Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
20488
Views
41
Helpful
18
Replies

Connectivity from Layer 3 Switch to Firewall

Go to solution
Anup Sasikumar
Level 1
Level 1

‎11-30-2012 04:12 AM - edited ‎03-07-2019 10:20 AM

Hi Experts,

Sim.png

      

RACK 1 is the old rack and NEW RACK is the rack which is going to be procurred for some new Servers. All the Servers in the RACK 1 has a default gateway as PIX Inside IP. As of now the 3560 Switches acts as Layer 2 and does not have L3 IP routing enabled. Could you please suggest on how can I enable conenctivity between 192.168.36.0 range and 192.168.57.0 range wihtout making any change to current PIX inside IP address 192.168.57.1?

Is it possible that I can enable IP routing on the 3560 Switches , create interface VLAN 36 and since already Switch 2 has it 's default gateway as 192.168.57.1 , Would the traffic from 192.168.36.0 be routed to 192.168.57.1 ? Or do I need to create static route for that ?

Since L3 Routing is not enabled and since the 3560 Switches are just acting as L2 , the  VLAN 2 - 192.168.57.0 range does not have any interface VLAN configured. Please correct me if I am wrong , so when it is changed I would need to create interface VLAN 2 on 3560 Switches , right ?

Please help !!!

Regards,

Anup

Regards,
Anup
1 person had this problem
Labels:
139250-Sim.png
Preview file
283 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Anup Sasikumar

‎12-01-2012 08:02 AM

Hi,

on the switch f0/1:

no switchport

ip add 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.254

on the router end:

int f0/1

ip add 192.168.1.254 255.255.255.0

ip route 192.168.1.36.0 255.255.255.0 192.168.1.1

ip route 192.168.1.57.0 255.255.255.0 192.168.1.1

for the Pix do the same with 2 route inside ( one for each VLAN) and one default route outside to get to internet

don't forget to NAT and apply access-list inbound on outside to permit icmp  back in

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

18 Replies 18

Go to solution
Raju Sekharan
Cisco Employee
Cisco Employee

‎11-30-2012 04:29 AM

yes. if you have to enable routing on the 3560 switches

1. you need to enable ip routing. You need it only on one of the switch

2. You need to create interfae VLAN for both Vlan 2 and Vlan 36

3. Your default-gateway need to be reaplced with static default-route  pointing to 192.168.57.1

If you need to have communication between Vlan 2 and Vlan 36, you need to  configure the default-gateway of devices in Vlan 2 poitning to interface Vlan 2 IP of Layer 3 switch and devices in Vlan 36 pointing to interface vlan 36 of switch

Note: A better design will be  to move you PIX to different VLAN  to avoid ICMP redirection which can happen in VLAN 2

Thank you

Raju

Go to solution
Anup Sasikumar
Level 1
Level 1
In response to Raju Sekharan

‎11-30-2012 04:41 AM

Thanks for the suggestions, Raju

Could you please help me with what exactly is the difference between Default Gateway and Default Static Route ?

Thanks,

Anup

Regards,
Anup
0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Anup Sasikumar

‎11-30-2012 04:46 AM

Hi,

default gateway only used when not doing ip routing and default static route is only used when doing ip routing

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Go to solution
Anup Sasikumar
Level 1
Level 1
In response to cadet alain

‎11-30-2012 05:04 AM

Thanks Alain , for the information !

So the default static route that I would need to create is ip route 0.0.0.0 0.0.0.0 192.168.57.1 , right ?

Would there be any connecitvity issues if I enable IP routing and make it as Layer 3 ?

I was trying with Cisco packet tracer and I could not get connectivity established to the PIX internal. I used a Router interface to simulate the same , as PIX 515E has router ports I believe ? 

Regards,
Anup
0 Helpful

Go to solution
Raju Sekharan
Cisco Employee
Cisco Employee
In response to Anup Sasikumar

‎11-30-2012 05:16 AM

From your previous scenario, the deault route should look same

ip route 0.0.0.0 0.0.0.0 192.168.57.1

Did you configure " ip routing"

In the simulator how is your subnets configured

Raju

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Anup Sasikumar

‎11-30-2012 06:00 AM

Hi,

did you set the corresponding SVI on the L3 switch as the default gateway for hosts ?

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Go to solution
Anup Sasikumar
Level 1
Level 1
In response to cadet alain

‎11-30-2012 06:21 AM

Raju, Alain,

Yes, IP routing was enabled globally.

Yes . Correponding SVIs were also created

I configured a test network to see if I can statically route using a default static route to 192.168.57.1 . A router was configured with IP address 192.168.57.1  on fa0/1 interface (As PIX ports are router ports in which IP address can be configured and ot like ASA 5505 which has switch ports)  and was placed ahead of a 3560 Switch  configured with VLAN 2 and VLAN 36 SVIs. But still I couldn't get connectivity established .

