08-29-2021 12:01 AM
How can I achieve reachability from a VLAN terminated on the L3 switch to a routed port on the router/FW?
E.g.:
int vlan 10, 50 are the SVIs on the L3 switch
vlan 10 - 10.0.10.254/24, vlan 50 - 10.0.50.254/24
vlan 50 is the native VLAN on the trunk link towards the router/FW
The routed port is configured on the physical interface with 10.0.50.1/24
The problem is that I can reach the routed port sourcing from both SVIs, but not from a device inside vlan 10.
Taking a tcpdump on the routed interface, I can see only ICMP requests but no replies. The switch does have its default gateway set to 10.0.50.1.
I've enabled OSPF on the FW and the switch, but with no luck.
Thanks @Zac67 for the hint; maybe I wasn't clear about what I'm trying to achieve.
I want to have a few VLANs terminated on the L3 switch and some of them on the FW, to have visibility into them. The problem is that I would like to use a physical interface on the FW as their DG to reach the outside world or to route to the VLANs terminated on the FW.
It looks like router on a stick, but using the physical interface by putting an IP address on it.
So VLANs 5, 10, 15, 20 terminate on the L3 switch, so they have SVIs created on it. VLANs 30, 40, 50 just exist on the switch and go to the router through the trunk, and they have their own subinterfaces created there.
I am looking for a way to use another VLAN just for connectivity between the SVI and the router's physical interface.
What I did until now is, let's say, create an SVI for vlan 100 and put an IP on it, then set vlan 100 as the native VLAN on the trunk to reach the router untagged.
But it doesn't work, unfortunately...
==========================================================
First of all, sorry for all the mistakes I made and am making in this question; this is my first time posting on Stack. Thank you to all who are trying to help solve this problem. Please find the topology and configs below:
Switch config
```
Current configuration : 3350 bytes
!
! Last configuration change at 06:18:12 UTC Thu Aug 26 2021
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
no ipv6 cef
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 switchport access vlan 30
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/3
 media-type rj45
 negotiation auto
!
interface Vlan20
 ip address 10.0.20.254 255.255.255.0
!
interface Vlan40
 ip address 10.0.40.254 255.255.255.0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
```
Router config
```
Router#sh run
Building configuration...

Current configuration : 3144 bytes
!
! Last configuration change at 06:18:16 UTC Thu Aug 26 2021
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.40.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end
```
Sourcing from VPC10 I can ping:
```
VPCS> ip 10.0.30.100 /24 10.0.30.1
Checking for duplicate address...
PC1 : 10.0.30.100 255.255.255.0 gateway 10.0.30.1

VPCS> ping 10.0.30.1
84 bytes from 10.0.30.1 icmp_seq=1 ttl=255 time=16.253 ms

VPCS> ping 10.0.40.1
84 bytes from 10.0.40.1 icmp_seq=1 ttl=255 time=8.569 ms

VPCS> ping 10.0.40.254
84 bytes from 10.0.40.254 icmp_seq=1 ttl=254 time=12.776 ms

VPCS> ping 10.0.20.254
84 bytes from 10.0.20.254 icmp_seq=1 ttl=254 time=15.602 ms

VPCS> ping 10.0.20.100
10.0.20.100 icmp_seq=1 timeout

VPCS> ping 3.3.3.3
84 bytes from 3.3.3.3 icmp_seq=1 ttl=255 time=11.675 ms
```
The only device which is not pingable is the other VPCS, 10.0.20.100.
**But from the VPC which is terminated on the switch, only the SVIs on the switch are reachable:**
```
VPCS> ip 10.0.20.100 /24 10.0.20.254
Checking for duplicate address...
PC1 : 10.0.20.100 255.255.255.0 gateway 10.0.20.254

VPCS> ping 10.0.20.254
84 bytes from 10.0.20.254 icmp_seq=1 ttl=255 time=25.344 ms

VPCS> ping 10.0.30.1
10.0.30.1 icmp_seq=1 timeout

VPCS> ping 10.0.40.254
84 bytes from 10.0.40.254 icmp_seq=1 ttl=255 time=7.528 ms
```
08-29-2021 11:30 AM
Hello,
Your post is somewhat confusing, as there are no SVIs for VLAN 10 and 50 configured on the switch, just 20 and 40...
08-29-2021 03:23 PM
Hello
You have a native VLAN mismatch between the switch and the router. The router's physical interface defaults to VLAN 1; change the switch trunk to be native VLAN 1, or perform the following, then test again.
RTR:
```
interface GigabitEthernet0/0
 no ip address 10.0.40.1 255.255.255.0
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40 native
 ip address 10.0.40.1 255.255.255.0
```
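As an added example (not code from the thread), a small Python check that applies the rule stated in this answer to the two configs posted above: it compares the switch trunk's native VLAN with the VLAN the router treats as untagged (the dot1Q subinterface declared `native`, otherwise VLAN 1). The config strings are constructed excerpts of the posted configs; `ROUTER_AFTER` is the posted change applied.

```python
import re
# Constructed excerpts of the configs posted in this thread (trimmed to the
# lines the check needs); ROUTER_AFTER applies the change suggested above.
SWITCH = """interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport mode trunk
"""
ROUTER_BEFORE = """interface GigabitEthernet0/0
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
"""
ROUTER_AFTER = """interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40 native
 ip address 10.0.40.1 255.255.255.0
"""

def interfaces(cfg):
    """Split an IOS config into {interface name: [indented config lines]}."""
    blocks, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
    return blocks

def switch_native_vlan(cfg, trunk):
    """Native VLAN on a switch trunk port; IOS defaults to VLAN 1 when unset."""
    for line in interfaces(cfg).get(trunk, []):
        m = re.match(r"switchport trunk native vlan (\d+)", line)
        if m:
            return int(m.group(1))
    return 1

def router_native_vlan(cfg, phys):
    """VLAN the router treats as untagged on phys: the dot1Q subinterface
    marked 'native', otherwise VLAN 1 (the rule stated in the answer above)."""
    for name, lines in interfaces(cfg).items():
        if name.startswith(phys + "."):
            for line in lines:
                m = re.match(r"encapsulation dot1[Qq] (\d+) native", line)
                if m:
                    return int(m.group(1))
    return 1

def native_vlan_mismatch(switch_cfg, trunk, router_cfg, phys):
    # True when the two ends of the trunk disagree on the untagged VLAN.
    return switch_native_vlan(switch_cfg, trunk) != router_native_vlan(router_cfg, phys)
```

Run against the posted configs the check reports a mismatch (40 vs 1); with the subinterface change applied both ends agree on VLAN 40.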