03-30-2012 07:20 AM - edited 03-07-2019 05:52 AM
I have 2 VLANs, for practical purposes: 10 (10.10.10.x/24) and 20 (10.10.20.x/24). I have each VLAN connected to my firewall with a gateway on each port to its corresponding VLAN, e.g.
10.10.10.1/24 (Vlan10) and my FW interface (10.10.10.254)
10.10.20.1/24 (Vlan20) and my FW interface (10.10.20.254)
I have each port facing the FW set up as static access VLAN xx - no trunking.
I had removed the default gateway because both VLANs need to go to their respective interface without trunking. In Packet Tracer using an older switch this works without any issue. On these switches (C3560X with IOS 12.2(55)SE3) it does not, so I had added the following routes:
0.0.0.0 0.0.0.0 10.10.10.254
0.0.0.0 0.0.0.0 10.10.20.254
I thought this would basically push the packets to their respective gateways, but this did not work as expected and it kept creating 10.10.20.254 as the gateway. This configuration would allow VLAN 20 out to the internet, and VLAN 10 would keep going to the wrong interface. I had removed the last route, but this did not allow VLAN 10 out.
Gateway of last resort is 10.10.20.254 to network 0.0.0.0
10.0.0.0/24 is subnetted, 3 subnets
C 10.10.10.0 is directly connected, Vlan10
C 10.10.20.0 is directly connected, Vlan20
C 10.10.50.0 is directly connected, Vlan50
S* 0.0.0.0/0 [1/0] via 10.10.20.254
Is there a way on this OS to statically define routes so that VLAN 20 only goes out to gateway 10.10.20.254 and VLAN 10 to 10.10.10.254? I had thought by default the switch would allow this, but it would appear as if I am missing something with this IOS version.
I tried to add routes and it did not work - see below:
(config)#ip route 10.10.10.1 255.255.255.0 10.10.10.254
%Inconsistent address and mask
I thought the default behavior of VLANs was to communicate within their own subnet, which would explain why this does not work. So, without sounding redundant: my VLANs are not going out through their respective ports. I do have VLAN 10 set up with Spanning Tree as it is the management network; however, it has a server on it that needs access to the internet (jump box). I had made sure that the outbound port was not disabled by STP. Any help would be appreciated.
03-30-2012 08:39 AM
Hi Anthony
0.0.0.0 0.0.0.0 10.10.20.254 - this is your default route; ideally you are only going to have one default route.
If you know the destination address, you can force the traffic through the second hop 10.10.10.254
using the command ip route 192.168.1.1 255.255.255.255 10.10.10.254 (try using this one).
Another way of doing that is to create the VLAN on your firewall (which means the firewall will be the gateway, and you would have the same VLAN ID configured on your switch at L2). You would normally use this design for a DMZ.
I hope this answers your question.
03-30-2012 09:29 AM
Ideally I wanted to skip having any type of gateway of last resort or routes entirely and just have 2 collision domains, VLAN 10 and 20, only communicating with their respective gateways on the firewall. I have noticed that using that configuration does not produce the results I was expecting with older OSes. Can I be missing something? I thought that this is basic switching 101.
Vlan 10 - ip addr 10.10.10.1 255.255.255.0 communicates with firewall gateway 10.10.10.254
Vlan 20 - ip addr 10.10.20.1 255.255.255.0 communicates with firewall gateway 10.10.20.254
This would eliminate packets going to the wrong interface by having a dedicated interface on the same subnet as the next highest number, but it seems to not be working as expected. What do you think could be causing this issue?
03-31-2012 03:25 AM
I am a bit confused here.
1> If I'm not wrong, you can ping 10.10.10.254 and 10.10.20.254 from the switch? If yes, proceed to option 2.
2> If you are trying to ping the firewall 10.10.10.254 from source address 10.10.10.1, you are only going to go over the interface that connects to the firewall that is tagged with VLAN ID 10.
3> If you are trying to ping the firewall 10.10.20.254 from source address 10.10.10.1, there is a possibility you will see traffic on both interfaces, as you can see some broadcast traffic generated.
To choose the source address (when pinging from the switch):
Example
ping 10.10.10.254 source 10.10.10.1
03-31-2012 04:13 AM
Do the hosts on the Vlans have the proper gateway set? That's really the question. The firewall should route for you.
Sent from Cisco Technical Support iPad App
03-31-2012 04:17 AM
The default gateway is used to route administrative packets from the switch. You don't have to set default routes if the 3560 isn't routing for you (which it can), but you should set a default gateway in the same subnet as the administrative interface of the switch. If you want to make sure the 3560 doesn't route issue no ip routing at the global config level.
Sent from Cisco Technical Support iPad App
04-02-2012 10:44 AM
It would stand to reason that pinging an unknown destination of 8.8.8.8 would force the traffic through a different interface because of the following route:
0.0.0.0 0.0.0.0 10.10.20.254
Vlan 10 is set up and directly connected to 10.10.10.254 on the firewall, and why it won't route out must be because of the gateway of last resort.
1. I am thinking of putting a next-hop ACL on Vlan 10 forcing all its traffic through 10.10.10.254.
2. I would like to have static routes defined, but with the below routes the packets seem to hit through both interfaces:
0.0.0.0 0.0.0.0 10.10.10.254
0.0.0.0 0.0.0.0 10.10.20.254
--Any ideas on how to approach this? Everything was working well when I had created a separate VLAN and trunked it into one interface on the firewall. From a security standpoint, separating server traffic and management traffic (avoid VLAN hopping or forged VLAN packets) was good but so far has been daunting. I am thinking it could be the firewall, but then again probably because of my routes.
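The routing problem in this thread modelled in code, as an added example that is not part of the original thread and is not Cisco IOS configuration: a minimal destination-only forwarding table holding the three connected VLANs and the two default routes, plus a source-based policy on the Vlan10 SVI standing in for the "next-hop ACL" (policy-based routing) idea raised above. The addresses are the thread's; `Router`, `parse_ip_route`, the policy structure, the sample hosts 10.10.10.50 and 10.10.20.50 and the returned strings are this example's own, and the model ignores ECMP hashing and any platform limits of the 3560X.

```python
"""Minimal forwarding model for the two-VLAN / two-gateway problem.

Constructed example, not configuration from the thread or Cisco IOS. It
shows that a routing table is keyed on the destination only, so two
0.0.0.0/0 routes cannot steer Vlan10 to 10.10.10.254 and Vlan20 to
10.10.20.254 by source, while a source-based policy on the ingress SVI
(what IOS does with policy-based routing) can.  Addresses come from the
thread; names, structures and return strings are this example's own.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


class RouteError(ValueError):
    """Raised for a malformed static route or an unroutable destination."""


def parse_ip_route(address: str, mask: str, next_hop: str) -> tuple[IPv4Network, IPv4Address]:
    """Mimic `ip route <address> <mask> <next-hop>` argument checking.

    IOS refuses a prefix with host bits set under the mask
    ("%Inconsistent address and mask"); ipaddress makes the same check with
    strict=True, so "10.10.10.1 255.255.255.0" is rejected here as well.
    """
    try:
        prefix = ip_network(f"{address}/{mask}", strict=True)
    except ValueError as exc:
        raise RouteError(f"%Inconsistent address and mask: {address} {mask}") from exc
    return prefix, ip_address(next_hop)


class Router:
    def __init__(self) -> None:
        self.connected: dict[IPv4Network, str] = {}   # prefix -> SVI name
        self.statics: list[tuple[IPv4Network, IPv4Address]] = []
        # ingress SVI -> list of (source prefix to match, next hop to force)
        self.policy: dict[str, list[tuple[IPv4Network, IPv4Address]]] = {}

    def add_connected(self, prefix: str, svi: str) -> None:
        self.connected[ip_network(prefix)] = svi

    def add_static(self, address: str, mask: str, next_hop: str) -> None:
        self.statics.append(parse_ip_route(address, mask, next_hop))

    def add_policy(self, ingress_svi: str, src_prefix: str, next_hop: str) -> None:
        self.policy.setdefault(ingress_svi, []).append(
            (ip_network(src_prefix), ip_address(next_hop)))

    def table_lookup(self, dst: str) -> list[str]:
        """Destination-only longest-prefix match; returns all equal-cost best paths.

        Connected beats static at the same prefix length.  The source address
        is not an input, which is why two default routes cannot split the VLANs.
        """
        d = ip_address(dst)
        candidates = []  # (prefixlen, preference, description)
        for prefix, svi in self.connected.items():
            if d in prefix:
                candidates.append((prefix.prefixlen, 1, f"connected {svi}"))
        for prefix, nh in self.statics:
            if d in prefix:
                candidates.append((prefix.prefixlen, 0, f"via {nh}"))
        if not candidates:
            raise RouteError(f"no route to {dst}")
        best = max((plen, pref) for plen, pref, _ in candidates)
        return sorted(desc for plen, pref, desc in candidates if (plen, pref) == best)

    def forward(self, ingress_svi: str, src: str, dst: str) -> list[str]:
        """Policy on the ingress SVI is consulted first; otherwise the table decides."""
        s = ip_address(src)
        for match, nh in self.policy.get(ingress_svi, []):
            if s in match:
                return [f"policy via {nh}"]
        return self.table_lookup(dst)


def build_thread_router() -> Router:
    """The `show ip route` state from the thread, with both default routes present."""
    r = Router()
    r.add_connected("10.10.10.0/24", "Vlan10")
    r.add_connected("10.10.20.0/24", "Vlan20")
    r.add_connected("10.10.50.0/24", "Vlan50")
    r.add_static("0.0.0.0", "0.0.0.0", "10.10.10.254")
    r.add_static("0.0.0.0", "0.0.0.0", "10.10.20.254")
    return r


def demo() -> dict[str, list[str]]:
    # Constructed hosts 10.10.10.50 / 10.10.20.50 stand in for the jump box and a server.
    r = build_thread_router()
    out = {
        "vlan10->internet, table only": r.forward("Vlan10", "10.10.10.50", "8.8.8.8"),
        "vlan20->internet, table only": r.forward("Vlan20", "10.10.20.50", "8.8.8.8"),
    }
    r.add_policy("Vlan10", "10.10.10.0/24", "10.10.10.254")   # the "next-hop ACL" on Vlan10
    out["vlan10->internet, with policy"] = r.forward("Vlan10", "10.10.10.50", "8.8.8.8")
    out["vlan20->internet, with policy"] = r.forward("Vlan20", "10.10.20.50", "8.8.8.8")
    return out


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label:32} {paths}")
    try:
        parse_ip_route("10.10.10.1", "255.255.255.0", "10.10.10.254")
    except RouteError as err:
        print(err)
```

Running `demo()` shows why the two default routes could never separate the VLANs: a Vlan10 host and a Vlan20 host bound for 8.8.8.8 resolve to the same equal-cost pair, because the table never looks at the source, and only the per-interface policy does. The IOS equivalent of that policy is an access list matching the Vlan10 source range, a route-map that sets the next hop to 10.10.10.254, and `ip policy route-map` applied under `interface Vlan10`. One caveat the model makes visible: a source-only match also sends Vlan10-to-Vlan20 traffic to the firewall, which is either the inspection point the management/server separation above is after or something to exclude from the ACL, depending on intent.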