
using layer 2 and layer 3 switch to get communications

colinmcdonald
Level 1

Hi

We have a layer 2 switch (Cisco 2960) connected to a telecoms service to link a remote site to HQ.

And we have a layer 3 switch (Cisco 3750) connected via fibre uplink (GBIC transceivers) to that layer 2 switch.

We have 3 VLANs set up at the two switches: VLAN 3 for the transit network to the telecoms service, VLAN 2 for the users, VLAN 6 for the management VLAN.

I need to know how to set up the two switches with VLAN config so that a layer 2 switch will talk to the layer 3 switch (connected by fibre uplinks) to get its routing and ACLs, because the layer 2 cannot have routing or ACLs.

So far, I can ping between the two switches ok, e.g. ping on the same VLAN and between VLANs ok. The uplink port is the trunk port and is obviously allowing comms ok, as the ping from one switch to the other proves that.

But I am not able to ping out of the two switches to anything on the telecoms service or beyond it.

Note: I have dedicated ports on the layer 2 2960 switch ok. Ports 1 to 3 are VLAN 3 and ports 4 to 6 are VLAN 6, ports 7 to 48 are the user VLAN (VLAN 2).

On the layer 3 switch (3750) all 24 ports (it's a 24 port switch) are on VLAN 2.

Routing is enabled and there is a static route for 10.0.0.0 to go via the router on the comms service (on the transit).

ACLs are set up for appropriate inbound and outbound access ok.

Each of the two switches has a dedicated ip address for each VLAN.

Can anyone assist or provide guidance?

Colin

11 Replies

Jon Marshall
Hall of Fame

Colin

So your 3750 has a static route pointing to 10.0.0.0. Packets that take that route go from the 3750 to the 2960 and then off to HQ - is that correct?

And there is a router connected to the WAN link to HQ that is connected to your 2960 on a port in VLAN 3?

If so, do you control that router?

We need a bit more detail.

Jon

Yes, that is correct, the 2960 is at the location where the WAN router is.

And the 3750 is in another part of the building and therefore too far away from the WAN router, hence the attempt to use the layer 2 2960 to link to that router and use the 3750 to route back etc etc.

But we don't control the router. It is a company called Eircom who controls it.

The telecoms link via Eircom is fine, as I can plug a laptop directly into their router and ping back to servers in HQ ok.

Colin

Couple of things. The 2960 may be able to do L3 with basic static routing. That is more for your info than anything else.

Do you know if the router has routes back to your subnets, i.e. it should know about VLAN 3 assuming it is on the same subnet, but what about the other VLANs/subnets?

Also, how does HQ know about your subnets? Are you advertising them via a routing protocol on the WAN router or are there static routes on the HQ router?

The 2960 will not do any routing. Routing commands do not work on it. I tried them.

Yes, the Eircom WAN router has routing all set up for the subnets ok. Eircom have confirmed that.

That Eircom WAN router would not know anything about VLAN 2 or 3 etc. It is a node on the same transit IP network as VLAN 3 IP addresses on each of the two switches. And it passes all traffic through irrespective of VLAN source.

HQ knows how to route to the subnets ok. It knows that via our Firewall which has the central routing table for that purpose.

Do I need to set up dedicated ports on both switches or just one? i.e. dedicated for the VLANs.

And would setting up both switches with the same IP address help, even if it were possible? (I have not tried it, thinking perhaps that it may cause a conflict).

Colin

You may not have the right feature set on the 2960 for routing.

"That Eircom WAN router would not know anything about VLAN 2 or 3 etc. It is a node on the same transit IP network as VLAN 3 IP addresses on each of the two switches. And it passes all traffic through irrespective of VLAN source."

I don't understand this. Assuming the VLANs are using different IP subnets and the router is acting as a router it can just pass them through. Any device that is not part of VLAN 3, i.e. using a different IP subnet, would have to be routed by that router?

"HQ knows how to route to the subnets ok. It knows that via our Firewall which has the central routing table for that purpose."

This is the first mention of a firewall. Where does that sit in relation to the switches and the router?

Jon

Yes, the WAN knows what to do with the IP address subnet, i.e. both subnets, but I did not have to tell Eircom about any VLAN id numbers. But perhaps that router knows automatically by examining each packet. I don't know the exact method it uses.

The firewall is at our HQ site only.

It is fine with regard to incoming and outgoing traffic to/from the remote site. This is proven via the test I did using the laptop directly on the remote site Eircom managed router, i.e. ping in and out worked fine to/from that laptop.

But when that laptop is given an IP address in the VLAN 2 or VLAN 3 ranges and actually plugged into the switches, it does not ping out.

Hope that clarifies your question.

Colin

"but I did not have to tell Eircom about any VLAN id numbers."

Sorry, I misunderstood. Routers don't care about VLAN number usually, they just look at the IP address.

Can you post these commands from each switch -

1) sh ip route

2) sh vlan brief

3) sh int trunk

4) sh ip int br | include Vlan

Jon

Yes, when I am next at the remote site I will run the commands and screen dump the results.

Thanks.

LUKASZ KITA
Level 1

Subinterfaces might solve it on the router.


luke ki

Would you please clarify that possible solution?

We have no access to the WAN router.

We just have access to the layer 2 2960 and layer 3 3750 switches.

Colin

It isn't a solution because -

1) as you have already said, you do not control the router

2) we should be able to get it to work anyway as you have a L3 capable switch

On the issue of L3 capable, can you find out what feature set the 2960 is using? It should be able to do routing but it needs a specific feature set. I don't see why we cannot make it work off the 3750 but it is always handy to have a backup plan if needed.

Jon