
Inter VLAN routing - Layer 3 switch

Hi guys,

I am trying to add a new VLAN on my C3560E Layer 3 switch for administration purposes.

My goal is to make this VLAN for administration only and to let the administrators from 172.17.1.1 connect to any host of the internal network 172.16.0.0 plus exit to the internet via the default gateway 172.16.1.245.

Here is an extract of what I have done so far:

ip routing
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
 ip address 172.17.1.1 255.255.255.0
!
ip default-gateway 172.16.1.245
!

Output of show ip route:

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/16 is directly connected, Vlan1
L        172.16.0.75/32 is directly connected, Vlan1
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/24 is directly connected, Vlan30
L        172.17.1.1/32 is directly connected, Vlan30

What happens is that:

1. The host connected to Vlan30 can correctly ping the interface it is connected to.

2. The internal network can access the internet.

3. The host connected to VLAN30 cannot access the internet and cannot connect to any internal server.

Any suggestion? Do I have to add a static route?

This is a production environment and it is my first experiment with layer 3 switching in production, so I cannot make mistakes :-)

Thanks,

Dario Vanin

19 REPLIES

Bilal Nawaz
Engager

Hello, you need to have a gateway of last resort instead of your ip default-gateway. You only use ip default-gateway when ip routing is disabled.

ip routing
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
 ip address 172.17.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.245

Please make any changes under change control, and they are best done out of hours. Internet access is working for everyone in Vlan 1 since the firewall/gateway is in the same Vlan and is probably handed out as the gateway by DHCP.

If you want to lock down on which subnet has access to vty lines you can do this:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#
R1(config-ext-nacl)#10 permit tcp 172.17.1.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#20 permit tcp 172.17.1.0 0.0.0.255 any eq telnet
R1(config-ext-nacl)#100 deny ip any any
R1(config-ext-nacl)#exit
R1(config)#line vty 0 4
R1(config-line)#access-class VTY_ACCESS in
R1(config-line)#end

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Steven Clinton
Beginner

Yes, you will need a default route:

ip route 0.0.0.0 0.0.0.0 172.16.1.245

The default network command will not be used for actual data routing.

Sent from Cisco Technical Support iPhone App

Hi guys,

I've run these commands, as I have another VLAN that must not be routed: it is currently routed by my ASA firewall.

ip route 172.16.0.0 255.255.0.0 172.16.1.245
ip route 172.17.3.0 255.255.255.0 172.16.1.245
no ip default-gateway 172.16.1.245

Unfortunately it did not work :-(

Dario

You cannot do it this way. You need the ip route 0.0.0.0 0.0.0.0 172.16.1.245 command suggested in my previous post.
Take out all the routes you added and just add this one static route.

If you want to block the other vlan from being routed I suggest you do this:

ip access-list extended DENY
 10 deny ip any any

interface Vlan x
 ip access-group DENY out

If it's being routed by your ASA firewall, is it in the same vlan?

This will block everything on that vlan from being routed or going out.

I also edited my previous post showing how you can lock down remote access to your subnet only. I think that was a requirement for you.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi guys,

Here is my configuration. Still not working :-(

ip routing
!
ip name-server 8.8.8.8
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 ip address 172.16.0.75 255.255.0.0
!
interface Vlan30
 ip address 172.17.1.1 255.255.255.0
!
ip default-gateway 172.16.1.245
ip route 0.0.0.0 0.0.0.0 172.16.1.245
ip route 172.16.0.0 255.255.0.0 172.16.1.245
ip route 172.17.1.0 255.255.255.0 172.16.1.245

Here is the show ip route:

S*    0.0.0.0/0 [1/0] via 172.16.1.245
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/16 is directly connected, Vlan1
L        172.16.0.75/32 is directly connected, Vlan1
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/24 is directly connected, Vlan30
L        172.17.1.1/32 is directly connected, Vlan30

Thanks,

Dario

Hello, please do the following:

ip route 0.0.0.0 0.0.0.0 172.16.1.245

no ip default-gateway 172.16.1.245
no ip route 172.16.0.0 255.255.0.0 172.16.1.245
no ip route 172.17.1.0 255.255.255.0 172.16.1.245

I've explained in my previous posts how you can prevent a vlan from being routed.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi guys,

Unfortunately it still does not work.

Here is the only "ip route" I have in my config after purging the old ones:

ip route 0.0.0.0 0.0.0.0 172.16.1.245

Here is the output of "show ip route":

Gateway of last resort is 172.16.1.245 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.245
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/16 is directly connected, Vlan1
L        172.16.0.75/32 is directly connected, Vlan1
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.1.0/24 is directly connected, Vlan30
L        172.17.1.1/32 is directly connected, Vlan30

Dario

Steven Clinton
Beginner

Did you configure the default route?

ip route 0.0.0.0 0.0.0.0 172.16.1.245

I don't see it in the config you listed.

Sent from Cisco Technical Support iPhone App

Do I have to remove "ip default-gateway 172.16.1.245"?

Hello, yes, it would be better if you removed this. Also please ensure that your PC in vlan 30 has the default gateway set to your vlan 30 interface.

I'm assuming that you can ping both interfaces and subnets?

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

I've removed the default-gateway but nothing changed. The default gateway of the PC in vlan30 is the interface of the switch configured to be part of vlan30 in access mode. I can ping the computer from the interface and vice versa, but if I ping anything else (VLAN1 or internet) it doesn't work :-(

Thanks,

Dario

Hello Dario, this is probably because all the devices in vlan 1 have the firewall IP as their default gateway?

You need to either:
Change all PCs in vlan 1 to have the 3560 as their default gateway,

or have a route on the firewall pointing back towards your 3560, saying that to get to vlan 30 you need to go via (the vlan 1 address on the switch).

You will definitely need the latter, because how is your Internet traffic going to get back to you when the firewall doesn't even know where vlan 30 is?

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

The firewall is the default gateway of all the computers of the internal network but in this case I am talking about a different VLAN and I would like to keep the firewall as it is for the moment...

My goal is to manage this routing internally in the switch. That's why I bought a Layer3 switch :-)

Thanks,

Dario

Okay, understood. So you need a route on your firewall.

The firewall has no idea where vlan 30 is yet.

This is why your pings are unsuccessful.
On ASDM you might be able to see this in the logs.

If you do a show route on the firewall, do you see the vlan 30 subnet? If not, then this is why the pings are not working.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
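The asymmetric-routing problem the thread arrives at, traced in code: an added example, not part of the original posts or of any Cisco tooling. The topology (device names, the 172.16.0.50 and 172.17.1.10 host addresses) is constructed to mirror the thread; "connected" marks an on-link delivery.

```python
import ipaddress

# Constructed topology modelled on the thread (not the poster's real devices):
# the 3560 routes between Vlan1 and Vlan30; the ASA at 172.16.1.245 is the
# default gateway of every host in Vlan1 and the switch's gateway of last resort.
SWITCH, ASA, INTERNET = "3560", "ASA", "internet"

SWITCH_RIB = [("172.16.0.0/16", "connected"),      # interface Vlan1
              ("172.17.1.0/24", "connected"),      # interface Vlan30
              ("0.0.0.0/0", ASA)]                  # ip route 0.0.0.0 0.0.0.0 172.16.1.245
ASA_RIB_BEFORE = [("172.16.0.0/16", "connected"),
                  ("0.0.0.0/0", INTERNET)]
# The missing piece: the firewall has to learn that Vlan30 sits behind the switch.
ASA_RIB_AFTER = ASA_RIB_BEFORE + [("172.17.1.0/24", SWITCH)]

def lookup(rib, dst):
    """Longest-prefix match; returns the next hop, or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in rib
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(first_hop, dst, ribs):
    """Follow a packet hop by hop until it is delivered on-link or dropped."""
    path, hop = [], first_hop
    while True:
        if hop == "connected":
            return path + ["delivered"]
        path.append(hop)
        if hop == INTERNET:                      # the internet does not route RFC1918 space
            return path + ["DROP" if ipaddress.ip_address(dst).is_private else "delivered"]
        nh = lookup(ribs[hop], dst)
        if nh is None:
            return path + ["DROP"]
        hop = nh

def host_first_hop(host_net, gateway, dst):
    """A host sends on-link when dst is in its own subnet, otherwise to its gateway."""
    return "connected" if ipaddress.ip_address(dst) in ipaddress.ip_network(host_net) else gateway

def round_trip(asa_rib):
    """Ping from 172.17.1.10 (Vlan30, gw = 3560) to 172.16.0.50 (Vlan1, gw = ASA)."""
    ribs = {SWITCH: SWITCH_RIB, ASA: asa_rib}
    fwd = trace(host_first_hop("172.17.1.0/24", SWITCH, "172.16.0.50"), "172.16.0.50", ribs)
    rev = trace(host_first_hop("172.16.0.0/16", ASA, "172.17.1.10"), "172.17.1.10", ribs)
    return fwd, rev

def internet_reply(asa_rib):
    """NAT aside: a reply from the internet to 172.17.1.10 enters the network at the ASA."""
    return trace(ASA, "172.17.1.10", {SWITCH: SWITCH_RIB, ASA: asa_rib})

if __name__ == "__main__":
    for label, rib in (("before", ASA_RIB_BEFORE), ("after", ASA_RIB_AFTER)):
        print(label, "vlan30->vlan1 (fwd, rev):", round_trip(rib))
        print(label, "internet reply:", internet_reply(rib))
```

The forward path works in both cases; only the return path changes, which is why the Vlan30 host can ping its own gateway but nothing beyond it until the ASA has a route for 172.17.1.0/24.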