I have the following setup:

4 VLANS

2 Layer 3 switches (Call them cisco but any layer 3 switch)

Behind one switch is one VLAN, the other three sit behind the second switch.

Currently each machine in each VLAN has the VLAN interface IP (of the VLAN interface of the respective switch) as the machine default gateway. Each machine can ping other machines in its own VLAN, but not any of the machines in the other VLANs.

Am I misunderstanding something? I thought that if I set the Default Gateway to the VLAN interface IP (of the connected switch), then this should work…

9 Spice ups

You are right to put the default gateway of your hosts as the IP address of the layer 3 switch. I’ll bet that the switch that you’re using as your default gateway doesn’t have the correct route to the next switch. You can prove this by attempting to ping the gateway (it should work) and then pinging the hop beyond that (the other L3 switch), which shouldn’t work.

You can also run a traceroute to see where it fails.

2 Spice ups

You may be on to something with the route idea; unfortunately it seems as though I’m unable to ping devices located on the same layer 3 switch. Would I put the VLAN IP address for the route?

… I’m a stooge. The issue wound up being that I hadn’t yet enabled IP routing. Cisco is great in that it allows you to throw an IP scheme into it without ever forcing you to enable IP routing. I had enabled it on my one switch but not the other.

Always the small stuff, right?

Although I think at this point I may have uncovered a bit of a Packet Tracer bug… Seems as though now I’m able to ping from all devices to all other devices, great. The only problem is that on certain groups of interfaces (2-7, 8-13, 14-19, 20-24) I’ve entered “Switchport trunk allowed VLAN 10, X” where x is the VLAN of the respective interface. This has failed to separate the traffic though, as I’m still able to ping across all interfaces when I’m trying to separate it.

2 Spice ups

You have to create ACLs to limit traffic.

Many switches don’t support ACLs between VLANs, this means you would need to use a real router to provide that separation.

This is also another reason why switches might not have IP routing turned on by default.

Bear in mind that once you have IP routing enabled you can enable/disable routing on a per-VLAN interface basis, so you can restrict which VLANs are routed if required.

Bit of a question as an aside though: if you’re looking for all devices to be able to route to all other VLANs, then why have 4 VLANs in the first place? Would be easier just to have them all on the same VLAN.

1 Spice up

Exactly.

1 Spice up

I should have mentioned in my original post: the endgame is for VLAN 1 to be able to contact VLANs 2, 3, 4, and to have VLANs 2, 3, 4 be able to contact VLAN 1 but not each other.

The reason I didn’t originally include that was that the issue I was encountering was on the way to that: in order to partially restrict inter-VLAN communication, I first wanted to establish inter-VLAN communication.

Does your switch support ACLs? If not, you have to move all routing out of the switch to a router.

That depends on whether VLAN 1 is on the separate L3 switch.

If it is, then just switch off inter-VLAN routing on switch 2 and set a static route to switch 1 for the VLAN 1 subnet, and 3 routes on switch 1 to point to the appropriate VLAN IPs on switch 2.

That should work, I think (but it is getting late on a Friday).

1 Spice up
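To make the suggestions above concrete, here is an added example configuration (not from any poster in the thread) for two Cisco IOS layer 3 switches: static routes across a routed link between them, and an ACL that implements the stated endgame (VLAN 1 reaches VLANs 2, 3, 4; VLANs 2, 3, 4 reach VLAN 1 but not each other). All addresses (10.0.1.0/24 for VLAN 1, 10.0.2.0/24 to 10.0.4.0/24 for VLANs 2 to 4, 10.0.99.0/30 for the transit link) and the interface names are constructed for the example.

```cisco
! ---- Switch 1: VLAN 1 (10.0.1.0/24) and the routed link to switch 2 ----
! Without "ip routing" the SVIs answer pings but the switch never forwards
! between subnets, which was the original symptom in the thread.
ip routing
!
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Routed link to switch 2 (constructed transit 10.0.99.0/30)
 no switchport
 ip address 10.0.99.1 255.255.255.252
!
! The three VLAN subnets that live behind switch 2
ip route 10.0.2.0 255.255.255.0 10.0.99.2
ip route 10.0.3.0 255.255.255.0 10.0.99.2
ip route 10.0.4.0 255.255.255.0 10.0.99.2

! ---- Switch 2: VLANs 2, 3, 4 (10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24) ----
ip routing
!
interface GigabitEthernet0/1
 description Routed link to switch 1
 no switchport
 ip address 10.0.99.2 255.255.255.252
!
ip route 10.0.1.0 255.255.255.0 10.0.99.1
!
! Policy: hosts in VLANs 2, 3, 4 may reach VLAN 1 and their own gateway
! SVI (so "ping the gateway" troubleshooting still works), but nothing
! else in the 10.0.0.0/16 lab space, i.e. not each other. Traffic from
! VLAN 1 arrives on Gi0/1 and leaves the SVIs outbound, where no ACL is
! applied, so VLAN 1 reaches all three; the replies match the first permit.
ip access-list extended TO-VLAN1-ONLY
 permit ip any 10.0.1.0 0.0.0.255
 permit ip any host 10.0.2.1
 permit ip any host 10.0.3.1
 permit ip any host 10.0.4.1
 deny   ip any 10.0.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip access-group TO-VLAN1-ONLY in
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
 ip access-group TO-VLAN1-ONLY in
interface Vlan4
 ip address 10.0.4.1 255.255.255.0
 ip access-group TO-VLAN1-ONLY in
```

Verify with show ip route on both switches and show access-lists on switch 2; the hit counter on the deny line (and its log messages) shows cross-VLAN attempts being blocked rather than silently routed.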

I’ll have to try this out! It sounds like a solid idea and something that could definitely work.

As of now I’m in the “preparing” stage and getting a proof of concept using Packet Tracer to develop a solid IP scheme and basis for attack. Once I have the actual hardware I’ll be able to implement whatever I need to, but for now it’s mostly theoretical; it may help me argue for different hardware if needed. As of now I’m using the built-in Cisco hardware in Packet Tracer, I believe the 3560 layer 3 switch in PT.

Speaking for Cisco switches, on a layer 3 switch you have to enter the ip route command before it will begin routing. And then you want to make sure that your routing table is correctly populated using show ip route.

ON EDIT: I replied before reading through the thread. :frowning:

Make sure your VLAN allowed configuration is using the correct syntax. You may need to verify which VLANs are allowed using the command show int [interface_name] trunk. You can use the remove command if necessary to delete a VLAN that’s currently allowed on the trunk but shouldn’t be.

** How to define the VLANs allowed on a trunk link - Cisco Community **

1 Spice up