Will a single Cisco WS-C2960-24TT-L switch share a single gw-wan for all its VLANs?

JediFonger

i've searched through the archives and can't find related posts. so please excuse my super noobness!

in my research i think this capability is beyond this switch. this is a "limited l3" switch. i just wanted to verify this with you pros. i'm running this on my home lab.

the topology is this:
Comcast WAN->Sonicwall tz190 (this does *NOT* do VLANs, just an FYI, basic cookie cutter router/firewall)
From the sonicwall it goes to Cisco2960 running ios 15se7.

i do not have any other switches/routers on the network at all.

gateway is the typical 192.168.1.1.

on the Cisco2960 everything on vlan1 (management) can hit internet since it's on the same subnet as the rest of the network.

vlan2=192.168.2.x
vlan3=192.168.3.x
vlan4=192.168.4.x

i want vlan2 through vlan4 to access internet. can network devices on vlan2 through vlan4 hit the internet with inter-vlan routing?

ip routing is already enabled. i'm able to ping vlan2 through vlan4, but have a hard time getting vlan2 through vlan4 to ping vlan1.

again i know this is a super limited l3 switch and not the 3xxx series.

from what i've read this switch is very limited and would require another separate router to pass gw traffic from 192.168.1.1 to the other vlan2 through vlan4. just using this 2960 switch alone it is not possible.

the exact model# is WS-C2960-24TT-L
 
Can devices on VLAN2 or VLAN4 ping the VLAN1 IP address of the SWITCH?

Can the VLAN2 or VLAN4 ping the VLAN1 IP address of the Router?

If I had to guess I'd say the first question is YES and the second question is NO, because the switch knows where the VLAN2 and VLAN4 subnets are, but the router does not. You'll need to create a static route on the router pointing the VLAN2 and VLAN4 subnets at the VLAN1 IP of the switch.
 
Add the following static route to your sonicwall:

Route 192.168.0.0/16 to whatever IP you assigned vlan1 interface on the switch.

Also be clear when you say ping vlan1. Which device on vlan1: switch vlan1 interface or sonicwall? Without a static route on the sonicwall, it will send ping replies to its default gateway. Adding the above static route will send all 192.168.x.x traffic to the switch.
 
To OP:

The TZ190 most definitely supports VLANs. What you are going to need to do is configure the switchport that connects to the Sonicwall as a trunk interface, and trunk your VLANs up to the Sonicwall. Then on the Sonicwall, you will need to create subinterfaces which will act as the gateway for all the VLANs that exist on that 2960 switch.

Since the 2960 is a limited L3 switch, I would advise just keeping it as a Layer 2 appliance and segment your networks, but use the Sonicwall subinterfaces as the gateways for each of those networks.

The Sonicwall can provide DHCP to each of these networks, so long as you are tagging the traffic up to the device.

Please refer to this guide by Sonicwall:

https://www.sonicwall.com/downloads/configuring_vlans.pdf

The config on the switch would be

Switch>en
Switch#conf t
Switch(config)#interface fa0/1
! Obviously use whatever interface you want to set.
! The 2960 only trunks 802.1Q, so it has no "switchport trunk encapsulation" command.
Switch(config-if)#switchport mode trunk
 
In addition to my above post, something to be aware of is that Sonicwall is a zone-based firewall by default, so each interface will need to belong to the LAN zone in order for traffic to flow between the networks.
 
Your 2960 can route also. It can route up to 8 SVIs via static routes.

You just need to have software version 12.x and above installed.

You toggle it on by using SDM Prefer Routing. You still probably have to route on a stick on that firewall though for specific vlans to gain internet access. You can route on a stick just the vlans you want internet and all other vlans will not have a physical way to get out and remain only on internal lan. I do not know if SWalls can route on a stick. I know nothing at all about them really. I do not like them from what I have used. For me Cisco is speaking English and just makes plain sense.
 
wow i haven't been back in awhile and just saw this pop-up. thank you for all the suggestions. i haven't had time to try all that but i will once i get a break. thank you!
 
just a note about Sonicwall TZ190: it does *NOT* have VLAN tagging. i called Dell/Sonicwall about this a long while ago. I am already running the latest firmware and this model/product does not have any VLAN tagging when I go to add new interfaces.

FYI thank you!
 
Can you create portshield interfaces as gateways for each vlan? You will have to wire them individually to the switch. 4 vlans will use 4 ports on your sonicwall and 4 ports on your switch.
 
I'm not familiar with sonicwall but you'd possibly have to create NAT rules for the new subnets as well if you want them to hit the internet.

The switch is capable of what you want to do, you look to just need to add a static route on the sonicwall so it knows where to access vlan 2/3/4.
 
on my tz190, in the back there are 8 ports. if i connect 3 ports out of that to the switch, it will create a loopback. there is no way to segment/divide/chop up the sonicwall because it does not honor VLAN tags, and without honoring VLAN tags, it will rebroadcast all traffic... which creates a loopback.

all in all, i'll need a VLAN-tag honoring router/firewall device to make this work.

meanwhile, that was my original question/intent: if i had a basic/non-business fw and i hooked it up to the Layer "2.5" switch, will it do some basic routing for me so i can create multiple gw for multiple VLAN subnets? and the answer is no. so i can just consider this case closed until i get a router. eventually i will, when i save up enough $ for used equipment. i wanna get some cisco certs in the future.

thank you all for the help/input.
 
on my tz190, in the back there are 8 ports. if i connect 3 ports out of that to the switch, it will create a loopback. there is no way to segment/divide/chop up the sonicwall because it does not honor VLAN tags, and without honoring VLAN tags, it will rebroadcast all traffic... which creates a loopback.

all in all, i'll need a VLAN-tag honoring router/firewall device to make this work.
Only if you are trying to trunk VLANs.

When you plugged in the three ports into the Cisco switch, did you set each switch port into a different native VLAN? If not, then you created a switching loop as they are all in the same VLAN (broadcast domain).

You don't need a VLAN capable router to do what you want. You just need the three ports on the Sonicwall to be in three different IP subnets and the three switch ports to be in different native VLANs (i.e. no tagging).

Having a VLAN capable router would allow you to only need one physical interface on the router and one on the switch. Then you can trunk the VLANs across. The downside of this is all your traffic is limited to the bandwidth of one interface.

Your switch is capable of this. What I can't tell you is if the Sonicwall has routed interfaces or are they just switch ports. From the docs the portshield settings seem to make them routed interfaces, but I do not have personal experience. I come from a Cisco centric world where router interfaces can be sub interfaced into tagged VLANs (module dependent). Or one physical interface per native VLAN if you have enough ports. I've done both.
 
The Sonicwall TZ190 does "honor" VLAN tags. You have to create subinterfaces.

I just feel by your responses that you are trying to configure something without fully understanding the technology, and quite possibly making a mountain out of a molehill.
 
show me documentation that it does. i can tell you that i see no fields for VLAN tagging (802.1Q)

meanwhile, djflow195, i do want to trunk VLANs, that is why this is not working. VLAN2, VLAN3, VLAN4 all gotta see one another all the while accessing their own gateways or any gateways for outbound internet.
 
I can't read all of this, too much for my brain.

a 2960g can route up to 8 SVIs

Yes, you can inter-VLAN route on a 2960 with firmware 12.x and up.

I have no idea if I answered anything right in this thread.
 
some suggestions and questions:

1. Don't use 192.168.1.0/24 or anything close to it. 192.168.10.0/24 and up.
2. Why are you wanting to vlan?
3. If you use the sonicwall as a router on a stick, inter-vlan traffic will be throughput limited by the sonicwall.
4. Personally, I wouldn't router-on-a-stick unless you have to. I suspect you just want an internet-only guest vlan or something.

change the cisco sdm prefer to the one that gives you the most static routes (8). Unfamiliar with the exact command.

Each vlan is a separate static route. set the default gateway 0.0.0.0 to the IP of the sonicwall.
Isolate guest vlan from the others with a simple ACL in the switch.

Done? Full throughput from all vlans to others, and you can use zones or whatever on the sonicwall to specify internet traffic rules per vlan. And of course, use ACLs in the switch to keep vlans from talking to each other.

Caveats: All my L3 switches are full L3 so I'm not sure of the limitations of the L2.5 gear, and I haven't used sonicwall gear.
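A constructed Python model, added here and not posted by anyone in the thread, of the longest-prefix routing behind the static-route advice earlier in the thread and the default-gateway step in this post: it shows why a VLAN2 host can reach the switch but not the Sonicwall until the Sonicwall has a route back, and that the 192.168.0.0/16 summary does not override the directly connected 192.168.1.0/24. Assumed addresses: Sonicwall LAN 192.168.1.1, switch VLAN1 SVI 192.168.1.2.

```python
import ipaddress

# Constructed model of the thread's topology, not output from real gear.
# Assumed addresses: Sonicwall LAN 192.168.1.1, switch VLAN1 SVI 192.168.1.2.
SONICWALL_LAN_IP = "192.168.1.1"
SWITCH_VLAN1_IP = "192.168.1.2"

# Routing tables as (prefix, next hop). "connected" means deliver directly.
SWITCH_ROUTES = [
    ("192.168.1.0/24", "connected"),   # SVI vlan1
    ("192.168.2.0/24", "connected"),   # SVI vlan2
    ("192.168.3.0/24", "connected"),   # SVI vlan3
    ("192.168.4.0/24", "connected"),   # SVI vlan4
    ("0.0.0.0/0", SONICWALL_LAN_IP),   # ip route 0.0.0.0 0.0.0.0 192.168.1.1
]
SONICWALL_ROUTES_BEFORE = [
    ("192.168.1.0/24", "connected"),   # LAN interface
    ("0.0.0.0/0", "wan"),              # default route to Comcast
]
# The static route recommended in the thread: 192.168.0.0/16 -> switch VLAN1 IP.
SONICWALL_ROUTES_AFTER = SONICWALL_ROUTES_BEFORE + [("192.168.0.0/16", SWITCH_VLAN1_IP)]


def lookup(routes, dst):
    """Longest-prefix match: next hop for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def ping_works(sonicwall_routes, vlan_host, target=SONICWALL_LAN_IP):
    """Round trip for a host behind the switch pinging the Sonicwall.
    Forward: the switch reaches the target on its VLAN1 SVI ("connected").
    Return: the Sonicwall's echo reply must go back to the switch; if its best
    match is the default route, the reply leaves via the WAN and is lost."""
    forward_ok = lookup(SWITCH_ROUTES, target) == "connected"
    return forward_ok and lookup(sonicwall_routes, vlan_host) == SWITCH_VLAN1_IP


if __name__ == "__main__":
    for name, table in (("before", SONICWALL_ROUTES_BEFORE), ("after", SONICWALL_ROUTES_AFTER)):
        print(name, "reply to 192.168.2.10 ->", lookup(table, "192.168.2.10"),
              "ping works:", ping_works(table, "192.168.2.10"))
    # The connected /24 still wins over the /16 for hosts on the Sonicwall's own LAN.
    print("192.168.1.50 after ->", lookup(SONICWALL_ROUTES_AFTER, "192.168.1.50"))
```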
 
I thought the Sonicwall TZ190 uses Sonicwall Enhanced OS rather than standard?
 
i have the sonicOS enhanced, but i'm telling you, there is no VLAN options. i'm running it now and can get screenshot, it just doesn't exist.
 