VLAN Routing Using Cisco switches

I have a network with 5 locations. 4 locations are running Xfinity Fiber EVPL for connecting sites together. For simplicity, let's call them:

1. Main site
2. 2nd site
3. 3rd site
4. 4th site

The EVPL fiber uses VLANs (C-TAGs) for routing between sites.

Main site = VLAN1
Main site wireless = VLAN101
2nd site = VLAN30
3rd site = VLAN40
4th site = VLAN50

All sites are OK to communicate with other sites. They are separated for routing purposes only, not segregation.

Sites 2-4 all have Cisco SG300 switches. The uplink ports on the switches that connect to the Ciena devices (fiber modem/routers) are tagged with the VLAN according to their site.

The Cienas are set up to route the 3 VLANs back to the main site. The Ciena at the main site is plugged into a Cisco RV325. This router has a 14-port Gigabit switch built in. The RV325 is set up as each network's gateway as such:

Main site =
MS wireless =
2nd site =
3rd site =
4th site =

4 network wires are plugged into the RV325. 1 is for WAN (for the internet). 1 is for EVPL (traffic to and from the 3 other sites). 1 is for the main site (local network that plugs into the first switch at the main site). 1 is for the wireless PoE switch (a switch that only wireless APs connect to; uplink port tagged). All 4 sites' internet traffic routes through the WAN at the main site.

At the main site everything is running on VLAN1 untagged except for the wireless switch. There are a total of 4 switches in the main site. 3 are Cisco SG300-52 and 1 is a Cisco SG200-8 (wireless). Let's call them:


So switch2 and switch3 are both plugged into switch1. Switch1 is plugged into RV325 untagged. WirelessSwitch is plugged into RV325 but it is tagged.

Right now everything is working fine. No dropped packets, no delays, it is great!

My question: So the client has decided they want to change the RV325 and put in something "better". More firewall features, SSL VPN, etc. I have been testing other products, but the problem I am having is the routing of the VLANs. Here is how I have to change the scenario.

Since other firewall solutions do not have 14-port switches built in, I have to move wires. Here is how I am wiring it:
On new firewall, WAN port goes to WAN. LAN port goes to switch1. The EVPL from the Ciena now plugs into switch1. The WirelessSwitch also plugs into switch1. Now everything is going through switch1 to get to the new firewall and I am not able to communicate to any other VLAN. Even the wireless will not work. The internet works fine so I know the new firewall is setup semi-correctly at least.

Do I need to change the setup on switch1 somehow? I thought it would pass all tagged traffic no matter the VLAN, and the firewall/router would handle the rest. This isn't working, so clearly my thought process is flawed. Should I change switch1 to layer 3 and let it handle the routing of the VLANs? If so, would I set up the gateway IPs on switch1 or the new firewall?

Any help would be appreciated.
Darrell Porter (Enterprise Business Process Architect) commented:
All of those fine IP addresses you currently have set on the RV325 will need to be moved to Switch 1.

A new network will need to be defined on Switch 1 and the RV325 for traffic transitioning between the internal network and the Internet.

The default gateway for Switch 1 will need to point to the RV325.

Each remote switch should not need to be changed if their default gateway is currently set to the VLAN-specific IP address of the RV325, which will transition to Switch 1 once it gets properly configured.

The RV325 will have a default route pointed to the Ciena and static routes defined for the internal networks, all of which will point to the IP address of Switch 1 on the new network you're going to define between the RV325 and Switch 1.

Before even beginning any of this work, make absolutely sure you have backups of EVERY switch at the local and remote locations and the RV325.

You will be changing nothing on the Ciena, and those are likely managed by your service provider in any event, so you need not worry about these other than to ensure the physical connections to the Ciena actually relate to the type of traffic (Internet or internal) being routed. The configuration of the RV325 will tell you how this is actually happening.
Darrell Porter (Enterprise Business Process Architect) commented:
Have you enabled IP routing on Switch 1 via the config mode command IP Routing?
Have you changed Switch 1's system mode to Layer 3?
Are you running the latest firmware on the switch to ensure you have a full-featured Command Line Interface (CLI) ?
Bryant Schaper commented:
Yes, switch1 will need to have routing and point the default route to the firewall.

A diagram could help, new vs. old. But your remote sites more than likely just have their router pointing the route to the main office router, or to the carrier network who moves it along to your main office. But now that the internet is on another IP/VLAN, whatever, you need to tell switch1 where it can find it. If it was a Cisco router it would be something like

ip route

assuming is the new firewall.
Luuker (Author) commented:
Right now I do not think switch1 has the most recent update. It is also running in layer2 mode. I have not done command configuring to the switches before using CLI so I am not sure if they are functional or not. Is there a way to do it using the GUI?
Bryant Schaper commented:
You may have to be in layer 3 mode; however, it will clear out the existing config when you switch it, so have a backup and plan accordingly. Once you are in layer 3 it will probably have options to manage the route table.
Darrell Porter (Enterprise Business Process Architect) commented:
The switch will 0) need to have the existing configuration backed up in a safe location you can access even if the network is down, 1) need to be updated to the latest firmware, 2) must be in layer 3 mode to perform routing (it has, from your description, now become the core router).

Routing can certainly be configured from the GUI, but if memory serves (I almost never use the GUI), the GUI, depending upon version, does not let you alter the layer capabilities nor enable routing - these two will have to be done from the CLI.

If you are more familiar with the GUI, I would HIGHLY recommend you create your configuration in the GUI and then dump it to a text file, step by step, so you can see what CLI commands are being put in place when you perform a particular change on the GUI. This will improve your skills with this class of switch and help you more accurately and quickly troubleshoot issues when they arise.
Luuker (Author) commented:
I put together some quick rough Visio maps. Here is what we are using now.
[Image: Current functioning layout]
This is the way I changed the wiring for the test.
[Image: Setup as tested]
From the main site the internet works, but I am unable to ping any other network. I am also not able to ping wireless. From the other sites, they are not able to ping the main site or surf the web at all. I hope these images help my description.
Luuker (Author) commented:
So what you're telling me is that where the RV325 is routing everything right now, Switch1 at the main site will control the routing when the wiring is changed. Makes sense, since everything is connected to it. So my question then becomes, where do I set the gateway addresses for each VLAN? Do I set them on the new firewall like it is now, or do I need to set those addresses on Switch1?

So a switch will not just "pass" tagged packets from a VLAN it does not belong to? I thought Switch1 would simply pass all tagged packets to the new firewall and let routing take place there using the gateway addresses. Based on the lack of traffic throughput, my thought processes were clearly incorrect.
Ian Arakel (Network Lead: Data and Security) commented:
Hi There,

The reason why the experts are asking you to transition the L2 switch to an L3 role is so that you define the respective VLAN gateways on the switch using SVIs, since the RV325 is moving out.
The switch would have the routes to reach all its defined SVIs.
The default path for the switch would be the firewall, to route anything apart from its connected networks (or networks learnt via routing protocols) to the firewall.
This should address the concern.

The link below will guide you in changing to L3 mode:
Luuker (Author) commented:
I have another firewall and I found a Cisco SG300-10 that were not being used. I can configure these devices as seen in this drawing. Switch the firewall and switch with new devices for this test. That way all I have to do is switch the wires from one set of devices to the other without changing configurations on either of them.

So I have updated the firmware on the switch and converted it to a layer 3 device. I have configured the VLANs on it as well as set up all the IPs for the VLAN gateways. Here is what I have set up right now:

What IP should be set on the firewall? Do I use a separate subnet between the switch and the firewall for internet traffic?
Darrell Porter (Enterprise Business Process Architect) commented:
Create a new IP subnet, for example, for the SG300-10 and for the firewall. Assign them a currently-unused VLAN ID - 999 or 254, for example. Only permit traffic on this VLAN on the two ports. Require the traffic to be tagged and configure both devices' ports to discard all untagged traffic for all traffic on the segment between the switch and the firewall.

This may seem complex, but it will help to prevent leakage and unauthorized devices on the network between the switch and the firewall.
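An added example (not configuration from the thread) that puts Ian's SVI/default-route explanation and Darrell's tagged transit-VLAN answer into one SG300 configuration. Every address (192.168.x.0/24, 10.255.255.0/30) and port number (gi1..gi3) is a constructed placeholder, since the thread's real addresses are not on the page; `set system mode router` and `switchport trunk native vlan none` are assumed from the SG300 CLI and differ from IOS.

```cisco
! Added example (not from the thread): the SG300 L3 configuration the answers
! describe. All addresses (192.168.x.0/24, 10.255.255.0/30) and port numbers
! (gi1..gi3) are constructed placeholders; the real addresses are not on the page.
!
! 1) Leave L2 mode. On the SG300 this is a privileged-EXEC command that reboots
!    the switch and clears the running config, so back it up first.
set system mode router
!
! 2) VLANs: the three EVPL site tags, the wireless VLAN, and a transit VLAN (999)
!    that exists only on the cable between switch1 and the firewall.
vlan database
 vlan 30,40,50,101,999
exit
!
! 3) The gateway addresses leave the RV325 and become SVIs on the switch.
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
interface vlan 30
 ip address 192.168.30.1 255.255.255.0
interface vlan 40
 ip address 192.168.40.1 255.255.255.0
interface vlan 50
 ip address 192.168.50.1 255.255.255.0
interface vlan 101
 ip address 192.168.101.1 255.255.255.0
!
! 4) Transit link to the firewall: a /30 carried tagged in VLAN 999 only, with
!    no native VLAN so untagged frames from a stray device are discarded.
interface vlan 999
 ip address 10.255.255.1 255.255.255.252
interface gi1
 description to-firewall
 switchport mode trunk
 switchport trunk allowed vlan add 999
 switchport trunk native vlan none
!
! 5) EVPL uplink to the Ciena carries the three remote-site VLANs tagged;
!    the wireless switch uplink carries VLAN 101 tagged.
interface gi2
 switchport mode trunk
 switchport trunk allowed vlan add 30,40,50
interface gi3
 switchport mode trunk
 switchport trunk allowed vlan add 101
!
! 6) Only the Internet is unknown to the switch, so the default route points at
!    the firewall's transit address; the firewall needs static routes for each
!    192.168.x.0/24 back to 10.255.255.1 (and its LAN interface on 10.255.255.2).
ip route 0.0.0.0 0.0.0.0 10.255.255.2
```

Verify after the reboot with `show ip route` and `show ip interface` on the switch: each SVI should be up and the only route pointing off-box should be the default toward 10.255.255.2.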
Luuker (Author) commented:
Worked perfectly! Setting the new VLAN from the switch to the firewall was a little more complicated due to the gateway settings being removed once the switch went to layer 3, but the rest was spot on.