Multiple switch vlan routing, almost there!

Hello,
I'm hoping this is a blatantly obvious issue, but we all know how late night thinking tends to be fairly foggy!
Anyway, I have 3 3400cl HP switches and a 2610 Poe switch.  One of the 3400's is acting as the core, with the other 3 switches lacp trunked into it.
Currently trying to get vlan 40 traffic properly routed for internet access.  This is a leap into vlan configs, so the existing domain traffic is still on vlan 1 (yes I know, not ideal).
The config so far successfully allows clients on vlan 40 to receive DHCP addresses via the ip helper, but no access to internet sites. I can resolve a DNS address, but just can't see any hops beyond the vlan 40 IP.
Two other points if anyone wishes to comment:
The HP 2610 is slotted to be replaced with a Cisco 3750 Poe switch. Any comments on making Cisco and HP play nicely together?
And second, if anyone wants to suggest best practice words of wisdom for migrating existing services into a more detailed vlan setup, please type away!
Here is the config:  The 'lower' named switch will mirror the 3rd 3400 so I didn't see the need to include that one.
hostname "NHB-Core"
interface 19
   no lacp
exit
interface 20
   no lacp
exit
interface 21
   no lacp
exit
interface 22
   no lacp
exit
interface 23
   no lacp
exit
interface 24
   no lacp
exit
trunk 19-20 Trk1 LACP
trunk 21-22 Trk2 LACP
trunk 23-24 Trk3 LACP
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-18,Trk1-Trk3
   ip address 10.10.4.59 255.255.255.0
   exit
vlan 40
   name "VLAN40"
   ip address 10.10.10.1 255.255.255.0
   ip helper-address 10.10.4.29
   tagged Trk1-Trk3
   exit
ip route 0.0.0.0 0.0.0.0 10.10.4.98
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
hostname "NHB-Poe"
trunk 25-26 Trk1 LACP
ip default-gateway 10.10.4.59
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1,3-24,27-28,Trk1
   ip address 10.10.4.62 255.255.255.0
   no untagged 2
   exit
vlan 40
   name "VLAN40"
   untagged 2
   tagged Trk1
   exit
spanning-tree Trk1 priority 4
hostname "NHB-lower"
interface 23
   no lacp
exit
interface 24
   no lacp
exit
trunk 23-24 Trk1 LACP
ip default-gateway 10.10.4.59
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-22,Trk1
   ip address dhcp-bootp
   exit
vlan 40
   name "VLAN40"
   tagged Trk1
   exit
spanning-tree Trk1 priority 4
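As an added example (not part of the original post or of HP's reply), the Python below parses ProCurve dumps in the concatenated form shown above, pulls out each switch's VLAN interfaces, default route and SNMP communities, and runs two checks a reviewer would want. The first lists switches that still carry a writable SNMP community (in ProCurve syntax `Unrestricted` is read-write, and `public` is the well-known default name). The second, for the routing core, lists the connected subnets that the device at the default route (10.10.4.98) can only reach if it has a route back via the core's VLAN 1 address; a missing return route is a common cause of "DHCP works but nothing beyond the gateway", but whether that is the case here is not stated on the page, so the script only reports what the upstream device would need. The sample dump is an excerpt of the posted configs; the class and function names are mine.

```python
"""Added example, not from the original post: parse ProCurve config dumps and
run two review checks. SAMPLE_DUMP is an excerpt of the posted configs."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Excerpt of the NHB-Core and NHB-Poe configs, concatenated exactly as in the post.
SAMPLE_DUMP = """\
hostname "NHB-Core"
trunk 19-20 Trk1 LACP
ip routing
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-18,Trk1-Trk3
   ip address 10.10.4.59 255.255.255.0
   exit
vlan 40
   name "VLAN40"
   ip address 10.10.10.1 255.255.255.0
   ip helper-address 10.10.4.29
   tagged Trk1-Trk3
   exit
ip route 0.0.0.0 0.0.0.0 10.10.4.98
hostname "NHB-Poe"
trunk 25-26 Trk1 LACP
ip default-gateway 10.10.4.59
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1,3-24,27-28,Trk1
   ip address 10.10.4.62 255.255.255.0
   no untagged 2
   exit
vlan 40
   name "VLAN40"
   untagged 2
   tagged Trk1
   exit
"""


@dataclass
class Vlan:
    vid: int
    svi: ipaddress.IPv4Interface | None = None      # address/mask configured on the VLAN
    helpers: list[str] = field(default_factory=list)


@dataclass
class Switch:
    hostname: str
    routing: bool = False                            # 'ip routing' present
    default_next_hop: str | None = None              # from 'ip route 0.0.0.0 0.0.0.0 <nh>'
    snmp: list[tuple[str, str]] = field(default_factory=list)  # (community, access)
    vlans: dict[int, Vlan] = field(default_factory=dict)


HOSTNAME = re.compile(r'^hostname "([^"]+)"$')
SNMP = re.compile(r'^snmp-server community "([^"]+)"\s*(\S*)')
VLAN = re.compile(r'^vlan (\d+)$')
IPADDR = re.compile(r'^ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$')
HELPER = re.compile(r'^ip helper-address (\S+)$')
DEFROUTE = re.compile(r'^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$')


def parse_procurve(dump: str) -> list[Switch]:
    """One Switch per 'hostname' line; only routing-relevant lines are kept,
    trunk and spanning-tree lines are ignored."""
    switches: list[Switch] = []
    sw: Switch | None = None
    vlan: Vlan | None = None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := HOSTNAME.match(line):
            sw = Switch(m.group(1))
            switches.append(sw)
            vlan = None
        elif sw is None:
            continue
        elif m := VLAN.match(line):
            vlan = sw.vlans.setdefault(int(m.group(1)), Vlan(int(m.group(1))))
        elif line == "exit":
            vlan = None
        elif line == "ip routing":
            sw.routing = True
        elif m := SNMP.match(line):
            sw.snmp.append((m.group(1), m.group(2) or "default"))
        elif m := DEFROUTE.match(line):
            sw.default_next_hop = m.group(1)
        elif vlan and (m := IPADDR.match(line)):
            vlan.svi = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif vlan and (m := HELPER.match(line)):
            vlan.helpers.append(m.group(1))
    return switches


def writable_snmp(switches: list[Switch]) -> list[tuple[str, str]]:
    """(hostname, community) pairs granting SNMP write access: 'Unrestricted'
    is read-write in ProCurve syntax."""
    return [(s.hostname, name) for s in switches
            for name, access in s.snmp if access.lower() == "unrestricted"]


def return_routes_needed(sw: Switch) -> list[tuple[str, str]]:
    """For a routing switch with a default route: every connected subnet other
    than the uplink subnet, paired with this switch's address on the uplink.
    The device at the default next hop needs a route for each subnet to that
    address, or replies from beyond it have no way back."""
    if not (sw.routing and sw.default_next_hop):
        return []
    nh = ipaddress.IPv4Address(sw.default_next_hop)
    svis = [v.svi for v in sw.vlans.values() if v.svi is not None]
    uplink = next((s for s in svis if nh in s.network), None)
    if uplink is None:            # next hop not on any connected subnet: misconfigured
        return []
    return [(str(s.network), str(uplink.ip)) for s in svis if s is not uplink]


def report(dump: str) -> dict[str, list]:
    switches = parse_procurve(dump)
    return {
        "writable_snmp": writable_snmp(switches),
        "return_routes": [(s.hostname, *pair)
                          for s in switches for pair in return_routes_needed(s)],
    }


if __name__ == "__main__":
    for key, rows in report(SAMPLE_DUMP).items():
        print(key)
        for row in rows:
            print("   ", *row)
```

Run it on the full dump by replacing `SAMPLE_DUMP`; the return-route check prints the subnet and next-hop pair to look for in the upstream router's table, and the SNMP check is worth acting on before the management VLAN is reachable from more places.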

I am sorry, but to get your issue more exposure, I would suggest posting it in the commercial forums, since this is a commercial product. You can click here for the link.
TwoPointOh
I work on behalf of HP

Similar Messages

  • Switch VLANs/Routing

    I'm interested in best practice design for the following:
    lan1 --- switch1 --(g1/0/28)-- GigaMAN Link --(g1/0/28)-- switch2 --- lan2
    lan1 and lan2 are different subnets. I would like to know the best way to configure the ports/VLANS/etc so that traffic can be routed between them. both switch1 and switch2 support routing.

    Treat the sw1 and sw2 just like a router. Make the link between them a L3 interface and then you can use routing to get the lan 1 talking to lan 2. For example:
    sw1:
    conf t
    ip routing
    ! access port to a PC in lan 1
    interface g1/0/1
    switchport
    ! routed (L3) port toward sw2
    interface g1/0/28
    no switchport
    ip address 10.1.1.1 255.255.255.252
    interface vlan 1
    ip address 1.1.1.1 255.255.255.0
    ! lan2 via sw2's end of the link (ip route takes a subnet mask, not a wildcard)
    ip route 2.1.1.0 255.255.255.0 10.1.1.2
    sw2:
    conf t
    ip routing
    ! access port to a PC in lan 2
    interface g1/0/1
    switchport
    ! 'no switchport' is needed here too, or the ip address is rejected
    interface g1/0/28
    no switchport
    ip address 10.1.1.2 255.255.255.252
    interface vlan 1
    ip address 2.1.1.1 255.255.255.0
    ip route 1.1.1.0 255.255.255.0 10.1.1.1

  • Link Aggregation ... almost there!

    Hi all
    After struggling with Link Aggregation on Mac OS X Server to Extreme X450 switches we are almost there. We've now managed to get a live working link where the Ethernet 1 and 2 are green and the Bond0 shows both links as active, and finally the Bond0 interface picks up a DHCP address.
    So that's great, but no Network connection which is weird because it got an IP address.
    Do we have to route the traffic over one of the other interfaces or something?
    Any suggestions at all?
    Cheers
    C

    Camelot wrote:
    The first, or at least - most obvious, problem is that you have IP addresses assigned to each of en0 and en1.
    This should not be the case. Only the bond0 network should have an IP address assigned.
    The other interfaces should not be configured at all. That's almost certainly the issue since your machine has three IP addresses in the same subnet - one on each of en0, en1 and bond0. It's no wonder things are confused.
    Thanks that now works a treat!
    Was hoping you could help on another set of ports again being configured for Link Aggregation. We have tried to set it up in exactly the same way but again it's not working. The ifconfig returns back the following:
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0 mtu 1280
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::219:e3ff:fee7:5706%en0 prefixlen 64 scopeid 0x4
    inet 169.254.102.66 netmask 0xffff0000 broadcast 169.254.255.255
    ether 00:19:e3:e7:57:07
    media: autoselect (1000baseT <full-duplex,flow-control>) status: active
    supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control>
    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::219:e3ff:fee7:5707%en1 prefixlen 64 scopeid 0x5
    inet 169.254.102.66 netmask 0xffff0000 broadcast 169.254.255.255
    ether 00:19:e3:e7:57:07
    media: autoselect (1000baseT <full-duplex,flow-control>) status: active
    supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control>
    fw0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:1b:63:ff:fe:6e:6c:8a
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
    bond0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:19:e3:e7:57:07
    media: autoselect status: inactive
    supported media: autoselect
    bond interfaces: en1 en0
    When I compared this to the working Link Aggregation ifconfig output I noticed this one has the line "media: autoselect status: inactive" as opposed to active. Could this be the cause and how do I rectify it?
    Thanks

  • VLAN inter communication - almost there!

    I have been working on this for a few days. I'm almost there!
    I want my Management VLAN to be able to ping computers in the DMZ VLAN. I'm not sure if it's a NAT issue or an ACL issue.
    Specifically I'm pinging from 192.168.0.5 (management comp) to 10.10.10.5 (DMZ comp).
    Packet tracer shows no errors and says it should be working.
    I pick up a weird error in the log that says: Routing failed to locate next hop for ICMP from Management:192.168.0.5/256 to inside:10.10.10.5/0
    Why is it saying 10.10.10.5 is on the inside, when it's on the DMZ?
    name 10.10.10.0 DMZ description Public Computers
    name 192.168.10.0 Inside description CPL Staff Network
    name 192.168.0.0 Management description Cisco equipment  Access only
    name 192.168.1.0 default description Not in use
    name 192.168.10.2 CPLServer description win3k server
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 11-13
    switchport mode trunk
    interface Ethernet0/2
    switchport access vlan 11
    interface Ethernet0/3
    switchport access vlan 12
    interface Ethernet0/4
    switchport access vlan 13
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    shutdown
    nameif default
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan11
    description Inside
    nameif inside
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan12
    description DMZ
    nameif DMZ
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan13
    description Management
    nameif Management
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name CPL
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network obj-10.0.1.0
    object-group network obj-10.0.2.0
    access-list DMZtoInside extended permit ip host DMZ host CPLServer
    access-list InsidetoDMZ extended permit ip Inside 255.255.255.0 host DMZ
    access-list ManagementtoDMZ extended permit ip Management 255.255.255.0 DMZ 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging asdm-buffer-size 512
    logging buffered debugging
    logging asdm debugging
    mtu default 1500
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu Management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any DMZ
    icmp permit any Management
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (inside) 1 interface
    global (DMZ) 1 interface
    global (Management) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,Management) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    static (inside,DMZ) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Management 255.255.255.240 Management
    http Management 255.255.255.0 Management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi,
    I think the problem most likely is the NAT configuration.
    Is there a specific reason you are using Dynamic PAT from one interface to another ("nat" and "global" between local interfaces)? If this is not required I would suggest a different type of configuration for the whole NAT if you want to try it out. This would involve removing some of the existing configurations and will naturally affect the network operation while you do it.
    Removing old ones
    no global (inside) 1 interface
    no global (DMZ) 1 interface
    no global (Management) 1 interface
    no static (inside,Management) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    no static (inside,DMZ) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
    Adding new configurations
    Existing ones
    !global (outside) 1 interface
    !nat (inside) 1 0.0.0.0 0.0.0.0
    access-list INSIDE-NAT0 remark NO NAT between Local Networks
    access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NAT0
    access-list DMZ-NAT0 remark NO NAT between Local Networks
    access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
    nat (DMZ) 0 access-list DMZ-NAT0
    access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
    access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    nat (Management) 0 access-list MANAGEMENT-NAT0
    And naturally attach ACLs to interfaces to control traffic if needed
    Hope this helps
    - Jouni
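    Added example, not from the thread above: a small Python model of how a pre-8.3 ASA (the `static`/`nat`/`global` syntax in the posted config) picks an egress interface, showing why the question's log line names `inside` for a DMZ host and what changes under Jouni's `nat 0` exemptions. The rule modelled here, a simplification of the ASA's behaviour, is that a static whose mapped side covers the destination on the ingress interface fixes the egress to the static's real interface before any route lookup; so the catch-all `static (inside,Management) 0.0.0.0 0.0.0.0` claims every Management-sourced destination for `inside`, and the ASA then finds no route to 10.10.10.5 on that interface. With the statics removed and `nat 0` exemptions in place, the route lookup alone selects `DMZ`. Interface subnets, hosts and the rule lines come from the posts above; the class and function names are mine.

```python
"""Added example, not from the thread: simplified egress-interface selection on a
pre-8.3 ASA, contrasting the posted catch-all statics with nat 0 exemptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Static:
    real_if: str      # interface owning the real (untranslated) addresses
    mapped_if: str    # interface on which the mapped addresses are presented
    mapped: str       # mapped network; '0.0.0.0/0' is the catch-all from the posted config


@dataclass(frozen=True)
class Nat0:
    iface: str        # 'nat (iface) 0 access-list ...'
    src: str
    dst: str


@dataclass
class Asa:
    connected: dict[str, str]                                      # interface -> its subnet
    routes: list[tuple[str, str]] = field(default_factory=list)    # (prefix, interface)
    statics: list[Static] = field(default_factory=list)
    nat0: list[Nat0] = field(default_factory=list)

    def route_lookup(self, dst: IPv4) -> str | None:
        """Longest-prefix match over connected subnets and configured routes."""
        table = [(ipaddress.ip_network(p), i) for i, p in self.connected.items()]
        table += [(ipaddress.ip_network(p), i) for p, i in self.routes]
        hits = [(n.prefixlen, i) for n, i in table if dst in n]
        return max(hits)[1] if hits else None

    def nat0_exempt(self, ingress: str, src: IPv4, dst: IPv4) -> bool:
        """True when a 'nat (ingress) 0 access-list' entry covers src -> dst."""
        return any(r.iface == ingress
                   and src in ipaddress.ip_network(r.src)
                   and dst in ipaddress.ip_network(r.dst) for r in self.nat0)

    def egress(self, ingress: str, dst: IPv4) -> tuple[str | None, str]:
        """Modelled assumption: a static whose mapped side covers dst on the ingress
        interface decides the egress before any route lookup; otherwise the
        routing table decides."""
        for s in self.statics:
            if s.mapped_if == ingress and dst in ipaddress.ip_network(s.mapped):
                return s.real_if, f"static ({s.real_if},{s.mapped_if}) mapped {s.mapped}"
        return self.route_lookup(dst), "route lookup"


def forward(asa: Asa, ingress: str, src: str, dst: str) -> str:
    """Describe what happens to the first packet of a flow src (on ingress) -> dst."""
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    out, why = asa.egress(ingress, dst_ip)
    # Even when a static picks the egress, a route for dst must exist via that
    # interface; otherwise the ASA logs 'Routing failed to locate next hop ...
    # to <egress>:<dst>', the message quoted in the question.
    if out is None or asa.route_lookup(dst_ip) != out:
        return f"routing failed: {why} chose {out}, but no route to {dst} via {out}"
    nat = "nat 0 exempt" if asa.nat0_exempt(ingress, src_ip, dst_ip) else "subject to nat/global"
    return f"forwarded {ingress}->{out} ({why}, {nat})"


# Subnets from the posted interface Vlan11/12/13 addresses; outside is DHCP, so only
# its default route ('route outside 0.0.0.0 0.0.0.0 192.168.1.1 1') is modelled.
INTERFACES = {"inside": "192.168.10.0/24", "DMZ": "10.10.10.0/24", "Management": "192.168.0.0/24"}
ROUTES = [("0.0.0.0/0", "outside")]

# As posted: catch-all statics from inside toward Management and DMZ.
POSTED = Asa(INTERFACES, ROUTES, statics=[
    Static("inside", "Management", "0.0.0.0/0"),
    Static("inside", "DMZ", "0.0.0.0/0"),
])

# Jouni's proposal: statics removed, nat 0 exemptions between the local networks.
PROPOSED = Asa(INTERFACES, ROUTES, nat0=[
    Nat0("Management", "192.168.0.0/24", "10.10.10.0/24"),
    Nat0("Management", "192.168.0.0/24", "192.168.10.0/24"),
    Nat0("DMZ", "10.10.10.0/24", "192.168.0.0/24"),
    Nat0("DMZ", "10.10.10.0/24", "192.168.10.0/24"),
    Nat0("inside", "192.168.10.0/24", "10.10.10.0/24"),
    Nat0("inside", "192.168.10.0/24", "192.168.0.0/24"),
])

if __name__ == "__main__":
    for name, asa in (("posted", POSTED), ("proposed", PROPOSED)):
        print(f"{name}: {forward(asa, 'Management', '192.168.0.5', '10.10.10.5')}")
```

    The "posted" run reproduces the symptom (egress `inside`, no route there for 10.10.10.5); the "proposed" run forwards to `DMZ` untranslated. Interface ACLs, as Jouni notes, still decide whether the traffic is permitted once the egress is right.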

  • How to configure switch to route ISP ethernet handoff? (L3 or VLAN routing)

    I have an ISP providing a redundant internet circuit through Ethernet handoff, and I need to route their border network to my firewall which will hold the public IP address block.  The handoffs will go into 2 3750 switches stacked, which in turn will be uplinked to an ASA active/standby pair.  How do I configure the switches to handle the traffic?  The equipment isn't in place yet so I can't test the configuration; just trying to validate the plan.  I'm not sure of the pros/cons of using L3 switchport vs VLAN routing.
    Example, ISP provides 2 drops, 10.10.10.1/29 and 10.10.10.2/29, and a virtual gateway to route traffic out to the internet, 10.10.10.3/29 (FYI - in reality these are public IP's, just using privates for example).  Assume the public block is 192.168.0.0/24.  I need to configure the 3750 switches with interfaces of 10.10.10.4/29 and 192.168.0.1/24.  The ASA firewall outside interface will be 192.168.0.2/24.
    The ISP routes everything destined for 192.168.0.0/24 to 10.10.10.4/29.  I need to route all outbound internet traffic to 10.10.10.3/29.
    So the 3750 would have a layer 3 port-channel with IP 10.10.10.4/29 to uplink to the ISP drops.  It will also have another layer 3 port-channel with IP 192.168.0.1 (or should I use a VLAN interface for both or either?).  The ASA outside interface will be 192.168.0.2.  On the ASA my default route out is 0.0.0.0 0.0.0.0 192.168.0.1.  The default route on the 3750 stack will be 0.0.0.0 0.0.0.0 10.10.10.3.
    Thoughts?
                                                                                 [ISP-BORDER1-10.10.10.1]
    [INTERNET]----[ISP-BORDER-VIP-10.10.10.3]                                                 [3750-L3-PORT-10.10.10.4/192.168.0.1]----------[ASA-192.168.0.2]
                                                                                [ISP-BORDER2-10.10.10.2]

    Hi,
    Any update on above queries.
    Need Solution.

  • Creating multiple vlans across multiple switches

    Hi All,
    How should I create multiple vlans across multiple switches?
    For instance, I have two (primary/redundant) layer 3 (core) switches and four layer 2 access switches (Cisco 2960) for the hosts, and given these are the vlans/subnets to be created. Should I do it in the core switches only and it would just propagate through the access via VTP?  Just trying to practice and learn.. Any help will be greatly appreciated:)
    VLAN 100: [DHCP-workstations]
    172.26.4.0/24
    172.26.5.0/24
    VLAN 200: [Servers]
    172.16.1.0/24
    172.16.2.0/24
    VLAN 300: [Printers]
    192.168.129.0/24
    192.168.130.0/24
    VLAN 800: [Management for switches/routers]
    10.160.1.0/24

    Hi
    You will have the SVI on the core. Set a VTP domain, make one of the cores as VTP server and rest of the switches as VTP clients. Once you do this, you won't have to login into each switch and create a vlan locally. The vlans will be automatically advertised from the VTP server to all the VTP clients.
    Thanks
    Ankur
    "Please rate the post if found useful"

  • Flexconnect - local-switching - Interface Groups - multiple subnets/vlans

    So I'm trying to setup an "interface-group-like" configuration on some Flexconnect APs with local switching enabled in order to support multiple subnets/VLANs linked to a single SSID.
    Does anyone know if this is possible or have any suggestions?
    I've tried:
    AP Groups - One SSID which would require central switching for it to be of use (I think).
    AP Groups - Creating an additional SSID and then placing the APs in a group per site. This works but is going to be difficult to manage if I have 400+ sites running this sort of setup.
    For reference, my end goal is to have multiple (400+) branch sites with the same WLAN mapped to 3 or 4 different VLANs in order to split the subnets up into smaller chunks (/23s or /24s). These VLANs are all switched locally and are uniform in numbering across all the sites from a layer 2 perspective.
    Thanks,
    Ric

    Interface groups is not an available feature on FlexConnect. FlexConnect doesn't support layer 3 roaming if devices roam from one FlexConnect ap to another and the wlan to vlan mappings are different. This is a limitation to FlexConnect along with a few others listed in the FlexConnect deployment guide.
    -Scott

  • Which Switch and Router to choose?

    I am interested in purchasing a Cisco Switch and Router, or possibly a Cisco Switch Router.
    However, I am not sure of what model to go with.
    Currently, we have a network with about 200 Workstations and 30 Servers for our Corporation Infrastructure.
    Also, for our lab, we have about 50 Linux Based Servers, and 30 Solaris Based Servers, that are part of our Network. We are a Research and Development Company, and we have had issues with the Lab machines bringing down our network, as well as our corporate network adversely affecting the lab machines. What we would like to do is segment the network so that the different areas will be isolated. However, we also would like to have a lot of control over the traffic that will be able to cross from our network into the lab so that users will still be able to run their tests.
    Security is also an issue, and it would be great to have more control, and a better view of what kind of traffic is running through our network.
    Currently, we have about 8 Gigabit switches which are unmanaged (Linksys and NetGear). Our idea was to get 1 or 2 Cisco Switch Routers, and then split them up into VLANs and cascade our current switches so that we can still make use of them. The other idea was to just get a Cisco Switch and use our CheckPoint Router/Firewall to do the routing.
    Can you give me any advice as to what model of Cisco Product you would recommend?
    Is it better to go with a Switch Router, or simply get a separate Switch and Router?
    Please note that all of our machines have 10/100/1000 NICs, so the device will need to be Gigabit.
    Thank you so much!

    You have two choices. Either to use a chassis based solution or to use stackable switches such as a 3750. Are all the cat 5 (or 5e, 6) runs coming into one centralized location? Or are there separate wiring closets that you plan to put. If then we need to put separate switches at those locations and run fiber back to the central location which has a chassis based or stackable switch.
    If using a chassis based solution, you can get a 4506 (4507 for redundancy, with a redundant supervisor engine). Supervisor engine is nothing but the CPU of the switch. 4506 is a 6 slot modular switch with 2 power supplies for redundancy. You cannot add two Supervisor engines on a 4506 (4507 can).
    Slot 1 is always for supervisor engine, the remaining 5 slots you can fill using 48 port 10/100/1000 modules.(48 * 5 = 240). So your maximum port density is 240 ports on a 4506. (Note that there are 4507, 4510 which are similar models with more slots)
    If using 3750, you can stack up to 9 switches in a stack using stacking cables on the back side of the switch. Each switch will have 48 ports (10/100/1000) and you can stack 5 switches to get 240 ports.
    For the firewall I would recommend using a PIX 515E, (Why go for Checkpoint firewall when you can use all Cisco). For routing between the vlans, the switches that I recommended above are all Layer 3 switches. They will route between the different vlans. You can also configure ACLs to restrict traffic between multiple vlans.
    HTH

  • Dynamic vlans with multiple fallback-vlans?

    I've got a problem with dynamic vlans. Trying to figure out configuration for the topology similar to the one in the picture.
    I’ve got four vlans for PCs, one vlan per department. I have to add fifth vlan (50) for devices that can be connected to any of the three switches: A, B, C. these devices need to be on their own vlan, no matter to which switch they are connected to. On the other hand, PCs connected to any port on those switches should be assigned to appropriate vlan (10,20,30 or 40).
    I was thinking about using dynamic vlans with list of mac addresses of devices that need to be on vlan 50 but not sure what to do with PCs. I don’t think I can use fallback vlan as I can set up only one fallback vlan for whole network and not per switch or port.
    I cannot use list of mac addresses of all pcs as there’s simply too many of them (my network is way bigger than in the picture, I simplified it only to present the idea). I imagine I would need multiple fallback vlans for different switches.
    Has anyone got any idea that could help me please? Maybe there’s some other and easier way?

    In new software (for Cisco switches) we provide multiple fallbacks for MAC authentication (MAB):
    1. 802.1x
    2. web authentication
    3. guest vlan (if no supplicant on the PC)
    4. auth fail vlan (if radius denies you access)
    So you could keep a list of MAC addresses for vlan 50 and do MAB for these devices if MAB fails you can use 802.1x for your PCs.
    This will require configuring 802.1x supplicants on all PCs (Windows comes preloaded with one) and maintaining a radius of users who are able to log into the network. A lot of people use their Active directory pre-existing database as a backend to store their usernames and passwords for user authentication with dot1x.
    With using both dot1x and MAB you can now distinguish easily between two different processes and use your radius server to assign vlans based upon almost anything you can think of.
    -Elly

  • Is Multiple Compliant VLAN Possible with NAP 802.1x Enforcement?

    Multiple Compliant VLANs for 802.1x NAP Enforcement
    Hello Dear,
    I am implementing NAP with 802.1x enforcement type, but it is an existing network where the organisation already has the network segmented into about 7 VLANs based on the departments in the organisation, and the VLANs equally have IP interfaces on them (meaning they are subnets).
    By design NAP with 802.1x enforcement supports 2 VLANs: Compliant and Non-Compliant VLANs apart from the GuestVlan which the switch uses for 802.1x pre-authentication.
    In my test lab, authenticated clients are pushed to Compliant VLAN if they meet SHV set. Also,if they don’t meet the SHV they are moved to Non-Compliant VLAN.
    How do I apply this type of enforcement for multiple VLANs belonging to the organisation's different Departments? Assuming I decide to create a single Non-Compliant VLAN this may cater for non-compliant clients but what VLAN among the 7 existing VLANs will compliant clients be pushed into?
    How will the switch know the VLAN a member of a particular department should be moved to since there are more than one Compliant VLAN assuming I configured ” NPS Network Policy” for more than one compliant VLAN?
    Please your help is very important.
    Thanks.
    Alex.

    Thanks Greg.
    That works. But I have two other big challenges:
    1st Challenge:
    I have close to 50 VoIP devices as well as printers that must be exempted from NAP, and the position of the 802.1x enabled switch is such that it is the Distribution switch to which Access Switches tied to each VLAN are connected (each access switch connects to an authenticating port on the Distribution Switch), and IP Phones, data points and printers are then connecting to the Access Switches.
    There is the limitation of how many MAC addresses can be exempted even when pattern matching is used in NPS (256 characters maximum) and this cannot cater for over 50 non-NAP-capable devices in this network. Should I create several exemption policies using the pattern matching to accommodate the 50+ non-NAP-capable devices? Please advise.
    2nd Challenge:
    In this existing Network, there are branch offices that communicate with this HQ over a dedicated WAN connection (NOT VPN over internet). Please how do I ensure routing communication between HQ and branches is not hampered at the introduction of 802.1x NAP enforcement at this HQ network? Your prompt response will be highly appreciated...
    Thanks a great deal.
    Alex.

  • Vlan routing questions on the 6509

    We have a 6509 VSS at our main site and one vlan (an IP class C size) is comprised of a large number of servers with single Gb interfaces. These are connected to the 6509 via various methods - blade centers with GB portchannels, some directly attached to the core, and some via 4948s with 10Gb trunk uplinks. My question is this...I know we have way too many servers in one subnet (this is not all of our servers) and I know that all broadcasts will hit every individual server but how does the 6509 ASICs handle the packets in and out of the vlan with multiple connections to that vlan on the 6509s?  Can packets get routed through that 6509 vlan router interface simultaneously from the multiple layer 2 connections on the 6509s? What I am asking is if the 6509 vlan routing interface throttles all the Gb interfaces into a single GB interface through the vlan routing interface? What about the few servers on the 10Gb interfaces - are they throttled to a single routing 10Gb interface or does each connection have its own connection to the routing interface?  What I want to know is if the 6509 acts as though it was like a single separate (1G and 10Gb) router attached to the vlan  - like a bunch of switches connected together with a single separate router attached to one of the interfaces for routing out of the vlan. Thanks

    Packet switching within the vlan is not what I am asking about. I want to understand the process the 6509s use when they route from a vlan (one subnet) to another vlan (subnet) - L3 routing out of the vlan.
    It's pretty much the same thing which is what Reza was explaining.
    It can be helpful sometimes in terms of design etc. to think of a L3 switch as you would if it was a physical router and L2 switches but in terms of forwarding thinking of it like that is misleading.
    In terms of forwarding L3 traffic the SVI does not correspond to the physical interface of the router. The actual interfaces used would, in the case of the 6500, be the physical port connections for the source and destination devices on their corresponding linecards.
    If the linecards did not have DFCs then a part of the packet is sent by the linecard to the PFC for a forwarding decision. If they do have DFCs then they can make the forwarding decision locally.
    Either way the forwarding decision is made by looking at the FIB (Forwarding Information Base) which is stored on the PFC and on each DFC if the linecards have them. The FIB should have entries for connected and remote networks (learnt via the IP routing table), the next hop IP and its L2 mac address so all the information needed to forward the packet at L3 is there.
    So, as Reza says, the packet is then switched either locally on the linecard from one port to another or is sent from the ingress linecard to the linecard with the egress port via the switch fabric.
    Any bottlenecks within the chassis apply to both L2 and L3 forwarding eg oversubscription etc.
    The above is a very high level view of how it works. If you want to understand it in greater detail it would be worth having a read of the link Reza provided.
    Jon

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
    I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and set up PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3.
    3. The reason a router was purchased over a firewall was that ASAs cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be set up in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing upwards of 200 IPSec connections.
    Your point about moving the SVIs to a firewall to perform filtering between VLANs makes sense; however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.

  • RV130W Inter-VLAN Routing occurs even when disabled

    On my RV130W I have two VLANs set up:
    VLAN1:
    VLAN100:
    Inter-VLAN Routing is NOT enabled:
    Why then am I able to ping hosts in a different VLAN?
    Does this require a bug fix?

    I put my theory to the test and it worked as I thought,
    which is that vlan 101 could get to vlan 102 and vice versa,
    but vlan 1 could get to either and vice versa.
    I take it that this is probably due to how the router OS is set up and the hardware options on it;
    based on that there are probably only a couple of real interfaces,
    and vlan 1 is assigned to one of them or to the switch interface
    and the other vlans are just attached to it.
    Vlan 1 has to be able to cross-communicate due to my guess that there aren't enough real interfaces,
    in that that vlan is the end gateway and the other vlans are just virtual gateways, if you will.
    This is what I did with the ports:
    In my lab I actually don't assign vlan 1 to any ports at all; nothing is on it except the actual router,
    but I left it on a port for you to see, as it might be handy to connect to in worst-case scenarios,
    which works because of routing.
    As to whether it's a feature, a bug or a limitation, that is hard to say without more info from Cisco.

  • Problem in switching vlan

    Hello gentlemen,
      I have a problem in my topology. One at a time, about if there is no traffic on the vlan, router R2 fails to ping the IP of the remote end SVI; the issue causes the disorders seen, and everything normalizes after I ping from (Vlan10)-R1 to the IP in the SVI of R2 (Vlan10). When the problem occurs, another vlan trunk on the same link with the switching hub continues normally. The ARP table shows their MACs and addresses. In troubleshooting at layer 2 I have not detected any problems. Has someone already witnessed such a problem?
    I am using the switch module model HWIC-4ESW in every scenario.

    Hi,
    Can you post "sh run" from all 3 routers?
    Are you using a separate subnet for each vlan?
    Do all 1841 routers have the same module installed?
    What version of IOS are you running?

  • Route-map, vlan routing

    I have a 6509 that I've set up with route-maps in order to route VLANs in different ways. For example, if we wanted some vlans to get out to the internet we would route them to a certain address. Then there is another vlan that we route to another internet gateway. It was all working pretty well until we swapped out another switch gateway in the network, and ever since, things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch and then back in, even though my access-lists are set to deny the traffic. Here are the access-lists and route-maps:
    access-list 10 permit 192.168.24.101
    access-list 10 permit 192.168.24.102
    access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
    access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
    access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
    access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
    access-list 104 permit tcp host 172.16.4.20 any eq www
    ip access-list extended BITCENTRAL_INTERNET
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 172.16.1.170 any
     permit ip host 172.16.1.150 any
    ip access-list extended EDIT_BAYS
     deny   ip any 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 any
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 192.168.25.2 any
     permit ip host 192.168.26.80 any
     permit ip host 192.168.25.104 any
     permit ip host 192.168.25.3 any
     permit ip host 192.168.26.69 any
     permit ip host 192.168.26.71 any
     permit ip host 192.168.27.33 any
    ip access-list extended ENPS
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 192.168.24.101 any
     permit ip host 192.168.24.102 any
     permit ip host 192.168.24.103 any
    ip access-list extended ENTRIQ
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
     deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip 172.16.8.0 0.0.0.255 any
    ip access-list extended MISC
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
     deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip 172.16.11.0 0.0.0.255 any
    ip access-list extended Omneon
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     permit ip host 172.16.2.11 any
     permit ip host 172.16.2.2 any
    ip access-list extended ROSS-VLAN
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 172.16.4.20 any
     permit ip host 172.16.4.32 any
     permit ip host 172.16.4.31 any
     permit ip host 172.16.4.29 any
     permit ip host 172.16.4.30 any
     permit ip host 172.16.4.28 any
    vlan internal allocation policy ascending
    vlan access-log ratelimit 2000
    interface Vlan1
     no ip address
     shutdown
    interface Vlan10
     ip address 172.16.1.1 255.255.255.0
     ip policy route-map BITCENTRAL
    interface Vlan20
     ip address 172.16.2.1 255.255.255.0
     ip policy route-map OMNEON
    interface Vlan30
     ip address 172.16.3.1 255.255.255.0
    interface Vlan40
     ip address 172.16.4.1 255.255.255.0
     ip policy route-map ROSS-VLAN
    interface Vlan50
     ip address 172.16.5.1 255.255.255.0
    interface Vlan60
     ip address 172.16.6.1 255.255.255.0
    interface Vlan70
     ip address 172.16.7.1 255.255.255.0
    interface Vlan80
     ip address 172.16.8.1 255.255.255.0
     ip policy route-map ENTRIQ
    interface Vlan100
     ip address 192.168.27.1 255.255.252.0
     ip helper-address 192.168.7.255
     ip policy route-map OMNIBUS-VLAN
    interface Vlan110
     ip address 172.16.11.1 255.255.255.0
     ip helper-address 192.168.27.200
     ip policy route-map MISC
    interface Vlan120
     ip address 172.16.10.1 255.255.255.240
     ip policy route-map EDIT_BAYS
    interface Vlan140
     ip address 192.168.4.15 255.255.255.0
     ip directed-broadcast 10
    interface Vlan500
     ip address 192.168.1.19 255.255.255.224
    ip classless
    ip route 172.22.0.0 255.255.255.248 192.168.4.1
    ip route 192.168.0.0 255.255.255.224 192.168.4.254
    ip route 192.168.5.0 255.255.255.0 192.168.4.1
    route-map BITCENTRAL permit 60
     match ip address BITCENTRAL_INTERNET
     set ip next-hop 192.168.4.1
    route-map EDIT_BAYS permit 50
     match ip address EDIT_BAYS
     set ip next-hop 192.168.4.1
    route-map ENTRIQ permit 80
     match ip address ENTRIQ
     set ip next-hop 172.16.8.254
    route-map MISC permit 40
     match ip address MISC
     set ip next-hop 192.168.4.1
    route-map MSN permit 10
     match ip address 104
     set ip next-hop 192.168.4.1
    route-map OMNEON permit 20
     match ip address Omneon
     set ip next-hop 192.168.4.1
    route-map OMNIBUS-VLAN permit 30
     match ip address EDIT_BAYS
     set ip next-hop 192.168.4.1
    route-map OMNIBUS-VLAN permit 40
     match ip address ENPS
     set ip next-hop 192.168.4.1
    route-map ROSS-VLAN permit 70
     match ip address ROSS-VLAN
     set ip next-hop 192.168.4.1
    route-map SEC-VLAN permit 30
     match ip address SEC-VLAN
     set ip next-hop 192.168.4.1
    Here is how we tested the system and found the error. We cut the connection to the 192.168.4.1 router, and when we try to ping a host on VLAN 100 with the ip address of 192.168.24.101 from the MISC vlan with an ip address of 172.168.11.9, the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again.  What in my route-map is causing this? I thought I set up the deny rules pretty well.
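    The following is an added example, not from the post or the thread: a small Python model of how IOS evaluates an extended ACL inside a route-map (first matching ACL line wins; only a permit makes the route-map sequence match; a deny or no match falls through to the next sequence, then to normal routing), loaded with the posted MISC, EDIT_BAYS and ENPS lines so the two directions of the failing ping can be traced offline. It assumes the MISC host is 172.16.11.9 on Vlan110 (the post writes 172.168.11.9) and that the reply from 192.168.24.101 enters the switch on Vlan100, where route-map OMNIBUS-VLAN is applied.

```python
import ipaddress
_ip = lambda a: int(ipaddress.IPv4Address(a))  # dotted quad -> int

def _spec(tok):  # one ACL address spec: 'any' | 'host X' | 'X WILDCARD' -> (addr, wildcard, rest)
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0, tok[2:]
    return _ip(tok[0]), _ip(tok[1]), tok[2:]

def parse_acl(text):  # 'permit|deny ip SRC DST' lines, the only form the posted named ACLs use
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        assert proto == "ip", "only plain 'ip' entries are modelled"
        src, swild, rest = _spec(rest)
        dst, dwild, _ = _spec(rest)
        entries.append((action, src, swild, dst, dwild))
    return entries

def acl_result(acl, src, dst):  # first matching line wins; None = no line matched (implicit deny)
    s, d = _ip(src), _ip(dst)
    for action, a, aw, b, bw in acl:  # a wildcard bit set to 1 means "don't care"
        if (s ^ a) & ~aw & 0xFFFFFFFF == 0 and (d ^ b) & ~bw & 0xFFFFFFFF == 0:
            return action
    return None

def policy_route(route_map, acls, src, dst):
    """PBR semantics: the first sequence whose match ACL *permits* the flow sets its
    next hop; an ACL deny (or no match) only skips that sequence, and when every
    sequence is skipped the packet is routed by the normal routing table (None)."""
    for seq, acl_name, next_hop in route_map:
        if acl_result(acls[acl_name], src, dst) == "permit":
            return seq, next_hop
    return None

# ACLs and route-maps as posted (MISC applied on Vlan110, OMNIBUS-VLAN on Vlan100);
# the ACLs are cut down to the lines the two tested flows actually reach.
ACLS = {"MISC": parse_acl("""
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
permit ip 172.16.11.0 0.0.0.255 any"""),
        "EDIT_BAYS": parse_acl("deny ip any 172.16.0.0 0.0.255.255"),
        "ENPS": parse_acl("""
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.24.101 any""")}
RMAP = {"MISC": [(40, "MISC", "192.168.4.1")],
        "OMNIBUS-VLAN": [(30, "EDIT_BAYS", "192.168.4.1"), (40, "ENPS", "192.168.4.1")]}
```

    Tracing the two directions with these tables: the request 172.16.11.9 -> 192.168.24.101 hits MISC's third deny line and is routed normally, while the reply 192.168.24.101 -> 172.16.11.9 is denied by EDIT_BAYS (sequence 30 skipped) but permitted by ENPS's host line, so sequence 40 hands it to 192.168.4.1; ENPS has no deny for 192.168.24.0/22 -> 172.16.0.0/16 the way MISC does.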

    Hi Mike,
    Between you and me, this is a lengthy config you have there.
    Next, don't forget that a route-map doesn't apply to traffic originated by or destined to the device itself, unless you use ip local policy, which might work, but there I have seen some nasty bugs.
    So if you can shorten your config to one example, then do the tests:
     - sourced from device A (it can be the SVI of another switch)
     - through your 6509
     - destined to device B (it also can be the SVI of another switch, or even simpler some loopback interface).
