Layer 3 /30 Vlans Daisy Chain help

BrianOver
Level 1

Hi All!

I got dragged into a partly configured project & am trying to piece together what's needed

*UPDATE because I worded this poorly

Network:

Firewall -> Aggregate C3850-S
                  -> Trunk -> (A) C3850-S
                  -> Trunk -> (B) C3850-S
                  -> Trunk -> (C) C3850-S

 

A, B, & C contain many /30 Vlans connected to corresponding DHCP pools (They give out 1 specific IP) 

Vlans are all configured with an INT address & are only populated on their corresponding switch

A is 192.168.5.0 - split into Vlan 2-20 all /30

B is 192.168.6.0 - split into Vlan 26-49 all /30

C is 192.168.7.0 - split into Vlan 50-73 All /30

 

The trouble, as always, is internet access. I've tried a lot of different route combinations on the Firewall & Switches but they never seem to pick up internet access.

 

A buddy theorized I could make the interface on the firewall 192.168.4.1/16 & make that the default router for all the vlans (DHCP) but I cannot seem to get that to work.

 

Any ideas? Struggling here

 

 

 

 


17 Replies

Are the SWs L3 or L2?

They are all layer 3

Anyway

Config one vlan that is found in all SWs and allowed on the trunks, ending at the IN interface of the FW.

Config the IP default route to point to the end of this vlan on the FW.

Now any SW that receives traffic from any vlan will route it to this vlan.

But keep in mind that if the FW-agg link fails then all SWs will lose internet.

Don't use VLAN 1, for security.

So to double check

Vlan 1 on all of the switches

Set Vlan 1 GW (192.168.1.1) on the firewall

IP default route from the switches to the 192.168.1.1

 

Does that seem correct? I normally would set up all gateways on the firewall (router) so this config I am unfamiliar with

There are many things about this environment that we do not know and that impacts our ability to give good advice. While we wait for better information to be provided I will start with a few questions:

- can you confirm that the firewall does have IP access to Internet resources?

- does the firewall have address translation configured for the many inside vlans?

- can a device connected in one of those vlans ping its default gateway (and can you verify that this default gateway is the firewall)?

HTH

Rick

The firewall is an active production unit - Full internet access

There is no issue with NAT/PAT

The firewall interface can be configured with any IP or as a VLAN trunk - the problem is getting the default gateway of the many Vlans to the firewall 

Each host in a VLAN has one default GW, which is the SVI of the VLAN.
In all SWs you config VLAN 1 only, "without SVI".
In the FW, config the IN interface with the VLAN 1 IP, "from your example 192.168.1.1".
Config in all SWs:
ip route 0.0.0.0 0.0.0.0 192.168.1.1

For DHCP??
You can config the DHCP relay on the SVI of any VLAN in which you want to use DHCP for host IP assignment.

Tried this - Using Vlan 99 instead of Vlan 1 per recommendation 

Firewall - Vlan 99 - 192.168.99.1/24

Switches - Vlan 99 to all the switches & allowed on the trunk ports

 

The Switches would not apply default routes to 192.168.99.1 unless I had int vlan 99 set on each

Firewall 192.168.99.1

Agg. - 192.168.99.2

A - 192.168.99.3

B - 192.168.99.4

C - 192.168.99.5

 

Results:

Test Server (TS) received correct DHCP settings (192.168.5.53/30 - Gateway 192.168.5.54 - DNS 8.8.8.8)

The TS can ping 192.168.99.3 (the switch it is connected to), 192.168.99.2 & 192.168.99.1

No internet access is available 

All the switches can ping each other & the FW

 

*Update

I added a route on the FW - 192.168.5.52/30 to 192.168.99.3 (the switch with the .5.X vlans/routes on it)

Using traceroute from the FW, the first hop to 192.168.99.3 works but all further hops fail.

The FW is correctly connecting to the SW then SW fails to route the packet to TS. Looking at the SW route table, everything is correct, all Vlans (including .5.52/30) are automatically in the table & healthy

 

*Update 2

Turns out the SWs just took a long time to propagate their routing tables

I gave it a night & it magically worked in the morning

 

Thank yall for the help!
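A constructed model, added here and not taken from the thread or from Cisco, of why the return path mattered in the solution above and in the design reply earlier: each switch defaults to the firewall over the shared transit VLAN, but the firewall also needs a route back to each /30 via that switch's VLAN 99 address, otherwise de-NATted replies to 192.168.5.53 follow the firewall's own default route upstream. The node names TS, SW-A and FW, and the ISP-side address 203.0.113.1, are assumptions; the RFC 1918 addresses are the ones posted in the thread.

```python
from ipaddress import ip_address, ip_network
# Address -> node map, constructed from the IPs in the thread. 203.0.113.1 is a
# made-up ISP-side placeholder (documentation range); INET stands for the ISP.
OWNER = {
    "192.168.99.1": "FW", "192.168.99.3": "SW-A", "192.168.5.54": "SW-A",
    "192.168.5.53": "TS", "203.0.113.1": "INET", "8.8.8.8": "INET",
}

def table(*routes):
    """Routing table as (prefix, next_hop) pairs; next_hop None = connected."""
    return [(ip_network(p), nh) for p, nh in routes]

TS = table(("192.168.5.52/30", None), ("0.0.0.0/0", "192.168.5.54"))
SW_A = table(("192.168.5.52/30", None), ("192.168.99.0/24", None),
             ("0.0.0.0/0", "192.168.99.1"))              # default route to the FW
FW_BEFORE = table(("192.168.99.0/24", None), ("203.0.113.0/30", None),
                  ("0.0.0.0/0", "203.0.113.1"))         # only a default to the ISP
FW_AFTER = FW_BEFORE + table(("192.168.5.52/30", "192.168.99.3"))  # OP's added route

def lookup(tbl, dst):
    """Longest-prefix match: returns the next hop (None = connected) or raises."""
    matches = [(net, nh) for net, nh in tbl if ip_address(dst) in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Forward a packet hop by hop and return the nodes it visits. The walk
    ends when the owner of dst is reached, or with DROP when a node has no
    route or the packet reaches INET (the ISP never routes RFC 1918 space)."""
    path, node = [start], start
    for _ in range(max_hops):
        if OWNER.get(dst) == node:
            return path                                   # delivered
        if node == "INET":
            return path + ["DROP"]                        # private dst leaked upstream
        try:
            nh = lookup(tables[node], dst)
        except LookupError:
            return path + ["DROP"]
        node = OWNER[dst] if nh is None else OWNER[nh]
        path.append(node)
    return path + ["LOOP"]

TOPO_BEFORE = {"TS": TS, "SW-A": SW_A, "FW": FW_BEFORE}
TOPO_AFTER = {"TS": TS, "SW-A": SW_A, "FW": FW_AFTER}

if __name__ == "__main__":
    print(trace(TOPO_BEFORE, "TS", "8.8.8.8"))       # ['TS', 'SW-A', 'FW', 'INET']
    print(trace(TOPO_BEFORE, "FW", "192.168.5.53"))  # ['FW', 'INET', 'DROP']
    print(trace(TOPO_AFTER, "FW", "192.168.5.53"))   # ['FW', 'SW-A', 'TS']
```

Outbound traffic already reaches the firewall in both cases; only the return hop changes, which matches the traceroute symptom the firewall showed before the route was added. Switches B and C would get the same treatment with their own /30s pointed at 192.168.99.4 and 192.168.99.5.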

 

If the server can ping the firewall but the firewall can't ping the server check for a firewall on the server itself. 

 

Are you sure the firewall is setup correctly in terms of NAT and acls as you have connectivity to it from the server. 

 

Jon

Traceroute shows the first SW?

Here I stop, because the traffic must bridge, not route, in each SW until the last SW that has this IP; then it will be routed to its vlan.

I will make some analysis and return later.

Thanks a lot for sharing info.
Thanks a lot.
Good job friend.

Thank you for the help!

Jon Marshall
Hall of Fame

 

If each switch has its own vlans, then what vlan(s) are on the trunk links between the switches?

 

Jon
