Solved: InterVLAN communication not using a router

Chris Pohlad-Thomas · ‎08-30-2012

We are trying to figure out how to configure this properly and so far we are stuck. We have a VMWare server with two different vmnics each on a different VLAN. We have each of these vmnics connected into their own switch port on a 3560G along with the appropriate VLAN membership for said ports. We have an additional port on this same switch in trunking mode connected to our firewall to a NIC that has an IP address in the respective VLAN networks. This port is also set for dot1q encapsulation. Each VLAN also has an IP set on the switch that is in the appropriate VLAN. We are having issues in this configuration getting the one VLAN to talk to another.

I know if we were in all Cisco mode then we would use ROAS to do this inter-vlan communication. Does anyone have any ideas on how to make this happen short of changing hardware?

juan-ruiz · ‎08-30-2012

yes the default gateway for the VMs.

there is a command on a layer 3 switch called ip routing that ones enabled it will allow your layer 3 switched Vlan Interfaces to talk to each other in routed mode.

here is an example below of a basic l3 switch setup.

ip routing

!

vlan 2

name vmnic-1

exit

vlan 3

name vmnic-2

exit

int vlan 2

ip address 192.168.25.1 255.255.255.0

exit

int vlan 3

ip address 192.168.26.1 255.255.255.0

exit

int g0/1

switchport access vlan 2

description vmnic-1

exit

int g0/2

switchport access vlan 3

description vmnic-2

exit

On the VMWARE side if you are dedicating one phy nic to each vlan then you do not need to do any vlan tagging it should assume the network since it is configured as untagged for that port

View solution in original post

juan-ruiz · ‎08-30-2012

hi Chris,

is the default gateway the switch or the firewall?

Why not enable ip routing on the switch and do the inter-vlan routing on the switch?

What kind of firewall are you working with?

Chris Pohlad-Thomas · ‎08-30-2012

The default gateway for the VMs?

So setup an ip route for each external IP on the firewall and have it route out the same interface?

juan-ruiz · ‎08-30-2012

yes the default gateway for the VMs.

there is a command on a layer 3 switch called ip routing that ones enabled it will allow your layer 3 switched Vlan Interfaces to talk to each other in routed mode.

here is an example below of a basic l3 switch setup.

ip routing

!

vlan 2

name vmnic-1

exit

vlan 3

name vmnic-2

exit

int vlan 2

ip address 192.168.25.1 255.255.255.0

exit

int vlan 3

ip address 192.168.26.1 255.255.255.0

exit

int g0/1

switchport access vlan 2

description vmnic-1

exit

int g0/2

switchport access vlan 3

description vmnic-2

exit

On the VMWARE side if you are dedicating one phy nic to each vlan then you do not need to do any vlan tagging it should assume the network since it is configured as untagged for that port

Chris Pohlad-Thomas · ‎08-30-2012

The 3560 though is only a layer 2 switch though isn't it?

Julio Carvajal · ‎08-30-2012

Hello Chris,

The 3560 is a layer 3 device, so you need to perform the routing between vlans on the switch, then point a default route to the firewall.

In order to enable the layer 3 funcionatlity add the following command:

-Ip routing

The devices on each vlan should point to the 3560 as their default gateway.

Remember to rate all the helpful posts, that is as important as a thanks.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Chris Pohlad-Thomas · ‎08-30-2012

And if I only wanted those VLANs to be able to talk to each other and not to the other VLANs on the switch?

Julio Carvajal · ‎08-30-2012

Hello Chris,

You can configure Private vlans or the easy way configure an acl and apply it to each SVI.

Remember to rate all the helpful posts, that is as important as a thanks.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC