Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
800
Views
0
Helpful
10
Replies

Mutliple VLANS - Default route to internet

ckeyy
Level 1
Level 1

‎10-17-2024 09:08 AM

Has anyone experience configuration of mutiple vlans in core switch to reach the internet but using default route?

(Currently issue is that only one vlan can access the internet, if I configured also the rest of the vlans by default route, it cannot access the internet)

My setup are

- SVI core switch using .1

-Firewall subinterface using .2

-Core and Firewall are in port-channel

-Nat all Vlans network

-inside to outside

 

Labels:
0 Helpful
10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

‎10-17-2024 09:13 AM - edited ‎10-17-2024 09:15 AM

what is the default route point to from CORE Switch ? how is your network diagram looks like

Access Switch --- Core ---FW ---ISP ? then below assumptions should work.

If the Switch have ip route 0.0.0.0 0.0.0.0 x.x.x.2 ( all the traffic will go to Firewall)

Firewall should have route back to switch all the Multiple VLAN IP back to x.x.x.1 for that to work on the return traffic.

Make sure Firewall also do the NAT for all the RFC 1918 address while going to internet.

Currently issue is that only one vlan can access the internet

can you provide the working and not working vlan information and also other information requested below.

Note  : this is based on the information provided, you need to tell us what switch, what SVI VLAN,. and ip route information from Switch and Firewall./

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ckeyy
Level 1
Level 1
In response to balaji.bandi

‎10-17-2024 10:49 AM - edited ‎10-17-2024 11:23 AM

 

ckg_0-1729186928727.png

Core config:
-SVI (using .1) ex. 192.168.10.1 for vlan 10

-ACL Standard for vlan segmentation (permit ip any at last and ip access-group _ out) (acl is used for vlan restriction to other vlans)
-Port channel of uplink to firewall

-default route (ip route 0.0.0.0 0.0.0.0 192.168.10.2) it basically accesses the internet (can going ping 8.8.8.8 and isp gateway.

But other vlans can not since there's no route. I tried to create a default route for each vlan (I have 10 vlans, so 10 default route)

ex. 

ip route 0.0.0.0 0.0.0.0 192.168.10.2 - vlan 10

ip route 0.0.0.0 0.0.0.0. 192.168.20.2 - vlan 20

ip route 0.0.0.0 0.0.0.0 192.168.30.2 - vlan 30

ip route 0.0.0.0 0.0.0.0. 192.168.40.2 - vlan 40   and so on....

, but I experienced inconsistent pinging 8.8.8.8 and cannot ping isp gateway. Like I ping it first but when I changed my IP to test other VLANS, it said RTO. 

Firewall config via GUI:

-Created port-channel and subinterfaces (using .2) ex. 192.168.10.2

-Dynamic nat (created nat for each vlans)

-policy (inside to outside) (created zones for each vlans)

0 Helpful

Flavio Miranda
VIP
VIP

‎10-17-2024 09:28 AM

@ckeyy 

 The port-channel is layer2 or layer3? Probably it is a layer2 (have no IP on it). If that is the case, you need to first allow all vlans on the port channel and you need to create interface vlans on the firewall for each vlans.  Or subinterfaces as it seems to be your case.

The reason that one vlan is working is probably because this is allowed on the port-channel or this is a native vlan and the firewall have IP address on this vlan. 

If the port-channel were a layer3 , meaning, a transit network between the core and the firewall, it would work. 

0 Helpful

ckeyy
Level 1
Level 1
In response to Flavio Miranda

‎10-17-2024 10:55 AM

I allowed all vlans in port-channel using switchport mode trunk and switchport trunk allowed vlan all. Created also subinterfaces in firewall. I'm using ".2" for firewall subinterfaces, while in core is ".1"

 

I tested also the layer 3 port channel in which I assigned IP to firewall port channel (ex. 10.10.1.2) and core switch port-channel (10.10.1.1), but still didnt't work.

The default route in core switch is ip route 0.0.0.0 0.0.0.0 10.10.1.2

0 Helpful

Flavio Miranda
VIP
VIP
In response to ckeyy

‎10-17-2024 11:32 AM

Whch switch is it? Does it have the command "ip routing" on it?

Which license are you using?

If L3 port-channel, if you add a default route on the code sending all to the firewall side, it should work, unless you need to do something else on the firewall side.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎10-17-2024 09:46 AM

"Has anyone experience configuration of mutiple vlans in core switch to reach the internet but using default route?"

Some.  ; )

"(Currently issue is that only one vlan can access the internet, if I configured also the rest of the vlans by default route, it cannot access the internet)"

Need more info, but routing is two way.  Does FW "know" all the subnets on the core switch?

0 Helpful

ckeyy
Level 1
Level 1
In response to Joseph W. Doherty

‎10-17-2024 10:58 AM

I configured SVI in core switch using .1

Configured subinterfaces in firewall using .2

tried to ping if svi can reach subinterfaces (ex. ping 192.168.10.2 source 192.168.10.1) it's pingable.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to ckeyy

‎10-17-2024 11:37 AM

Are you saying, FW has a subinterface, i.e. .2, in each core VLAN?

0 Helpful

ckeyy
Level 1
Level 1
In response to Joseph W. Doherty

‎10-17-2024 11:40 AM

yup

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to ckeyy

‎10-17-2024 01:22 PM

I would suspect your issue is on the FW.

BTW, the usual configuration I've seen with FWs, they have a routed link to the internal subnets, not having a foot in multiple internal subnets.

0 Helpful
Customers Also Viewed These Support Documents