Inter Vlan Routing problem

spokeskleff
Level 1

I have a problem whereby my created VLAN interfaces won't access the internet from the VLAN trunk with the internet link from the Sophos firewall, on a Catalyst c2960.

Accepted Solutions

ip routing
interface Vlan 2
ip address 192.168.1.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 192.168.2.1

interface vlan 200
ip address 192.168.2.1 255.255.255.0
ip route 192.168.2.0 255.255.255.0 192.168.1.1


Sorry, can you elaborate more?

Hi

To access the internet from a 2960 behind the firewall you need to do some steps. First, the 2960 is a layer 2 switch, which means it will offer only layer 2 connectivity for your hosts.

You need to trunk it to the firewall and create a layer 3 VLAN interface on the firewall in order to be the gateway for your hosts.

And you need to have a DHCP service available or put static IPs on the hosts.

You need NAT on the firewall.

As I said, the switch you mentioned is just a layer 2 device and most of the config should happen on the firewall.

Hi, on the firewall end all is good, I was set up with DHCP.

Actually VLAN 200 was created on the firewall.

VLAN 200 was created on the Catalyst with 3 ports assigned to it; port 24 was set to trunk mode, and the rest of the ports in the VLAN work and give out a DHCP address with just a laptop.

But VLANs 2-6 don't access the internet from the trunk.

spokeskleff
Level 1

Hi, I am new to this, so please see below.

ip routing
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.98.1 192.168.98.10
ip dhcp excluded-address 192.168.99.1 192.168.99.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool 2
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp pool 3
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
!
ip dhcp pool 4
network 192.168.98.0 255.255.255.0
default-router 192.168.98.1
!
ip dhcp pool 5
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
!
ip dhcp pool 6
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
!
!
!
!
crypto pki trustpoint TP-self-signed-2900048512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2900048512
revocation-check none
rsakeypair TP-self-signed-2900048512
!
!
crypto pki certificate chain TP-self-signed-2900048512
certificate self-signed 01
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 6
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 6
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 3
!
interface FastEthernet0/14
switchport access vlan 3
!
interface FastEthernet0/15
switchport access vlan 3
!
interface FastEthernet0/16
switchport access vlan 3
!
interface FastEthernet0/17
switchport access vlan 3
!
interface FastEthernet0/18
switchport access vlan 3
!
interface FastEthernet0/19
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
switchport access vlan 200
switchport trunk native vlan 200
switchport mode trunk
!
interface FastEthernet0/24
switchport access vlan 200
switchport trunk allowed vlan 2-4094
switchport mode trunk
!
interface GigabitEthernet0/1
switchport access vlan 200
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.0.0.10 255.0.0.0
!
interface Vlan2
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
ip address 192.168.99.1 255.255.255.0
!
interface Vlan4
ip address 192.168.98.1 255.255.255.0
!
interface Vlan5
ip address 192.168.20.1 255.255.255.0
!
interface Vlan6
ip address 192.168.10.1 255.255.255.0
!
interface Vlan200
ip address 192.168.200.5 255.255.255.0
!
ip default-gateway 10.0.0.1
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.200.1
access-list 1 permit any
access-list 101 permit ip 0.0.0.1 255.255.255.0 any
access-list 102 permit ip 0.0.0.1 255.255.255.0 any
access-list 103 permit ip 0.0.0.1 255.255.255.0 any
access-list 104 permit ip 0.0.0.1 255.255.255.0 any

spokeskleff
Level 1

Actually I created a VLAN interface for the Catalyst on the Sophos XG, VLAN 200. The idea is to send internet to the Catalyst, and the created VLANs on the Catalyst access the VLAN 200 trunk for internet.

Also I am not able to ping from VLAN 2 to any VLAN on the Catalyst.

We need to see the config of the SW.

When you say send internet, you are actually saying that the firewall will be your gateway. This can be easily achieved by putting the firewall as the gateway for your PC.

The 2960 is a layer 2 switch and it is not meant to do routing. It seems, however, that it is possible to enable IP routing between VLANs with the following commands. I never tried, so you need to test.

configure terminal
sdm prefer lanbase-routing
end
copy running-config startup-config
reload
!!! After reload:
configure terminal

ip routing
interface Vlan 2
ip address <address> <netmask>
ip route <address> <netmask> <next-hop-IP>

interface vlan 200
ip address <address> <netmask>
ip route <address> <netmask> <next-hop-IP>

Sorry, please use an example with the syntax.

Thanks

ip routing
interface Vlan 2
ip address 192.168.1.1 255.255.255.0
ip route 192.168.1.0 255.255.255.0 192.168.2.1

interface vlan 200
ip address 192.168.2.1 255.255.255.0
ip route 192.168.2.0 255.255.255.0 192.168.1.1
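
An added example, not part of any post in this thread: when the switch itself routes VLANs 2-6 and sends everything else to 192.168.200.1, the gateway on VLAN 200 needs a return route (and NAT coverage) for each of those subnets. The script below derives that list from the interface addresses and default route in the posted switch configuration; it assumes the gateway has only VLAN 200 directly connected, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the VLAN 2-6 and VLAN 200 interface lines and the
# default route from the switch configuration posted in the thread.
CONFIG = """\
interface Vlan2
ip address 192.168.1.1 255.255.255.0
interface Vlan3
ip address 192.168.99.1 255.255.255.0
interface Vlan4
ip address 192.168.98.1 255.255.255.0
interface Vlan5
ip address 192.168.20.1 255.255.255.0
interface Vlan6
ip address 192.168.10.1 255.255.255.0
interface Vlan200
ip address 192.168.200.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.200.1
"""

def parse_svis(config):
    """Map VLAN id -> IPv4Interface for each 'interface VlanN' that has an address."""
    svis, vlan = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.lower().startswith("interface "):
            m = re.fullmatch(r"interface vlan\s*(\d+)", line, re.I)
            vlan = int(m.group(1)) if m else None
        elif vlan is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            svis[vlan] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return svis

def return_routes(config):
    """Return (uplink VLAN, [(subnet, next hop)]) the upstream gateway must know."""
    svis = parse_svis(config)
    m = re.search(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if not m:
        raise ValueError("no default route configured")
    hop = ipaddress.ip_address(m.group(1))
    uplink = next((v for v, i in svis.items() if hop in i.network), None)
    if uplink is None:
        raise ValueError("default next hop is not on a connected SVI subnet")
    via = str(svis[uplink].ip)  # the switch's own address on the uplink VLAN
    return uplink, [(str(i.network), via)
                    for v, i in sorted(svis.items()) if v != uplink]

if __name__ == "__main__":
    uplink, routes = return_routes(CONFIG)
    for net, via in routes:
        print(f"VLAN {uplink} gateway needs: route {net} via {via}")
```

A `ValueError` here means the default route points at an address the switch cannot reach from any of its VLAN interfaces, which would break internet access for every routed VLAN.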
