In part 2 of this topic, I will show how to configure the Switch Virtual Interfaces and IP Helper addresses on the Cisco 3750G EMI:
L3Switch(config)# interface vlan 20
L3Switch(config-if)# ip address 10.0.2.1 255.255.255.0 (configures the IP address on the vlan 20 interface)
L3Switch(config-if)# exit
It is not necessary to specify an IP helper address on interface vlan 20, because the DHCP server is in the same subnet as this VLAN and receives the clients' broadcasts directly.
L3Switch(config)# interface vlan 30
L3Switch(config-if)# ip address 10.0.3.1 255.255.255.0 (configures the IP address on the vlan 30 interface)
L3Switch(config-if)# ip helper-address 10.0.2.14 (configures the DHCP IP helper address for devices on the vlan 30 subnet)
L3Switch(config-if)# exit
L3Switch(config)# interface vlan 40
L3Switch(config-if)# ip address 10.0.4.1 255.255.255.0 (configures the IP address on the vlan 40 interface)
L3Switch(config-if)# ip helper-address 10.0.2.14 (configures the DHCP IP helper address for devices on the vlan 40 subnet)
L3Switch(config-if)# exit
The ip helper-address configured on each VLAN interface relays the DHCP broadcast requests from that subnet to the specified DHCP server address. Without going into details in this post, the DHCP scope for each subnet should already have been created on the Microsoft DHCP server, as shown in the screenshot below:
Several Microsoft documents instruct you to create the scope for each subnet within a superscope. In my experience, that is not necessary.
The Switch Virtual Interfaces serve as the gateway for the hosts/devices in each subnet. In the Scope Options for each subnet on the DHCP server, the Router option (code 003) is configured with the SVI IP address. The scope options configuration for vlan 30 is shown in the screenshot:
The next lines configure two switchports on the C3750G as trunk ports between this switch and the C2960 access switches:
L3Switch(config)# interface GigabitEthernet1/0/1
L3Switch(config-if)# description Connection to Accounting Switch
L3Switch(config-if)# switchport trunk encapsulation dot1q
L3Switch(config-if)# switchport mode trunk
L3Switch(config-if)# exit
L3Switch(config)# interface GigabitEthernet1/0/2
L3Switch(config-if)# description Connection to HR Switch
L3Switch(config-if)# switchport trunk encapsulation dot1q
L3Switch(config-if)# switchport mode trunk
L3Switch(config-if)# exit
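The SVI, helper-address, scope-option and trunk steps above are one procedure, so here is a small generator that applies them to a VLAN table. This is an added example and not configuration from the post or from Cisco; the VLAN addresses, DHCP server address and uplink names are constructed to match the design described above. It encodes the rule that a helper address is only needed where the DHCP server is not on the SVI's own subnet, refuses to emit SVIs whose subnets overlap (a misconfiguration that makes the switch's routing ambiguous), and adds two trunk sub-commands that are not in the post: pruning the trunk to the VLANs actually in use and disabling DTP negotiation on a port whose mode is fixed.

```python
import ipaddress
from itertools import combinations

# Constructed inputs (assumptions, not taken from a live switch): VLAN id -> SVI
# address/mask, the DHCP server address (it sits in vlan 20) and the two uplinks.
DHCP_SERVER = ipaddress.IPv4Address("10.0.2.14")
VLANS = {
    20: "10.0.2.1/24",
    30: "10.0.3.1/24",
    40: "10.0.4.1/24",
}
TRUNKS = {
    "GigabitEthernet1/0/1": "Connection to Accounting Switch",
    "GigabitEthernet1/0/2": "Connection to HR Switch",
}


def as_interfaces(vlans):
    """Accept either 'a.b.c.d/len' strings or IPv4Interface objects."""
    return {vid: ipaddress.IPv4Interface(v) for vid, v in vlans.items()}


def overlapping_subnets(vlans):
    """Pairs of VLAN ids whose SVI subnets overlap (sorted by VLAN id)."""
    ifaces = as_interfaces(vlans)
    return [(a, b) for a, b in combinations(sorted(ifaces), 2)
            if ifaces[a].network.overlaps(ifaces[b].network)]


def svi_config(vlans, dhcp_server):
    """One SVI block per VLAN. The helper address is emitted only where the DHCP
    server is *not* on the SVI's own subnet, which is the rule stated in the post."""
    clash = overlapping_subnets(vlans)
    if clash:
        raise ValueError(f"overlapping SVI subnets: {clash}")
    dhcp_server = ipaddress.IPv4Address(dhcp_server)
    lines = ["ip routing"]  # the 3750G only routes between SVIs once this is on
    for vid, iface in sorted(as_interfaces(vlans).items()):
        lines += [f"interface Vlan{vid}",
                  f" ip address {iface.ip} {iface.netmask}"]
        if dhcp_server not in iface.network:
            lines.append(f" ip helper-address {dhcp_server}")
        lines.append("!")
    return lines


def trunk_config(trunks, vlans):
    """802.1Q trunk per uplink. The allowed-vlan list and 'switchport nonegotiate'
    are hardening additions beyond the post's own trunk configuration."""
    allowed = ",".join(str(v) for v in sorted(vlans))
    lines = []
    for port, desc in trunks.items():
        lines += [f"interface {port}",
                  f" description {desc}",
                  " switchport trunk encapsulation dot1q",
                  " switchport mode trunk",
                  f" switchport trunk allowed vlan {allowed}",
                  " switchport nonegotiate",
                  "!"]
    return lines


def dhcp_scopes(vlans):
    """What each scope on the Microsoft DHCP server must contain: the subnet and
    the Router option (code 003) pointing at that VLAN's SVI address."""
    return [{"vlan": vid, "scope": str(iface.network), "router_option_003": str(iface.ip)}
            for vid, iface in sorted(as_interfaces(vlans).items())]


if __name__ == "__main__":
    print("\n".join(svi_config(VLANS, DHCP_SERVER) + trunk_config(TRUNKS, VLANS)))
    for scope in dhcp_scopes(VLANS):
        print(scope)
```

Running it prints the SVI and trunk blocks in the same form as the post, with the helper line absent from Vlan20 only, followed by one dictionary per DHCP scope that can be checked against the scope options on the server.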
In the next post, I will show my config for the access switches directly connected to the end-user devices.
What if I want to route between the 192.168.1.0 and 10.1.1.0 subnets on the 3750G running the IP Services image?
Both subnets have their own firewall for external client PC access.
Would I need to amend the current:
ip default-gateway 192.168.1.10
ip route 0.0.0.0 0.0.0.0 192.168.1.10
or is it better to add a route on both firewalls to show how to reach the other subnet via the 3750G SVI?
Thanks!
Hello Chan,
Thank you for the comment. In response to your question, your current setup might work, but this is what I propose, considering you did not provide more details:
1) Configure SVIs on the C3750G for each subnet.
2) Let these SVI IP Addresses be the gateway for clients in each subnet. The Layer 3 switch will route between each subnet since they are directly connected networks.
3) As best practice, internal subnet/vlan routing should be configured on your Layer 3 switch C3750G or router.
4) Since you want two different firewalls for internet access for each subnet, I suggest configuring Policy Based Routing on your Layer 3 switch C3750G. I have a post on Policy Based Routing and the steps are pretty straightforward. It will enable you to route internet traffic to a specific firewall depending on the source subnet. The C3750 IP Services switch supports Policy Based Routing.
5) You should still configure your subnets routing on the Firewalls, but this should be mainly for any services and NAT hosted on your internal network.
I hope this makes sense and helps point you in the right direction for your design. Thanks again.
Hi,
1. I have my default vlan500 where all my clients go out to the internet via gateway 172.19.96.10.
2. I have a group of people joining us today and I have created a new VLAN601 as well as INTERFACE VLAN601 with IP 192.19.96.20.1/24. I also created a DHCP server on this INTERFACE VLAN601 with all the parameters (GA-192.168.20.1, subnet 255.255.255.0, DNS and etc).
3. IP routing is enabled on my L3-3750G.
4. I have 2 units of 2960 in different locations and have created one port on each switch and made it a member of vlan601.
5. The trunk has been able to carry the traffic between the two L2-2960 and the L3-3750. Proof of this is that when I connect a laptop to each of the ports on the L2-2960, the two laptops get IP addresses from the DHCP server configured on INTERFACE VLAN601 and they can also ping each other.
6. Since default vlan500 is going out to the internet via 172.19.96.10 (within vlan500), can you tell me why I cannot connect to the internet from the network in vlan601?
Help please.
Sorry to add:
7. I cannot ping any devices from a computer/PC in vlan601.
Hello Ulderico,
Here are a few quick thoughts:
1) Check that Vlan 500 and its subnet are directly connected to your Layer 3 switch or configured on your Layer 3 switch. Make sure the Vlan 601 subnet has a route to the Vlan 500 subnet on your Layer 3 switch if not directly connected. You did not mention how your Vlan 500 subnet connects to your Layer 3 switch.
2) As you correctly indicated, the gateway for the Vlan 601 subnet should be the interface Vlan 601 Switch Virtual Interface (192.19.96.20.1/24). Make sure you also have a default route set on your Layer 3 switch to the internet. It should look like: ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is your next hop address to the internet).
3) Is the Vlan 500 gateway IP, 172.19.96.10, the Switch Virtual Interface for the Vlan 500 subnet? If not, and if it's your gateway/firewall to the internet, then you should configure that IP as your default route as indicated in point 2 above.
I hope this helps point you in the right direction, as I don't have enough information. Good luck.
Thanks mate for your explanation.
1. Yes, vlan 500 is also an SVI on the L3 and vlan 601 is also an SVI on the same L3 3750G.
Now, how to route vlan 601 with vlan500? Please see the 'sh ip route' output from the L3 below.
3. The vlan 500 gateway IP 172.19.96.10 is configured on a proprietary firewall/router (MSS-II) by an external company.
I just wanted vlan 601 and 500 to communicate with each other and to use 172.19.96.10 to get to the internet.
Do you have an email that I can contact you at?
Thanks
++++++++++ sh ip route ++++++++++++
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Vlan350
L 10.10.10.1/32 is directly connected, Vlan350
C 10.10.20.0/24 is directly connected, Vlan666
L 10.10.20.1/32 is directly connected, Vlan666
172.19.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.19.96.0/24 is directly connected, Vlan500
L 172.19.96.99/32 is directly connected, Vlan500
C 172.19.99.0/24 is directly connected, Vlan555
L 172.19.99.200/32 is directly connected, Vlan555
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan601
L 192.168.20.1/32 is directly connected, Vlan601
++++++++++
++++++++ vlan interface ++++++++
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan350
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 172.19.96.9
!
interface Vlan500
 ip address 172.19.96.99 255.255.255.0
 ip helper-address 172.19.96.22
!
interface Vlan555
 ip address 172.19.99.200 255.255.255.0
!
interface Vlan601
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 172.19.96.22
!
interface Vlan666
 ip address 10.10.20.1 255.255.255.0
!
ip default-gateway 172.19.99.10
ip forward-protocol udp 12223
ip forward-protocol udp 5246
ip http server
ip http secure-server
!
ip route 192.168.20.0 255.255.255.0 172.19.96.0
++++++++++++++++++++++++++++
Hello,
Your ip route config doesn't seem right to me though. I think you should have a default route of: ip route 0.0.0.0 0.0.0.0 172.19.96.10
I have done that before but it does not work.
ip route 0.0.0.0 0.0.0.0 172.19.96.10
That is why I requested help. If you want more information, please let me know.
Also, since you have ip routing enabled on your layer 3 switch, you should remove the ip default-gateway configuration.
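The points raised in this exchange (a static route with a subnet address as its next hop, a redundant route to a directly connected network, no gateway of last resort, and ip default-gateway left in place with ip routing on) are all mechanically checkable. The linter below is an added example, not the author's or the poster's code; SAMPLE_CONFIG is constructed from the routing-relevant lines of the excerpt pasted above, with an "ip routing" line added because the poster says it is enabled but did not include it. It also flags two things the thread does not discuss but a reviewer of this config would: ip helper-address relays more UDP services than DHCP by default, and the plaintext HTTP server is enabled alongside the HTTPS one.

```python
import ipaddress
import re

# Constructed sample (assumed, not the thread's verbatim paste): the routing-relevant
# lines from the 3750G config posted above, plus "ip routing", which the poster says
# is enabled but did not include in the excerpt.
SAMPLE_CONFIG = """\
ip routing
!
interface Vlan500
 ip address 172.19.96.99 255.255.255.0
 ip helper-address 172.19.96.22
!
interface Vlan601
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 172.19.96.22
!
ip default-gateway 172.19.99.10
ip forward-protocol udp 12223
ip forward-protocol udp 5246
ip http server
ip http secure-server
!
ip route 192.168.20.0 255.255.255.0 172.19.96.0
"""


def parse_config(text):
    """Extract SVIs, helper addresses, static routes and a few global settings from
    an IOS-style config excerpt. Interface sub-commands are indented; a non-indented
    line ends the current interface block."""
    svis, helpers, routes, flags = {}, {}, [], set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            current = None
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            svis[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"ip helper-address (\S+)$", line)):
            helpers.setdefault(current, []).append(ipaddress.IPv4Address(m.group(1)))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
        elif line.startswith("ip default-gateway "):
            flags.add("ip default-gateway")
        elif line in ("ip routing", "ip http server"):
            flags.add(line)
    return svis, helpers, routes, flags


def lint(svis, helpers, routes, flags):
    """Return (code, message) findings for the mistakes discussed in the thread."""
    connected = {name: iface.network for name, iface in svis.items()}
    on = lambda addr: [n for n, net in connected.items() if addr in net]
    out = []
    if "ip routing" in flags and "ip default-gateway" in flags:
        out.append(("DEFAULT_GATEWAY_IGNORED", "ip default-gateway is only used when ip routing "
                    "is off; set a default route (ip route 0.0.0.0 0.0.0.0 <next-hop>) instead"))
    if not any(net.prefixlen == 0 for net, _ in routes):
        out.append(("NO_DEFAULT_ROUTE", "no 0.0.0.0/0 route: gateway of last resort is not set"))
    for net, hop in routes:
        if net in connected.values():
            out.append(("ROUTE_TO_CONNECTED", f"{net} is directly connected; the static route is redundant"))
        try:
            hop_addr = ipaddress.IPv4Address(hop)
        except ValueError:
            continue  # next hop given as an interface name; nothing more to check here
        names = on(hop_addr)
        if not names:
            out.append(("NEXT_HOP_UNREACHABLE", f"next hop {hop} is not on any connected subnet"))
        elif any(hop_addr == connected[n].network_address for n in names):
            out.append(("NEXT_HOP_IS_NETWORK", f"next hop {hop} is the network address of {names[0]}, not a host"))
    for name, addrs in helpers.items():
        for a in addrs:
            if not on(a):
                out.append(("HELPER_UNREACHABLE", f"{name}: helper {a} is not on any connected subnet"))
            elif name in svis and a in svis[name].network:
                out.append(("HELPER_SAME_SUBNET", f"{name}: DHCP server {a} is on this subnet; no helper needed"))
    if helpers:
        out.append(("HELPER_FORWARDS_MORE", "ip helper-address also relays TFTP, DNS, time, NetBIOS and TACACS "
                    "broadcasts by default; drop the unneeded ones with no ip forward-protocol udp <port>"))
    if "ip http server" in flags:
        out.append(("HTTP_PLAINTEXT", "plaintext ip http server is enabled; keep only ip http secure-server"))
    return out


def lint_text(text):
    return lint(*parse_config(text))


if __name__ == "__main__":
    for code, msg in lint_text(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run against the excerpt it reports the four routing problems from the thread plus the two hardening notes; with the default-gateway line removed, the static route replaced by ip route 0.0.0.0 0.0.0.0 172.19.96.10 and the plaintext HTTP server disabled, only the two informational helper findings remain.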
Where is the configuration of the access switches?
I could write about the access switches if you need me to.
Hello,
I hope you don’t mind me asking you the question below. I have been through your post above, and part 1 too.
We have a Cisco WS-C3750G-24WS-S50 (switch with integrated WLC) which is currently our core and wireless controller. There are a number of interfaces defined on it…
ap-manager (vlan 50), 192.168.20.252
management (vlan 50), 192.168.20.253
staff-wifi (vlan 10), 10.1.2.253
byod-wifi (vlan 90), 192.168.27.253
and a couple of WLANS…
staff-wifi which uses the staff-wifi (vlan 10 interface) and byod-wifi which uses the byod (vlan 90 interface)
There is an MS AD integrated DHCP server serving scopes for vlan 10 and 90. Right now I have Wi-Fi devices connected to vlan 10 (staff-wifi) and they happily pick up an IP address and are able to get to our transparent bridge to get to the internet, 10.0.0.253. I also have devices on the byod vlan which are able to pick up an address from their DHCP pool but are unable to get to the internet. They can ping servers/printers on the local network and can also ping a mail gateway (10.0.0.11), but they can't ping 10.0.0.253. Why?
There is a gateway of last resort configured on the core ip route 0.0.0.0 0.0.0.0 10.0.0.254 10 (10.0.0.254 is our FW)
!
interface Vlan10
description Main-network
ip address 10.100.254.254 255.0.0.0
!
interface Vlan90
description byod-wifi
ip address 192.168.27.254 255.255.252.0
!
Essentially, if I have a machine on vlan 10 it works fine; if I put a machine on vlan 90 it's able to get a DHCP address from 10.254.254.1 but is unable to ping 10.0.0.253 and therefore get to the outside world?
I'm sure that this is something simple. I guess that I have been looking at it for too long. Happy to supply some more info if you need it.
Thank you
Hello Stoneditch,
Thanks for stopping by. Please check to make sure you have the route back to the byod-wifi subnet set on the firewall (.254) or the 10.0.0.253 device. It seems you have the .254 and .253 mixed up, or maybe it's just me. But I would start there.