07-08-2020 03:20 AM
Dear all,
I have a Cisco Layer 3 switch connected to a firewall, which does the routing to the destination LAN.
This is the configuration of the Layer 3 switch:
no aaa new-model
switch 1 provision ws-c3750g-24ts
!
shutdown vlan 43
ip subnet-zero
ip routing
no file verify auto
spanning-tree mode pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan dot1q tag native
interface GigabitEthernet1/0/1
switchport access vlan 8
switchport mode access
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
switchport access vlan 301
switchport mode access
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface GigabitEthernet1/0/13
interface GigabitEthernet1/0/14
switchport access vlan 41
switchport trunk native vlan 41
switchport trunk allowed vlan 1-500
interface GigabitEthernet1/0/15
switchport access vlan 45
switchport mode access
interface GigabitEthernet1/0/16
interface GigabitEthernet1/0/17
interface GigabitEthernet1/0/18
interface GigabitEthernet1/0/19
switchport access vlan 49
switchport mode access
interface GigabitEthernet1/0/20
interface GigabitEthernet1/0/21
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
switchport access vlan 49
switchport trunk encapsulation dot1q
switchport mode access
interface GigabitEthernet1/0/24
switchport access vlan 254
switchport trunk native vlan 49
switchport trunk allowed vlan 1
switchport mode access
spanning-tree portfast
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
interface Vlan1
ip address 10.20.3.1 255.255.255.240 secondary
ip address 10.20.4.1 255.255.255.240 secondary
ip address 10.20.7.1 255.255.255.240 secondary
ip address 10.20.42.1 255.255.255.0 secondary
ip address 10.20.40.1 255.255.255.0
ip helper-address 10.20.40.2
interface Vlan8
ip address 10.20.8.1 255.255.255.240
interface Vlan41
ip address 10.20.41.1 255.255.255.0
ip helper-address 10.20.40.2
interface Vlan43
ip address 192.168.40.1 255.255.252.0
interface Vlan44
no ip address
interface Vlan45
ip address 10.20.44.1 255.255.252.0
ip helper-address 10.20.45.2
interface Vlan49
ip address 10.20.49.1 255.255.255.0
interface Vlan140
no ip address
interface Vlan254
description "Perimeter Services"
ip address 10.20.254.5 255.255.255.248
interface Vlan301
ip address 10.20.253.26 255.255.255.248
ip default-gateway 10.20.40.1
ip classless
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 10.18.3.50 255.255.255.255 10.20.253.25
ip route 10.20.0.0 255.255.0.0 10.20.253.25
ip route 10.20.40.0 255.255.252.0 Vlan43
ip route 10.20.40.0 255.255.252.0 Vlan301
ip route 10.20.40.0 255.255.255.0 10.20.253.25
ip route 10.20.41.0 255.255.255.0 Vlan41
ip route 10.20.41.0 255.255.255.0 Vlan1
ip route 10.20.41.0 255.255.255.0 Vlan8
ip route 10.20.41.0 255.255.255.0 Vlan254
ip route 10.20.41.0 255.255.255.0 Vlan301
ip route 10.20.41.0 255.255.255.0 10.20.90.1
ip route 10.20.41.0 255.255.255.0 10.20.70.1
ip route 10.20.41.0 255.255.255.0 10.20.111.1
ip route 10.20.41.0 255.255.255.0 10.20.50.1
ip route 10.20.41.0 255.255.255.0 Vlan43
ip route 10.20.42.0 255.255.255.0 10.20.8.0
ip route 10.20.49.0 255.255.255.0 Vlan1
ip route 10.20.49.0 255.255.255.0 Vlan49
ip route 10.20.90.0 255.255.255.0 10.20.253.25
ip route 10.20.91.0 255.255.255.0 10.20.253.25
ip route 10.20.112.0 255.255.255.0 10.20.253.25
ip route 10.20.114.0 255.255.255.0 10.20.253.25
ip route 10.26.1.19 255.255.255.255 10.20.253.25
ip route 10.26.10.6 255.255.255.255 10.20.253.25
ip route 10.50.0.0 255.255.0.0 10.20.253.25
ip route 10.147.134.0 255.255.255.0 10.20.253.25
ip route 10.166.44.0 255.255.255.0 10.20.253.25
ip route 10.177.11.0 255.255.255.0 10.20.253.25
ip route 10.177.254.0 255.255.255.0 10.20.253.25
ip route 10.177.254.0 255.255.255.0 10.20.251.9
ip route 10.177.254.0 255.255.255.0 10.20.251.5
ip route 212.72.1.186 255.255.255.255 10.20.8.5
no ip http server
ip access-list standard MOH
permit 10.177.254.1
permit 10.20.254.1
access-list 11 permit 0.0.0.0 10.20.90.0
access-list 12 permit 0.0.0.0 10.20.70.0
access-list 14 permit 0.0.0.0 10.20.50.0
access-list 15 permit 0.0.0.0 10.20.111.0
access-list 16 permit 0.0.0.0 10.20.41.0
access-list 17 permit 0.0.8.0 10.20.49.0
control-plane
================================================
I have a remote location connected by an MPLS line. In that location I have LAN 10.20.90.0/24 and VLAN 10.20.91.0/24.
I am able to reach the LAN gateway (10.20.90.1) and the host (10.20.90.2),
but I am not able to reach the other VLAN 10.20.91.1 or any other host in that VLAN.
The gateway to the firewall is 10.20.253.25.
What am I missing in this configuration?
Thanks
07-08-2020 04:20 AM
Hello @daimk2020 ,
On the L3 switches you have the correct configuration:
>> ip route 10.20.90.0 255.255.255.0 10.20.253.25
ip route 10.20.91.0 255.255.255.0 10.20.253.25
You should verify that the firewall is correctly configured for subnet 10.20.91.0/24 both at routing level and at firewall / ACL level.
In simple words: either the FW does not know how to route packets to 10.20.91.0/24 at the remote location via MPLS, or it does not allow traffic to that subnet.
Hope to help
Giuseppe
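As an added illustration (not code from the thread or from Cisco), the check below parses the `ip route` lines from the posted config and performs a longest-prefix-match lookup, showing that 10.20.90.2 and 10.20.91.1 resolve to the same next hop (10.20.253.25) on the switch, so the gap must lie beyond it. It models static routes only, not connected interfaces; the config excerpt is constructed from the post.

```python
import ipaddress
import re

# Constructed excerpt of the static routes from the switch config posted above.
CONFIG = """
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 10.20.0.0 255.255.0.0 10.20.253.25
ip route 10.20.41.0 255.255.255.0 Vlan41
ip route 10.20.90.0 255.255.255.0 10.20.253.25
ip route 10.20.91.0 255.255.255.0 10.20.253.25
"""

# IOS static route syntax: "ip route <network> <mask> <next-hop-or-interface>"
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")


def parse_routes(config):
    """Return a list of (network, next_hop) tuples from 'ip route' lines."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        # strict=False tolerates host bits; the mask is given in dotted form.
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        routes.append((net, m.group(3)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns (network, next_hop) or None when no route matches (no default).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def next_hops(config, destinations):
    """Map each destination to the route the switch would select for it."""
    routes = parse_routes(config)
    return {d: lookup(routes, d) for d in destinations}


if __name__ == "__main__":
    for dst, route in next_hops(CONFIG, ["10.20.90.2", "10.20.91.1"]).items():
        print(f"{dst:>12} -> {route[0]} via {route[1]}")
```

Both remote hosts resolve to the /24 routes pointing at 10.20.253.25, so the next thing to verify is the firewall's routing table and policy for 10.20.91.0/24, as the reply above suggests.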
07-08-2020 09:20 PM
07-08-2020 04:26 AM
The problem could be the "other side". Can you do a trace to the destination?
Regards, ML
**Please Rate All Helpful Responses **
07-08-2020 04:48 AM - edited 07-08-2020 04:54 AM
On a side note: what is the purpose of access lists 11 through 17? Those look weird, don't they?
Just on the fun side, you can add access-list 18 permit 0.0.0.0 10.20.91.0
07-08-2020 09:24 PM - edited 07-08-2020 11:28 PM
See my previous reply; I attached a trace.