georgeong22

CISCO 3560G switches: allow Internet gateway access across 2 separate VLANs
Hi Guys,

I have 2 CISCO 3560 switches on which I need to configure 2 separate VLANs.
I have configured an 802.1q trunk for the connection between these 2 switches.
I have configured 3560 sw1 as follows:

Building configuration...

Current configuration : 3540 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
no aaa new-model
!
ip subnet-zero
ip routing
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/5
 switchport access vlan 5
!
interface Vlan1
 ip address 10.102.1.1 255.255.255.0
!
interface Vlan5
 ip address 10.102.2.1 255.255.255.0
!
interface GigabitEthernet0/52
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.102.1.254

The config for 3560 sw2 only enables one of the ports for VLAN 5, as follows:
!
interface GigabitEthernet0/5
 switchport access vlan 5
!

My biggest problem is enabling internet access for users on VLAN 5.
As shown in the 3560 sw1 config, our gateway is 10.102.1.254.
Users on VLAN 5 can access each other's machines and the server across the 2 3560 switches.
But they can't access the internet through the gateway on VLAN 1.
Is there any special routing rule to add in Cisco IOS to allow access to the gateway but at the same time prevent users on the two VLANs from communicating with each other?

Cheers





logic2

My guess is that you should have a router with 2 subinterfaces, one in each VLAN range, and the default gateway for the machines should be the FastEthernet subinterface. That way they could access the internet through the router, and the router would do the inter-VLAN routing.

georgeong22 (ASKER)

Hi Logic2,

No. We do not have a router with 2 subinterfaces in each VLAN range.

We only have the default gateway (physically connected to 3560 sw1), which is 10.102.1.254, as shown in the config file for 3560 sw1.

Both 3560G switches are connected via a Gigabit link (802.1q trunk).

Is there any other way than installing a router, as the CISCO 3560 is also a Layer 3 switch?
I was thinking that I have missed out certain configuration in order for the routing to function.

Cheers

If it is a layer 3 switch then I guess we won't need a router.
Let me check more and I'll get back to you later today.

mikecr

You need to do a "show ver" on the switch to see if it's running the SMI or EMI image. If it's running EMI, you can turn on IP routing and that will fix your problem. If you're running SMI, then you need to find an alternative or upgrade to the EMI image.

If you have the EMI image installed, you need to put in a default route and issue the command "ip routing", which will turn on routing on the switch.

Don Johnston

Do the PCs on VLAN 5 have their default gateway set to 10.102.2.1?

Not that it matters, but why do you have an etherchannel with only one port?

mikecr

I just looked in your config and ip routing is already turned on. The users on VLAN 5 should have a gateway IP of 10.102.2.1 according to your config, correct? Can they ping the IP of VLAN 1? If they can, can they ping the default route on the switch, 10.102.1.254? If they can, then you're running into a problem with what is on the other side of your gateway not having a route back to your 10.102.2.0 network.

Your VLAN 5 users cannot access the internet because you don't have a return path for users in VLAN 5.

To fix this, you should divide your allocated subnet into 10.102.1.0/25 and 10.102.1.128/25.

ASKER CERTIFIED SOLUTION
predragpetrovic


Hi,

Sorry for the late reply.

The sh version command results:

3560-48-IDF#sh version
Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 14:19 by yenanh

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SE1, RELEASE SOFTWARE (fc)

3560-48-IDF uptime is 5 weeks, 2 hours, 43 minutes
System returned to ROM by power-on
System image file is "flash:c3560-ipbase-mz.122-25.SEB4/c3560-ipbase-mz.122-25.SEB4.bin"

cisco WS-C3560G-48TS (PowerPC405) processor (revision C0) with 118784K/12280K bytes of memory.
Processor board ID FOC1035Z691
Last reset from power-on
4 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.



Hi Predragpetrovic,

I have configured the 3560 SW1 as follows:

Building configuration...

Current configuration : 3540 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
no aaa new-model
!
ip subnet-zero
ip routing
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/5
 switchport access vlan 5
!
interface Vlan1
 ip address 10.102.1.1 255.255.255.0
!
interface Vlan5
 ip address 10.102.2.1 255.255.255.0
!
interface GigabitEthernet0/51
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet0/52
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.102.1.254


The config for 3560 SW2 only enables one of the ports for VLAN 5 (Server), as follows:

!
interface GigabitEthernet0/5
 switchport access vlan 5
!

I have set the user workstations to point to 10.102.2.1 (VLAN 5) as their gateway.
But the users on 3560 SW1 and the server on 3560 SW2 are still unable to surf the internet.

We have a Check Point appliance as our gateway firewall; could that affect the routing?
Will we need to create any special routing on the Check Point?

From the 3560 SW1 console, I can ping machines on both subnets, including the gateway on VLAN 1.
But user machines on VLAN 5 are unable to ping the gateway on VLAN 1.

Cheers,





Believe me, just changing your IP addressing scheme to 10.102.1.0/25 and 10.102.1.128/25 will fix your problem.



Let me explain what's wrong with your configuration:

You're allocated one subnet, 10.102.1.0/24. So when you try to use 10.102.2.0/24, your gateway doesn't recognize this subnet and simply ignores packets from this network.

The only solution is to change your IP addressing scheme. You must divide your allocated IP address range into 2 parts. You cannot use another subnet.

Let's say you have 1 client in VLAN 5. This client has IP address 10.102.2.3, for example.

When this client wants to reach the internet, it sends the IP packet to its default gateway, which is 10.102.2.1.

Then your multilayer switch looks up the routing table and finds the static route 0.0.0.0 0.0.0.0 10.102.1.254.

This next hop is on VLAN 1. So it forwards the packet from VLAN 5 to VLAN 1, with destination 10.102.1.254.

If the security settings are loose, the gateway at 10.102.1.254 forwards the packet to the internet.

If the security settings on the gateway are strict, it will drop all packets from 10.102.2.0/24, because your gateway knows that it is connected to 10.102.1.0/24 and it doesn't know about 10.102.2.0/24. It could then treat a packet from 10.102.2.0/24 as a fake packet, an attack from the internet, ... an invalid source IP address.

From the gateway's perspective, 10.102.2.0/24 is invalid. So when a packet from the outside world wants to reach 10.102.2.0/24, the gateway just sends it to its default route, usually null0, which means that your packet will be discarded.
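The forwarding walk-through above can be checked mechanically. The following Python script is an added example, not code from the thread or from any of the participants: it models the switch's routing table and the gateway's routing table as longest-prefix-match tables reconstructed from the configs quoted in the thread, then traces a VLAN 5 client's packet out to the internet and the reply back. It reproduces both failure modes described above (a loose gateway that forwards the packet but has no return route, and a strict gateway that drops the unknown source on ingress) and both fixes discussed in the thread (a return route on the gateway, and renumbering VLAN 5 into 10.102.1.128/25). The route entries, the "internet"/"connected" labels and the destination 203.0.113.10 (a TEST-NET-3 placeholder) are constructed for the example.

```python
import ipaddress

# Routing tables reconstructed from the configs quoted in the thread (constructed
# model, not device output). Entries are (prefix, next_hop); "connected" means a
# directly attached interface, "internet" is the gateway's upstream link.
SWITCH_ROUTES = [
    ("10.102.1.0/24", "connected"),   # interface Vlan1, 10.102.1.1/24
    ("10.102.2.0/24", "connected"),   # interface Vlan5, 10.102.2.1/24
    ("0.0.0.0/0", "10.102.1.254"),    # ip route 0.0.0.0 0.0.0.0 10.102.1.254
]

# The gateway at 10.102.1.254 as delivered: it knows only the one allocated /24.
GATEWAY_ROUTES_BEFORE = [
    ("10.102.1.0/24", "connected"),
    ("0.0.0.0/0", "internet"),
]

# The gateway after its owners add a return route for the VLAN 5 subnet via the
# switch's VLAN 1 address (the change that eventually resolved the thread).
GATEWAY_ROUTES_AFTER = GATEWAY_ROUTES_BEFORE + [("10.102.2.0/24", "10.102.1.1")]

DEFAULT_ROUTE = "0.0.0.0/0"


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def source_known(routes, src):
    """Strict-gateway ingress check (modelled as reverse-path filtering): the source
    must fall inside some route other than the default."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p, _ in routes if p != DEFAULT_ROUTE)


def simulate(client, gateway_routes, strict=False, dst="203.0.113.10"):
    """Trace one packet from client to dst and the reply back; return an outcome string."""
    # 1. The client hands the packet to the switch SVI; the switch matches only the
    #    default route and forwards toward 10.102.1.254 on VLAN 1.
    if lookup(SWITCH_ROUTES, dst) != "10.102.1.254":
        return "no route on switch"
    # 2. A strict gateway drops packets whose source subnet it has no route for.
    if strict and not source_known(gateway_routes, client):
        return "dropped by gateway: unknown source subnet"
    # 3. A loose gateway forwards the packet upstream regardless of source.
    if lookup(gateway_routes, dst) != "internet":
        return "gateway has no path to the internet"
    # 4. The reply reaches the gateway, which must now route it back to the client.
    reply_hop = lookup(gateway_routes, client)
    if reply_hop is None or reply_hop == "internet":
        return "reply lost: gateway has no return route to " + client
    return "ok via " + reply_hop


if __name__ == "__main__":
    cases = [
        ("10.102.2.3", GATEWAY_ROUTES_BEFORE, False),  # loose gateway, no return route
        ("10.102.2.3", GATEWAY_ROUTES_BEFORE, True),   # strict gateway
        ("10.102.2.3", GATEWAY_ROUTES_AFTER, True),    # return route added on gateway
        ("10.102.1.130", GATEWAY_ROUTES_BEFORE, True), # VLAN 5 renumbered into 10.102.1.128/25
    ]
    for client, table, strict in cases:
        print(client, "strict" if strict else "loose", "->", simulate(client, table, strict))
```

The last case shows why the /25 renumbering works without touching the gateway: 10.102.1.130 still matches the gateway's own connected /24, so both the ingress check and the reply lookup succeed. In a real network that path additionally relies on the switch answering ARP on the gateway's behalf for the hosts in 10.102.1.128/25 (proxy ARP, which IOS enables by default on routed interfaces), since the gateway believes those hosts are on its own segment; a model this simple does not capture that, which is a good reason to confirm with the pings mikecr suggested rather than trust the table lookup alone.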






Don Johnston

Can any device on either switch access the internet?

SOLUTION
mikecr


@mikecr: Oh sorry, I forgot to say. I assume that we cannot add a return route to our new subnet because the gateway is not under our control.

If we can add a return route, that would be great.




mikecr

That's probably why it's not working: your gateway doesn't know how to get back to that network. Check with whoever takes care of it, let them know of your new subnet, and have them check their configuration to allow access.

Hi Predragpetrovic & mikecr,

Thanks for your help & suggestions.
The problem is resolved.

We got the guys in charge of the gateways to add the new network into the gateway appliance config & allow the new VLAN 5 subnet to access the internet.
And now we are able to surf the internet from the new VLAN 5 network.
Also, both VLAN 1 & VLAN 5 users are unable to access each other's network, which was what we wanted to achieve.

I will divide the points between the both of you guys.

Predragpetrovic for giving us the correct configuration method and solution (Vlan Config).

Mikecr for guiding us on the correct path to troubleshoot the issues (Gateway policy).

Cheers!
