Configuring InterVLAN Routing on a Layer 3 Switch and providing DHCP to multiple subnets Part 2

In part 2 of this topic, I will show how to configure the Switch Virtual Interfaces and IP Helper addresses on the Cisco 3750G EMI:

L3Switch(config)#interface vlan 20
L3Switch(config-if)#ip address 10.0.2.1 255.255.255.0 (Configure IP Address on the vlan 20 interface)
L3Switch(config-if)#exit

It is not necessary to specify an IP Helper address for the Interface vlan 20, because the DHCP server is in the same subnet as this vlan.

L3Switch(config)#interface vlan 30
L3Switch(config-if)#ip address 10.0.3.1 255.255.255.0 (Configure IP Address on the vlan 30 interface)
L3Switch(config-if)#ip helper-address 10.0.2.14 (Configures DHCP IP Helper address for devices on vlan 30 subnet)
L3Switch(config-if)#exit

L3Switch(config)#interface vlan 40
L3Switch(config-if)#ip address 10.0.4.1 255.255.255.0 (Configure IP Address on the vlan 40 interface)
L3Switch(config-if)#ip helper-address 10.0.2.14 (Configures DHCP IP Helper address for devices on vlan 40 subnet)
L3Switch(config-if)#exit

The IP Helper address configured on a vlan interface makes the switch forward the DHCP broadcasts it receives from that subnet as unicast packets to the specified DHCP server IP address. Without going into details in this post, the DHCP scope for each subnet should already have been created on the Microsoft DHCP server, as shown below:

[Screenshot Capture1: DHCP scopes for each subnet on the Microsoft DHCP server]

A number of Microsoft documents instruct you to create the scope for each subnet within a superscope. In my experience, that is not necessary.
The Switch Virtual Interfaces will serve as the gateway for the hosts and devices in each subnet. In the Scope Options for each subnet on the DHCP server, the Router option (code 003) is set to the SVI IP address. The scope options configuration for vlan 30 is shown in the screenshot:

[Screenshot Capture2: scope options for vlan 30, Router option 003 set to the SVI IP address]
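The relay and scope-selection behaviour described above, as an added example that is not part of the original post: a small Python model of how the IP helper on each SVI turns a DHCP broadcast into a unicast to 10.0.2.14 with giaddr set to the SVI address, how the server then picks the scope from giaddr, and why the helper line is omitted on vlan 20. The VLAN and address values are the post's; the scope table, the message dictionary and all function names are assumptions of this example, not real DHCP packets or IOS internals.

```python
import ipaddress

# Values from the post: the SVI of each VLAN and the Microsoft DHCP server.
DHCP_SERVER = ipaddress.ip_address("10.0.2.14")
SVIS = {20: "10.0.2.1/24", 30: "10.0.3.1/24", 40: "10.0.4.1/24"}
# Constructed scope table: one scope per subnet, as created on the DHCP server.
SCOPES = {"vlan20": "10.0.2.0/24", "vlan30": "10.0.3.0/24", "vlan40": "10.0.4.0/24"}

def needs_helper(vlan):
    """A helper is only needed when the DHCP server is off the SVI's subnet."""
    return DHCP_SERVER not in ipaddress.ip_interface(SVIS[vlan]).network

def svi_config(vlan):
    """Render the IOS lines for one SVI; the helper line only where required."""
    svi = ipaddress.ip_interface(SVIS[vlan])
    lines = [f"interface vlan {vlan}", f" ip address {svi.ip} {svi.network.netmask}"]
    if needs_helper(vlan):
        lines.append(f" ip helper-address {DHCP_SERVER}")
    return lines

def relay(discover, vlan):
    """Relay-agent side: a DHCP broadcast received on VLAN `vlan` is forwarded
    as unicast to the helper with giaddr set to that VLAN's SVI address.
    On the DHCP server's own VLAN the broadcast reaches the server directly."""
    if not needs_helper(vlan):
        return dict(discover, dst="255.255.255.255")
    svi = ipaddress.ip_interface(SVIS[vlan])
    return dict(discover, dst=str(DHCP_SERVER), giaddr=str(svi.ip))

def select_scope(msg):
    """Server side: the scope is chosen by giaddr (the relaying SVI), or by the
    server's own subnet when giaddr is 0.0.0.0 (request was not relayed)."""
    giaddr = msg.get("giaddr", "0.0.0.0")
    key = DHCP_SERVER if giaddr == "0.0.0.0" else ipaddress.ip_address(giaddr)
    for name, cidr in SCOPES.items():
        if key in ipaddress.ip_network(cidr):
            return name
    return None  # no scope for this subnet: the server cannot offer a lease

def router_option(vlan):
    """Option 003 (Router) of a scope must be that subnet's SVI address."""
    return str(ipaddress.ip_interface(SVIS[vlan]).ip)

if __name__ == "__main__":
    discover = {"op": "DISCOVER", "chaddr": "00:11:22:33:44:55", "giaddr": "0.0.0.0"}  # constructed
    for vlan in SVIS:
        print("\n".join(svi_config(vlan)))
        scope = select_scope(relay(discover, vlan))
        print(f"  -> served from scope {scope}; option 003 = {router_option(vlan)}")
```

A request relayed from a VLAN whose subnet has no scope returns None, which is the "clients get no address" symptom a missing scope produces.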

The next lines configure two switchports on the C3750G as trunk ports between this switch and the C2960 access switches:

L3Switch(config)#interface GigabitEthernet1/0/1
L3Switch(config-if)#description Connection to Accounting Switch
L3Switch(config-if)#switchport trunk encapsulation dot1q
L3Switch(config-if)#switchport mode trunk

L3Switch(config)#interface GigabitEthernet1/0/2
L3Switch(config-if)#description Connection to HR Switch
L3Switch(config-if)#switchport trunk encapsulation dot1q
L3Switch(config-if)#switchport mode trunk

In the next post, I will show my config for the access switches directly connected to the end-user devices.


13 Responses to Configuring InterVLAN Routing on a Layer 3 Switch and providing DHCP to multiple subnets Part 2

  1. chan says:

    What if I want to route between the 192.168.1.0 and 10.1.1.0 subnets on the 3750G running the IP Services image?
    Both subnets have their own firewall for external client PC access?
    Would I need to amend the current:
    ip default-gateway 192.168.1.10
    ip route 0.0.0.0 0.0.0.0 192.168.1.10

    or is it better to add a route on both firewalls to show how to reach the other subnet via the 3750G SVI?

    thanks!

  2. jbernec says:

    Hello Chan,
    Thank you for the comment. In response to your question, your current setup might work, but this is what I propose, considering you did not provide more details:
    1) Configure SVIs on the C3750G for each subnet.
    2) Let these SVI IP Addresses be the gateway for clients in each subnet. The Layer 3 switch will route between each subnet since they are directly connected networks.
    3) As best practice, internal subnet/vlan routing should be configured on your Layer 3 switch C3750G or router.
    4) Since you want two different firewalls for internet access for each subnet, I suggest configuring Policy Based Routing on your Layer 3 switch C3750G. I have a post on Policy Based Routing and the steps are pretty straightforward. It will enable you to route internet traffic to a specific firewall depending on the source subnet. The C3750 IP Services switch supports Policy Based Routing.
    5) You should still configure your subnets routing on the Firewalls, but this should be mainly for any services and NAT hosted on your internal network.

    I hope this makes sense and helps point you in the right direction for your design. Thanks again.

  3. Hi,
    1. I have my default vlan500 where all my clients go out to the internet via gateway 172.19.96.10
    2. I have a group of people joining us today and I have created new VLAN601 as well as INTERFACE VLAN601 with IP 192.19.96.20.1/24. I also created a DHCP server on this INTERFACE VLAN601 with all the parameters (GA-192.168.20.1, subnet 255.255.255.0, DNS and etc).
    3. IP routing is enabled on my L3-3750G.
    4. I have 2 units of 2960 in different locations and have created one port on each switch and made it a member of vlan601.
    5. The trunk has been able to carry the traffic between the two L2-2960 and the L3-3750. Proof of this is that when I connect a laptop to each of the ports on the L2-2960, the two laptops get IP addresses from the DHCP server configured on INTERFACE VLAN601 and they can also ping each other.
    6. Since default vlan500 is going out to the internet via 172.19.96.10 (within vlan500), can you tell me why I cannot connect to the internet from the network in vlan601?

    Help please.

  4. Sorry to add.
    7. I cannot ping any devices from computer/pc from vlan601.

  5. jbernec says:

    Hello Ulderico,
    Here are a few quick thoughts:
    1) Check that Vlan 500 and its subnet are directly connected to your Layer 3 switch or configured on your Layer 3 switch. Make sure the Vlan 601 subnet has a route to the Vlan 500 subnet on your Layer 3 switch if not directly connected. You did not mention how your Vlan 500 subnet connects to your Layer 3 switch.
    2) As you correctly indicated, the gateway for the Vlan 601 subnet should be the interface Vlan 601 Switch Virtual Interface (192.19.96.20.1/24). Make sure you also have a default route set on your Layer 3 switch to the internet. It should look like: ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is your next hop address to the internet).
    3) Is the Vlan 500 Gateway IP, 172.19.96.10, the Switch Virtual Interface for the Vlan 500 subnet? If not, if it's your gateway/firewall to the internet, then you should configure that IP as your default route as indicated in point 2 above.

    I hope this helps point you in the right direction as I don't have enough information. Good luck.

  6. Thanks mate for your explanation.
    1. Yes, vlan 500 is also a VSI on the L3 and vlan 601 is also a VSI on the same L3 3750G.
    Now to route the vlan 601 with vlan500? Please see the 'sh ip route' on the L3 below.
    3. The vlan 500 gateway IP 172.19.96.10 is configured on a proprietary Firewall/router (MSS-II) by an external company.

    I just wanted vlan 601 and 500 to communicate with each other and use 172.19.96.10 to get to the internet.

    Do you have an email that I can contact?

    Thanks

    ++++++++++ sh ip route ++++++++++++
    Gateway of last resort is not set

    10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C 10.10.10.0/24 is directly connected, Vlan350
    L 10.10.10.1/32 is directly connected, Vlan350
    C 10.10.20.0/24 is directly connected, Vlan666
    L 10.10.20.1/32 is directly connected, Vlan666
    172.19.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C 172.19.96.0/24 is directly connected, Vlan500
    L 172.19.96.99/32 is directly connected, Vlan500
    C 172.19.99.0/24 is directly connected, Vlan555
    L 172.19.99.200/32 is directly connected, Vlan555
    192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.20.0/24 is directly connected, Vlan601
    L 192.168.20.1/32 is directly connected, Vlan601

    ++++++++++

    ++++++++ vlan interface ++++++++

    interface GigabitEthernet1/1/4
    !
    interface TenGigabitEthernet1/1/1
    !
    interface TenGigabitEthernet1/1/2
    !
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan350
    ip address 10.10.10.1 255.255.255.0
    ip helper-address 172.19.96.9
    !
    interface Vlan500
    ip address 172.19.96.99 255.255.255.0
    ip helper-address 172.19.96.22
    !
    interface Vlan555
    ip address 172.19.99.200 255.255.255.0
    !
    interface Vlan601
    ip address 192.168.20.1 255.255.255.0
    ip helper-address 172.19.96.22
    !
    interface Vlan666
    ip address 10.10.20.1 255.255.255.0
    !
    ip default-gateway 172.19.99.10
    ip forward-protocol udp 12223
    ip forward-protocol udp 5246
    ip http server
    ip http secure-server
    !
    ip route 192.168.20.0 255.255.255.0 172.19.96.0

    ++++++++++++++++++++++++++++

  7. jbernec says:

    Hello,
    Your ip route config doesn't seem right to me though. I think you should have a default route of: ip route 0.0.0.0 0.0.0.0 172.19.96.10.

  8. I have done that before but it does not work.
    ip route 0.0.0.0 0.0.0.0 172.19.96.10
    That is why I requested help. If you want more information, please let me know.

  9. Ak says:

    where is the configuration of access switches

  10. stoneditch says:

    Hello,

    I hope you don’t mind me asking you the question below. I have been through your post above, and part 1 too.

    We have a Cisco WS-C3750G-24WS-S50 (Switch with integrated WLC) which is currently our core and Wireless controller. There are a number of interfaces defined on it...
    ap-manager (vlan 50), 192.168.20.252
    management (vlan 50), 192.168.20.253
    staff-wifi (vlan 10), 10.1.2.253
    byod-wifi (vlan 90), 192.168.27.253

    and a couple of WLANS…
    staff-wifi which uses the staff-wifi (vlan 10 interface) and byod-wifi which uses the byod (vlan 90 interface)
    There is an MS AD integrated DHCP server serving scopes for vlan 10 and 90. Right now I have Wifi devices connected to vlan 10 (staff-wifi) and they happily pick up an IP address and are able to get to our transparent bridge to get to the internet, 10.0.0.253. Also I have devices on the byod vlan which are able to pick up an address from their DHCP pool but they are unable to get to the internet. They can ping servers/printers on the local network and can also ping a mail GW (10.0.0.11), but they can't ping 10.0.0.253. Why?

    There is a gateway of last resort configured on the core ip route 0.0.0.0 0.0.0.0 10.0.0.254 10 (10.0.0.254 is our FW)

    !
    interface Vlan10
    description Main-network
    ip address 10.100.254.254 255.0.0.0
    !
    interface Vlan90
    description byod-wifi
    ip address 192.168.27.254 255.255.252.0
    !

    Essentially, if I have a machine on vlan 10 it works fine; if I put a machine on vlan 90 it's able to get a DHCP address from 10.254.254.1 but is unable to ping 10.0.0.253 and therefore get to the outside world?

    I’m sure that this is something simple. I guess that I have been looking at it for too long. Happy to supply some more info if you need it.

    Thank you

  11. jbernec says:

    Hello Stoneditch,
    Thanks for stopping by. Please check to make sure you have the route back to the byod-wifi subnet set on the firewall (.254) or the 10.0.0.253 device. It seems you have the .254 and .253 mixed up, or maybe it's just me. But I would start there.
