Solved

InterVLAN routing not Happening to Firewall Interface

Posted on 2009-05-16
Medium Priority
728 Views
Last Modified: 2012-06-27
Hi,
My management has asked me to add upcountry locations to the firewall through a Cisco 3560.
I have created two VLANs, each with an assigned pool of IP addresses. All the restrictions are handled at the firewall, hence I need to route the traffic from Loc A & B to the firewall.

I am able to reach from the default VLAN, but from the created VLAN, it is not reaching the destination.

The results are
NEWVENDSW#ping 172.30.100.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
NEWVENDSW#ping 172.30.100.100 source vlan 25

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.26.179.62
.....
Success rate is 0 percent (0/5)
NEWVENDSW#


Request help
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NEWVENDSW
!
enable password ********
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport access vlan 21
!
interface GigabitEthernet0/2
 switchport access vlan 21
!
interface GigabitEthernet0/3
switchport access vlan 25
!
interface GigabitEthernet0/4
switchport access vlan 25
!
interface GigabitEthernet0/5
switchport access vlan 26
!
interface GigabitEthernet0/6
switchport access vlan 26
!
interface GigabitEthernet0/7
!
.
.
.
.
.
.
.
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface Vlan1
 no ip address
!
interface Vlan21
 ip address 172.30.100.102 255.255.255.248
!
interface Vlan25
 description VENDOR-A-LOCATION
 ip address 10.0.0.10 255.255.255.192
!
interface Vlan26
 description VENDOR-B-LOCATION 
 ip address 10.0.0.20 255.255.255.192
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.100.100
 
ip http server
!
!
control-plane


Network-Proposed.jpg
0
Question by:vkraaman
14 Comments
 

Author Comment

by:vkraaman
ID: 24402640
I am getting the interface for the firewall, whether it is trunk or access. It is a Fortigate 200A.
0
 

Author Comment

by:vkraaman
ID: 24402645
Please help
0
 
LVL 4

Expert Comment

by:nasirsh
ID: 24402701
Your ping from vlan25 is not working because it isn't in the same network ID, and you have connected via an L2 switch. L2 switches do not support routing. Either connect all the networks to the 3560, including the OLD one, and then try to communicate with each other.
0
 
LVL 4

Expert Comment

by:nasirsh
ID: 24402718
Configure it for access port.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24402836
You have a couple things going on here:

interface Vlan25
 ip address 10.0.0.10 255.255.255.192
interface Vlan26
 ip address 10.0.0.20 255.255.255.192

Both of these layer 3 interfaces are in the same network. This will cause all sorts of weird behavior.

With a /26 mask, your valid IP addresses for the first subnet would be 10.0.0.1-62. The second subnet would have addresses 10.0.0.65-126.

I suggest fixing your IP addresses first.

Then you can move to the second problem. You're using a static default route on the 3560 to get to the firewall. The firewall, in turn, needs a route to the two new subnets that point to the 3560.
0
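The overlap Don Johnston points out is easy to miss by eye, so here is an added check (my example, not code from the thread) that parses the `interface VlanN` / `ip address` stanzas out of an IOS-style config, flags any two SVIs whose networks overlap, and prints the valid host range of each subnet. The two config snippets are constructed from the addresses posted in the question and in the author's revised config; only Python's standard `ipaddress` module is used.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the SVI stanzas as posted in the original question.
ORIGINAL_CONFIG = """
interface Vlan21
 ip address 172.30.100.102 255.255.255.248
!
interface Vlan25
 description VENDOR-A-LOCATION
 ip address 10.0.0.10 255.255.255.192
!
interface Vlan26
 description VENDOR-B-LOCATION
 ip address 10.0.0.20 255.255.255.192
!
"""

# Constructed sample: the same SVIs after the author's revision.
REVISED_CONFIG = """
interface Vlan21
 ip address 172.30.100.102 255.255.255.248
!
interface Vlan25
 ip address 10.0.0.62 255.255.255.192
!
interface Vlan26
 ip address 10.0.0.254 255.255.255.192
!
"""

_IFACE_RE = re.compile(r"^interface\s+(\S+)")
_ADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")


def parse_svis(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Return {interface name: IPv4Interface} for each 'ip address' line.
    An 'ip address' line is attributed to the most recent 'interface' stanza;
    a bare '!' closes the stanza, so addresses outside one are ignored."""
    svis: Dict[str, ipaddress.IPv4Interface] = {}
    current = None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.strip() == "!":
            current = None
            continue
        m = _ADDR_RE.match(line)
        if m and current:
            # IPv4Interface accepts the dotted-mask form "addr/mask".
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return svis


def overlapping_pairs(svis: Dict[str, ipaddress.IPv4Interface]) -> List[Tuple[str, str]]:
    """Every pair of interfaces whose connected networks overlap.
    Two SVIs on one box sharing a network is the misconfiguration in the thread."""
    names = sorted(svis)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if svis[a].network.overlaps(svis[b].network):
                pairs.append((a, b))
    return pairs


def host_range(iface: ipaddress.IPv4Interface) -> Tuple[str, str]:
    """First and last usable host address of the interface's network."""
    hosts = list(iface.network.hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("revised", REVISED_CONFIG)):
        svis = parse_svis(cfg)
        print(f"{label}: overlaps = {overlapping_pairs(svis)}")
        for name, iface in sorted(svis.items()):
            print(f"  {name}: {iface.network} hosts {host_range(iface)}")
```

Run it as-is and the original config reports `Vlan25`/`Vlan26` as overlapping while the revised one reports none; the host ranges printed for the /26s are the 10.0.0.1-62 and 10.0.0.193-254 ranges used later in the thread.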
 
LVL 7

Expert Comment

by:diepes
ID: 24405608
It looks workable.

FW -> connects to Gig 0/1 or 0/2  vlan 21 ?

Q: "I am getting the interface for Firewall whether it is trunk or in access. It is Fortigate 200A."
for 802.1Q trunk this would be correct, as vlan1 would be native vlan, connected to access port on 3650 vlan21.

Problem number one, your subnets overlap on vlan 25 and 26
These are in the same subnet 10.0.0.0 255.255.255.192
ip address 10.0.0.10 255.255.255.192
ip address 10.0.0.20 255.255.255.192

I would suggest you keep it simple and put each customer in its own Class C (255.255.255.0)
e.g
vlan25  10.0.25.1 255.255.255.0   -> Client use 10.0.25.10 -> 254 mask 255.255.255.0  
vlan26  10.0.26.1 255.255.255.0   -> Client use 10.0.26.10 -> 254 mask 255.255.255.0

Ensure you have routes on the FW pointing to the 3650 GW (172.30.100.102) for the client subnets
0
 
LVL 5

Expert Comment

by:devangshroff
ID: 24405776
vlan 2 and 3 in same subnet
check the return route in firewall,
add ip routing command in switch.
also check the trunk port
0
 

Author Comment

by:vkraaman
ID: 24409181
Thanks for your comments
As per suggestion
Vlan 25 10.0.0.10/26     Ip range from 10.0.0.1 to 10.0.0.62
Vlan 26 10.0.0.200/26   ip range from 10.0.0.193 to 10.0.0.254

Interface Vlan 25 IP: 10.0.0.62 255.255.255.192
Interface Vlan 26 IP: 10.0.0.254 255.255.255.192

!

New configuration


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NEWVENDSW
!
enable password ********
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport access vlan 21
!
interface GigabitEthernet0/2
 switchport access vlan 21
!
interface GigabitEthernet0/3
switchport access vlan 25
!
interface GigabitEthernet0/4
switchport access vlan 25
!
interface GigabitEthernet0/5
switchport access vlan 26
!
interface GigabitEthernet0/6
switchport access vlan 26
!
interface GigabitEthernet0/7
!
.
.
.
.
.
.
.
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface Vlan1
 no ip address
!
interface Vlan21
 ip address 172.30.100.102 255.255.255.248
!
interface Vlan25
 description VENDOR-A-LOCATION
 ip address 10.0.0.62 255.255.255.192
!
interface Vlan26
 description VENDOR-B-LOCATION
 ip address 10.0.0.254 255.255.255.192
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.100.100

ip http server
!
!
control-plane
!
!
!



Network-Proposed.jpg
0
 
LVL 7

Accepted Solution

by: diepes (earned 2000 total points)
ID: 24409312

Ok, next step is to ensure the FW knows it should route these subnets back to the 3560-L3-Switch.
You need routes for the 2 subnets or a route for all of 10.0.0.0/24 to the 3560.

On FW add routes
ip route 10.0.0.0/26 via 172.30.100.102
ip route 10.0.0.192/26 via 172.30.100.102

Now your pings from the switch should work to the FW for both interfaces.
0
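The accepted answer is really about asymmetric routing: the echo leaves the switch via its default route and reaches the firewall, but the firewall has no route back to 10.0.0.0/26, so its reply follows the default route upstream and the ping shows 0 percent. The following added example (mine, not from the thread or from any Fortinet tooling) models the firewall's table with a longest-prefix-match lookup and shows the reply path before and after the return routes are added. The 172.30.100.x addresses come from the thread; the upstream next hop is a constructed placeholder from the RFC 5737 documentation range.

```python
import ipaddress
from typing import List, Optional, Tuple

# From the thread: the 3560's VLAN21 SVI faces the firewall, and the
# firewall's inside address is the switch's default gateway.
SWITCH_VLAN21 = ipaddress.ip_address("172.30.100.102")
FIREWALL_INSIDE = ipaddress.ip_address("172.30.100.100")

# Placeholder upstream next hop (RFC 5737 documentation range, not from the thread).
UPSTREAM_PLACEHOLDER = ipaddress.ip_address("192.0.2.1")

# A route is (destination network, next hop); next hop None = directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]

# Constructed firewall table before the fix: the connected /29 and a default route.
FW_ROUTES_BEFORE: List[Route] = [
    (ipaddress.ip_network("172.30.100.96/29"), None),
    (ipaddress.ip_network("0.0.0.0/0"), UPSTREAM_PLACEHOLDER),
]


def lookup(routes: List[Route], dst) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose network contains dst."""
    dst = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def add_return_routes(routes: List[Route], subnets: List[str], via: str) -> List[Route]:
    """Return a new table with static routes for each subnet pointing at 'via'
    (the switch's VLAN21 address in this thread). Does not mutate the input."""
    return routes + [
        (ipaddress.ip_network(s), ipaddress.ip_address(via)) for s in subnets
    ]


def reply_next_hop(routes: List[Route], src) -> Optional[ipaddress.IPv4Address]:
    """Where the firewall forwards its echo reply: the next hop of the route
    matching the echo's source address (None means directly connected)."""
    match = lookup(routes, src)
    return match[1] if match else None


def reply_returns_to_switch(routes: List[Route], src) -> bool:
    """True when the reply is handed back to the 3560, i.e. the ping can succeed."""
    return reply_next_hop(routes, src) == SWITCH_VLAN21


if __name__ == "__main__":
    # The 'ping ... source vlan 25' in the thread uses the VLAN25 SVI as source.
    for src in ("172.30.100.102", "10.0.0.62", "10.0.0.254"):
        print(f"before: reply to {src} -> {reply_next_hop(FW_ROUTES_BEFORE, src)}")
    after = add_return_routes(
        FW_ROUTES_BEFORE, ["10.0.0.0/26", "10.0.0.192/26"], "172.30.100.102"
    )
    for src in ("10.0.0.62", "10.0.0.254"):
        print(f"after:  reply to {src} -> {reply_next_hop(after, src)}")
```

The same check covers the alternative diepes mentions, a single summary route for 10.0.0.0/24 to the switch: it is less specific than the two /26s but still more specific than the default, so the lookup returns the switch as next hop for any 10.0.0.x source. Routing-table audits of this kind (does every subnet behind an inside router have a return route more specific than the default?) are a cheap way to catch asymmetric paths before a stateful firewall starts dropping the half-seen sessions.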
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24410770
I still don't see a trunk from the 3560 to the Layer 2 switch.

On the 3560 use the "show int trunk" command to verify a trunk exists.

You'll also need a trunk between the Layer 2 switch and the Firewall.
0
 
LVL 5

Expert Comment

by:devangshroff
ID: 24410798
interface Vlan25
 description VENDOR-A-LOCATION
 ip address 10.0.0.62 255.255.255.192
!
interface Vlan26
 description VENDOR-B-LOCATION
 ip address 10.0.0.254 255.255.255.192

again subnet is same

0
 
LVL 5

Expert Comment

by:devangshroff
ID: 24410803
Please enter the IP routing command in the switch
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 24410833
>again subnet is same

10.0.0.62 and 10.0.0.254 are NOT in the same subnet.

These are both valid IP addresses for two different networks.
0
 

Author Closing Comment

by:vkraaman
ID: 31582222
Thanks, after adding the routes it started working fine.
0
