Routing to remote VLAN

daimk2020 (Level 1)

Dear,

I have a Cisco Layer 3 switch connected to a firewall, which does the routing to the destination LAN.

This is the configuration of the Layer 3 switch:

no aaa new-model
switch 1 provision ws-c3750g-24ts
!

shutdown vlan 43

ip subnet-zero
ip routing

no file verify auto
spanning-tree mode pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id

vlan internal allocation policy ascending
vlan dot1q tag native


interface GigabitEthernet1/0/1
switchport access vlan 8
switchport mode access

interface GigabitEthernet1/0/2

interface GigabitEthernet1/0/3
switchport access vlan 301
switchport mode access

interface GigabitEthernet1/0/4

interface GigabitEthernet1/0/5

interface GigabitEthernet1/0/6

interface GigabitEthernet1/0/7

interface GigabitEthernet1/0/8

interface GigabitEthernet1/0/9

interface GigabitEthernet1/0/10

interface GigabitEthernet1/0/11

interface GigabitEthernet1/0/12

interface GigabitEthernet1/0/13

interface GigabitEthernet1/0/14
switchport access vlan 41
switchport trunk native vlan 41
switchport trunk allowed vlan 1-500

interface GigabitEthernet1/0/15
switchport access vlan 45
switchport mode access

interface GigabitEthernet1/0/16

interface GigabitEthernet1/0/17

interface GigabitEthernet1/0/18

interface GigabitEthernet1/0/19
switchport access vlan 49
switchport mode access

interface GigabitEthernet1/0/20

interface GigabitEthernet1/0/21

interface GigabitEthernet1/0/22

interface GigabitEthernet1/0/23
switchport access vlan 49
switchport trunk encapsulation dot1q
switchport mode access

interface GigabitEthernet1/0/24
switchport access vlan 254
switchport trunk native vlan 49
switchport trunk allowed vlan 1
switchport mode access
spanning-tree portfast

interface GigabitEthernet1/0/25

interface GigabitEthernet1/0/26

interface GigabitEthernet1/0/27

interface GigabitEthernet1/0/28

interface Vlan1
ip address 10.20.3.1 255.255.255.240 secondary
ip address 10.20.4.1 255.255.255.240 secondary
ip address 10.20.7.1 255.255.255.240 secondary
ip address 10.20.42.1 255.255.255.0 secondary
ip address 10.20.40.1 255.255.255.0
ip helper-address 10.20.40.2

interface Vlan8
ip address 10.20.8.1 255.255.255.240

interface Vlan41
ip address 10.20.41.1 255.255.255.0
ip helper-address 10.20.40.2

interface Vlan43
ip address 192.168.40.1 255.255.252.0

interface Vlan44
no ip address

interface Vlan45
ip address 10.20.44.1 255.255.252.0
ip helper-address 10.20.45.2

interface Vlan49
ip address 10.20.49.1 255.255.255.0

interface Vlan140
no ip address

interface Vlan254
description "Perimeter Services"
ip address 10.20.254.5 255.255.255.248

interface Vlan301
ip address 10.20.253.26 255.255.255.248

ip default-gateway 10.20.40.1
ip classless
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 10.18.3.50 255.255.255.255 10.20.253.25
ip route 10.20.0.0 255.255.0.0 10.20.253.25
ip route 10.20.40.0 255.255.252.0 Vlan43
ip route 10.20.40.0 255.255.252.0 Vlan301
ip route 10.20.40.0 255.255.255.0 10.20.253.25
ip route 10.20.41.0 255.255.255.0 Vlan41
ip route 10.20.41.0 255.255.255.0 Vlan1
ip route 10.20.41.0 255.255.255.0 Vlan8
ip route 10.20.41.0 255.255.255.0 Vlan254
ip route 10.20.41.0 255.255.255.0 Vlan301
ip route 10.20.41.0 255.255.255.0 10.20.90.1
ip route 10.20.41.0 255.255.255.0 10.20.70.1
ip route 10.20.41.0 255.255.255.0 10.20.111.1
ip route 10.20.41.0 255.255.255.0 10.20.50.1
ip route 10.20.41.0 255.255.255.0 Vlan43
ip route 10.20.42.0 255.255.255.0 10.20.8.0
ip route 10.20.49.0 255.255.255.0 Vlan1
ip route 10.20.49.0 255.255.255.0 Vlan49
ip route 10.20.90.0 255.255.255.0 10.20.253.25
ip route 10.20.91.0 255.255.255.0 10.20.253.25
ip route 10.20.112.0 255.255.255.0 10.20.253.25
ip route 10.20.114.0 255.255.255.0 10.20.253.25
ip route 10.26.1.19 255.255.255.255 10.20.253.25
ip route 10.26.10.6 255.255.255.255 10.20.253.25
ip route 10.50.0.0 255.255.0.0 10.20.253.25
ip route 10.147.134.0 255.255.255.0 10.20.253.25
ip route 10.166.44.0 255.255.255.0 10.20.253.25
ip route 10.177.11.0 255.255.255.0 10.20.253.25
ip route 10.177.254.0 255.255.255.0 10.20.253.25
ip route 10.177.254.0 255.255.255.0 10.20.251.9
ip route 10.177.254.0 255.255.255.0 10.20.251.5
ip route 212.72.1.186 255.255.255.255 10.20.8.5
no ip http server


ip access-list standard MOH
permit 10.177.254.1
permit 10.20.254.1

access-list 11 permit 0.0.0.0 10.20.90.0
access-list 12 permit 0.0.0.0 10.20.70.0
access-list 14 permit 0.0.0.0 10.20.50.0
access-list 15 permit 0.0.0.0 10.20.111.0
access-list 16 permit 0.0.0.0 10.20.41.0
access-list 17 permit 0.0.8.0 10.20.49.0

control-plane

================================================

I have a remote location connected by an MPLS line. In that location I have LAN 10.20.90.0/24 and VLAN 10.20.91.0/24.

I am able to reach the LAN gateway (10.20.90.1) and the host (10.20.90.2),

but I am not able to reach the other VLAN (10.20.91.1) or any other host in that VLAN.

The gateway to the firewall is 10.20.253.25.

What did I miss in this configuration?

Thanks

5 Replies

Giuseppe Larosa (Hall of Fame)

Hello @daimk2020,

On the L3 switch you have the correct configuration:

>> ip route 10.20.90.0 255.255.255.0 10.20.253.25
>> ip route 10.20.91.0 255.255.255.0 10.20.253.25

You should verify that the firewall is correctly configured for subnet 10.20.91.0/24, both at the routing level and at the firewall / ACL level.

In simple words, either the FW does not know how to route packets for 10.20.91.0/24 to the remote location via MPLS, or it does not allow traffic to that subnet.

Hope to help

Giuseppe
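To see what the switch itself does with a packet for 10.20.91.1, the lookup it performs can be replayed off-box. The following is an added example, not code from the thread or from Cisco: it loads a subset of the `ip route` lines and the SVI networks from the posted configuration (the remaining host and remote-site routes in the post do not change these lookups), performs longest-prefix match with connected routes preferred over static ones, and resolves a next-hop address to the SVI it is reached through. VLAN 43 is treated as down because the post contains `shutdown vlan 43`; that is an assumption about operational state, as is the simplification that every other SVI is up.

```python
"""Replay the L3 switch's route lookup for the destinations discussed in the thread."""
import ipaddress

# Subset of the posted "ip route" lines: network, mask, next-hop address or exit interface.
POSTED_STATIC_ROUTES = """
0.0.0.0 0.0.0.0 Vlan1
10.20.0.0 255.255.0.0 10.20.253.25
10.20.40.0 255.255.252.0 Vlan43
10.20.40.0 255.255.252.0 Vlan301
10.20.40.0 255.255.255.0 10.20.253.25
10.20.41.0 255.255.255.0 Vlan41
10.20.41.0 255.255.255.0 Vlan1
10.20.41.0 255.255.255.0 10.20.90.1
10.20.49.0 255.255.255.0 Vlan1
10.20.90.0 255.255.255.0 10.20.253.25
10.20.91.0 255.255.255.0 10.20.253.25
"""

# Connected networks taken from the posted SVI addresses (primary and secondary).
CONNECTED = [
    ("10.20.40.0/24", "Vlan1"), ("10.20.3.0/28", "Vlan1"), ("10.20.4.0/28", "Vlan1"),
    ("10.20.7.0/28", "Vlan1"), ("10.20.42.0/24", "Vlan1"), ("10.20.8.0/28", "Vlan8"),
    ("10.20.41.0/24", "Vlan41"), ("10.20.44.0/22", "Vlan45"), ("10.20.49.0/24", "Vlan49"),
    ("10.20.254.0/29", "Vlan254"), ("10.20.253.24/29", "Vlan301"),
]
# Assumption: "shutdown vlan 43" in the post means the Vlan43 SVI is down and installs nothing.
DOWN_INTERFACES = {"Vlan43"}


def build_table(static_text=POSTED_STATIC_ROUTES, connected=CONNECTED, down=DOWN_INTERFACES):
    """Installed routes as (network, administrative_distance, next_hop, exit_interface)."""
    table = []
    for net, iface in connected:
        if iface not in down:
            table.append((ipaddress.ip_network(net), 0, None, iface))  # connected: AD 0
    for line in static_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        if parts[2][0].isdigit():  # static route to a next-hop address
            table.append((net, 1, ipaddress.ip_address(parts[2]), None))
        elif parts[2] not in down:  # static route to an interface; skipped if the SVI is down
            table.append((net, 1, None, parts[2]))
    return table


def lookup(table, dst):
    """Longest prefix match first, then lowest administrative distance; returns all ties."""
    dst = ipaddress.ip_address(dst)
    cands = [r for r in table if dst in r[0]]
    if not cands:
        return []
    best_len = max(r[0].prefixlen for r in cands)
    cands = [r for r in cands if r[0].prefixlen == best_len]
    best_ad = min(r[1] for r in cands)
    return [r for r in cands if r[1] == best_ad]


def resolve(table, dst):
    """Return (matched_prefix, next_hop, exit_svi); a next-hop address is recursed to its SVI."""
    out = []
    for net, _ad, nh, iface in lookup(table, dst):
        if nh is None:
            out.append((str(net), None, iface))
        else:
            connected_hops = [r for r in lookup(table, nh) if r[1] == 0]
            out.append((str(net), str(nh), connected_hops[0][3] if connected_hops else None))
    return out


def without(table, *prefixes):
    """Copy of the table with the given static prefixes removed (the poster's experiment)."""
    drop = {ipaddress.ip_network(p) for p in prefixes}
    return [r for r in table if not (r[1] == 1 and r[0] in drop)]


if __name__ == "__main__":
    t = build_table()
    for dst in ("10.20.90.2", "10.20.91.1"):
        print(dst, "->", resolve(t, dst))
    print("10.20.91.1 with both /24 routes removed ->",
          resolve(without(t, "10.20.90.0/24", "10.20.91.0/24"), "10.20.91.1"))
```

Both 10.20.90.2 and 10.20.91.1 resolve to next hop 10.20.253.25 out of Vlan301, and removing the two /24 routes only shifts the match to the 10.20.0.0/16 static with the same next hop. The switch therefore hands both destinations to the same firewall address, which is why the missing piece has to be looked for on the firewall and beyond it, as the reply above says.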

 

Thanks.

I tried removing both without luck, and the default gateway for all (ip route 10.20.0.0 255.255.0.0 10.20.253.25) is already there.

I removed both ip route 10.20.90.0/24 and ip route 10.20.91.0/24.

I did a traceroute to both the LAN and the VLAN.

Martin L (VIP)

 

The problem could be on the "other side". Can you do a trace to the destination?

 

Regards, ML
**Please Rate All Helpful Responses **


On a side note: what is the purpose of access lists 11 through 17? Those look weird, don't they?

Just on the fun side, you could add access-list 18 permit 0.0.0.0 10.20.91.0.
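Why those lists look weird can be made concrete. The following is an added example, not code from the thread or from Cisco: it parses the six `access-list` lines exactly as posted and applies IOS standard-ACL wildcard semantics (a 0 bit in the wildcard must match, a 1 bit is ignored) to show what each entry actually permits. Nothing in the configuration as posted references lists 11 through 17 (no `ip access-group`, `distribute-list` or similar), so whatever they match, they are not in the forwarding path shown; the check is still worth having, because an entry written as `permit 0.0.0.0 10.20.90.0` matches a scattered set of 256 addresses such as 2.4.8.0 and not the 10.20.90.0/24 hosts the author probably had in mind.

```python
"""Decode what a Cisco IOS numbered standard ACL entry really matches."""
import ipaddress

# The six numbered lists exactly as they appear in the posted configuration.
POSTED_ACLS = """
access-list 11 permit 0.0.0.0 10.20.90.0
access-list 12 permit 0.0.0.0 10.20.70.0
access-list 14 permit 0.0.0.0 10.20.50.0
access-list 15 permit 0.0.0.0 10.20.111.0
access-list 16 permit 0.0.0.0 10.20.41.0
access-list 17 permit 0.0.8.0 10.20.49.0
"""


def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acls(text):
    """Return {list_number: [(action, address, wildcard), ...]} for numbered standard ACLs."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list":
            acls.setdefault(int(parts[1]), []).append((parts[2], parts[3], parts[4]))
    return acls


def acl_entry_matches(address, wildcard, candidate):
    """IOS wildcard semantics: wildcard bit 0 means 'must match', bit 1 means 'don't care'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(address) & care) == (_u32(candidate) & care)


def is_contiguous_wildcard(wildcard):
    """True for the usual masks (0.0.0.255, 0.0.3.255, 0.0.0.0 ...): zero bits then one bits."""
    w = _u32(wildcard)
    return (w & (w + 1)) == 0


def audit(text=POSTED_ACLS):
    """Flag entries whose wildcard is not a contiguous mask.

    Such an entry matches 2**popcount(wildcard) addresses spread across the whole address
    space rather than one subnet, which almost always means address and wildcard were swapped.
    Returns (list_number, address, wildcard, number_of_addresses_matched) per finding.
    """
    findings = []
    for num, entries in parse_standard_acls(text).items():
        for _action, address, wildcard in entries:
            if not is_contiguous_wildcard(wildcard):
                matched = 2 ** bin(_u32(wildcard)).count("1")
                findings.append((num, address, wildcard, matched))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("suspicious wildcard:", finding)
    # As posted: does not match a host in 10.20.90.0/24, does match an unrelated address.
    print(acl_entry_matches("0.0.0.0", "10.20.90.0", "10.20.90.5"))   # False
    print(acl_entry_matches("0.0.0.0", "10.20.90.0", "2.4.8.0"))      # True
    # Written the conventional way, the same subnet matches as intended.
    print(acl_entry_matches("10.20.90.0", "0.0.0.255", "10.20.90.5"))  # True
```

List 17 is the odd one out even among these: with address 0.0.8.0 and wildcard 10.20.49.0 it matches 10.20.57.0 but not 10.20.49.1, because the third octet is required to have bit 3 set and bits 1, 2, 3, 6 and 7 clear.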

See my previous reply; I attached a trace.