08-12-2016 04:09 PM - edited 03-08-2019 06:59 AM
We were just using VLAN 1 for everything, but now need to segment things better by adding VLANs. Our core switch is a Cisco 3850 with Cisco 2960s hanging off of it.
I set up the VLANs and allowed them through all of the trunks. I created the VLAN interfaces. The current default gateway is 10.0.8.1, which is the internal port on the firewall server.
!
interface Vlan1
 ip address 10.0.8.201 255.255.248.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
!
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
!
interface Vlan70
 ip address 10.0.70.1 255.255.255.0
!
interface Vlan90
 ip address 10.0.90.1 255.255.255.0
!
I made sure the 3850 has the ip routing statement.
ip default-network 10.0.8.0
ip route 0.0.0.0 0.0.0.0 10.0.8.1
Devices on the new VLANs can ping each other. I can ping 10.0.8.201, which is the IP of the 3850. I can't ping anything else on VLAN 1.
I can't figure out why I'm not routing to VLAN 1. What am I missing?
08-12-2016 04:48 PM
Hi;
What is your default gateway: is it 10.0.8.1 or 10.0.8.201?
If it's 10.0.8.1 then you have 2 options: either change your default gateway to 10.0.8.201 (the switch that has all the new VLANs), or configure static routes on the firewall for all the new subnets (10.0.20.0, 10.0.30.0 & so on) with next hop 10.0.8.201.
Thanks & Best regards;
08-13-2016 10:53 AM
OK, so I'm not sure how I go about doing what you've suggested.
10.0.8.1 is the current default gateway on VLAN 1; it's the internal port on the firewall and I don't want to change that IP address.
10.0.8.201 is the 3850 IP address; I would like to move that eventually to VLAN 40, which is going to be my management network.
The firewall is plugged into Gi1/0/1; this will be the way out to the internet.
Should I put an IP address on Gi1/0/1, for instance 10.0.8.3, and make that my default gateway?
How do I ensure that internet traffic still goes out to 10.0.8.1?
08-13-2016 02:44 PM
Hi;
As I understand it, your default gateway is the firewall (10.0.8.1) and the firewall is connected to your core (Cisco 3850, 10.0.8.201) via Gi1/0/1.
Now you need to make sure the link between the firewall & core 3850 is a trunk and all VLANs are allowed (VLAN 1, VLAN 20, VLAN 30, VLAN 40, VLAN 50, VLAN 70, VLAN 90).
You already have the default route toward the firewall on the core switch.
On your firewall you should have the following routes:
1 - a default route toward your internet service provider.
2 - 10.0.20.0, 10.0.30.0, 10.0.40.0, 10.0.50.0, 10.0.70.0, 10.0.90.0 toward the core switch via 10.0.8.201.
Last but not least, you should have NAT on your firewall for all of those networks that need to access the internet.
Thanks & Best regards;
08-15-2016 07:17 AM
It seems to me that there are several things going on which might be contributing to this issue.
- The original poster says he cannot ping 10.0.8.201 but does not tell us where he is pinging from. Can we get clarification on that?
- There seems to be confusion about where inter-VLAN routing should be done. If all the devices have their default gateway as the firewall IP, then it suggests that the firewall is doing the inter-VLAN routing. If the 3850 should be doing the inter-VLAN routing, then it should be the default gateway for the hosts in the new VLANs.
- It is not clear how the devices in the new VLANs are configured, especially in terms of their default gateway. If a device in subnet 10.0.20.0 has its gateway set as 10.0.8.1, then it will attempt to ARP for that address. Except that some OSes will not ARP for addresses that are outside their own subnet (this is reasonable, since ARP is intended to be a function on the local network and not for remote addresses).
HTH
Rick
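The two failure modes raised above (the firewall having no route back to the new subnets, so VLAN 1 hosts send their replies toward the internet, and a host whose gateway is not on its own subnet) can be traced hop by hop. The following is an added example written for this thread, not code from any of the posters; it models the addresses given in the thread (10.0.8.0/21 on VLAN 1 with the firewall at 10.0.8.1 and the 3850 at 10.0.8.201, 10.0.20.0/24 on VLAN 20 with SVI 10.0.20.1). The host addresses 10.0.8.50 / 10.0.20.10 / 10.0.20.11, the firewall's outside subnet 203.0.113.0/24 and the ISP next hop 203.0.113.1 are assumptions made up for the example.

```python
"""Constructed hop-by-hop trace of the thread's topology (added example)."""
import ipaddress


class Node:
    """A host, switch or firewall with connected subnets and static routes."""

    def __init__(self, name, interfaces, routes):
        self.name = name
        # connected subnet -> this node's own address on it
        self.interfaces = {ipaddress.ip_network(net): ipaddress.ip_address(addr)
                           for net, addr in interfaces.items()}
        # (prefix, next hop); longest prefix wins, as in a real RIB lookup
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh))
                       for p, nh in routes]

    def owns(self, addr):
        return addr in self.interfaces.values()

    def next_hop(self, dst):
        """Return ('connected', dst), ('via', nexthop) or ('drop', reason)."""
        if any(dst in net for net in self.interfaces):
            return "connected", dst
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            return "drop", f"{self.name} has no route to {dst}"
        _, nh = max(matches, key=lambda r: r[0].prefixlen)
        # Rick's point: a gateway off the local subnet cannot be ARPed for
        if not any(nh in net for net in self.interfaces):
            return "drop", f"{self.name}: gateway {nh} is not on a local subnet"
        return "via", nh


def trace(nodes, src_name, dst):
    """Follow a packet from src to dst; return (delivered, path, reason)."""
    dst = ipaddress.ip_address(dst)
    cur = next(n for n in nodes if n.name == src_name)
    path = [cur.name]
    for _ in range(len(nodes) + 1):  # bound the walk so a loop terminates
        if cur.owns(dst):
            return True, path, "delivered"
        kind, value = cur.next_hop(dst)
        if kind == "drop":
            return False, path, value
        owner = next((n for n in nodes if n.owns(value)), None)
        if owner is None:
            return False, path, (f"{cur.name} sends {dst} to {value}, "
                                 "which is outside the model (e.g. the ISP)")
        path.append(owner.name)
        cur = owner
    return False, path, "routing loop"


def topology(firewall_knows_vlan20):
    """Thread topology; the firewall static route for VLAN 20 is optional."""
    fw_routes = [("0.0.0.0/0", "203.0.113.1")]  # toward the ISP (assumed)
    if firewall_knows_vlan20:
        fw_routes.append(("10.0.20.0/24", "10.0.8.201"))  # the suggested fix
    return [
        Node("hostA-vlan20", {"10.0.20.0/24": "10.0.20.10"},
             [("0.0.0.0/0", "10.0.20.1")]),          # gateway = 3850 SVI
        Node("hostC-badgw", {"10.0.20.0/24": "10.0.20.11"},
             [("0.0.0.0/0", "10.0.8.1")]),           # gateway off-subnet
        Node("core-3850", {"10.0.8.0/21": "10.0.8.201", "10.0.20.0/24": "10.0.20.1"},
             [("0.0.0.0/0", "10.0.8.1")]),
        Node("firewall", {"10.0.8.0/21": "10.0.8.1", "203.0.113.0/24": "203.0.113.2"},
             fw_routes),
        Node("hostB-vlan1", {"10.0.8.0/21": "10.0.8.50"},
             [("0.0.0.0/0", "10.0.8.1")]),           # gateway = firewall
    ]


if __name__ == "__main__":
    for fixed in (False, True):
        nodes = topology(fixed)
        print(f"firewall has route for 10.0.20.0/24: {fixed}")
        for src, dst in (("hostA-vlan20", "10.0.8.201"), ("hostA-vlan20", "10.0.8.50"),
                         ("hostB-vlan1", "10.0.20.10"), ("hostC-badgw", "10.0.8.50")):
            ok, path, why = trace(nodes, src, dst)
            print(f"  {src} -> {dst}: {'OK ' if ok else 'FAIL'} {' > '.join(path)} ({why})")
```

The forward direction from VLAN 20 to a VLAN 1 host succeeds because the 3850 is directly connected to 10.0.8.0/21, which is exactly why pinging 10.0.8.201 works. The reply from the VLAN 1 host goes to its gateway 10.0.8.1, and without the static route the firewall matches only its default route and pushes it toward the ISP. Adding the 10.0.20.0/24 route via 10.0.8.201 on the firewall completes the return path; the host with a gateway outside its own subnet fails on the first hop regardless.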