intervlan routing confusion

livenliven Member Posts: 918
Getting really confused on this for some reason....


layer 3 firewall device is talking to a layer 3 switch which is talking to an up stream router.


FIREWALL -> Layer 3 switch -> PROVIDER (router).


Firewall 1.1.1.1/30 -> L3 swtich 1.1.1.2/30 L3 switch 2.2.2.1/30 -> Provider 2.2.2.2/30


So basically a /30 on either side of the layer 3 switch...


So I was going to create two vlans, IP them with the .2/30 for the respective subnet.

Enable: Ip routing on the switch.

Turn the switch ports in to access ports. Have them access their respective VLAN.

Then create a default route on the L3 switch to the provider.

The firewall already has a default route to the Switch...

So in theory this should allow the firewall to communciate with the provider and use it as the gateway to external things...

Is there a better way? Assuming that I don't have any other devices to swap in, or use in place of what I am already using...

thanks
encrypt the encryption, never mind my brain hurts.

Comments

  • peanutnogginpeanutnoggin Member Posts: 1,096 ■■■□□□□□□□
    If you're going to create two vlans on the switch, you should create the SVI as well for each respective vlan. That will allow the switch to perform the layer 3 functions for the vlans. This should provide you with what you need. HTH.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • APAAPA Member Posts: 959
    Just out of curiosity.... assuming the Multilayer switch can support it and you aren't hitting platform limitations...

    Why don't you terminate directly onto a routed port? Negating the VLAN and SVI needs?

    So turn the switchport into a L3 interface via 'no switchport' and configure L3 addressing, IP acls etc directly on the interface

    Perhaps to your internal firewall you can create a trunk link if you want.... but I don't see the need for this scenarios unless there is more of a design\plan that you haven't proposed.

    /31 between the devices would suffice for a point-to-point circuit as well...

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • livenliven Member Posts: 918
    APA wrote: »
    Just out of curiosity.... assuming the Multilayer switch can support it and you aren't hitting platform limitations...

    Why don't you terminate directly onto a routed port? Negating the VLAN and SVI needs?

    So turn the switchport into a L3 interface via 'no switchport' and configure L3 addressing, IP acls etc directly on the interface

    Perhaps to your internal firewall you can create a trunk link if you want.... but I don't see the need for this scenarios unless there is more of a design\plan that you haven't proposed.

    /31 between the devices would suffice for a point-to-point circuit as well...


    The SVI solution allows me to add more ports to the uplinks if I need to. It worked and was pretty clean/simple so I will stick with it.

    /31... I have never used a /31 before. Will a cisco accept that mask? I have never tried to use that before.
    encrypt the encryption, never mind my brain hurts.
  • phoeneousphoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    Why is the switch in front of the firewall? Wouldn't you want your external traffic hitting the firewall first?
  • deth1kdeth1k Member Posts: 312
    +1 what phoeneous said. Why would you have a firewall behind the switch and not the other way round? This can potentially be a big security hole in your network.
  • jason_lundejason_lunde Member Posts: 567
    liven wrote: »
    .

    /31... I have never used a /31 before. Will a cisco accept that mask? I have never tried to use that before.

    Yes it will. It might give you a warning but it will accept them. It's actually an RFC...here
    http://tools.ietf.org/rfc/rfc3021.txt

    We do commonly place a switch inbetween our ISP's router and our firewall, but it is strictly for the port space and they never participate in routing anything. Strictly L2. With your setup there I dont know why your not just going from fw<-->ISP
    HTH's
  • APAAPA Member Posts: 959
    +1 to what jason said...

    That's how I setup the perimeter network at my last 'enterprise' company.....

    Switch can be a DMZ\perimeter switch acting purely at L2.....

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • mgeorgemgeorge Member Posts: 774 ■■■□□□□□□□
Sign In or Register to comment.