Solved: L3 Switch routing logic

lukedp · ‎11-07-2012

I am having some difficulty setting up a lab utizling a layer 3 switch as an intrem solution to a network problem i am having.

What I would like to do is move the ISP (100.10.10.*) endpoint ip address, to a routed port on the WAN Switch C3750G, then I want to leave the current ip addresses 200.20.20.0 on the router and ASA, and have them route their traffic to the routed interface on the switch - then out to the ISP etc

L3 Switch:

hostname Switch

!

ip routing

!

spanning-tree mode pvst

!

interface FastEthernet0/1

switchport access vlan 200

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface FastEthernet0/2

switchport access vlan 200

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface FastEthernet0/3

no switchport

ip address 100.10.10.1 255.255.255.252

duplex auto

speed auto

interface Vlan1

no ip address

shutdown

!

interface Vlan200

ip address 200.20.20.1 255.255.255.252

!

router eigrp 100

network 200.20.20.0 0.0.0.15

network 100.20.20.0 0.0.0.3

auto-summary

!

ip classless

ip route 0.0.0.0 0.0.0.0 100.10.10.2

!

Router:

interface FastEthernet0/0.200

encapsulation dot1Q 200

ip address 200.20.20.2 255.255.255.240

John Blakley · ‎11-08-2012

Okay. You'll need to nat on your switch. It's going to depend on what type of switch you have if you're even able to do it....

The problem is that your 100.10.10.2 device doesn't know how to get back to the 200.20.20.0 subnets, so the traffic is dropping.

*** Edit ***

I saw that you have a 3750 switch, and according to the below link, NAT isn't supported:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a008011c629.shtml

HTH, John *** Please rate all useful posts ***

View solution in original post

John Blakley · ‎11-08-2012

The first thing that I notice, and probably doesn't have anything to do with the problem, is that the mask doesn't match between vlan 2 and the router's subinterface. What is the actual problem though?

HTH, John *** Please rate all useful posts ***

lukedp · ‎11-08-2012

Yes realised that was wrong mistake when chaning details.

I am finding that i am unable to route between the 200.x.x.x network and the 100.0.0.0 network. i can ping the routed interface on the switch but traffic will not pass beyond it.

John Blakley · ‎11-08-2012

Can you post the following?

From the switch:

sh ip route

ping 100.10.10.2

ping 200.20.20.2

ping 200.20.20.3

From the 2811:

sh ip route

ping 200.20.20.1

ping 100.10.10.1

ping 100.10.10.2

From the ASA:

sh route

ping ISP 100.10.10.1

ping ISP 100.10.10.2

ping isp 200.20.20.1

HTH,

John

HTH, John *** Please rate all useful posts ***

milan.kulik · ‎11-08-2012

Hi,

are both your 2811 and ASA having a default route configured pointing to 200.20.20.1?

And the ISP a static route for 200.20.20.0/28 pointing to 100.10.10.1?

HTH,

Milan

lukedp · ‎11-08-2012

switch:

Show ip route:

100.0.0.0/30 is subnetted, 1 subnets

C 100.10.10.0 is directly connected, FastEthernet0/3

200.20.20.0/30 is subnetted, 1 subnets

C 200.20.20.0 is directly connected, Vlan200

S* 0.0.0.0/0 [1/0] via 100.10.10.2

Ping:

can pin 200.20.20.1

can ping 200.20.20.3

can ping 100.10.10.1

can ping 100.10.10.2

router:

can not ping 100.10.10.1

can ping 200.20.20.1

can ping 200.20.20.3

ASA:

cannot ping 100.10.10.1

can ping 200.20.20.1

can ping 200.20.20.2

John Blakley · ‎11-08-2012

Does your router know how to get to the 100.10.10.0 subnet? Can you post the routing table from the router and the ASA? Also, from the switch, can you post "sho ip eigrp neigh"?

HTH, John *** Please rate all useful posts ***

lukedp · ‎11-08-2012

In this instance i have not allowed routing protocols to exchange between the switch router and ASA,

i have place a static route on both devices pointing toward in intervlan interface of 200.20.20.2 i can now ping the 100.10.10.1 interface but not the 100.10.10.2 interface.

John Blakley · ‎11-08-2012

Okay. You'll need to nat on your switch. It's going to depend on what type of switch you have if you're even able to do it....

The problem is that your 100.10.10.2 device doesn't know how to get back to the 200.20.20.0 subnets, so the traffic is dropping.

*** Edit ***

I saw that you have a 3750 switch, and according to the below link, NAT isn't supported:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a008011c629.shtml

HTH, John *** Please rate all useful posts ***

lukedp · ‎11-08-2012

Thankyou for your assitance, i will keep working at it until i figure something out.

John Blakley · ‎11-08-2012

What's the driving decision to connect your ISP directly to the switch? What connects to the other side of the ASA and the routers? Is there a way to rearrange this where your router connects to the ISP instead and then you can configure natting easily enough. If you're not natting on the router now, you could connect the 200.20.20.0 subnet as a routed port and replace the router with the switch, and then put your 100.10.10.1 address on the router and then configure nat. I'm not sure if that would work for you:

Something like:

ISP

| 100.10.10.0

Router

| 200.20.20.0

Switch--------------ASA

|

200.20.20.0

HTH,

John

HTH, John *** Please rate all useful posts ***

lukedp · ‎11-08-2012

i am using it as temporary solution while migrating over to new equipment , current equipment is being replaced and awaiting for new equipment to arrive needed a solution that would fill in as a WAN switch until such time

John Blakley · ‎11-08-2012

Do you have another router that you can throw in between the switch and the ISP? If so, that would be your best bet. You could create a /30 between the switch's routed port and the router, and then configure nat there and have your 100.10.10.1 address on the wan side of the router.

John

HTH, John *** Please rate all useful posts ***

lukedp · ‎11-08-2012

Unfortunatley that is what i am wating on.