Inter-VLAN Routing – How to Achieve Inter-VLAN Routing with an Unmanaged Switch

interfacerouterroutingswitchvlan

I have a Cisco 3650 with inter-vlan routing enabled. All vlans reach each other with no problems. The problem appeared when I connected an unmanaged switch to an interface on the cisco. I set up a vlan with the same ip range of the unmanaged switch, I also set up an interface vlan in the same ip range of the unmanaged switch. Now, when i'm on the exec mode on the cisco switch, i can reach all devices on the unmanaged switch, however, from any other valn, I cannot.

no aaa new-model
system mtu routing 1500
vtp domain h873.eur.nsroot.net
vtp mode transparent
ip subnet-zero
ip routing
vlan 116
 name PROD_VLAN_111
!
vlan 120,200
!
vlan 211
 name MGMT_PHY_211
!
vlan 212
 name MGMT_APP_212
!
!
!
!
interface GigabitEthernet0/1
 switchport access vlan 211
 switchport mode access
!
interface GigabitEthernet0/2  
 switchport access vlan 212
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 116
 switchport mode access
!

interface GigabitEthernet0/11
 description Connection to Unmanaged Switch
 switchport access vlan 200
 switchport mode access
!

interface GigabitEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Vlan1
 no ip address
!
interface Vlan116
 ip address 172.16.116.1 255.255.255.0
!
interface Vlan120
 ip address 10.11.120.1 255.255.255.0
!
interface Vlan200
ip address 192.168.1.100 255.255.255.0
!
interface Vlan211
 ip address 10.11.211.1 255.255.255.0
 !
  interface Vlan212
  ip address 10.11.212.1 255.255.255.0
 !
 router ospf 100
  log-adjacency-changes
  redistribute connected subnets
  network 172.16.116.0 0.0.0.255 area 0
 !
  ip default-gateway 192.168.1.165
  ip classless
 ip route 0.0.0.0 0.0.0.0 192.168.1.1
 ip http server
 ip http secure-server
 !

So for example, if i run "ping 192.168.1.100 source 10.11.211.1" the pings are fine, but if i run "ping 192.168.1.1 source 10.11.211.1"
it is not successful.
Any help would be much appreciated.

Switch#ping 192.168.1.1
 Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms 

Switch#ping 192.168.1.1 source 10.11.211.1 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
 Packet sent with a source address of 10.11.211.1
 .....
 Success rate is 0 percent (0/5) 

Switch#ping 192.168.1.100 source 10.11.211.1
 Packet sent with a source address of 10.11.211.1
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

Best Answer

If the hosts on the unmanaged switch have a gateway set to 192.168.1.1, then traffic from those hosts to a different network will be sent to that router, and if that router needs to send back to the switch on that network, it will not. Routers have split-horizon, meaning that they will not route back to the same network on which a packet is received.

You want the inter-VLAN routing to happen on the switch, not the WAN router, so the switch must be the gateway for all the hosts. The WAN router should inject the default route into OSPF, and you should not have a default route on the switch.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Cisco – Configure Cisco Aironet 1600 AP with RADIUS and multiple VLANs

One way to solve this problem is to change the AP connection to a layer 2 trunk with both VLANs on the trunk. You can have two different SSIDs (one for users, one for guests) and each SSID is associated with a VLAN. When a client connects to the Guest SSID, her data goes on VL 200; a regular user's data goes on VL 100.

You will need separate DHCP scopes for each VLAN, either on the AP or a central DHCP server.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Cisco – Configure Cisco Aironet 1600 AP with RADIUS and multiple VLANs

Related Topic