Can vlan # change from device to device?

fbeye
Level 4

On Switch 1 I have 10.0.1.0 in vlan 10 and 10.0.2.0 vlan 11.

Can I, on Switch 2, have a vlan 25 10.0.1.0 and vlan 35 10.0.2.0 and 35 talk to 11 (obviously if connected from both switches via Ethernet) and have the [same] subnets communicate or does (for example) subnet 10.0.2.0 need to be same vlan on every Switch/device it’s connected to to see each other? 

69 Replies

I absolutely agree with this "For me I always need to recite what I want." It is very important to state (and to keep in mind) what are the requirements. Then as we think about potential solutions we can evaluate how well do they help achieve the requirements.

I believe that either of the scenarios that you mention could achieve the requirements. And both of them require PBR on your Catalyst switch. We do not know what model of Catalyst this is, or what version of code it is running, or what feature licensing it has, so it is not clear whether it does support PBR. A quick way to check on this would be on a vlan interface to enter ip policy ?. If the response indicates that a possibility is route-map then it does support PBR.

As for your Quick Note - you certainly need a GE interface for both connections. The important question would be what vlan/what subnet would those interfaces belong to? The easy solution would be to use 10/11. If you do not use 10/11 then what vlan - what subnet would those interfaces belong to?

 

HTH

Rick

Morning

 

So when I am in vlan 1 interface this is what I get;

 

Switch(config-if)#ip policy ?
route-map Policy route map

 

I assume this is what we want.

My device is;

Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3750G-24PS 12.2(58)SE2 C3750-IPSERVICESK9-M

 

I agree about the vlans 10 and 11 as it is what we have been dealing with anyway, so 192.168.5.0 will become vlan 12.

I was unaware a GE Interface w/ an IP (L3 Mode) had to be a part of a vlan, only the vlan itself and a vlan interface. I assumed we would just use it as its next-hop to its Router but either way, I will have GE 1/0/1 192.168.1.5 and GE 1/0/2 10.10.2.5 and if they need vlans, then 10 and 11. Do we still need a vlan interface IP if we already have such an IP on the GE Interface? Or does PBR require a vlan interface and not just a GE Interface?

It is good to know that the Catalyst is a 3750G with IPSERVICES. And the output on the vlan interface sure does look like PBR is supported.

Your statement "I was unaware a GE Interface w/ an IP (L3 Mode) had to be a part of a vlan" makes me realize that I was making assumptions that you would use vlan 10 and 11 for connecting to the D-Link and the ASA. And your point is quite valid - vlans 10 and 11 are not required. On this switch you can simply configure the interface as no switchport, which makes it operate as a Layer 3 interface and you simply configure its IP address and mask. No need for vlan 10 or 11. And no PBR does not require a vlan interface. It just requires some type of L3 interface - so configuring an IP address on the GE interface is good enough.

 

HTH

Rick

Awesome!

 

Catalyst :

GE 1/0/1 192.168.1.5 255.255.255.0 

GE 1/0/2 10.0.2.124 255.255.255.0

dhcp - 192.168.5.0. Do I need to run a DHCP Server or simply assign a range I want and manually configure each device. 
PBR - From all my google searches I find myself confused as it mentions target IP from Source and that confuses me a bit. Is there any legitimate documentation on this? Surely it is more complicated than “source 192.168.5.111 destination 10.0.2.124”. Or is it that simple? Will LAN (192.168.5.0) still know how to talk to each other but for internet will use the PBR?

 

Also thank you for clarifying no vlan needed. Initially it was as it was how we delve into this based on my description but as we have progressed I’ll just use GE Interfaces for routing. 

Again with little to no knowledge of PBR I am hoping it isn’t PORT based (though I assume it could be as well) as I do not want to go based on port, but simply “this host goes to this interface or ip for internet” and it be done. 
You are really inspiring me and activating a new mindset in me, this really seems promising! 

You are welcome about comments about vlan needed or not. Sometimes we need to be careful about assumptions that we are making - and this was certainly one of those times. Your point was spot on that vlans were not needed and an IP address configured on the switch interface (with no switchport) was sufficient.

I do not think that DHCP would be particularly helpful in what you are planning to do. With DHCP addresses are assigned dynamically and there is some chance that, over time, a device might get a different IP address from what it had before. You need to be clear which devices go to D-Link for Internet and which devices go to ASA for Internet. I believe that manual configuration of devices would be safer than DHCP.

I am not sure what documentation you have been looking at for PBR. Let me give you some explanation and if you need more than what I give I will find some documentation that might be more simple and helpful.

Basically PBR uses a Policy that provides an override of normal IP routing logic in the routing table. PBR uses a route map to identify traffic and to specify how to forward that traffic that is different from what is found in the ip routing table. The route map uses an access list to identify the traffic that is to have special forwarding. The route map is assigned to the interface where the traffic enters the switch/router (a very common mistake is to assign the route map to the exit interface, which seems logical since we want to change how the packet gets out of the router).

This is a brief example of what you would need to do:

1) create 2 extended access lists (one will identify traffic going to D-Link and the other will identify traffic going to ASA). In this case the access list will match on source address. For this example I will assume that devices going to D-Link are using IP addresses 192.168.5.1 through 192.168.5.15 and devices going to ASA are using IP addresses 192.168.5.32 through 192.168.5.47. Of course your situation will probably be different.

access-list 101 permit ip 192.168.5.0 0.0.0.15 any

access-list 102 permit ip 192.168.5.32 0.0.0.15 any

2) configure a route map that will identify traffic and will specify how to forward it

route-map ToInternet permit 10
 match ip address 101
 set ip next-hop 10.0.2.1
!
route-map ToInternet permit 20
 match ip address 102
 set ip next-hop 192.168.1.1

3) assign the route map to the vlan interface where traffic enters the switch

interface vlan 12
 ip policy route-map ToInternet

That should do it. If you want additional documentation let me know. 

HTH

Rick

As soon as I am able to fiddle with the Network I will.

On ASA I would need 2 routes I assume?

10.0.2.0 255.255.255.0 192.168.1.5

192.168.5.0 255.255.255.0 192.168.1.5

On D-Link as well,

192.168.1.0 255.255.255.0 10.0.2.124

192.168.5.0 255.255.255.0 10.0.2.124

 

I assume because of Routing Logic the PBR finds the 10.0.2.1 through the 10.0.2.124 because of it being part of the same network?

 

Yes both D-Link and ASA will need routes to 192.168.5.0. Don't know why D-Link needs a route to the ASA subnet or why ASA needs a route to the D-Link subnet.

Yes the PBR finds the 10.0.2.1 through the 10.0.2.124 because of it being part of the same network.

 

HTH

Rick

You are correct, I have no idea why I mentioned the ASA needing to see the D-Link or D-Link see the ASA... Completely forgot about the whole concept of a new Subnet to eliminate that very need. /facepalm

 

I also had a concept question. From what I have gathered, most "inter-vlan" routing is done either #1 from its source Internet/Router, as in, Catalyst has 1 Internet Access and several vlans for security and privacy but inter-connect through permissions etc. but still all reside on that same Catalyst with the common Internet, or #2 an Internet/Router connecting to another Internet/Router through each WAN Access and then the Router directs traffic. I feel my scenario was unique because I am connecting to 2 diff subnets on different Networks/Internets via LAN side. Could this be causing an issue or is this also indeed a common practice?

 

No problem about mentioning D-Link and ASA needing routes to each other. You were simply thinking in terms of what has been discussed in this discussion rather than the most recent change in the environment. I recently made a similar mistake in making a suggestion about whether we need vlans 10 and 11. No harm done and the discussion continues.

In terms of inter vlan routing and Internet routing you have identified 2 common approaches 1) routing on a locally connected gateway device (the Catalyst switch) 2) routing on gateway devices where the Internet connection is located (D-Link and ASA). At various points in our discussion we have suggested using either of those approaches (and I think that either might have worked). The current suggestion is a bit different and would have a single subnet on the Catalyst for all connected devices. So all host to host communication is local (there is not inter vlan routing). And based on host address the Catalyst would send some Internet bound traffic to one gateway device and would send other Internet bound traffic to another gateway device. I would say that what we are discussing is a fairly common practice.

HTH

Rick

My friend, I think I am done. This is just not wanting to give me satisfaction.

I set it all up the way (i think) we mentioned. At this point I am not configuring D-Link (10.0.2.0) as I want to verify I can get onto the internet as is...

My PC obtains the correct IP address that the Catalyst is serving... But I can not ping 192.168.1.7 or get any internet access. I am posting my configurations. Does the Catalyst need any routing???

 

Windows PC;

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::94c1:dff4:2414:18b5%9
IPv4 Address. . . . . . . . . . . : 192.168.5.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.1

 

Catalyst;

 

Current configuration : 5415 bytes
!
! Last configuration change at 00:35:19 UTC Mon Mar 1 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
username cisco privilege 15 password 0 cisco
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip routing
!
ip dhcp excluded-address 192.168.5.1
!
ip dhcp pool inside
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
!
!
!
!
crypto pki trustpoint TP-self-signed-29955072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29955072
revocation-check none
rsakeypair TP-self-signed-29955072
!
!
crypto pki certificate chain TP-self-signed-29955072
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32393935 35303732 301E170D 39333033 30313030 30323335
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D323939 35353037
3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100A65F
74202A89 76D25FA8 C7ED81DD 6800558E C377B8AD 0E9C26DD E23EFB16 13D19F33
E8B17063 CA28B794 5AF243D3 64EBBD2B 9E26BBCE 358DCA6C 0F540D6A F9F209AF
A59302E1 2A0C9E50 953DD959 1FF3F060 04A6BD71 4EE6E5E6 5E7B179E 36A7969E
7826FDE4 1A8879A7 413462E5 E37FADBC C6C103E4 495052BE 4F8CCA36 E3030203
010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603 551D1104
0A300882 06537769 74636830 1F060355 1D230418 30168014 C03E07C1 6E991C9D
FAF8C1A0 2C538489 E1799507 301D0603 551D0E04 160414C0 3E07C16E 991C9DFA
F8C1A02C 538489E1 79950730 0D06092A 864886F7 0D010104 05000381 81007158
557FA90B E6464D11 282C34E9 EF3D24F4 4F06F775 40CCA7BB EB5FA251 F144D20E
1B4C2D3B AB3F203A C8E6B965 822B06AF A6E13E1B 42E98B41 967DC580 190261D0
EF46CEE6 08BBA7CA 574EC1FF 30CAB033 CF67AD86 4DB667C2 BC946BDF C41157FD
FCD076CA C317965B F51E7D4A DF3FC96A 0B1B8E3E 36CE5AFC 2D21CE07 5128
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.1.7 255.255.255.0
spanning-tree portfast
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.0.2.124 255.255.255.0
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
no switchport
no ip address
!
interface GigabitEthernet1/0/21
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan12
ip address 192.168.5.5 255.255.255.0
ip policy route-map tointernet
!
ip http server
ip http authentication local
ip http secure-server
!
!
!
logging esm config
access-list 101 permit ip 192.168.5.0 0.0.0.15 any
access-list 102 permit ip 192.168.5.32 0.0.0.15 any
no cdp run
route-map tointernet permit 10
match ip address 101
set ip next-hop 192.168.1.1
!
route-map tointernet permit 20
match ip address 102
set ip next-hop 10.0.2.1
!
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end

 

My friend you are very close. Here are a few observations and suggestions.

- you ask if the Catalyst needs any routing. If traffic arrives on a switch interface in 192.168.5.0 and wants to go out on an interface in 192.168.1.0 then yes the Catalyst does need routing. The good news is that in the posted config you already have ip routing. So routing is enabled on the Catalyst. This is not the issue.

- the most important issue is that the PC configuration says that its default gateway is 192.168.5.1. But the switch vlan interface for vlan 12 is given address 192.168.5.5. The easy solution is to change the switch vlan 12 interface to 192.168.5.1.

- there is a bit of an issue in your PBR. It has to do with how you try to get 192.168.5.32 to use D-Link 10.0.2.1. Your route map has 2 stanzas. The first stanza (using acl 101) matches any source in 192.168.5.0 and sends it to the ASA. The second stanza (using acl 102) matches the specific source address. But route maps execute the steps in order and operate on the first match. Since 192.168.5.32 will match acl 101 it will never get to acl 102. There are several ways to solve this.

1) change acl 101 so that 192.168.5.32 is not a match. It might look something like this

access-list 101 deny ip 192.168.5.32 0.0.0.0 any

access-list 101 permit ip 192.168.5.0 0.0.0.15 any

2) change the order of the stanzas so that what is currently 

route-map tointernet permit 20

becomes

route-map tointernet permit 10

and what is currently

route-map tointernet permit 10

becomes

route-map tointernet permit 20

If you make those suggested changes I believe that it will work for you.

HTH

Rick
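The three things Rick checks in the reply above (ip routing is enabled, the DHCP default-router is an address the switch actually owns, and each set ip next-hop sits on a directly connected subnet) can be checked mechanically. The script below is an added example and is not code from the thread or any Cisco tool; the parser and the function names (parse_config, lint) are my own, and CONFIG is an excerpt of the posted Catalyst config trimmed to the stanzas that matter for PBR. On the config as posted it reports exactly one finding, the gateway mismatch; with the SVI changed to 192.168.5.1 it reports none.

```python
import ipaddress
import re

# Excerpt of the Catalyst config posted in the thread, trimmed to the relevant stanzas.
CONFIG = """\
ip routing
!
ip dhcp pool inside
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 192.168.1.7 255.255.255.0
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 10.0.2.124 255.255.255.0
!
interface Vlan12
 ip address 192.168.5.5 255.255.255.0
 ip policy route-map tointernet
!
route-map tointernet permit 10
 match ip address 101
 set ip next-hop 192.168.1.1
!
route-map tointernet permit 20
 match ip address 102
 set ip next-hop 10.0.2.1
"""


def parse_config(text):
    """Minimal IOS config parser (assumption: one space of indentation marks a sub-command)."""
    cfg = {"ip_routing": False, "interfaces": {}, "dhcp_default_routers": [],
           "route_maps": {}, "policies": {}}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                 # top-level command
            if line == "ip routing":
                cfg["ip_routing"] = True
                section = None
            elif line.startswith("interface "):
                section = ("interface", line.split(" ", 1)[1])
                cfg["interfaces"].setdefault(section[1], None)
            elif line.startswith("ip dhcp pool "):
                section = ("dhcp", line.split()[3])
            elif line.startswith("route-map "):
                name, seq = line.split()[1], int(line.split()[3])
                section = ("route-map", name, seq)
                cfg["route_maps"].setdefault(name, {})[seq] = {}
            else:
                section = None
            continue
        if section is None:
            continue
        cmd = line.strip()
        if section[0] == "interface":
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if m:  # ipaddress accepts a dotted netmask after the slash
                cfg["interfaces"][section[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            m = re.match(r"ip policy route-map (\S+)$", cmd)
            if m:
                cfg["policies"][section[1]] = m.group(1)
        elif section[0] == "dhcp":
            m = re.match(r"default-router (\S+)$", cmd)
            if m:
                cfg["dhcp_default_routers"].append(m.group(1))
        elif section[0] == "route-map":
            m = re.match(r"set ip next-hop (\S+)$", cmd)
            if m:
                cfg["route_maps"][section[1]][section[2]]["next_hop"] = m.group(1)
    return cfg


def lint(cfg):
    """Return a list of findings; an empty list means the PBR-related pieces are consistent."""
    findings = []
    if not cfg["ip_routing"]:
        findings.append("ip routing is not enabled; the switch will not forward between subnets")
    owned = {str(i.ip) for i in cfg["interfaces"].values() if i is not None}
    for gw in cfg["dhcp_default_routers"]:
        if gw not in owned:
            findings.append(f"DHCP default-router {gw} is not an address of any interface on this switch")
    for ifname, rm in cfg["policies"].items():
        if rm not in cfg["route_maps"]:  # route-map names are case-sensitive on IOS
            findings.append(f"{ifname}: route-map {rm} is referenced but not defined")
            continue
        for seq, stanza in sorted(cfg["route_maps"][rm].items()):
            nh = stanza.get("next_hop")
            if nh is None:
                continue
            nh_ip = ipaddress.IPv4Address(nh)
            if not any(i is not None and nh_ip in i.network for i in cfg["interfaces"].values()):
                findings.append(f"route-map {rm} seq {seq}: next-hop {nh} is not on a connected subnet")
    return findings


if __name__ == "__main__":
    for f in lint(parse_config(CONFIG)) or ["no findings"]:
        print(f)
```

The next-hop check encodes what the thread says about set ip next-hop: the switch resolves 10.0.2.1 through its own 10.0.2.124 interface because they share a subnet, so a next hop that is on no connected subnet is worth flagging.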

When I get home I will try these.

For some reason I had assumed vlan ip couldn’t be 192.168.5.1 IP cause I thought that was the “main” IP for the dhcp server. But I will indeed change that.

I had assumed ;

 

access-list 101 permit ip 192.168.5.0 0.0.0.15 any (meant 192.168.5.1- 192.168.5.15 IP’s would be a part of the 101)

access-list 102 permit ip 192.168.5.32 0.0.0.15 any (meant 192.168.5.32-192.168.5.47

 

From what I read, by not “denying” 192.168.5.32 it is all meshing into the same range?

 

Also can you reiterate the stanza order? 10 comes before 20 and 10 is associating with 101 which is 192.168.5.0/15 which goes to 192.168.1.1 through 192.168.1.7.

 

Sorry if I am blind to something obvious. 

Actually you are not blind about something obvious. I did not read carefully enough and mis-understood what you were doing. I assumed that the reference to 192.168.5.0 was using a /24 mask and that would overlap with 192.168.5.32. Now that I read more carefully the access lists do refer to separate address ranges and are good as they appear in the post. My bad - and I apologize. 

So there is really only 1 issue. The vlan interface needs to be 192.168.5.1. You say "For some reason I had assumed vlan ip couldn’t be 192.168.5.1 IP cause I thought that was the “main” IP for the dhcp server." If you think about it, the dhcp server is the Catalyst switch, and so the Catalyst switch needs to be 192.168.5.1.

As I think about the Catalyst switch being the DHCP server it does bring up a question. How will you arrange it that hosts that need to use the ASA are in the 192.168.5.0 block and hosts that need to use D-Link will be in the 192.168.5.32 block?

HTH

Rick
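The route-map semantics from Rick's PBR explanation earlier in the thread (sequential stanzas, first match wins, an ACL wildcard of 0.0.0.15 covering 16 addresses) and the overlap question settled in the last two posts, worked through as an added example in Python. This is not code from the thread; ACLS and ROUTE_MAP mirror the posted Catalyst config, the helper names are my own, and the second ACL table is a what-if that shows the shadowing that would have occurred had acl 101 really been written with a 0.0.0.255 wildcard.

```python
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_matches(addr, base, wildcard):
    """Cisco wildcard test: bits set in the wildcard are 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_range(base, wildcard):
    """Lowest and highest address covered (assumes a contiguous wildcard, as in the thread)."""
    lo = _ip(base) & ~_ip(wildcard) & 0xFFFFFFFF
    return lo, lo | _ip(wildcard)


def describe_range(base, wildcard):
    lo, hi = wildcard_range(base, wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


# Access lists as posted: number -> entries of (action, source base, source wildcard)
ACLS = {
    101: [("permit", "192.168.5.0", "0.0.0.15")],    # .0 - .15  -> ASA
    102: [("permit", "192.168.5.32", "0.0.0.15")],   # .32 - .47 -> D-Link
}

# What-if table (constructed): acl 101 as a /24, which is what Rick first assumed.
ACLS_IF_101_WERE_A_SLASH24 = {
    101: [("permit", "192.168.5.0", "0.0.0.255")],
    102: [("permit", "192.168.5.32", "0.0.0.15")],
}

# Route-map stanzas in sequence order: (seq, acl number, next hop), as posted
ROUTE_MAP = [
    (10, 101, "192.168.1.1"),   # ASA
    (20, 102, "10.0.2.1"),      # D-Link
]


def acl_permits(entries, src):
    """Entries are evaluated in order; first match decides; implicit deny at the end."""
    for action, base, wildcard in entries:
        if wildcard_matches(src, base, wildcard):
            return action == "permit"
    return False


def pbr_next_hop(src, route_map=ROUTE_MAP, acls=ACLS):
    """First stanza whose ACL permits the packet sets the next hop; None means normal routing."""
    for _seq, acl_no, next_hop in route_map:
        if acl_permits(acls[acl_no], src):
            return next_hop
    return None


def shadowed_stanzas(route_map, acls):
    """(later_seq, earlier_seq) pairs where an earlier stanza's range fully covers a later one's.
    Simplified to single-entry permit ACLs with contiguous wildcards."""
    out = []
    for i, (seq_e, acl_e, _) in enumerate(route_map):
        lo_e, hi_e = wildcard_range(*acls[acl_e][0][1:])
        for seq_l, acl_l, _ in route_map[i + 1:]:
            lo_l, hi_l = wildcard_range(*acls[acl_l][0][1:])
            if lo_e <= lo_l and hi_l <= hi_e:
                out.append((seq_l, seq_e))
    return out


if __name__ == "__main__":
    for host in ("192.168.5.2", "192.168.5.33", "192.168.5.100"):
        print(host, "->", pbr_next_hop(host))
    print("as posted, shadowed:", shadowed_stanzas(ROUTE_MAP, ACLS))
    print("if 101 were a /24, shadowed:", shadowed_stanzas(ROUTE_MAP, ACLS_IF_101_WERE_A_SLASH24))
```

A host outside both ranges (192.168.5.100 above) matches no stanza and is forwarded by the normal routing table, which on the posted config has no default route; that is the case to keep in mind if more hosts are added later than the two 16-address blocks allow.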

I was going to manually make 192.168.5.2 - 192.168.5.15 the ASA IP’s and the 192.168.5.32 - 192.168.5.47 the DLink IP’s. 
So PC would be 192.168.5.2 and NAS 1 192.168.5.33 and NAS 2 192.168.5.34

If this is what you were asking..

 

And you totally answered the prior question. 

Thanks. The additional information is helpful. So now my question is that if you are going to manually manage the address assignments, why configure DHCP?

HTH

Rick