intervlan routing confusion

Getting really confused on this for some reason....

layer 3 firewall device is talking to a layer 3 switch which is talking to an up stream router.

FIREWALL -> Layer 3 switch -> PROVIDER (router).

Firewall 1.1.1.1/30 -> L3 swtich 1.1.1.2/30 L3 switch 2.2.2.1/30 -> Provider 2.2.2.2/30

So basically a /30 on either side of the layer 3 switch...

So I was going to create two vlans, IP them with the .2/30 for the respective subnet.

Enable: Ip routing on the switch.

Turn the switch ports in to access ports. Have them access their respective VLAN.

Then create a default route on the L3 switch to the provider.

The firewall already has a default route to the Switch...

So in theory this should allow the firewall to communciate with the provider and use it as the gateway to external things...

Is there a better way? Assuming that I don't have any other devices to swap in, or use in place of what I am already using...

thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

peanutnoggin

If you're going to create two vlans on the switch, you should create the SVI as well for each respective vlan. That will allow the switch to perform the layer 3 functions for the vlans. This should provide you with what you need. HTH.

-Peanut

APA

Just out of curiosity.... assuming the Multilayer switch can support it and you aren't hitting platform limitations...

Why don't you terminate directly onto a routed port? Negating the VLAN and SVI needs?

So turn the switchport into a L3 interface via 'no switchport' and configure L3 addressing, IP acls etc directly on the interface

Perhaps to your internal firewall you can create a trunk link if you want.... but I don't see the need for this scenarios unless there is more of a design\plan that you haven't proposed.

/31 between the devices would suffice for a point-to-point circuit as well...

liven

APA wrote: »

Just out of curiosity.... assuming the Multilayer switch can support it and you aren't hitting platform limitations...

Why don't you terminate directly onto a routed port? Negating the VLAN and SVI needs?

So turn the switchport into a L3 interface via 'no switchport' and configure L3 addressing, IP acls etc directly on the interface

Perhaps to your internal firewall you can create a trunk link if you want.... but I don't see the need for this scenarios unless there is more of a design\plan that you haven't proposed.

/31 between the devices would suffice for a point-to-point circuit as well...

The SVI solution allows me to add more ports to the uplinks if I need to. It worked and was pretty clean/simple so I will stick with it.

/31... I have never used a /31 before. Will a cisco accept that mask? I have never tried to use that before.

deth1k

+1 what phoeneous said. Why would you have a firewall behind the switch and not the other way round? This can potentially be a big security hole in your network.

jason_lunde

liven wrote: »

.

/31... I have never used a /31 before. Will a cisco accept that mask? I have never tried to use that before.

Yes it will. It might give you a warning but it will accept them. It's actually an RFC...here
http://tools.ietf.org/rfc/rfc3021.txt

We do commonly place a switch inbetween our ISP's router and our firewall, but it is strictly for the port space and they never participate in routing anything. Strictly L2. With your setup there I dont know why your not just going from fw<-->ISP
HTH's

APA

+1 to what jason said...

That's how I setup the perimeter network at my last 'enterprise' company.....

Switch can be a DMZ\perimeter switch acting purely at L2.....

mgeorge

Check this out;
Configuring Inter-VLAN Routing (Router-on-a-Stick) | Free CCNA Workbook