Routing between SVI and routed port on router

Question

How can I achieve reachability from vlan terminated on the L3 switch to routed port on the router, FW?

F.E

int vlan 10,50 are the SVI's on L3 switch

vlan 10 - 10.0.10.254 /24
vlan 50 - 10.0.50.254 /24

vlan 50 is the native vlan on trunk link towards (router, FW)

Routed port is configured on the physical interface with 10.0.50.1/24

Problem is that I can reach routed port sourcing from both SVI's but no from the device being inside vlan 10

Taking tcpdump on the routed interface i can see only icmp requests but no replies. Switch does have default gateway set to 10.0.50.1

I've enabled ospf on FW and switch but with no luck.

---

Thanks @Zac67 for the hint, maybe I wasn't clear what I try to achieve.

I want to have few vlans terminated on the L3 switch, some of them on the FW to have visibility in them. Problem is that I would like to use physical interface on the FW to be their DG to reach outside world or route to the vlans terminated on the FW.

It looks like router on the stick but with usage of physical interface by putting ip address on it.

So vlans 5,10,15.20 terminating on the L3 switch so they have SVI's created on it. Vlans 30,40,50 just existing on the switch and going to the router thru trunk and they have their own subinterfaces created.

I am looking for a way to use another vlan just for connectivity between SVI and router physical interface.

What I did until now is let's say create SVI for vlan 100 put ip on it - set vlan 100 as a native vlan on the trunk to reach the router untagged.

But it doesn't work unfortunately...

==========================================================

First of all sorry for all the mistakes I made and making in this question - this is first time posting on stack. Thank you all who is trying to help solve this problem. Please find the topology and configs below:

Switch config

Current configuration : 3350 bytes
!
! Last configuration change at 06:18:12 UTC Thu Aug 26 2021
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport access vlan 20
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 switchport access vlan 30
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/3
 media-type rj45
 negotiation auto
!
interface Vlan20
 ip address 10.0.20.254 255.255.255.0
!
interface Vlan40
 ip address 10.0.40.254 255.255.255.0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

Router config

Router#sh run
Building configuration...

Current configuration : 3144 bytes
!
! Last configuration change at 06:18:16 UTC Thu Aug 26 2021
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.40.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Sourcing from VPC10 I can ping

VPCS> ip 10.0.30.100 /24 10.0.30.1
Checking for duplicate address...
PC1 : 10.0.30.100 255.255.255.0 gateway 10.0.30.1

VPCS> ping 10.0.30.1

84 bytes from 10.0.30.1 icmp_seq=1 ttl=255 time=16.253 ms

VPCS> ping 10.0.40.1

84 bytes from 10.0.40.1 icmp_seq=1 ttl=255 time=8.569 ms

VPCS> ping 10.0.40.254

84 bytes from 10.0.40.254 icmp_seq=1 ttl=254 time=12.776 ms

VPCS> ping 10.0.20.254

84 bytes from 10.0.20.254 icmp_seq=1 ttl=254 time=15.602 ms

VPCS> ping 10.0.20.100

10.0.20.100 icmp_seq=1 timeout

VPCS> ping 3.3.3.3

84 bytes from 3.3.3.3 icmp_seq=1 ttl=255 time=11.675 ms

Only device which is not pingable is other VPCS 10.0.20.100

**But from VPC which is terminated on the switch only SVI's on the switch**

VPCS> ip 10.0.20.100 /24 10.0.20.254
Checking for duplicate address...
PC1 : 10.0.20.100 255.255.255.0 gateway 10.0.20.254


VPCS> ping 10.0.20.254

84 bytes from 10.0.20.254 icmp_seq=1 ttl=255 time=25.344 ms

VPCS> ping 10.0.30.1

10.0.30.1 icmp_seq=1 timeout

VPCS> ping 10.0.40.254

84 bytes from 10.0.40.254 icmp_seq=1 ttl=255 time=7.528 ms

Answer 1

What I did until now is let's say create SVI for vlan 100 put ip on it - set vlan 100 as a native vlan on the trunk to reach the router untagged.

That is one valid way to do it.

But it doesn't work unfortunately...

Be sure your router has routes for each of your VLANs. The next hop should be SVI for Vlan 100.

If that doesn't work, please edit your question to include your switch and router configurations, so we can see what you've done.

Answer 2

Problem is that I can reach routed port sourcing from both SVI's but no from the device being inside vlan 10

That indicates a problem with the VLAN trunk between switch and router. If you have no subinterface for VLAN 10 on the router, that VLAN ends on the trunk and tagged frames are dropped by the router.

You need to either

• extend VLAN connectivity to the router by configuring a subinterface for VLAN 10 and then using that subinterface as default gateway for nodes in VLAN 10, or
• activate routing on the L3 switch, point its default route to 10.0.50.1 and then use the L3's SVI on VLAN 10 as default gateway for nodes in VLAN 10; on the router you need either a static route for 10.0.10.0/24 pointing to 10.0.50.254 or configure OSPF between switch and router

[edit]

I would like to use physical interface on the FW to be their DG to reach outside world or route to the vlans terminated on the FW.

That is the former. Make sure you create a tagging subinterface for each VLAN on the router. (And, of course, that the trunk between switch and router includes those VLANs.) SVIs on the switch are not necessary.

The VLANs that are not trunked to the switch (with an appropriate subinterface there) require an SVI and a (static or dynamic) route on the router.

Basically, a node on any VLAN needs to be able to reach its default gateway.

If that gateway is the router, the VLAN needs to be trunked to the router, including a tagging VLAN subinterface.

If the L3 switch is used as gateway, an SVI is required. The switch needs to have a (default) route to the router, and the router needs to have a route back to the VLAN nodes.

What I did until now is let's say create SVI for vlan 100 put ip on it - set vlan 100 as a native vlan on the trunk to reach the router untagged.

You haven't mentioned VLAN 100 before. Note that there can only be one native (=untagged) VLAN on a trunk, so using VLAN 100 breaks the previously native VLAN 10's connectivity...

Make sure that you either tag all VLANs across the trunk or use the same native/untagged VLAN throughout.

If you still can't figure it out, please add the switch's and the router's configs to your question (paste text using the editor's { } function) and we can take a look.