We have a setup with 4 total sites all connected back to one, 2 via fiber and one via a wireless link. The link with the wireless bridge also needs a vlan (269) from our main site, so we set it up as a trunk instead of a link.
                    4507-2
                      ^
                      |
WAN -> Sonicwall -> 4507 -> 3560
                      |
                      v
                    4507-3
Cannot ping from 3560 to Sonicwall or external.
Can ping from 3560 to all 4507 switches.
Can ping from Firewall to 3560.
4507 Configuration
interface GigabitEthernet1/1
description *SONICWALL*
switchport access vlan 100
switchport mode access
switchport nonegotiate
spanning-tree portfast
interface GigabitEthernet2/46
description **Trunk to 3560**
switchport trunk allowed vlan 269,300
switchport mode trunk
interface Vlan100
ip address 10.1.100.1 255.255.252.0
ip helper-address 10.1.104.10
interface Vlan269
no ip address
shutdown
interface Vlan300
ip address 172.20.20.9 255.255.255.252
ip default-gateway 10.1.100.254
ip route 0.0.0.0 0.0.0.0 10.1.100.254
ip route 10.4.100.0 255.255.252.0 172.20.20.10
3560 Configuration
ip routing
interface GigabitEthernet0/24
description Trunk to 4507
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 269,300
switchport mode trunk
interface Vlan100
ip address 10.4.100.1 255.255.252.0
ip helper-address 10.1.104.10
interface Vlan300
ip address 172.20.20.10 255.255.255.252
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.20.9
ip route 10.1.100.0 255.255.252.0 172.20.20.9
4507 routes
4507#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.1.100.254 to network 0.0.0.0
S 192.168.110.0/24 [1/0] via 10.1.104.180
172.20.0.0/30 is subnetted, 3 subnets
C 172.20.20.8 is directly connected, Vlan300
10.0.0.0/22 is subnetted, 20 subnets
S 10.4.100.0 [1/0] via 172.20.20.10
C 10.1.100.0 is directly connected, Vlan100
S* 0.0.0.0/0 [1/0] via 10.1.100.254
3560 routes
3560#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 172.20.20.9 to network 0.0.0.0
172.20.0.0/30 is subnetted, 1 subnets
C 172.20.20.8 is directly connected, Vlan300
10.0.0.0/22 is subnetted, 10 subnets
C 10.4.100.0 is directly connected, Vlan100
S 10.1.100.0 [1/0] via 172.20.20.9
S* 0.0.0.0/0 [1/0] via 172.20.20.9
Sonicwall also has a route for 10.4.100.0/22 to go to 10.4.100.1
Best Answer
It looks like your problem may be the firewall route. You need the firewall route to go to the next hop, 10.1.100.1, not to an address on the route itself. You are telling the firewall how to get to that network, and the address of the next hop for the network cannot be on the network itself because the firewall doesn't know how to get to the network where the next hop is, so the firewall cannot send anything to the next hop.

My two cents, based on experience:
I would actually have a routed link between the firewall and the layer-3 switch, rather than a VLAN, and run a routing protocol between all the layer-3 devices. Static routes just don't scale.
Configure the switch interfaces as layer-3 interfaces, and address them as point-to-point interfaces with /30 or /31 networks. You are using /30 networks on the SVI for the VLANs, but you can run into some problems with delayed detection of link problems using SVIs, and you don't have that if you address on the physical interfaces.

For the 4507, instead of:

Use something like:
Also, understand that by extending layer-2 VLANs to a remote location, you increase the chances of a layer-2 problem, and the problem will affect two sites instead of one. There is almost nothing today that requires having two hosts on the same layer-2 domain. We live in a layer-3 world, and routing works well. I don't see any advantage to extending the VLAN to a remote location, but I do see some disadvantages to doing it.
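The next-hop resolution rule the answer describes can be checked mechanically before a static route is pushed to a firewall or switch. The following is an added example, not code from the question, the answer, or any vendor; it assumes a firewall whose only connected network is the VLAN 100 subnet (10.1.100.0/22) and models a router's recursive lookup, deliberately leaving the candidate route out of the table so it cannot "resolve" through its own destination prefix.

```python
import ipaddress

# Constructed from the firewall's view described in the answer: its only
# connected network is the VLAN 100 subnet shared with the 4507 (assumption).
FIREWALL_CONNECTED = ["10.1.100.0/22"]


def lookup(addr, table):
    """Longest-prefix match over a table of (network, next_hop) entries.
    next_hop is None for a directly connected prefix."""
    addr = ipaddress.ip_address(addr)
    matches = [(p, nh) for p, nh in table if addr in p]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def resolve(next_hop, table, max_hops=8):
    """Recursive next-hop resolution: follow static routes until a connected
    prefix is reached. Returns True if the next hop is deliverable."""
    for _ in range(max_hops):
        match = lookup(next_hop, table)
        if match is None:            # nothing covers the next hop at all
            return False
        _prefix, via = match
        if via is None:              # connected: ARP for next_hop here
            return True
        next_hop = via               # static: resolve its next hop in turn
    return False                     # recursion too deep / loop


def check_static_route(prefix, next_hop, connected, other_statics=()):
    """Validate a candidate static route against the rest of the table.
    The candidate itself is excluded, so a next hop that lies only inside
    the candidate's own destination prefix is reported as unresolvable.
    Returns (ok, reason)."""
    table = [(ipaddress.ip_network(c), None) for c in connected]
    table += [(ipaddress.ip_network(p), h) for p, h in other_statics]
    dst = ipaddress.ip_network(prefix)
    if resolve(next_hop, table):
        return True, f"{dst} via {next_hop}: next hop reachable"
    inside = ipaddress.ip_address(next_hop) in dst
    hint = " (next hop lies inside the destination itself)" if inside else ""
    return False, f"{dst} via {next_hop}: next hop unresolvable{hint}"


if __name__ == "__main__":
    # The route from the question, then the next hop the answer suggests.
    print(check_static_route("10.4.100.0/22", "10.4.100.1", FIREWALL_CONNECTED))
    print(check_static_route("10.4.100.0/22", "10.1.100.1", FIREWALL_CONNECTED))
```

The same function can validate the switch tables in the question, e.g. the 4507's route to 10.4.100.0/22 via 172.20.20.10 with 172.20.20.8/30 listed as connected.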