05-15-2013 08:33 AM - edited 03-07-2019 01:22 PM
I'm trying to set up per-VLAN routing on a 3560G switch, but it's not performing as I would expect. I've got a server on the 109 VLAN with a 10.1.9.100 address and a default gateway of 10.1.9.1; this address is an HSRP gateway and currently resides on 10.1.9.7. When I traceroute through to my user PC on the internal network it receives a response from 10.1.9.7. However, it is then denied by an ACL on the internal firewall which has been applied to interface Eth0/0. It should arrive at the firewall on Eth0/2.109, as it has the 10.1.9.4 address.
My goal here is to route traffic on the 101 VLAN to a separate interface on the internal firewall from 109 VLAN traffic. I'm either doing something wrong or these routing commands aren't designed to work in the way I'm expecting (I couldn't find any documentation on the ip route command where it is followed by different gateways for different VLANs).
I'd be grateful for any help
interface GigabitEthernet0/2
description Internal-FW Eth0/0
switchport access vlan 101
switchport mode access
!
interface GigabitEthernet0/12
description Internal-FW Eth0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 109
switchport mode trunk
!
interface Vlan1
no ip address
no ip mroute-cache
shutdown
!
interface Vlan101
ip address 10.1.1.7 255.255.255.0
standby 0 ip 10.1.1.1
standby 0 priority 90
!
interface Vlan109
ip address 10.1.9.7 255.255.255.0
standby 0 ip 10.1.9.1
standby 0 priority 110
no ip mroute-cache
!
ip route 0.0.0.0 0.0.0.0 Vlan101 10.1.1.2
ip route 0.0.0.0 0.0.0.0 Vlan109 10.1.9.50
ip route 192.168.0.0 255.255.0.0 Vlan101 10.1.1.4
ip route 192.168.0.0 255.255.0.0 Vlan109 10.1.9.4
!
DMZ-SW#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.1.9.50 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.1.9.50, Vlan109
[1/0] via 10.1.1.2, Vlan101
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Vlan101
L 10.1.1.7/32 is directly connected, Vlan101
C 10.1.9.0/24 is directly connected, Vlan109
L 10.1.9.7/32 is directly connected, Vlan109
S 192.168.0.0/16 [1/0] via 10.1.9.4, Vlan109
[1/0] via 10.1.1.4, Vlan101
DMZ-SW#
DMZ-SW#sh ver
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 28-Jul-12 00:01 by prod_rel_team
ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
DMZ-SW uptime is 1 day, 2 hours, 34 minutes
System returned to ROM by power-on
System image file is "flash:/c3560-ipservicesk9-mz.150-2.SE.bin"
05-15-2013 10:10 AM
Per what I see in your diagram, you should not need to do any routing. VLAN 101 can pass through the switch at layer 2 and go right into the firewall.
However, if you do feel you need to do this with routing, you will want to take a look at policy-based routing. It is absolutely the correct tool for doing that. Essentially you will just match a class of traffic and set where you want it to go.
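The policy-based routing approach described in the answer, written out as an added example (not configuration from the original post). It assumes the addresses from the question: the firewall's Eth0/2.109 is 10.1.9.4 with 10.1.9.50 as the VLAN 109 default-path next hop, and the VLAN 101 side uses 10.1.1.4 and 10.1.1.2 the same way. The two equal-cost static routes in the original config let the switch pick either firewall interface per destination, which is why traffic hit the Eth0/0 ACL; PBR keyed on the ingress SVI makes the path deterministic, so each firewall interface's ACL only ever sees the VLAN it was written for.

```cisco
! PBR on the 3560 needs the routing SDM template (takes effect after a
! reload) and the IP services image, which the 'sh ver' output shows is loaded.
sdm prefer routing
!
! Traffic from DMZ VLAN 109: internal networks first, everything else second.
ip access-list extended PBR-V109-INTERNAL
 permit ip 10.1.9.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended PBR-V109-DEFAULT
 permit ip 10.1.9.0 0.0.0.255 any
!
ip access-list extended PBR-V101-INTERNAL
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended PBR-V101-DEFAULT
 permit ip 10.1.1.0 0.0.0.255 any
!
! Sequence order matters: the specific internal match comes before the
! broad default entry so the default entry cannot capture it.
route-map PBR-V109 permit 10
 match ip address PBR-V109-INTERNAL
 set ip next-hop 10.1.9.4
route-map PBR-V109 permit 20
 match ip address PBR-V109-DEFAULT
 set ip next-hop 10.1.9.50
!
route-map PBR-V101 permit 10
 match ip address PBR-V101-INTERNAL
 set ip next-hop 10.1.1.4
route-map PBR-V101 permit 20
 match ip address PBR-V101-DEFAULT
 set ip next-hop 10.1.1.2
!
! Apply on the SVIs: PBR acts on packets entering the switch from that VLAN.
! Note the 'any' entries also steer inter-VLAN (101 <-> 109) traffic to the
! firewall, which is normally what you want for a DMZ.
interface Vlan109
 ip policy route-map PBR-V109
interface Vlan101
 ip policy route-map PBR-V101
!
! Once the policy is in place, the duplicate 'ip route ... Vlan101/Vlan109'
! pairs are only a fallback; one static route per destination is enough.
```

Confirm attachment with show ip policy and show route-map, then repeat the traceroute from the 10.1.9.100 server to check that the first hop past the switch is 10.1.9.4 rather than the Eth0/0 address.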