So I'm a bit stuck and confused here. I have a firewall and a Cisco 9300 connected to it. On the firewall I have multiple VLANs set up and the same VLANs set up on the switch. I can get VLAN 5 to reach the internet since the default gateway for the switch is set to the same subnet as it, but the other VLANs don't communicate with the firewall and I believe this is the reason why. Would I need to route those VLANs to the trunk port connected to the firewall so it can communicate? My gap in knowledge is here; I will attach a config for review as well. Any suggestions would be greatly appreciated!
I have just finished the re-configuration according to your suggestions. I have deleted all VLANs on the router. I have changed the router LAN interface to 192.168.1.0/30. This interface is connected to the switch on the access port belonging to VLAN 1. I have created the VLAN 1 SVI 192.168.1.2; the router has 192.168.1.1. I have also created the mentioned VLAN 98 (192.168.98.0/24) on the switch. On the router, I had to add static routes to my switch VLANs 10, 20, and 98. On the switch, I have added a default gateway too.
I have just two problems connected with the new scenario. One with IPv4, one with IPv6. Now I have to run the DHCP server on the switch. I would like the DHCP server to assign a DNS IP address to the clients which is the same as the clients' default gateway (switch SVI). So I want to set "global" DNS servers in the switch and use the switch just as a "DNS relay". I managed to set up some servers for DHCP, but it does not work as I want. When I was creating DHCP pools, for DNS there were the options "None", "IP entered globally" and "Other", where I could specify a DHCP pool-specific IP address. I gave up and set the global IP address of the router LAN interface (where it works as I want) for the clients behind the switch.
The IPv6 problem is a lack of knowledge of how IPv6 on such a switch works. It seems to me that it works totally differently compared to IPv4. I somehow set the IP address of VLAN1. I used fd00::/64 for VLAN1 and added a default route, so I could ping this interface from a different IPv6 subnet on the router (there is a tool for that). I have a /48 IPv6 prefix available through the tunnel from HE. The tunnel is set up on the router where I just set an IPv6 to the router interface and enabled RA to propagate prefixes and other info to clients behind that interface. On the switch, I was not able to create even an IPv6 SVI for other VLANs. I will need some tutorials or educational videos on how things work there.
I do not have a good understanding of your issue about DHCP and DNS. With inter-VLAN routing done on the switch it certainly makes sense to do DHCP for the VLANs/subnets on the switch. You would configure a DHCP pool for each VLAN/subnet. The pool would specify the subnet and mask and identify the DNS to be the address of the SVI for that VLAN (was perhaps the "Other" option how to do that?).
I do not have experience with IPv6 on that platform and do not have any advice about your IPv6 issue. Hopefully someone else in the community can address this.
Hello @Richard Burts,
Yes, based on community advice I got here, I want to do inter-VLAN routing on the switch and also run DHCP/DHCPv6/RA on the switch. I do it right now (that's why I had to reconfigure my network setup). The only issue is that I do not fully understand the switch GUI and I do not know how to configure what I want. The last thing I have not discovered yet is how/where to set the DNS IPv6 address for the DHCPv6 server or RA to be distributed to clients. This is just about a lack of knowledge of how to do this configuration. Right now everything is working with the only exception that clients are not provided with a DNS IPv6 address as I am not able to configure this on the switch.
Thanks for the update. Unfortunately I do not have experience or insight about IPv6 on these switches. Hopefully someone else in the community might be able to provide some suggestions.
Hello @Richard Burts,
I have done one experiment on my pfSense router where the server is connected to a dedicated physical router interface. The network is 192.168.99.0/24. This network is completely independent of the Cisco switch, so IPv6 settings must be done on the router. I have DHCPv6 and RA options on the router. I have observed that the server had two IP addresses and two DNS IPv6 addresses assigned. It turned out that it is not needed to run DHCPv6 and RA simultaneously. So I disabled DHCPv6 and restarted the server. The IP config of the server after restart is enclosed. It is obvious that RA is capable of providing the client with a DNS IPv6 address, but actually we do not know where/how to configure this on the switch for networks/VLANs directly connected to this switch.
I have also enclosed two screens from the pfSense GUI connected with the RA settings which I am actually missing on the Cisco switch.
Even for IPv4, I found out that the switch SVI is not listening on the standard DNS port, therefore for IPv4, I am using the IPv4 address of the router interface, where DNS settings work as expected. I tried to enable the DNS server on the switch, but it seems this does not work. Fortunately, as we discussed before, I can live with this for now. The IPv4 workaround was to set the router interface IP address as a DNS server for clients (No problem to set this for IPv4 DHCP).
Hopefully, someone will know better whether it is possible to set RA on the switch to provide a user-defined DNS IPv6 address to the clients. I tried to play with DHCPv4 options, but it turned out that option 6 for DNS is not configurable by the user.
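The "RA provides a DNS IPv6 address" behaviour observed on pfSense above is the RDNSS option (type 25, RFC 8106) carried inside the ICMPv6 Router Advertisement alongside the Prefix Information option. The following is an added example, not from the thread or from Cisco/pfSense: it builds an RA body with both options and parses one back, so an operator capturing RAs on a VLAN can check whether the router is actually telling clients about a DNS server or only about the prefix. Addresses are constructed documentation values and the ICMPv6 checksum is left as zero (the kernel fills it when sending).

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement (RFC 4861) and ND option types used here
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25          # Recursive DNS Server option, RFC 8106


def build_ra(prefix, dns_servers, router_lifetime=1800, dns_lifetime=3600):
    """Return the ICMPv6 body of an RA advertising `prefix` (IPv6Network)
    plus an RDNSS option listing `dns_servers`. Checksum is left as zero."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer  (16 bytes)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00,
                      router_lifetime, 0, 0)
    # Prefix Information: length 4 (32 bytes), L+A flags set (SLAAC),
    # valid / preferred lifetimes, reserved, then the 16-byte prefix
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix.prefixlen, 0xC0,
                      86400, 14400, 0) + prefix.network_address.packed
    rdnss = b""
    if dns_servers:
        # RDNSS: length = 1 + 2*n (8-byte units), reserved, lifetime, addrs
        rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0,
                            dns_lifetime)
        rdnss += b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    return hdr + pio + rdnss


def parse_ra(data):
    """Extract flags, prefixes and RDNSS servers from an RA body, i.e. what a
    client on that VLAN is actually being told."""
    if data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", data, 5)
    out = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
           "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1] * 8
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 section 4.6
        body = data[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            out["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS and olen >= 24:
            n = (olen - 8) // 16        # addresses follow 2 reserved + 4 lifetime
            out["rdnss"] = [str(ipaddress.IPv6Address(body[6 + 16 * i:22 + 16 * i]))
                            for i in range(n)]
        off += olen
    return out
```

An RA whose parse result has a non-empty `prefixes` list but an empty `rdnss` list matches the symptom described in this thread: clients get an address and default gateway but no IPv6 DNS server.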
I've looked at the IPv6 functionality on the CBS350 out of curiosity. There is no DHCPv6 server or IPv6 RA there. However, the switch does provide a DHCPv6 relay. So, if you still want to do inter-VLAN routing on the switch and have IPv6, you need to set up your own IPv6 DHCP server and use the relay on the switch.
You make a classic mistake by looking at the CBS350 from the perspective of pfSense. These are two different products, each with its own strengths and weaknesses. If you are after a one-box solution, go back to doing inter-VLAN routing on pfSense.
Thank you for your research. I agree with you that there is no DHCPv6 server available on the switch, only the DHCPv6 relay. But based on my experience with this switch I do not agree there is no support for RA, as my clients connected to the switch are able to get a prefix and default gateway, the only problem is the missing IPv6 DNS server. So right now, IPv6 is working somehow, the only disadvantage for me is the lack of an IPv6 DNS server, currently substituted by an IPv4 DNS server.
If inter-VLAN routing is a standard and appreciated feature of a managed L3 switch, and this is the case, then I would expect full software support for this feature. I am so close to the ideal configuration, so I cannot believe this feature is not there.
Before I revert my configuration, I will try to find out whether there is a package for the pfSense router that would enable DHCPv6 for remote VLANs with DHCPv6 relay enabled on the switch. The only disadvantage here will be that in case of router failure there will be no DHCP for IPv6 clients connected to the switch.