03-05-2014 02:41 AM - edited 03-07-2019 06:32 PM
Hello, we have a 3750 Cisco switch and need to build a setup with 2 VLANs:
VLAN 10 with subnet 172.16.20.0/24; the gateway IP address is 172.16.20.1, which is on the firewall, which is connected to uplink port eth 1/1 on the 3750.
VLAN 20 10.10.10.0/24 with gateway 10.10.10.1 on this 3750 switch.
I understand we need to create a Layer 2 VLAN for VLAN 10 and a Layer 3 VLAN for VLAN 20, but I was not sure what config I need to put in. If anyone can help, that would be great.
03-05-2014 07:18 AM
Amit
No problem.
The gi0/0 interface should be in vlan 10, i.e.
int gi0/0
switchport
switchport mode access
switchport access vlan 10
Jon
03-05-2014 07:20 AM
Thanks a lot Jon, appreciate your time.
regards
amit
03-05-2014 07:55 AM
Hi Jon,
It looks like amit may be looking for a config which is similar to RoA. Instead of a router they have got a firewall here.
Amit, you may need to use the below config on your switch and need to check with your FW team on the config at their end.
vlan 10
vlan 20
interface Ethernet1/1
description ** Trunk, to FW Inside interface**
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20
switchport mode trunk
speed 100
duplex full
ip default-gateway 172.16.20.1 or ip route 0.0.0.0 0.0.0.0 172.16.20.1
on Firewall end
And they need to have L3 SVI interfaces created; the config is to be checked with the FW team as it may change according to vendor.
int e1/1.10 -->
encap dot1q 10
ip add 172.16.20.1/24
int e 1/1.20
encap dot1q 20
ip add 10.10.10.1/24
By the above config, routing of VLANs will happen at the firewall.
Hope this helps.
03-05-2014 07:59 AM
vlan 10 with subnet 172.16.20.0/24 gateway ip address is 172.16.20.1 which is on firewall which is connected to uplink port eth 1/1 on 3750
vlan 20 10.10.10.0/24 with gateway 10.10.10.1 on this 3750 switch
If you look at the above from the original post it clearly states that vlan 20 should be routed on the L3 switch.
Jon
03-05-2014 08:15 AM
Then it should work in the below way
vlan 10
vlan 20
create L3 SVIs for both vlans
int vlan 10
ip address 172.16.20.254 255.255.255.0
int vlan 20
ip address 10.10.10.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.20.1
If firewall is connected to G0/0 then
int g 0/0
switchport
switchport mode access
switchport access vlan 10
This should work for amit as he has got all vlan 10 PCs with DG as the firewall, and VLAN 20 PCs will have routing in the L3 switch itself.
Any inter-vlan routing between vlan 10 and vlan 20 will happen within the L3 switch itself. Correct me if I am wrong.
03-05-2014 08:25 AM
Any inter vlan routing between vlan 10 and vlan 20 will happen within L3 switch itself.
No it won't and that wasn't what was asked for.
The requirement was to have vlan 10 routed on the firewall and vlan 20 routed on the L3 switch.
So the default gateway for vlan 10 clients is the firewall and the default gateway for vlan 20 clients is the L3 switch.
The routing between the vlans has to go via the firewall and is not done directly on the L3 switch.
Jon
03-05-2014 11:00 AM
Sorry, it's my bad... I am confused. You are right. If my understanding is correct, in this scenario, when any PC in vlan 20 wants to communicate with a PC in vlan 10, the packet and process flow will be as below. Correct me if I am wrong.
Step 1: PC in VLAN 20 will build the ARP request with src ip (10.10.10.10), src mac (abcd.efgh.xyzq), dest ip (172.16.20.20) and dest mac (ffff.ffff.ffff).
Step 2: The PC in vlan 20 does its calculation and understands that the dest IP is not in its subnet, and it forwards the packet to its default gateway, which is 10.10.10.1. An ARP reply will be sent from the router with dest mac as the router interface mac; in this case the SVI (int VLAN 20) will respond, and the packet is forwarded to the next hop based on the routing table entry. In this case it will take the default gateway, which is 172.16.20.1.
Step 3: As the packet reaches the firewall or another router (in this case it's the firewall), the packet is decapsulated and it checks for the dest IP in the routing table entry. And it checks the ARP table and follows the same process till it reaches the destination PC in vlan 20.
Is my understanding correct?
03-05-2014 11:12 AM
Is my understanding correct?
Almost.
Step 1 and 2 are mixed up though ie. -
PC in vlan 20 does it's calculation and realises the dst IP is in a different subnet. So it then builds the ARP request for it's default gateway (assuming it doesn't already have it which it probably will).
So the vlan 20 PC's ARP request will never have the dst IP of 172.16.20.20 ie. it must be 10.10.10.1 (the vlan 20 SVI IP address) as the PC is simply trying to get a mac address for the default gateway. When the packet is sent from the PC it will be -
src mac = PC in vlan 20
dst mac = vlan 20 SVI
src IP = PC1 IP address
dst IP = PC in vlan 10
Does this make sense ?
Jon
03-05-2014 11:35 AM
Yeah... you are right. Here in this case the ARP table for PCs in VLAN 20 is managed/maintained in the L3 switch; the MAC address table is also maintained in the L3 switch (3750).
If my understanding is correct, for PCs in VLAN 10 the entire ARP table is managed by the firewall, but the CAM table (MAC addresses) is managed by the L3 switch.
Is my above understanding correct?
In this case, does the L3 SVI of VLAN 20 know to reach the firewall by the default route, and is the reverse path for the firewall known through the static route? Is it right? Correct me if I am wrong again.
03-05-2014 11:45 AM
Actually no, it won't work like that because traffic will be routed by the switch directly to the vlan 10 clients.
So my mistake, and I can understand where your confusion is coming from.
So if a PC in vlan 20 sends a packet to a PC in vlan 10 it will be routed directly to the client in vlan 10 and not via the firewall.
The return traffic will be routed via the firewall because that is the default gateway for the vlan 10 clients.
Good spot and I need to update this thread.
The only way to get this to work in terms of all traffic going via the firewall for vlan 10 is to not have a vlan 10 SVI on the switch which means you need subinterfaces on the firewall because you need a new subnet to route between the firewall and the switch which is not in vlan 10.
Let me update the thread and then if you still have any other queries I'll address those.
Thanks for all the questions, it has made me realise the solution I proposed won't work as well as intended.
Jon
03-05-2014 11:56 AM
Amit
Apologies but the solution I proposed doesn't work as intended. The problem is traffic from a PC in vlan 20 to a PC in vlan 10 will be routed directly by the switch and will not go to the firewall.
The return traffic would go via the firewall because that is the default gateway of the vlan 10 clients.
So you can either -
1) route both vlans off the firewall
or
2) if you still want to route only vlan 20 on the L3 switch but make sure any traffic both ways between vlan 10 and vlan 20 go via the firewall then you need to -
1) remove the SVI for vlan 10 from the L3 switch
2) create a new vlan/IP subnet used for the L3 switch to ASA connection
3) if you have a spare interface on the firewall run a new connection back to the L3 switch and allocate the port on the L3 switch into the new vlan
if you do not have a spare interface on the firewall then you will need to use subinterfaces on the firewall interface and make the link to the 3750 a trunk link which allows only vlan 10 and the new vlan
4) create an SVI for the new vlan on the L3 switch and give it an IP.
5) allocate an IP to the new interface or subinterface on the firewall
6) point the default route on the L3 switch to the IP in 5)
7) add a route for vlan 20 on the firewall pointing to the IP in 4)
this way all traffic between vlan 10 and vlan 20 will have to go via the firewall in both directions.
Once again apologies for the mistake.
Jon
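Added example, not part of the thread or any participant's post: a small hop-by-hop forwarding simulation of the two designs Jon discusses, showing that the first design delivers vlan 20 to vlan 10 traffic directly from the switch while the return path crosses the firewall, and that the transit-vlan redesign (steps 1 to 7) puts the firewall on both paths. The host addresses 10.10.10.10 and 172.16.20.20, the switch's vlan 10 SVI address 172.16.20.254, and the 192.168.30.0/30 transit subnet are constructed placeholders.

```python
# Added example, not from the thread: a hop-by-hop forwarding simulation of the
# two designs Jon discusses. Host addresses and the 192.168.30.0/30 transit
# subnet (the "new vlan" of step 2) are constructed placeholders.
import ipaddress

# Which device owns each IP, so a next-hop address can be mapped to a hop.
OWNER = {
    "10.10.10.10": "vlan20-pc", "172.16.20.20": "vlan10-pc",
    "10.10.10.1": "switch", "172.16.20.254": "switch", "192.168.30.2": "switch",
    "172.16.20.1": "firewall", "192.168.30.1": "firewall",
}
PC_TABLES = {  # the clients never change: vlan 10 uses the firewall, vlan 20 the SVI
    "vlan20-pc": [("10.10.10.0/24", "connected"), ("0.0.0.0/0", "10.10.10.1")],
    "vlan10-pc": [("172.16.20.0/24", "connected"), ("0.0.0.0/0", "172.16.20.1")],
}
# First design: switch has SVIs in both vlans plus a default to the firewall;
# the firewall reaches vlan 20 via the switch's vlan 10 SVI.
ORIGINAL = dict(PC_TABLES,
    switch=[("10.10.10.0/24", "connected"), ("172.16.20.0/24", "connected"),
            ("0.0.0.0/0", "172.16.20.1")],
    firewall=[("172.16.20.0/24", "connected"), ("10.10.10.0/24", "172.16.20.254")])
# Redesign (steps 1-7): no vlan 10 SVI; a transit vlan carries switch<->firewall routing.
FIXED = dict(PC_TABLES,
    switch=[("10.10.10.0/24", "connected"), ("192.168.30.0/30", "connected"),
            ("0.0.0.0/0", "192.168.30.1")],
    firewall=[("172.16.20.0/24", "connected"), ("192.168.30.0/30", "connected"),
              ("10.10.10.0/24", "192.168.30.2")])

def next_hop(table, dst):
    """Longest-prefix match; 'connected' means the device delivers directly."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(design, src, dst_ip):
    """Return the ordered list of devices a packet from src crosses on its way to dst_ip."""
    path, cur = [src], src
    for _ in range(8):  # bound the walk so a routing loop cannot spin forever
        nh = next_hop(design[cur], dst_ip)
        if nh is None:
            raise ValueError(f"{cur} has no route to {dst_ip}")
        cur = OWNER[dst_ip] if nh == "connected" else OWNER[nh]
        path.append(cur)
        if cur == OWNER[dst_ip]:
            return path
    raise RuntimeError("routing loop")

def firewall_sees_both_ways(design):
    """True only if vlan 20 -> vlan 10 and the return path both cross the firewall."""
    fwd = trace(design, "vlan20-pc", "172.16.20.20")
    rev = trace(design, "vlan10-pc", "10.10.10.10")
    return "firewall" in fwd and "firewall" in rev
```

With ORIGINAL, `trace` returns `['vlan20-pc', 'switch', 'vlan10-pc']` for the forward direction, the asymmetric path Jon describes; with FIXED both directions include the firewall.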