Solved: We have no information on the

peterpan8383 · ‎06-11-2016

am trying to set up several VLAN's on a Cisco 3560 switch. These new segments should be able to communicate with VLAN 1 and even access the Internet. I managed to add the VLAN's and have network connectivity between the new VLAN's. However, routing from these VLAN's to VLAN1 has not been working correctly. Definitely something is missing or correct in this configuration. It would be much appreciated if someone can shed some lights. Thanks in advance.

Basic IP information:

Gateway 10.1.1.2
VLAN1: 10.1.1.1/24
VLAN2: 10.1.2.1/24
VLAN3: 10.1.3.1/24

What's working:

Hosts in VLAN 1 one can ping the DG and access the internet
LAN 2 & 3 are communicating with each other. Hosts in VLAN2 (e.g. 10.1.2.2) can ping hosts in VLAN3 (e.g. 10.1.3.2) on the same switch
Hosts in VLAN 2 & 3 can ping the interface IP of VLAN1 (10.1.1.1)

What's not working:

Hosts in VLAN 2 & 3 cannot ping the hosts in VLAN 1 on the same switch, or vice versa.
Hosts in VLAN 2 & 3 cannot even ping the DG.

Mollom blocks my post if I include the config. Sorry that I have to include it as an attachment.

pwwiddicombe · ‎06-11-2016

We have no information on the DG - what it is, how it is configured. It likely:

1. Does not know about vlan2 and vlan3 subnet ranges. Therefore can't return packets to them.

2. The default gateway for vlan1 clients is 10.1.1.2, so when vlan1 clients try to reply to vlan 2,3, packets get directed to DG, which probably ONLY has a default route to the Internet.

3. Once that's somehow resolved (additional statics on the DG), Internet for vlan 2,3 will require NAT rules same as for vlan 1.

View solution in original post

pwwiddicombe · ‎06-11-2016

Hmmm... Not really. You could put the static route as a "superset" of 10.1.0.0 255.255.0.0, as technically those routes aren't supposed to hit the Internet anyway; although I presume they are nat'd going in the outbound direction anyway. I think you'd have to make NAT changes as well.

If you had used a proxy server, then internal routing matters less (you only have to worry about the subnet of the proxy); but this isn't necessarily a good justification for a proxy.

View solution in original post

pwwiddicombe · ‎06-11-2016

We have no information on the DG - what it is, how it is configured. It likely:

1. Does not know about vlan2 and vlan3 subnet ranges. Therefore can't return packets to them.

2. The default gateway for vlan1 clients is 10.1.1.2, so when vlan1 clients try to reply to vlan 2,3, packets get directed to DG, which probably ONLY has a default route to the Internet.

3. Once that's somehow resolved (additional statics on the DG), Internet for vlan 2,3 will require NAT rules same as for vlan 1.

peterpan8383 · ‎06-11-2016

Thanks for the reply. You have pointed out the exact cause of the problem. Following your advice, I added two static routes on the router (which is the DG of LAN1) and now all VLAN's can route to each other.

The configuration I used was adapted from some layer 3 routing conf samples. They have no mention of the static routes as a requirement. I have been thinking that the layer 3 switches can handle all the routing without involving changes on the router.

Is there any way to get the routes to work without modification the production router? Say, by adding another L3 switch on top?

Thanks again.

pwwiddicombe · ‎06-11-2016

Hmmm... Not really. You could put the static route as a "superset" of 10.1.0.0 255.255.0.0, as technically those routes aren't supposed to hit the Internet anyway; although I presume they are nat'd going in the outbound direction anyway. I think you'd have to make NAT changes as well.

If you had used a proxy server, then internal routing matters less (you only have to worry about the subnet of the proxy); but this isn't necessarily a good justification for a proxy.

Problem with VLAN Routing