Subscribe RSS 2.0 feed. Leave a response, or Trackback from your own site.

18 Responses to 'How to configure a Cisco Layer 3 switch-InterVLAN Routing'

1. Walt - October 17th, 2009 at 4:09 am

   Great article

2. patice - October 17th, 2009 at 5:12 pm

   Well done mate, well explained…..Thanks

3. Unes - November 3rd, 2009 at 10:44 pm

   thanks for this article , but i have some questions

   in fact in this scenario the security access-lists will be performed on the layer 3 switch rather than the firewall right ?
   2- what if i have a DMZ segment and i want grand access from DMZ to VLAN 10 ( servers VLAN )
   3- if i wan’t a VPN remote access tunnel from internet to VLAN 10 how can i configure the routing ?

4. BlogAdmin - November 4th, 2009 at 2:05 am

   1) The layer 3 switch can have security access-lists for controlling traffic ONLY between the VLANs (e.g traffic from Vlan10 to Vlan20 and vica-versa). This is usually useful for providing internal LAN segmentation and traffic control.
   2) If you have a DMZ on the firewall and want to grant access to vlan10, you need to allow this traffic on the ASA access-list and also configure the proper static nat on the ASA to allow access from lower security level (DMZ) to higher security level (vlan10). Note that vlan10 is still considered as inside zone (higher security level) for the ASA. The ASA also must have a static route pointing to internal vlan10 (route inside 10.10.10.0 255.255.255.0 10.0.0.1)
   3) As explained above, you need to configure a static route on the ASA to be able to reach the vlan10 network. The Layer3 switch needs only to have a default route pointing to the ASA 10.0.0.2 .

5. bonez - March 2nd, 2010 at 11:57 pm

   Is it possible to communicate between two VLAN in different LAYER 3 switch and the same subnetwork.

6. BlogAdmin - March 3rd, 2010 at 1:35 am

   bonez,
   No, you can not have the same subnetwork spanning a Layer3 boundary. Once you introduce a Layer3 in your path, the subnetworks MUST be different. However, a Layer3 switch can work as Layer2 as well or a combination. If the VLAN you mention is pure Layer2 Vlan (i.e you have not configured an “Interface Vlan xxx”) then you can have hosts belonging in the same subnetwork and connected on two different switches (in the same Layer2 Vlan).

   Please let me know if I’m not clear.

7. bonez - March 4th, 2010 at 1:18 am

   thank you sir.

8. nelson - April 20th, 2010 at 7:21 am

   On the inside interface of the ASA Ethernet0/1 the ip address should be 10.0.0.2 right?

9. Blog Admin - April 20th, 2010 at 3:24 pm

   Yes this is correct. This means also that the Cisco Layer3 switch should have a default route pointing to 10.0.0.2

   ip route 0.0.0.0 0.0.0.0 10.0.0.2

10. nelson - April 20th, 2010 at 5:10 pm

    Thanks a lot. I am going to try it tonight. So what is the ip address of the l3 switch? I mean if I want to telnet to the switch from Vlan10.

11. Blog Admin - April 20th, 2010 at 6:37 pm

    The IP of the switch if you are in Vlan 10 is 10.10.10.10. So if you telnet to that address it should work

12. nelson - April 20th, 2010 at 9:16 pm

    Just a few more question:
    1. In order to telnet to the l2 switches do I need to create VSI like:
    layer2-switch (config)#interface vlan10
    layer2-switch(config)#ip address 10.10.10.11 255.255.255.0
    layer2-switch(config)no shut

    2. If I put another cisco l3 switch (c3550), would I use the same configuration of the l2 switch?

    Regards,
    Nelson

13. Blog Admin - April 21st, 2010 at 11:53 am

    Nelson,

    For your first question: Normally for a Layer2 switch you use Vlan1 for management. So you configure an IP address under Vlan1

    interface vlan1
    ip address 192.168.1.1 255.255.255.0

    However, you will need to have a management station in a Vlan1 port in order to telnet to the switch at 192.168.1.1. The other alternative is that you can configure Vlan10 lets say as a management Vlan and then configure an IP address in Vlan10 subnet space (e.g 10.10.10.11 as you describe above). However, only from PCs connected to Vlan10 ports will be able to Telnet to the switch. Also, you should shut down Vlan1 if you configure a Vlan10 SVI.

    For you second question I did not understand what you want to achieve exactly. Can you please elaborate?

14. nelson - April 21st, 2010 at 12:20 pm

    Thanks for the advise. I able to created the intervlan except for get into the internet. I tried to ping the inside interface of ASA 10.0.0.2 but it not goes through. Can you help me with this?

15. Blog Admin - April 21st, 2010 at 1:49 pm

    ASA should have the proper routing for 10.10.10.0 and 10.20.20.0 networks. You must configure a static route on ASA as following:

    route inside 10.10.10.0 255.255.255.0 10.0.0.1
    route inside 10.20.20.0 255.255.255.0 10.0.0.1

16. nelson - April 22nd, 2010 at 6:08 am

    It worked. Thank you very much for your help.
    Nelson

17. mon - May 28th, 2010 at 5:00 pm

    hi, i have 2 x 3750E switches connected via the gi1/0/25 interfaces as trunks. how do i enable the ip routing? the command “ip routing” is invalid.
    thanks in advance…

18. Blog Admin - May 28th, 2010 at 6:38 pm

    Hello Mon,

    By default, IP routing should be already enabled on the 3750E. See the following from Cisco site:

    The Cisco Catalyst 3750-E Series is orderable with two feature sets:

    * IP Base: Includes advanced quality of service (QoS), security, and basic routing functionality
    * IP Services: Also includes advanced hardware-based IP unicast and multicast routing, as well as Virtual Route Forwarding (VRF), and policy-based routing (PBR).

    Therefore if you configure SVI interfaces (interface Vlan x) and configure an IP address on the SVI you should be able to implement Layer3 routing on the switch.

    Let me know if you need any help on that.

    Harris

Leave a Reply

Name

Email (will not be published)

Website