Layer 3 from vlan to port

admin28373 (Level 1)

Hi

I am trying to get my head around layer 3 switch routing and am missing the link between vlans and ports.

I'm configuring layer 3 with SVIs.

My switch is an SG250-08HP. I have executed ip routing.

I have added vlans 10 and 20 with no shutdown, and the switch's GE1 ingress to the router is set as tagged 1,10,20.

So I executed:

interface vlan 10
name Office
no shutdown
ip address 192.168.10.4 255.255.255.0
!
interface vlan 20
name Geek
no shutdown
ip address 192.168.20.4 255.255.255.0
!

I have an access port interface that is an SVI with no switchport.

interface GigabitEthernet6
no switchport
!

But how does this port get the association with the intended vlan, say 20?

Hello,

> I have an access port interface that is an SVI with no switchport.
>
> interface GigabitEthernet6
> no switchport
> !
>
> But how does this port get the association with the intended vlan, say 20?

It does not. If you want that port to get associated with Vlan 20, you need to configure it as an access port in Vlan 20:

interface GigabitEthernet6
switchport mode access
switchport access vlan 20

But using switchport makes Layer 2 again?

I want layer 3 for inter vlan routing.

If you want a Layer 3 port, you need to configure an IP address. What is the goal here?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I want to use inter vlan routing, with ACLs, so that separated vlans can share a printer and NAS drive. Also keep my PC separate for PCI compliance.

In that case, what we advise is correct: you created a Layer 3 SVI VLAN with an IP address, and you assign ports to the right VLAN, so they are separated with different services.

interface vlan 10
name Office
no shutdown
ip address 192.168.10.4 255.255.255.0
!
interface vlan 20
name Geek
no shutdown
ip address 192.168.20.4 255.255.255.0
!

interface GigabitEthernet6   <-- this port belongs to VLAN 20
switchport mode access
switchport access vlan 20
no shutdown

Here is another port belonging to vlan 10, for example:

interface GigabitEthernet5   <-- this port belongs to VLAN 10
switchport mode access
switchport access vlan 10
no shutdown

BB


But use of switchport is layer 2.

"Enabling a switch interface to be a routed interface instead of a switched interface is simple: just use the no switchport subcommand on the physical interface. Cisco switches capable of being a Layer 3 switch use a default of the switchport command to each switch physical interface. Think about the word switchport for a moment. With that term, Cisco tells the switch to treat the port like it is a port on a switch—that is, a Layer 2 port on a switch. To make the port stop acting like a switch port and instead act like a router port, use the no switchport command on the interface."

You are right, if you want to convert a Layer 2 port to a Layer 3 port as suggested, if you are looking to connect a point to point link between switches.

But in your case, it is not required.

You are creating an SVI at Layer 3 and associating the interfaces with that VLAN for the different segments.

 

BB


The original post says "am missing the link between vlans and ports." I believe that there is some lack of understanding about some of the terms and concepts so let me try to provide some explanation. When we are talking about ports on a switch they are by default treated as layer 2 access ports. A layer 2 access port will belong to some vlan (by default they belong to vlan 1 but can be assigned to other vlans and that is very frequently done). A vlan is a layer 2 entity and forwarding between devices in the vlan is based on the layer 2 mac address.


If a device in one vlan (perhaps vlan 10) wants to communicate with a device in a different vlan (perhaps vlan 20) then we need to be able to forward traffic based on the layer 3 IP address. Each layer 2 vlan can have a layer 3 interface (sometimes referred to as an SVI or switched virtual interface) which provides layer 3 forwarding for the traffic within its vlan. So we might have interface vlan 10 with IP address 192.168.10.1 and might have interface vlan 20 with IP address 192.168.20.1 and these would allow devices in vlan 10 and devices in vlan 20 to communicate with each other. Note that for this to work it is also required that the switch enable ip routing.


There is another approach to consider. We might configure a switch port with the command no switchport. This changes the port from being a layer 2 access port into being a layer 3 routed port. In this case the port is not associated with any vlan but is associated with an IP subnet. 

HTH

Rick

Thank you Robert, that was explained well and took some of your time. 

So the layer 3 SVIs are normally on a trunk port to the router, if it is a router on a stick setup. That is where the routing between VLANs can take place, because the SVI is associated with an IP address.

I know about IP Routing to enable this.

The next part is the static routes between the interface vlan IP addresses to facilitate the inter vlan routing.

If I have that right I'm further on my way to understanding and implementing.

I believe that your understanding is improving but I would like to clarify a few things. You started the discussion with this statement "I am trying to get my head around layer 3 switch routing and am missing the link between vlans and ports." So the context here is layer 3 forwarding/routing on switches. My explanation focused on the fact that within a vlan traffic is forwarded using layer 2 logic with mac addresses. But when we want to go between vlans we can not do that at layer 2. To go from one vlan to another vlan some thing must use layer 3 forwarding/routing with layer 3 IP addresses. In the context of doing this on switches then we need SVIs which are the layer 3 interfaces on the switch.


In your most recent response you change the context in a very significant way. When we start talking about trunks and router on a stick then the layer 3 forwarding is being done on a router and not on a switch. With router on a stick there is not any need for SVI on the switch because the layer 3 forwarding is now being done on the router and not on the switch.


Perhaps one way to look at this is to think about the question: when a switch has multiple vlans and we want to have traffic go between the vlans where will the layer 3 forwarding take place? Will it be on the switch (then we need SVI) or will it be on a router (no need for SVI).


Your most recent response also brings up another topic which is static routes. The discussion so far has been in terms of multiple vlans (and multiple subnets) which all connect on a single device (which might be a layer 3 switch or might be a router). If all of the subnets connect on a single device then that device has all the information that it needs to route between all of the subnets. But what if some subnets (some vlans) connect on one layer 3 device (switch or router) while other subnets (other vlans) connect on a different layer 3 device (switch or router)? Now each layer 3 device knows how to reach some subnets but does not know how to reach other subnets. How do we solve this?


The solution is that each layer 3 device needs some information about remote subnets. One way to solve this is through static routes and another way to solve this is through a dynamic routing protocol. Perhaps a simple example might help with this understanding:

Let us think about vlan 10 (192.168.10.0), which is connected to device A (might be a layer 3 switch or might be a router), and think about vlan 20 (192.168.20.0), which is connected to device B (might be a layer 3 switch or might be a router). If some device 192.168.10.10 wants to communicate with some other device 192.168.20.20, how would it work? The source 192.168.10.10 sends the packet, which arrives at device A. It knows the destination is in subnet 192.168.20.0 - but where is that and how do I get there? A static route can provide that information about where it is and how to get there (and a dynamic routing protocol can also provide that solution).

HTH

Rick

Hello again Richard. Thank you again for your detailed reply. You have given me much to think about and digest.

I use a Draytek 2927 router that provides inter vlan routing but no way to control access between two connected vlans.

I need to place a PC and laptop in a more secure vlan but still have access to a NAS and printer that other PCs need access to in a separate vlan. The reason is PCI compliance around taking card payments.

Why I bought the SG250 was to learn more about this topic and to hopefully move the inter vlan routing to the layer 3 capable switch. I know that I can control access to vlans with ACLs.

Perhaps what I'm thinking now is this. I do not enable inter vlan routing on the router. I have a trunk port 1 with the tagged vlan frames.

Is it then possible to set up the switch so it performs the subsequent routing, so I may limit it with ACLs?

Alternatively, I can remove all vlans except vlan 1 from the router. Then that single vlan could access P1 set up as an SVI at layer 3. Then presumably I can do the routing from that port.

Accepted Solution

The earlier part of this discussion was more general about how ports and vlans and inter vlan routing works. Now the discussion gets into a more specific situation. There are several things that we can consider. Given what you are trying to accomplish I believe that it makes sense to configure several vlans on your SG250. You would need to come up with an addressing plan so that each vlan gets a unique IP subnet. Each vlan would be configured with a layer 3 vlan interface and that interface would be configured with an IP address in the subnet allocated to that vlan. Devices connected in that vlan would use addresses in that subnet. You might want to use DHCP to assign the addresses to devices or you might want to manually configure devices with IP addresses, mask, and gateway.


Once you have the vlans and vlan interfaces configured you can think about routing. The SG250 should route between the devices in the connected vlans. You will need to arrange routing for traffic that wants to go outside. One option would be to configure a static default route which would have your Draytek as the next hop. Another option would be to run a routing protocol between your SG250 and the Draytek and have the Draytek advertise the default route to your switch. I believe that the SG250 supports RIPv2 as a routing protocol. You would need to check and see if Draytek supports that.


Another aspect of routing that you need to consider is once your switch has sent traffic from the new vlans to the Draytek how will the Draytek know how to send traffic to the new vlans. One option would be to configure static routes on the Draytek for each new subnet. The other option would be to run a routing protocol between SG250 and Draytek.


Once the routing is set up (either static or dynamic) another thing to consider is that the traffic from the new subnets will need address translation to be able to get to the Internet. I assume that the Draytek can be configured to do address translation for multiple remote subnets.


The other thing to work out would be the access lists that you would want on the SG250 to provide the protection and limited access that is part of your requirement.

HTH

Rick
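As an added illustration (not code from this thread, from Cisco, or from any of the posters), here is a small Python model of the behaviour Rick describes: connected SVI subnets, a static default route toward the Draytek, longest-prefix route lookup, and stateless ingress access lists that let the card-payment vlan reach only the NAS and printer in the Office vlan while everything else between the two vlans is dropped. It also reproduces Rick's earlier device A / device B example, where a switch that has no route to a remote subnet cannot forward until a static route exists. The vlan 10 and vlan 20 addresses come from the thread; the uplink vlan 1 subnet 192.168.1.0/24, the Draytek address 192.168.1.1, the NAS and printer addresses 192.168.10.5 and 192.168.10.6, the service ports 445 and 9100, the ACL names and the DeviceB next hop are all assumptions constructed for the example.

```python
import ipaddress
from collections import namedtuple

Net = ipaddress.IPv4Network
# next_hop None = directly connected subnet (installed by an SVI address)
Route = namedtuple("Route", "prefix via next_hop", defaults=(None,))
# proto "ip" matches any protocol; dport None matches any destination port
Ace = namedtuple("Ace", "action src dst proto dport", defaults=("ip", None))


class L3Switch:
    """Model of a layer 3 switch: connected SVI subnets, static routes
    (longest prefix match) and stateless per-packet ingress ACLs."""

    def __init__(self, name):
        self.name, self.routes, self.acls, self.bindings = name, [], {}, {}

    def add_svi(self, vlan_if, cidr):
        # 'interface vlan N' + 'ip address ...' installs a connected route
        self.routes.append(Route(ipaddress.ip_interface(cidr).network, vlan_if))

    def add_static(self, cidr, next_hop, via):
        self.routes.append(Route(ipaddress.ip_network(cidr), via, next_hop))

    def bind_acl(self, vlan_if, name, aces):
        self.acls[name] = aces
        self.bindings[vlan_if] = name

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if ip in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def acl_verdict(self, ingress, src, dst, proto, dport):
        name = self.bindings.get(ingress)
        if name is None:
            return "permit"          # no ACL bound: everything is forwarded
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.acls[name]:
            if (s in ace.src and d in ace.dst
                    and ace.proto in ("ip", proto) and ace.dport in (None, dport)):
                return ace.action    # first matching entry wins
        return "deny"                # implicit deny at the end of every ACL

    def forward(self, ingress, src, dst, proto="ip", dport=None):
        if self.acl_verdict(ingress, src, dst, proto, dport) == "deny":
            return f"{self.name}: dropped by ACL {self.bindings[ingress]}"
        r = self.lookup(dst)
        if r is None:
            return f"{self.name}: no route to {dst}"
        if r.next_hop is None:
            return f"{self.name}: forward out {r.via} (connected)"
        return f"{self.name}: forward out {r.via} to next hop {r.next_hop}"


def build_sg250():
    """vlan 10 Office and vlan 20 Geek come from the thread. Assumed: uplink
    vlan 1 192.168.1.4/24, Draytek 192.168.1.1, NAS 192.168.10.5 (tcp/445),
    printer 192.168.10.6 (tcp/9100)."""
    sw = L3Switch("SG250")
    sw.add_svi("vlan 10", "192.168.10.4/24")
    sw.add_svi("vlan 20", "192.168.20.4/24")
    sw.add_svi("vlan 1", "192.168.1.4/24")
    sw.add_static("0.0.0.0/0", "192.168.1.1", "vlan 1")   # static default route
    office, geek, anywhere = Net("192.168.10.0/24"), Net("192.168.20.0/24"), Net("0.0.0.0/0")
    nas, printer = Net("192.168.10.5/32"), Net("192.168.10.6/32")
    # Geek (card payment) side: only the two shared services, then the Internet
    sw.bind_acl("vlan 20", "GEEK_IN", [
        Ace("permit", geek, nas, "tcp", 445),
        Ace("permit", geek, printer, "tcp", 9100),
        Ace("deny", geek, office),
        Ace("permit", geek, anywhere)])
    # Office side: ACLs keep no connection state, so replies from the NAS and
    # printer must be permitted explicitly ahead of the blanket deny
    sw.bind_acl("vlan 10", "OFFICE_IN", [
        Ace("permit", nas, geek),
        Ace("permit", printer, geek),
        Ace("deny", office, geek),
        Ace("permit", office, anywhere)])
    return sw


def device_b_before_after():
    """Rick's two-device case: device B knows vlan 20 but not vlan 10 until a
    static route exists (next hop 10.0.0.1 on GigabitEthernet1 is assumed)."""
    b = L3Switch("DeviceB")
    b.add_svi("vlan 20", "192.168.20.1/24")
    before = b.forward("vlan 20", "192.168.20.20", "192.168.10.10")
    b.add_static("192.168.10.0/24", "10.0.0.1", "GigabitEthernet1")
    return before, b.forward("vlan 20", "192.168.20.20", "192.168.10.10")


if __name__ == "__main__":
    sw = build_sg250()
    print(sw.forward("vlan 20", "192.168.20.10", "192.168.10.5", "tcp", 445))
    print(sw.forward("vlan 10", "192.168.10.20", "192.168.20.10", "tcp", 445))
    print(sw.forward("vlan 20", "192.168.20.10", "203.0.113.7", "tcp", 443))
    print(*device_b_before_after(), sep="\n")
```

The two OFFICE_IN entries that permit the NAS and printer to send into vlan 20 are the check worth making when writing the access lists: a switch ACL is evaluated packet by packet with no connection state, so without a return-path entry the card-payment PC could send to the NAS but never receive the answer. Traffic from vlan 20 to an outside address passes the last GEEK_IN entry and follows the default route to the Draytek, which is where Rick's points about routes back from the Draytek and address translation then apply.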

This has been an interesting discussion as it moved from more general explanations of vlans and SVI and routing to more specific implementation. I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

balaji.bandi (Hall of Fame)

Layer 3 feature in the SG switch:

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5073-switching-to-layer-3-mode-on-the-sf-sg-300-series-switches.html

If you want the switch port to be an access port belonging to VLAN 20:

interface GigabitEthernet6
switchport mode access
switchport access vlan 20
no shutdown

Here is a sample configuration guide for reference:

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb4986-vlan-configuration-via-cli-on-300-500-series-managed-switche.html

BB