Many Thanks,

Anup

Regards,
Anup
0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Anup Sasikumar

‎11-30-2012 07:10 AM

Hi,

Can you ping an SVI from the other ?

Have you got a corresponding route on the router for return traffic ?

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Go to solution
Anup Sasikumar
Level 1
Level 1

‎11-30-2012 08:25 AM

Alain,

Yes. The corresponding SVIs can be pinged from test PCs on each VLAN. The test PCs can also ping each other which suggests the intervlan routing is working fine , Right ?

A route on the router for the return traffic , Yeah, Thats where I missed out , Thanks ! So what route should I be configuring on the router ?

ip route 192.168.0.0 255.255.0.0 fa0/1
(As I have both 36.0 and 57.0 as destination networks on 3560 and the exit interface is fa0/1 of the router which is the interface configured with the IP 192.168.57.1 )

Please correct me if I am wrong , Alain.

Moreover , Can I ask you Alain , Is it necessary that a router port be configured with sub interfaces, and encapsulation be set if it is connected to a trunk carrying different VLAN traffic? Or is it only used when we want to have intervlan routing using router on a stick method instead of using a L3 switch. How does it work ? I am confused. Could you please help me with the anwers.

Thanks,
Anup


Sent from Cisco Technical Support Android App

Regards,
Anup
0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Anup Sasikumar

‎11-30-2012 11:18 AM

Hi,

static route pointing out exit interface are highly discouraged when the exit interface is multipoint( like ethernet) so you should use the nex-hop IP which will be 192.168.57.x( address on the L3 switch) and you should do 2 routes( one to vlan 2 subnet and one to vlan 36 subnet) because 192.168.0.0/16 encompasses 256 /24 subnets and some may be added to the router or behind another device with another next-hop and in which case you'll have unreachability problem for those subnets). If you use subinterfaces on ethernet interfaces then you need to do dot1q encapsulation.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Go to solution
Anup Sasikumar
Level 1
Level 1
In response to cadet alain

‎12-01-2012 02:21 AM

Alain , Mahmood

I have added the routes for return traffic and still can 't get it to work :-(

Could you please help me on the following

1. As the link from 3560 to Router is a trunk link and is carrying traffic from VLAN 2 and VLAN 36 , would I need to sub intrefaces to get this to work ?

2. If so , how should I be creating the subinterfaces , as it wont let me create sub interfaces in the same range  (fa0/1 and fa0/0.1 or fa0/0.2 in the same range )

3.Moreover ,as it 's just a simulation , and the real scenerio is a PIX , how can I accomplish the same ? How can I route different VLAN traffic to PIX internal IP address without having to create sub intrefaces. As far as I know , I think PIX doesn't allow you to create sub interfaces on inside interface , even though it 's a router port .

The Packet tracer PKT file is uploaded for reference . It would be great if you could please have a look

http://www.mediafire.com/download.php?boldcwvd8d1mgnw

Many Thanks ,

Anup

Regards,
Anup
0 Helpful

Go to solution
Abzal
Level 7
Level 7
In response to Anup Sasikumar

‎12-01-2012 07:42 AM

Hi Anup,

If we want route traffic from different VLANs to PIX you have two options here:

1. You don't need to create subinterfaces on PIX, instead you can create one more VLAN assign to port connected to PIX. Then point default route to that port.

int vlan 10 (e.g)

ip add 192.168.100.1 255.255.255.252

int f0/1 (e.g.)

description Link to PIX

switchport mode access

switchport access vlan 10

2. Or you can make port connected to PIX as routed port.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml

int f0/1

no switchport

ip add 192.168.100.1 255.255.255.252

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.100.2

Hope it will help.

Best regards,
Abzal

Go to solution
mahmoodmkl
Level 7
Level 7

‎11-30-2012 08:47 AM

Hi
i suggest to use ip instead of interfcae in the static route.

no u need not configure the port connecting to u r router if u are not passing multiple vlans to it,if it is going to carry multiple vlans n doing routing thnu need.

Sent from Cisco Technical Support iPhone App

Go to solution
Anup Sasikumar
Level 1
Level 1
In response to mahmoodmkl

‎12-01-2012 03:11 AM

Mahmood,

Regarding the packet tracer simulation ,

I have tried adding two routes on the router to get the retrun traffic back to 3560 Switch

ip route 192.168.36.0 255.255.255.0 192.168.36.1 (SVI configured on 3560 for VLAN 36)

ip route 192.168.57.0 255.255.255.0 192.168.57.2 (SVI configured on 3560 for VLAN 2)

Is it because I m not configuring sub intrefaces on Router fa0/1 ?

Many Thanks,

Anup

Regards,
Anup
0 Helpful
Top