
Inter VLAN routing on 3560 switch, and connection to router

nbhpro111
Level 1

Hi all

I'm working towards a CCNA certification and have been sitting and playing around with a single Catalyst 3560 24 port switch, with (C3560-IPSERVICESK9-M), Version 15.0(2)SE2, RELEASE SOFTWARE (fc1), software on it.

I wanted to try and create a network for a virtualized environment, and have only started out with the most basic so far, but still can't get it to work.

I have created the following VLANs:

VLAN 1, Router, IP network 192.168.1.x/24

VLAN 10, Management, IP network 192.168.10.x/24

VLAN 20, vMotion, IP network 192.168.20.x/24

VLAN 30, iSCSI, IP network 172.16.30.x/24

VLAN 40, VMnetwork, IP network 192.168.40.0/24

VLAN 50, ILO, IP network 10.0.50.0 - 9/24

I have enabled "IP routing", and I have only created the first two VLAN interfaces for vlan 1 and vlan 10 so far, so I'm not using the other VLANs until I can get the first two to work.

So my setup is as follows: I have a TP-LINK ADSL router for Internet access (192.168.1.1), which connects with a straight through cat 5 cable to port gi0/1 on the 3560 switch (set for 192.168.1.2 on interface vlan 1), on port gi0/2 I have my PC connected, and am using 192.168.10.1 as the default gateway from my PC.


As you can see below, I can ping both vlan 1 and vlan 10 interfaces, but I can also ping my TP-LINK router on 192.168.1.1 from the switch.

Switch3560#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Switch3560#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Switch3560#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

From my PC (192.168.10.61), I can ping the vlan 10 interface 192.168.10.1, and I can ping vlan 1 interface 192.168.1.2, but I can't get the connection to work from the switch to the router. So even though I can ping the router on 192.168.1.1 from the switch, I can't get my PC on vlan 10 to route through vlan 1 and out through my router.

Shouldn't I be able to do that, or am I completely missing something?

If I configure both port gi0/1 and gi0/2 to belong to vlan 1, I have no problems, everything is working.

PS: I have attached the running config.

Any kind of help will be appreciated.

 

 


Charles Hill
VIP Alumni

TP-Link may not be accepting the dot1q tags.

 

I would delete vlan 1 on the 3560 and create a routed port facing the tp-link router.

Assign 192.168.1.2 to the physical/routed port facing the tp-link router.

Create a default route on the 3560 switch

ip route 0.0.0.0 0.0.0.0 192.168.1.1

Since ip routing is enabled, you should have access to the tp-link from the other vlans on the 3560.

 

Hope this helps,

Please rate helpful posts.

Thanks.

 

 


 

Hi Charles

 

I'm sorry but I won't be able to test your suggestion tonight. I've spent all night trying to get home from work, due to some person jumping in front of a train, which caused complete traffic chaos, because all other trains were cancelled as well, so I desperately need sleep now. The joy of public transport, how I utterly hate it.

I don't think it's the dot1q tag that's the issue, because if I put the PC in gi0/2, and also make that a member of vlan 1, it all works perfectly. But I have a very strong feeling that you hit the sweet spot with the default route. But I will test it tomorrow night, and will get back to you.

Kind regards

Niels

I am eager to know more about this. I mainly work with Cisco SG300 Series switches. We have multiple VLANs for different solutions. CCTV on one, Access Control on another, etc. Easy to get each VLAN talking to each other, but when a client asks me to set their crappy ADSL Router modem to the VLANs (or at least 1 VLAN) but doesn't want me to change any settings on the ADSL Router other than port forwarding.... Well, so far I have not been able to make it work unless I change the ADSL modem's IP to match the VLAN that I want to port forward to.

 

Need this to work so that the client can use a Mobile Phone App to access CCTV cameras. Do you think this solution would work for this purpose, and on a SG300 switch? 

Sounds like it may have been a nat issue. 
 

Hi Charles

I don't think it's a NAT issue, but I could of course be wrong. If I have both port gi0/1 and gi0/2 in vlan 1, it works perfectly. So I have a gut feeling it might be as you say, that it needs a routed port in order to come from another vlan than vlan 1, and reach the router.

I will let you know, if I can get it to work.

Kind regards

Niels

Niels

Your ADSL router needs a route back to 192.168.10.0/24 because it is not directly connected.

So if you use a routed port on the 3560 it would be something like -

ip route 192.168.10.0 255.255.255.0 <IP address of L3 port on 3560>

Note the above is Cisco syntax but you should get the idea.

You would need to add routes for all non directly connected subnets to the ADSL router.

However you may face a couple of issues -

1) your ADSL router might not allow you to add routes

2) your ADSL router might only do NAT for directly connected networks

It depends on the features it has but a lot of them are quite limited.

The usual workaround if you are using a router is to do NAT on your device, i.e. you NAT all your IPs to the IP address on the L3 port and then the ADSL router would know where to send the return traffic.

Unfortunately NAT is not supported on most switches and yours doesn't support it so if the ADSL router does not support both of the above then you won't be able to get this to work.

Jon
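
Added example, not part of the original thread: a small Python model of the return-route problem described in the post above. The routing tables are constructed from the addresses in the thread, and the function names (routes, lookup, round_trip) are hypothetical. It shows why the switch itself can ping 192.168.1.1 while the PC at 192.168.10.61 cannot, and what the static route on the ADSL router changes.

```python
import ipaddress

def routes(*entries):
    """Build a routing table from (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(p), hop) for p, hop in entries]

def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed tables modelled on the addressing in the thread.
SWITCH = routes(
    ("192.168.1.0/24", "connected"),    # 192.168.1.2, link to the ADSL router
    ("192.168.10.0/24", "connected"),   # interface vlan 10, 192.168.10.1
    ("0.0.0.0/0", "192.168.1.1"),       # ip route 0.0.0.0 0.0.0.0 192.168.1.1
)
ADSL = routes(
    ("192.168.1.0/24", "connected"),    # LAN side, 192.168.1.1
    ("0.0.0.0/0", "WAN"),               # everything else goes to the ISP
)
# Same router after adding the return route suggested in the post.
ADSL_FIXED = ADSL + routes(("192.168.10.0/24", "192.168.1.2"))

def round_trip(src, dst, adsl_table):
    """Return (hop the 3560 picks, hop the ADSL router picks for the reply, ok)."""
    fwd = lookup(SWITCH, dst)
    back = lookup(adsl_table, src)
    # The reply only gets home if it stays on the LAN or is sent to the switch.
    ok = fwd is not None and back in ("connected", "192.168.1.2")
    return fwd, back, ok

if __name__ == "__main__":
    cases = [
        ("switch -> router", "192.168.1.2", ADSL),
        ("PC -> router, no return route", "192.168.10.61", ADSL),
        ("PC -> router, with return route", "192.168.10.61", ADSL_FIXED),
    ]
    for label, src, table in cases:
        print(label, round_trip(src, "192.168.1.1", table))
```

The model covers routing only; whether the ADSL router will also NAT traffic from 192.168.10.0/24 is the second limitation listed in the post and is not modelled here.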

This was my feeling too when I read this as I have faced the same problem at home with my generic ISP broadband router. They usually have no facility to add static routes so your ADSL router only knows about its LAN subnet and can't NAT anything else outside of this range because it does not know where to route the return traffic.

My solution (and it is a bit convoluted but works) is to perform NAT on something else before it reaches the router - like a small Linux host.

So for example you would have all of your internal hosts on 10.0.0.0/24 with 10.0.0.1 as a gateway (your Linux host) that would have two interfaces, one at 10.0.0.1/24 and one in the 192.168.0.0/24 range. The Linux host would NAT all traffic onto the 192.168.0.0/24 subnet where your ADSL router sits.

Or buy a proper router :)

Hi Allen

If you look at the response I got from "CHARLES HILL" and my reply to him, that might give you an idea at least. After Charles mentioned the routed port, I found the following video on YouTube:

Learn how to create a routed switchport command on Cisco IOS from ccieadvisor.com
https://www.youtube.com/watch?v=e1h4VpPGvi0

Whether this configuration will work on an SG300 switch, I'm not the right guy to ask, since I have never seen or touched one. I know it's a small business kind of switch, so I don't know if it has a full IOS CLI interface, or if something similar can be configured through a GUI. But if you can wait until I have tested Charles' suggestion with a routed port, I will let you know if it works on a C3560 switch.

Niels

Hi Charles

I tried to add the default route, but that unfortunately didn't change anything, it still doesn't work. Since my PC can ping both 192.168.10.1 (its own vlan 10 interface and default gateway), and 192.168.1.2 (vlan 1 interface), I thought maybe the default route you suggested was what it needed to make the jump from 192.168.1.2 to 192.168.1.1 (the router). But obviously not.

To the best of my knowledge, you can neither delete nor rename vlan 1 or the other 4 reserved VLANs.

I have however looked into the routed port you mentioned, and found some interesting material about it on YouTube from a group called ccieadvisor. It looks pretty simple, so I will give that a try a bit later on. It might not be until the weekend that I have time for it.

But thank you very much for your help so far, it could look like the default route and the routed port you mention are just what the doctor ordered. Will let you know as soon as I have had a chance to test it further.

Thank you very much for your kind help, very much appreciated.

Niels

The PC's default gateway should be the router's IP as long as the router will be doing the routing. If the switch is doing the routing, the switch IP should be the PC's default gateway.
