Inter VLAN Routing on layer 3 switch

chadbooth
Level 1

I have a Catalyst 3560G layer 3 switch. I am trying to configure the switch to route traffic between VLANs without using our WatchGuard Firebox to route between them. The WG also currently gives all devices DHCP, and this device must be the default gateway for all hosts. The layer 3 switch sits between the hosts and the WG. Can this be configured to route the packets without being the default gateway?

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Chad,

>> Can this be configured to route the packets without being the default gateway?

User PCs will use their default gateway, which must be a device with an IP address in the same subnet.

So you can deploy inter-VLAN routing in parallel with the other box, but DHCP clients will not use it unless they add a route in the OS shell pointing to the L3 switch IP address in their subnet.

Be aware that this can create security holes if all traffic is supposed to go via the other device that may be implementing security policies.

If you want to keep the WG for Internet traffic, you need to add a specific route for the whole private network pointing to the L3 switch on all devices, or you need to have the L3 switch take the IP address that the WG advertises in the DHCP leases.

Hope to help

Giuseppe


7 Replies


Looks like I'm going to need a new DHCP server.

chadbooth wrote:

Looks like I'm going to need a new DHCP server.

Chad

Can the WG only hand out DHCP addresses to clients connected to it? I.e., if the WG can hand out addresses for subnets that the WG has no interfaces in, then you don't need a new DHCP server.

You could leave the WG handing out addresses for a subnet but have the DG for that subnet be the 3560G. Then on the 3560G you just have a default-route pointing to the WG. On the WG you would need a route for the new subnet pointing to the 3560G.

If you must have the WG as the DG, then a new DHCP server will make no difference, so I'm not sure what you mean?

Jon

The WG currently supplies addresses for multiple VLANs through a single interface, but it only provides the option for itself to be the default gateway for the addresses it hands out.

Currently I have a layer 2 switch that forwards all VLAN traffic to the WG and the WatchGuard handles the routing. I do not want any traffic going to the WG unless it is destined for the Internet. That is why I purchased the L3 switch.

Any help is appreciated.

Attached is a diagram of my current network.

chadbooth wrote:

The WG currently supplies addresses for multiple VLANs through a single interface, but it only provides the option for itself to be the default gateway for the addresses it hands out.

Currently I have a layer 2 switch that forwards all VLAN traffic to the WG and the WatchGuard handles the routing. I do not want any traffic going to the WG unless it is destined for the Internet. That is why I purchased the L3 switch.

Any help is appreciated.

Attached is a diagram of my current network.

Okay, then you will need a DHCP server.

On the 3560G you would create the L2 VLANs plus the L3 VLAN interfaces for each VLAN. The DHCP server would hand out addresses for each subnet, and the DG would be the corresponding L3 VLAN interface on the 3560G.

Then you can connect the WG to the 3560G on its own P2P link.

On the 3560G:

! ip routing is off by default on the 3560G and is required before it will
! forward between subnets (not in Jon's original lines; added here)
ip routing
!
! this port connects to the WG
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.5.1 255.255.255.0
!
! 192.168.5.2 is the WG's address on the P2P link
ip route 0.0.0.0 0.0.0.0 192.168.5.2

On the WatchGuard you need to add routes for each of the 3560G VLANs (or run a routing protocol between the WG and the 3560G). The next hop for the routes would be 192.168.5.1.

Don't forget that on each L3 VLAN interface you will need to configure an "ip helper-address".

Jon
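A complete configuration that follows Jon's steps above, added here as an illustration and not taken from the thread. It assumes two VLANs (VLAN 10 = users, 10.10.10.0/24; VLAN 20 = servers, 10.10.20.0/24), a DHCP server at 10.10.20.5 in VLAN 20, and the WatchGuard at 192.168.5.2 on the P2P link; all of those addresses, the VLAN names and the ACL are assumptions. The ACL is there because of Giuseppe's point earlier in the thread: once the 3560G routes between VLANs, whatever policy the WG enforced between them no longer applies to that traffic, so it has to be re-created on the switch.

```ios
! Added example, not Jon's or Cisco's config. All addresses are placeholders.
!
! Required on the 3560G before it forwards between subnets
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! SVIs: these addresses are the default gateways the DHCP server hands out
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
! relay DHCP broadcasts from VLAN 10 to the server in VLAN 20
 ip helper-address 10.10.20.5
! inter-VLAN policy that the WG used to enforce (see ACL below)
 ip access-group USERS-IN in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
! the DHCP server is local to this VLAN, so no helper address is needed
!
! Routed point-to-point link to the WatchGuard
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.5.1 255.255.255.0
!
! Only traffic with no more specific route (i.e. Internet-bound) goes to the WG
ip route 0.0.0.0 0.0.0.0 192.168.5.2
!
! Example policy for VLAN 10: keep DHCP working through the relay, allow
! users to reach servers on 443 only, log and drop anything else aimed at
! the server VLAN, and let everything else (Internet) through to the WG.
ip access-list extended USERS-IN
 permit udp any any eq bootps
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip 10.10.10.0 0.0.0.255 any
```

On the WatchGuard side, add static routes for 10.10.10.0/24 and 10.10.20.0/24 with next hop 192.168.5.1, and disable its DHCP scopes for those VLANs so that the SVI addresses are the only gateways clients ever receive. Without `ip routing` the 3560G still switches within each VLAN but never routes between them, which is the most common reason a setup like this appears not to work.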

Thank you for the help. I'm getting a better understanding of how things are going to have to work. I have over 200 machines for which I currently have IP address reservations bound to MAC addresses, and from what I can see, the Cisco switch will make this task difficult. Should I use something else as the DHCP server?

chadbooth wrote:

Thank you for the help. I'm getting a better understanding of how things are going to have to work. I have over 200 machines for which I currently have IP address reservations bound to MAC addresses, and from what I can see, the Cisco switch will make this task difficult. Should I use something else as the DHCP server?

Chad

Yes, I would recommend using a server as the DHCP server, such as a Windows or Unix/Linux variant. Personally I don't like using switches/routers as DHCP servers, as they are limited and the devices are not really designed to do that.

Jon
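For the reservation question, an added IOS example (not from the thread; the addresses and the MAC are placeholders) showing what a MAC-bound reservation looks like when the switch itself is the DHCP server. Each reservation is its own manual-binding pool, so Chad's 200 machines would mean 200 such pools to maintain by hand, which is the limitation behind Jon's advice to use a dedicated server instead.

```ios
! Added example, not part of the thread. All addresses and the MAC are placeholders.
!
! Keep the gateway and a few infrastructure addresses out of the dynamic pool
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
! Dynamic pool for VLAN 10 hosts that have no reservation
ip dhcp pool VLAN10-USERS
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.20.10
!
! One manual binding: a fixed address tied to one client's MAC address.
! IOS needs a separate pool like this for every reserved host.
ip dhcp pool HOST-PC-0001
 host 10.10.10.101 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 10.10.10.1
 dns-server 10.10.20.10
```

The `default-router` in both pools is the VLAN 10 SVI on the 3560G, which is what makes the switch the gateway instead of the WG. A dedicated DHCP server expresses the same reservation as a single host entry and can be managed from a file or a GUI, which is why it scales better than per-host pools on the switch.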
