cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
449
Views
10
Helpful
14
Replies

Static Route cannot Reach Next Hop

PolarPanda
Beginner
Beginner

i have a 3850 that directly connect to a firewall. i configured a default static route to the next hop ip which i configured on the firewall interface. I have ip routing enable. i configured "swichport mode trunk" on the cisco interface. I have multiple vlans.

I cannot ping the firewall interface. I can see the route in "show ip route". if i put the cisco interface that connect to the firewall in access mode for one particular vlan that includes the ip of firewall interface, then i can ping the firewall interface ip. if it's access mode, other vlan cannot pass the traffic to the firewall. 

Does anyone know what's issue with the config? 

2 Accepted Solutions

Accepted Solutions

With the 3850 you have a couple of options of how to connect multiple vlans to the firewall.

One option is to configure a layer 3 interface on the 3850 and connect it to the firewall. If you do this you would need to enable ip routing on the 3850. Each vlan on the switch would need an SVI with an appropriate IP address and subnet. The devices connected in the vlans would use the SVI address of their vlan as their default gateway. The switch would route traffic that was between one vlan and another vlan. And the 3850 would need a static default route to forward traffic to the firewall that was going to the Internet. The firewall would need an IP address on the interface connecting to the 3850 that is in the same subnet as the switch interface address. The firewall would need ip routes for the subnets of the vlans on the 3850 with the switch interface address as the next hop. And the firewall would need to do address translation for the subnets on the 3850.

The other option would be to configure the interface on the 3850 connecting to the firewall as a trunk allowing the vlans on the 3850 to communicate directly with the firewall. The vlans would not have any SVI on the 3850 (if you want to manage the 3750 remotely then one SVI would have an ip address). You would not enable ip routing on the 3850 in this option. The firewall interface would need to be configured to connect to a trunk and to recognize the various vlans used on the 3850. The firewall would route traffic between hosts in the various vlans of the 3850 and would route traffic to the Internet. Devices connected in the vlans of the 3850 would use the address on the firewall for their vlan as their default gateway. The firewall would need to do address translation for the devices in the vlans of the 3850.

Either approach would work. You can choose which one to implement.

HTH

Rick

View solution in original post

Yes I believe that you missed that part and that part explains why you are not able to ping using one of the vlan gateways. Let me explain it this way. Let us assume that one of your vlans uses subnet 10.1.1.0 and the gateway address is 10.1.1.1. You ping the firewall, the destination address is the firewall address and the source address is 10.1.1.1. The ping reaches the firewall. The firewall needs to send a response to 10.1.1.1. But how does the firewall know where 10.1.1.1 is? The firewall needs a route for 10.1.1.0 and the next hop of that route needs to be the switch interface address.

If the firewall needs to send traffic to any address in a subnet that is on the 3850 then the firewall needs a route for that subnet and the next hop of that route needs to be the address of the switch interface that connects to the firewall.

HTH

Rick

View solution in original post

14 Replies 14

MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

do you allow vlan in trunk ?

yes, i tried that. Didn't work either. i believe if i don't config any allowed vlan, it means to allow all vlans. 

Richard Burts
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru

If we had more detail about your configuration we could give you better advice. But based on what we know so far, the good news is that when configured as access port you are able to ping the firewall. If in trunk mode you can not ping the firewall then it suggests that the vlan that has the IP address you use for the access port is not the native vlan on your trunk. 

Can you tell us about these:

- what vlan was the access port configured in?

- is there an SVI configured for that vlan?

- how many vlans are on the trunk?

- what vlan is the native vlan for your trunk?

HTH

Rick

Yes, i have both l2 and l3 vlan config, total 3 vlans. they all have command "no shutdown". i didn't config native vlan

It is not necessary to configure a native vlan. On Cisco switches when you configure a trunk the native vlan is vlan 1. You only need to configure the native vlan if you want the native vlan to be something other than 1.

