
Inter-VLAN routing plus Internet with L3 Switch

dkellyusi
Level 1

Hello all,

I'm running all Allen Bradley Stratix Industrial switches, which are essentially rebranded Cisco IE switches.  But, the principles should still be the same.

Here's my topology:

1x Stratix 5410 (Cisco IE 4010) Layer 3 switch as Core Switch (ESXC101)

Several Stratix 5700 (Cisco IE 2000-series) L2 Switches (ESXM1101, etc.)

I have a Management VLAN (10) that I want to be able to communicate with all other VLANs and the Internet via the Corporate Gateway.

All the other VLANs need to stay isolated (no route to other VLANs except management).

Do I need to add a router between the Corporate Network and the L3 switch? I was given to understand that the L3 switch could do all the routing.

Should I be using a Routed port or some other method?

Thanks in advance for your help!


Jon Marshall
Hall of Fame

Haven't used those switches but I'll take your word for it that they are just like any other Catalyst switch.

So the L3 switch can do all the routing between VLANs, and you can use ACLs on the L3 VLAN interfaces (SVIs) to control what can talk to what. Note the routing table will have all the routes, but with ACLs you can still limit the communication.

And then yes if it is a single connection to the gateway then a routed port on the L3 switch is the way I would do it.

Presumably the gateway handles the NAT for Internet access?

Jon

Reza Sharifi
Hall of Fame

Hi,

I am not familiar with this type of switch, but if the core switch (ESXC101) works just like a Cisco layer-3 switch, you just create VLAN 10 (192.168.10.0/24) on the core and add a static route on the corporate network device to use 192.168.1.100 to reach 192.168.10.0/24 (ip route 192.168.10.0 255.255.255.0 192.168.1.100). Also, not sure what device is doing the NAT, but if it is the corporate network device, then you need to add 192.168.10.0/24 to the NAT statements, so it can reach the Internet.

HTH
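The design from the two answers above (ACLs on the SVIs, a routed uplink, a return route on the gateway), sketched as an added example in Catalyst-style IOS syntax; it is not configuration posted by anyone in the thread and has not been checked on Stratix hardware. VLANs 20 and 30 with their subnets, the SVI addresses, the interface name and the gateway address 192.168.1.1 are assumptions; 192.168.10.0/24 and 192.168.1.100 come from the thread.

```cisco
! Core L3 switch (ESXC101)
ip routing
!
vlan 10
 name MGMT
vlan 20
 name CELL-A            ! assumed VLAN
vlan 30
 name CELL-B            ! assumed VLAN
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group VLAN30-IN in
!
! Routed port toward the corporate gateway (interface name assumed)
interface GigabitEthernet1/1
 no switchport
 ip address 192.168.1.100 255.255.255.0
!
! Default route to the corporate gateway (address assumed)
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Non-management VLANs may only exchange traffic with VLAN 10
ip access-list extended VLAN20-IN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip any any
ip access-list extended VLAN30-IN
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip any any
!
! On the corporate gateway (from the thread), plus its NAT rule for 192.168.10.0/24:
!   ip route 192.168.10.0 255.255.255.0 192.168.1.100
```

These ACLs are stateless, so hosts in VLAN 20 or 30 can also initiate connections to the management subnet; narrow the permit lines to specific hosts or ports if that is too broad. The final deny also drops DHCP broadcasts and pings to the SVI address arriving on those VLANs, so add explicit permits above it if the switch provides those services.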

Also, not sure what device is doing the NAT, but if it is the corporate network device, then you need to add 192.168.10.0/24 to the NAT statements, so it can reach the Internet.

Yes, the Corporate Network Gateway handles the NAT.  With most of my customers, adding a static route to my management network will be no problem.  With some others, they either won't want to, or won't know how to do so.

Is there any way for my Management network to access the internet (via the Corp Network GW) without a static route?  Can I use NAT on my L3 switch to avoid adding a static route?

I assume an ISP isn't adding a static route to my home subnet when I install a router.  How does this differ?

Thanks again!

Is there any way for my Management network to access the internet (via the Corp Network GW) without a static route?  Can I use NAT on my L3 switch to avoid adding a static route?

You have a layer-3, routed port between the core and the corporate device, so there is no way to extend 192.168.10.0 subnet to corporate.  Maybe what you can do is to add a separate physical link between the 2 devices (layer-2) and just use that link to extend vlan 10 to corporate device, so there would be no need for static route.

I assume an ISP isn't adding a static route to my home subnet when I install a router.  How does this differ?

No, the ISP only cares about reaching the public IP. Once NATed, you can add whatever device you want.

HTH