VTP between CAT3750-X and CAT4500-X

Hi,

I have a 3750 and a 4500 that are trunked together to share vlan 10 and vlan 100 through a VTP domain - test. The VLAN 100 on my 4500 has an IP of 192.168.3.1 and the VLAN 100 on my 3750 has an IP of 192.168.3.5. Is this do-able? For some reason I can't ping 192.168.3.5 itself locally from my 3750, but I could ping it from my 4500 or any other workstations on vlan 100. I can ping 192.168.3.1 (4500) from 3750.

Why is this the case?

I have created VLAN 10 on the 4500 with an IP of 192.168.2.249/30 so it can be an interface to connect to the next hop of 192.168.2.250/30 to my inside interface of my firewall. Again, I can ping 192.168.2.249 from my 4500, but I can't ping it from my 3750.

Any help or pointer would be greatly appreciated!

thank you!

Jon Marshall
Not sure why you can't ping the SVI locally but that aside if vlan 10 is used to connect to the firewall you don't need vlan 10 on the 3750.

And does the firewall have a route back to 192.168.3.0/24 ie. assuming an ASA -

route inside 192.168.3.0 255.255.255.0 192.168.2.249

Jon

Hi Jon,

It is an ASA5525 and it does have a route back to 192.168.3.0/24. Is it okay to have an IP for vlan 100 on both 4500 (192.168.3.1) and 3750 (192.168.3.5) under the same VTP domain?

It troubles me when I can't ping my vlan 100 (192.168.3.5) and the router interface IP (192.168.2.249) from my 3750.

thanks!

 

--Tony

Is it okay to have an IP for vlan 100 on both 4500 (192.168.3.1) and 3750 (192.168.3.5) under the same VTP domain?

Yes, it's absolutely fine.

In fact if you couldn't do that you would never be able to setup a switch management vlan.

Is the 3750 acting as a L2 or L3 switch ie. it is going to be routing between vlans or not ?

If not have you set the default gateway to be 192.168.3.1 ?

If it is L3 have you set the default route to be 192.168.3.1 ?

Jon

Can I have the default route for both 4500 and 3750 all point to the IP address of the firewall's inside interface?

I just have one vlan 100 on both switches that need to go out through the firewall. The firewall inside interface can be connected to either 4500 or 3750.

Thanks again!

Are you routing any other vlans internally ?

Or do you just have vlan 100 and that is it ?

If there are other vlans can you answer the question as to where the routing for vlans is happening and then I can help you with what you need to do.

Jon

Hi Jon,

I only have one vlan in a small network and it is vlan 100. The reason I have 4500 and a 3750 is because I have some workstations and servers that are connected at 10Gb speed to the 4500, but both switches are on the same VTP domain.

I need all outgoing traffic to go through the ASA 5525 firewall, but I don't care if it is connected to 4500 or 3750. I was going to make a port on any switch a routed port, but I was told it is probably better to create a SVI (vlan 10) and assign a port for connecting to the ASA firewall.

Thanks for your guidance!

 

--Tony

It's up to you really as to how you do it.

There are two main options -

1) have everything in vlan 100 and use the firewall as the default gateway.

The 4500 and the 3750 do not need to do any L3.  You can create SVIs for them in vlan 100 and give them IPs and if you want set the default gateway to be the ASA.

All clients would use the ASA as their default gateway.

Any traffic between clients and servers would not go to the ASA because they are all in the same vlan/IP subnet.

or

2) leave it as it is and set the default gateway for all clients to be the vlan 100 interface on the 4500. The 4500 needs to have routing enabled and a default route pointing to the ASA.

The ASA needs a route back which you have.

The 3750 does not need routing enabled and can just be configured with a default gateway the same as the clients ie. the vlan 100 interface IP on the 4500.

You don't need vlan 10 on the 3750, only vlan 100.

If you are going to be creating more vlans in future it makes sense to go with the second option.

Otherwise it doesn't really matter to be honest.

Really it's up to you as either will work.

Jon
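
Option 2 from the reply above, written out as device configuration. This is an added example, not configuration posted by anyone in the thread; the addresses come from the thread, and the /24 mask on VLAN 100 is an assumption taken from the ASA route quoted earlier.

```ios
! ---- Catalyst 4500: routes for VLAN 100, uplink to the ASA on VLAN 10 ----
ip routing
!
interface Vlan10
 description Transit link to ASA inside interface
 ip address 192.168.2.249 255.255.255.252
 no shutdown
!
interface Vlan100
 description Default gateway for clients and servers
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!
! Everything not local goes to the ASA inside interface
ip route 0.0.0.0 0.0.0.0 192.168.2.250

! ---- Catalyst 3750: Layer 2 only, VLAN 100 SVI is for management ----
no ip routing
!
interface Vlan100
 description Switch management
 ip address 192.168.3.5 255.255.255.0
 no shutdown
!
! Same gateway as the clients: the VLAN 100 SVI on the 4500
ip default-gateway 192.168.3.1

! ---- ASA 5525: return route for the client subnet via the 4500 ----
route inside 192.168.3.0 255.255.255.0 192.168.2.249
```

With this layout VLAN 10 exists only on the 4500, so the transit subnet to the firewall is not carried across the trunk to the 3750.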