So what are the vlans in your trunk? If the native vlan is vlan 1 then is there a vlan interface for vlan 1?

HTH

Rick

To help us understand the issue please post the output of these commands on the switch:

show interface status

show interface trunk

show ip interface brief

show ip route

HTH

Rick

sorry, i just changed the interface from L2 to L3 and gave it an Ip address. i have no problem to route the traffic via firewall anymore from switch itself.

but i'm not able to route traffic from other vlans

Does it mean if i need to route traffic from other vlan, i cannot use L3 interface to connect firewall interface?

Sorry to ask another question. if the answer is no, i cannot. i will go ahead roll back to the original config witch switchport and share the output here. 

With the 3850 you have a couple of options of how to connect multiple vlans to the firewall.

One option is to configure a layer 3 interface on the 3850 and connect it to the firewall. If you do this you would need to enable ip routing on the 3850. Each vlan on the switch would need an SVI with an appropriate IP address and subnet. The devices connected in the vlans would use the SVI address of their vlan as their default gateway. The switch would route traffic that was between one vlan and another vlan. And the 3850 would need a static default route to forward traffic to the firewall that was going to the Internet. The firewall would need an IP address on the interface connecting to the 3850 that is in the same subnet as the switch interface address. The firewall would need ip routes for the subnets of the vlans on the 3850 with the switch interface address as the next hop. And the firewall would need to do address translation for the subnets on the 3850.

The other option would be to configure the interface on the 3850 connecting to the firewall as a trunk allowing the vlans on the 3850 to communicate directly with the firewall. The vlans would not have any SVI on the 3850 (if you want to manage the 3750 remotely then one SVI would have an ip address). You would not enable ip routing on the 3850 in this option. The firewall interface would need to be configured to connect to a trunk and to recognize the various vlans used on the 3850. The firewall would route traffic between hosts in the various vlans of the 3850 and would route traffic to the Internet. Devices connected in the vlans of the 3850 would use the address on the firewall for their vlan as their default gateway. The firewall would need to do address translation for the devices in the vlans of the 3850.

Either approach would work. You can choose which one to implement.

HTH

Rick

thank you!!

i will choose first option since it's 90% done except when i ping firewall interface by using one of the vlans gateway, it doesn't work. but from switch itself without specific source, it works. When i tried to ping the L3 interface ip with source vlan and i can ping it. So vlan gateway can reach L3 interface ip, and L3 interface can reach firewall. but vlan cannot reach firewall. 

Can you please explain more details about this statement? The firewall would need ip routes for the subnets of the vlans on the 3850 with the switch interface address as the next hop.

i think i might miss this part. 

Yes I believe that you missed that part and that part explains why you are not able to ping using one of the vlan gateways. Let me explain it this way. Let us assume that one of your vlans uses subnet 10.1.1.0 and the gateway address is 10.1.1.1. You ping the firewall, the destination address is the firewall address and the source address is 10.1.1.1. The ping reaches the firewall. The firewall needs to send a response to 10.1.1.1. But how does the firewall know where 10.1.1.1 is? The firewall needs a route for 10.1.1.0 and the next hop of that route needs to be the switch interface address.

If the firewall needs to send traffic to any address in a subnet that is on the 3850 then the firewall needs a route for that subnet and the next hop of that route needs to be the address of the switch interface that connects to the firewall.

HTH

Rick

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

i have vlan 1 shutdown.

i tried to config allowed all three vlans specific and just "swtichport mode trunk" alone without any other command

neither works. 

PolarPanda
Beginner
Beginner

so i changed the cisco interface from L2 to L3, and config the interface with an ip address

Then i can reach the firewall interface, and as well as other vlans if i use "source vlan" keyword in ping

Does anyone know why?

i had another site which has same config, but it's working. Cisco interface use switchport mode trunk, and default static route, then the route ip which is same as the firewall interface

small lab explain that in detail 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers