Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3001
Views
0
Helpful
16
Replies

Layer 3 routing

Go to solution
Dav1787
Level 1
Level 1

‎04-24-2019 02:29 AM

Hi Hoping someone can advise me.

I have a sonicwall TZ400. Im migrating our network to vlan managed network.

At the moment all devices expect CCTV are on default vlan1.

 

I have a routing port setup 192.168.120.80 255.255.255.0 Which is connect to port X3 on the sonicwall.

 

X3 has a ip address of 192.168.120.254 which i can ping form the core switch and from the sonicwall but i cannot can out to the internet through the CCTV vlan. any advice.

 

The default Sonicwall LAN IP is 192.168.16.254 (X1) i have to keep this for VLAN1.

 

here are my static routes:

image.png

cctv-vlan 192.168.20.0

L3 Switch 192.168.120.80

 

Core Switch config

 

no aaa new-model
clock timezone gmt 1
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name *****.local
ip name-server 8.8.8.8
no ip dhcp use vrf connected
!
ip dhcp pool Voice
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
!
crypto pki trustpoint TP-self-signed-1562173568
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1562173568
revocation-check none
rsakeypair TP-self-signed-1562173568
!
!
crypto pki certificate chain TP-self-signed-1562173568
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353632 31373335 3638301E 170D3933 30333031 30303034
30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35363231
37333536 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A476 DA036124 20128049 28B4D1E7 607FAC0B 772389D0 A437DA1F 1BB1801A
1807FB3D 7AB1C838 D498724E 16D5C9E1 27549732 E25FEF98 BE773D29 DE622F18
F0CDAD27 2C7FA223 1E549829 158090DE FCAB8A2B 1A5F0C12 94BD29BC 1980C84E
BE330F03 43DD70C1 2C60800C EA1402D0 A487ADF3 4BA34158 C8251FF8 654775B2
C7210203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 154F542D 53572D30 352E6F73 74656368 2E6C6F63 616C301F
0603551D 23041830 16801482 7C73A7E6 F7B88868 5BD2C751 E534D7CA 6E5FD930
1D060355 1D0E0416 0414827C 73A7E6F7 B888685B D2C751E5 34D7CA6E 5FD9300D
06092A86 4886F70D 01010405 00038181 000CF7D5 0EE12C41 197D448D BA320CB2
BE2BBEE4 96439390 C28912CD D69641DC 1529C87A 7C06A5E2 16029409 EF503FEB
D74931AD 34949966 C2F2652D 46D376AA 9CCA70FC 32159276 81695E88 D8183FC6
27F3FF30 5C9E652D FB33FF20 1CB6F6C9 30B02F52 F5583A98 479D9FBB D2413863
CE7024E4 CC76BB15 BED39FC7 54E2EFC0 25
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 99
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
switchport access vlan 20
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 20
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
switchport access vlan 20
!
interface GigabitEthernet1/0/17
switchport access vlan 20
!
interface GigabitEthernet1/0/18
switchport access vlan 20
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
switchport access vlan 20
!
interface GigabitEthernet1/0/21
switchport access vlan 20
!
interface GigabitEthernet1/0/22
switchport access vlan 20
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
no switchport
ip address 192.168.120.80 255.255.255.0
!
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,99,100
switchport mode trunk
!
interface GigabitEthernet1/0/26
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,99,100
switchport mode trunk
!
interface GigabitEthernet1/0/27
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,99,100
switchport mode trunk
!
interface GigabitEthernet1/0/28
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,19-21,30,50,99,100
switchport mode trunk
!
interface Vlan1
ip address 10.1.1.50 255.255.255.0
ip access-group 10 out
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 20 out
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 30 out
!
interface Vlan50
no ip address
!
interface Vlan99
ip address 192.168.99.1 255.255.255.0
ip access-group 99 out
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip access-group 10 out
!
ip default-gateway 192.168.16.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.16.254
ip http server
ip http secure-server
!
!
access-list 1 deny 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.18.104
access-list 20 permit 192.168.16.190
access-list 20 permit 192.168.17.190
access-list 20 deny 192.168.16.0 0.0.3.255
access-list 21 deny 192.168.16.0 0.0.3.254
access-list 30 deny 192.168.16.0 0.0.3.255
access-list 30 permit any
access-list 30 deny 192.168.100.0 0.0.0.255
access-list 99 deny 192.168.16.0 0.0.3.254
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password Pa55word
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 0 0
password Pa55word
logging synchronous
login local
transport input ssh
!
end

Core#ping 192.168.120.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.120.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

 

I

Labels:
0 Helpful
16 Replies 16

Go to solution
paul driver
VIP
VIP
In response to Dav1787

‎04-24-2019 08:44 AM - edited ‎04-25-2019 01:03 AM

Hello
So just to confirm you don’t want any other vlans accessing the new cctv vlan but wish the cctv vlan to access internet?

Example:
vlan  x 10.10.10.0/24
vlan x 11.11.11.0/24

ip access-list extended cctv-acl

deny ip 10.10.10.0 0.0.0.255 any

deny ip 11.11.11.0 0.0.0.255 any

permit ip any any

in vlan x < cctv vlan>
ip access-group cctv-acl OUT


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
Dav1787
Level 1
Level 1
In response to paul driver

‎04-25-2019 12:28 AM

that's Correct thank you

0 Helpful
Customers Also Viewed These Support Documents