cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
822
Views
5
Helpful
10
Replies

Trouble forwarding VLAN traffic to gateway on different router

bforgeron
Level 1
Level 1

We have a private 10.54.66.0/24 network where the gateway is on a router beyond our control at 10.54.66.1.  We have an uplink coming directly from a L2 switch also beyond our control which we've put on GigE 0/0 and given the IP address 10.54.66.5.  We can ping the gateway and vice versa through the GigE 0/0 interface.

The problem we're facing is that we have been unable to get any of our switches and hosts behind our 10.54.66.5 router (3945 ISR) to ping our own 10.54.66.5 address.  We've setup our own VLAN 101 and tried setting up a PBR as shown below to ensure traffic for this VLAN is pushed to our GigE 0/0 interface.  As you'll see from the ip route we do have another private /24 which we have going through a port channel, but that is a stub network and we are able to have the gateway (10.23.144.1) on our router which works well.

interface GigabitEthernet0/0
description IT-NGLD-10.54.66.0/24
ip address 10.54.66.5 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
interface Vlan101
no ip address
ip nat outside
ip virtual-reassembly in
ip policy route-map PBR-IT-NGLD-10.54.66.0/24
ip access-list extended MATCH-PBR-IT-NGLD-10.54.66.0/24
permit ip any any
route-map PBR-IT-NGLD-10.54.66.0/24 permit 10
match ip address ip access-list extended MATCH-PBR-IT-NGLD-10.54.66.0/24
set ip next-hop 10.54.66.1
set interface GigabitEthernet0/0
Gateway of last resort is 10.23.39.177 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.23.39.177
    10.0.0.0/8 is variably subnetted, 21 subnets, 4 masks
C        10.23.39.176/29 is directly connected, Port-channel64.500
L        10.23.39.180/32 is directly connected, Port-channel64.500
C        10.23.144.0/24 is directly connected, Vlan100
L        10.23.144.1/32 is directly connected, Vlan100
C        10.54.66.0/24 is directly connected, GigabitEthernet0/0
L        10.54.66.5/32 is directly connected, GigabitEthernet0/0
C        10.100.80.0/24 is directly connected, Vlan180
L        10.100.80.1/32 is directly connected, Vlan180
C        10.100.86.0/24 is directly connected, Vlan186
L        10.100.86.1/32 is directly connected, Vlan186
C        10.100.87.0/24 is directly connected, Vlan187
L        10.100.87.1/32 is directly connected, Vlan187
C        10.100.88.0/24 is directly connected, Vlan188
L        10.100.88.1/32 is directly connected, Vlan188
C        10.100.89.0/24 is directly connected, Vlan189
L        10.100.89.1/32 is directly connected, Vlan189
C        10.100.90.0/24 is directly connected, Vlan190
L        10.100.90.1/32 is directly connected, Vlan190
C        10.100.95.0/24 is directly connected, Vlan195
L        10.100.95.1/32 is directly connected, Vlan195
S        10.212.0.0/16 is directly connected, Null0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, GigabitEthernet2/0
L        192.168.0.2/32 is directly connected, GigabitEthernet2/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet3/0
L        192.168.1.2/32 is directly connected, GigabitEthernet3/0
1 Accepted Solution

Accepted Solutions

Sorry I am not following.

Do you mean the switches are acting as L2 but the L3 SVIs are on the router ?

I am trying to work out whether you can just connect the link directly into a port on the switch in the chassis rather than to a routed port.

Then you can simply assign the IP directly to the SVI for vlan 101.

It woud mean slightly asymmetric routing when you went via the other router to get to anything but then so would anything to be honest.

Jon

View solution in original post

10 Replies 10

Jon Marshall
Hall of Fame
Hall of Fame

It's not clear why you need PBR but more importantly the SVI for vlan 101 does not have an IP address so nothing is going to route through it.

What device is vlan 101 on ?

Can you draw a quick diagram showing the layout and fill in the details ?

Jon

Thanks Jon for your response.  I don't believe we have a need for PBR, but it was something that was recently tried to ensure any VLAN 101 traffic was routed to GigE 0/0.

We have the IP address 10.54.66.5 on our GigE 0/0, and if we try to put say IP address 10.54.66.6 on VLAN 101 we get an error that it overlaps with GigE 0/0 and won't allow us to do it.  

If we just wanted to use the 10.54.66.0/24 as a stub network and then for VLAN 101 use for example 10.100.79.1 it would work fine, but our goal is to have hosts within our network that use IP addresses in the 10.54.66.0/24 range so they are routable outside of our router (10.54.66.5) to the rest of our corporation.

Here is a poor mans diagram to give you a sense.

IT router/gateway (10.54.66.1) ßà IT L2 switch ßà Our router gigE 0/0 (10.54.66.5) and dhcp server for 10.54.66.0/24 ßà private vlan 101 ßà Our switches with VTP ßà hosts needing to have routable IP address on 10.54.66.0/24 to reach IT router/gateway 10.54.66.1

Okay I understand now.

You can't do that because your SVI for vlan 101 would need to have an IP from the same subnet and the router won't let you do that.

There are a couple of options but do those hosts need to talk to any of the other subnets on your router or do they just need to talk to the gateway router ?

Jon

Our goal is to allow any of our hosts with an IP on 10.54.66.0/24 to be able to hit the 10.54.66.1 gateway and our private 10.100.0.0 subnets.  Traffic to/from our 10.23.144.0/24 network is ok to traverse the 10.54.66.1 gateway in order to get to our 10.54.66.0/24 configured hosts.

Actually I may be missing something obvious here but you have SVIs on your ISR.

Does this mean you have a L3 switch installed in your router ?

Jon

Our 3945 chassis has two etherchannel 24 port gigE 3760 modules, but they are not operating at L3.  Our uplinks for both the 10.23.144.0/24 stub network and the 10.54.66.0/24 are going directly to interfaces on our 3945 chassis.  We use one of the 3750 modules currently as a distribution switch to hit each of our rack switches.

Edit: 24 port modules, not 48

Sorry I am not following.

Do you mean the switches are acting as L2 but the L3 SVIs are on the router ?

I am trying to work out whether you can just connect the link directly into a port on the switch in the chassis rather than to a routed port.

Then you can simply assign the IP directly to the SVI for vlan 101.

It woud mean slightly asymmetric routing when you went via the other router to get to anything but then so would anything to be honest.

Jon

Yes that's right, switches are L2 and L3 SVI's on router.  Will try your suggesiton, thanks.

Moving the uplink from our 3945 routed port to a switch access port on one of our 3560 modules did the trick, just tagged it with our vlan 101 and gave the 10.54.66.5 IP to our vlan 101 interface.  

We're no having trouble getting DHCP to work from the 3945.  Is it correct that we'll need to have the gateway owners of 10.54.66.1 set an ip helper address to our 10.54.66.5 so DHCP requests get relayed back to our DHCP server?

I thought you were doing DHCP on your router ?

Clients in vlan 101 will simply send a DHCP request for an IP in vlan 101 and if  you have a DHCP pool on the router for that subnet it should work.

If it doesn't then adding an "ip helper-address .." command to the other router will do nothing at all.

Which IP address you use as the default gateway makes a difference.

If you use the SVI IP for vlan 101 then all traffic is routed on your router which means if there are any subnets that can only be reached via the other router you need to add routes to your router for them.

If you make the other router the default gateway then all traffic to any other subnets on your router will need to be routed back from the other router which means it needs to know about those routes.

It's not entirely clear how you want the routing to work ?

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card