route 172.16.0.0 255.255.0.0 172.16.1.245
no ip route 172.17.1.0 255.255.255.0 172.16.1.245
I've explained in my previous posts how you can prevent a vlan from being routed.
Hope this helps
Sent from Cisco Technical Support iPhone App
04-14-2013 10:48 PM
Hi guys,
Unfortunately it still does not work.
Below is the only "ip route" I have in my config after purging the old ones:
ip route 0.0.0.0 0.0.0.0 172.16.1.245
Here is the output of "show ip route":
Gateway of last resort is 172.16.1.245 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.1.245
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/16 is directly connected, Vlan1
L 172.16.0.75/32 is directly connected, Vlan1
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.1.0/24 is directly connected, Vlan30
L 172.17.1.1/32 is directly connected, Vlan30
Dario
04-14-2013 10:03 PM
Did you configure the default route
ip route 0.0.0.0 0.0.0.0 172.16.1.245
I don't see it in the config you listed.
Sent from Cisco Technical Support iPhone App
04-14-2013 10:52 PM
Do I have to remove "ip default-gateway 172.16.1.245"?
04-14-2013 10:55 PM
Hello, yes it would be better if you removed this. Also please ensure that your pc in vlan 30 has the default gateway of your vlan 30 interface.
Assuming that you can ping to both interfaces and subnets?
Hope this helps
Sent from Cisco Technical Support iPhone App
04-14-2013 11:00 PM
Hi Bilal,
I've removed the default-gateway but nothing changed. The default gateway of the pc in vlan30 is the interface of the switch configured to be part of vlan30 in access mode. I can ping the computer from the interface and vice versa, but if I ping anything else (VLAN1 or internet) it doesn't work :-(
Thanks,
Dario
04-14-2013 11:05 PM
Hello Dario, this is probably because all the devices in vlan 1 have a default gateway of the firewall IP?
You need to either:
Change all PCs in vlan 1 to have the default gateway of the 3560
Or have a route on the firewall pointing back towards your 3560 saying, to get to vlan 30 you need to go to (vlan 1 address on the switch)
You will definitely need the latter because how is your Internet traffic going to get back to you when the firewall doesn't even know where vlan 30 is?
Hope this helps
Sent from Cisco Technical Support iPhone App
04-14-2013 11:09 PM
Hi Bilal,
The firewall is the default gateway of all the computers of the internal network but in this case I am talking about a different VLAN and I would like to keep the firewall as it is for the moment...
My goal is to manage this routing internally in the switch. That's why I bought a Layer3 switch :-)
Thanks,
Dario
04-14-2013 11:13 PM
Okay, understood. So you need a route on your firewall.
The firewall has no idea of where vlan 30 is yet.
This is why your pings are unsuccessful.
On ASDM you might be able to see the logs.
If you do a show route on the firewall, do you see the vlan 30 subnet? If not, then this is why the pings are not working.
Hope this helps
Sent from Cisco Technical Support iPhone App
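The failure Bilal describes is a return-path problem, not a problem with the switch's own table: the 3560 forwards VLAN 30 traffic out fine, but every reply (from the internet via the ASA, or from a VLAN 1 server whose gateway is the ASA) is looked up on a firewall that only knows 172.16.0.0/16 and a default route. The simulation below is an added example, not from the thread or from Cisco: it models the switch, the ASA and two hosts with minimal longest-prefix-match tables and traces each flow before and after the firewall learns a route to 172.17.1.0/24. The host addresses 172.17.1.10 and 172.16.0.50, the interface names and the ISP next hop 203.0.113.1 are assumptions made for the example.

```python
"""Why the VLAN 30 host can send but never hears back: a routing-table trace.

Added example, not from the thread or from Cisco. Addresses 172.17.1.10 (PC in
VLAN 30), 172.16.0.50 (server in VLAN 1), interface names and the ISP next hop
203.0.113.1 are assumptions; the switch and ASA addresses come from the thread.
"""
from ipaddress import ip_address, ip_network


class Node:
    """A host or router: its name, the addresses it owns and its routing table."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}
        # (prefix, egress interface, next hop); next hop None = directly connected
        self.routes = [(ip_network(p), ifc, nh) for p, ifc, nh in routes]

    def lookup(self, dst):
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        # longest prefix match, as a real FIB does it
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(start, dst, nodes, max_hops=8):
    """Follow a packet for dst from node to node. Returns (status, [hop names])."""
    dst = ip_address(dst)
    owner = {a: n for n in nodes for a in n.addresses}
    node, path = start, [start.name]
    for _ in range(max_hops):
        if dst in node.addresses:
            return "delivered", path
        route = node.lookup(dst)
        if route is None:
            return "no route", path
        _prefix, ifc, next_hop = route
        target = dst if next_hop is None else ip_address(next_hop)
        if target not in owner:            # leaves the modelled network (towards the ISP)
            return f"sent out {ifc}", path
        node = owner[target]
        path.append(node.name)
    return "loop", path


def build(firewall_knows_vlan30):
    """Topology from the thread; the flag adds the ASA route Bilal asks for."""
    pc = Node("pc-vlan30", ["172.17.1.10"],
              [("172.17.1.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "172.17.1.1")])
    server = Node("server-vlan1", ["172.16.0.50"],          # gateway is still the ASA
                  [("172.16.0.0/16", "eth0", None), ("0.0.0.0/0", "eth0", "172.16.1.245")])
    switch = Node("c3560e", ["172.16.0.75", "172.17.1.1"],
                  [("172.16.0.0/16", "Vlan1", None), ("172.17.1.0/24", "Vlan30", None),
                   ("0.0.0.0/0", "Vlan1", "172.16.1.245")])  # ip route 0.0.0.0 0.0.0.0 172.16.1.245
    fw_routes = [("172.16.0.0/16", "inside", None), ("0.0.0.0/0", "outside", "203.0.113.1")]
    if firewall_knows_vlan30:
        # equivalent of an ASA static route for 172.17.1.0/24 via the switch's VLAN 1 address
        fw_routes.append(("172.17.1.0/24", "inside", "172.16.0.75"))
    asa = Node("asa", ["172.16.1.245"], fw_routes)
    return pc, server, switch, asa


def scenarios(firewall_knows_vlan30):
    """Trace the four flows the thread discusses; the internet reply starts at the ASA."""
    pc, server, switch, asa = build(firewall_knows_vlan30)
    nodes = [pc, server, switch, asa]
    return {
        "pc -> internet": trace(pc, "8.8.8.8", nodes),
        "internet reply (at asa) -> pc": trace(asa, "172.17.1.10", nodes),
        "pc -> server": trace(pc, "172.16.0.50", nodes),
        "server reply -> pc": trace(server, "172.17.1.10", nodes),
    }


if __name__ == "__main__":
    for label, known in (("without ASA route", False), ("with ASA route", True)):
        print(label)
        for flow, result in scenarios(known).items():
            print(f"  {flow:32} {result[0]:20} {' -> '.join(result[1])}")
```

Without the ASA route, the PC's packets reach the server and the ASA, but both replies match only the firewall's default route and are pushed out the outside interface, which is exactly the "unsuccessful pings" in the thread. With the route added, the internet reply comes back through the 3560 and the server's reply hairpins through the ASA to the switch; Bilal's first option (pointing VLAN 1 hosts at the 3560) would avoid that hairpin but means touching every host. The trace also shows why the extra `ip route 172.16.0.0 255.255.0.0 172.16.1.245` on the switch was pointless: the connected /16 on Vlan1 already covers it, and a static route never beats a connected one for the same prefix.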