Switch VLANs/Routing
I'm interested in best practice design for the following:
lan1 --- switch1 --(g1/0/28)-- GigaMAN Link --(g1/0/28)-- switch2 --- lan2
lan1 and lan2 are different subnets. I would like to know the best way to configure the ports/VLANs/etc. so that traffic can be routed between them. Both switch1 and switch2 support routing.
Treat sw1 and sw2 just like routers. Make the link between them an L3 interface, and then you can use routing to get lan1 talking to lan2. For example:
sw1:
conf t
ip routing
interface g1/0/1
 ! access port to a PC in lan1
 switchport
interface g1/0/28
 ! routed port for the GigaMAN link (no switchport makes it an L3 port)
 no switchport
 ip address 10.1.1.1 255.255.255.252
interface vlan 1
 ip address 1.1.1.1 255.255.255.0
ip route 2.1.1.0 255.255.255.0 10.1.1.2
sw2:
conf t
ip routing
interface g1/0/1
 ! access port to a PC in lan2
 switchport
interface g1/0/28
 ! other end of the GigaMAN link, also a routed port
 no switchport
 ip address 10.1.1.2 255.255.255.252
interface vlan 1
 ip address 2.1.1.1 255.255.255.0
ip route 1.1.1.0 255.255.255.0 10.1.1.1
Similar Messages
-
Multiple switch vlan routing, almost there!
Hello,
I'm hoping this is a blatantly obvious issue, but we all know how late night thinking tends to be fairly foggy!
Anyway, I have 3 3400cl HP switches and a 2610 Poe switch. One of the 3400's is acting as the core, with the other 3 switches lacp trunked into it.
Currently trying to get vlan 40 traffic properly routed for internet access. This is a leap into vlan configs, so the existing domain traffic is still on vlan 1 (yes I know, not ideal).
The config so far successfully allows clients on VLAN 40 to receive DHCP addresses via the IP helper, but no access to internet sites. I can resolve a DNS address, I just can't see any hops beyond the VLAN 40 IP.
Two other points if anyone wishes to comment:
The HP 2610 is slotted to be replaced with a Cisco 3750 PoE switch. Any comments on making Cisco and HP play nicely together?
And second, if anyone wants to suggest best practice words of wisdom for migrating existing services into a more detailed vlan setup, please type away!
Here is the config: The 'lower' named switch will mirror the 3rd 3400 so I didn't see the need to include that one.
hostname "NHB-Core"
interface 19
no lacp
exit
interface 20
no lacp
exit
interface 21
no lacp
exit
interface 22
no lacp
exit
interface 23
no lacp
exit
interface 24
no lacp
exit
trunk 19-20 Trk1 LACP
trunk 21-22 Trk2 LACP
trunk 23-24 Trk3 LACP
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-18,Trk1-Trk3
ip address 10.10.4.59 255.255.255.0
exit
vlan 40
name "VLAN40"
ip address 10.10.10.1 255.255.255.0
ip helper-address 10.10.4.29
tagged Trk1-Trk3
exit
ip route 0.0.0.0 0.0.0.0 10.10.4.98
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
hostname "NHB-Poe"
trunk 25-26 Trk1 LACP
ip default-gateway 10.10.4.59
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1,3-24,27-28,Trk1
ip address 10.10.4.62 255.255.255.0
no untagged 2
exit
vlan 40
name "VLAN40"
untagged 2
tagged Trk1
exit
spanning-tree Trk1 priority 4
hostname "NHB-lower"
interface 23
no lacp
exit
interface 24
no lacp
exit
trunk 23-24 Trk1 LACP
ip default-gateway 10.10.4.59
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-22,Trk1
ip address dhcp-bootp
exit
vlan 40
name "VLAN40"
tagged Trk1
exit
spanning-tree Trk1 priority 4
I am sorry, but to get your issue more exposure, I would suggest posting it in the commercial forums, since this is a commercial product. You can click here for the link.
TwoPointOh
I work on behalf of HP
-
How to configure switch to route ISP ethernet handoff? (L3 or VLAN routing)
I have an ISP providing a redundant internet circuit through Ethernet handoff, and I need to route their border network to my firewall which will hold the public IP address block. The handoffs will go into 2 3750 switches stacked, which in turn will be uplinked to an ASA active/standby pair. How do I configure the switches to handle the traffic? The equipment isn't in place yet so I can't test the configuration; just trying to validate the plan. I'm not sure of the pros/cons of using L3 switchport vs VLAN routing.
Example, ISP provides 2 drops, 10.10.10.1/29 and 10.10.10.2/29, and a virtual gateway to route traffic out to the internet, 10.10.10.3/29 (FYI - in reality these are public IP's, just using privates for example). Assume the public block is 192.168.0.0/24. I need to configure the 3750 switches with interfaces of 10.10.10.4/29 and 192.168.0.1/24. The ASA firewall outside interface will be 192.168.0.2/24.
The ISP routes everything destined for 192.168.0.0/24 to 10.10.10.4/29. I need to route all outbound internet traffic to 10.10.10.3/29.
So the 3750 would have a layer 3 port-channel with IP 10.10.10.4/29 to uplink to the ISP drops. It will also have another layer 3 port-channel with IP 192.168.0.1 (or should I use a VLAN interface for both or either?). The ASA outside interface will be 192.168.0.2. On the ASA my default route out is 0.0.0.0 0.0.0.0 192.168.0.1. The default route on the 3750 stack will be 0.0.0.0 0.0.0.0 10.10.10.3.
Thoughts?
[ISP-BORDER1-10.10.10.1]
[INTERNET]----[ISP-BORDER-VIP-10.10.10.3] [3750-L3-PORT-10.10.10.4/192.168.0.1]----------[ASA-192.168.0.2]
[ISP-BORDER2-10.10.10.2]
Hi,
Any update on the above queries?
Need a solution. -
Branch office setup with L3 switch and router with IOS security
Hello,
I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to set up separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be set up with SVIs to perform routing between VLANs. The port between the router and switch would be set up as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
Any input would be appreciated.
Thanks,
Austin
Thanks for the input.
1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3.
3. The reason a router was purchased over a firewall was that ASAs cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be set up in an active/standby state. Also, an ASA Sec+ does not have anywhere near the VPN capabilities that the 2911 security bundle does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security bundle is capable of upwards of 200 IPSec connections.
Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid. -
Vlan routing with Linksys sge2000
Hi, I have a Linksys SGE2000 with two VLANs; one has interface 192.168.50.10/18 and the second has 192.168.30.10/24. I need to get communication between these networks, because a few computers must access the other network. That's why I ask you for some help, because until now I couldn't find out if it's possible on this switch. Thank you in advance.
Daniel
It is not possible for those 2 VLANs to communicate with each other unless you hook up a router to those 2 VLANs. The device is not capable of inter-VLAN routing alone, so you will need to use a layer 3 device.
-
RV130W Inter-VLAN Routing occurs even when disabled
On my RV130W I have two VLANs set up:
VLAN1:
VLAN100:
Inter-VLAN Routing is NOT enabled:
Why then am I able to ping hosts in a different VLAN?
Does this require a bug fix?
I put my theory to the test and it worked as I thought,
which is that VLAN 101 could get to VLAN 102 and vice versa,
but VLAN 1 could get to either and vice versa.
I take it that this is probably due to how the router OS is set up and the hardware options on it;
based on that there are probably only a couple of real interfaces,
and VLAN 1 is assigned to one of them or to the switch interface,
and the other VLANs are just attached to it.
VLAN 1 has to be able to cross-communicate, my guess being that there aren't enough real interfaces,
in that VLAN 1 is the end gateway and the other VLANs are just virtual gateways, if you will.
This is what I did with the ports:
In my lab I actually don't assign VLAN 1 to any ports at all; nothing is on it except the actual router,
but I left it on a port for you to see, as it might be handy to connect to in worst-case scenarios,
which works because of routing.
As to whether it's a feature, a bug or a limitation is hard to say without more info from Cisco. -
Hello gentlemen,
I have a problem in my topology. From time to time, if there is no traffic on the VLAN, router R2 fails to ping the IP of the remote-end SVI; this causes disruption, and everything normalizes after I ping from (Vlan10)-R1 to the IP of the SVI on R2 (Vlan10). When the problem occurs, the other VLANs on the same trunk link with the switching hub continue normally. The ARP table shows their MACs and addresses. In troubleshooting at layer 2 I have not detected any problems. Has someone already witnessed such a problem?
I am using the switch module HWIC-4ESW in every scenario.
Hi,
Can you post "sh run" from all 3 routers?
Are you using a separate subnet for each VLAN?
Do all 1841 routers have the same module installed?
What version of IOS are you running? -
Which Switch and Router to choose?
I am interested in purchasing a Cisco Switch and Router, or possible a Cisco Switch Router.
However, I am not sure of what model to go with.
Currently, we have a network with about 200 Workstations and 30 Servers for our Corporation Infrastructure.
Also, for our lab, we have about 50 Linux Based Servers, and 30 Solaris Based Servers, that are part of our Network. We are a Research and Development Company, and we have had issues with the Lab machines bringing down our network, as well as our corporate network adversely affecting the lab machines. What we would like to do is segment the network so that the different areas will be isolated. However, we also would like to have a lot of control over the traffic that will be able to cross from our network into the lab so that users will still be able to run their tests.
Security is also an issue, and it would be great to have more control, and a better view of what kind of traffic is running through our network.
Currently, we have about 8 Gigabyte Switches which are unmanaged (Linksys and NetGear). Our idea was to get a 1 or 2 Cisco Switch Routers, and then split them up into VLANS and cascade our current switches so that we can still make use of them. The other ideas was to just get a Cisco Switch and use our CheckPoint Router/Firewall to do the routing.
Can you give me any advice as to what model of Cisco Product you would recommend?
Is it better to go with a Switch Router, or simply get a separate Switch and Router?
Please note that all of our Machines have 10/100/1000 NICs, so the device will need to be Gigabyte.
Thank you so much!
You have two choices: either to use a chassis-based solution or to use stackable switches such as a 3750. Are all the Cat 5 (or 5e, 6) runs coming into one centralized location? Or are there separate wiring closets that you plan to use? If so, we need to put separate switches at those locations and run fiber back to the central location, which has a chassis-based or stackable switch.
If using a chassis based solution, you can get a 4506 (4507 for redundancy, with a redundant supervisor engine). Supervisor engine is nothing but the CPU of the switch. 4506 is a 6 slot modular switch with 2 power supplies for redundancy. You cannot add two Supervisor engines on a 4506 (4507 can).
Slot 1 is always for supervisor engine, the remaining 5 slots you can fill using 48 port 10/100/1000 modules.(48 * 5 = 240). So your maximum port density is 240 ports on a 4506. (Note that there are 4507, 4510 which are similar models with more slots)
If using 3750s, you can stack up to 9 switches in a stack using stacking cables on the back side of the switch. Each switch will have 48 ports (10/100/1000) and you can stack 5 switches to get 240 ports.
For the firewall I would recommend using a PIX 515E, (Why go for Checkpoint firewall when you can use all Cisco). For routing between the vlans, the switches that I recommended above are all Layer 3 switches. They will route between the different vlans. You can also configure ACLs to restrict traffic between multiple vlans.
HTH -
I have a network that I need to connect to the internet. All internal vlans point to a couple of layer 3 switches. On the layer 3 switch I connected a router for internet access.
On the inside interface of the router I gave it an ip address of 10.1.0.1 - this is the ip address I want all my lan traffic to route to for internet access.
1. Do I have to give the layer 3 switch interface port a static ip address or just connect it with a cable (the other side is the internal interface of the router 10.1.0.1)?
2. On the layer 3 switch what command do I use to forward all LAN traffic to this router? Is it "ip route 0.0.0.0 0.0.0.0 10.1.0.1"?
3. Do I use that above command on both of my layer 3 switches or just the one connected directly to the router?
Thanks.
I can't even ping the router, not sure what else to do. To make it even simpler I removed the layer 3 switch connected to the router above and now have only one layer 3 switch (10.1.0.6) and still can't ping the router. All internal hosts can communicate with each other; I just need to get all the VLANs routed to the internet.
Below I pasted the show run from the layer 3 switch connected to the router and the show ip route and show ip int brief from the router.
Layer 3 switch:
hostname Switch
ip routing
spanning-tree mode pvst
interface FastEthernet0/1
switchport mode access
interface FastEthernet0/24
switchport mode access
interface GigabitEthernet0/1
switchport access vlan 100
interface GigabitEthernet0/2
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
interface Vlan1
no ip address
shutdown
interface Vlan10
description SERVERS_VLAN
ip address 10.1.10.1 255.255.255.0
interface Vlan20
description SALES_VLAN
ip address 10.1.20.1 255.255.255.0
interface Vlan30
description ACCOUNTING_VLAN
ip address 10.1.30.1 255.255.255.0
interface Vlan40
description IT_VLAN
ip address 10.1.40.1 255.255.255.0
interface Vlan50
description VOICE_VLAN
ip address 10.1.50.1 255.255.255.0
interface Vlan100
ip address 10.1.0.6 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.1
line con 0
line aux 0
line vty 0 4
login
end
ROUTER:
interface GigabitEthernet0/0
ip address 10.1.0.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface FastEthernet0/0/0
switchport mode access
shutdown
interface FastEthernet0/0/1
switchport mode access
shutdown
interface FastEthernet0/0/2
switchport mode access
shutdown
interface FastEthernet0/0/3
switchport mode access
shutdown
interface Serial0/1/0
no ip address
shutdown
interface Serial0/1/1
no ip address
show IP route
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.0.0/24 is directly connected, GigabitEthernet0/0
L 10.1.0.1/32 is directly connected, GigabitEthernet0/0
Show ip int brief
Router#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.1.0.1 YES manual up up
GigabitEthernet0/1 unassigned YES unset administratively down down
FastEthernet0/0/0 unassigned YES unset administratively down down
FastEthernet0/0/1 unassigned YES unset administratively down down
FastEthernet0/0/2 unassigned YES unset administratively down down
FastEthernet0/0/3 unassigned YES unset administratively down down
Serial0/1/0 unassigned YES unset administratively down down
Serial0/1/1 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down -
Migrating: Collo being difficult :( need some simple vlan/routing answers)
Hello,
I just purchased 2xc2950's, and a 515E.
One 2950 is for outside, one inside, with the 515E protecting the inside.
We have been renting these devices from our collocation, and the lease is up. So we've decided to manager our own, BUT, now they're being difficult with giving me ANY kind of information, (like configs, etc).
What I do know, is that the outside switch has at least 4 vlans.
With the 515E having settings such as:
nat from xxx.xxx.43.xxx to {inside}
nat from xxx.xxx.42.xxx to {inside}
What I would like to know, is what would be the best way to "migrate" everything over.
1. We have a redundant internet feed, is this possible with vlans?
2. What is it called, where all the vlans route traffic to the single port (firewall)? interVLAN?
3. Is it possible to link our 2950 internal to their internal? and slowly move the connections over?
4. would I need their routing tables to set things up properly?
Any help would be appreciated!
PS: anyone from the Toronto area who's a Cisco expert that I can pick their brain for a day, $$$ of course, let me know.
Yes, it is possible to have a redundant internet feed, and it is possible with VLANs. All the VLANs route traffic to the single port (firewall)? That is inter-VLAN routing, and this inter-VLAN routing is the same as the normal one. It is possible to link your 2950 internal to their internal, but different network IPs and VLANs may be assigned.
-
I have a 6509 that I've set up with route-maps in order to route VLANs in different ways. For example, if we wanted some VLANs to get out to the internet we would route them to a certain address. Then there is another VLAN that we route to another internet gateway. It was all working pretty well until we swapped out another switch gateway in the network, and ever since, things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch then back in, even though my access-lists are set to deny the traffic. Here are the access-lists and route-maps:
access-list 10 permit 192.168.24.101
access-list 10 permit 192.168.24.102
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
access-list 104 permit tcp host 172.16.4.20 any eq www
ip access-list extended BITCENTRAL_INTERNET
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.1.170 any
permit ip host 172.16.1.150 any
ip access-list extended EDIT_BAYS
deny ip any 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.25.2 any
permit ip host 192.168.26.80 any
permit ip host 192.168.25.104 any
permit ip host 192.168.25.3 any
permit ip host 192.168.26.69 any
permit ip host 192.168.26.71 any
permit ip host 192.168.27.33 any
ip access-list extended ENPS
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.24.101 any
permit ip host 192.168.24.102 any
permit ip host 192.168.24.103 any
ip access-list extended ENTRIQ
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.8.0 0.0.0.255 any
ip access-list extended MISC
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.11.0 0.0.0.255 any
ip access-list extended Omneon
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip host 172.16.2.11 any
permit ip host 172.16.2.2 any
ip access-list extended ROSS-VLAN
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.4.20 any
permit ip host 172.16.4.32 any
permit ip host 172.16.4.31 any
permit ip host 172.16.4.29 any
permit ip host 172.16.4.30 any
permit ip host 172.16.4.28 any
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 172.16.1.1 255.255.255.0
ip policy route-map BITCENTRAL
interface Vlan20
ip address 172.16.2.1 255.255.255.0
ip policy route-map OMNEON
interface Vlan30
ip address 172.16.3.1 255.255.255.0
interface Vlan40
ip address 172.16.4.1 255.255.255.0
ip policy route-map ROSS-VLAN
interface Vlan50
ip address 172.16.5.1 255.255.255.0
interface Vlan60
ip address 172.16.6.1 255.255.255.0
interface Vlan70
ip address 172.16.7.1 255.255.255.0
interface Vlan80
ip address 172.16.8.1 255.255.255.0
ip policy route-map ENTRIQ
interface Vlan100
ip address 192.168.27.1 255.255.252.0
ip helper-address 192.168.7.255
ip policy route-map OMNIBUS-VLAN
interface Vlan110
ip address 172.16.11.1 255.255.255.0
ip helper-address 192.168.27.200
ip policy route-map MISC
interface Vlan120
ip address 172.16.10.1 255.255.255.240
ip policy route-map EDIT_BAYS
interface Vlan140
ip address 192.168.4.15 255.255.255.0
ip directed-broadcast 10
interface Vlan500
ip address 192.168.1.19 255.255.255.224
ip classless
ip route 172.22.0.0 255.255.255.248 192.168.4.1
ip route 192.168.0.0 255.255.255.224 192.168.4.254
ip route 192.168.5.0 255.255.255.0 192.168.4.1
route-map BITCENTRAL permit 60
match ip address BITCENTRAL_INTERNET
set ip next-hop 192.168.4.1
route-map EDIT_BAYS permit 50
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map ENTRIQ permit 80
match ip address ENTRIQ
set ip next-hop 172.16.8.254
route-map MISC permit 40
match ip address MISC
set ip next-hop 192.168.4.1
route-map MSN permit 10
match ip address 104
set ip next-hop 192.168.4.1
route-map OMNEON permit 20
match ip address Omneon
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 30
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 40
match ip address ENPS
set ip next-hop 192.168.4.1
route-map ROSS-VLAN permit 70
match ip address ROSS-VLAN
set ip next-hop 192.168.4.1
route-map SEC-VLAN permit 30
match ip address SEC-VLAN
set ip next-hop 192.168.4.1
Here is how we tested the system and found the error. We cut the connection to the 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the IP address 192.168.24.101 from the MISC VLAN with an IP address of 172.168.11.9 the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again. What in my route-map is causing this? I thought I set up the deny rules pretty well.
Hi Mike,
Between you and me, this is a lengthy config you have there.
Next, don't forget that a route-map doesn't apply to traffic originated by or destined to the device itself, unless you use ip local policy, which might work, but there I have seen some nasty bugs.
So if you can shorten your config to one example, then do the tests:
- sourced from device A (it can be the SVI of another switch)
- through your 6509
- destined to device B (it also can be the SVI of another switch, or even simpler some loopback interface). -
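The two ping directions in the thread above can be checked offline against the posted ACLs and route-maps. The Python script below is an added example written for this page, not the poster's configuration and not anything from Cisco IOS; it models how IOS evaluates an extended ACL (first match wins, implicit deny) and a route-map (clauses tried in sequence order, an ACL deny meaning "try the next clause"), and applies the MISC and OMNIBUS-VLAN policies exactly as posted. The host address 172.16.11.9 is an assumption (the post writes 172.168.11.9, which is outside the Vlan110 subnet 172.16.11.0/24), and the EDIT_BAYS host permits after the first are omitted because the first entry already decides any packet to 172.16.0.0/16.

```python
import ipaddress

# Added example for this page, not the poster's tool or Cisco's: a small model of how
# IOS evaluates the extended ACLs and PBR route-maps posted above, so both directions
# of the failing ping can be checked offline. Only 'permit|deny ip SRC DST' entries
# are supported, which is all the posted ACLs use.


def _wildcard_net(addr, wildcard):
    """IOS 'ADDR WILDCARD' -> ip_network (the wildcard is the inverted subnet mask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def _parse_addr(tok, i):
    """Parse one address spec at tok[i]: 'any', 'host A' or 'A WILDCARD'. Returns (net, next_i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return _wildcard_net(tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    """Turn 'permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        entries.append((tok[0], src, dst))
    return entries


def acl_permits(acl, src, dst):
    """First matching entry decides; an ACL with no matching entry denies (implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def policy_next_hop(route_map, acls, src, dst):
    """Walk the route-map's permit clauses by sequence number. A clause applies only if its
    ACL permits the packet; an ACL deny means 'try the next clause'. None = fall through
    to the normal routing table (no policy routing)."""
    for seq, acl_name, next_hop in sorted(route_map):
        if acl_permits(acls[acl_name], src, dst):
            return (seq, acl_name, next_hop)
    return None


# The three ACLs referenced by the MISC and OMNIBUS-VLAN route-maps, copied from the post.
# The remaining 'permit ip host ... any' lines of EDIT_BAYS are omitted: its first entry
# already decides every packet destined to 172.16.0.0/16.
ACLS = {name: parse_acl(text) for name, text in {
    "MISC": """
        deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
        deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
        deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
        deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
        deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
        permit ip 172.16.11.0 0.0.0.255 any""",
    "EDIT_BAYS": """
        deny ip any 172.16.0.0 0.0.255.255
        deny ip 172.16.0.0 0.0.255.255 any
        deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
        permit ip host 192.168.25.2 any""",
    "ENPS": """
        deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
        deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
        deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
        permit ip host 192.168.24.101 any
        permit ip host 192.168.24.102 any
        permit ip host 192.168.24.103 any""",
}.items()}

# Route-map clauses as (sequence, match ACL, set next-hop) and the SVI each map is applied to.
ROUTE_MAPS = {
    "MISC": [(40, "MISC", "192.168.4.1")],
    "OMNIBUS-VLAN": [(30, "EDIT_BAYS", "192.168.4.1"), (40, "ENPS", "192.168.4.1")],
}
SVI_POLICY = {"Vlan110": "MISC", "Vlan100": "OMNIBUS-VLAN"}


def decide(ingress_svi, src, dst):
    """PBR decision for a packet that enters the 6509 on ingress_svi."""
    return policy_next_hop(ROUTE_MAPS[SVI_POLICY[ingress_svi]], ACLS, src, dst)


if __name__ == "__main__":
    # 172.16.11.9 is assumed to be the MISC-VLAN host (the post writes 172.168.11.9,
    # which is not in the Vlan110 subnet 172.16.11.0/24).
    print("request:", decide("Vlan110", "172.16.11.9", "192.168.24.101"))
    print("reply  :", decide("Vlan100", "192.168.24.101", "172.16.11.9"))
```

Run as-is, the model reports that the echo request entering on Vlan110 is denied by the MISC ACL's third entry and therefore falls through to the normal routing table, while the echo reply entering on Vlan100 is permitted by ENPS in clause 40 of OMNIBUS-VLAN and policy-routed to 192.168.4.1: ENPS, unlike MISC, carries no deny for 192.168.24.0/22 to 172.16.0.0/16. That is consistent with the reply path depending on the 192.168.4.1 router being up. On the real switch, the per-clause "Policy routing matches" counters in `show route-map` confirm which clause a given flow is hitting.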
I have a CISCO SF 300-24, layer 2 switch. I have configured first 10 ports as VLAN 10, second 10 as VLAN 20 and rest as VLAN 30. There are three PCs on VLAN 10 and three on VLAN 20. I want one PC on VLAN 10 (IP: 193.156.26.111 mask: 255.255.255.0) to be able to communicate with one on VLAN 20, so I added the IP of the PC on VLAN 20 to access list with following settings:
ACL name: ACL1
priority: 1
action: permit
protocol: Any (IP)
source address: User defined
source IP address value: 193.156.26.111
source wild card mask: 0.0.0.0
Destination IP address: Any
Type of service: Any
Then I bound this ACL to the interface of the PC on VLAN 10 with following settings:
permit any: Enable
But still I cannot ping one PC from another. What else do I need to do to make them both communicate with each other?
Hi Amna, the VLANs will not communicate with each other on the switch in layer 2 mode. This will require layer 3 mode on the switch OR whatever connects to the switch to route the VLANs for you.
-
Two quick VLAN routing questions
lets say I have a L3 switch routing 4 VLANs
VLAN 1 is 192.168.10.0/24, the switch's virtual interface is 192.168.10.254 inside this vlan
VLAN 2 is 192.168.20.0/24, the switch's virtual interface is 192.168.20.254 inside this vlan
VLAN 3 is 192.168.30.0/24, the switch's virtual interface is 192.168.30.254 inside this vlan
VLAN 4 is 192.168.40.0/24, the switch's virtual interface is 192.168.40.254 inside this vlan
there is only one router going out from this switch to the net, and lets say it is in VLAN 1 and it's address is 192.168.10.1
first question-- inside of the L3 switch I will need to add a default route of 0.0.0.0 0.0.0.0 192.168.10.1
so that all traffic not corresponding to a 192.168.x.x address knows where to get out to the net, correct?
secondly- when configuring that router, is there a difference if I use the following static route:
192.168.20.0 255.255.255.0 192.168.10.254
instead of
192.168.20.0 255.255.255.0 192.168.20.254
either way, the packet gets to the L3 switch, but in one case it gets there via the VLAN interface inside of VLAN 1, and in the other case, it gets there via the VLAN interface inside of the VLAN for which the traffic is destined anyway. what im trying to figure out is, will this make any difference at all? especially in terms of broadcast packets?
if it makes no difference, then is it safe to say that the following static route would be optimal?
192.168.0.0 255.255.0.0 192.168.10.254
Re "firstly": Correct. The L3 switch will route traffic according to its routing table. By default it knows all IP subnets to which it is directly connected, i.e. all the VLAN subnets. Whether you have to add a default route manually or not depends on the exact implementation. It may well be that the L3 switch will use the default gateway for routing which you configure in the IP settings of the switch itself (if there is an option in the web interface to set a default gateway). If you cannot define a default gateway on the L3 switch you probably have to add a static route manually. The easiest way should be to check the current routing table and see if there is a default gateway or not.
Re "secondly": A router can only forward packets to the next-hop router. The next-hop router must be connected to that router. The route "192.168.20.0 255.255.255.0 192.168.10.254" is correct for a router with IP address 192.168.10.1 and subnet mask 255.255.255.0, as 192.168.10.254 is connected to the router. "192.168.20.0 255.255.255.0 192.168.20.254" is not correct. The router cannot learn the path to a specific subnet 192.168.20.0/255.255.255.0 by using a gateway in that subnet. It is not correct to use that kind of route and you should not use it even if it might work (because the router does a plain ARP request to find the MAC address of 192.168.20.254 and your L3 switch will respond to the ARP request even if it is on the interface of 192.168.10.254). The very moment there would be another router between the 10 and 20 subnets it would not work anymore...
Re your conclusion: I would recommend keeping four static routes for the existing subnets on the L3 switch instead of putting everything into a larger single subnet which includes a lot of addresses which are not connected there. Technically it works if you only use working IP addresses. But you will see some loops if you send something to 192.168.55.50 or similar. The gateway router will send it to the L3 switch which will send it back to the gateway. They should figure out it's a loop, but still I would not recommend this kind of setup... Add routes for each of the L3 switch subnets... -
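Both questions in the thread above (and the /30 routed link in the first thread on this page) come down to two checks: a static route's next hop must sit on a subnet the device is directly connected to, and a summary route must not hand traffic to a device whose only remaining match is a default route pointing back. The Python below is an added example written for this page, not code from any of the posts; it models the four-VLAN L3 switch and the gateway router with the addresses given above, validates next hops, and traces a packet hop by hop. The router's upstream next hop 203.0.113.1 is a constructed placeholder for the ISP side, which the thread never names, and the model does longest-prefix matching only (no ARP, no ICMP).

```python
import ipaddress

# Added example for this page: a minimal forwarding model to sanity-check static routes.
# Addresses are the ones from the four-VLAN thread above; 203.0.113.1 is a constructed
# placeholder for the ISP next hop (not from the thread).


class Device:
    """Connected subnets plus static routes; enough to check next hops and do a lookup."""

    def __init__(self, name, connected, routes):
        self.name = name
        self.connected = [ipaddress.ip_network(c, strict=False) for c in connected]
        # routes: (prefix, next_hop) strings, e.g. ("0.0.0.0/0", "192.168.10.1")
        self.routes = [(ipaddress.ip_network(p, strict=False), ipaddress.ip_address(nh))
                       for p, nh in routes]

    def is_connected(self, addr):
        return any(addr in c for c in self.connected)

    def check_routes(self):
        """One message per static route whose next hop is not on a directly connected subnet."""
        return [f"{self.name}: next hop {nh} for {p} is not on a directly connected subnet"
                for p, nh in self.routes if not self.is_connected(nh)]

    def lookup(self, dst):
        """Longest-prefix match: ('connected', None), ('via', next_hop) or ('none', None)."""
        dst = ipaddress.ip_address(dst)
        if self.is_connected(dst):
            return ("connected", None)
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            return ("none", None)
        _, nh = max(matches, key=lambda r: r[0].prefixlen)
        return ("via", nh)


def trace(devices, owners, start, dst, max_hops=8):
    """Follow a packet for dst from device `start`.

    owners maps a next-hop address (string) to the name of the device owning it; a next
    hop not in owners is treated as leaving the modelled network (e.g. towards the ISP).
    Returns (list of device names visited, outcome string).
    """
    path = [start]
    for _ in range(max_hops):
        kind, nh = devices[path[-1]].lookup(dst)
        if kind == "connected":
            return path, "delivered"
        if kind == "none":
            return path, "dropped: no route"
        nxt = owners.get(str(nh))
        if nxt is None:
            return path, f"exits via {nh}"
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
    return path, "hop limit exceeded"


def build_scenario(summary_route):
    """Four VLANs on the L3 switch (SVIs at x.254) and the gateway router at 192.168.10.1.

    summary_route=True installs the single 192.168.0.0/16 route asked about above on the
    router; False installs one /24 route per VLAN. Returns (devices, owners).
    """
    switch = Device("switch",
                    ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24"],
                    [("0.0.0.0/0", "192.168.10.1")])
    if summary_route:
        lan_routes = [("192.168.0.0/16", "192.168.10.254")]
    else:
        lan_routes = [(f"192.168.{v}.0/24", "192.168.10.254") for v in (20, 30, 40)]
    # 203.0.113.1 = constructed ISP-side next hop
    router = Device("router", ["192.168.10.0/24"], lan_routes + [("0.0.0.0/0", "203.0.113.1")])
    devices = {"switch": switch, "router": router}
    owners = {"192.168.10.1": "router", "192.168.10.254": "switch"}
    return devices, owners


if __name__ == "__main__":
    # The second static route from the question: next hop inside VLAN 2 itself.
    bad = Device("router", ["192.168.10.0/24"], [("192.168.20.0/24", "192.168.20.254")])
    print(bad.check_routes())
    for summary in (True, False):
        devices, owners = build_scenario(summary)
        label = "summary /16" if summary else "per-VLAN /24"
        print(label, trace(devices, owners, "router", "192.168.20.5"))
        print(label, trace(devices, owners, "router", "192.168.55.50"))
```

With the single 192.168.0.0/16 route, the trace for 192.168.55.50 visits router, switch, router and stops with "loop", because the switch's only match for that address is its default route back to 192.168.10.1; with one /24 per VLAN the same packet leaves via the router's default route instead, and a real VLAN address is delivered in both cases. The route 192.168.20.0/24 via 192.168.20.254 is flagged by check_routes because 192.168.20.254 is not on the router's only connected subnet, 192.168.10.0/24.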
Inter VLAN Routing for IEC 61850
Hello,
Hoping someone can help me with this query. I'm in the process of configuring two CGS2520 switches located in two electrical substations. Each of these switches have Protection Relays and Remote Terminal Units (RTUs) connected to them. These devices communicate with each other as follows:
IEC 61850 GOOSE: http://en.wikipedia.org/wiki/Generic_Substation_Events
IEC 61850 MMS: http://en.wikipedia.org/wiki/IEC_61850
- Protection Relay to Protection Relay communication within either substation (Using IEC 61850 GOOSE - VLAN 11 and VLAN 21)
- Protection Relay to Protection Relay communication between substations (Using IEC 61850 GOOSE - VLAN 50)
- RTU to Protection Relay (Using IEC 61850 MMS - VLAN 10 and VLAN 20)
I've attached an image (hope that clears things up). Basically the GOOSE traffic is VLAN tagged and the MMS traffic is untagged.
I need to be able to route between VLAN 10 and VLAN 20 between the substations and I want to allow VLAN 50 between the substations. How do I go about configuring this?
So far I've configured the interfaces as follows:
Switch A2:
Fa0/5 and Fa0/7 (Protection Relay Ports)
port type nni
switchport trunk native vlan 10
switchport trunk allowed vlan 11,50
switchport mode trunk
Fa0/3 (RTU Port)
port type nni
switchport access vlan 10
Switch B1:
Fa0/4 and Fa0/5 (Protection Relay Ports)
port type nni
switchport trunk native vlan 20
switchport trunk allowed vlan 21,50
switchport mode trunk
Fa0/3 (RTU Port)
port type nni
switchport access vlan 20
Locally at each substation this seems to work (I can ping the Protection Relays from the RTU port, and the Protection Relays send each other GOOSE messages). However, I don't know how to configure the inter-VLAN routing (I want to be able to ping a Protection Relay at Substation B from the RTU port at Substation A), or how to configure the switch interfaces that connect to each other.
Any help is much appreciated.
Thanks
Darsh
Hello DarshanaD,
Could you fix this? I'm asking because I have the same problem right now.
I'd appreciate it if you could tell me how you configured the inter-VLAN routing.
Thanks
Ali -
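Added Python example, not from the thread or the switch vendor, showing why the two traffic types in the post above need different treatment: GOOSE is a pure Layer 2 protocol (EtherType 0x88B8, no IP header), so it can only be bridged within its VLAN, while MMS rides on IPv4 and can be routed between VLAN 10 and VLAN 20. The frame parser honours the 802.1Q tag and falls back to the trunk's native VLAN for untagged frames; the GOOSE multicast MAC and payload bytes are constructed placeholders.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q tag present
ETH_GOOSE = 0x88B8    # IEC 61850-8-1 GOOSE (Layer 2 only, no IP header)
ETH_IPV4 = 0x0800     # MMS runs over TCP/IP

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields, honouring an 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Assemble a frame; vlan=None produces an untagged frame."""
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def ingress_vlan(frame, native_vlan):
    """VLAN a trunk port assigns: the tag if present, else the native VLAN."""
    vlan = parse_frame(frame)["vlan"]
    return native_vlan if vlan is None else vlan

def forwarding_class(frame, native_vlan):
    """How a switch must treat the frame: GOOSE can only be bridged inside its
    VLAN; IPv4 (MMS) can be routed between VLANs by an SVI with an IP address."""
    info = parse_frame(frame)
    vlan = ingress_vlan(frame, native_vlan)
    if info["ethertype"] == ETH_GOOSE:
        return ("bridge", vlan)
    if info["ethertype"] == ETH_IPV4:
        return ("route", vlan)
    return ("other", vlan)

# Constructed sample frames as they would arrive on Switch A2 Fa0/5 (native
# VLAN 10): a GOOSE frame tagged VLAN 50 with priority 4, and untagged MMS.
GOOSE_MCAST = bytes.fromhex("010ccd010001")      # placeholder GOOSE group MAC
RELAY_A = bytes.fromhex("0011aa000001")          # placeholder relay MAC
GOOSE_FRAME = build_frame(GOOSE_MCAST, RELAY_A, ETH_GOOSE, b"\x61\x00", vlan=50, pcp=4)
MMS_FRAME = build_frame(bytes.fromhex("0011aa000099"), RELAY_A, ETH_IPV4, b"\x45\x00")
```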
Inter-VLAN routing, Auto-Voice VLAN and IP Address-Helper
Hope that somebody can help me with the setup in the screenshot.
Planning to use Auto-Voice VLAN and Smartports to configure VOIP
LLDP-MED will be enabled on the switch to detect the IP phones so they will be moved to the Voice VLAN (if not, the first 6 signs will be added to the OID table). The Voice VLAN ID will be 2 >> Voice VLAN will be automatically enabled once a device is recognized as an IP phone, right?
Workstations will be connected to the Cisco switch; VLAN data will be untagged and will remain on the native VLAN.
Smartports will be used to configure the ports (macros) >> Should configure the ports as trunks and assign the correct VLANs, right?
But how do I configure the IP Helper-Address? Do I have to create the Voice VLAN on both switches and then run the command "IP Helper Address" to specify a DHCP server? From what I've been reading it's required, when using Inter-VLAN routing, to configure the VLAN interface with an IP address. But isn't it going to give problems when both switches are connected to each other and both have the same VLAN configured, including the same IP address assigned to their VLAN interface?
Normal data should pass the ASA firewall; VOIP traffic should go through the Vigor modem to a hosted VOIP provider. The best way, I assume, is to configure 2 separate scopes on the DHCP server?
Still confused on how to set it up, hope that someone can point me in the right direction.
If you're sending voice to only the Vigor modem then there is no need for a trunk between the SF-300 and the Vigor modem. You can just set that to an untagged packet for VLAN 2 between that switch and the Vigor modem.
On the 'edge' SF300 where the IP phone/PC is it is obviously going to interoute there and of course the phone port is tagged and PC port is untagged.
For the IP helper, it uses UDP-RELAY and it should be enabled on the port itself and enabled on the global configuration. You may also need option 82. Also keep in mind, depending how your DHCP server works, it may need option 82 configured as well or at least a route to understand the subnets in the layer 3 environment to get traffic across the VLANS.