6195 Views, 4 Helpful, 17 Replies

How to enable VLAN Routing

adam.weight (Level 1)

Hello,

I have a layer 3 Cisco switch (SG300-52) that I am trying to get set up and functioning, but am having problems with getting DHCP to work on multiple VLANs.

I have 3 VLANs: VLAN 1 (management), VLAN 2 and VLAN 3. I am currently using DHCP on our firewall device, which is on VLAN 1. When I connect a computer to a port on VLAN 1, the device is able to pull a DHCP lease from the firewall. If I connect a device to a port on VLAN 2 or 3, it cannot find the firewall to obtain a DHCP lease.

I am assuming this has to do with routing. I believe that VLAN 2 and VLAN 3 don't know how to get to the firewall on VLAN 1, but I've been looking around for hours and trying different commands to get the routing to work, but nothing so far.

Basically what I am looking to do is have 3 VLANs. DHCP is on VLAN 1, and all 3 VLANs should be able to pull a DHCP lease from that DHCP server (firewall). I do not, however, want the VLANs communicating with each other in any other way. So basically what I want is the following:

VLAN 1 obtain DHCP from firewall on VLAN1 and access to Internet through firewall on VLAN 1

VLAN 2 obtain DHCP from firewall on VLAN 1 and access to Internet through firewall on VLAN 1 - no other communication with VLAN 1, and no communication with VLAN 3

VLAN 3 obtain DHCP from firewall on VLAN 1 and access to Internet through firewall on VLAN 1 - no other communication with VLAN 1, and no communication with VLAN 2

I can get DHCP to work on all VLANs if I create a routing policy on my firewall, but then all 3 VLANs are able to communicate with each other. For security purposes, this will not work. I need them to pull DHCP without talking to each other.

Any ideas on how I can get this to work? Been working on this for several days with no luck.

Thanks,

Adam.


2 Accepted Solutions (both from Alain, reproduced in the thread below: the ACL configuration for VLAN 2 and VLAN 3, and the follow-up on binding the ACL on this platform)

17 Replies

acampbell (VIP Alumni)

Adam,

You will need to enable dhcp-relay in order for your DHCP discovers etc. to cross VLANs.

Look at the config guide section 16

http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf

Regards,
Alex.
Please rate useful posts.


I've already done that. I've enabled DHCP relay on the switch and set the helper address to the DHCP server. Still nothing. The only device that gets an IP address are devices on VLAN 1.


You need the dhcp-relay with the destination IP address of the firewall/DHCP server.

The firewall will need IP routes back to the switch's layer 3 interfaces (VLAN SVIs) via a next hop of the switch's layer 3 (SVI) address on its VLAN 1.

Regards,
Alex.
Please rate useful posts.


Yes, and I believe I've done that as well, unless I'm doing something wrong. Basically what happens is I can get DHCP to work if I put a route in the firewall for all 3 VLANs pointing to the switch as the next hop. The problem is, as soon as I do that, VLAN 2 and VLAN 3 can communicate with each other as well. For security reasons I can't have this happen. I need to be able to route the traffic for DHCP requests without having the VLANs capable of inter-communication.

My firewall (DHCP Server, and Internet gateway) is 10.0.105.1

Here is the basic config I have right now on the switch.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

config-file-header

CSW1

v1.2.9.44 / R750_NIK_1_2_584_002

CLI v1.0

file SSD indicator excluded

@

vlan database

vlan 2-3

exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

ip dhcp relay address 10.0.105.1

ip dhcp relay enable

ip dhcp information option

bonjour interface range vlan 1

hostname DCSW1

username cisco password encrypted 43b085f3d6a61583689378eedbbbc222c32a364b privilege 15

ip name-server  66.28.0.45 66.250.64.15 8.8.8.8

ip telnet server

!

interface vlan 1

ip address 10.0.105.2 255.255.255.0

no ip address dhcp

ip dhcp relay enable

!

interface vlan 2

name Review1

ip address 10.0.108.2 255.255.255.0

ip dhcp relay enable

!

interface vlan 3

name Review2

ip address 10.0.109.2 255.255.255.0

ip dhcp relay enable

!

interface gigabitethernet1

spanning-tree portfast

switchport mode access

!

interface gigabitethernet2

spanning-tree portfast

switchport mode access

switchport access vlan 2

!

interface gigabitethernet3

spanning-tree portfast

switchport mode access

switchport access vlan 3

!

interface gigabitethernet52

spanning-tree portfast

spanning-tree guard root

switchport trunk allowed vlan add 2-3

!

ip helper-address all 10.0.105.1 37 42 49 53 137 138

ip route 0.0.0.0 0.0.0.0 10.0.105.1 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Using this as is, computers on VLAN 2 and VLAN 3 do not receive DHCP. If I add the following routes on my firewall:

Source    Destination      Service    Gateway
Any       10.0.108.0/24    Any        10.0.105.2
Any       10.0.109.0/24    Any        10.0.105.2

DHCP then works for VLAN 2 and VLAN 3, but when I run a ping test from a computer on VLAN 2 to a computer on VLAN 3 I receive valid responses. This is not good for security purposes. I want VLAN 2 and VLAN 3 to have no communication with each other, and to have VLAN 2 or VLAN 3 pull DHCP from the firewall but have no other communication with other devices on VLAN 1.

Am I doing something wrong?

glen.grant (VIP Alumni)

I'm no FW guy, but you are going to have to have rules in the FW blocking all traffic on those VLAN interfaces except the subnet you want on there.

Yeah, I actually tried that too. I set up rules in the FW to block all traffic between 10.0.108.0 and 10.0.109.0, but it doesn't seem to do anything. Communication still happens even though I specifically put a denial statement in the FW between those two networks.

Hi Adam,

Just simply add a host route for each VLAN interface where you have the ip helper-address command configured, instead of subnet routes for each of these VLANs. Your DHCP server needs to reply with unicast to the giaddr address for DHCP relay to work, but it doesn't need to route back to the entire VLAN subnet.

Regards

Alain

Don't forget to rate helpful posts.


I apologize, I'm still fairly new to Cisco routing. I have done some work but not very much. Can you please explain a bit more?

So you are talking about putting in a static IP route on the Cisco switch itself to route from the DHCP server to the IP of the VLAN?

would it be something like

ip route 10.0.108.2 255.255.255.255 10.0.105.2

I'm still a bit confused I guess. Or were you talking about a route on the firewall pointing to just the IP of the VLAN on the switch rather than the entire vlan subnet?

Thank you for your help, don't know why I didn't think of that earlier.

I made some changes on my firewall and added host routes to point from the DHCP (Firewall) to the Switch for routes just to the IP of the VLAN instead of the whole subnet.

DHCP is working now, but I found two other problems as soon as I did this.

  1. Computers on VLAN 2 and VLAN 3 are pulling DHCP but cannot access the internet. They can see the primary VLAN IP, but cannot reach the firewall (gateway of last resort)
  2. VLAN 2 and VLAN 3 are now communicating with each other (even though no route exists for it) I need them to not communicate with each other.

Problem 1

-----------------------------------------------------------------------------------------------------------------------------

DHCP is working as you can see:

C:\Users\Adam>ipconfig /all

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

   IPv4 Address. . . . . . . . . . . : 10.0.108.216(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Lease Obtained. . . . . . . . . . : Wednesday, October 30, 2013 11:22:54 AM

   Lease Expires . . . . . . . . . . : Thursday, October 31, 2013 11:22:54 AM

   Default Gateway . . . . . . . . . : 10.0.108.2

   DHCP Server . . . . . . . . . . . : 10.0.105.1

   DNS Servers . . . . . . . . . . . : 216.136.95.2

                                       68.105.28.15

                                       68.105.9.16

   NetBIOS over Tcpip. . . . . . . . : Enabled

I can ping the local VLAN interface, as well as the management VLAN interface, but cannot ping the Firewall, and so cannot get to the Internet.

C:\Users\Adam>ping 10.0.105.2

Pinging 10.0.105.2 with 32 bytes of data:

Reply from 10.0.105.2: bytes=32 time=1ms TTL=64

Reply from 10.0.105.2: bytes=32 time=1ms TTL=64

Reply from 10.0.105.2: bytes=32 time=1ms TTL=64

Reply from 10.0.105.2: bytes=32 time=1ms TTL=64

Ping statistics for 10.0.105.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\Adam>ping 10.0.105.1

Pinging 10.0.105.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 10.0.105.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

To try and solve this, I attempted to enter a static route for the firewall, but was given an error:

DCSW1#conf t

DCSW1(config)#ip route 10.0.105.1 255.255.255.255 10.0.105.2

Gateway cannot be one of the addresses configured on this device.

DCSW1(config)#

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Problem 2, I am not sure how to fix since I do not have any routing on the firewall that points to these subnets, and therefore is not performing this routing. This routing must be happening on the Cisco switch itself.

I need to set this up to where VLAN 2 and VLAN 3 cannot talk to each other.

Below is an example of a ping test from a computer on VLAN 2 to a computer on VLAN 3

C:\Users\Adam>ping 10.0.109.208

Pinging 10.0.109.208 with 32 bytes of data:

Reply from 10.0.109.208: bytes=32 time=5ms TTL=127

Reply from 10.0.109.208: bytes=32 time<1ms TTL=127

Reply from 10.0.109.208: bytes=32 time=1ms TTL=127

Reply from 10.0.109.208: bytes=32 time<1ms TTL=127

Ping statistics for 10.0.109.208:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 5ms, Average = 1ms

C:\Users\Adam>

-----------------------------------------------------------------------------------------------------------------------------------------------------------

Any help with either of these problems would be appreciated. Thank you.

Hi,

OK, what I proposed will indeed prevent your VLANs from talking with the firewall and the internet. I didn't read your post carefully and I answered too quickly.

Now, you have an L3 switch, so the inter-VLAN routing should be done on it, and if you want your VLANs not to talk with each other, except to VLAN 1 to get to the firewall, you can put an ACL inbound on the VLAN interfaces that denies communication to the other VLAN and permits communication to VLAN 1.

Just put back a subnet static route for each VLAN on the firewall, and it should be working then, if this time I understood your problem correctly.

Put your VLAN interface on the switch as the default gateway for hosts in each corresponding VLAN, and put a static default route to the firewall on the switch.

If you want the configs, then ask and I'll provide them.

Regards

Alain

Don't forget to rate helpful posts.

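As an added example (not part of the thread), the following Python model reproduces the two symptoms Adam reported after switching the firewall to host routes. It implements longest-prefix-match lookup over three routing tables: the switch's own table (built from its SVIs and its default route), the firewall with host routes to the SVIs only, and the firewall with the subnet routes Alain recommends. The relayed DHCPOFFER is addressed to the giaddr (the VLAN 2 SVI), so a /32 to 10.0.108.2 is enough for DHCP; every other reply is addressed to the client itself and falls through to the firewall's default route; and VLAN 2 to VLAN 3 traffic is forwarded by the switch's connected routes, so no firewall route ever influences it. Addresses are taken from the posts; the "wan" and "connected" next-hop labels and the choice of 10.0.108.216 and 10.0.109.208 as the test hosts are this example's assumptions.

```python
"""Added example, not configuration from the thread: longest-prefix-match
routing used to explain the host-route versus subnet-route behaviour.
"""
import ipaddress


def lookup(table, dst):
    """Return the next hop of the most specific route containing dst.

    table is a list of (prefix, next_hop) tuples in any order; the route
    with the longest prefix length wins, as on a real router.
    """
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# The SG300's table: each SVI subnet is directly connected, so traffic
# between VLAN 2 and VLAN 3 is routed by the switch alone.
SWITCH_ROUTES = [
    ("0.0.0.0/0", "10.0.105.1"),     # ip route 0.0.0.0 0.0.0.0 10.0.105.1
    ("10.0.105.0/24", "vlan1"),      # interface vlan 1, 10.0.105.2/24
    ("10.0.108.0/24", "vlan2"),      # interface vlan 2, 10.0.108.2/24
    ("10.0.109.0/24", "vlan3"),      # interface vlan 3, 10.0.109.2/24
]

# Firewall (10.0.105.1) with host routes to the SVIs only ("wan" is the
# assumed default next hop).
FIREWALL_HOST_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("10.0.105.0/24", "connected"),
    ("10.0.108.2/32", "10.0.105.2"),
    ("10.0.109.2/32", "10.0.105.2"),
]

# Firewall with the subnet routes for each VLAN.
FIREWALL_SUBNET_ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("10.0.105.0/24", "connected"),
    ("10.0.108.0/24", "10.0.105.2"),
    ("10.0.109.0/24", "10.0.105.2"),
]


def dhcp_offer_reaches_client(firewall_table, giaddr="10.0.108.2"):
    """The relay forwards DISCOVER as unicast with giaddr set to the SVI it
    arrived on; the server replies to giaddr, not to the client, so the
    firewall only needs a route to the SVI address."""
    return lookup(firewall_table, giaddr) == "10.0.105.2"


def reply_reaches_host(firewall_table, host="10.0.108.216"):
    """Any other reply (ICMP echo, TCP) is addressed to the host itself and
    needs a route covering the whole VLAN subnet."""
    return lookup(firewall_table, host) == "10.0.105.2"


def vlan2_to_vlan3_next_hop(dst="10.0.109.208"):
    """Where the switch sends a VLAN 2 host's packet for a VLAN 3 host."""
    return lookup(SWITCH_ROUTES, dst)


def diagnose(firewall_table):
    return {
        "dhcp_works": dhcp_offer_reaches_client(firewall_table),
        "internet_works": reply_reaches_host(firewall_table),
        "vlan2_to_vlan3_via": vlan2_to_vlan3_next_hop(),
    }


if __name__ == "__main__":
    print("host routes:  ", diagnose(FIREWALL_HOST_ROUTES))
    print("subnet routes:", diagnose(FIREWALL_SUBNET_ROUTES))
```

With host routes only, the firewall's echo reply to 10.0.108.216 is sent to the default next hop and never returns, which is the "Request timed out" Adam saw while the VLAN 2 SVI was still pingable; with either table the VLAN 2 to VLAN 3 lookup resolves on the switch, which is why removing firewall routes cannot stop that traffic and an ACL on the switch is needed instead.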

Thank you so much, if you could help me with the configs that would be awesome. I'm still fairly new to Cisco and have only worked on them minimally. This is my first time with a Layer 3 routing. I've only worked with layer 2 Cisco switches in the past.

Again thank you.

Hi,

1) For VLAN 2 hosts the default gateway is the VLAN 2 interface IP, and the same for VLAN 3 hosts.

2) to filter communication

ip access-list extended VLAN2

deny ip 10.0.108.0 0.0.0.255 10.0.109.0 0.0.0.255

permit ip any any

ip access-list extended VLAN3

deny ip 10.0.109.0 0.0.0.255 10.0.108.0 0.0.0.255

permit ip any any

int vlan2

ip access-group VLAN2 in

int vlan3

ip access-group VLAN3 in

Regards

Alain

Don't forget to rate helpful posts.


Thanks so much for the help, but now I have another problem. The command to assign the access group does not work. I was able to create the access lists (although it would not take numbers so I had to use vltwo for the name instead). But when I go to add the access-group I get the following:

DCSW1(config-if)#

DCSW1#conf t

DCSW1(config)#int vlan 2

DCSW1(config-if)#ip access-group vltwo in

% Unrecognized command

DCSW1(config-if)#

Any ideas? Is it just this model that can't perform that function? I'm using an SG300-52.

Thanks.

Hi,

OK, so I was presuming this was IOS CLI syntax on this model, but I was wrong.

To apply the ACL under the interface: service-acl input "name of ACL" default-action deny-any | permit-any.

Regards

Alain

Don't forget to rate helpful posts.

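As an added example (not code from the thread), here is a first-match evaluator for the extended ACL syntax used above, so a policy can be checked against the flows that matter before it is bound to an interface. It parses the ACEs of the accepted answer as written (wildcard masks, "any", and optionally "host" and "eq PORT") and evaluates six flows from a VLAN 2 host: the DHCPDISCOVER broadcast, the firewall, an internet address, a VLAN 3 host, a VLAN 1 host and the switch's own VLAN 1 address. The check shows the gap a practitioner should notice: the accepted ACL's final "permit ip any any" blocks VLAN 3 but still lets VLAN 2 reach every host on VLAN 1, including the switch's management address (the posted config has "ip telnet server" enabled), which Adam's original requirement ("no other communication with VLAN 1") excluded. The "tightened" ACL, the 10.0.105.50 and 8.8.8.8 test addresses, and the use of "A.B.C.D 0.0.0.0" instead of the "host" keyword are this example's assumptions; the exact ACE grammar accepted by a given SG300 firmware, and which interface types accept the service-acl binding, should be verified on the switch.

```python
"""Added example, not configuration from the thread: a first-match evaluator
for Cisco-style extended ACLs with wildcard masks, used to compare the
accepted VLAN 2 ACL with a tightened variant.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port


def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)  # contiguous wildcard assumed
    return ipaddress.IPv4Network(f"{t}/{netmask}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq PORT'; only equality matches are modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue      # skips 'ip access-list extended NAME' and blank lines
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        _take_port(rest)  # source port is parsed but not used for matching
        dst = _take_addr(rest)
        aces.append(Ace(action, proto, src, dst, _take_port(rest)))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins; no match at all is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed flows from the VLAN 2 host in Adam's ipconfig output.
# 10.0.105.50 (a VLAN 1 host) and 8.8.8.8 (the internet) are assumed.
FLOWS = {
    "dhcp_discover":  ("udp", "0.0.0.0", "255.255.255.255", 67),
    "to_firewall":    ("ip", "10.0.108.216", "10.0.105.1", None),
    "to_internet":    ("ip", "10.0.108.216", "8.8.8.8", None),
    "to_vlan3_host":  ("ip", "10.0.108.216", "10.0.109.208", None),
    "to_vlan1_host":  ("ip", "10.0.108.216", "10.0.105.50", None),
    "to_switch_mgmt": ("ip", "10.0.108.216", "10.0.105.2", None),
}

# The ACL from the accepted answer, as posted.
ACCEPTED_VLAN2 = """
ip access-list extended VLAN2
 deny ip 10.0.108.0 0.0.0.255 10.0.109.0 0.0.0.255
 permit ip any any
"""

# Assumed tightening: DHCP, the firewall and the internet only; VLAN 1 and
# VLAN 3 are denied.  Hosts are written as 'A.B.C.D 0.0.0.0' rather than
# with the 'host' keyword, which is not assumed to exist on this platform.
# The final permit is required because the bound ACL otherwise ends in deny.
TIGHTENED_VLAN2 = """
ip access-list extended VLAN2
 permit udp any eq 68 any eq 67
 permit ip any 10.0.105.1 0.0.0.0
 deny ip any 10.0.105.0 0.0.0.255
 deny ip any 10.0.109.0 0.0.0.255
 permit ip any any
"""


def check_policy(acl_text):
    """Map each named flow to the verdict the ACL gives it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("accepted", ACCEPTED_VLAN2), ("tightened", TIGHTENED_VLAN2)):
        print(label)
        for name, verdict in check_policy(acl).items():
            print(f"  {name:15} {verdict}")
```

The VLAN 3 ACL is the mirror image (permit the firewall, deny 10.0.105.0/24 and 10.0.108.0/24, then permit any). If the network has other internal subnets, extend the deny lines to cover them rather than relying on the trailing permit, since that permit is what provides internet access and will also pass anything not explicitly denied above it.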