intervlan routing confusion
liven
Member Posts: 918
in CCNA & CCENT
Getting really confused on this for some reason....
layer 3 firewall device is talking to a layer 3 switch which is talking to an upstream router.
FIREWALL -> Layer 3 switch -> PROVIDER (router).
Firewall 1.1.1.1/30 -> L3 switch 1.1.1.2/30 L3 switch 2.2.2.1/30 -> Provider 2.2.2.2/30
So basically a /30 on either side of the layer 3 switch...
So I was going to create two vlans, IP them with the .2/30 for the respective subnet.
Enable: IP routing on the switch.
Turn the switch ports into access ports. Have them access their respective VLAN.
Then create a default route on the L3 switch to the provider.
The firewall already has a default route to the Switch...
So in theory this should allow the firewall to communicate with the provider and use it as the gateway to external things...
Is there a better way? Assuming that I don't have any other devices to swap in, or use in place of what I am already using...
thanks
encrypt the encryption, never mind my brain hurts.
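The SVI design from the post, written out as Cisco IOS configuration (an added example, not from the original post). Interface names Gi0/1 and Gi0/2 and VLAN numbers 10 and 20 are assumed; the addresses are the ones in the diagram.

```cisco
! Added example of the design in the post: two VLANs, an SVI per VLAN,
! access ports towards each neighbour, IP routing and a default route.
! Gi0/1, Gi0/2, VLAN 10 and VLAN 20 are assumed names; addresses are from the post.
ip routing
!
vlan 10
 name FIREWALL-LINK
vlan 20
 name PROVIDER-LINK
!
! Access port facing the firewall (firewall side is 1.1.1.1/30)
interface GigabitEthernet0/1
 description To FIREWALL
 switchport mode access
 switchport access vlan 10
 no shutdown
!
! Access port facing the provider router (provider side is 2.2.2.2/30)
interface GigabitEthernet0/2
 description To PROVIDER
 switchport mode access
 switchport access vlan 20
 no shutdown
!
! SVIs hold the switch's address on each /30
interface Vlan10
 ip address 1.1.1.2 255.255.255.252
 no shutdown
!
interface Vlan20
 ip address 2.2.2.1 255.255.255.252
 no shutdown
!
! Default route towards the provider; the firewall already defaults to 1.1.1.2
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
! Checks: both SVIs up/up, two connected /30s plus the static default,
! and the far side of each link answers.
! show ip interface brief | include Vlan
! show ip route
! ping 1.1.1.1
! ping 2.2.2.2
```

With this design the switch, not the firewall, is the first routed hop from the provider, which is the point the later replies in the thread raise.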
Comments
peanutnoggin Member Posts: 1,096
If you're going to create two vlans on the switch, you should create the SVI as well for each respective vlan. That will allow the switch to perform the layer 3 functions for the vlans. This should provide you with what you need. HTH.
-Peanut
We cannot have a superior democracy with an inferior education system!
-Mayor Cory Booker

APA Member Posts: 959
Just out of curiosity.... assuming the Multilayer switch can support it and you aren't hitting platform limitations...
Why don't you terminate directly onto a routed port? Negating the VLAN and SVI needs?
So turn the switchport into a L3 interface via 'no switchport' and configure L3 addressing, IP acls etc directly on the interface
Perhaps to your internal firewall you can create a trunk link if you want.... but I don't see the need for this scenario unless there is more of a design\plan that you haven't proposed.
/31 between the devices would suffice for a point-to-point circuit as well...
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP

liven Member Posts: 918
Just out of curiosity.... assuming the Multilayer switch can support it and you aren't hitting platform limitations...
Why don't you terminate directly onto a routed port? Negating the VLAN and SVI needs?
So turn the switchport into a L3 interface via 'no switchport' and configure L3 addressing, IP acls etc directly on the interface
Perhaps to your internal firewall you can create a trunk link if you want.... but I don't see the need for this scenario unless there is more of a design\plan that you haven't proposed.
/31 between the devices would suffice for a point-to-point circuit as well...
The SVI solution allows me to add more ports to the uplinks if I need to. It worked and was pretty clean/simple so I will stick with it.
/31... I have never used a /31 before. Will a cisco accept that mask? I have never tried to use that before.
encrypt the encryption, never mind my brain hurts.

phoeneous Member Posts: 2,333
Why is the switch in front of the firewall? Wouldn't you want your external traffic hitting the firewall first?

deth1k Member Posts: 312
+1 what phoeneous said. Why would you have a firewall behind the switch and not the other way round? This can potentially be a big security hole in your network.
jason_lunde Member Posts: 567
/31... I have never used a /31 before. Will a cisco accept that mask? I have never tried to use that before.
Yes it will. It might give you a warning but it will accept them. It's actually an RFC...here
http://tools.ietf.org/rfc/rfc3021.txt
We do commonly place a switch in between our ISP's router and our firewall, but it is strictly for the port space and they never participate in routing anything. Strictly L2. With your setup there I don't know why you're not just going from fw<-->ISP
HTH's

APA Member Posts: 959
+1 to what jason said...
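APA's routed-port alternative with /31 links (RFC 3021, which jason_lunde points to), as an added example rather than anything posted in the thread. Interface names are assumed and the addresses are constructed /31 pairs instead of the post's /30s; the ACL only illustrates APA's remark about putting ACLs directly on the interface.

```cisco
! Added example: the same two links as routed ports with /31 masks (RFC 3021),
! no VLANs or SVIs involved. Interface names and the /31 pairs are assumed.
ip routing
!
! Constructed /31 pair 1.1.1.0/31: firewall 1.1.1.0, switch 1.1.1.1
interface GigabitEthernet0/1
 description To FIREWALL
 no switchport
 ip address 1.1.1.1 255.255.255.254
 no shutdown
!
! Constructed /31 pair 2.2.2.0/31: switch 2.2.2.0, provider 2.2.2.1
! IOS accepts the /31 but may print a warning about using it on a
! non point-to-point interface, as jason_lunde describes.
interface GigabitEthernet0/2
 description To PROVIDER
 no switchport
 ip address 2.2.2.0 255.255.255.254
 ip access-group FROM-PROVIDER in
 no shutdown
!
! Illustrative ACL on the provider-facing routed port: transit traffic towards
! the firewall passes, SSH/Telnet to the switch's own outside address does not.
ip access-list extended FROM-PROVIDER
 remark management of the switch itself is not reachable from the outside link
 deny   tcp any host 2.2.2.0 eq 22
 deny   tcp any host 2.2.2.0 eq 23
 permit ip any any
!
! Default route towards the provider's side of the /31
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
! Checks: both routed ports up/up, two connected /31s plus the default,
! and hit counts on the ACL after a test from the provider side.
! show ip interface brief | include GigabitEthernet0/[12]
! show ip route
! show ip access-lists FROM-PROVIDER
```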
That's how I setup the perimeter network at my last 'enterprise' company.....
Switch can be a DMZ\perimeter switch acting purely at L2.....
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP