Inter VLAN routing - Layer 3 switch

Hi guys,

I am trying to add a new VLAN on my C3560E Layer 3 switch for administration purposes.

My goal is for this VLAN to be used for administration only, and to let the administrators from 172.17.1.1 connect to any host on the internal network 172.16.0.0 and reach the internet via the default gateway 172.16.1.245.

Here is an extract of what I have done so far:

ip routing
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
 ip address 172.17.1.1 255.255.255.0
!
ip default-gateway 172.16.1.245
!

Output of show ip route:

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/16 is directly connected, Vlan1
L        172.16.0.75/32 is directly connected, Vlan1
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/24 is directly connected, Vlan30
L        172.17.1.1/32 is directly connected, Vlan30

What happened is that:

1. The host connected to Vlan30 can correctly ping the interface it is connected to.

2. The internal network can access the internet.

3. The host connected to VLAN30 cannot access the internet and cannot connect to any internal server.

Any suggestion? Do I have to add a static route?

This is a production environment and it is my first experiment with Layer 3 switching in production, so I cannot afford mistakes :-)

Thanks,

Dario Vanin
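To see exactly what the routing table above can and cannot forward, here is an added Python example (not part of the original post) that parses the "show ip route" text quoted in the question, performs a longest-prefix-match lookup for a few destinations, and then simulates what the table looks like once a static default route is installed. The parser only understands connected ("is directly connected") and static ("[ad/metric] via") lines, and the `add_static` helper simply appends the line IOS would display for an `ip route` command; both are assumptions of this example, not switch behaviour it has observed.

```python
"""Longest-prefix-match lookup over a Cisco-style 'show ip route' listing.

Added example, not code from the original post. It shows why a host in
Vlan30 has no path to the internet: the RIB contains no 0.0.0.0/0 entry.
'ip default-gateway' never creates one; with 'ip routing' enabled the
switch forwards only on what is in this table.
"""
import ipaddress
import re

# Constructed copy of the 'show ip route' output from the question.
SHOW_IP_ROUTE = """\
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/16 is directly connected, Vlan1
L        172.16.0.75/32 is directly connected, Vlan1
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/24 is directly connected, Vlan30
L        172.17.1.1/32 is directly connected, Vlan30
"""

# A route line starts with a code (C, L, S, S*, ...) then a prefix, then
# either a connected interface or an "[ad/metric] via <next-hop>" clause.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:is directly connected, (?P<iface>\S+)"
    r"|\[\d+/\d+\] via (?P<nexthop>\d+\.\d+\.\d+\.\d+))"
)


def parse_routes(text):
    """Return a list of (network, code, via) tuples from 'show ip route' text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:  # summary lines and the gateway banner are skipped
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        via = m.group("iface") or m.group("nexthop")
        routes.append((net, m.group("code"), via))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, code, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, code, via)
    return best


def has_gateway_of_last_resort(text):
    """True only if the RIB carries a 0.0.0.0/0 entry."""
    return any(net.prefixlen == 0 for net, _, _ in parse_routes(text))


def add_static(text, prefix, nexthop):
    """Simulate 'ip route <prefix> <mask> <nexthop>' by appending the line
    IOS would display for it (assumed display format for this example)."""
    net = ipaddress.ip_network(prefix, strict=False)
    code = "S*" if net.prefixlen == 0 else "S"
    return text + f"{code}    {net} [1/0] via {nexthop}\n"


if __name__ == "__main__":
    rib = parse_routes(SHOW_IP_ROUTE)
    for dest in ("172.16.1.245", "172.17.1.50", "8.8.8.8"):
        print(dest, "->", lookup(rib, dest))
    fixed = add_static(SHOW_IP_ROUTE, "0.0.0.0/0", "172.16.1.245")
    print("default route present:", has_gateway_of_last_resort(fixed))
    print("8.8.8.8 ->", lookup(parse_routes(fixed), "8.8.8.8"))
```

Run as-is, the lookup for 8.8.8.8 returns None against the original table and resolves to 172.16.1.245 once the static default is added. The script only models the switch's own forwarding decision; whether replies come back also depends on 172.16.1.245 and the internal hosts having a route to 172.17.1.0/24, which a table on the switch cannot show.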

Bilal Nawaz
Engager

Hello, you need to have a gateway of last resort instead of your ip default-gateway. You only use ip default-gateway when ip routing is disabled.

ip routing
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
 ip address 172.17.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.245

Please make any changes under change control, and it is advised that they be done out of hours. Internet access is working for everyone in Vlan 1 since the firewall/gateway is in the same Vlan and probably has this set via DHCP.

If you want to lock down which subnet has access to the vty lines you can do this:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#
R1(config-ext-nacl)#10 permit tcp 172.17.1.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#20 permit tcp 172.17.1.0 0.0.0.255 any eq telnet
R1(config-ext-nacl)#100 deny ip any any
R1(config-ext-nacl)#line vty 0 4
R1(config-line)#access-class VTY_ACCESS in
R1(config-line)#end

Hope this helps

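To check what the VTY_ACCESS list above actually admits before applying it to a production switch, here is an added Python model of IOS first-match ACL evaluation (example code, not from the reply or from Cisco). It parses the three entries with their wildcard masks, evaluates a candidate connection against them in sequence-number order, and falls through to the implicit deny that every IOS access list ends with. The ACL text is a constructed copy of the reply's entries; "telnet" is resolved to port 23 and the protocol matching is the simplified subset this example needs.

```python
"""First-match evaluation of a Cisco IOS extended ACL with wildcard masks.

Added example, not code from the reply. It answers "which sources may
reach the VTY lines over SSH or Telnet?" for the VTY_ACCESS list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the reply's access list entries.
VTY_ACCESS = """\
10 permit tcp 172.17.1.0 0.0.0.255 any eq 22
20 permit tcp 172.17.1.0 0.0.0.255 any eq telnet
100 deny ip any any
"""

NAMED_PORTS = {"telnet": 23, "ssh": 22}  # names IOS accepts after 'eq'
ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    port: Optional[int]  # destination port for 'eq', None when unspecified


def _ip(s):
    return int(ipaddress.ip_address(s))


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse numbered extended-ACL lines into Ace objects, keeping order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        src, src_wild, i = _parse_addr(t, 3)
        dst, dst_wild, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            port = NAMED_PORTS.get(p) or int(p)
        aces.append(Ace(seq, action, proto, src, src_wild, dst, dst_wild, port))
    return sorted(aces, key=lambda a: a.seq)


def wildcard_match(addr, base, wild):
    """Wildcard semantics: a set bit in the mask means 'do not care'."""
    care = ~wild & ALL_ONES
    return (addr & care) == (base & care)


def evaluate(aces, src, dst, proto, dport):
    """Return (action, seq) of the first matching entry, or the implicit
    deny ('deny', None) when nothing matches."""
    s, d = _ip(src), _ip(dst)
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if not wildcard_match(s, a.src, a.src_wild):
            continue
        if not wildcard_match(d, a.dst, a.dst_wild):
            continue
        if a.port is not None and a.port != dport:
            continue
        return a.action, a.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(VTY_ACCESS)
    for src, port in (("172.17.1.20", 22), ("172.17.1.20", 23),
                      ("172.16.5.5", 22), ("172.17.1.20", 443)):
        print(src, port, "->", evaluate(acl, src, "172.16.0.75", "tcp", port))
```

An administrator at 172.17.1.20 is permitted on 22 and 23 and denied on anything else, while 172.16.5.5 is denied on every port, so the list does what the reply intends. Remember that `access-class` on the vty lines governs only sessions to the switch itself; it does not filter traffic routed between Vlan1 and Vlan30, which would need `ip access-group` on the SVIs.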
Steven Clinton
Beginner