11-28-2017 08:53 AM - edited 03-08-2019 12:54 PM
I have a C3850 that has multiple VLANs on it. I need it to become the gateway router between the VLANs and the firewall. I've done this on several of the SG300/SG500 units, though not on the C3850. It's running 15.2 (which I cannot change).
Below is the config from the switch. I will need to route between VLAN 20 and 100 and add a new VLAN 99 that will connect to a firewall.
I will also need an access list to only allow specific hosts on VLAN 20 to have access to VLAN 99.
Any assistance would be appreciated.
Thank you,
!
! Last configuration change at 09:36:29 UTC Tue Dec 13 2016 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW-01PCS
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
switch 1 provision ws-c3850-24t
switch 2 provision ws-c3850-24t
!
qos queue-softmax-multiplier 100
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 20 priority 8192
spanning-tree vlan 100 priority 4096
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
!
redundancy
 mode sso
!
class-map match-any non-client-nrt-class
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 description OIT-01
 switchport access vlan 20
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description OIT-04
 switchport access vlan 20
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description WS-01-0/1
 switchport access vlan 20
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 description WS-01-1/1
 switchport access vlan 100
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet1/0/6
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet1/0/7
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet1/0/8
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet1/0/9
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet1/0/10
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/11
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/12
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/13
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/14
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/15
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/16
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/17
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/18
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/19
 switchport access vlan 100
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/20
 switchport access vlan 100
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/21
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet1/0/22
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/24
 description Management
 switchport access vlan 100
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/1/2
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/1/3
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/1/4
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface GigabitEthernet2/0/1
 switchport access vlan 20
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/2
 switchport access vlan 20
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/3
 switchport access vlan 20
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/4
 switchport access vlan 100
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/5
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/6
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/7
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/8
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/9
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/10
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/11
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/12
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/13
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/14
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/15
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/16
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/17
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/18
 switchport trunk allowed vlan 20,200
 switchport mode trunk
 switchport nonegotiate
 no vtp
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/19
 switchport access vlan 100
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/20
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/21
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/22
 switchport access vlan 20
 switchport mode access
 no vtp
!
interface GigabitEthernet2/0/23
 switchport trunk allowed vlan 100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/0/24
 description Management
 switchport access vlan 100
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/1/1
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/1/2
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/1/3
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/1/4
 switchport trunk allowed vlan 20,100
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface TenGigabitEthernet2/1/3
!
interface TenGigabitEthernet2/1/4
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 10.10.10.10 255.255.0.0
!
ip default-gateway 10.10.10.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
ap group default-group
end
11-28-2017 09:51 AM
Stownsend,
There are some key pieces of information missing if you want a helpful answer, but I will give it a shot anyway. Let's address these issues one by one. First, you stated that you need to route between VLANs. To do this, you first need to enable routing on the device.
Switch(config)# ip routing
After you enable routing, you need to configure your routing. You can use a routing protocol (EIGRP, OSPF, etc.), or static routes. You should ensure you have a default route as well. I see you have a device in VLAN 100 set as the default gateway. Is this another router? Which interface is your firewall going to be connected to? What is the full scope of your LAN IP addressing? There really are a lot of questions here which need answering in order to provide a workable solution. However - as an example - let's say we are using EIGRP, the default gateway is another router running EIGRP, we are using the 10.0.0.0 /8 network, and the firewall is connected to gi2/0/1. You might use something like the following then.
! Create missing VLANs
Switch(config)# vlan 20
Switch(config-vlan)# vlan 99
Switch(config-vlan)# name FIREWALL
! Create missing SVIs for routing
Switch(config)# interface vlan20
Switch(config-if)# ip address 10.2.2.254 255.255.0.0
Switch(config-if)# no shut
Switch(config)# interface vlan99
Switch(config-if)# ip address 10.99.99.254 255.255.0.0
Switch(config-if)# no shut
! Configure firewall interface
Switch(config)# interface gi2/0/1
Switch(config-if)# switchport access vlan 99
! Change default gateway to default route (the exit interface is the Layer 3 SVI,
! not the Layer 2 switchport the firewall plugs into)
Switch(config)# no ip default-gateway 10.10.10.254
Switch(config)# ip route 0.0.0.0 0.0.0.0 vlan 99 10.99.99.253
! Configure routing protocol
Switch(config)# router eigrp 10
Switch(config-router)# network 10.0.0.0 255.0.0.0
Switch(config-router)# passive-interface default
Switch(config-router)# no passive-interface vlan 100
The next issue is an ACL to allow specific hosts from VLAN 20 to access VLAN 99. You might use something like this.
! Create ACL
Switch(config)# ip access-list extended 20_TO_99
Switch(config-ext-nacl)# 10 deny ip host 10.2.2.10 10.99.99.254 0.0.255.255
Switch(config-ext-nacl)# 2000 permit ip any any
! Apply ACL
Switch(config)# int vlan 20
Switch(config-if)# ip access-group 20_TO_99 in
Good luck!
11-28-2017 09:09 AM
Hi @stownsend
Make sure the switch is not missing the command ip routing, and try to attach the config as a txt file so that it is easier to read.
-If I helped you somehow, please, rate it as useful.-
11-28-2017 09:55 AM
Attached is the current config.
I'm not familiar enough with the 3850 to know what else is needed. I know I need to assign an IP to each VLAN interface and define a route for 0.0.0.0 0.0.0.0 pointing to the gateway/firewall IP.
I know that with the SG series Small Business switches you need to set up Layer 3 vs Layer 2 up front, and when you change from one to the other it wipes the config.
I looked for a config guide, but didn't see anything specific to enabling Layer 3 and using an access list to permit traffic from one VLAN to another.
Thanks!
11-28-2017 10:54 AM - edited 11-28-2017 10:55 AM
This is great, thank you...
Just to close the loop and answer some questions...
I see you have a device in VLAN 100 set as the default gateway. Is this another router?
It was a placeholder until the customer decided what they needed. The default route will be to a firewall.
Which interface is your firewall going to be connected to?
I believe it will be connected to: gi1/0/22
What is the full scope of your LAN IP addressing?
There will be 5 VLANs in total.
10.<VLAN ID>.X.Y
10 - only needs access to VLAN 20
20 - needs specific host access to VLAN 99
99 - VLAN that has the firewall
100 - VLAN needs access to 10, 20, 99, though only in the 100 -> 10, 20, 99 direction.
200 - isolated, no access to anything but itself
Routing type?
To keep it simple, this is the only Layer 3 'router' in the mix and we have the one firewall on VLAN 99.
Can I get some clarification on the access lists? If I want only specific hosts to have access to the firewall and the rest of the hosts to have no access, can I just permit the few hosts, and is there an implicit deny all at the end?
Also, anything from VLAN 100 can access the gateway or any other VLAN. Should I bother with an access list?
Here are the changes I was going to make:
!
interface GigabitEthernet1/0/22
 switchport access vlan 99
 switchport mode access
 no vtp
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan10
 description PLC-Network
 ip address 10.10.15.212 255.255.0.0
 ip access-group 10_TO_20 in
!
interface Vlan20
 description Management
 ip address 10.20.15.212 255.255.0.0
 ip access-group 20_TO_99 in
!
interface Vlan99
 description Management
 ip address 10.99.15.212 255.255.0.0
!
interface Vlan100
 description Management
 ip address 10.100.15.212 255.255.0.0
 ip access-group 100_TO_OTHERS in
!
ip routing
! exit interface is the Layer 3 SVI; gi1/0/22 is a Layer 2 switchport and cannot be used here
ip route 0.0.0.0 0.0.0.0 Vlan99 10.99.15.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended 10_TO_20
 deny ip 10.10.0.0 0.0.255.255 10.99.0.0 0.0.255.255
 deny ip 10.10.0.0 0.0.255.255 10.100.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
ip access-list extended 20_TO_99
 permit ip host 10.20.15.101 10.99.15.254 0.0.255.255
 permit ip host 10.20.15.102 10.99.15.254 0.0.255.255
 permit ip host 10.20.15.103 10.99.15.254 0.0.255.255
!
ip access-list extended 100_TO_OTHERS
 permit ip 10.100.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.100.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.100.0.0 0.0.255.255 10.99.0.0 0.0.255.255
Thank you,
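As an added illustration for the ACL question above (not code from this thread or from Cisco), the small evaluator below applies IOS extended-ACL semantics, top-down first match with an implicit deny at the end, to the 20_TO_99 and 100_TO_OTHERS lists from the draft config, and checks each flow's return leg separately because an SVI access-group is stateless; it also parses the sequence-numbered deny-then-permit-any form used in the earlier answer. Helper names and the sample host addresses are my own construction.

```python
import ipaddress

# Hypothetical helper for this thread (not IOS code). It models the extended-ACL
# shape used above, "[seq] permit|deny ip SRC DST" with SRC/DST = any | host A |
# NET WILDCARD: top-down, first match wins, implicit "deny ip any any" at the end.

def _parse_addr(tokens):
    """Consume one address spec; return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits are inverted mask bits: 0.0.255.255 -> 255.255.0.0.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network((tokens[0], str(mask)), strict=False), tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] from IOS-style ACL lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():      # optional sequence number
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue                             # skip "ip access-list ..." etc.
        src, rest = _parse_addr(tokens[2:])      # tokens[1] is the protocol "ip"
        dst, _ = _parse_addr(rest)
        entries.append((tokens[0], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First match decides; no match is the implicit deny. None = no access-group."""
    if entries is None:
        return "permit"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def check_flow(src_acl, src_ip, dst_acl, dst_ip):
    """(forward-leg, return-leg): the stateless reply is matched on its own."""
    fwd = evaluate(None if src_acl is None else parse_acl(src_acl), src_ip, dst_ip)
    back = evaluate(None if dst_acl is None else parse_acl(dst_acl), dst_ip, src_ip)
    return fwd, back

# ACL bodies copied from the draft config above (Vlan99 has no access-group).
ACL_20_TO_99 = """
permit ip host 10.20.15.101 10.99.15.254 0.0.255.255
permit ip host 10.20.15.102 10.99.15.254 0.0.255.255
permit ip host 10.20.15.103 10.99.15.254 0.0.255.255"""
ACL_100_TO_OTHERS = """
permit ip 10.100.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip 10.100.0.0 0.0.255.255 10.20.0.0 0.0.255.255
permit ip 10.100.0.0 0.0.255.255 10.99.0.0 0.0.255.255"""
```

Running check_flow(ACL_100_TO_OTHERS, "10.100.15.5", ACL_20_TO_99, "10.20.15.50") returns ("permit", "deny"): the management host reaches VLAN 20, but the reply from VLAN 20 falls through 20_TO_99 to the implicit deny, which is the stateless-ACL point the question above touches on.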