Need to provide a route to internet for servers on another VLAN

neil6
Level 1

This has been bugging me for some time now. I’ve worked with Cisco on and off for a number of years at a rather basic (small business) level and now find myself immersed in a more complex network environment which a previous colleague used to look after and clearly held quite close to their chest without documenting anything. Just because I’ve logged into a Cisco device before, set up a couple of VLANs and a few static routes, all of a sudden I’m the expert.

Basically the network infrastructure is made up of two Layer-3 Core switches (C3560Gs) and 7 Access switches (these are actually C3560s too, with the exception of the last access switch, which is a C2960) with a number of VLANs and routes to other sites, along with a route to the Internet via a Sonicwall NSA appliance (soon to be replaced, but the same principles will apply).

These are not the actual IPs, but let’s just say the Sonicwall has an interface with IP 192.168.1.254, so that’s the gateway to the internet, right?

The 1st Core switch has an SVI address on VLAN10 of 192.168.1.1, Core Switch 2 has 192.168.1.2, right through to Access switch 7, which has an SVI address of 192.168.1.9 on its VLAN10 interface.

I have computers on VLAN10 which have internet connectivity as needed but use a DG address of 192.168.1.1 (not 192.168.1.254); it works, so I haven’t dabbled with it.

We then have another VLAN for the phone system. Let’s keep it easy and call this VLAN20; it uses the 192.168.2.0 subnet. Let’s also say the switches have been configured with SVI addresses for this VLAN too, so 192.168.2.1 through to 192.168.2.9. This subnet has a number of servers provided by the phone system supplier, and calls go out via a separate and dedicated connection looked after and maintained by them. However, they have requested a route for one of the servers to go via our Internet connection; to this day I’m still not sure why, but that’s just the way it is.

Let’s say these servers have been pre-configured with a default gateway address of 192.168.2.1 (the VLAN20 SVI address of Core Switch 1). As it stands I can access the Voice Recorder server’s web interface (192.168.2.10) via any of the computers on VLAN10, which is great. Just as we want it, no problem there. However, my problem comes when I try to configure a route to the internet for one of the servers.

With my laptop connected to VLAN20 I can ping the gateway address 192.168.2.1, but there’s no next hop.

What I have tried is to configure another physical interface/port on the Sonicwall with the VLAN20 DG address and change Core Switch 1’s VLAN20 SVI address to another unused VLAN20 IP address (e.g. 192.168.2.254). The net result of this is the servers have internet. Great! But I lost my connectivity from VLAN10 to the Voice Recorder server on VLAN20 (I haven’t checked, but I assume I’ve lost connection to all of VLAN20; I only access the Voice Recorder on this VLAN for retrieving voice messages, there’s no need for me to connect to anything else). I also found the VoIP phones lost the ability to make or receive calls, which I don’t understand (my understanding here is these are all handled by a dedicated voice server on VLAN20), but I’ve ignored that just for the minute and will deal with it accordingly if it doesn’t all come right when fixing the immediate requirement.

What I have noticed is on the Sonicwall the 192.168.1.254 interface has been configured as a VLAN sub-interface on physical port X1, so firstly I’m wondering if I need to do the same for the port (X2) that’s connected to VLAN20 (so it handles the tagged traffic?). This is where I start to get out of my depth.

Otherwise I guess I’m thinking, can I route VLAN20 traffic through VLAN10 to get to the gateway? But that doesn’t seem logical.

Should I be using the Core’s SVI as the Gateway on VLAN20 and trunking this to the Sonicwall? Should I put a VLAN20 sub-interface on the same physical interface (X1) on the Sonicwall or patch it in on a separate physical interface (X2) as I attempted previously?

If any more info is needed, just let me know.

If anyone’s able to figure this out and provide the answer I shall more than likely want to kiss you, virtually of course.

Hello,

Since you are not revealing 'real' IP addresses: I assume that the SonicWall has a public IP address, and that the SonicWall does the NAT for all your internal networks?

What usually helps (a lot) is to see a diagram of your topology showing the physical and logical connections, so if you have that, post it here...

I think I have an understanding of some parts of the original post but am not clear on some other parts.

Perhaps the first question is the choice of default gateway for devices in vlan 10. The original post suggests that perhaps the devices default gateway should be 192.168.1.254 address of Sonicwall. I would suggest that the current default gateway 192.168.1.1 of the core switch is a better choice. Using the core switch as default gateway would make it easier to implement inter vlan routing. If a host in vlan 10 wants to communicate with a host in vlan 20 it is simple if the dg is the core switch - packet from host to core switch and directly to host in vlan 20. If the dg is Sonicwall then packet from host to core switch, from core switch to Sonicwall, from Sonicwall back to core switch, and core switch to host in vlan 20.

Perhaps the next question is vlan 20 access to Internet. I think I understand that vlan 20 is for phones and related servers. Currently there is some inter vlan routing between servers in vlan 20 and hosts in vlan 10 and Internet access for devices in vlan 20 is through the phone provider. Now they want to have one server in vlan 20 get Internet access using your Internet connection. If they change the configured default gateway for that server to be the core switch address of 192.168.2.1 then that server would go through the core switch to access the Internet. Pretty simple change and it should work. The thing to be aware of (and is perhaps not so simple) is that now the Sonicwall will start receiving traffic with source address in 192.168.2.0 subnet and forwarding it to the Internet. So Sonicwall will need to be configured to perform address translation for that address in addition to the translation it is currently doing for 192.168.1.0.

I understand that you made a separate connection from vlan 20 to Sonicwall and configured the server in vlan 20 to have default gateway of Sonicwall. When you do this the server does have Internet access but you lose connectivity from your PC in vlan 10 to the server in vlan 20. That is to be expected because the Sonicwall has not been configured to do inter vlan routing. And I suspect that this also explains why the ip phones are having a problem.

The part that is less clear is the discussion about vlan subinterfaces on the Sonicwall. I think that suggests that Sonicwall expects to be connected on an interface configured as a trunk on the core switch. Is that the case? Is the interface on the core switch connected to Sonicwall configured as a trunk? If that is the case then I would think that you could just add vlan 20 to the trunk on the switch and configure another vlan subinterface on Sonicwall and not need the separate physical connection between core switch and Sonicwall.

HTH

Rick

No wonder you are a Guru!!!

You are absolutely correct in your assessment of the deployment, and your suggestion is perfectly and, more importantly, "logically correct".

I think in addition to

a) vlan10 hosts configuring their Default-Gw as 192.168.1.1 (the core-switch svi addr for vlan10), and

b) all devices in vlan20 configuring the default-gw as 192.168.2.1 (the core-switch svi addr for vlan20)

there should be

a) a static route added on the sonicwall appliance as below for replying/reaching the 192.168.2.0/24 network

ip route 192.168.2.0 255.255.255.0 192.168.1.1

b) and importantly there should be a "default route" on both core-switches (only core-switch1 would do as such)...pointing to the sonicwall appliance for forwarding traffic to the internet (from the 192.168.1.0/24 and 192.168.2.0/24 networks)

ip route 0.0.0.0 0.0.0.0 192.168.1.254

and

c) The voice-server that requires its internet traffic to be routed via the sonicwall gateway will have to be configured with default-gw ipaddr as 192.168.2.1....this will also be needed for this voice-server (and other voip devices in vlan20) to route to the 192.168.1.0/24 network too

Thanks for the valuable learning and insights from you as always

best regards

Thank you for the kind words. I do appreciate it when people mention my contributions to the community. And I do appreciate your contributions to the community. We share what we know and hope to help others in the community grow in their networking capabilities.

We know only a little bit about this environment. I have wondered about the second core switch. How does it fit into the network design? We are told that devices in vlan 10 use the IP of core 1 as their default gateway. What role does core 2 play in this? Might it be possible that the switches use HSRP so that both of them might provide routing for the subnet? And we do not know whether core 2 also connects to Sonicwall. And we do not know if there is any configuration on Sonicwall that relates to core 2.

HTH

Rick

Hi Rick,

Firstly, a huge thanks for your reply, extremely helpful. Secondly, apologies for my delayed reply, but I have spent the last week recovering from Covid, kindly brought home by my teenage step-daughter.

You totally grasped the setup from my explanation, which is great, and I will try to clear up the questions you have.

With regard to the gateway for VLAN10 I am not aiming to make any changes here as this is all working as needed, but your response has helped me to provide some clarity with regard to the current configuration. As I suspected, but wasn’t 100% sure, using the SVIs as the DGs helps keep inter-VLAN routing nice and simple. If I start to use the Sonicwall’s interface as the DG then I’ve got to consider the routing plus the extra hop.

Your assessment of VLAN20 is spot-on; however, if I do use the VLAN20 SVI of the core switch (192.168.2.1) as the DG then currently the traffic gets no further than the DG. Somehow I need to configure my route to the internet (via the Sonicwall) from there.

You mentioned “The thing to be aware of (and is perhaps not so simple) is that now the Sonicwall will start receiving traffic with source address in 192.168.2.0 subnet and forwarding it to the Internet. So Sonicwall will need to be configured to perform address translation for that address in addition to the translation it is currently doing for 192.168.1.0”. This shouldn’t really be an issue, and I’ve already configured a 192.168.2.0 subnet interface on it which, as far as the phone system servers were concerned, provided internet connectivity; however, it did mess with my inter-VLAN routing, as you’d pointed out: “That is to be expected because the Sonicwall has not been configured to do inter vlan routing”.

Finally, considering the VLAN subinterfaces on the Sonicwall, you’re right again. As far as VLAN10 is concerned the Sonicwall is connected to an interface configured as a trunk on the Core switch. As for the interface on the Core switch being connected to an interface on the Sonicwall that’s configured as a trunk, the answer is “I think so”. This is the point at which I’m coming unstuck, and figuring this out is likely to provide the answer, but this is more my lack of familiarity with Sonicwall now.

As mentioned previously, VLAN10 is working as needed. It has inter-VLAN routing (I suspect because it uses the VLAN10 SVI of the Core switch as its DG) and internet. It is the internet connectivity I’m less sure about, and I believe if I could fully understand how this is being achieved at the moment then I could do exactly the same for VLAN20 and would be good to go.

I think my big question is, if the SVI address of the Core Switch on VLAN10 is 192.168.1.1 and the VLAN subinterface of the Sonicwall has an IP address of 192.168.1.254, how is the traffic getting from the Core Switch to the Sonicwall and out to the internet? Is it simply because these interfaces are configured as a trunk? Am I relying on NAT on the Sonicwall to do the rest, or is a static route needed?

Certainly, in my attempt to configure a physical interface on the Sonicwall as a DG for VLAN20 I was using the interface as an ‘access’ port, so no trunking. This provided the internet ‘route’ but lost my inter-VLAN connectivity (plus the phones dropped their call connectivity).

It certainly seems as though the solution stems from correctly configuring an interface on the Sonicwall to handle the VLAN20 traffic destined for the internet, but also setting up a ‘trunk’ interface for this VLAN on the Core switch. I guess this is what you were saying here: “….you could just add vlan 20 to the trunk on the switch and configure another vlan subinterface on Sonicwall and not need the separate physical connection between core switch and Sonicwall”. The chances are once I understand how to implement this I’ll have the working solution.

You’ve been a huge help so far and your advice and guidance is greatly appreciated.

Many thanks

Neil

Neil

I am sorry to hear about your experience with Covid. Glad that you are recovering and hope that you will not have long lasting symptoms (when my son came down with Covid in the spring it took several months to get over the fatigue and the brain fog that he was experiencing).

There are several things I would like to address. First is some comments about routing for vlan 10 and Internet access. This is my understanding of routing for vlan 10, and if there is anything I say here that does not seem right please clarify and correct it. You have several access switches and 2 core switches with hosts connected in vlan 10. The devices in vlan 10 are configured with the core switch IP address in vlan 10 as their default gateway. When a device in vlan 10 wants to communicate with something outside of vlan 10 (might be vlan 20 or might be Internet) then the device forwards the packet to its default gateway (the core switch). The core switch evaluates the packet and looks in its routing table to determine what to do. If the destination is vlan 20 then the destination is locally connected and the core switch forwards the packet on to its destination. If the destination is Internet then the core switch uses a default route and determines that the next hop should be Sonicwall and forwards the packet to the Sonicwall. Sonicwall receives a packet with source address in vlan 10 and prepares to forward that packet on to the Internet. As part of that process the Sonicwall will do address translation so that the packet being forwarded will have a Public IP as its source address in the Internet. The output of show ip route from your core switch could help verify that my understanding is correct that the core switch sees vlan 20 as a locally connected subnet and has a default route for Internet access with Sonicwall as its next hop. Hope you agree that this is right. If you have any questions about it then just ask.

Then I have some comments about vlan 20 and possible Internet access for that vlan. You have configured vlan 20 on access switches and on the core switches. You have configured a vlan interface on the core switch for vlan 20. Since the devices in vlan 20 are currently getting Internet access via the phone provider I assume that all these devices have their default gateway set to be the phone provider router/switch. Since you are able to access the servers in vlan 20 from your PC in vlan 10 I am assuming that the phone provider must have configured routing to be able to forward traffic to vlan 10 (probably a static route) from their router/switch. The results of traceroute from a server in vlan 20 to your PC in vlan 10 would help demonstrate if this is the case. I hope you agree that this is right. If you have any questions about it then just ask.

Now there is a request for a change that would allow a single server in vlan 20 to have Internet access via your network. Here are the things that I think should be done to achieve this:

- change the default gateway of that server to be the vlan 20 interface address of your switch.

- the core switch already has what it needs to be able to route for vlan 20 (the core switch already considers vlan 20 to be a locally connected network and already has a default route).

- on the Sonicwall you will need to add a static route for the subnet of vlan 20. And you will need to add address translation for the subnet of vlan 20.

I would comment on this in your recent post "if I do use the VLAN20 SVI of the core switch (192.168.2.1) as the DG then currently the traffic gets no further than the DG". I believe that this is not correct. I believe that the traffic is forwarded to Sonicwall but Sonicwall does not recognize the source address and has no way to respond to that traffic.

I would also comment on having a separate physical interface on Sonicwall vs using the core switch interface to Sonicwall. It might be possible to operate this using a separate physical interface on Sonicwall. But I believe that it would be better (more simple) to use the existing core switch connection as a transit link and not have vlan 20 directly connected to Sonicwall.

HTH

Rick
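As an added example (not configuration from the thread or from either poster), this is what the core switch side of Rick's "transit link" recommendation looks like in IOS on a Catalyst 3560G, using the thread's placeholder addresses; the uplink interface name GigabitEthernet0/1 and the interface descriptions are assumed.

```cisco
! Core Switch 1 (C3560G) - hypothetical config assembled from the thread.
! 192.168.x.x addresses are the thread's placeholders, not real addresses.
ip routing
!
! SVIs: the default gateway for each VLAN lives on the core switch,
! so VLAN10 <-> VLAN20 traffic is routed here without touching the firewall.
interface Vlan10
 description Data - default gateway for 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 description Voice - default gateway for 192.168.2.0/24 (server DG = 192.168.2.1)
 ip address 192.168.2.1 255.255.255.0
!
! Existing uplink to the Sonicwall X1 (its VLAN10 sub-interface is 192.168.1.254).
! VLAN20 is deliberately NOT added to this trunk: VLAN20 stays behind the core
! switch and reaches the firewall via the VLAN10 subnet, so there is only one
! gateway for the voice servers and inter-VLAN routing keeps working.
interface GigabitEthernet0/1
 description Uplink to Sonicwall X1 (802.1Q trunk, VLAN10 only)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10
 switchport mode trunk
!
! Default route: everything that is not locally connected goes to the Sonicwall.
! With "ip routing" enabled this is what the switch uses, not ip default-gateway.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! --- verification from privileged EXEC ---
! show ip route
!   expect: C  192.168.2.0/24 is directly connected, Vlan20
!           S* 0.0.0.0/0 [1/0] via 192.168.1.254
! traceroute ip 8.8.8.8 source 192.168.2.1
!   replies only come back once the Sonicwall has a route for 192.168.2.0/24
!   via 192.168.1.1 and a NAT policy for that subnet; without them the first
!   hop answers but nothing beyond it does, which is the symptom in the thread.
```

The Sonicwall side (the static route for 192.168.2.0/24 via 192.168.1.1 and the NAT policy for that subnet) is configured in its own management interface, not in IOS syntax. Scoping that NAT policy and the matching access rule to the one server's address rather than the whole /24 keeps the rest of the voice VLAN off the Internet path.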