06-08-2022 01:02 PM - edited 06-08-2022 01:39 PM
Hi All!
I got dragged into a partly configured project & am trying to piece together what's needed
*UPDATE because I worded this poorly
Network:
Firewall -> Aggregate C3850-S
-> Trunk -> (A) C3850-S
-> Trunk -> (B) C3850-S
-> Trunk -> (C) C3850-S
A, B, & C contain many /30 Vlans connected to corresponding DHCP pools (They give out 1 specific IP)
Vlans are all configured with an INT address & are only populated on their corresponding switch
A is 192.168.5.0 - split into Vlan 2-20 all /30
B is 192.168.6.0 - split into Vlan 26-49 all /30
C is 192.168.7.0 - split into Vlan 50-73 All /30
The trouble, as always, is internet access. I've tried a lot of different route combinations on the Firewall & Switches but they never seem to pick up internet access
A buddy theorized I could make the interface on the firewall 192.168.4.1/16 & make that the default router for all the VLANs (DHCP) but I cannot seem to get that to work
Any ideas? Struggling here
06-08-2022 02:48 PM - edited 06-09-2022 06:56 AM
Tried this - Using Vlan 99 instead of Vlan 1 per recommendation
Firewall - Vlan 99 - 192.168.99.1/24
Switches - Vlan 99 to all the switches & allowed on the trunk ports
The Switches would not apply default routes to 192.168.99.1 unless I had int vlan 99 set on each
Firewall 192.168.99.1
Agg. - 192.168.99.2
A - 192.168.99.3
B - 192.168.99.4
C - 192.168.99.5
Results:
Test Server (TS) received correct DHCP settings (192.168.5.53/30 - Gateway 192.168.5.54 - DNS 8.8.8.8)
The TS can ping 192.168.99.3 (the switch it is connected to), 192.168.99.2 & 192.168.99.1
No internet access is available
All the switches can ping each other & the FW
*Update
I added a route on the FW - 192.168.5.52/30 to 192.168.99.3 (the switch with the .5.X vlans/routes on it)
Using traceroute from the FW, the first hop to 192.168.99.3 works but all further hops fail.
The FW is correctly connecting to the SW then SW fails to route the packet to TS. Looking at the SW route table, everything is correct, all Vlans (including .5.52/30) are automatically in the table & healthy
*Update 2
Turns out the SWs just took a long time to propagate their routing tables
I gave it a night & it magically worked in the morning
Thank yall for the help!
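The asymmetry the solution ran into (the switches default-route everything to the FW over the transit VLAN, but the FW still needs a route back to each switch's /30s) modelled as longest-prefix-match lookups. This is an added example, not config from the thread; it uses the thread's addresses, assumes VLAN 15 for the test server's /30 on switch A, and generalizes the /30 return route the poster added to a /24 summary covering all of switch A's VLANs.

```python
import ipaddress

# Constructed model of the thread's topology: firewall (FW) and switch A.
# Transit VLAN 99 addresses are from the thread; VLAN 15 is assumed.
TRANSIT = {"192.168.99.1": "FW", "192.168.99.3": "SW_A"}

SW_A = {
    "192.168.99.0/24": "connected vlan99",   # shared transit VLAN, SVI .99.3
    "192.168.5.52/30": "connected vlan15",   # TS 192.168.5.53, gateway .54 (SVI)
    "0.0.0.0/0": "192.168.99.1",             # ip route 0.0.0.0 0.0.0.0 192.168.99.1
}
FW_BEFORE = {
    "192.168.99.0/24": "connected vlan99",
    "0.0.0.0/0": "ISP",                      # internet-facing default route
}
# Return route on the FW: the thread added 192.168.5.52/30; a /24 summary
# covers every /30 that switch A hosts (assumed generalization).
FW_AFTER = {**FW_BEFORE, "192.168.5.0/24": "192.168.99.3"}

TABLES_BEFORE = {"FW": FW_BEFORE, "SW_A": SW_A}
TABLES_AFTER = {"FW": FW_AFTER, "SW_A": SW_A}


def lookup(table, dst):
    """Longest-prefix match over one route table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(tables, start, dst):
    """Follow next hops from `start` until the packet lands on a connected
    interface, is handed to an external hop (ISP), or has no route (DROP)."""
    path, node = [start], start
    for _ in range(len(tables) + 1):      # bounded walk so a loop cannot spin
        next_hop = lookup(tables[node], dst)
        if next_hop is None:
            path.append("DROP")
            break
        path.append(next_hop)
        if next_hop.startswith("connected") or next_hop not in TRANSIT:
            break
        node = TRANSIT[next_hop]
    return path


if __name__ == "__main__":
    print("TS -> internet  :", trace(TABLES_BEFORE, "SW_A", "8.8.8.8"))
    print("FW -> TS before :", trace(TABLES_BEFORE, "FW", "192.168.5.53"))
    print("FW -> TS after  :", trace(TABLES_AFTER, "FW", "192.168.5.53"))
```

Before the return route, the FW's only match for 192.168.5.53 is its default route, so the reply is pushed toward the ISP instead of back to switch A, which is exactly why the TS could ping 192.168.99.1 but got no internet.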
06-08-2022 01:08 PM
Are the SWs L3 or L2?
06-08-2022 01:13 PM
They are all layer 3
06-08-2022 01:14 PM - edited 06-08-2022 01:30 PM
Anyway
Config one VLAN that is found in all SWs and allowed on the trunks, ending on the IN interface of the FW.
Config the
IP default route to point to the end of this VLAN on the FW.
Now any SW that receives traffic from any VLAN will route it to this VLAN.
But keep in mind that if the FW-agg link fails then all SWs will lose internet.
06-08-2022 01:49 PM
don't use VLAN1, for security.
06-08-2022 01:50 PM
So to double check
Vlan 1 on all of the switches
Set Vlan 1 GW (192.168.1.1) on the firewall
IP default route from the switches to the 192.168.1.1
Does that seem correct? I normally would set up all gateways on the firewall (router) so this config I am unfamiliar with
06-08-2022 02:01 PM
There are many things about this environment that we do not know and that impacts our ability to give good advice. While we wait for better information to be provided I will start with a few questions:
- can you confirm that the firewall does have IP access to Internet resources?
- does the firewall have address translation configured for the many inside vlans?
- can a device connected in one of those vlans ping its default gateway (and can you verify that this default gateway is the firewall)?
06-08-2022 02:07 PM
The firewall is an active production unit - Full internet access
There is no issue with Nat/pat
The firewall interface can be configured with any IP or as a VLAN trunk - the problem is getting the default gateway of the many Vlans to the firewall
06-08-2022 02:06 PM - edited 06-08-2022 02:10 PM
Each host in a VLAN has one default GW, which is the SVI of that VLAN.
In all SWs you config VLAN 1 only, "without SVI".
In the FW config the IN interface with the VLAN 1 IP, "from your example 192.168.1.1".
Config in all SWs:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
For DHCP??
You can config the DHCP relay on the SVI of any VLAN where you want to use DHCP for host IP assignment.
06-09-2022 12:41 AM
If the server can ping the firewall but the firewall can't ping the server check for a firewall on the server itself.
Are you sure the firewall is setup correctly in terms of NAT and acls as you have connectivity to it from the server.
Jon
06-09-2022 03:00 AM - edited 06-09-2022 03:31 AM
Traceroute shows the first SW?
Here I stop, because the traffic must be bridged, not routed, in each SW until the last SW that has this IP; then it will be routed to its VLAN.
I will make some analysis and return later.
06-09-2022 08:25 AM
Thanks a lot for sharing the info.
Thanks a lot.
Good job, friend.
06-09-2022 09:52 AM
Thank you for the help!
06-08-2022 01:20 PM
If each switch has its own VLANs, then what VLAN(s) are on the trunk links between the switches?
Jon