
Layer 3 switch - routing configuration Need

Yasmeen
Level 1

Hi team,

I am using the 192.168.128.0/20 subnet for my network. I am dividing this network using the VLSM concept, as in the attached document. I am using two Cisco SG550 switches; in this switch I have configured four VLANs, but on the real switch I am unable to do routing: the different VLANs are not communicating with each other. Please help me configure the needed commands on my switch.

Gateway of last resort is 192.168.139.66 to network 0.0.0.0

 

10.0.0.0/24 is subnetted, 1 subnets

C 10.1.1.0 is directly connected, Vlan4

20.0.0.0/24 is subnetted, 1 subnets

C 20.1.1.0 is directly connected, Vlan5

C 192.168.128.0/20 is directly connected, FastEthernet0/3

S* 0.0.0.0/0 [1/0] via 192.168.139.66

 

second switch:

Gateway of last resort is 192.168.139.65 to network 0.0.0.0

 

C 192.168.132.0/23 is directly connected, Vlan2

192.168.137.0/25 is subnetted, 1 subnets

C 192.168.137.128 is directly connected, Vlan3

192.168.139.0/29 is subnetted, 1 subnets

C 192.168.139.64 is directly connected, FastEthernet0/3

S* 0.0.0.0/0 [1/0] via 192.168.139.65


Seb Rupik
VIP Alumni

Hi there,

What device is connected to Fa0/3 on both switches, a router?

 

For the VLANs routed on the switches to talk with each other, the router needs to have routing entries in its own routing table detailing which subnets are available via each segment. Say for example:

 

Sw1, fa0/3  ---> fa0/1, router

SW2, fa0/3 ---> fa0/2, router

 

Then the router will need the following routing table entries:

!
ip route 10.1.1.0 255.255.255.0 <switch1_fa0/3_ip_address>
ip route 20.1.1.0 255.255.255.0 <switch1_fa0/3_ip_address>
ip route 192.168.132.0 255.255.254.0 <switch2_fa0/3_ip_address>
ip route 192.168.137.128 255.255.255.128 <switch2_fa0/3_ip_address>
!

cheers,

Seb.

 

Hi,
I am using 192.168.128.0/20 as my network; in that I have 12 subnets using the VLSM concept. I have configured default routing on both switches, then it should route between them, no?
Why should I need to configure each VLSM gateway?

Hi,
This is my 1st switch running config,
switchf8f915#show running-config
config-file-header
switchf8f915
v2.4.0.91 / RTESLA2.4_930_181_042
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
vlan database
vlan 2-4
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switchf8f915
!
interface vlan 1
shutdown
!
interface vlan 2
name cisco
ip address 192.168.132.2 255.255.254.0
!
interface vlan 3
name Arris
ip address 192.168.137.130 255.255.255.128
!
interface GigabitEthernet1/0/1
ip address 192.168.139.66 255.255.255.248
no switchport
!
interface GigabitEthernet1/0/2
no switchport
!
interface GigabitEthernet1/0/4
switchport access vlan 4
!
interface GigabitEthernet1/0/8
switchport access vlan 2
!
interface GigabitEthernet1/0/9
switchport access vlan 3
!
interface loopback1
ip address 1.1.1.1 255.255.255.255
!
exit
ip default-gateway 192.168.139.65
switchf8f915#

Hi,
This is my 2nd switch configuration,
switchf8fa54#show running-config
config-file-header
switchf8fa54
v2.4.0.91 / RTESLA2.4_930_181_042
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
vlan database
vlan 4-6
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
hostname switchf8fa54
!
interface vlan 1
shutdown
!
interface vlan 5
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/0/1
ip address 192.168.139.65 255.255.240.0
no switchport
!
interface GigabitEthernet1/0/12
switchport access vlan 5
!
exit
ip default-gateway 192.168.139.66
switchf8fa54#

OK, below is the config to have switch1 provide the routing function for all subnets.

 

!
no vlan 2
no vlan 3
no int vlan 2
no int vlan 3
!
int gi1/0/1
  no ip address
!
vlan 10
  name A
vlan 11
  name B
vlan 12
  name C
vlan 13
  name D
vlan 14
  name E
vlan 15
  name F
vlan 16
  name G
vlan 17
  name H
vlan 18
  name I
vlan 19
  name J
vlan 20
  name K
vlan 21
  name L
!
int vlan 10
  ip address 192.168.139.65 255.255.255.248
int vlan 11
  ip address 192.168.132.1 255.255.254.0
int vlan 12
  ip address 192.168.128.1 255.255.252.0
int vlan 13
  ip address 192.168.134.1 255.255.254.0
int vlan 14
  ip address 192.168.136.1 255.255.255.128
int vlan 15
  ip address 192.168.136.129 255.255.255.128
int vlan 16
  ip address 192.168.137.1 255.255.255.128
int vlan 17
  ip address 192.168.138.129 255.255.255.192
int vlan 18
  ip address 192.168.139.193 255.255.255.192
int vlan 19
  ip address 192.168.139.1 255.255.255.192
int vlan 20
  ip address 192.168.137.129 255.255.255.128
int vlan 21
  ip address 192.168.138.1 255.255.255.128
!
int gi1/0/1
  switchport mode trunk
  switchport trunk allowed vlan all
  no shut
!
no ip default-gateway
!

...and switch2 will just operate at layer2:

 

 

!
no vlan 5
no int vlan 5
!
vlan 10
  name A
vlan 11
  name B
vlan 12
  name C
vlan 13
  name D
vlan 14
  name E
vlan 15
  name F
vlan 16
  name G
vlan 17
  name H
vlan 18
  name I
vlan 19
  name J
vlan 20
  name K
vlan 21
  name L
!
int gi1/0/1
  switchport mode trunk
  switchport trunk allowed vlan all
  no shut
!
no ip default-gateway
!

 

 

Of course if you want both switches to take part in routing, then you can move some of the SVIs onto switch2. Just make sure you reinstate the static routing between the switches for the selected subnets.

 

cheers,

Seb.
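
An added example, not part of Seb's reply: a Python check that the twelve SVI subnets in the switch1 config above sit inside 192.168.128.0/20 without overlapping, and that lists the address space left unallocated. The names `audit`, `unallocated` and `OLD_UPLINK` belong to this example only; `OLD_UPLINK` is the routed port with the 255.255.240.0 mask from the switchf8fa54 running config, included to show what the overlap check reports.

```python
import ipaddress
from itertools import combinations

PARENT = ipaddress.ip_network("192.168.128.0/20")

# SVI addresses from the switch1 config above (masks written as prefix lengths).
SVIS = {
    "vlan10": "192.168.139.65/29",  "vlan11": "192.168.132.1/23",
    "vlan12": "192.168.128.1/22",   "vlan13": "192.168.134.1/23",
    "vlan14": "192.168.136.1/25",   "vlan15": "192.168.136.129/25",
    "vlan16": "192.168.137.1/25",   "vlan17": "192.168.138.129/26",
    "vlan18": "192.168.139.193/26", "vlan19": "192.168.139.1/26",
    "vlan20": "192.168.137.129/25", "vlan21": "192.168.138.1/25",
}
# Routed port as it stood in switchf8fa54's running config (mask 255.255.240.0).
OLD_UPLINK = {"gi1/0/1": "192.168.139.65/20"}

def audit(interfaces, parent=PARENT):
    """Return sorted findings: out-of-block, unusable address, overlaps."""
    parsed = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    findings = []
    for name, iface in parsed.items():
        net = iface.network
        if not net.subnet_of(parent):
            findings.append(f"{name}: {net} is outside {parent}")
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface.ip} is not a host address")
    for (a, ia), (b, ib) in combinations(parsed.items(), 2):
        if ia.network.overlaps(ib.network):
            findings.append(f"{a} {ia.network} overlaps {b} {ib.network}")
    return sorted(findings)

def unallocated(interfaces, parent=PARENT):
    """Blocks of the parent range that no interface subnet covers."""
    free = [parent]
    for addr in interfaces.values():
        used = ipaddress.ip_interface(addr).network
        nxt = []
        for blk in free:
            if blk.subnet_of(used):
                continue                      # fully consumed
            if used.subnet_of(blk):
                nxt.extend(blk.address_exclude(used))
            else:
                nxt.append(blk)               # untouched
        free = nxt
    return sorted(free)

if __name__ == "__main__":
    print(audit(SVIS), unallocated(SVIS))
    print(audit({**SVIS, **OLD_UPLINK}))
```

The plan as posted produces no findings; adding the /20 routed port produces one overlap finding per SVI, because that mask covers the whole block.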

Hi,
I am unable to access like this; only the same VLAN communicates with each other, not as inter-VLAN routing.

I thought from the title of this post that this was a routing question.

If you want to prevent the subnets from communicating with each other you will need a Layer3 ACL. For each SVI the ACL will permit traffic from the connected subnet and drop all other traffic.

 

cheers,

Seb.

Hi,
Can you share the commands to configure on my SG550 switches?

On switch1, for VLAN10, the config would be:

!
ip access-list VLAN-10-IN permit 192.168.139.64 255.255.255.248 
!
int vlan10
  service-acl input VLAN-10-IN default-action deny-any
!

cheers,

Seb.

Hi Seb Rupik,
In my setup I have one firewall, and this firewall is connected to my Cisco SG550 switch. In this switch I have created 3 VLANs under the 192.168.128.0/20 subnet:
firewall - Cisco SG550 switch - PC
192.168.139.65/20 - 192.168.139.66/29 - 192.168.137.129/25 is my subnet
But I am unable to reach my firewall interface.
I have created ip route 0.0.0.0 0.0.0.0 192.168.65 as my route; after that it also did not work.
When I troubleshoot via Wireshark, my packet can go as far as the firewall interface IP address; after that I am not getting a reply from the firewall.
My doubt is: will I need to add a reverse route for each and every VLSM subnet,
or else does any configuration need to be added on the switch?
Can you please help me make the firewall and the PC connected to the switch port reachable?
For reference see the previous posts.
And one more doubt: what is the use of a reverse route?

Hi there,

The reason the routing does not work is that you have the default route on each switch directing traffic to the other switch. 

Where does the firewall fit into this topology? Is it connected to one switch? Both? 

 

Regarding the routing, the switches should have a default directed to the firewall. The firewall should then have a route for the 192.168.128.0/20 summary address directed back towards the switch.

 

cheers,

Seb.
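
An added example, not part of the thread: a small Python model that follows static routes hop by hop, run first on the two routing tables from the opening post and then on the layout suggested in the reply above. The hostnames are matched to the tables by their default gateways; the destination 172.16.0.1, the firewall address 192.168.139.70 and the names `lookup`, `trace`, `AS_POSTED` and `SUGGESTED` are assumptions made for this example.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; routes maps prefix -> next hop (None = connected)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else (None, None)

def trace(devices, start, dst, max_hops=8):
    """Follow next hops from `start`; return (path, verdict)."""
    owner = {ip: n for n, dev in devices.items() for ip in dev["addresses"]}
    path = [start]
    while len(path) <= max_hops:
        prefix, hop = lookup(devices[path[-1]]["routes"], dst)
        if prefix is None:
            return path, "no route"
        if hop is None:
            return path, f"connected via {prefix}"
        if hop not in owner:
            return path, f"next hop {hop} is not modelled"
        path.append(owner[hop])
        if path.count(owner[hop]) > 1:
            return path, "loop"
    return path, "hop limit"

# Routing tables from the first post; link addresses from the running configs.
AS_POSTED = {
    "switchf8fa54": {"addresses": ["192.168.139.65"], "routes": {
        "10.1.1.0/24": None, "20.1.1.0/24": None,
        "192.168.128.0/20": None, "0.0.0.0/0": "192.168.139.66"}},
    "switchf8f915": {"addresses": ["192.168.139.66"], "routes": {
        "192.168.132.0/23": None, "192.168.137.128/25": None,
        "192.168.139.64/29": None, "0.0.0.0/0": "192.168.139.65"}},
}
# Layout from the last reply. 192.168.139.70 is a hypothetical firewall
# address; its default route is modelled as connected (the upstream side).
SUGGESTED = {
    "switch": {"addresses": ["192.168.139.65"], "routes": {
        "192.168.139.64/29": None, "192.168.132.0/23": None,
        "0.0.0.0/0": "192.168.139.70"}},
    "firewall": {"addresses": ["192.168.139.70"], "routes": {
        "192.168.139.64/29": None, "0.0.0.0/0": None,
        "192.168.128.0/20": "192.168.139.65"}},
}
```

`trace(AS_POSTED, "switchf8fa54", "172.16.0.1")` ends in a loop between the two switches, and a lookup for 192.168.132.10 on switchf8fa54 matches its connected /20 rather than a route towards the other switch.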
