VLAN on Cisco 3560G Switch

sg2009
I am trying to do the setup as shown. It seems very simple but somehow it's not working. Can you please check my configuration and suggest what else I need to do? I can ping inter-VLAN but it says "Destination Host Unreachable" when I try to ping 192.168.3.1 or the internet. Do I have to do anything on the firewall as well? Please check my setup and configuration and let me know any changes. I will highly appreciate your step-by-step detailed guidance.
Lab_Test_Setup#sh run
Building configuration...
no aaa new-model
vtp domain Cisco
vtp mode transparent
ip subnet-zero
ip routing
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 4-10,100
!
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/11
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/12
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/17
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/18
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/19
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/20
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/21
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/22
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/23
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/24
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/25
 switchport access vlan 5
 switchport mode access
!
interface GigabitEthernet0/26
 switchport access vlan 6
 switchport mode access
!
interface GigabitEthernet0/27
 switchport access vlan 6
 switchport mode access
!
interface GigabitEthernet0/28
 switchport access vlan 6
 switchport mode access
!
interface GigabitEthernet0/29
 switchport access vlan 6
 switchport mode access
!
interface GigabitEthernet0/30
 switchport access vlan 6
 switchport mode access
!
interface GigabitEthernet0/31
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/32
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/33
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/34
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/35
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/36
 switchport access vlan 8
 switchport mode access
!
interface GigabitEthernet0/37
 switchport access vlan 8
 switchport mode access
!
interface GigabitEthernet0/38
 switchport access vlan 8
 switchport mode access
!
interface GigabitEthernet0/39
 switchport access vlan 8
 switchport mode access
!
interface GigabitEthernet0/40
 switchport access vlan 9
 switchport mode access
!
interface GigabitEthernet0/41
 switchport access vlan 9
 switchport mode access
!
interface GigabitEthernet0/42
 switchport access vlan 9
 switchport mode access
!
interface GigabitEthernet0/43
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/44
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/45
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/46
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/47
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/48
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/49
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/50
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/51
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/52
 switchport access vlan 10
 switchport mode access
!
interface Vlan1
 no ip address
!
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan7
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan8
 ip address 192.168.8.1 255.255.255.0
!
interface Vlan9
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
ip default-gateway 192.168.3.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 no login
line vty 5 15
 password cisco
 no login
!
end

vlan-firewall.JPG
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,
There is no VLAN to connect directly to 192.168.3.0/24; that is the problem!
Your default gateway IP address must be in the same network as a connected interface. You have to create a VLAN interface for the 192.168.3.0 network on the 3560 switch.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
For example:

create vlan 3

int vlan 3
 ip address 192.168.3.2 255.255.255.0

or

at the connected port to firewall:
no switchport
 ip address 192.168.3.2 255.255.255.0

Best Regards,
Istvan

Instructor
Top Expert 2015
Commented:
Insufficient information to know for certain, but I'll go out on a limb and say the switch doesn't have a layer 3 connection to the firewall (you don't have a 192.168.3.0 address on the switch).

Whichever interface connects to the firewall needs the following config:

int g0/x
 no switchport
 ip address 192.168.3.2 255.255.255.0
 no shut

Then you'll have to deal with routes. Since you're not running a routing protocol on the 3560, you'll need static routes on the firewall. i.e.:

ip route 192.168.4.0 255.255.255.0 192.168.3.2
ip route 192.168.5.0 255.255.255.0 192.168.3.2
 

Author

Commented:
Hi Experts, thanks for your suggestions. I don't want to disconnect the firewall and try it before it actually works. So, I have connected a router which will act as a gateway. Now, I can ping 192.168.3.1 but it says "Reply from 192.168.3.1: TTL expired in transit" when I try to ping inter-VLAN. I cannot ping from the router to the VLANs. Please see my router config below:

c2811#sh run
Building configuration...
hostname c2811
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.23.200.137 255.255.254.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip default-gateway 172.23.200.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.23.200.1
ip route 192.168.4.0 255.255.255.0 192.168.3.2
ip route 192.168.5.0 255.255.255.0 192.168.3.2
ip route 192.168.6.0 255.255.255.0 192.168.3.2
ip route 192.168.7.0 255.255.255.0 192.168.3.2
ip route 192.168.8.0 255.255.255.0 192.168.3.2
ip route 192.168.10.0 255.255.255.0 192.168.3.2
!
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
END
Istvan Kalmar, Head of IT Security Division
Top Expert 2010
Commented:
Try my solution:

For example:

create vlan 3

int vlan 3
 ip address 192.168.3.2 255.255.255.0

or

at the connected port to firewall:
no switchport
 ip address 192.168.3.2 255.255.255.0

Best Regards,
Istvan

Don Johnston, Instructor
Top Expert 2015

Commented:
You don't have to disconnect the firewall. But you MUST have a connection to it at layers 1 - 3. Just do as I said in post # 24902946 and it will work.
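
Added example, not part of the original thread: a Python check of the two points the answers raise, that a static route's next hop must sit on a directly connected subnet and that the upstream device needs a return route for every VLAN subnet. The config strings are excerpts rebuilt from the configs posted above (interface addresses and static routes only), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpts of the posted configs: SVIs Vlan4-Vlan10 plus the default route.
SWITCH_CFG = "".join(
    f"interface Vlan{n}\n ip address 192.168.{n}.1 255.255.255.0\n" for n in range(4, 11)
) + "ip route 0.0.0.0 0.0.0.0 192.168.3.1\n"
ROUTER_CFG = (
    "interface FastEthernet0/0\n ip address 192.168.3.1 255.255.255.0\n"
    "interface FastEthernet0/1\n ip address 172.23.200.137 255.255.254.0\n"
    "ip route 0.0.0.0 0.0.0.0 172.23.200.1\n"
    + "".join(f"ip route 192.168.{n}.0 255.255.255.0 192.168.3.2\n" for n in (4, 5, 6, 7, 8, 10))
)

ADDR = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)   # skips "no ip address"
ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)\s*$", re.M)


def connected(cfg):
    """Subnets the device is directly attached to, one per 'ip address' line."""
    return [ipaddress.ip_interface(f"{a}/{m}").network for a, m in ADDR.findall(cfg)]


def routes(cfg):
    """Static routes as (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(f"{p}/{m}"), ipaddress.ip_address(nh))
            for p, m, nh in ROUTE.findall(cfg)]


def unreachable_next_hops(cfg):
    """Static routes whose next hop is not inside any connected subnet."""
    nets = connected(cfg)
    return [(str(p), str(nh)) for p, nh in routes(cfg)
            if not any(nh in n for n in nets)]


def missing_return_routes(inner_cfg, outer_cfg):
    """Inner-device subnets the outer device reaches only via its default route."""
    known = connected(outer_cfg) + [p for p, _ in routes(outer_cfg) if p.prefixlen > 0]
    return [str(n) for n in connected(inner_cfg)
            if not any(n.subnet_of(k) for k in known)]


if __name__ == "__main__":
    print("switch:", unreachable_next_hops(SWITCH_CFG))
    print("router:", unreachable_next_hops(ROUTER_CFG))
    print("no return route:", missing_return_routes(SWITCH_CFG, ROUTER_CFG))
```

On the posted configs this flags the switch's default route via 192.168.3.1 and reports that the router has no specific route for 192.168.9.0/24.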
