Passing multiple vlans through a single vlan

kpulford2
Level 1

Hi everyone,

I have the following:

2 x 3850's stacked into one backplane with ipbase on them.

3 x 2960x stacked into a separate single backplane, with lanbase.

I have a pair of 10g ports - port-channeled and trunked between the 2960x's and the 3850's.

 

I am using the following vlan's:  Vlan 98 , 142, 202

 

Vlan 98 is what I am using as my exit Vlan from my 3850's to my firewall.

Vlan 142 is my access layer (workstation Vlan)

Vlan 202 is my Voice Vlan.

 

I have a pair of 1g interfaces port-channeled and trunked to the firewall. And the Firewall is a CheckPoint appliance model 2200.  I have two 1g ports on the checkpoint bonded with an ip address of the vlan98 Vlan range. (172.30.255.1 to be exact)

 

On the 3850's I have a layer 2 Vlan 98 and a layer 3 interface Vlan 98.  The layer 3 interface has an ip address of 172.30.255.254 on it.

On the 2960x's I have a layer 2 Vlan 98 created but unassigned to anything specific.

 

Now I have static routes on the 3850 to route 0.0.0.0 0.0.0.0 to 172.30.255.1

My port-channel to the checkpoint has a native Vlan set to Vlan 98.

 

From the 3850's I can ping the firewall. and the firewall can ping the 3850's.

 

However, my 2960x's or a workstation attached to the 2960x on Vlan 142 cannot ping 172.30.255.1, but it can ping 172.30.255.254.  Which makes sense as the 3850 is also the default gateway for Vlan 142.

My problem is I think I need to be able to ping all the way through in both directions, and can't seem to be able to.

 

I checked the firewall to make sure I was allowing ping from any internal subnets and it shows that it is.

 

I don't do this sort of thing often enough to remember what I am missing here.  It seems that there is something in either the port-channel setup or the trunking.  (I do not have any native Vlan setup between the 2960x and the 3850's.)

 

What I want to do, and maybe this is where I am going about this wrong. I want to send all traffic the 3850 doesn't know about up to the firewall ideally over Vlan 98.  Is this even possible?

 

Thank you all so much in advance for any help you can offer.

 

Sincerely,

 

Kevin Pulford

Systems Administrator

4 Replies

Jon Marshall
Hall of Fame

Add a route to the firewall for the vlan 142 IP subnet eg.

"ip route <vlan 142 IP subnet> 255.255.255.0 172.30.255.254"

note the above is Cisco syntax so you would need to modify for the firewall, and assumes a /24 subnet mask but that should give you the idea.

Also you say the native vlan on the port channel to the firewall is vlan 98 which suggests it is a trunk link but it doesn't need to be, i.e. it could just be in vlan 98.

Will work either way though.

Jon
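An added worked example, not part of the thread and not Cisco IOS or Check Point code, that models the forwarding decisions described in the posts as plain routing tables. It shows why the echo request from a VLAN 142 host reaches the firewall while the reply has nowhere to go until the firewall carries a route back to the VLAN 142 subnet via 172.30.255.254, which is the fix Jon describes. The addressing 192.168.3.0/24 for VLAN 142 and 192.168.4.0/24 for VLAN 202 is taken from Kevin's later reply in the thread; the host address 192.168.3.10 and the ISP next hop 203.0.113.1 are constructed for the example.

```python
"""Model of the thread's topology: a VLAN 142 host, the 3850 core (gateway
for the internal VLANs, default route to the firewall) and the Check Point
firewall on VLAN 98. Added example, not vendor code; addresses other than
the ones quoted in the thread are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Device:
    """A host or router: its own IP addresses plus a routing table.
    Each route is (prefix, next_hop); next_hop None means directly connected."""
    name: str
    addresses: set
    routes: list = field(default_factory=list)

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, next_hop in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


def build_topology(firewall_return_route):
    """Return an {ip: Device} map. firewall_return_route=True adds the routes
    Jon suggests (internal subnets reachable via the 3850's VLAN 98 address)."""
    host = Device("workstation-vlan142", {"192.168.3.10"},
                  [("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.3.1")])
    core = Device("3850", {"192.168.3.1", "192.168.4.1", "172.30.255.254"},
                  [("192.168.3.0/24", None), ("192.168.4.0/24", None),
                   ("172.30.255.0/24", None), ("0.0.0.0/0", "172.30.255.1")])
    fw = Device("checkpoint", {"172.30.255.1"},
                [("172.30.255.0/24", None),
                 ("0.0.0.0/0", "203.0.113.1")])  # constructed ISP next hop
    if firewall_return_route:
        fw.routes.append(("192.168.3.0/24", "172.30.255.254"))
        fw.routes.append(("192.168.4.0/24", "172.30.255.254"))
    devices = [host, core, fw]
    return {ip: d for d in devices for ip in d.addresses}


def trace(owner, src, dst, max_hops=8):
    """Follow hop-by-hop forwarding from the device owning src until dst is
    delivered, no route exists, or the packet leaves the modelled network.
    Returns (path, outcome)."""
    cur = owner[src]
    path = [cur.name]
    for _ in range(max_hops):
        if dst in cur.addresses:
            return path, "delivered"
        route = cur.lookup(dst)
        if route is None:
            return path, "no route"
        _, next_hop = route
        if next_hop is None:
            # connected subnet: hand the packet straight to the destination
            nxt = owner.get(dst)
            if nxt is None:
                return path, "unreachable on connected segment"
        else:
            nxt = owner.get(next_hop)
            if nxt is None:
                # next hop is outside the model (the ISP): a private
                # destination sent this way is effectively lost
                return path + [next_hop], "forwarded upstream"
        cur = nxt
        path.append(cur.name)
    return path, "loop"


def round_trip(owner, src, dst):
    """Outcomes of an ICMP echo request from src to dst and of its reply."""
    return trace(owner, src, dst)[1], trace(owner, dst, src)[1]


if __name__ == "__main__":
    for fixed in (False, True):
        owner = build_topology(firewall_return_route=fixed)
        print("firewall return route:", fixed)
        for target in ("172.30.255.254", "172.30.255.1"):
            print("  ping", target, "->", round_trip(owner, "192.168.3.10", target))
            print("    reply path:", trace(owner, target, "192.168.3.10")[0])
```

The request path is identical in both runs, which is why checking the firewall's ping policy alone does not explain the symptom: the echo request arrives, and it is the reply that leaves via the firewall's default route and never comes back. The same reasoning applies to any other internal subnet the 3850 routes: every such prefix needs a return route on the firewall pointing at 172.30.255.254.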

Jon,

 

I wanted to respond to this as well.  I am not exactly sure which order the suggestions came in.

 

I do have route statements in the firewall to return 192.168.3.0 and 192.168.4.0 to the 3850 ip address of 172.30.255.254.

 

These are specifically for vlan 142 and 202.

 

Though the firewall does not have the concept of the vlan tags for these, just ip route statements.

 

Thank you so much for your help.

 

Kevin

Jon Marshall
Hall of Fame

Kevin

Just to be clear, I am assuming you want to route the internal vlans on the 3850 and only send internet traffic to the firewall.

If you want to firewall between internal subnets as well then you need to do something different than I suggested previously.

Let me know.

Jon

Thank you for your replies Jon,

 

Yes I want to have my 3850's be my core Router for all of my internal networks.  Only sending the traffic bound for the Internet to the firewall over vlan 98 ideally.

 

I have the following route statements in my 3850:

ip route 0.0.0.0 0.0.0.0 172.30.255.1    (172.30.255.1 is the Check Point ip address for the vlan98 vlan)

 

And the 3850 has vlan interfaces for vlan 142 and vlan 202 that act as the gateways for those specific vlans.

 

I also have no acl's or vlan acl's in place at this time.

 

Thank you again for any help you can offer.

 

Sincerely,

 

Kevin