
I have a router that has 4 VLANs configured, with an interface on each VLAN, the router serves as a gateway and provides internet access.

VLAN  |  Interface      |  Function
---------------------------------------
  1   |  192.168.1.1/24  |  DMZ
  2   |  192.168.2.1/24  |  Phones
  3   |  192.168.3.1/24  |  Work Stations
  4   |  192.168.4.1/24  |  Servers

The router has a single cable connecting it to a Cisco 3750 (Gi1/0/1), this connection is setup as an 802.11q trunk.

Other than the trunk port, the other ports on the switch are split among the 4 VLANs.

VLAN  |  Interface
--------------------
1     |  Gi1/0/2-6
2     |  Gi1/0/7-12
3     |  Gi1/0/13-18
4     |  Gi1/0/19-24

How can I set up the switch so that all VLANs have internet access, via their respective gateways on the router, while still allowing any required inter-VLAN communication to occur on the switch itself?

The inter-VLAN communication I require is as follows:

from   |  to
--------------
2      |  1
3      |  1
4      |  1

I would prefer to run the DHCP server on the Cisco switch, but if necessary I can run it on the router.

System image file is "flash:c3750-advipservicesk9-mz.122-35.SE5.bin"

  • Tried this on a 4500E: "ip route 192.168.0.0 0.0.255.255 192.168.5.1" gave an error response in the command shell. I used the standard masking 255.255.255.0 and then it was accepted.
    – user28115
    Commented Jul 24, 2016 at 23:36
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.
    – Ron Maupin
    Commented Aug 14, 2017 at 3:53

3 Answers


The switch would need to be a layer-3 switch with routing enabled to allow communication between the VLANs; a layer-2 switch cannot route traffic between VLANs. You would configure SVIs on the layer-3 switch, and the addresses of the SVIs would be the gateways of the VLANs.

You would then convert the trunk link to the router to a routed link:

interface GigabitEthernet 1/0/1
 no switchport
 ip address <ip address> <mask>

You will either need to run a routing protocol between the layer-3 switch and the router, or you will need to configure static routes to the VLAN networks on the router.

You will also need a way to have a default route on the layer-3 switch, either specifically configured to point to the router, or through a routing protocol from the router.


Your setup, as you described it, is something called "router on a stick"; you can search the internet for the topic "inter VLAN routing".

The thing is that if you have already configured your scenario, and the hosts or devices connected to their respective VLANs already have their gateway, you should be able to communicate between devices in different VLANs.

But to reach the internet, here is where you need to do some configuration.

  1. You need to create a default route that sends all the traffic across the interface connected to your ISP:

    ip route 0.0.0.0 0.0.0.0 x

Note: x can be a gateway provided by your ISP (usually you establish a link using a /30 network), or it can be the interface connected to your ISP; this depends on your configuration.

  2. I guess you need to check if some kind of NATing is needed or if this is handled by your ISP. If it is not, you need to configure NAT on your router.

Now you can reach the internet from all VLANs. Next, because you want to deny access from one VLAN to another, you need to create access lists and apply them to the subinterfaces that you created on the router. E.g.:

   access-list 100 deny   ip any 192.168.2.0 0.0.0.255
   access-list 100 deny   ip any 192.168.3.0 0.0.0.255
   ! an extended ACL entry needs a protocol keyword; "permit any any" is rejected by IOS
   access-list 100 permit ip any any

This ACL is defined for VLAN 4, allowing access to the internet and to VLAN 1. It MUST be applied INBOUND on the respective VLAN 4 subinterface on the router.

You need to create two more for VLANs 2 and 3 and do the same thing.

  • The router-on-a-stick won't work because the OP wants the routing between VLANs to happen on the switch.
    – Ron Maupin
    Commented May 14, 2016 at 16:36
  • Oh, my fault, I missed that part.
    Commented May 14, 2016 at 19:31

The 3750 is a layer 3 switch. It should be configured as such because of better/faster inter-VLAN routing.

! the 3750 only routes between SVIs once IP routing is enabled globally
ip routing
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
! VLAN 5 must exist in the VLAN database before its SVI can come up
vlan 5
!
interface Vlan5
 description *** link to router ***
 ip address 192.168.5.1 255.255.255.0

Put the port linking to the router as

interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 5

..etc. Finally, the switch needs

ip route 0.0.0.0 0.0.0.0 192.168.5.2

Then on the router, wipe out the existing interface config and put

ip address 192.168.5.2 255.255.255.0

and then globally

! a static route takes a subnet mask, not a wildcard mask
ip route 192.168.0.0 255.255.0.0 192.168.5.1

Your router's default route should point to the ISP gateway.

Finally, you should have 2 links between the router and switch stack. See the port-channel config guide.

  • Faster, yes; better, NOT REMOTELY. The layer-3 capabilities of the 3750 are extremely limited. Other than one of those VLANs being the "DMZ", that isn't an issue.
    – Ricky
    Commented May 14, 2016 at 21:52
  • Don't demand the use of EtherChannel without providing meaningful justification (bandwidth, resiliency, etc.).
    – Ricky
    Commented May 14, 2016 at 21:54
  • @RickyBeam Switch does 13.1 Mpps. Router does 353 kpps. That's approx a 40x performance difference. Use the switch for inter-VLAN routing.
    Commented May 14, 2016 at 22:55
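
Putting the first and third answers together, here is a complete configuration for the design they describe: the 3750 owns the VLAN gateways, a routed point-to-point link replaces the trunk, the router only does the Internet side, and the question's "2, 3, 4 to 1" policy is enforced with router ACLs on the SVIs. This is an added example, not code from the question or any of the answers. Assumptions that are not in the original: the transit subnet 192.168.5.0/30, the router interface names GigabitEthernet0/0 and 0/1, 192.168.4.10 as the DNS server handed out by DHCP, the ACL and pool names, and that DHCP pools are shown only for VLANs 2 and 3 (VLANs 1 and 4 follow the same pattern).

```cisco
! ===== Cisco 3750 (layer-3 switch, IP services image) =====
ip routing
!
! The SVIs take over the 192.168.x.1 gateway addresses from the router
interface Vlan1
 description DMZ
 ip address 192.168.1.1 255.255.255.0
 ip access-group DMZ-IN in
interface Vlan2
 description Phones
 ip address 192.168.2.1 255.255.255.0
 ip access-group PHONES-IN in
interface Vlan3
 description Work Stations
 ip address 192.168.3.1 255.255.255.0
 ip access-group WORKSTATIONS-IN in
interface Vlan4
 description Servers
 ip address 192.168.4.1 255.255.255.0
 ip access-group SERVERS-IN in
!
! Gi1/0/1 changes from a trunk to a routed point-to-point link;
! 192.168.5.0/30 is an assumed transit subnet not used anywhere else
interface GigabitEthernet1/0/1
 description Routed link to the Internet router
 no switchport
 ip address 192.168.5.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.168.5.2
!
! Policy: VLANs 2, 3 and 4 may initiate to the DMZ, no other inter-VLAN
! traffic, and anything outside 192.168.0.0/16 is "the Internet".
! The ACLs are stateless, so DHCP and the client's own gateway are
! permitted explicitly ahead of the catch-all deny for private space.
ip access-list extended PHONES-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.2.0 0.0.0.255 host 192.168.2.1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended WORKSTATIONS-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.3.0 0.0.0.255 host 192.168.3.1
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended SERVERS-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.4.0 0.0.0.255 host 192.168.4.1
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.4.0 0.0.0.255 any
! The DMZ may only answer TCP sessions the inside VLANs opened
! ("established" matches ACK/RST set); UDP replies need explicit permits
ip access-list extended DMZ-IN
 permit udp any eq bootpc any eq bootps
 permit ip  192.168.1.0 0.0.0.255 host 192.168.1.1
 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255 established
 deny   ip  192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip  192.168.1.0 0.0.0.255 any
!
! DHCP served by the switch, as the question prefers
! (192.168.4.10 as the DNS server is an assumption)
ip dhcp excluded-address 192.168.2.1 192.168.2.20
ip dhcp pool VLAN2-PHONES
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.4.10
ip dhcp excluded-address 192.168.3.1 192.168.3.20
ip dhcp pool VLAN3-WORKSTATIONS
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.4.10
!
! ===== Internet router (interface names are assumptions) =====
interface GigabitEthernet0/0
 description Routed link to the 3750
 ip address 192.168.5.2 255.255.255.252
 ip nat inside
interface GigabitEthernet0/1
 description ISP (address and default route as already configured)
 ip nat outside
!
! All four VLAN subnets now sit behind the switch (subnet mask, not
! wildcard); the directly connected /30 still wins by longest match
ip route 192.168.0.0 255.255.0.0 192.168.5.1
!
! PAT for the private space, only if the ISP does not NAT for you
ip access-list standard NAT-INSIDE
 permit 192.168.0.0 0.0.255.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
```

Check it with `show ip route` on both boxes (the switch should show the default via 192.168.5.2, the router the /16 via 192.168.5.1), `show ip access-lists` for hit counters while testing from each VLAN, and `show ip dhcp binding` for leases. Two caveats a practitioner should keep in mind: the 3750 has no stateful inspection, so the `established` entry only covers TCP replies from the DMZ, and any DMZ service the inside VLANs reach over UDP needs its own permit line; and, as Ricky's comment points out, the DMZ and the internal VLANs now share a single layer-3 device whose ACLs are the only boundary between them, which is weaker than a stateful firewall in front of a DMZ.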