tech44048
Beginner

add layer 3 switches to existing network

Hi

 

We need to add a layer 3 switch (Meraki MS-250) to perform inter-VLAN routing.

We have an ASA 5506 that terminates our VPN (AnyConnect) in VLAN 1, IP 192.168.1.1.

All connections go from this VLAN 1 to the servers, workstations, printers, VPN, ...

We need to divide our network into VLANs 20 and 30 and keep VLAN 1 for our servers and printers.

VLAN 1 for servers and printers: 192.168.1.0/24 (because we cannot change the server and printer IPs)

VLAN for workstations: 192.168.20.0/24

VLAN for wifi: 192.168.30.0/24

We have already created the VLAN interfaces on the switch and the scopes on the DHCP server:

Name              Subnet             IP interface    VLAN id   DHCP Settings
Management vlan   192.168.1.0/24     192.168.1.3     1         off
workstation vlan  192.168.20.0/24    192.168.20.3    20        Relay to DHCP server
wifi vlan         192.168.30.0/24    192.168.30.3    30        Relay to DHCP server

 

DHCP server (Windows Server 2016): 192.168.1.10

We created the scopes using the switch's routing interface for each VLAN as the gateway:

192.168.1.1 for scope 1

192.168.20.3 for scope 20

192.168.30.3 for scope 30

 

Topology: (attached image innn.png)

 

Problem:

We started moving some workstations to VLAN 20 for testing.

A device in VLAN 20 takes an address in VLAN 20 and DHCP works fine, but the device has no internet.

I cannot ping any address in VLAN 1 when I'm using VLAN 20 or 30, but ping works fine between VLAN 20 and 30.

 

Questions:

1/ How can we configure our firewall (with a static route for each VLAN)?

2/ Do we just add a static route for each VLAN (20, 30)?

acampbell
Advocate

Hi,

 

You need to point a default route out to the firewall interface on VLAN 1

DEST/SUBNET MASK NEXT HOP
ip route 0.0.0.0 0.0.0.0 192.168.1.1 for_DEFAULT_ROUTE_TO-ASA

***************


On ASA F/WALL

You need to point static routes to the user VLANs at the L3 switch VLAN 1 interface.

DEST/SUBNET MASK NEXT HOP
ip route 192.168.20.0 255.255.255.0 192.168.1.3 for_vlan_20
ip route 192.168.30.0 255.255.255.0 192.168.1.3 for_vlan_30

 

 

Regards, Alex. Please rate useful posts.

Hi Alex,

By adding a default route out to the firewall, will this not affect our servers and printers?

We need to keep them in VLAN 1.

Thank you,

Mondher

Hi,

Adding a default route will send all traffic destined for the Internet to the firewall. It does not change the vlan for any device.

HTH

Hi Reza,

 

How can I have traffic between my Layer 3 VLANs: VLAN 20, VLAN 30 and VLAN 1 (native VLAN)?

Until now my pings are successful between VLAN 20 and 30 but unsuccessful when trying to ping VLAN 1 (the native VLAN that has all my servers) from VLAN 20 and 30.

 

Thank you

Hi,

If your printers & servers are using the ASA as their default gateway (i.e. 192.168.1.1), the ASA will not send traffic back over an ingress interface.

Change the printers & servers to use the L3 switch as their default gateway, 192.168.1.3.

You could test this with a PC or laptop in the first instance.

 

Seasons Greetings.

Regards, Alex. Please rate useful posts.

Hi Alex,

 

Our servers and printers are managed by our DHCP server (DHCP gives them their addresses).

In this case, do we change the scope option in the DHCP server for VLAN 1 from 192.168.1.1 to 192.168.1.3??

and add

DEST/SUBNET MASK NEXT HOP
ip route 0.0.0.0 0.0.0.0 192.168.1.1 for_DEFAULT_ROUTE_TO-ASA

***************

On ASA F/WALL

You need to point static routes to the user VLANs at the L3 switch VLAN 1 interface.

DEST/SUBNET MASK NEXT HOP
ip route 192.168.20.0 255.255.255.0 192.168.1.3 for_vlan_20
ip route 192.168.30.0 255.255.255.0 192.168.1.3 for_vlan_30

 

 

Thank you

Hi,

 

You will need to add the route I mentioned on the L3 switch to point at the ASA

 

DEST/SUBNET MASK NEXT HOP
ip route 0.0.0.0 0.0.0.0 192.168.1.1 for_DEFAULT_ROUTE_TO-ASA

 

If your DHCP server is on vlan 1 using d/gateway 192.168.1.1 change that to be 192.168.1.3 (And any scope for 192.168.1.0/24 to use d/gateway 192.168.1.3 ) so that all devices use the L3 switch to route inter vlan and the L3 switch will pass any destination addresses  not in your vlans to the ASA.

 

 

Regards, Alex. Please rate useful posts.
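To see why the DHCP gateway change matters, here is an added example (my own, not from the thread, Cisco or Meraki) that models the topology above in Python with longest-prefix routing and follows a VLAN 20 workstation's ping to a VLAN 1 server together with the server's reply; the ASA dropping a packet that would leave on its ingress interface, the upstream next hop 203.0.113.1 and the host addresses are assumptions of the model.

```python
import ipaddress
# Constructed model of this thread's topology (added example, not from the post): the L3
# switch owns the .3 SVIs and defaults to the ASA; the ASA carries Alex's static routes.
# The ASA hairpin drop and the 203.0.113.1 upstream hop are modelling assumptions.
DEVICES = {
    "switch": dict(asa=False,
        addrs={"192.168.1.3": "vlan1", "192.168.20.3": "vlan20", "192.168.30.3": "vlan30"},
        routes=[("192.168.1.0/24", None, "vlan1"), ("192.168.20.0/24", None, "vlan20"),
                ("192.168.30.0/24", None, "vlan30"), ("0.0.0.0/0", "192.168.1.1", "vlan1")]),
    "asa": dict(asa=True, addrs={"192.168.1.1": "inside"},
        routes=[("192.168.1.0/24", None, "inside"), ("192.168.20.0/24", "192.168.1.3", "inside"),
                ("192.168.30.0/24", "192.168.1.3", "inside"), ("0.0.0.0/0", "203.0.113.1", "outside")]),
}

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop, out_iface); next_hop None = connected."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh, iface)
    return best and best[1:]

def owner(ip):
    """Which modelled device holds `ip`, and on which interface; (None, None) if none."""
    for name, dev in DEVICES.items():
        if ip in dev["addrs"]:
            return name, dev["addrs"][ip]
    return None, None

def trace(gateway, dst):
    """Forward a packet from a host whose default gateway is `gateway` toward `dst`."""
    path, (dev, in_iface) = [], owner(gateway)
    while dev is not None and dev not in path:
        path.append(dev)
        hit = lookup(DEVICES[dev]["routes"], dst)
        if hit is None:
            return path, "no route on " + dev
        nh, out_iface = hit
        # Assumed firewall behaviour: a packet that would leave via its ingress interface is dropped.
        if DEVICES[dev]["asa"] and out_iface == in_iface:
            return path, "dropped by " + dev + ": hairpin on " + out_iface
        if nh is None:
            return path, "delivered"       # destination is directly connected
        dev, in_iface = owner(nh)
    return path, "routing loop" if dev else "forwarded upstream" if path else "unknown gateway"

def round_trip(src_gw, src_ip, dst_gw, dst_ip):
    """True only when the request and the reply are both delivered."""
    return trace(src_gw, dst_ip)[1] == trace(dst_gw, src_ip)[1] == "delivered"
```

With the server's gateway at 192.168.1.1 the request from VLAN 20 is delivered but the reply is dropped at the ASA, which is exactly the one-way failure in the thread; with the gateway at 192.168.1.3 both directions succeed and internet-bound traffic still leaves through the ASA.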

Hi Alex 

 

Thank you a lot for your help, we will test this solution and let you know.

 

 

Hi Alex,

 

Which static route command is right in this case, outside or inside?

route inside 192.168.20.0 255.255.255.0 192.168.1.3

or

route outside 192.168.20.0 255.255.255.0 192.168.1.3

or both?

 

Thank you

Hi,

We want the ASA to send traffic for VLANs 20 & 30 to the L3 switch, so this is the ASA's "inside" network:

 

 

route inside 192.168.20.0 255.255.255.0 192.168.1.3
route inside 192.168.30.0 255.255.255.0 192.168.1.3

Regards, Alex. Please rate useful posts.