06-11-2016 05:23 AM - edited 03-08-2019 06:09 AM
I am trying to set up several VLANs on a Cisco 3560 switch. These new segments should be able to communicate with VLAN 1 and even access the Internet. I managed to add the VLANs and have network connectivity between the new VLANs. However, routing from these VLANs to VLAN1 has not been working correctly. Definitely something is missing or incorrect in this configuration. It would be much appreciated if someone can shed some light. Thanks in advance.
Basic IP information:
What's working:
What's not working:
Mollom blocks my post if I include the config. Sorry that I have to include it as an attachment.
06-11-2016 09:44 AM
We have no information on the DG - what it is, how it is configured. It likely:
1. Does not know about vlan2 and vlan3 subnet ranges. Therefore can't return packets to them.
2. The default gateway for vlan1 clients is 10.1.1.2, so when vlan1 clients try to reply to vlan 2,3, packets get directed to DG, which probably ONLY has a default route to the Internet.
3. Once that's somehow resolved (additional statics on the DG), Internet for vlan 2,3 will require NAT rules same as for vlan 1.
06-11-2016 11:23 AM
Thanks for the reply. You have pointed out the exact cause of the problem. Following your advice, I added two static routes on the router (which is the DG of LAN1) and now all VLANs can route to each other.
The configuration I used was adapted from some layer 3 routing conf samples. They have no mention of the static routes as a requirement. I have been thinking that the layer 3 switches can handle all the routing without involving changes on the router.
Is there any way to get the routes to work without modifying the production router? Say, by adding another L3 switch on top?
Thanks again.
06-11-2016 06:12 PM
Hmmm... Not really. You could put the static route as a "superset" of 10.1.0.0 255.255.0.0, as technically those routes aren't supposed to hit the Internet anyway; although I presume they are nat'd going in the outbound direction anyway. I think you'd have to make NAT changes as well.
If you had used a proxy server, then internal routing matters less (you only have to worry about the subnet of the proxy); but this isn't necessarily a good justification for a proxy.
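The return-path problem discussed in this thread, as an added example that is not part of the original posts: a small longest-prefix-match simulation tracing a reply from a VLAN 1 host to a VLAN 2 host through the DG, before and after the static routes (or the 10.1.0.0/16 superset) are added. Only 10.1.1.2 and 10.1.0.0/16 come from the thread; the VLAN subnets, host addresses and the switch's VLAN 1 address are assumptions.

```python
import ipaddress

# 10.1.1.2 (the DG) and the 10.1.0.0/16 superset come from the thread;
# every other address below is constructed for illustration.
DG = "10.1.1.2"
L3_SWITCH_SVI = "10.1.1.254"   # assumed VLAN 1 address of the 3560
VLAN1_HOST = "10.1.1.50"       # assumed host in VLAN 1
VLAN2_HOST = "10.1.2.50"       # assumed host in VLAN 2

DG_BEFORE = {"10.1.1.0/24": "connected", "0.0.0.0/0": "ISP"}
DG_STATICS = {**DG_BEFORE, "10.1.2.0/24": L3_SWITCH_SVI,
              "10.1.3.0/24": L3_SWITCH_SVI}
DG_SUPERSET = {**DG_BEFORE, "10.1.0.0/16": L3_SWITCH_SVI}

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def return_path(dg_routes, src=VLAN1_HOST, dst=VLAN2_HOST):
    """Trace a reply from a VLAN 1 host back to a VLAN 2 host."""
    # The VLAN 1 host only knows its own subnet and its default gateway.
    host_routes = {"10.1.1.0/24": "connected", "0.0.0.0/0": DG}
    # The L3 switch has an SVI in every VLAN and defaults to the DG.
    switch_routes = {"10.1.1.0/24": "connected", "10.1.2.0/24": "connected",
                     "10.1.3.0/24": "connected", "0.0.0.0/0": DG}
    tables = {src: host_routes, DG: dg_routes, L3_SWITCH_SVI: switch_routes}
    hops, node = [src], src
    while node in tables and len(hops) < 8:   # hop limit guards against loops
        nxt = lookup(tables[node], dst)
        if nxt == "connected":
            hops.append(dst)
            return hops
        hops.append(nxt)
        node = nxt
    return hops  # ended somewhere other than dst: the reply was lost

if __name__ == "__main__":
    for name, routes in [("DG default route only", DG_BEFORE),
                         ("DG with two statics", DG_STATICS),
                         ("DG with /16 superset", DG_SUPERSET)]:
        print(f"{name:22} {' -> '.join(map(str, return_path(routes)))}")
```

With the /16 superset the DG's connected 10.1.1.0/24 route still wins for VLAN 1 destinations because it is the longer prefix, so only traffic for the other 10.1.x.x subnets is handed to the switch.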