Solved

InterVlan routing using a Cisco 3750

Posted on 2006-11-14
2,945 Views
Last Modified: 2013-11-16

I am trying to route communications between two vlans. Vlan10 is a DMZ and only accepts http traffic to the reverse proxy. VLAN4 is internal and only houses my webservers. Now I need to route data between the two VLANs to make the reverse proxy feature work. I know that VLANs as a standard do not route between each other without a router. My question is can the 3750 route the VLANs w/o a router and if so how? Also if this can be accomplished using the PIX that would be even better.

I have enabled ip routing and configured the VLANs with addresses. I can ping the VLANs from the switch but cannot ping VLAN10 from VLAN4 or VLAN4 from VLAN10 using the webservers. I used the sh ip route command and can see the routes.

This is what the environment looks like:

        PIX 506E
            |
        CISCO 3750
         /       \
    VLAN10      VLAN4
Question by:a_pereira
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17939157
>the 3750 route the VLANs w/o a router and if so how?
Yes. The 3750 is a full L3 switch:

interface vlan 10
  ip address 10.10.100.1 255.255.255.0
interface vlan 4
  ip address 192.168.104.1 255.255.255.0
interface vlan 1
  ip address 192.168.101.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.101.1  <== points to PIX

Servers in vlan 10 point to 10.10.100.1 (switch) as their default gateway
Users in vlan 4 point to 192.168.104.1 (switch) as their default gateway
Switch forwards everything else to PIX
(unless you have created a vlan interface on the PIX and are using it for all L3)
 
LVL 10

Accepted Solution

by: Sorenson (earned 1500 total points)
ID: 17939183
To enable the switch to do the routing:
after enabling routing on the Cisco 3750, set an IP address on each VLAN interface of the switch, and also set a default route on the switch to point to your PIX 506E
ip routing
int vlan 10
ip addr x.x.x.x x.x.x.x   (ip and subnet of vlan 10)
int vlan 4
ip addr y.y.y.y y.y.y.y  (ip and subnet of vlan 4)
ip route 0.0.0.0 0.0.0.0 z.z.z.z    (ip address of pix)

on the pix 506 add a route to the vlan that it does not reside on
ip route  x.x.x.x x.x.x.x y.y.y.y

also check to be sure you have a nat command and/or static commands to handle the new subnet

then change default gateways on equipment to point to the IP addresses on the 3750 switch. The switch will handle routing between the two subnets, and the PIX will know how to communicate with both


using the pix 506e
see this link:  http://www.experts-exchange.com/Networking/Q_21818768.html?query=pix+vlan+506&clearTAFilter=true
and http://www.experts-exchange.com/Networking/Q_21399915.html?query=pix+vlan+506&clearTAFilter=true


 

Author Comment

by:a_pereira
ID: 17940270
Do I need to enable routing on all of my switches (15) or just the switch I have the webserver and PIX connected to?
 

Author Comment

by:a_pereira
ID: 17941816
The PIX is the gateway of the Reverse Proxy. (PIX address 10.10.10.1)
Now I have tried both suggestions and can only ping from the switches and firewall as before. I still cannot ping from client machines. Not sure what I am doing wrong.

Changes made:

3750
interface Vlan4                                  (VLAN4 address on switch)
 ip address 10.10.4.1 255.255.255.0
!
interface Vlan10                                 (VLAN10 address on switch)
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 (pix address)

PIX
ip route 10.10.10.1 255.255.255.0 10.10.4.1 (route on PIX)
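As an added check that is not part of the thread: a small Python script, using only the standard ipaddress module, that validates static routes of the kind posted in the accepted answer and in the follow-up config above (the PIX interface name "inside" and the corrected PIX route are assumptions). Run against the PIX route as posted, it reports that the destination is the PIX's own host address rather than the VLAN4 network and that the next hop is not on the PIX's subnet, which is enough to break the return path from VLAN10 to VLAN4.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Device:
    """A router, L3 switch or firewall described by its addresses and static routes."""
    name: str
    interfaces: dict                              # interface name -> "address/prefixlen"
    routes: list = field(default_factory=list)    # (destination, next_hop) strings

def check_static_routes(dev):
    """Return a list of problems with dev's static routes (empty list means clean).

    A route must name a network (no host bits set under its mask) and its next hop
    must sit on one of dev's connected subnets without being dev's own address."""
    problems = []
    connected = [ipaddress.ip_interface(a) for a in dev.interfaces.values()]
    own_addrs = {i.ip for i in connected}
    for dest, next_hop in dev.routes:
        try:
            ipaddress.ip_network(dest, strict=True)
        except ValueError:
            net = ipaddress.ip_network(dest, strict=False)
            problems.append(f"{dev.name}: {dest} is a host address, did you mean {net}?")
        gw = ipaddress.ip_address(next_hop)
        if gw in own_addrs:
            problems.append(f"{dev.name}: next hop {gw} is one of its own addresses")
        elif not any(gw in i.network for i in connected):
            problems.append(f"{dev.name}: next hop {gw} is not on any connected subnet")
    return problems

def return_route_ok(firewall, switch, subnet):
    """True if firewall has a route covering subnet whose next hop is an address on switch."""
    target = ipaddress.ip_network(subnet)
    switch_addrs = {ipaddress.ip_interface(a).ip for a in switch.interfaces.values()}
    for dest, next_hop in firewall.routes:
        net = ipaddress.ip_network(dest, strict=False)
        if target.subnet_of(net) and ipaddress.ip_address(next_hop) in switch_addrs:
            return True
    return False

# Constructed from the addresses in the last comment; the PIX interface name "inside"
# is an assumption. PIX_AS_POSTED is the route as typed, PIX_CORRECTED what it should be.
SWITCH_3750 = Device("3750", {"Vlan4": "10.10.4.1/24", "Vlan10": "10.10.10.2/24"},
                     [("0.0.0.0/0", "10.10.10.1")])
PIX_AS_POSTED = Device("PIX", {"inside": "10.10.10.1/24"}, [("10.10.10.1/24", "10.10.4.1")])
PIX_CORRECTED = Device("PIX", {"inside": "10.10.10.1/24"}, [("10.10.4.0/24", "10.10.10.2")])
```

Calling check_static_routes on each device and return_route_ok(PIX, SWITCH_3750, "10.10.4.0/24") shows the posted PIX route failing both checks and the corrected one passing.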
