Cisco Catalyst switches equipped with the Enhanced Multilayer Image (EMI) can work as Layer 3 devices with full routing capabilities. Example switch models that support Layer 3 routing are the 3550, 3750, 3560, etc.
On a Layer 3-capable switch, the port interfaces work as Layer 2 access ports by default, but you can also configure them as “Routed Ports”, which act as normal router interfaces; that is, you can assign an IP address directly on the routed port. Moreover, you can also configure a Switch Vlan Interface (SVI) with the “interface vlan” command, which acts as a virtual Layer 3 interface on the Layer 3 switch.
In this post I will describe a scenario with a Layer 3 switch acting as an “Inter Vlan Routing” device together with two Layer 2 switches acting as closet access switches. See the diagram below:

Interface Fa0/48 of the Layer 3 switch is configured as a Routed Port with IP address 10.0.0.1 (the ASA firewall's inside interface at the other end of this /30 link is 10.0.0.2, which is the next hop of the switch's default route). Two VLANs are configured on the L3 switch, Vlan10 and Vlan20. For Vlan10 we will create an SVI with IP address 10.10.10.10, and for Vlan20 an SVI with IP address 10.20.20.20. These two IP addresses will be the default gateway addresses for hosts belonging to Vlan10 and Vlan20 on the Layer 2 switches respectively. That is, hosts connected to Vlan10 ports on the closet L2 switches will have 10.10.10.10 as their default gateway; similarly, hosts connected to Vlan20 ports on the closet switches will have 10.20.20.20 as their default gateway. Traffic between Vlan10 and Vlan20 will be routed by the L3 switch (InterVlan Routing). Also, all interfaces connecting the three switches must be configured as Trunk Ports in order to allow Vlan10 and Vlan20 tagged frames to pass between switches. Let’s see a configuration snapshot for all switches below:
Cisco L2 Switch (same configuration for both switches)
Layer2-Switch# configure terminal
! Create VLANs 10 and 20 in the switch database
Layer2-Switch(config)# vlan 10
Layer2-Switch(config-vlan)# exit
Layer2-Switch(config)# vlan 20
Layer2-Switch(config-vlan)# exit
! Assign Port Fe0/1 in VLAN 10
Layer2-Switch(config)# interface fastethernet0/1
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 10
Layer2-Switch(config-if)# exit
! Assign Port Fe0/2 in VLAN 20
Layer2-Switch(config)# interface fastethernet0/2
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 20
Layer2-Switch(config-if)# exit
! Create Trunk Port Fe0/24. Set the encapsulation before the trunk mode; on switches that
! only support 802.1Q (e.g. the 2960) the encapsulation command does not exist and is omitted.
Layer2-Switch(config)# interface fastethernet0/24
Layer2-Switch(config-if)# switchport trunk encapsulation dot1q
Layer2-Switch(config-if)# switchport mode trunk
Layer2-Switch(config-if)# end
Cisco Layer 3 Switch
Layer3-Switch# configure terminal
! Enable Layer 3 routing
Layer3-Switch(config)# ip routing
! Create VLANs 10 and 20 in the switch database
Layer3-Switch(config)# vlan 10
Layer3-Switch(config-vlan)# exit
Layer3-Switch(config)# vlan 20
Layer3-Switch(config-vlan)# exit
! Configure a Routed Port for connecting to the ASA firewall
Layer3-Switch(config)# interface FastEthernet0/48
Layer3-Switch(config-if)# description To Internet Firewall
Layer3-Switch(config-if)# no switchport
Layer3-Switch(config-if)# ip address 10.0.0.1 255.255.255.252
Layer3-Switch(config-if)# exit
! Create Trunk Ports Fe0/47 and Fe0/46 towards the two L2 switches
Layer3-Switch(config)# interface fastethernet0/47
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# exit
Layer3-Switch(config)# interface fastethernet0/46
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# exit
! Configure Switch Vlan Interfaces (SVI), the default gateways of Vlan10 and Vlan20
Layer3-Switch(config)# interface vlan10
Layer3-Switch(config-if)# ip address 10.10.10.10 255.255.255.0
Layer3-Switch(config-if)# no shutdown
Layer3-Switch(config-if)# exit
Layer3-Switch(config)# interface vlan20
Layer3-Switch(config-if)# ip address 10.20.20.20 255.255.255.0
Layer3-Switch(config-if)# no shutdown
Layer3-Switch(config-if)# exit
! Configure default route towards the ASA firewall inside interface (10.0.0.2)
Layer3-Switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.2
Layer3-Switch(config)# end
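As an added example (not code from the original post or from Cisco), the following Python script parses a condensed IOS-style Layer 3 switch configuration like the one above and flags the mistakes that come up repeatedly in the discussion: an SVI whose VLAN was never created, an addressed port that lacks "no switchport", a static route whose next hop sits on no connected subnet, a missing default route, and a DHCP pool whose default-router is outside its own network. The parser, the check wording and the sample configs are constructed for this example.

```python
# Added example, not code from the original post or from Cisco: a small
# sanity checker for the inter-VLAN routing parts of an IOS-style config.
# The parser only understands the handful of commands used in the post.
import ipaddress
import re


def parse_ios(text):
    """Extract VLANs, L3 interfaces, static routes and DHCP pools."""
    vlans, ifaces, routes, pools = {1}, {}, [], {}      # VLAN 1 always exists
    cur_if = cur_pool = None
    for raw in text.splitlines():
        line = " ".join(raw.lower().split())            # trim, squeeze spaces
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlans.add(int(m.group(1)))
            cur_if = cur_pool = None
        elif line.startswith("interface "):
            cur_if = line[len("interface "):].replace(" ", "")  # "vlan 10" -> "vlan10"
            cur_pool = None
            ifaces[cur_if] = {"ip": None, "routed": False}
        elif m := re.fullmatch(r"ip dhcp pool (\S+)", line):
            cur_pool, cur_if = m.group(1), None
            pools[cur_pool] = {"network": None, "default_router": None}
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)(?: \d+)?", line):
            dst = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((dst, ipaddress.ip_address(m.group(3))))
            cur_if = cur_pool = None
        elif cur_if and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            ifaces[cur_if]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur_if and line == "no switchport":
            ifaces[cur_if]["routed"] = True
        elif cur_pool and (m := re.fullmatch(r"network (\S+) (\S+)", line)):
            pools[cur_pool]["network"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif cur_pool and (m := re.fullmatch(r"default-router (\S+)", line)):
            pools[cur_pool]["default_router"] = ipaddress.ip_address(m.group(1))
    return vlans, ifaces, routes, pools


def check_config(text):
    """Return a list of problems found (empty list means nothing flagged)."""
    vlans, ifaces, routes, pools = parse_ios(text)
    problems = []
    connected = [i["ip"].network for i in ifaces.values() if i["ip"] is not None]
    for name, i in ifaces.items():
        if (m := re.fullmatch(r"vlan(\d+)", name)) and int(m.group(1)) not in vlans:
            problems.append(f"SVI {name}: 'vlan {m.group(1)}' was never created")
        if i["ip"] is not None and not name.startswith("vlan") and not i["routed"]:
            problems.append(f"{name}: has an IP address but lacks 'no switchport'")
    for dst, nh in routes:
        if not any(nh in net for net in connected):
            problems.append(f"route {dst}: next hop {nh} is on no connected subnet")
    if not any(dst.prefixlen == 0 for dst, _ in routes):
        problems.append("no default route: traffic beyond the connected VLANs is dropped")
    for name, p in pools.items():
        if p["network"] and p["default_router"] and p["default_router"] not in p["network"]:
            problems.append(f"pool {name}: default-router {p['default_router']} "
                            f"is outside {p['network']}")
    return problems


# Constructed inputs: the post's Layer 3 switch config, condensed, and a
# broken variant carrying the kinds of mistakes seen in the comments.
GOOD_CONFIG = """
ip routing
vlan 10
vlan 20
interface FastEthernet0/48
 no switchport
 ip address 10.0.0.1 255.255.255.252
interface vlan10
 ip address 10.10.10.10 255.255.255.0
interface vlan20
 ip address 10.20.20.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.2
"""
BROKEN_CONFIG = """
vlan 10
interface FastEthernet0/48
 ip address 10.0.0.1 255.255.255.252
interface vlan10
 ip address 10.10.10.10 255.255.255.0
interface vlan30
 ip address 10.30.30.30 255.255.255.0
ip dhcp pool vlan30
 network 10.20.20.0 255.255.255.0
 default-router 10.30.30.30
ip route 0.0.0.0 0.0.0.0 10.0.1.2
"""
NO_DEFAULT_ROUTE = GOOD_CONFIG.replace("ip route 0.0.0.0 0.0.0.0 10.0.0.2", "")

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)]:
        print(label, check_config(cfg) or "no problems found")
```

The broken variant reproduces the situations diagnosed in the comments: a default route whose next hop is not on the /30 link, a pool that hands out the wrong gateway, and a switch with no default route at all.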
Great article
Well done mate, well explained…..Thanks
Thanks for this article, but I have some questions:
1- In fact, in this scenario the security access-lists will be performed on the layer 3 switch rather than the firewall, right?
2- What if I have a DMZ segment and I want to grant access from the DMZ to VLAN 10 (servers VLAN)?
3- If I want a VPN remote access tunnel from the internet to VLAN 10, how can I configure the routing?
1) The layer 3 switch can have security access-lists for controlling traffic ONLY between the VLANs (e.g. traffic from Vlan10 to Vlan20 and vice versa). This is usually useful for providing internal LAN segmentation and traffic control.
2) If you have a DMZ on the firewall and want to grant access to vlan10, you need to allow this traffic on the ASA access-list and also configure the proper static nat on the ASA to allow access from lower security level (DMZ) to higher security level (vlan10). Note that vlan10 is still considered as inside zone (higher security level) for the ASA. The ASA also must have a static route pointing to internal vlan10 (route inside 10.10.10.0 255.255.255.0 10.0.0.1)
3) As explained above, you need to configure a static route on the ASA to be able to reach the vlan10 network. The Layer3 switch needs only to have a default route pointing to the ASA 10.0.0.2 .
Is it possible to communicate between two VLAN in different LAYER 3 switch and the same subnetwork.
bonez,
No, you cannot have the same subnetwork spanning a Layer 3 boundary. Once you introduce a Layer 3 device in your path, the subnetworks MUST be different. However, a Layer 3 switch can work as Layer 2 as well, or a combination. If the VLAN you mention is a pure Layer 2 VLAN (i.e. you have not configured an “Interface Vlan xxx”) then you can have hosts belonging to the same subnetwork and connected on two different switches (in the same Layer 2 VLAN).
Please let me know if I’m not clear.
thank you sir.
On the inside interface of the ASA Ethernet0/1 the ip address should be 10.0.0.2 right?
Yes this is correct. This means also that the Cisco Layer3 switch should have a default route pointing to 10.0.0.2
ip route 0.0.0.0 0.0.0.0 10.0.0.2
Thanks a lot. I am going to try it tonight. So what is the ip address of the l3 switch? I mean if I want to telnet to the switch from Vlan10.
The IP of the switch if you are in Vlan 10 is 10.10.10.10. So if you telnet to that address it should work
Just a few more question:
1. In order to telnet to the l2 switches do I need to create VSI like:
layer2-switch(config)# interface vlan10
layer2-switch(config-if)# ip address 10.10.10.11 255.255.255.0
layer2-switch(config-if)# no shut
2. If I put another cisco l3 switch (c3550), would I use the same configuration of the l2 switch?
Regards,
Nelson
Nelson,
For your first question: Normally for a Layer 2 switch you use Vlan1 for management. So you configure an IP address under Vlan1:
interface vlan1
ip address 192.168.1.1 255.255.255.0
However, you will need to have a management station on a Vlan1 port in order to telnet to the switch at 192.168.1.1. The other alternative is that you can configure Vlan10, let's say, as a management VLAN and then configure an IP address in the Vlan10 subnet space (e.g. 10.10.10.11 as you describe above). However, only PCs connected to Vlan10 ports will be able to telnet to the switch. Also, you should shut down Vlan1 if you configure a Vlan10 SVI.
For you second question I did not understand what you want to achieve exactly. Can you please elaborate?
Thanks for the advice. I was able to create the inter-VLAN routing, except for getting to the internet. I tried to ping the inside interface of the ASA, 10.0.0.2, but it does not go through. Can you help me with this?
ASA should have the proper routing for 10.10.10.0 and 10.20.20.0 networks. You must configure a static route on ASA as following:
route inside 10.10.10.0 255.255.255.0 10.0.0.1
route inside 10.20.20.0 255.255.255.0 10.0.0.1
It worked. Thank you very much for your help.
Nelson
Hi, I have 2 x 3750E switches connected via the gi1/0/25 interfaces as trunks. How do I enable IP routing? The command “ip routing” is invalid.
thanks in advance…
Hello Mon,
By default, IP routing should be already enabled on the 3750E. See the following from Cisco site:
Therefore if you configure SVI interfaces (interface Vlan x) and configure an IP address on the SVI you should be able to implement Layer3 routing on the switch.
Let me know if you need any help on that.
Harris
Hi. Thanks for the post!
A little question:
What does the “Layer3-Switch(config-if)# no switchport” command actually do, and why do we need one?
Could we just create another VLAN and set the helper-address on VLANs 10 and 20 to point to the ASA, for it to work as the DHCP server?
The command “no switchport” configures the specific interface as a Layer 3 routed interface. On a Layer 3 switch, interfaces can be configured in different modes of operation, such as pure Layer 2 (switchport), pure Layer 3 (no switchport), trunk port, etc.
Hi, I have an elementary question.
How can you configure encapsulation dot1q on a layer 2 switch? I tried it but it didn’t work.
Hi there,
If the switch is one of the newest models (e.g. 2960 etc.) the encapsulation dot1q is the default option (and the only option), so you don’t have to configure it. Just configure the port as a trunk port and that’s it.
What config settings can you put on a 2611 router to use it as a firewall instead of a Cisco ASA firewall?
regards
A Cisco IOS Router can work as a firewall as well. It is called Cisco IOS Firewall or CBAC (Context Based Access Control). You should get a specific IOS software image version which supports this functionality. Basically you use “ip inspect” commands to apply inspection for certain protocols and also using dynamic access lists. Do a search on Cisco website about CBAC for more information.
VERY NICE DOCUMENT FOR EVERY END USER
THX
I’m doing router on a stick with a 2950 and a 1721. I have the 1721 connected to a home Linksys WRT54GL. Linksys = 192.168.1.1, 1721 = 192.168.1.2. R.O.S. is 10.100.20 / .30 and so on. The 1721 has the DNS entry of my ISP. I can ping Google from the 1721 but not from the switch. From a PC on VLAN 20 I can ping 10.100.20.254 or 30.254 (DGs) and 192.168.1.2 but not 192.168.1.1 or Google.
Todd,
The problem seems to be on the Linksys. It does not have the proper static routes to reach the ROS subnets (10.100.20 etc). You must configure static routes on Linksys to reach 10.100.20 /.30 subnets via gateway 192.168.1.2 (which is the 1721 router).
Thanks, I was hoping to make this for someone who wouldn’t have to touch the Linksys and be plug and play. I will use this to examine config options on the Cisco side.
Excellent article.
If I wanted to add an additional couple of L2 switches, say for expansion or growth purposes, do I just connect them to the layer 3 switch via trunk ports and then set new vlans on the L2 switches?
Yes, you can do it like you said.
Very nice article.
I have a question. In this case you have only one link between the L3 switch and the ASA, and a default route is fine. How would you do it in case you have two ASAs pointing to two different ISPs, but you want the users in all VLANs to use both links? Ex: one link is the internet and the other is an MPLS to a remote location; all users need access to both locations. When they require access to the internet they use the internet link, and when they require access to a database or any service in the remote location they use the MPLS link. Is that possible without using any routing protocol? Can I use static routes based on destination IP address?
MPLS : 10.10.10.0/29
Internet: 20.20.20.0/29
ex:
ip route 10.10.10.0 255.255.255.248 interface 0/23 Inte
ip route 20.20.20.0 255.255.255.248 interface 0/24 MPLS
Thanks in advance.
Elegua,
Yes, this is the way to do it. However, instead of pointing the static route to an outgoing interface, I would use the internal IP address of the proper ASA. Also, for the internet, you must use a default static route.
e.g
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 20.20.20.0 255.255.255.248 10.1.1.2
(10.0.0.2 = IP address of ASA connecting to internet)
(10.1.1.2 = IP address of ASA connecting to MPLS network)
My problem is that I cannot configure an IP address on the ASA interface e0/1. It says that this command is just for VLAN interfaces. Any ideas? I even did no ip default gateway. My ASA is the DHCP server. ASA 5505 basic license. I hope I don’t have to have the Security Plus license for the ASA.
Thanks for you help
Edgard,
On ASA 5505 models, all interfaces are Layer 2 interfaces which belong to a certain VLAN (Vlan 1 for ports 1 to 7 and Vlan 2 for port 0). So you assign the IP address under the “interface Vlan 1” command.
I think you’ve made an error in response 4 above, which I’ve found is a common misconception regarding L3 switches. You cannot apply standard layer 3 ACL’s to control inter-vlan routing in your scenario. Traffic entering the L3 switch on a trunk port are already members of the vlan they are tagged with. Therefore inbound ACL’s do not apply to that traffic. You must use the more complicated Cisco’s VLAN MAPs in this instance to secure traffic from one vlan to another within the switch. If you don’t take this step, then all traffic can travel between vlans unrestricted, so what’s the point in segmenting to begin with? It’s a subtle point, but not trivial with Cisco L3 switches.
Steve,
Using layer3 access lists to control traffic between vlans on a Layer3 switch is something that I have done several times in the past. Basically the ACL is applied on the SVI interface in the “in” direction to control which traffic can exit this specific vlan for other vlans as destination. This is something that I have simulated also a few minutes ago on my Cisco packet tracer and works fine. As I have said, traffic within the same vlan is not affected by the ACL, but traffic between vlans is controlled by the ACL.
So 10.0.0.2 should be my interface ip address that will be my route set up to pass traffic?
“On the inside interface of the ASA Ethernet0/1 the ip address should be 10.0.0.2 right?”
and route 0.0.0.0 0.0.0.0 10.0.0.2
on the asa I need to create the route also?
route inside 10.10.10.0 255.255.255.0 10.0.0.1
route inside 10.20.20.0 255.255.255.0 10.0.0.1
Yes, that’s correct. However, if the ASA is model 5505, the IP address 10.0.0.2 must be assigned to interface vlan 1.
I have another question. I have another scenario: if I have two VLANs on the L3 switch and I connect two interfaces from the 3550 to the ASA 0/1 and 0/2, 0/1 being for vlan 1 on the ASA and 0/2 for the DMZ VLAN, this would be to segment the network not just in the LAN but also in the ASA. Is that possible? And if it is, what would be the better way to configure this scenario? My big problem would be the loops. Any suggestions on this one?
Thank you very much for your help.
I did the config as you explained before, with the VLAN IP 10.0.0.2 for vlan1 inside, but I have no IP address on the host for the SVI as it should have for that vlan3.
The ASA is running in routed firewall mode and running DHCP with scope 192.168.1.100 – 192.168.1.200.
Pings from the switch and the ASA get replies from vlan1 inside to vlan3 on the switch.
What could be the problem? I’m using Polycom for the IP phones on vlan3 and they get the configuration from an outside server in the cloud. I think this could be a DHCP issue, since the IP phones cannot get an IP even when they are on switchport access and switchport access vlan 3.
Int f0/7
description IP Phone
switchport access
switchport access vlan 3
L3 switch:
interface Vlan3
ip address 192.168.3.1 255.255.255.0
int f0/3
description link to asa – router port
no switchport
ip address 192.168.1.2 255.255.255.0
route 0.0.0.0 0.0.0.0 192.168.1.1 (Vlan1 on asa)
ASA 5505:
route inside 192.168.3.0 255.255.255.0 192.168.1.2
route outside 0.0.0.0 0.0.0.0 x.x.x.x (outside ip internet)
Thanks again.
What if we dont want ACLs on the Layer3 switch, we want all that on the ASA only. What would the config look like?
Rich,
The link connecting the switch with ASA must be a trunk port. Then, you configure the ASA physical interface with subinterfaces, with each subinterface being one vlan coming from the switch. Only Layer2 vlans must be configured on the switches without any layer 3.
Any ideas on this one? It may be the DHCP that is not giving out IPs? How do we set up the DHCP server on the L3? On mine I have it on the ASA, but hosts are not getting an IP.
Int f0/7
description IP Phone
switchport access
switchport access vlan 3
L3 switch:
interface Vlan3
ip address 192.168.3.1 255.255.255.0
int f0/3
description link to asa – router port
no switchport
ip address 192.168.1.2 255.255.255.0
route 0.0.0.0 0.0.0.0 192.168.1.1 (Vlan1 on asa)
ASA 5505:
route inside 192.168.3.0 255.255.255.0 192.168.1.2
route outside 0.0.0.0 0.0.0.0 x.x.x.x (outside ip internet)
Thanks again.
edgard,
You confused me big time. Anyway, I believe the issue is that the DHCP server is not on the same Layer 3 subnet as the phones (as I understand from your description). You will need to configure DHCP forwarding using ip helper-address. Research this on Google for more information.
I’m sorry, I’m going to try to be more specific.
I’m using the same topology that you have here in your blog. I have Vlan 2 192.168.2.1 – Vlan 3 192.168.3.1. The DHCP server is running on the ASA with a range of 192.168.1.100 – 200, but as you see Vlan3 is not in the same subnet as the DHCP, so my question is: when I have f0/7 on switchport access vlan3 for my IP phone, the phone gets a 10.x.x.x IP and not 192.168.3.x from vlan3.
Should I have a dhcp disable on the asa?
Is the vlan 3 acting as dhcp server for that vlan3?
Do I need a dhcp server for each vlan?
Int f0/7
description IP Phone
switchport access
switchport access vlan 3
L3 switch:
interface Vlan3
ip address 192.168.3.1 255.255.255.0
int f0/3
description link to asa – router port
no switchport
ip address 192.168.1.2 255.255.255.0
route 0.0.0.0 0.0.0.0 192.168.1.1 (Vlan1 on asa)
ASA 5505:
route inside 192.168.3.0 255.255.255.0 192.168.1.2
route outside 0.0.0.0 0.0.0.0 x.x.x.x (outside ip internet)
Thanks and let me know if I can be more specific, thanks.
DHCP is a Layer 2 broadcast protocol and therefore cannot pass through Layer 3 borders. You need to use the “ip helper-address” command on the Layer 3 switch in order to forward the DHCP request from vlan 3 towards the ASA firewall, which works as the DHCP server.
see this link for more info:
http://www.networkstraining.com/forwarding-a-dhcp-request-using-cisco-ip-helper-address-command/
Yes, seems like that was the problem, I was reading about it, I need to test tonight and let you know.
thanks
I figured it out. The problem is that the SVI needs not just the ip helper but also a pool of addresses for each VLAN. So it will be like this for each VLAN you have:
ip dhcp pool XBOX_NETWORK
network 10.200.70.0 255.255.255.252
default-router 10.200.70.1
dns-server 192.168.1.1
!
ip dhcp pool PC_NETWORK
network 10.200.60.0 255.255.255.248
default-router 10.200.60.1
dns-server 192.168.1.1
!
interface Vlan60
ip address 10.200.60.1 255.255.255.248
!
interface Vlan70
ip address 10.200.70.1 255.255.255.252
Please let me know if anybody needs help.
thanks for your help.
Hello,
Great article. I was able to follow and actually get intervlan routing to work but none of my pcs in the new vlan can connect to the internet. Would appreciate any ideas.
Here is my setup
two 3750s and a sonicwall router
router address 10.0.0.1
vlan 1 on 3750 10.0.0.180
vlan 2 on 3750 10.0.2.0
As mentioned above, pcs can communicate on both networks but pcs from vlan 2 cannot connect to internet. From vlan 2 I can ping the router. The router also has a static route for vlan 2.
When I tracert from a pc in vlan 2, I get a reply from 10.0.2.1 (vlan 2) destination host unreachable.
Thanks.
Soyful,
Did you configure a default route on the Layer 3 3750 switch? This default route should point to your SonicWall router:
Layer3-Switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
The Layer 3 switch knows how to send packets to your SonicWall because it is directly attached to it, but it does not know how to send packets to the internet, hence you need the default route.
Thank you. You sir are a genius. That worked.
Had to wait some time because of the production environment.
Can I link an L3 interface on the switch to a subinterface of a router directly?
Very nice article,
I do not have a firewall. Referring to your diagram, let’s say I have an internet connection plugged into the Layer 3 switch. How do I configure NAT for VLAN 10 and VLAN 20? I have a Cisco Layer 3 switch 3560.
The encapsulation protocol must be specified before the trunking statement in the config, because sometimes the switch needs you to define the trunk encapsulation protocol first.
Trunking will accept “switchport mode trunk” only if you execute the “switchport trunk encapsulation dot1q” command first. Configuration as follows:
switch#conf t
switch(config)#host SW1
SW1(config)#inter fa0/47
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
Yeah, that’s correct; it depends on the switch IOS software version though.
You will need to use the commands “ip nat inside” and “ip nat outside” on the VLAN interfaces. Then use the command “ip nat inside source list xxx” to select which traffic will be NATed.
Really good job Admin..
I am working on an academic project which deals with VLANs and the attacks that are possible on them. During my search I found that most of the VLAN attacks are already patched in Cisco switches, and the rest that are still possible can be due to misconfiguration of the VLAN or of the ACL that we use for it. So can there still be vulnerabilities in VLAN security, or are all of them patched? What is the state of the art of VLAN security and the attacks on it?
Layer 2 VLANs provide excellent security, especially from remote attacks. Now, if the attacker has physical access to the switch, there could also be some VLAN security issues (e.g. on ports configured as trunks etc.). Overall, VLAN segmentation of subnets is considered good security practice.
Hi,
I have a new switch 2960 connected to an 1841 router.
No DHCP server installed.
I have created a DHCP service on the 2960.
Created the switch telnet service on vlan1 — 10.25.19.2 255.255.255.0
I am able to have IPs leased to my PCs
can ping default gateway 10.25.19.1
can ping Printer 10.25.19.3
==> unable to ping 10.25.19.2 (telnet IP) from the WAN side
==> not a single PC can ping any other one
==> no internet through .1
Could you please help. Thanks a lot in advance.
==> please find my config script.
# Int vlan 2
# ip address 10.25.19.2 255.255.255.0
no shut
Service dhcp
ip dhcp pool
network 10.25.19.0 /24
dns-server 10.25.19.1
default-router 10.25.19.1
lease 7
domain-name
exit
ip dhcp excluded-address 10.25.19.1
ip dhcp excluded-address 10.25.19.2
ip dhcp excluded-address 10.25.19.3 [.1 : router / .2 – switch / .3 Printer]
exit
Switch(config)# interface range fa0/1 – 24
Switch(config-if-range)# switchport host
Any help would be highly appreciated.
…A few updates:
from LAN –> can ping 10.25.19.1 & .2 & .3
from WAN side –> can ping .1 (GWay) & .3 [but NOT .2]
No Internet/Intranet connection through .1 (from LAN)
No PC can ping any other.
Where is the issue?
Thanks a lot in advance.
Hi, I tried to do this topology in Packet Tracer, but I can’t set “switchport trunk encapsulation dot1q”. I don’t know why, but the switch doesn’t accept this command…
Do you have any idea about this issue?
Later I’ll try to use another simulator…
great article!
Nathan,
The newest IOS versions have the switchport trunk set to dot1q by default, so you don’t need to specify this anymore. In the past you had the option to set the trunk to “isl” encapsulation, which was Cisco proprietary but is not used anymore.
Rahul
Too much and confusing information. Be more clear. What is the exact topology? What do you want to achieve?
Well, I just need to set “switchport mode trunk native” then(?), because I get two options… native and allowed.
PS: I’m starting now in the Cisco world, so my question might not make sense xD
You don’t need to configure native. Just do the following:
“switchport mode trunk”
and that’s it.
Blog, I want all the dhcp leased host to browse Internet
GWay is connected to the switch
Switch is leasing the IPs to the host
Host can ping GW
Printer can be pinged through the gateway
I want Hosts to browse Internet
Thanks
Blog …this is the pic
Internet gateway (ROUTER) connected to the backbone VPN network and is up. This is the WAN side.
LAN side: I don’t have any DHCP server.
One switch 2960 connected to the above ROUTER/GW, and all the computers and the printer are connected to the SWITCH.
Configured DHCP on the SWITCH and it is leasing IPs.
Can PING the GW from the host
but no internet connection through the GW to the backbone network/VPN
I have shared the script above.
OBJECTIVE: Internet connection and communication amongst all the PCs.
Thanks.
Admin :
I created a VLAN 1 for the switch IP address, and due to this the IPs are getting leased properly; however they cannot talk to any of the IPs… due to segmentation. Do you think I should use ‘default-gateway’ inside vlan 1 and ‘ip routing’ to route all the traffic through the GW in/out?
Thanks a lot for your help.
Hi Admin
My objective is to ensure all PCS are browsing Internet and other sites through the Gateway Router.
Currently no name resolution is being performed; however DNS is assigned correctly. Hope there is clarity now.
Please help. Thanks in advance.
Is your Gateway router configured correctly? Did you configure NAT on the router? Does the router have proper routing and default route?
Hey, good article, very handy.
On a 3560 I’ve configured 3 SVIs on different IPs. However, this means that I can telnet into the switch on ALL 3 SVI IPs.
How can I lock this down so access is granted from only one of these IPs?
Sorry if it’s a basic question, my knowledge is not great on this.
Thanks for any help.
Chris,
You need to configure the access-class command and apply it to the telnet lines (vty 0 to 4). The access-class controls which IP addresses are allowed to telnet to the switch:
example:
access-list 23 permit 10.10.10.0 0.0.0.255
line vty 0 4
access-class 23 in
From example above, only network 10.10.10.0/24 will be allowed to telnet to the switch.
Hi BlogAdmin,
Very handy and excellent article, thanks for this. I have some questions; I have set up the following devices:
- ASA5510
- 3750 L3 as my core switch with 3 different SVIs
VLAN10 (192.168.10.x); VLAN20 (20.x); VLAN30 (30.x)
- 2960 L2 SW (port 1 on vlan 10; port 5 on vlan 20; port 10 on vlan 30 and port GE0/2 is my trunk)
- 1 AP that will authenticate via a RADIUS server.
A snapshot on the config as below:
ASA5510:
interface ethernet 0/1
description Inside Network
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface ethernet0/0
description ISP
nameif outside
security-level 0
ip address 192.168.2.12 255.255.255.0
dns domain-lookup outside
dns server-group DefaultDNS
name-server 203.113.131.1
name-server 203.113.131.2
name-server 203.162.0.181
access-list Internal_access_in extended permit ip 192.168.5.0 255.255.255.0 any
access-list Internal_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list Internal_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list Internal_access_in extended permit ip 192.168.30.0 255.255.255.0 any
access-list External_access_in extended permit ip any 192.168.5.0 255.255.255.0
access-list External_access_in extended permit icmp any any echo-reply
access-list External_access_in extended permit icmp any interface outside time-exceeded
access-list acl_out extended permit gre any interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Internal_access_in in interface inside
access-group External_access_in in interface outside
route inside 192.168.10.0 255.255.255.0 192.168.10.254 1
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
route inside 192.168.30.0 255.255.255.0 192.168.10.254 1
route outside 0.0.0.0 0.0.0.0 192.168.2.12 1
3750 L3 Config:
ip routing
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.253
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
dns-server 192.168.10.253
ip dhcp pool vlan30
network 192.168.20.0 255.255.255.0
default-router 192.168.30.254
dns-server 192.168.10.253
interface gigabitethernet1/0/47
description to2960
switchport mode trunk
switchport trunk encapsulation dot1q
interface gigabitethernet 1/0/48
description toasa
switchport mode trunk
switchport trunk encapsulation dot1q
interface vlan1
ip address 192.168.5.2 255.255.255.0
interface vlan10
ip address 192.168.10.254 255.255.255.0
interface vlan20
ip address 192.168.20.254 255.255.255.0
interface vlan30
ip address 192.168.30.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.5.1
2960 L2 config:
interface fastethernet0/1
switchport mode access
switchport access vlan 10
interface fastethernet0/2
switchport mode access
switchport access vlan 20
interface fastethernet0/10
switchport mode access
switchport access vlan 30
interface gigabitethernet0/2
switchport mode trunk
Here is the issue I encounter:
1.) From the 3750 switch I can ping all VLANs and hosts and can also go to the internet, except in vlan 10: when the host gets an IP address automatically from vlan 10 it won’t be able to go to the internet, but if you assign a static IP address which is on the same segment as vlan 10 it will be able to go to the internet. Also telnetting from vlan10 and pinging the internet is OK. (This is very weird.) I tried the following:
- I connect a host from vlan 10 – ping from vlan 10 to vlan 20 is OK; ping from vlan 10 to vlan 30 is OK; ping to the internet is not OK, but if you assign a static IP to the host under vlan 10 it will be able to ping the internet. (Pretty weird)
- I connect a host from vlan 20 – ping from vlan 20 to vlan 10 is OK; ping from vlan 20 to vlan 30 is OK; ping to the internet is OK.
- I connect a host from vlan 30 – ping from vlan 30 to vlan 10 is OK; ping from vlan 30 to vlan 20 is OK; ping to the internet is OK.
2.) From the 2960 switch, I connect an AP (which uses RADIUS authentication) to port 1, which belongs to VLAN 10; the host can successfully authenticate to the RADIUS server, go to the internet and successfully ping both vlan 20 and vlan 30.
3.) From the 2960 switch, I move the AP (which uses RADIUS authentication) to port 5, which belongs to vlan 20; the host won’t be able to authenticate to the RADIUS server.
4.) From the 2960 switch, I move the AP (which uses RADIUS authentication) to port 10, which belongs to vlan 30; the host can successfully authenticate to the RADIUS server, go to the internet and can ping vlan 10 and vlan 20.
I would appreciate it if someone could explain these weird things to me…
Thanks in advance admin,
This is brilliant. I did consider ACLs as the key, and this does the trick for devices I have on VLAN 5. I’ve got it set up so the 3560 trunks to a Foundry FastIron which has a VLAN 5 (192.168.240.x/24), and the 3560 has its own VLAN 10 SVI (10.172.248.x/24) & a VLAN 5 SVI (192.168.240.254) and performs L3 routing. Effectively it’s a router-on-a-stick sort of arrangement.
However, devices on VLAN 5 (192.168.240.x) can still telnet to the Cisco 3560 by putting in the telnet address of the VLAN 5 SVI (192.168.240.254).
Is there a way of closing off this SVI IP (192.168.240.254) from telnet access, so that telnet access is restricted to the other SVI IP only (VLAN 10 10.172.248.254)?
At the moment I can still telnet to both SVIs from VLAN 10, although using the ACL you kindly suggested means that devices on the Foundry (VLAN 5) with its switch IP of 192.168.240.1 cannot telnet to this address.
Thanks for any info you may have. Much appreciated, as I’ve searched around for a way of doing this, but I’m not an expert by any means at this!!
Hi, I have a 3560 that I have to connect to a VSAT dish via Ethernet and connect IP phones on the other side. How do I go about this? I plan to create two VLANs, one for voice and the other for data, and I also have to prioritize the voice over the data traffic.
@Blog Admin: What's your take on this set of configs?
CISCO-PHONE INTERFACES
Switch(config)# mls qos
Switch(config)# interface range gigabitethernet 0/1 - 4
Switch(config-if-range)# description IP-Phones
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport voice vlan 20
Switch(config-if-range)# mls qos trust cos
Switch(config-if-range)# mls qos trust device cisco-phone
Switch(config-if-range)# end
VLANS
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name data-vlan
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name voice-vlan
Switch(config-vlan)# exit
VSAT INTERFACE
Switch(config)# interface Ethernet 0
Switch(config-if)# no switchport
Switch(config-if)# description VSAT-DISH link
Switch(config-if)# ip nat inside
Switch(config-if)# ip address X.X.X.X subnetmask
Switch(config-if)# no shut
Switch(config-if)# exit
The IP phones and PCs get internet from the VSAT satellite, which receives from another satellite point to point.
April,
You don't expect me to answer all of your questions, right?
Anyhow, the problem is the link between your Layer 3 switch and the ASA inside interface. This link must be a Layer 3 link with a subnet within 192.168.5.0/24 (since the inside interface of the ASA is 192.168.5.1). Let's say that this Layer 3 link on your L3 switch is 192.168.5.2. The static routes on your ASA must be:
route inside 192.168.10.0 255.255.255.0 192.168.5.2 1
route inside 192.168.20.0 255.255.255.0 192.168.5.2 1
route inside 192.168.30.0 255.255.255.0 192.168.5.2 1
Chris,
You can use an ACL applied in the inbound direction of the Vlan 5 SVI. E.g., create an ACL that denies all telnet access towards 192.168.240.254 and then permits everything else. Then apply this ACL (as an access-group) in the "in" direction on the SVI.
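The ACL approach from the reply above, written out as an added example (not Chris's or the admin's configuration); it assumes the SVI addresses from the question (Vlan 5 = 192.168.240.254/24, Vlan 10 = 10.172.248.254/24) and adds a VTY access-class as a second, separate control, because an inbound ACL on the Vlan 5 SVI does not by itself stop a Vlan 5 host from opening a telnet session to the Vlan 10 SVI address.

```cisco
! Added example, not the original poster's or the blog's config.
! Assumed: Vlan5 SVI 192.168.240.254/24 (Foundry side), Vlan10 SVI 10.172.248.254/24 (management side).
!
! 1) Per-SVI ACL: drop telnet aimed at the Vlan5 SVI address, let all other traffic through.
ip access-list extended VLAN5-NO-TELNET
 remark Manage this switch only via the Vlan10 SVI address
 deny   tcp any host 192.168.240.254 eq 23
 permit ip any any
!
interface Vlan5
 ip address 192.168.240.254 255.255.255.0
 ip access-group VLAN5-NO-TELNET in
!
! 2) VTY access-class: whichever SVI address a session lands on, only sources in the
!    management subnet are accepted. This is what actually restricts who can log in.
ip access-list standard MGMT-HOSTS
 permit 10.172.248.0 0.0.0.255
!
line vty 0 15
 access-class MGMT-HOSTS in
 ! Prefer SSH to telnet for management; requires "ip domain-name" and "crypto key generate rsa" first.
 transport input ssh
!
! Check: "show access-lists VLAN5-NO-TELNET" should show deny hits when a Vlan5 host
! tries telnet to 192.168.240.254; "show line vty 0" shows the access-class applied.
```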
Kim,
You don't have any control over the VSAT link, so your QoS will not work. You did some QoS configuration on the switch, but that does not mean that you will have "end-to-end" quality of service over the VSAT link.
Thanks Blog Admin, I have control over the VSAT link as it is within my boundary. I want to know if the set of configs there is well set up, if I need to change something in the configs, and if my setup of having two VLANs for voice and data will work out fine.
Your setup looks fine from a quick glance. Having two VLANs for voice and data is recommended, actually.
Once Again, Thank-you! Brilliant blog!
@Admin Blog
You're damn great. I just changed my home page from cisco.com to your URL; that should mean something in terms of recognition for your work.
Hi Blog Admin,
I have a problem with my Config. This is the Scenario:
I have an Aztech router (192.168.1.2) connected to a Cisco 3560 on Giga0/48 (192.168.1.1).
VLAN10- Servers
VLAN20-USERS
VLAN30-WIFI
VLAN40-VOICE
My Cisco 3560 serves as the DHCP server. All VLANs can communicate with each other if you ping.
I can connect to the internet if I am directly connected to the Aztech internet router. The problem is I cannot connect to the internet from any of the workstations, even when they are directly connected to the switch or connected through wireless.
1. Am I supposed to ping the IP address of the Aztech Router?
2. I already run this command:
interface GigabitEthernet0/48
description "Connected to Aztech Router Fa0/1"
no switchport
ip address 192.168.1.1 255.255.255.0
and
ip route 0.0.0.0 0.0.0.0 192.168.1.2
3. Is it because of my DNS entries? I use dns-server 192.168.1.1. Is it correct? What should my dns-server IP address be?
Appreciate your kind response for this. Badly needed. Thank you in advance!
June,
First of all, the DNS should be either the Aztech router IP (192.168.1.2) or your ISP's public DNS. Also, the Aztech router must have static routes configured for your internal VLAN subnets. E.g., if VLAN10 is subnet 192.168.10.0/24 then the router must have a static route for 192.168.10.0/24 pointing to 192.168.1.1 (your Layer 3 switch).
Thanks for your reply Admin Blog:
1. Please tell me if this config is correct for the static route:
ip route 192.168.10.0 255.255.255.0 192.168.1.1
ip route 192.168.20.0 255.255.255.0 192.168.1.1
ip route 192.168.30.0 255.255.255.0 192.168.1.1
ip route 192.168.40.0 255.255.255.0 192.168.1.1
Another question:
2. What if I created a VLAN 80 to connect to the Aztech router on Gi0/48; how can workstations connect to the internet without using the "no switchport" command? Can you please give me the config for this?
Apologies, I'm a newbie at this configuration; that's why I'm asking these questions.
Thank you.
Yes, they are correct. Configure an interface vlan 80 and then configure port Gi0/48 as a switchport access port belonging to VLAN 80.
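The VLAN 80 variant of the uplink, as an added example (not June's or the admin's configuration). It reuses the addressing from the question (3560 uplink 192.168.1.1/24, Aztech router 192.168.1.2, VLAN 20 users in 192.168.20.0/24) and assumes 192.168.20.1 as the VLAN 20 SVI address; the static routes on the Aztech router stay as listed in the comment above.

```cisco
! Added example, not the original poster's or the blog's config.
! Uplink to the Aztech router as a Layer 2 access port in VLAN 80 with an SVI,
! instead of the "no switchport" routed port.
vlan 80
 name UPLINK-AZTECH
!
interface Vlan80
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/48
 description Connected to Aztech Router Fa0/1
 switchport                      ! reverts the earlier "no switchport"; the old IP is dropped
 switchport mode access
 switchport access vlan 80
 spanning-tree portfast
!
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
! DHCP for the user VLAN: hand out the router (or ISP) DNS address, not the switch's own SVI.
! 192.168.20.1 as the VLAN 20 gateway is an assumption.
ip dhcp excluded-address 192.168.20.1
ip dhcp pool VLAN20-USERS
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.1.2
!
! Checks: "show ip interface brief" shows Vlan80 up/up with 192.168.1.1,
! "show ip route" shows S* 0.0.0.0/0 via 192.168.1.2, and a VLAN 20 host
! should be able to ping 192.168.1.2 before testing internet access.
```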
Hi Blog Admin, thanks for the article. Any help would be appreciated. Slightly different config: if you had a Layer 3 switch as above connected to two different ASA 5505s, each one connected to a different ISP connection, how would you configure it to route and load balance between the two?
Many Thanks!
To GDHUK:
First of all, you cannot have two Cisco ASAs on two different ISP connections and do load balancing. You must have one of the two as active and the other as backup. You will have to configure two default static routes on the Layer 3 switch pointing to the two ASA firewalls. The backup route must have a higher metric than the active route.
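The two default routes from the reply, as an added example (not GDHUK's or the admin's configuration). Interface names and the two /30 link subnets are assumed; the point of using two separate routed ports rather than one shared VLAN is explained in the comments.

```cisco
! Added example, not the original poster's or the blog's config.
! Assumed: Gi0/47 -> ASA-A inside 10.0.1.2 (active path), Gi0/48 -> ASA-B inside 10.0.2.2 (backup path).
interface GigabitEthernet0/47
 description Link to ASA-A inside (active)
 no switchport
 ip address 10.0.1.1 255.255.255.252
!
interface GigabitEthernet0/48
 description Link to ASA-B inside (backup)
 no switchport
 ip address 10.0.2.1 255.255.255.252
!
! Only the lowest administrative distance is installed; the backup (AD 10) appears in
! the routing table only when the primary's next hop becomes unreachable, which for a
! plain static route means the connected interface Gi0/47 going down.
ip route 0.0.0.0 0.0.0.0 10.0.1.2 1
ip route 0.0.0.0 0.0.0.0 10.0.2.2 10
!
! Caveat: if both ASAs sat on one shared VLAN, the primary route would stay installed even
! with ASA-A dead, because the SVI stays up. Separate links (as here) or a tracked static
! route (IP SLA + "track") are needed to detect a failed firewall.
! Each ASA also needs an inside route for the LAN VLAN subnets pointing back at its own
! switch link (10.0.1.1 or 10.0.2.1), e.g. "route inside 10.10.10.0 255.255.255.0 10.0.1.1".
! Check with "show ip route" (S* via 10.0.1.2) and again after "shutdown" on Gi0/47.
```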
Thanks for the info, much appreciated. In that case, would it be simpler just utilising one ASA with the two ISP connections as per your other blog? I can't see the benefit of using two if one can do the same thing.
Thanks again
Yeah, that's correct. It's much simpler and more cost effective to utilize one ASA for two ISP connections.
Hello,
I was just handed a Cisco Catalyst 6509 to do the following without using a router.
Create 50 VLANs that are isolated from each other (one for each tenant).
Prevent tenants from placing a switch or router downstream and creating additional internet access points in their office.
Each VLAN must have Internet connectivity.
Each VLAN must have access to a shared network printer.
Any input or guidance is greatly appreciated.
AAMM
Hi,
Actually, I am facing some problems while implementing a WS-C3750G-12S switch with 2960 series switches. They are all
linked with fiber and configured as trunk ports.
What I am facing is that communication between two different VLANs is not possible. Is there anything to keep in mind? Even when I enable EIGRP on the L3 switch and advertise, "show ip route" shows all VLANs as connected (C), not D.
By default the 3750 should support routing, but it does not.
How should I configure it from the beginning?
Any help is highly appreciated.
I have a small doubt: the IP is in the class A range, so why are we using the 255.255.255.0 subnet mask?
Layer3-Switch(config)# interface vlan20
Layer3-Switch(config-if)# ip address 10.20.20.20 255.255.255.0
Layer3-Switch(config-if)# no shut
Nikhil,
This is called "subnetting". It means splitting a bigger network range into smaller subnets. So we split the class A network address into a class C-sized subnet address.
I just wanted to say I just bought your ebook and it's hands down the best out there. I do have a question regarding this scenario. What would be your config for this ASA as far as IP addressing and VLANs if it was a 5505 with a base license?
For example
interface Vlan10
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x (outside IP)
!
interface Vlan20
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
!
interface Vlan30
no forward interface Vlan20
nameif dmz
security-level 50
!
interface Ethernet0/0
description TO INTERNET
switchport access vlan 10
speed 100
duplex full
!
interface Ethernet0/1
description TO L3SWITCH
switchport access vlan 20
speed 100
duplex full
Does vlan 20 on the ASA have anything to do with vlan 20 on the L3 switch?
Hi Edwin,
I’m glad you liked my ASA ebook.
Regarding your question, vlan 10 and 20 on the Layer 3 switch have nothing to do with the ASA. The interface connecting the L3 switch with the inside interface of the ASA is a normal routed interface, so you can leave Ethernet0/1 of the ASA as a normal vlan1 (untagged) interface.
interface Ethernet0/1
description TO L3SWITCH
switchport access vlan 1
speed 100
duplex full
Then assign an IP address to interface vlan1:
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
Thank you very much sir….
Hi there. I am running a similar topology in a non-production network that is going live next week. Instead of a default route going to a single internet-connected ASA/router, we'll be using two ASA 5510s connected to two internet edge routers running BGP outside and iBGP between them. I was wondering how you might configure the two ASAs for maximum availability and load balancing. In particular, I am not sure whether to put them in active/active failover or active/passive and leave the load balancing to the iBGP session. Any advice would be greatly appreciated.
Thanks!
Will,
The best thing to do is to configure the ASAs as active/standby and leave the load balancing to the iBGP between the routers. The default gateway of the Layer 3 switch will point to the ASA active inside IP. However, you will need to provide a default gateway address for the ASA outside, because the ASA 5510 does not support BGP.
Thanks for the advice! Correct me if I am wrong, but the plan would be to create an additional VLAN and SVI for both ASA inside interfaces and set my default route through this SVI (and not a routed port)? Also, for my active/passive config, will it be possible to use a single physical link for both the LAN and stateful failover links (two sub-interfaces)? And if so, will I need to connect these links via a switch, or will a crossover/straight-through cable work?
Yes, you should create a VLAN for the inside interfaces and create an SVI in the same subnet as the inside IP subnet of the ASA. For the failover, a single physical interface is enough for both the stateful and failover links (you don't even need sub-interfaces). A direct crossover cable is OK also.
Hi All,
I've set up a laboratory for VLANs. What I want to achieve is sharing the internet connection with the following VLANs: vlan1, vlan2, vlan3. Vlan 1 is able to access the internet connection, but the other VLANs, vlan2 and vlan3, can't access the internet. Here's my configuration:
CISCO 2800 Series
interface FastEthernet0/0
ip address 192.168.1.40 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.99
no ip http server
no ip http secure-server
!
!
ip nat inside source list internet interface FastEthernet0/0 overload
!
ip access-list extended internet
permit ip 192.168.2.0 0.0.0.255 any
permit ip 20.20.20.0 0.0.0.255 any
permit ip 30.30.30.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
logging synchronous
login
!
scheduler allocate 20000 1000
end
!
hostname Switch
!
enable password cisco
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip routing
ip name-server 213.42.20.20
ip dhcp excluded-address 20.20.20.1
ip dhcp excluded-address 30.30.30.1
!
ip dhcp pool pool1
network 20.20.20.0 255.255.255.0
dns-server 213.42.20.20
default-router 20.20.20.1
!
network 30.30.30.0 255.255.255.0
default-router 30.30.30.1
dns-server 213.42.20.20
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
ip address 20.20.20.1 255.255.255.0
!
interface Vlan3
ip address 30.30.30.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password cisco
logging synchronous
login
line vty 5 15
login
!
end
----------------------------------

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/4, Gi1/0/5
                                                Gi1/0/6, Gi1/0/7, Gi1/0/8
                                                Gi1/0/9, Gi1/0/10, Gi1/0/11
                                                Gi1/0/12, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17
                                                Gi1/0/18, Gi1/0/19, Gi1/0/20
                                                Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/0/24, Gi1/0/25, Gi1/0/26
                                                Gi1/0/27, Gi1/0/28
2    test1                            active    Gi1/0/2
3    test2                            active    Gi1/0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
You need to create a routed port on the switch connected to the inside of the router. Remove vlan1 and put an IP address on the interface connected to the inside of the router (e.g. make interface GigabitEthernet1/0/1 a "no switchport" port and then assign it the IP address 192.168.2.2).
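The change suggested in the reply, applied to the 3750 and 2800 configurations posted above, as an added example (not the commenter's or the admin's configuration). It also adds the return routes on the 2800 for 20.20.20.0/24 and 30.30.30.0/24: the router's NAT access-list "internet" already permits those subnets, but the posted router config has no route back to them, so replies would follow the default route out FastEthernet0/0 instead of going to the switch.

```cisco
! Added example, not the original poster's or the blog's config.
!
! --- 3750: make Gi1/0/1 a routed port toward the 2800's Fa0/1 (192.168.2.1) and
!     take the IP address off the Vlan1 SVI, as the reply suggests.
interface GigabitEthernet1/0/1
 description Uplink to 2800 Fa0/1
 no switchport
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan1
 no ip address
!
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
! --- 2800: routes back to the VLAN 2 and VLAN 3 subnets via the switch's routed port.
!     Without these, only 192.168.2.0/24 (VLAN 1) is reachable from the router, which
!     matches the symptom "vlan1 works, vlan2 and vlan3 don't".
ip route 20.20.20.0 255.255.255.0 192.168.2.2
ip route 30.30.30.0 255.255.255.0 192.168.2.2
!
! Checks: on the 2800, "show ip route" should list the two static routes via 192.168.2.2,
! and "show ip nat translations" should show entries for 20.20.20.x / 30.30.30.x hosts
! once they generate traffic; on the 3750, "show ip interface brief" shows Gi1/0/1 with 192.168.2.2.
```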
Thanks for the article, but I have some questions.
1- If I want to connect to a host on VLAN 10 remotely from the outside network, what is the suggested configuration?
2- If I want to enable HSRP for VLAN 10, which IP address next to the standby IP will be used?
Thanks
1- Do a remote access VPN, or create a static NAT mapping of the VLAN 10 host to an outside address.
2- HSRP is used when having two Layer 3 devices as gateways. In our scenario above (only one Layer 3 device) there is no point in doing HSRP.
Sir, I have a question.
I have created 4 VLANs on a Cisco Catalyst L3 3550 switch and I have configured their default gateways on another Cisco L3 3550.
I have enabled IP routing on the second switch and applied ACLs on the default gateways.
Is this scenario possible without a router????
When I am trying to ping another PC in the second VLAN it is not working, but I am able to ping the default gateways of the other VLANs.
Please provide me some solution…
Arun:
1) All VLANs must be created on all switches as Layer 2 VLANs.
2) Remove all ACLs and try again.
3) Remove the Windows firewall (if any) from the PC.
Sir, I am trying to create inter-VLAN communication, and for that ACLs must be there.
And I have already removed the Windows firewall.
Sir,
is inter-VLAN communication possible with an L3 switch without using a router?
arun,
Yes, of course you can do inter-VLAN communication with an L3 switch. This is what it is supposed to do, actually.