Catalyst 3560 - L3 Inter Vlan Routing - No connectivity to firewall

steve_deboeck
Level 1

Hello,

 

I've been working on my home lab and can't seem to figure out what I'm doing wrong.

 

I have multiple VLANs:

10: USERS
20: SERVERS
30: WIFI
100: MANAGEMENT
200: INTERCO

 

My C3560 switch is connected to a Zyxel USG60 firewall. The point is to do the inter-VLAN routing on the switch, of course; the firewall doesn't need to do anything else but be the way out to the internet.

 

The LAN port of my Firewall has IP: 10.5.200.1 255.255.255.252

 

I configured this on my Switch:

 

ip routing
!
vlan 10
 name users
interface Vlan10
 ip address 10.5.10.2 255.255.255.0
!
vlan 20
 name servers
interface Vlan20
 ip address 10.5.20.2 255.255.255.0
!
vlan 100
 name management
interface Vlan100
 ip address 10.5.100.1 255.255.255.0
!
vlan 200
 name interco
interface Vlan200
 ip address 10.5.200.2 255.255.255.252
!
! keep .1-.29 out of the pool (the SVI is .2)
ip dhcp excluded-address 10.5.10.1 10.5.10.29
ip dhcp pool VLAN10_USERS
 network 10.5.10.0 255.255.255.0
 default-router 10.5.10.2
 dns-server 8.8.8.8 8.8.4.4
!
interface GigabitEthernet0/2
 description My PC
 switchport mode access
 switchport access vlan 10

 

My PC got IP 10.5.10.30/24 with gateway 10.5.10.2. I can ping my switch correctly.

 

The routing between vlans works. I can access my server on vlan 20

 

My switch can also access my firewall on IP 10.5.200.1

My PC can't access my firewall.

A traceroute stops at my switch.

 

I saw a similar (but not entirely same) case on these forums and someone suggested to add:

 

ip route 0.0.0.0 0.0.0.0 Vlan200 10.5.200.1

 

I tried this. Didn't change anything.

 

I also saw someone proposing to do L3 connectivity between switch and router (by doing no switchport and adding an IP on the interface itself) but I haven't tried this yet.

 

Is there like a best practice in this kind of case? What is the ideal configuration? What am I doing wrong?

 

I added my network topology so you can visually understand what I'm saying here :-)

 

I would appreciate if you could share some of your wisdom with me.

 

Kind regards,

Steve

Accepted Solution

dbeattie
Level 1

Has your firewall got an internal-facing route? It will need to know how to get back to your PC. Should look like:

 

Route to 10.0.0.0/8 via 10.5.200.2

 

(or similar e.g. 10.5.0.0/16 or all of your /24s)

 

Regards,

 

Dave

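To make the asymmetry behind this answer concrete, here is an added example that is not part of the thread or of either vendor's software: a small Python forwarding simulator loaded with the addresses Steve posted. It does longest-prefix-match lookups on both routers' tables and walks an ICMP echo in both directions, so it shows why the switch-sourced ping works (the /30 is directly connected on both ends) while the PC-sourced ping's reply leaves the USG60 through its default route, and that one summary return route (10.5.0.0/16 via 10.5.200.2) fixes it. The firewall's WAN addressing (203.0.113.0/30, a documentation range) and its default route toward the ISP are assumptions; the real Zyxel table is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example (not from the thread). Addresses are the ones Steve posted;
# the USG60's WAN side (203.0.113.0/30) and its default route are assumptions so the
# firewall has somewhere to send traffic it has no specific route for.


@dataclass
class Router:
    name: str
    connected: dict                              # ifname -> IPv4Interface
    static: list = field(default_factory=list)   # (IPv4Network, next_hop, ifname)

    def owns(self, addr):
        a = ipaddress.IPv4Address(addr)
        return any(i.ip == a for i in self.connected.values())

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.
        Returns (ifname, next_hop); next_hop is None for on-link delivery."""
        a = ipaddress.IPv4Address(dst)
        best = None
        for ifname, iface in self.connected.items():
            if a in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, ifname, None)
        for net, nh, ifname in self.static:
            if a in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ifname, nh)
        return None if best is None else best[1:]


def build_lab(firewall_has_return_route):
    sw = Router("C3560", {
        "Vlan10": ipaddress.IPv4Interface("10.5.10.2/24"),
        "Vlan20": ipaddress.IPv4Interface("10.5.20.2/24"),
        "Vlan100": ipaddress.IPv4Interface("10.5.100.1/24"),
        "Vlan200": ipaddress.IPv4Interface("10.5.200.2/30"),
    }, [(ipaddress.IPv4Network("0.0.0.0/0"), "10.5.200.1", "Vlan200")])
    fw = Router("USG60", {
        "lan1": ipaddress.IPv4Interface("10.5.200.1/30"),
        "wan1": ipaddress.IPv4Interface("203.0.113.2/30"),      # assumed WAN side
    }, [(ipaddress.IPv4Network("0.0.0.0/0"), "203.0.113.1", "wan1")])
    if firewall_has_return_route:
        # The accepted answer: one summary route covering every SVI subnet on the switch.
        fw.static.append((ipaddress.IPv4Network("10.5.0.0/16"), "10.5.200.2", "lan1"))
    hosts = {"10.5.10.30": sw}                   # Steve's PC, gateway 10.5.10.2 on the switch
    return [sw, fw], hosts


def first_hop(routers, hosts, addr):
    """Router that sources a packet from `addr`: the owner if it is a router address,
    otherwise the host's default gateway."""
    return next((r for r in routers if r.owns(addr)), None) or hosts[addr]


def trace(routers, hosts, start, dst, max_hops=8):
    """Forward one packet from router `start` toward `dst`.
    Returns (path, drop); drop is None on delivery, else a string saying where it was lost."""
    path, node = [], start
    for _ in range(max_hops):
        path.append(node.name)
        if node.owns(dst):
            return path, None
        hit = node.lookup(dst)
        if hit is None:
            return path, f"{node.name}: no route to {dst}"
        ifname, next_hop = hit
        target = next_hop or dst
        nxt = next((r for r in routers if r.owns(target)), None)
        if nxt is None:
            if next_hop is None and hosts.get(dst) is node:
                path.append(dst)                  # host is on-link behind this router
                return path, None
            return path, f"{node.name}: forwarded out {ifname} toward {target}; no lab node owns it"
        node = nxt
    return path, "TTL exceeded"


def ping(routers, hosts, src, dst):
    """Echo request src->dst then echo reply dst->src; both legs must be deliverable."""
    req, drop = trace(routers, hosts, first_hop(routers, hosts, src), dst)
    if drop:
        return False, f"request lost ({drop})", req, []
    rep, drop = trace(routers, hosts, first_hop(routers, hosts, dst), src)
    if drop:
        return False, f"reply lost ({drop})", req, rep
    return True, "ok", req, rep


if __name__ == "__main__":
    for has_route in (False, True):
        routers, hosts = build_lab(has_route)
        print(f"firewall return route: {has_route}")
        print("  switch -> fw:", ping(routers, hosts, "10.5.200.2", "10.5.200.1")[:2])
        print("  PC     -> fw:", ping(routers, hosts, "10.5.10.30", "10.5.200.1")[:2])
```

Without the return route the echo request from the PC reaches the USG60 fine; it is the reply that matches only the default route and leaves via wan1, which is also why Steve's traceroute stops at the switch (the firewall's ICMP time-exceeded for hop 2 has no way back either). The simulator models routing only; Rick's point about address translation for the extra subnets is a separate check on the firewall's NAT rules.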

6 Replies


Hey Dave,

 

That is one of the possibilities I also considered, but I figured that since it was working when using only VLAN 1, it had an implicit route. I guess it makes sense that if I introduce a new "router" (L3 switch), I have to tell my firewall how to get to those other networks (VLANs).

 

So I should create a policy route using following info (see screenshot as example of the Zywall interface)

 

Incoming: interface
member: any
Source: any
Destination: 10.5.0.0/16

next-hop
type: interface
interface: lan1

 

I don't think I have the possibility to choose an IP as next-hop but sending it out of the LAN port should be fine I guess. The L3 switch will handle it. 

 

I'll definitely try this tonight and will mark your answer as solution if it works :-)

 

Thanks

Steve

 

Even better. Thanks :-)

It is certainly important for your firewall to have a route for your additional subnets. Another question to consider is about address translation. I would expect your firewall to perform address translation for the subnet of its lan interface. But will your firewall also perform address translation for the additional subnets you have configured on the switch?

 

HTH

 

Rick


Adding the route immediately worked. No need for any explicit NAT.

Thank you very much.