add layer 3 switches to existing network

tech44048 · ‎12-23-2020

Hi

We need to add layer 3 switch (MS-250 Meraki) to perform intervlan

we have SAS 5506 That connect to vpn (Anyconnect) in vlan 1 ip 192.168.1.1

all connection go from this vlan 1 to the server,workstation,printer,vpn......

we need to divide our network to intervlan 20,30 and keep vlan 1 manage our server and printer

Vlan 1 for server and printer 192.168.1.0/24(because we can not change server and printer ips)

intervlan for workstation 192.168.20.0/24

intervlan for wifi 192.168.30.0/24

we alredy create the intervlan interface in the switch and the scope in dhcp server

Name	Subnet	IP interface	VLAN id	DHCP Settings
Mangement vlan	192.168.1.0/24	192.168.1.3	1	off
workstation vlan	192.168.20.0/24	192.168.20.3 20	20	Relay to dhcp server
wifi vlan	192.168.30.0/24	192.168.30.3 30	30	Relay to dhcp server

Dhcp server 2016 : 192.168.1.10

we create scope using the switch's routing interface for each VLAN as the gateway

192.168.1.1 for scope 1

192.168.20.3 for scope 20

192.168.30.3.for scope 30

topologie

Problem:

we start move same workstation to vlan 20 for test

Device in vlan 20 Take adress in vlan 20 , DHCP work fine , but no internet to this device

I can not ping any address from vlan 1 when i'm using vlan 20 or 30 to , but ping work fine between vlan 20 and 30

Questions:

1/haw we can configure our firewall (with static rout for each intervlan )?

2/just add static rout for each intervlan(20,30)?

acampbell · ‎12-23-2020

Hi,

You need to point a default route out to the firewall interface on VLAN 1

DEST/SUBNET MASK NEXT HOP
ip route 0.0.0.0 0.0.0.0 192.168.1.1 for_DEFAULT_ROUTE_TO-ASA

***************

On
ASA F/WALL

You need to point straic routes to the user vlans at the L£ switch VLAN 1 interface.

DEST/SUBNET MASK NEXT HOP
ip route 192.168.20.0 255.255.255.0 192.168.1.3 for_vlan_20
ip route 192.168.30.0 255.255.255.0 192.168.1.3 for_vlan_30

Regards, Alex. Please rate useful posts.

tech44048 · ‎12-23-2020

Hi Alex

by adding a default rout out of firewall

this not affected our server, printer,

we need to keep them in vlan 1 ,

Tank you

Mondher

Reza Sharifi · ‎12-23-2020

Hi,

Adding a default route will send all traffic destined for the Internet to the firewall. It does not change the vlan for any device.

HTH

tech44048 · ‎12-24-2020

Hi Reza,

how to have traffic between my Layer 3 intervlans .Vlan 20 , vlan 30 and vlan 1(native vlan)
until now my pings are succesfull between vlan 20 and 30 but unseccesful when trying to ping vlan 1(native vlan that have all my servers) from vlan 20 and 30

Thank you

acampbell · ‎12-24-2020

Hi,

If your printer & server are using the ASA as their default gateway (IE 192.168.1.1) the ASA will not send traffic back over an ingress interface.

Change the printer & server to use the L3 switch as their default gateway 192.168.1.3

You could test this with a pc or laptop in the first instance

Seasons Greetings.

Regards, Alex. Please rate useful posts.

tech44048 · ‎12-24-2020

Hi Alex,

Our server and printer manage by our DHCP Server(DHCP give the address to those )

in this case, we change the scope option in the DHCP server Vlan 1 from 192.168.1.1 to 192.168.1.3 ??

and add

DEST/SUBNET MASK NEXT HOP
ip route 0.0.0.0 0.0.0.0 192.168.1.1 for_DEFAULT_ROUTE_TO-ASA

***************

On
ASA F/WALL

You need to point static routes to the user VLANs at the L£ switch VLAN 1 interface.

DEST/SUBNET MASK NEXT HOP
ip route 192.168.20.0 255.255.255.0 192.168.1.3 for_vlan_20
ip route 192.168.30.0 255.255.255.0 192.168.1.3 for_vlan_30

Thank you

acampbell · ‎12-24-2020

Hi,

You will need to add the route I mentioned on the L3 switch to point at the ASA

DEST/SUBNET MASK NEXT HOP
ip route 0.0.0.0 0.0.0.0 192.168.1.1 for_DEFAULT_ROUTE_TO-ASA

If your DHCP server is on vlan 1 using d/gateway 192.168.1.1 change that to be 192.168.1.3 (And any scope for 192.168.1.0/24 to use d/gateway 192.168.1.3 ) so that all devices use the L3 switch to route inter vlan and the L3 switch will pass any destination addresses not in your vlans to the ASA.

Regards, Alex. Please rate useful posts.

tech44048 · ‎12-24-2020

Hi Alex

Thank you a lot for your help, we will test this solution, and we let you know

tech44048 · ‎12-28-2020

Hi Alex,

static rout commanded in this case ,outside or inside?

rout inside 192.168.1.20.0 255.255.255.0 192.168.1.3

or

rout outside 192.168.20.0 255.255.255.0 192.168.1.3

or both

Thank you

acampbell · ‎12-28-2020

Hi,

We want the ASA to send traffic for vlans 20 & 30 to the L3 switch so this is the ASAs "inside" network

route inside 192.168.20.0 255.255.255.0 192.168.1.3
route inside 192.168.30.0 255.255.255.0 192.168.1.3

Regards, Alex. Please rate useful posts.