Configuring InterVLAN Routing on a Layer 3 Switch and providing DHCP to multiple subnets Part 2

In part 2 of this topic, I will show how to configure the Switch Virtual Interfaces and IP Helper addresses on the Cisco 3750G EMI:

L3Switch(config)#interface vlan 20
L3Switch(config-if)# ip address (Configure IP Address on the vlan 20 interface)
L3Switch(config-if)# exit

It is not necessary to specify an IP Helper address for the Interface vlan 20, because the DHCP server is in the same subnet as this vlan.

L3Switch(config)#interface vlan 30
L3Switch(config-if)# ip address (Configure IP Address on the vlan 30 interface)
L3Switch(config-if)# ip helper-address (Configures DHCP IP Helper address for devices on vlan 30 subnet)
L3Switch(config-if)# exit

L3Switch(config)#interface vlan 40
L3Switch(config-if)# ip address (Configure IP Address on the vlan 40 interface)
L3Switch(config-if)# ip helper-address (Configures DHCP IP Helper address for devices on vlan 40 subnet)
L3Switch(config-if)# exit

The IP helper address configured on the VLAN interfaces directs DHCP request packets to the specified DHCP server IP address. Without going into details in this post, the DHCP scope for each subnet should have been created on the Microsoft DHCP server as shown below:


A number of Microsoft documents instruct you to create the scope for each subnet within a superscope. In my experience, that is not necessary.
The Switch Virtual Interfaces will serve as the gateway for the hosts/devices in each subnet. In the Scope Options for each subnet on the DHCP server, the Router option (code 003) will be configured with the SVI IP address. Scope options configuration for vlan 30 is shown in the screenshot.
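
The relay behaviour described above, as an added example that is not part of the original post: a client broadcast arriving on the vlan 30 SVI gets the SVI address written into the giaddr field and is unicast to the helper address, and the server picks the scope from giaddr. All addresses, scope names and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed lab addressing; the post's real addresses are not reproduced here.
SVI_VLAN30 = ipaddress.ip_address("10.0.30.1")    # assumed SVI on interface vlan 30
DHCP_SERVER = ipaddress.ip_address("10.0.20.10")  # assumed ip helper-address target
SCOPES = {                                        # assumed scopes on the DHCP server
    ipaddress.ip_network("10.0.20.0/24"): "vlan20",
    ipaddress.ip_network("10.0.30.0/24"): "vlan30",
    ipaddress.ip_network("10.0.40.0/24"): "vlan40",
}
GIADDR = slice(24, 28)  # offset of the relay agent address in the BOOTP header

def build_discover(xid, mac):
    """Client broadcast: BOOTREQUEST with hops=0 and giaddr=0.0.0.0."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4), mac)
    # sname + file (192 zero bytes), magic cookie, option 53 = DISCOVER, end
    return hdr + bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"

def relay(pkt, ingress_svi, helper, max_hops=4):
    """What the SVI does with the broadcast when ip helper-address is set."""
    if pkt[0] != 1 or pkt[3] > max_hops:
        return None                      # not a BOOTREQUEST, or hop limit exceeded
    out = bytearray(pkt)
    out[3] += 1                          # count this relay hop
    if out[GIADDR] == bytes(4):          # only the first relay stamps giaddr
        out[GIADDR] = ingress_svi.packed
    return str(helper), bytes(out)       # unicast to the DHCP server

def select_scope(pkt, received_on):
    """Server side: giaddr picks the scope; if it is zero, the receiving interface does."""
    giaddr = ipaddress.ip_address(bytes(pkt[GIADDR]))
    key = giaddr if int(giaddr) else received_on
    for net, name in SCOPES.items():
        if key in net:
            return name
    return None                          # no scope for that subnet: no offer is sent

if __name__ == "__main__":
    discover = build_discover(0x1234, bytes.fromhex("020000000030"))
    dst, relayed = relay(discover, SVI_VLAN30, DHCP_SERVER)
    print(dst, select_scope(relayed, DHCP_SERVER))   # relayed from vlan 30
    print(select_scope(discover, DHCP_SERVER))       # heard directly in vlan 20
```

The second call shows why vlan 20 needs no helper: the server hears the broadcast itself, giaddr stays zero, and the scope is chosen from the server's own interface subnet.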


The next lines configure two switchports on the C3750G as trunk ports between this switch and the C2960 access switches:

L3Switch(config)#interface GigabitEthernet1/0/1
L3Switch(config-if)#description Connection to Accounting Switch .
L3Switch(config-if)#switchport trunk encapsulation dot1q
L3Switch(config-if)#switchport mode trunk

L3Switch(config)#interface GigabitEthernet1/0/2
L3Switch(config-if)#description Connection to HR Switch .
L3Switch(config-if)#switchport trunk encapsulation dot1q
L3Switch(config-if)#switchport mode trunk

In the next post, I will show my config for the access switches directly connected to the end-user devices.


13 Responses to Configuring InterVLAN Routing on a Layer 3 Switch and providing DHCP to multiple subnets Part 2

  1. chan says:

    what if i want to route between the and subnet on the 3750g running ip services image?
    both subnets have their own firewall for external client pc access?
    would i need to amend the current:
    ip default-gateway
    ip route

    or is it better to add a route on both firewalls to show how to reach the other subnet via the 3750g SVI.


  2. jbernec says:

    Hello Chan,
    Thank you for the comment. In response to your question, your current setup might work, but this is what I propose considering you did not provide more details:
    1) Configure SVIs on the C3750G for each subnet.
    2) Let these SVI IP Addresses be the gateway for clients in each subnet. The Layer 3 switch will route between each subnet since they are directly connected networks.
    3) As best practice, internal subnet/vlan routing should be configured on your Layer 3 switch C3750G or router.
    4) Since you want two different firewalls for internet access for each subnet, I suggest configuring Policy Based routing on your Layer 3 switch C3750G. I have a post on Policy Based Routing and the steps are pretty straightforward. It will enable you to route internet traffic to a specific firewall depending on the source subnet. The C3750 IP Services switch supports Policy Based Routing.
    5) You should still configure your subnets routing on the Firewalls, but this should be mainly for any services and NAT hosted on your internal network.

    I hope this makes sense and helps point you in the right direction for your design. Thanks again.

  3. hi,
    1. I have my default vlan500 where all my clients going out to internet via gateway
    2. I have a group of people joining us today and I have created new VLAN601 as well as INTERFACE VLAN601 with IP I also create DHCP server on this INTERFACE VLAN601 with all the parameters (GA-, subnet DNS and etc).
    3. IP routing is enabled on my L3-3750G.
    4. I have 2 units of 2960 in different locations and have created one port on each switch and made it a member of vlan601.
    5. Trunk has been able to carry the traffic between the two L2-2960 and L3-3750. Proof of this is that when I connect a laptop to each of the ports on L2-2960, the two laptops get IP addresses from the DHCP server configured on INTERFACE VLAN601 and also they can ping each other.
    6. Since default vlan500 is going out to internet via (within vlan500), can you tell me why I can not connect internet from network in vlan601?

    Help please.

  4. sorry to add.
    7. I cannot ping any devices from computer/pc from vlan601.

  5. jbernec says:

    Hello Ulderico,
    Here are a few quick thoughts:
    1) Check that Vlan 500 and its subnet are directly connected to your Layer 3 switch or configured on your Layer 3 switch. Make sure Vlan 601 subnet has a route to Vlan 500 subnet on your Layer 3 switch if not directly connected. You did not mention how your Vlan 500 subnet connects to your Layer 3 switch.
    2) As you correctly indicated, the gateway for the Vlan 601 subnet should be the interface Vlan 601 Switch Virtual Interface( Make sure you also have a default route set on your Layer 3 switch to the internet. It should look like: ip route x.x.x.x (where x.x.x.x is your next hop address to the internet).
    3) Is the Vlan 500 Gateway IP:, the Switch Virtual Interface for the Vlan 500 subnet ? If not, if it’s your gateway/firewall to the internet, then you should configure that IP as your default route as indicated in point 2 above.

    I hope this helps point you in the right direction as I don’t have enough information. Good luck.

  6. thanks mate for your explanation.
    1. Yes, vlan 500 is also VSI on L3 and vlan 601 is also VSI on the same L3 3750G.
    Now to route the vlan 601 with vlan500? please see the ‘ sh ip route’ on L3 below.
    3. vlan 500 gateway IP is configured on proprietary Firewall/router (MSS-II) by external company.

    I just wanted the vlan 601 and 500 to communicate each other and using to get to internet.

    do you have email that I can contact?


    ++++++++++ sh ip route ++++++++++++
    Gateway of last resort is not set is variably subnetted, 4 subnets, 2 masks
    C is directly connected, Vlan350
    L is directly connected, Vlan350
    C is directly connected, Vlan666
    L is directly connected, Vlan666 is variably subnetted, 4 subnets, 2 masks
    C is directly connected, Vlan500
    L is directly connected, Vlan500
    C is directly connected, Vlan555
    L is directly connected, Vlan555 is variably subnetted, 2 subnets, 2 masks
    C is directly connected, Vlan601
    L is directly connected, Vlan601


    ++++++++ vlan interface ++++++++

    interface GigabitEthernet1/1/4
    interface TenGigabitEthernet1/1/1
    interface TenGigabitEthernet1/1/2
    interface Vlan1
    no ip address
    interface Vlan350
    ip address
    ip helper-address
    interface Vlan500
    ip address
    ip helper-address
    interface Vlan555
    ip address
    interface Vlan601
    ip address
    ip helper-address
    interface Vlan666
    ip address
    ip default-gateway
    ip forward-protocol udp 12223
    ip forward-protocol udp 5246
    ip http server
    ip http secure-server
    ip route


  7. jbernec says:

    Your ip route config doesn’t seem right to me though. I think you should have a default route of : ip route .

  8. I have done that before but it does not work.
    ip route
    that is why I request for help. If you want more information, please let me know.

  9. Ak says:

    where is the configuration of access switches

  10. stoneditch says:


    I hope you don’t mind me asking you the question below. I have been through your post above, and part 1 too.

    We have a Cisco WS-C3750G-24WS-S50 (Switch with integrated WLC) which is currently our core and Wireless controller. there are a number of interfaces defined on it…
    ap-manager (vlan 50),
    management (vlan 50),
    staff-wifi (vlan 10),
    byod-wifi (vlan 90),

    and a couple of WLANS…
    staff-wifi which uses the staff-wifi (vlan 10 interface) and byod-wifi which uses the byod (vlan 90 interface)
    There is an MS AD integrated DHCP server serving scopes for vlan 10 and 90. Right now I have Wifi devices connected to vlan 10 (staff-wifi) and they happily pick up an ip address and are able to get to our transparent bridge to get to the internet Also I have devices on the byod vlan which are able to pick up an address from their dhcp pool but, they are unable to get to the internet. they can ping server/printers on the local network and can also ping a mail gw ( but they can’t ping Why?

    There is a gateway of last resort configured on the core ip route 10 ( is our FW)

    interface Vlan10
    description Main-network
    ip address
    interface Vlan90
    description byod-wifi
    ip address

    Essentially, if I have a machine on vlan 10 it works fine, if I put a machine on vlan 90 it’s able to get a dhcp address from but is unable to ping and therefore get to the outside world?

    I’m sure that this is something simple. I guess that I have been looking at it for too long. Happy to supply some more info if you need it.

    Thank you

  11. jbernec says:

    Hello Stoneditch,
    Thanks for stopping by. Please check to make sure you have the route back to the byod-wifi subnet set on the firewall (.254) or the device. It seems you have the .254 and .253 mixed up or maybe it’s just me. But I would start there.
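
The two failure modes worked through in the comments above, as an added example that is not part of the original post or of any commenter's configuration: a Layer 3 switch with no default route, and a firewall with no route back to a new VLAN's subnet. All addresses are constructed, and lookup and round_trip are illustrative names.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: returns the next hop, 'connected', or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Constructed addressing: the firewall (.254) sits in the VLAN 10 subnet,
# the Layer 3 switch owns the .1 SVI in each VLAN.
SVI_VLAN10 = "10.0.10.1"
FIREWALL = "10.0.10.254"
SWITCH_NO_DEFAULT = {"10.0.10.0/24": "connected", "10.0.90.0/24": "connected"}
SWITCH = {**SWITCH_NO_DEFAULT, "0.0.0.0/0": FIREWALL}
FW_NO_RETURN = {"10.0.10.0/24": "connected", "0.0.0.0/0": "198.51.100.1"}
FW_WITH_RETURN = {**FW_NO_RETURN, "10.0.90.0/24": SVI_VLAN10}

def round_trip(src, dst, switch, firewall):
    """Trace a ping from an inside host toward dst and the firewall's reply path."""
    if lookup(switch, dst) is None:
        return "request dropped on L3 switch: no route (gateway of last resort not set)"
    back = lookup(firewall, src)          # where the firewall sends the reply
    if back in ("connected", SVI_VLAN10):
        return "ok"
    return f"reply lost: firewall sends it to {back}, not back to the L3 switch"

if __name__ == "__main__":
    outside = "203.0.113.9"
    print(round_trip("10.0.90.50", outside, SWITCH_NO_DEFAULT, FW_WITH_RETURN))
    print(round_trip("10.0.10.50", outside, SWITCH, FW_NO_RETURN))   # firewall's own subnet
    print(round_trip("10.0.90.50", FIREWALL, SWITCH, FW_NO_RETURN))  # new VLAN, no return route
    print(round_trip("10.0.90.50", outside, SWITCH, FW_WITH_RETURN))
```

Hosts in the VLAN that shares a subnet with the firewall work in either firewall table, which is why the problem only shows up on the newly added VLAN.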
